strongSwan

= config setup =

 * ''cachecrls = yes|'''no'''''

     certificate revocation lists (CRLs) fetched via http or ldap will be cached in ''/etc/ipsec.d/crls/''

     under a unique file name derived from the certification authority's public key.

 * ''charonstart = '''yes'''|no''

     starts the IKEv2 charon daemon.

 * ''plutostart = '''yes'''|no''

     starts the IKEv1 pluto daemon.

 * ''strictcrlpolicy = yes|ifuri|'''no'''''

     defines if a fresh CRL must be available in order for the peer authentication based on RSA

     signatures to succeed. IKEv2 additionally recognizes ''ifuri'' which reverts to ''yes'' if

     at least one CRL URI is defined and to ''no'' if no URI is known.

 * ''uniqueids = '''yes'''|no|replace|keep''

     whether a particular participant ID should be kept unique, with any new (automatically  keyed)

     connection using an ID from a different IP address deemed to replace all old ones using that ID.

     Participant IDs normally _are_ unique, so a new (automatically-keyed)  connection  using the same ID

     is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value ''replace''

     which is identical to ''yes'' and the value ''keep'' to reject new IKE_SA setups and keep the duplicate

     established earlier.

'''IKEv1 pluto daemon only:'''

 * ''crlcheckinterval = 0s''|<time>

     interval in seconds. CRL fetching is enabled if the value is greater than zero.

     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

 * ''keep_alive = '''20s'''|''<time>

     interval in seconds between NAT keep alive packets.

 * ''nat_traversal = yes|'''no'''''

     activates NAT traversal by accepting source ISAKMP ports different from udp/500 and being able

     of floating to udp/4500 if a NAT situation is detected.  Used by IKEv1 only, NAT traversal

     always being active in IKEv2.

 * ''nocrsend = yes|'''no'''''

     no certificate request  payloads will be sent.

 * ''pkcs11initargs = ''<args>

     non-standard argument string for PKCS!#11 C_Initialize() function; required by NSS softoken.

 * ''pkcs11module = ''<lib>

     defines the path during run-time to a dynamically loadable PKCS!#11 library. Overrides any

     path defined during compile-time using the ''--pkcs11-module'' configure option.

 * ''pkcs11keepstate = yes|'''no'''''

     PKCS!#11 login sessions will be kept during the whole lifetime of the keying daemon.

     Useful with  pin-pad smart card readers where PINs cannot be cached. 

 * ''pkcs11proxy = yes|'''no'''''

     Pluto will act as a PKCS!#11 proxy accessible via the whack interface.

 * ''plutodebug = '''none'''''|<debug list>|''all''

     how much Pluto debugging output should be logged. ''none'' means  no  debugging output

     while ''all'' means full output.  Otherwise only the specified types of output separated by white space) are enabled;

     Available debugging types are ''control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw''.

     Recommended setting is ''plutodebug=control''.

 * ''plutostderrlog = ''<file>

     Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

 * ''postpluto = ''<command>

     shell command to run after starting Pluto (e.g., to remove a decrypted copy of the ''ipsec.secrets'' file).

     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.

     Any output is redirected for logging, so running interactive commands is difficult unless they use

     ''/dev/tty'' or equivalent for their interaction.

 * ''prepluto = ''<command>

     shell command to run before starting Pluto (e.g., to decrypt an encrypted copy of the ''ipsec.secrets'' file).

     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.

     Any output is redirected for logging, so running interactive commands is difficult unless they use

     ''/dev/tty'' or equivalent for their interaction.

 * ''virtual_private = ''<networks>

     defines private networks using a wildcard notation.

'''IKEv2 charon daemon only:'''

 * ''charondebug = ''<debug list>

     how much Charon debugging output should be logged. A comma-separated list containing

     ''type level'' pairs  may  be specified, e.g: ''dmn 3, ike 1, net -1''.  Acceptable values for

     types are ''dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib'' and the level is one of

     ''-1,  0,  1,  2,  3,  4'' (for silent, audit, control, controlmore, raw, private).