ipsec.conf: config setup Reference » History » Version 9

Tobias Brunner, 10.12.2008 18:30
uniqueids like in the manpage

h1. config setup

* _cachecrls = yes|*no*_
     certificate revocation lists (CRLs) fetched via http or ldap will be cached in _/etc/ipsec.d/crls/_
     under a unique file name derived from the certification authority's public key.

* _charonstart = *yes*|no_
     starts the IKEv2 charon daemon.

* _plutostart = *yes*|no_
     starts the IKEv1 pluto daemon.

* _strictcrlpolicy = yes|ifuri|*no*_
     defines whether a fresh CRL must be available in order for peer authentication based on RSA
     signatures to succeed. IKEv2 additionally recognizes _ifuri_, which reverts to _yes_ if
     at least one CRL URI is defined and to _no_ if no URI is known.

* _uniqueids = *yes*|no|replace|keep_
     whether a particular participant ID should be kept unique, with any new (automatically keyed)
     connection using an ID from a different IP address deemed to replace all old ones using that ID.
     Participant IDs normally _are_ unique, so a new (automatically keyed) connection using the same ID
     is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value _replace_,
     which is identical to _yes_, and the value _keep_, which rejects new IKE_SA setups and keeps the duplicate
     established earlier.

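
The following model of the _uniqueids_ and _strictcrlpolicy_ behaviour described above is an added illustration, not strongSwan code: the IKE_SA table is a plain list, the _IkeSa_ fields and all peer IDs and addresses are constructed assumptions, and the signature check itself is assumed to have succeeded.

```python
"""Model of the uniqueids and strictcrlpolicy semantics from the reference text.
Added illustration, not strongSwan code: the IKE_SA table is a plain list and
its fields are simplified assumptions."""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    peer_id: str    # participant ID (e.g. a DN or FQDN); sample values are constructed
    peer_addr: str  # IP address the peer connected from


@dataclass
class IkeSaTable:
    sas: list = field(default_factory=list)

    def new_ike_sa(self, uniqueids: str, peer_id: str, peer_addr: str) -> bool:
        """Apply the uniqueids policy to a new IKE_SA setup.
        Returns True if the new IKE_SA is established."""
        if uniqueids not in ("yes", "no", "replace", "keep"):
            raise ValueError(f"unknown uniqueids value: {uniqueids}")
        duplicates = [sa for sa in self.sas if sa.peer_id == peer_id]
        if duplicates and uniqueids == "keep":
            # keep the IKE_SA established earlier and reject the new setup
            return False
        if duplicates and uniqueids in ("yes", "replace"):
            # the new connection replaces all old ones using that ID
            self.sas = [sa for sa in self.sas if sa.peer_id != peer_id]
        self.sas.append(IkeSa(peer_id, peer_addr))  # with "no", duplicates coexist
        return True

    def count(self, peer_id: str) -> int:
        """Number of IKE_SAs currently held for a participant ID."""
        return sum(1 for sa in self.sas if sa.peer_id == peer_id)


def crl_required(strictcrlpolicy: str, crl_uri_known: bool) -> bool:
    """Whether a fresh CRL is mandatory for RSA-signature authentication.
    'ifuri' (IKEv2 only) behaves like 'yes' when at least one CRL URI is
    known and like 'no' otherwise."""
    if strictcrlpolicy == "yes":
        return True
    if strictcrlpolicy == "no":
        return False
    if strictcrlpolicy == "ifuri":
        return crl_uri_known
    raise ValueError(f"unknown strictcrlpolicy value: {strictcrlpolicy}")


def rsa_auth_ok(strictcrlpolicy: str, crl_uri_known: bool, fresh_crl: bool) -> bool:
    """Peer authentication outcome; the RSA signature itself is assumed valid."""
    return fresh_crl or not crl_required(strictcrlpolicy, crl_uri_known)


if __name__ == "__main__":
    table = IkeSaTable()
    table.new_ike_sa("yes", "CN=roadwarrior", "203.0.113.10")
    table.new_ike_sa("yes", "CN=roadwarrior", "198.51.100.7")  # replaces the first
    print("uniqueids=yes keeps", table.count("CN=roadwarrior"), "IKE_SA for the ID")
    print("ifuri without URI, no CRL:", rsa_auth_ok("ifuri", False, False))
    print("ifuri with URI, no CRL:   ", rsa_auth_ok("ifuri", True, False))
```

With _uniqueids=keep_ the second setup is rejected and the earlier IKE_SA (from 203.0.113.10 in the demo) survives; with _yes_ or _replace_ the earlier one is torn down in favour of the new peer address.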
*IKEv1 pluto daemon only:*

* _crlcheckinterval = *0s*|_<time>
     interval in seconds. CRL fetching is enabled if the value is greater than zero.
     Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 Pluto daemon only.

* _keep_alive = *20s*|_<time>
     interval in seconds between NAT keep alive packets.

* _nat_traversal = yes|*no*_
     activates NAT traversal by accepting source ISAKMP ports different from udp/500 and by
     floating to udp/4500 if a NAT situation is detected. Used by IKEv1 only; NAT traversal
     is always active in IKEv2.

* _nocrsend = yes|*no*_
     no certificate request payloads will be sent.

* _pkcs11initargs = _<args>
     non-standard argument string for the PKCS!#11 C_Initialize() function; required by NSS softoken.

* _pkcs11module = _<lib>
     defines the path during run-time to a dynamically loadable PKCS!#11 library. Overrides any
     path defined during compile-time using the _--pkcs11-module_ configure option.

* _pkcs11keepstate = yes|*no*_
     PKCS!#11 login sessions will be kept during the whole lifetime of the keying daemon.
     Useful with pin-pad smart card readers where PINs cannot be cached.

* _pkcs11proxy = yes|*no*_
     Pluto will act as a PKCS!#11 proxy accessible via the whack interface.

* _plutodebug = *none*_|<debug list>|_all_
     how much Pluto debugging output should be logged. _none_ means no debugging output
     while _all_ means full output. Otherwise only the specified types of output (separated by white space) are enabled.
     Available debugging types are _control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw_.
     The recommended setting is _plutodebug=control_.

* _plutostderrlog = _<file>
     Pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

* _postpluto = _<command>
     shell command to run after starting Pluto (e.g., to remove a decrypted copy of the _ipsec.secrets_ file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

* _prepluto = _<command>
     shell command to run before starting Pluto (e.g., to decrypt an encrypted copy of the _ipsec.secrets_ file).
     It's run in a very simple way; complexities like I/O redirection are best hidden within a script.
     Any output is redirected for logging, so running interactive commands is difficult unless they use
     _/dev/tty_ or equivalent for their interaction.

* _virtual_private = _<networks>
     defines private networks using a wildcard notation.

*IKEv2 charon daemon only:*

* _charondebug = _<debug list>
     how much Charon debugging output should be logged. A comma-separated list containing
     _type level_ pairs may be specified, e.g. _dmn 3, ike 1, net -1_. Acceptable values for
     types are _dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib_ and the level is one of
     _-1, 0, 1, 2, 3, 4_ (for silent, audit, control, controlmore, raw, private).
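
The validator below is an added example, not strongSwan's own _ipsec.conf_ parser. It reads the _config setup_ section of an ipsec.conf-style text and checks each keyword against the value sets given on this page, including the white-space separated _plutodebug_ type list and the comma-separated _type level_ pairs of _charondebug_. The two sample files are constructed, the _<time>_ syntax (integer seconds with an optional _s_ suffix) is an assumption, and keywords not listed above are reported as unknown.

```python
"""Validator for the `config setup` keywords documented on this page.
Added example, not strongSwan's own ipsec.conf parser: it only knows the
value sets given in the reference text and ignores every other section."""
import re

BOOL = {"yes", "no"}
# keyword -> accepted literal values, taken from the reference text
ENUMS = {
    "cachecrls": BOOL, "charonstart": BOOL, "plutostart": BOOL,
    "nat_traversal": BOOL, "nocrsend": BOOL, "pkcs11keepstate": BOOL,
    "pkcs11proxy": BOOL,
    "strictcrlpolicy": {"yes", "ifuri", "no"},
    "uniqueids": {"yes", "no", "replace", "keep"},
}
TIME_KEYS = {"crlcheckinterval", "keep_alive"}
# free-form values (paths, commands, argument strings, network lists)
FREE_KEYS = {"pkcs11initargs", "pkcs11module", "plutostderrlog",
             "postpluto", "prepluto", "virtual_private"}
PLUTO_TYPES = {"control", "controlmore", "crypt", "dns", "emitting", "klips",
               "lifecycle", "natt", "oppo", "parsing", "private", "raw"}
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}
CHARON_LEVELS = {"-1", "0", "1", "2", "3", "4"}
# assumption: <time> is an integer number of seconds with an optional "s" suffix
TIME_RE = re.compile(r"^\d+s?$")


def parse_config_setup(text: str) -> dict:
    """Return the key=value pairs of the `config setup` section.
    A section starts with an unindented header line and holds all indented
    lines that follow it; '#' starts a comment."""
    values, in_setup = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header line
            in_setup = line.split() == ["config", "setup"]
            continue
        if in_setup and "=" in line:
            key, _, val = line.strip().partition("=")
            values[key.strip()] = val.strip().strip('"')
    return values


def check_plutodebug(val: str) -> list:
    """plutodebug = none | all | white-space separated list of debug types"""
    if val in ("none", "all"):
        return []
    return [f"plutodebug: unknown type '{t}'" for t in val.split()
            if t not in PLUTO_TYPES]


def check_charondebug(val: str) -> list:
    """charondebug = comma-separated 'type level' pairs, e.g. 'dmn 3, ike 1, net -1'"""
    problems = []
    for item in (p.strip() for p in val.split(",")):
        parts = item.split()
        if len(parts) != 2:
            problems.append(f"charondebug: '{item}' is not a 'type level' pair")
        elif parts[0] not in CHARON_TYPES:
            problems.append(f"charondebug: unknown type '{parts[0]}'")
        elif parts[1] not in CHARON_LEVELS:
            problems.append(f"charondebug: level '{parts[1]}' not in -1..4")
    return problems


def validate(values: dict) -> list:
    """Return human-readable problems; an empty list means every value is valid."""
    problems = []
    for key, val in values.items():
        if key in ENUMS:
            if val not in ENUMS[key]:
                problems.append(f"{key}: '{val}' not one of {sorted(ENUMS[key])}")
        elif key in TIME_KEYS:
            if not TIME_RE.match(val):
                problems.append(f"{key}: '{val}' is not a time value")
        elif key == "plutodebug":
            problems += check_plutodebug(val)
        elif key == "charondebug":
            problems += check_charondebug(val)
        elif key not in FREE_KEYS:
            problems.append(f"{key}: unknown config setup keyword")
    return problems


# constructed sample files, not taken from a real deployment
SAMPLE_OK = """\
config setup
        strictcrlpolicy=ifuri
        cachecrls=yes
        uniqueids=keep
        keep_alive=20s
        charondebug="ike 2, knl 1, net -1"
        plutodebug=control

conn %default      # another section, ignored by the validator
        keyexchange=ikev2
"""

SAMPLE_BAD = """\
config setup
        uniqueids=maybe
        keep_alive=soon
        charondebug="ike 7, foo 1"
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate(parse_config_setup(text)) or "no problems")
```

On the constructed _SAMPLE_BAD_ file the validator reports four problems: the unknown _uniqueids_ value, the malformed _keep_alive_ time, a _charondebug_ level outside -1..4 and a _charondebug_ type that is not in the documented list.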