ipsec.conf: config setup Reference (History, Version 9)

Version 8 (Tobias Brunner, 10.12.2008 18:30) → Version 9/19 (Tobias Brunner, 10.12.2008 18:30)


= config setup =

* ''cachecrls = yes|'''no'''''
certificate revocation lists (CRLs) fetched via http or ldap will be cached in ''/etc/ipsec.d/crls/''
under a unique file name derived from the certification authority's public key.

* ''charonstart = '''yes'''|no''
starts the IKEv2 charon daemon.

* ''plutostart = '''yes'''|no''
starts the IKEv1 pluto daemon.

* ''strictcrlpolicy = yes|ifuri|'''no'''''
defines if a fresh CRL must be available in order for the peer authentication based on RSA
signatures to succeed. IKEv2 additionally recognizes ''ifuri'' which reverts to ''yes'' if
at least one CRL URI is defined and to ''no'' if no URI is known.

* ''uniqueids = '''yes'''|no|replace|keep''
whether a particular participant ID should be kept unique, with any new (automatically keyed)
connection using an ID from a different IP address deemed to replace all old ones using that ID.
Participant IDs normally ''are'' unique, so a new (automatically-keyed) connection using the same ID
is almost invariably intended to replace an old one. The IKEv2 daemon also accepts the value ''replace''
which is identical to ''yes'' and the value ''keep'' to reject new IKE_SA setups and keep the duplicate
established earlier.

'''IKEv1 pluto daemon only:'''

* ''crlcheckinterval = '''0s'''|<time>''
interval in seconds between periodic checks for fresh CRLs. CRL fetching is enabled if the value is greater than zero.
Asynchronous, periodic checking for fresh CRLs is currently done by the IKEv1 pluto daemon only.

* ''keep_alive = '''20s'''|<time>''
interval in seconds between NAT keep alive packets.

* ''nat_traversal = yes|'''no'''''
activates NAT traversal by accepting source ISAKMP ports different from udp/500 and by floating
to udp/4500 if a NAT situation is detected. Used by IKEv1 only, NAT traversal always being
active in IKEv2.

* ''nocrsend = yes|'''no'''''
no certificate request payloads will be sent.

* ''pkcs11initargs = <args>''
non-standard argument string for the PKCS#11 C_Initialize() function; required by the NSS softoken.

* ''pkcs11module = <lib>''
defines the run-time path to a dynamically loadable PKCS#11 library. Overrides any
path defined at compile-time using the ''--pkcs11-module'' configure option.

* ''pkcs11keepstate = yes|'''no'''''
PKCS#11 login sessions will be kept during the whole lifetime of the keying daemon.
Useful with pin-pad smart card readers where PINs cannot be cached.

* ''pkcs11proxy = yes|'''no'''''
pluto will act as a PKCS#11 proxy accessible via the whack interface.

* ''plutodebug = '''none'''|<debug list>|all''
how much pluto debugging output should be logged. ''none'' means no debugging output
while ''all'' means full output. Otherwise only the specified types of output (separated by white space) are enabled.
Available debugging types are ''control controlmore crypt dns emitting klips lifecycle natt oppo parsing private raw''.
Recommended setting is ''plutodebug=control''.

* ''plutostderrlog = <file>''
pluto will not use syslog, but rather log to stderr, and redirect stderr to <file>.

* ''postpluto = <command>''
shell command to run after starting pluto (e.g., to remove a decrypted copy of the ''ipsec.secrets'' file).
It is run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
''/dev/tty'' or equivalent for their interaction.

* ''prepluto = <command>''
shell command to run before starting pluto (e.g., to decrypt an encrypted copy of the ''ipsec.secrets'' file).
It is run in a very simple way; complexities like I/O redirection are best hidden within a script.
Any output is redirected for logging, so running interactive commands is difficult unless they use
''/dev/tty'' or equivalent for their interaction.

* ''virtual_private = <networks>''
defines private networks using a wildcard notation.

'''IKEv2 charon daemon only:'''

* ''charondebug = <debug list>''
how much charon debugging output should be logged. A comma-separated list containing
''type level'' pairs may be specified, e.g.: ''dmn 3, ike 1, net -1''. Acceptable values for
types are ''dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib'' and the level is one of
''-1, 0, 1, 2, 3, 4'' (for silent, audit, control, controlmore, raw, private).
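Added example (not part of this reference and not strongSwan code): a small Python linter for the ''config setup'' section that applies the value sets listed above, the ''type level'' format of ''charondebug'' and the white-space separated list of ''plutodebug''. It flags the two settings a reviewer would most want to catch: ''strictcrlpolicy=no'' (the default, so a missing key counts too), under which peers authenticate without a fresh CRL, and debug output at the ''private'' level (''charondebug'' level 4, ''plutodebug'' type ''private''), which includes key material. The two ipsec.conf samples embedded in the block are constructed for this example, the ''<time>'' syntax is assumed to be digits with an optional s/m/h/d unit, and only plain key=value lines are parsed (no ''include'' or continuation lines).

```python
"""Lint the ``config setup`` section of an ipsec.conf file (added example, not strongSwan code).
Allowed values, <time> syntax and debug type/level names follow the reference above; the
sample configurations at the bottom are constructed. Only plain key=value lines are parsed."""
import re

SETUP_ALLOWED = {                      # parameters with a fixed set of accepted values
    "cachecrls": {"yes", "no"}, "charonstart": {"yes", "no"}, "plutostart": {"yes", "no"},
    "nat_traversal": {"yes", "no"}, "nocrsend": {"yes", "no"}, "pkcs11proxy": {"yes", "no"},
    "pkcs11keepstate": {"yes", "no"}, "strictcrlpolicy": {"yes", "ifuri", "no"},
    "uniqueids": {"yes", "no", "replace", "keep"},
}
TIME_KEYS = {"crlcheckinterval", "keep_alive"}
TIME_RE = re.compile(r"^\d+[smhd]?$")  # assumed <time> syntax: digits plus an optional unit
CHARON_TYPES = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "enc", "lib"}
PLUTO_TYPES = {"control", "controlmore", "crypt", "dns", "emitting", "klips",
               "lifecycle", "natt", "oppo", "parsing", "private", "raw"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}: headers start at column 0, parameters are
    indented key=value lines, '#' starts a comment, surrounding quotes are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":               # "config setup", "conn %default", ...
            current = line.strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError("parameter outside a section or without '=': %r" % raw)
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value.strip('"')
    return sections


def check_charondebug(value):
    """Validate a comma-separated 'type level' list; return a list of problems."""
    problems = []
    for pair in filter(None, (p.strip() for p in value.split(","))):
        parts = pair.split()
        if len(parts) != 2 or parts[0] not in CHARON_TYPES:
            problems.append("charondebug: bad pair %r" % pair)
        elif not re.fullmatch(r"-?\d+", parts[1]) or not -1 <= int(parts[1]) <= 4:
            problems.append("charondebug: level %r not in -1..4" % parts[1])
        elif parts[1] == "4":                   # 'private' level: dumps include key material
            problems.append("charondebug: %s 4 logs private key material" % parts[0])
    return problems


def check_plutodebug(value):
    """Validate 'none', 'all' or a white-space separated list of debug types."""
    tokens = value.split()
    if tokens in ([], ["none"], ["all"]):
        return []
    problems = ["plutodebug: unknown type %r" % t for t in tokens if t not in PLUTO_TYPES]
    if "private" in tokens:
        problems.append("plutodebug: 'private' logs private key material")
    return problems


def lint_setup(text):
    """Return findings for the config setup section; defaults are applied for absent keys."""
    setup = parse_ipsec_conf(text).get("config setup", {})
    findings = ["%s: invalid %s %r" % (k, "time" if k in TIME_KEYS else "value", v)
                for k, v in setup.items()
                if (k in SETUP_ALLOWED and v not in SETUP_ALLOWED[k])
                or (k in TIME_KEYS and not TIME_RE.match(v))]
    if setup.get("strictcrlpolicy", "no") == "no":
        findings.append("strictcrlpolicy=no: peers authenticate without a fresh CRL")
    if (setup.get("plutostart", "yes") == "yes"
            and setup.get("crlcheckinterval", "0s").rstrip("s") == "0"):
        findings.append("crlcheckinterval=0s: pluto never fetches fresh CRLs")
    return (findings + check_charondebug(setup.get("charondebug", ""))
            + check_plutodebug(setup.get("plutodebug", "none")))


# Constructed samples: the weak one keeps the default CRL policy and enables key-material
# logging; the hardened one requires fresh CRLs, caches them and logs at control level only.
WEAK_CONF = """\
config setup
    strictcrlpolicy=no
    plutodebug=control private
    charondebug="ike 1, knl 4"
"""
HARDENED_CONF = """\
config setup
    strictcrlpolicy=yes
    cachecrls=yes
    crlcheckinterval=600s
    uniqueids=yes
    plutodebug=control
    charondebug="dmn 1, ike 1, cfg 0"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_setup(conf) or ["no findings"])
```

Run against the weak sample it reports four findings (the CRL policy, the zero ''crlcheckinterval'', ''knl 4'' and the ''private'' pluto type); the hardened sample passes cleanly. Because defaults are applied for absent keys, a ''config setup'' section that simply omits ''strictcrlpolicy'' is flagged the same way as one that sets it to ''no''.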