strongSwan

h1. conn <name>

h2. general per connection parameters

_ah = <algorithms>_

p((. AH authentication algorithm to be used for the connection, e.g. _hmac-md5_.

_also = <section name>_

p((. includes conn section <name>.

_auth = *esp* | ah_

p((. whether authentication should be done as part of ESP encryption, or separately using the AH protocol.

     The IKEv2 daemon currently supports ESP only.

_authby = *pubkey* | rsasig | ecdsasig | psk | secret | xauthrsasig | xauthpsk | eap | never_

p((. how the two security gateways should authenticate each other; acceptable values are *secret* or *psk*

     for pre-shared secrets, *pubkey* for public key signatures as well as the synonyms *rsasig* for RSA digital

     signatures and *ecdsasig* for Elliptic Curve DSA signatures. *never*  can be used if  negotiation is  never

     to be attempted or accepted (useful for shunt-only conns). Digital signatures are superior in every way to

     shared secrets. In IKEv2, the two ends must not agree on this parameter, it is relevant for the out-bound 

     authentication  method only. IKEv1 additionally supports the values *xauthpsk* and *xauthrsasig* that

     will enable _eXtended AUTHentication (XAUTH)_ in addition to IKEv1 main mode based on shared secrets

     or digital RSA signatures,  respectively. IKEv2 additionally supports the value *eap*, which indicates

     an initiator to request EAP authentication. The EAP method to use is selected by the server (see _eap_).

     This parameter is deprecated for IKEv2 connections, as two peers do ot need to agree on an authentication

     method. Use the _left|rightauth_ parameter to define authentication methods in IKEv2.

_auto = *ignore* | add | route | start_

p((. what operation, if any, should be done automatically at IPsec startup. *add* loads a connection without

     starting it. *route* loads a connection and installs kernel traps. If traffic is detected between

     _leftsubnet_ and _rightsubnet_, a connection is established. *start* loads a connection and brings

     it up immediatly. *ignore* ignores the connection. This is equal to delete a connection from the config

     file. Relevant only locally, other end need not agree on it (but in general, for an intended-to-be-permanent

     connection, both ends should use _auto = *start*_ to ensure that any reboot causes immediate renegotiation).

_compress = yes | *no*_

p((. whether IPComp compression of content is proposed on the connection (link-level compression does not work on

     encrypted data, so to be effective, compression must be done before encryption). A value of *yes* causes IPsec

     to propose both compressed and  uncompressed, and  prefer compressed. A value of no prevents IPsec from proposing

     compression; a proposal to compress will still be accepted.

_dpdaction = *none* | clear | hold | restart_

p((. controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages

     (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the

     IPsec peer. The values *clear*, *hold*, and *restart* all activate DPD. If no activity is detected,

     all  connections with a dead peer are stopped and unrouted (*clear*), put in the hold state (*hold*)

     or restarted (*restart*). For IKEv1, the default is *none* which disables the active sending of

     R_U_THERE  notifications. Nevertheless Pluto will always send the DPD Vendor ID during connection set up

     in order to signal the readiness to act passively as a responder if the peer wants to use DPD. For IKEv2,

     *none* does't make sense, since all messages are used to detect dead peers. If specified, it has the

     same meaning as the default (*clear*).

_dpddelay = <time>_

p((. defines  the  period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.

     These are only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL

     messages and uses only standard messages (such as those to rekey) to detect dead peers.

_dpdtimeout = <time>_

p((. defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.

     This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to

     detect dead peers.

_inactivity = <time>_

p((. defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic.

     Currently supported in IKEv2 connections only.

_eap = aka | gtc | md5 | mschapv2 | radius | sim | <type> | <type>-<vendor>_

p((. defines the EAP type to be used if _authby=eap_ is selected. Currently supported values are *aka*

     for EAP-AKA, *gtc* for EAP-GTC, *md5* for EAP-MD5, *mschapv2* for EAP-MS-CHAPv2, *radius* for the

     EAP-RADIUS proxy  and *sim* for EAP-SIM.

     Additionally, IANA assigned EAP method numbers are accepted, or a definition in the form *eap=type-vendor*

     (e.g. eap=7-12345 ) can be used to specify vendor specific EAP types. For IKEv2 this parameter is deprecated

     in favour of _left|rightauth_.

_eap_identity = <id>_

p((. defines the identity the client uses to reply to an EAP Identity request. If defined on the EAP server, the defined

     identity  will be used as peer identity during EAP authentication. The special value _%identity_ uses the EAP Identity method

     to ask the client for a EAP identity. If not defined, the IKEv2 identity will be used as EAP identity.

_esp = <cipher suites>_

p((. comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g.

     _3des-md5_. The notation is _encryption-integrity-[dhgroup]_. If _dh-group_ is specified,

     CHILD_SA setup and rekeying include a separate Diffe-Hellman exchange (IKEv2 only).

_forceencaps = yes | *no*_

p((.  Force UDP encapsulation for ESP packets even if no NAT situation is detected.

      This may help to surmount restrictive firewalls. In order to force the peer to

      encapsulate packets, NAT detection payloads are faked (IKEv2 only). 

_ike = <cipher suites>_

p((. comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used, e.g.

     _aes128-sha1-modp2048_. The notation is _encryption-integrity-dhgroup_. In IKEv2, multiple algorithms

     and proposals may be included, such as _aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024_.

_ikelifetime = *3h* | <time>_

p((. how long the keying channel of a connection (_ISAKMP or IKE SA_) should last before being renegotiated.

_installpolicy = *yes* | no_

p((. decides whether IPsec policies are installed in the kernel by the IKEv2 charon daemon for a given connection.

     Allows peaceful cooperation e.g. with the Mobile IPv6  _mip6d_ daemon who wants to control the kernel policies.

_keyexchange = *ike* | ikev1 | ikev2_

p((. method of key exchange; which protocol should be used to initialize the connection. Connections marked with

     *ikev1*  are initiated with Pluto, those marked with *ikev2* with Charon. An incoming request from 

     the remote peer is handled by the correct daemon, unaffected from the _keyexchange_ setting. The default 

     value *ike* currently is a synonym for *ikev1*.

_keyingtries = *%forever* | <number>_

p((. how  many attempts (a whole number or _%forever_) should be made to negotiate a connection, or a replacement

     for one, before giving up. The value _%forever_ means 'never give up'.  Relevant  only  locally, other end need

     not agree on it.

_keylife_

p((. synonym for _lifetime_.

_lifebytes = <number>_

p((. the number of bytes transmitted over an IPsec SA before it expires (IKEv2 only).

_lifepackets = <number>_

p((. the number of packets transmitted over an IPsec SA before it expires (IKEv2 only).

_lifetime = *1h* | <time>_

p((. how  long  a  particular  instance  of a connection (a set of encryption/authentication keys for user packets)

     should last, from successful negotiation to expiry; acceptable values are an integer optionally followed by

     _s_ (a time in seconds) or a decimal number followed by _m_, _h_, or _d_ (a time in minutes, hours,

     or days respectively) (default _1h_, maximum _24h_).  Normally, the connection is renegotiated (via the

     keying  channel) before it expires (see _margintime_).  The two ends need not exactly agree on _lifetime_, although if they

     do not, there will be some clutter of superseded connections on the end which thinks the lifetime is longer.

_marginbytes = <number>_

p((. how many bytes before IPsec SA expiry (see _lifebytes_) should attempts to negotiate a replacement begin (IKEv2 only).

_marginpackets = <number>_

p((. how many packets before IPsec SA expiry (see _lifepackets_) should attempts to negotiate a replacement begin (IKEv2 only).

_margintime = *9m* | <time>_

p((. how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values

     as for _lifetime_ (default _9m_).  Relevant only locally, other end need not agree on it.

_mobike = *yes* | no_

p((. enables the IKEv2 [[MobIke|MOBIKE]] protocol defined by RFC 4555. If set to *no*, the IKEv2 charon

     daemon will not actively propose [[MobIke|MOBIKE]] but will still accept and support the mobility protocol

     as a responder.

_modeconfig = push | *pull*_

p((. defines which mode is used to assign a virtual IP. Currently relevant for IKEv1 only since IKEv2 always uses

     the configuration payload in *pull* mode. Cisco VPN gateways usually operate in *push* mode.

_pfs = *yes* | no_

p((. whether _Perfect Forward Secrecy_ of keys is desired on the connection's keying channel (with PFS,

     penetration of the key-exchange protocol does not compromise keys negotiated earlier). IKEv2 always uses

     PFS for IKE_SA rekeying whereas for CHILD_SA rekeying PFS is enforced by defining a Diffie-Hellman dhgroup

     in the _esp_ parameter.

_pfsgroup = <modp group>_

p((. defines a Diffie-Hellman group for _perfect forward secrecy_ in IKEv1 Quick Mode differing from the DH group

     used for IKEv1 Main Mode (IKEv1 pluto daemon only). 

_reauth = *yes* | no_

p((. whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.

     In  IKEv2, a value of *no* rekeys without uninstalling the IPsec SAs, a value of *yes* (the default)

     creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

_rekey = *yes* | no_

p((. whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but

     while a value of no prevents Pluto/Charon from requesting renegotiation, it does not prevent responding

     to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.

_rekeyfuzz = *100%* | <percentage>_

p((. maximum percentage by which _marginbytes_, _marginpackets_ and _margintime_ should be randomly increased to randomize

     rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100,

     followed  by  a '%' .

     The value of _marginTYPE_, after this random increase, must not exceed _lifeTYPE_ (where TYPE is one of bytes, packets or type).

     The value _0%_ will suppress randomization. Relevant only locally, other end need not agree on it.

_rekeymargin_

p((.  synonym for _margintime_.

_reqid_

p((. sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).

_type = *tunnel* | transport | transport_proxy | passthrough | drop | reject_

p((. the type of the connection; currently the accepted values are *tunnel*, signifying a  host-to-host,

     host-to-subnet, or subnet-to-subnet tunnel; *transport*, signifying host-to-host transport mode;

     *transport_proxy*, signifying the special Mobile IPv6 transport proxy mode;

     *passthrough*, signifying that no IPsec processing should be done at all; *drop*, signifying that packets

     should be  discarded; and *reject*, signifying that packets should be discarded and a diagnostic ICMP

     returned. Charon currently supports only *tunnel*, transport, and transport_proxy connection types.

_xauth = *client* | server_

p((. specifies the role in the XAUTH protocol if activated by _authby=xauthpsk_ or _authby=xauthrsasig_.

h2. left|right end parameters

Connection descriptions are defined in terms of a left endpoint and a right endpoint. For example, the

two parameters leftid and rightid specify the identity of the left and the right endpoint. For every

connection description an attempt is made to figure out whether the local endpoint should act as the left or

the right endpoint. This is done by matching the IP addresses defined for both endpoints with the

IP addresses assigned to local network interfaces. If a match is found then the role (left or right) that

matches is going to be considered "local". If no match is found during startup, "left" is considered "local".

_left|right = <ip address> | <fqdn> | %defaultroute | %any_

p((. (required) the IP address of the participant's public-network interface or one of several magic values.

     If it is _%%defaultroute_, the value will be filled in automatically with the local address of

     the default-route interface (as determined at IPsec startup time and during configuration

     update). Either left or right may be _%%defaultroute_, but not both. The prefix % in front of a

     fully-qualified domain name or an IP address will implicitly set _leftallowany=yes_. If the domain name

     cannot be resolved into an IP address at IPsec startup or update time then _left=%any_ and _leftallowany=no_

     will be assumed.

p((. In case of an IKEv2 connection, the value _%any_ for the local endpoint signifies an address to be filled in

     (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table

     will be queried to determine the correct local IP address. In case the local peer is responding to a connection

     setup then any IP address that is assigned to a local interface will be accepted. Note that specifying _%any_

     for the local endpoint is not supported by the IKEv1 pluto daemon.

p((. If _%any_ is used for the remote endpoint it literally means any IP address.

p((. Please note that with the usage of wildcards multiple connection descriptions might match a given incoming

     connection attempt. The most specific description is used in that case.

_left|rightallowany = yes | *no*_

p((. a modifier for _left|right_, making it behave as _%any_ although a concrete IP address has been

     assigned. Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.

_left|rightauth = <auth method>_

p((. Authentication method to use locally (left) or require from the remote (right) side. This parameter is 

     supported in IKEv2 only. Acceptable values are *pubkey* for public key encryption (RSA/ECDSA), *psk*

     for pre-shared key authentication, and *eap* to [require the] use of the Extensible Authentication Protocol.

     In the case of *eap*, an optional EAP method can be appended. Currently defined methods are *eap-aka*,

     *eap-sim*, *eap-gtc*, *eap-md5*, and *eap-mschapv2*.  Alternatively, IANA assigned EAP method

     numbers are accepted. Vendor specific EAP methods are defined in the form *eap-type-vendor* (e.g.

     *eap-7-12345*).

_left|rightauth2 = <auth method>_

p((. Same as _left|rightauth_, but defines a second authentication exchange. IKEv2 supports multiple authentication

     rounds using _Multiple Authentication Exchanges_ defined in "RFC 4739":http://tools.ietf.org/html/rfc4739.

     This allows e.g. a separate authentication of host and user (IKEv2 only).

_left|rightca = <issuer dn> | %same_

p((. the distinguished name of a certificate authority which is required to lie in the trust path going from the

     _left|right_ participant's certificate up to the root certification authority.

_left|rightca2 = <issuer dn> | %same_

p((. Same as _left|rightca_ but for the second authentication (IKev2 only).

_left|rightcert = <path>_

p((. the path to the left|right participant's X.509 certificate. The file can be coded either in PEM or DER format.

     OpenPGP certificates are supported as well (IKEv1 only).  Both absolute paths or paths relative to

     [[IpsecDirectoryCerts|/etc/ipsec.d/certs]] are accepted. By default _left|rightcert_ sets _left|rightid_

     to the distinguished name of the certificate's subject and _left|rightca_ to the distinguished name of

     the certificate's issuer. The _left|right_ participant's ID can be overridden by specifying a _left|rightid_

     value which must be certified by the certificate, though.

_left|rightcert2 = <path>_

p((. Same as _left|rightcert_ but for the second authentication round (IKEv2 only).

_left|rightfirewall = yes | *no*_

p((. whether the _left|right_ participant is doing forwarding-firewalling (including  masquerading)

     using iptables for traffic from _left|rightsubnet_, which should be turned off for traffic to the

     other subnet) once the connection is established. May not be used in the same connection description with

     _left|rightupdown_. Implemented as a parameter to the default _ipsec _updown_ script. Relevant only

     locally, other end need not agree on it.

p((. If one or  both security gateways are doing forwarding firewalling (possibly including masquerading),

     and this is specified using the firewall parameters, tunnels  established with  IPsec  are exempted from

     it so that packets can flow unchanged through the tunnels. (This means that all subnets connected in this

     manner must have distinct, non-overlapping subnet address blocks.)  This is done by the default 

     _ipsec _updown_ script (see pluto(8)).

p((. In situations calling for more control, it may be preferable for the user to supply his own updown script,

     which makes the appropriate adjustments for his system.

_left|rightgroups = <group list>_

p((. a comma-separated list of group names. If the _left|rightgroups_ parameter is present then the peer must

     be a member of at least one of the groups defined by the parameter. Group membership must be certified by a

     valid attribute certificate stored in [[IpsecDirectoryAcerts|/etc/ipsec.d/acerts]] that has been issued

     to the peer by a trusted Authorization Authority stored in [[IpsecDirectoryAacerts|/etc/ipsec.d/aacerts]].

     Attribute certificates are not supported in IKEv2 yet.

_left|righthostaccess = yes | *no*_

p((. inserts a pair of INPUT and OUTPUT iptables rules using the default _ipsec _updown_ script,

     thus allowing access to the host itself in the case where the host's internal interface is part

     of the negotiated client subnet. 

_left|rightid = <id>_

p((. how the _left|right_ participant should be identified for authentication; defaults to _left|right_.

     Can be an IP address or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).

_left|rightid2 = <id>_

p((. Identity to use for the second authentication of the left participant (IKEv2 only).

     Defaults to _left|rightid_.

_leftikeport = <port>_

p((. UDP port the left participant uses for IKE communication. Currently supported in IKEv2 connections only.

     If unspecified, port 500 is used with the port floating to 4500 if a NAT is detected or MOBIKE is enabled.

     Specifying a local IKE port different from the default additionally requires a socket implementation that

     listens to this port.

_left|rightnexthop = %direct | %defaultroute | <ip address> | <fqdn>_

p((. this parameter is usually not needed any more because the NETKEY IPsec stack does not require

     explicit routing entries for the traffic to be tunneled. If _left|sourceip_ is used with IKEv1

     then _left|rightnexthop_ must still be set in order for the source routes to work properly.

_left|rightprotoport = <protocol>/<port>_

p((. restrict the traffic selector to a single protocol and/or port. Examples: _leftprotoport=tcp/http_

     or _leftprotoport=6/80_ or _rightprotoport=udp_

_left|rightrsasigkey = *%cert* | <raw rsa public key>_

p((. the left participant's public key for RSA signature authentication, in RFC 2537 format using ttodata(3)

     encoding. The default value _%cert_ means that the key is extracted from a certificate.

_left|rightsendcert = never | no | *ifasked* | always | yes_

p((. Accepted values are *never* or *no*, *always* or *yes*, and *ifasked*, the latter meaning that 

     the peer must send a certificate request (CR) payload in order to get a certificate in return.

_leftsourceip = %config | %cfg | %modeconfig | %modecfg | <ip address>_

p((. The internal source IP to use in a tunnel, also known as [[VirtualIp|virtual IP]].

     If the value is one of the synonyms _%modeconfig, %modecfg, %config_, or _%cfg_, an address is

     requested from the peer. In IKEv2, a statically defined address is also requested, since the server

     may change it.

p((. If _leftsourceip=%config_ is set to request a [[VirtualIp|virtual IP]] from the peer then the

     responder must define the address-to-be-assigned using a separate conn section with a _rightsourceip_

     statement for each client.

_rightsourceip = %config | <network>/<netmask> | %poolname_

p((. The internal source IP to use in a tunnel for the remote peer. If the value is %config on the responder

     side, the initiator must propose an address which is then echoed back. Also supported are address pools

     expressed as _<network>/<netmask>_ or the use of an external IP address pool using _%%poolname_ where

     _poolname_ is the name of the IP address pool used for the lookup (see [[VirtualIp|virtual IP]] for details). 

_left|rightsubnet = <ip subnet>_

p((. private subnet behind the left participant, expressed as network/netmask (actually, any form acceptable to

     ttosubnet(3)); if omitted, essentially assumed to be left/32, signifying that the _left|right_ end of the

     connection goes to the _left|right_ participant only. When using IKEv2, the configured subnet of the peers

     may differ, the  protocol  narrows  it  to  the greatest common subnet. Further, IKEv2 supports multiple

     subnets separated by commas. IKEv1 only interprets the first subnet of such a definition. 

_left|rightsubnetwithin = <ip subnet>_

p((. the  peer can propose any subnet or single IP address that fits within the range defined by

     _left|rightsubnetwithin_.  Not relevant for IKEv2, as subnets are narrowed.

_left|rightupdown = <path>_

p((. what _updown_ script to run to adjust routing and/or firewalling when the status of the connection

     changes (default _ipsec _updown_). Relevant only locally, other end need not agree on it.

     IKEv2 uses the _updown_ script to insert firewall rules only, since routing has been implemented directly

     into Charon.