strongSwan

{{title(ipsec.conf: conn Reference)}}

h1. ipsec.conf: conn <name>

{{>toc}}

h2. General Connection Parameters

_aaa_identity = <id>_

p((. defines the identity of the AAA backend used during IKEv2 EAP authentication. This is required if

     the EAP client uses a method that verifies the server identity (such as EAP-TLS), but it does not

     match the IKEv2 gateway identity.

_ah = <cipher suites>_

p((. comma-separated list of AH algorithms to be used for the connection, e.g. _sha1-sha256-modp1024_.

     The notation is integrity[-dhgroup]. For IKEv2, multiple algorithms (separated by -) of the same type

     can be included in a single proposal. IKEv1 only includes the first algorithm in a proposal.

     Only either the *ah* or the *esp* keyword may be used, AH+ESP bundles are not supported.

p((. There is no default AH cipher suite since by default ESP is used. The daemon adds its extensive default

     proposal to the configured value. To restrict it to the configured proposal an exclamation mark (!) can

     be added at the end.

     *Note:* As a responder, the daemon defaults to selecting the first configured proposal that's also

     supported by the peer. By disabling _charon.prefer_configured_proposals_ in [[strongswan.conf]] this may

     be changed to selecting the first acceptable proposal sent by the peer instead.

     In order to restrict a responder to only accept specific cipher suites, the strict flag (!, exclamation mark)

     can be used, e.g: sha256-sha512-modp2048!

p((. If dh-group is specified, CHILD_SA/Quick Mode setup and rekeying include a separate Diffe-Hellman

     exchange (refer to _esp_ for details).

p((. Refer to [[IKEv1CipherSuites]] and [[IKEv2CipherSuites]] for a list of valid keywords.

p((. Available since [[5.1.1]].

_aggressive = yes | *no*_

p((. whether to use IKEv1 Aggressive or Main Mode (the default). Available since [[5.0.0]].

_also = <name>_

p((. includes conn section <name>. Some aspects of this changed with version:5.2.0 (refer to [[IpsecConf#Reusing-Existing-Parameters]] for details).

_authby = *pubkey* | rsasig | ecdsasig | psk | secret | xauthrsasig | xauthpsk | never_

p((. how the two security gateways should authenticate each other; acceptable values are *secret* or *psk*

     for pre-shared secrets, *pubkey* (the default) for public key signatures as well as the synonyms *rsasig*

     for RSA digital signatures and *ecdsasig* for Elliptic Curve DSA signatures.

     *never*  can be used if negotiation is never to be attempted or accepted (useful for shunt-only conns).

     Digital signatures are superior in every way to shared secrets. IKEv1 additionally supports the values

     *xauthpsk* and *xauthrsasig* that will enable _eXtended Authentication (XAuth)_ in addition to IKEv1 main

     mode based on shared secrets or digital RSA signatures,  respectively.

     This parameter is deprecated for IKEv2 connections (and IKEv1 connections since [[5.0.0]]), as two peers

     do not need to agree on an authentication method. Use the _left|rightauth_ parameter instead to define

     authentication methods.

_auto = *ignore* | add | route | start_

p((. what operation, if any, should be done automatically at IPsec startup. *add* loads a connection without

     starting it. *route* loads a connection and installs kernel traps. If traffic is detected between

     _leftsubnet_ and _rightsubnet_, a connection is established. *start* loads a connection and brings

     it up immediately. *ignore* ignores the connection. This is equal to deleting a connection from the config

     file. Relevant only locally, other end need not agree on it.

_closeaction = *none* | clear | hold | restart_

p((. defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see _dpdaction_ for

     meaning of values). A _closeaction_ should not be used if the peer uses reauthentication or uniqueids checking,

     as these events might trigger the defined action when not desired. Prior to version:5.1.0, _closeaction_ was 

     not supported for IKEv1 connections.

_compress = yes | *no*_

p((. whether IPComp compression of content is proposed on the connection (link-level compression does not work on

     encrypted data, so to be effective, compression must be done before encryption). A value of *yes* causes the daemon

     to propose both compressed and  uncompressed, and  prefer compressed. A value of *no* prevents the daemon from proposing or accepting compression.

_dpdaction = *none* | clear | hold | restart_

p((. controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages

     (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the

     IPsec peer. The values *clear*, *hold*, and *restart* all activate DPD and determine the action to perform on a timeout.

     With *clear* the connection is closed with no further actions taken. *hold* installs a trap policy, which will catch

     matching traffic and tries to re-negotiate the connection on demand. *restart* will immediately trigger an attempt

     to re-negotiate the connection. The default is *none* which disables the active sending of DPD messages.

_dpddelay = *30s* | <time>_

p((. defines  the  period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer.

     These are only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL

     messages and uses only standard messages (such as those to rekey) to detect dead peers.

_dpdtimeout = *150s* | <time>_

p((. defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.

     This only applies to IKEv1, in IKEv2 the default [[Retransmission|retransmission timeout]] applies, as every exchange is used to

     detect dead peers.

_inactivity = <time>_

p((. defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic.

     Not supported for IKEv1 connections prior to [[5.0.0]].

_eap_identity = <id>_

p((. defines the identity the client uses to reply to an EAP Identity request. If defined on the EAP server, the defined

     identity  will be used as peer identity during EAP authentication. The special value _%identity_ uses the EAP Identity method

     to ask the client for a EAP identity. If not defined, the IKEv2 identity will be used as EAP identity.

_esp = <cipher suites>_

p((. comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g.

     _aes128-sha256_. The notation is _encryption-integrity[-dhgroup][-esnmode]_.

     For IKEv2, multiple algorithms (separated by -) of the same type can be included in a single proposal.

     IKEv1 only includes the first algorithm in a proposal.  Only either the *ah* or the *esp* keyword may

     be used, AH+ESP bundles are not supported.

p((. Defaults to *aes128-sha256* (_aes128-sha1,3des-sha1_ before version:5.4.0). The daemon adds its extensive default

     proposal to this default or the configured value. To restrict it to the configured proposal an exclamation mark (*!*)

     can be added at the end.

     *Note:* As a responder, the daemon defaults to selecting the first configured proposal that's also

     supported by the peer. By disabling _charon.prefer_configured_proposals_ in [[strongswan.conf]] this may

     be changed to selecting the first acceptable proposal sent by the peer instead.

     In order to restrict a responder to only accept specific cipher suites, the strict flag (*!*, exclamation mark)

     can be used, e.g: _aes256-sha512-modp4096!_

p((. If _dh-group_ is specified, CHILD_SA rekeying and initial negotiation include a separate Diffe-Hellman

     exchange (since [[5.0.0]] this also applies to IKEv1 Quick Mode). However, for IKEv2, the keys of the CHILD_SA

     created implicitly with the IKE_SA will always be derived from the IKE_SA's key material. So any DH group

     specified here will only apply when the CHILD_SA is later rekeyed or is created with a separate CREATE_CHILD_SA

     exchange.  Therefore, a proposal mismatch might not immediately be noticed when the SA is established,

     but may later cause rekeying to fail.

p((. Valid values for _esnmode_ are _esn_ and _noesn_.  Specifying both negotiates extended sequence

     number support with the peer, the default is *noesn*.

p((. Refer to [[IKEv1CipherSuites]] and [[IKEv2CipherSuites]] for a list of valid keywords.

_forceencaps = yes | *no*_

p((.  force UDP encapsulation for ESP packets even if no NAT situation is detected.

      This may help to surmount restrictive firewalls. In order to force the peer to

      encapsulate packets, NAT detection payloads are faked.

      Not supported for IKEv1 connections prior to [[5.0.0]].

_fragmentation = *yes* | accept | force | no_

p((.  whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per "RFC 7383":http://tools.ietf.org/html/rfc7383).

      Fragmented messages sent by a peer are always processed irrespective of the value of this option (even when set to *no*).

      If set to *yes* (the default since version:5.5.1) and the peer supports it, oversized IKE messages will be sent in fragments (the

      maximum fragment size can be configured in [[strongswan.conf]]). If set to *accept* (available since version:5.5.3) support for

      fragmentation is announced to the peer but the daemon does not send its own messages in fragments.

      If set to *force* (only supported for IKEv1) the initial IKE message will already be fragmented if required.

      Available for IKEv1 connections since version:5.0.2 and for IKEv2 connections since version:5.2.1.

_ike = <cipher suites>_

p((. comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used, e.g.

     _aes128-sha256-modp3072_. The notation is _encryption-integrity[-prf]-dhgroup_. In IKEv2, multiple algorithms

     and proposals may be included, such as _aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024_.

p((. The ability to configure a PRF algorithm different to that defined for integrity protection was added with [[5.0.2]].

     If no PRF is configured, the algorithms defined for integrity are proposed as PRF.  The prf keywords are the same as

     the integrity algorithms, but have a _prf_ prefix (such as _prfsha1_, _prfsha256_ or _prfaesxcbc_).

p((. Defaults to *aes128-sha256-modp3072* (_aes128-sha1-modp2048,3des-sha1-modp1536_ before version:5.4.0) for IKEv1.

     The daemon adds its extensive default proposal to this default or the configured value. To restrict it to the

     configured proposal an exclamation mark (*!*) can be added at the end.

     Refer to [[IKEv1CipherSuites]] and [[IKEv2CipherSuites]] for a list of valid keywords.

p((. *Note*: As a responder both daemons accept the first supported proposal received from the peer. In order

     to restrict a responder to only accept specific cipher suites, the strict flag (*!*, exclamation mark)

     can be used, e.g: _aes256-sha512-modp4096!_

_ikedscp = *000000* | <DSCP field>_

p((. Differentiated Services Field Codepoint to set on outgoing IKE packets sent

     from this connection. The value is a six digit binary encoded string defining

     the Codepoint to set, as defined in "RFC 2474":http://tools.ietf.org/html/rfc2474.

_ikelifetime = *3h* | <time>_

p((. how long the keying channel of a connection (_ISAKMP or IKE SA_) should last before being renegotiated.

     Also see [[ExpiryRekey|Expiry and Rekey]].

_installpolicy = *yes* | no_

p((. decides whether IPsec policies are installed in the kernel by the charon daemon for a given connection.

     Allows peaceful cooperation e.g. with the Mobile IPv6  _mip6d_ daemon who wants to control the kernel policies.

_keyexchange = *ike* | ikev1 | ikev2_

p((. method of key exchange; which protocol should be used to initialize the connection.

     Prior to [[5.0.0]] connections marked with *ikev1*  were initiated with Pluto, those marked with *ikev2* with Charon.

     An incoming request from the remote peer was handled by the correct daemon, unaffected from the _keyexchange_ setting.

     Starting with strongSwan [[4.5.0]] the default value *ike* is a synonym for *ikev2*, whereas in older strongSwan releases *ikev1* was assumed.

     Since [[5.0.0]] both protocols are handled by Charon and connections marked with *ike* will use IKEv2 when initiating, but accept any protocol version when responding.

_keyingtries = *3* | <number> | %forever_

p((. how  many attempts (a positive integer or _%forever_) should be made to negotiate a connection, or a replacement

     for one, before giving up (default 3). The value _%forever_ means 'never give up'.  Relevant  only  locally, other end need

     not agree on it.

_keylife_

p((. synonym for _lifetime_.

_lifebytes = <number>_

p((. the number of bytes transmitted over an IPsec SA before it expires. Not supported for IKEv1 connections prior to [[5.0.0]].

_lifepackets = <number>_

p((. the number of packets transmitted over an IPsec SA before it expires. Not supported for IKEv1 connections prior to [[5.0.0]].

_lifetime = *1h* | <time>_

p((. how  long  a  particular  instance  of a connection (a set of encryption/authentication keys for user packets)

     should last, from successful negotiation to expiry; acceptable values are an integer optionally followed by

     _s_ (a time in seconds) or a decimal number followed by _m_, _h_, or _d_ (a time in minutes, hours,

     or days respectively) (default _1h_, maximum _24h_).  Normally, the connection is renegotiated (via the

     keying  channel) before it expires (see _margintime_).  The two ends need not exactly agree on _lifetime_, although if they

     do not, there will be some clutter of superseded connections on the end which thinks the lifetime is longer.

     Also see [[ExpiryRekey|Expiry and Rekey]].

_marginbytes = <number>_

p((. how many bytes before IPsec SA expiry (see _lifebytes_) should attempts to negotiate a replacement begin.

_marginpackets = <number>_

p((. how many packets before IPsec SA expiry (see _lifepackets_) should attempts to negotiate a replacement begin.

_margintime = *9m* | <time>_

p((. how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values

     as for _lifetime_ (default _9m_).  Relevant only locally, other end need not agree on it. Also see [[ExpiryRekey|Expiry and Rekey]].

_mark = <value>[/<mask>]_

p((. sets an XFRM mark on the inbound policy (before version:5.5.2 also on the IPsec SA) and outbound IPsec SA and policy.

     If the mask is missing then a default mask of *0xffffffff* is assumed. Since version:5.3.0 the special value *%unique*

     assigns a unique value to each newly created IPsec SA (used e.g. in combination with the [[forecast]] or

     [[connmark]] plugins). To additionally make the mark unique for each IPsec SA direction (in/out) the special value

     *%unique-dir* may be used since version:5.6.0.

_mark_in = <value>[/<mask>]_

p((. sets an XFRM mark on the inbound policy (and before version:5.5.2 also on the inbound SA). If the mask is missing then

     a default mask of *0xffffffff* is assumed.

_mark_out = <value>[/<mask>]_

p((. sets an XFRM mark on the outbound IPsec SA and policy. If the mask is missing then

     a default mask of *0xffffffff* is assumed.

_mobike = *yes* | no_

p((. enables the IKEv2 [[MobIke|MOBIKE]] protocol defined by RFC 4555. If set to *no*, the charon

     daemon will not actively propose [[MobIke|MOBIKE]] as initiator and ignore the MOBIKE_SUPPORTED

     notify as responder.

_modeconfig = push | *pull*_

p((. defines which mode is used to assign a virtual IP. Currently relevant for IKEv1 only since IKEv2 always uses

     the configuration payload in *pull* mode. Cisco VPN gateways usually operate in *push* mode.

     In versions prior to [[5.1.1]] the charon daemon did not support *push* mode.

     This setting must be the same on both sides.

_reauth = *yes* | no_

p((. whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.

     In  IKEv2, a value of *no* rekeys without uninstalling the IPsec SAs, a value of *yes* (the default)

     creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

_rekey = *yes* | no_

p((. whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but

     while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding

     to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it.

     Also see _reauth_.

_rekeyfuzz = *100%* | <percentage>_

p((. maximum percentage by which _marginbytes_, _marginpackets_ and _margintime_ should be randomly increased to randomize

     rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100,

     followed  by  a '%' .

     The value of _marginTYPE_, after this random increase, must not exceed _lifeTYPE_ (where TYPE is one of bytes, packets or time).

     The value _0%_ will suppress randomization. Relevant only locally, other end need not agree on it.

     Also see [[ExpiryRekey|Expiry and Rekey]].

_rekeymargin_

p((.  synonym for _margintime_.

_replay_window = -1 | <number>_

p((. The  IPsec  replay  window  size  for  this connection. With the default of -1 the value configured with _charon.replay_window_  in

     [[strongswan.conf]]  is used. Larger values than 32 are supported using the Netlink backend only, a  value  of  0  disables  IPsec

     replay protection. Available since version:5.2.0.

_reqid = <number>_

p((. sets the reqid for a given connection to a pre-configured fixed value.

_sha256_96 = *no* | yes_

p((. HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility with implementations that     incorrectly use 96-bit

     truncation this option may be enabled to configure the shorter truncation length in the kernel.  This is not negotiated, so this

     only works with peers that use the incorrect truncation length (or have this option enabled). Available since version:5.5.3.

_tfc = <value>_

p((. number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.

_type = *tunnel* | transport | transport_proxy | passthrough | drop_

p((. the type of the connection; currently the accepted values are *tunnel*, signifying a  host-to-host,

     host-to-subnet, or subnet-to-subnet tunnel; *transport*, signifying host-to-host transport mode;

     *transport_proxy*, signifying the special Mobile IPv6 transport proxy mode;

     *passthrough*, signifying that no IPsec processing should be done at all; *drop*, signifying that packets

     should be  discarded.

_xauth = *client* | server_

p((. specifies the role in the XAuth protocol if activated by _authby=xauthpsk_ or _authby=xauthrsasig_.

_xauth_identity = <id>_

p((. defines the identity/username the client uses to reply to an XAuth request. If not defined, the IKEv1 identity will be used as XAuth identity.

h2. left|right End Parameters

Connection descriptions are defined in terms of a left endpoint and a right endpoint. For example, the

two parameters leftid and rightid specify the identity of the left and the right endpoint. For every

connection description an attempt is made to figure out whether the local endpoint should act as the left or

the right endpoint. This is done by matching the IP addresses defined for both endpoints with the

IP addresses assigned to local network interfaces. If a match is found then the role (left or right) that

matches is going to be considered "local". If no match is found during startup, "left" is considered "local".

_left|right = <ip address> | <fqdn> | *%any* | range | subnet_

p((. The IP address of the participant's public-network interface or one of several magic values.

     The value _%any_ for the local endpoint signifies an address to be filled in

     (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table

     will be queried to determine the correct local IP address. In case the local peer is responding to a connection

     setup then any IP address that is assigned to a local interface will be accepted.

p((. Prior to [[5.0.0]] specifying _%%any_ for the local endpoint was not supported for IKEv1 connections, instead

     the keyword _%%defaultroute_ could be used, causing the value to be filled in automatically with the local

     address of the default-route interface (as determined at IPsec startup time and during configuration

     update). Either left or right may be _%defaultroute_, but not both.

p((. The prefix % in front of a fully-qualified domain name or an IP address will implicitly set _left|rightallowany=yes_.

p((. If _%any_ is used for the remote endpoint it literally means any IP address.

p((. If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out,

     the lookup is delayed for that time.

p((. Since [[5.1.1]] connections can be limited to a specific range of hosts. To do so a range (10.1.0.0-10.2.255.255)

     or a subnet (10.1.0.0/16) can be specified, and multiple addresses, ranges and subnets can be separated by commas.

     While one can freely combine these items, to initiate the connection at least one non-range/subnet is required.

p((. Please note that with the usage of wildcards multiple connection descriptions might match a given incoming

     connection attempt. The most specific description is used in that case.

_left|rightallowany = yes | *no*_

p((. a modifier for _left|right_, making it behave as _%any_ although a concrete IP address has been

     assigned. Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.

_left|rightauth = <auth method>_

p((. Authentication method to use locally (left) or require from the remote (right) side. Acceptable values are *pubkey*

     for public key encryption (RSA/ECDSA), *psk* for pre-shared key authentication, *eap* to [require the] use of the Extensible Authentication Protocol, and *xauth* for IKEv1 eXtended Authentication.

p((. To require a trustchain public key strength for the remote side, specify the key type followed

     by the minimum strength in bits (for example *ecdsa-384* or *rsa-2048-ecdsa-256*).

     To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms

     to *pubkey* or a key strength definition (for example *pubkey-sha1-sha256* or *rsa-2048-ecdsa-256-sha256-sha384-sha512*).

     Since version:5.3.0 and unless disabled in [[strongswan.conf]], or explicit IKEv2 signature constraints are

     configured (see below), such key types and hash algorithms are also applied as constraints against IKEv2 signature

     authentication schemes used by the remote side.

p((. Since version:5.3.0 and if both peers support "RFC 7427":http://tools.ietf.org/html/rfc7427 ("Signature  Authentication in IKEv2") specific hash

     algorithms to be used during IKEv2 authentication may be configured. The syntax is the same as above,

     but with _ike:_ prefix (before version:5.4.0 without that prefix).

     For  example, with _ike:pubkey-sha384-sha256_ a public key signature scheme with either SHA-384 or SHA-256

     would get used for authentication, in that order and depending on the hash algorithms supported by the peer.

     If no specific hash algorithms are  configured, the default is to prefer an algorithm that matches or exceeds

     the strength of the signature key.

     If no constraints with _ike:_ prefix are configured any signature scheme constraint (without _ike:_ prefix) will

     also apply to IKEv2 authentication, unless this is disabled in [[strongswan.conf]] (this is also the behavior before

     version:5.4.0, which introduced the _ike:_ prefix).

     Since version:5.6.1 RSASSA-PSS signatures are supported. To use or require them configure _rsa/pss_ instead of _rsa_

     as in e.g. _ike:rsa/pss-sha256_. If _pubkey_ or _rsa_ constraints are configured RSASSA-PSS signatures will only be

     used/accepted if enabled in [[strongswan.conf]].

p((. In the case of *eap*, an optional EAP method can be appended. Currently defined methods are *eap-aka*,

     *eap-gtc*, *eap-md5*, *eap-mschapv2*, *eap-peap*, *eap-sim*, *eap-tls*, *eap-ttls*, *eap-dynamic*, and *eap-radius*.

     Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined

     in the form *eap-type-vendor* (e.g. *eap-7-12345*).

     Since version:5.3.0 signature and trust chain constraints for EAP-(T)TLS may be defined.  To do so, append a

     colon to the EAP method, followed by the key type/size and hash algorithm as discussed above.

     For *xauth*, an XAuth authentication backend can be specified, such as *xauth-generic* or *xauth-eap*.

     If XAuth is used in _leftauth_, Hybrid authentication is used. For traditional XAuth authentication, define XAuth in _leftauth2_.

p((. Not supported for IKEv1 connections prior to [[5.0.0]].

_left|rightauth2 = <auth method>_

p((. Same as _left|rightauth_, but defines an additional authentication exchange. In IKEv1, only XAuth can be used

     in the second authentication round. IKEv2 supports multiple complete authentication rounds using

     _Multiple Authentication Exchanges_ defined in "RFC 4739":http://tools.ietf.org/html/rfc4739. This allows e.g. a separate authentication of host and user.

p((. Not supported for IKEv1 connections prior to [[5.0.0]].

_left|rightca = <issuer dn> | %same_

p((. the distinguished name of a certificate authority which is required to lie in the trust path going from the

     _left|right_ participant's certificate up to the root certification authority.

     *%same* means that the value configured for the other participant should be reused.

_left|rightca2 = <issuer dn> | %same_

p((. Same as _left|rightca_ but for the second authentication (IKev2 only).

_left|rightcert = <path>_

p((. the path to the left|right participant's X.509 certificate. The file can be coded either in PEM or DER format.

     OpenPGP certificates are supported as well.  Both absolute paths or paths relative to

     [[IpsecDirectoryCerts|/etc/ipsec.d/certs]] are accepted. By default _left|rightcert_ sets _left|rightid_

     to the distinguished name of the certificate's subject. The _left|right_ participant's ID can be overridden

     by specifying a _left|rightid_ value which must be certified by the certificate, though.

p((. Since [[5.0.2]] certificates can be configured in the form _%smartcard[<slot nr>[@<module>]]:<keyid>_, which

     defines a specific certificate to load from a PKCS#11 backend for this connection (e.g. via the [[PKCS11Plugin|pkcs11 plugin]]).

     See [[PinSecret|ipsec.secrets]] for details about smartcard definitions.

     Defining a certificate on a smartcard with _left|rightcert_ is only required if the automatic selection via _left|rightid_

     is not sufficient, for example, if multiple certificates use the same subject.

p((. Since [[5.0.3]] multiple certificate paths or PKCS#11 backends can be specified in a comma separated list.

     The daemon chooses the certificate based on the received certificate requests, if possible, before enforcing

     the first.

_left|rightcert2 = <path>_

p((. Same as _left|rightcert_ but for the second authentication round (IKEv2 only).

_left|rightcertpolicy = <OIDs>_

p((. Comma separated list of certificate policy OIDs the peer's certificate must have.

     OIDs are specified using the numerical dotted representation. Not supported for IKEv1 connections prior to [[5.0.0]].

_left|rightdns = <servers>_

p((. Comma separated list of DNS server addresses to exchange as configuration attributes. On the initiator,

     a server is a fixed IPv4/IPv6 address, or _%config4/%config6_ to request attributes without an address.

     On the responder, only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned to the client.

     Available since [[5.0.1]].

_left|rightfirewall = yes | *no*_

p((. whether the _left|right_ participant is doing forwarding-firewalling (including  masquerading)

     using iptables for traffic from _left|rightsubnet_, which should be turned off for traffic to the

     other subnet) once the connection is established. May not be used in the same connection description with

     _left|rightupdown_. Implemented as a parameter to the default _ipsec _updown_ script. Relevant only

     locally, other end need not agree on it.

p((. If one or  both security gateways are doing forwarding firewalling (possibly including masquerading),

     and this is specified using the firewall parameters, tunnels  established with  IPsec  are exempted from

     it so that packets can flow unchanged through the tunnels. (This means that all subnets connected in this

     manner must have distinct, non-overlapping subnet address blocks.)  This is done by the default 

     _ipsec _updown_ script.

p((. In situations calling for more control, it may be preferable for the user to supply his own _updown_ script,

     which makes the appropriate adjustments for his system.

_left|rightgroups = <group list>_

p((. a comma-separated list of group names. If the _left|rightgroups_ parameter is present then the peer must

     be a member of at least one of the groups defined by the parameter. Groups may be used together with the

     [[EapRadius#Group-selection|eap-radius]] plugin.

_left|rightgroups2 = <group list>_

p((. Same as _left|rightgroups_ but for the second authentication round defined with _left|rightauth2_.

     Available since [[5.0.1]].

_left|righthostaccess = yes | *no*_

p((. inserts a pair of INPUT and OUTPUT iptables rules using the default _ipsec _updown_ script,

     thus allowing access to the host itself in the case where the host's internal interface is part

     of the negotiated client subnet. 

_left|rightid = <id>_

p((. how the _left|right_ participant should be identified for authentication; defaults to _left|right_ or the subject of the

     certificate configured with _left|rightcert_.  If _left|rightcert_ is configured the identity has to be confirmed by the

     certificate, that is, it has to match the full subject DN or one of the subjectAltName extensions contained in the

     certificate.

p((. Can be an IP address, a fully-qualified domain name, an email address or a Distinguished Name for which the

     ID type is determined automatically and the string is converted to the appropriate encoding. The rules for this

     conversion are described on [[IdentityParsing]].  In versions before [[5.0.0]] fully-qualified domain names can be

     preceded by an @ to avoid them being resolved to an IP address.

p((. In certain special situations the identity parsing above might be inadequate or produce the wrong result.

     Examples are the need to encode a FQDN as KEY_ID or the string parser being unable to produce the correct

     binary ASN.1 encoding of a certificate's DN. For these situations it is possible since version:5.2.2 to enforce a specific

     identity type and to provide the binary encoding of the identity.  To do this a prefix may be used, followed by a

     colon (:). If the number sign (#) follows the colon, the remaining data is interpreted as hex encoding, otherwise

     the string is used as is as the identification data. *Note:* The latter implies that no conversion is performed for

     non-string identities. For example, _ipv4:10.0.0.1_ does not create a valid ID_IPV4_ADDR IKE identity, as it does not

     get converted to binary 0x0a000001. Instead, one could use _ipv4:#0a000001_ to get a valid identity, but just using

     the implicit type with [[IdentityParsing|automatic conversion]] is usually simpler. The same applies to the ASN.1 encoded types.

     The following prefixes are known: _ipv4, ipv6, rfc822, email, userfqdn, fqdn, dns, asn1dn, asn1gn_ and _keyid_.

     Custom type prefixes may be specified by surrounding the numerical type value with curly brackets.

p((. Since [[5.0.1]] _rightid_ for IKEv2 connections optionally takes a % as prefix in front of the identity.

     If given it prevents the daemon from sending IDr in its IKE_AUTH request and will allow it to verify the 

     configured identity against the subject and subjectAltNames contained in the responder's certificate (otherwise,

     it is only compared with the IDr returned by the responder). The IDr sent by the initiator might otherwise 

     prevent the responder from finding a config if it has configured a different value for _leftid_.

_left|rightid2 = <id>_

p((. Identity to use for the second authentication of the left participant (IKEv2 only).

     Defaults to _left|rightid_.

_left|rightikeport = <port>_

p((. UDP port the left participant uses for IKE communication. If unspecified, port 500 is used with the port

     floating to 4500 if a NAT is detected or MOBIKE is enabled.

     Specifying a local IKE port different from the default additionally requires a socket implementation that

     listens to this port. Not supported for IKEv1 connections prior to [[5.0.0]].

_left|rightprotoport = <protocol>/<port>_

p((. restrict the traffic selector to a single protocol and/or port.  Since [[5.1.0]] this option is deprecated

     as protocol/port information can be defined for each subnet directly in _left|rightsubnet_.

_left|rightrsasigkey = <raw rsa public key> | <path to public key>_

p((. Since [[5.1.0]] a synonym for _left|rightsigkey_. Before that it denoted the left|right participant's public key

for RSA signature authentication, in RFC 2537 format using hex (0x prefix) or base64 (0s prefix) encoding.

Also accepted was the path to a file containing the public key in PEM or DER encoding.

_left|rightsigkey = <raw public key> | <path to public key>_

p((. Added with [[5.1.0]]. The left|right participant's public key for public key signature authentication, in PKCS#1

format using  using hex (0x prefix) or base64 (0s prefix) encoding. With the optional _dns:_ or _ssh:_ prefix in front

of 0x or 0s, the public key is expected in either the RFC 3110 (not the full RR, only the RSA key part) or

RFC 4253 public key format, respectively.

Also accepted is the path to a file containing the public key in PEM, DER or SSH encoding. Both absolute paths or

paths relative to [[ipsecdirectorycerts|/etc/ipsec.d/certs]] are accepted.

_left|rightsendcert = never | no | *ifasked* | always | yes_

p((. Accepted values are *never* or *no*, *always* or *yes*, and *ifasked*, the latter meaning that 

     the peer must send a certificate request (CR) payload in order to get a certificate in return.

_leftsourceip = %config4 | %config6 | <ip address>_

p((. The internal source IP to use in a tunnel, also known as [[VirtualIp|virtual IP]].

     If the value is one of the synonyms _%config_, _%cfg_, _%modeconfig_ or _%modecfg_, an address (from

     the tunnel address family) is requested from the peer.

     Since [[5.0.1]] a comma-separated list is accepted to request multiple addresses, and with _%config4_ and

     _%config6_ an address of the given address family will be requested explicitly.

     If an IP address is configured, it will be requested from the responder, which is free to respond with a

     different address.

_rightsourceip = %config | <network>/<netmask> | <from>-<to> | %poolname_

p((. The internal source IP to use in a tunnel for the remote peer. If the value is %config on the responder

     side, the initiator must propose an address which is then echoed back. Also supported are address pools

     expressed as _<network>/<netmask>_ and _<from>-<to>_ (since version:5.2.2) or the use of an external IP address pool

     using _%%poolname_ where _poolname_ is the name of the IP address pool used for the lookup (see [[VirtualIp|virtual IP]] for details).

     Since [[5.0.1]] a comma-separated list of IP addresses / pools is accepted, for instance, to define pools of

     different address families.

_left|rightsubnet = <ip subnet>![[<proto/port>]][,...]_

p((. private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed

     to be _left_/32|128, signifying that the _left|right_ end of the connection goes to the _left|right_ participant only.

     The configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet.

     Since [[5.0.0]] this is also done for IKEv1, but as this may lead to problems with other implementations,

     make sure to configure identical subnets in such configurations.

     IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition,

     unless the Cisco Unity extension plugin is enabled (available since version:5.0.1).  This is due to a limitation of the IKEv1

     protocol, which only allows a single pair of subnets per CHILD_SA. So to tunnel several subnets a conn entry has

     to be defined and brought up for each pair of subnets.

p((. Since [[5.1.0]] the optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict

     the selector for that subnet. *Examples:* leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] or leftsubnet=fec1::1[udp],10.0.0.0/16[/53].

     Instead of omitting either value _%any_ can be used to the same effect, e.g. leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53].

p((. Since [[5.1.1]], if the protocol is _icmp_ or _ipv6-icmp_ the port is interpreted as ICMP message type if it is less than 256,

     or as type and code if it greater or equal to 256, with the type in the most significant 8 bits and the code in the

     least significant 8 bits.

p((. The port value can alternatively take the value _%opaque_ for RFC 4301 OPAQUE selectors, or a numerical range

     in the form 1024-65535. None of the kernel backends currently supports opaque or port ranges and uses _%any_

     for policy installation instead.

p((. Instead of specifying a subnet, _%dynamic_ can be used to replace it with the IKE address, having the same effect

     as omitting _left|rightsubnet_ completely. Using _%dynamic_ can be used to define multiple dynamic selectors,

     each having a potentially different protocol/port definition.

_left|rightupdown = <path>_

p((. what _updown_ script to run to adjust routing and/or firewalling when the status of the connection

     changes (default _ipsec _updown_). Relevant only locally, other end need not agree on it.

     Charon uses the _updown_ script to insert firewall rules only, since routing has been implemented directly

     into the daemon.

h2. IKEv2 Mediation Extension Parameters

The following parameters are relevant to IKEv2 Mediation Extension operation only.

_mediation = yes | *no*_

p((. whether this connection is a mediation connection,  ie.  whether this connection is used to mediate other

     connections.  Mediation connections create no child SA. Acceptable values  are  no (the default) and yes.

_mediated_by = <name>_

p((. the  name  of the connection to mediate this connection through. If given, the connection will  be  mediated

     through  the  named mediation  connection.  The mediation connection must set *mediation=yes*.

_me_peerid = <id>_

p((. ID as which the peer is known to the mediation server, ie. which the  other end of this connection uses as

     its leftid on its connection to the mediation server.  This is the ID we request  the mediation server to

     mediate us with.  If me_peerid is not given, the rightid of this connection will be used as peer ID.

h2. Removed parameters (since 5.0.0)

_auth = *esp* | ah_

p((. whether authentication should be done as part of ESP encryption, or separately using the AH protocol.

	Only supported by the IKEv1 daemon pluto.

p((. Since [[5.1.1]] the *ah* keyword can be used to configure AH with the charon IKE daemon.

_pfs = *yes* | no_

p((. whether _Perfect Forward Secrecy_ of keys is desired on the connection's keying channel (with PFS,

     penetration of the key-exchange protocol does not compromise keys negotiated earlier). IKEv2 always uses

     PFS for IKE_SA rekeying whereas for CHILD_SA rekeying PFS is enforced by defining a Diffie-Hellman dhgroup

     in the _esp_ parameter.  Since [[5.0.0]] the latter also applies to IKEv1 and this parameter has no effect anymore.

_pfsgroup = <modp group>_

p((. defines a Diffie-Hellman group for _perfect forward secrecy_ in IKEv1 Quick Mode differing from the DH group

     used for IKEv1 Main Mode (IKEv1 pluto daemon only).

_left|rightnexthop = %direct | %defaultroute | <ip address> | <fqdn>_

p((. This parameter is usually not needed any more because the NETKEY IPsec stack does not require

     explicit routing entries for the traffic to be tunneled. If _left|sourceip_ is used with IKEv1

     then _left|rightnexthop_ must still be set in order for the source routes to work properly.

_left|rightsubnetwithin = <ip subnet>_

p((. the  peer can propose any subnet or single IP address that fits within the range defined by

     _left|rightsubnetwithin_.  Is a synonym for _left|rightsubnet_ since [[5.0.0]], as subnets are narrowed.