ipsec.conf

strongSwan's /etc/ipsec.conf configuration file consists of three different section types: config setup, conn and ca.

There can be only one config setup section but an unlimited number of conn and ca sections.

All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.

A line which contains include followed by a file name is replaced by the contents
of that file. If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: include ipsec.*.conf

Reusing Existing Parameters

All conn and ca sections inherit the parameters defined in a conn %default
or ca %default section, respectively.

Parameters defined in other conn or ca sections may be included in a section
with the also=othersection parameter. The included section may in turn use the
also keyword to include other sections.

In versions prior to 5.2.0 each setting could only be defined once, so settings included
via also could not be changed (the only exception was settings defined in the %default
section, which could be overwritten once).
Since 5.2.0 settings from included sections may be changed; the same setting may
even be defined multiple times in the same section, in which case the last value is used. It does
not matter whether settings are defined before or after an also statement: settings in the current
section always override inherited settings. If multiple also statements are used in the
same section, however, their order matters (settings from a section included later override those
from previously included sections). The new parser also allows a setting to be unset by
assigning no value (e.g. leftcert=); the setting's default value, if any, then applies, which
may be used to "remove" settings inherited from e.g. the %default section.
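The inheritance rules above (indented parameters, '#' comments, %default, also= ordering, current-section override, unsetting with an empty value) as an added, runnable illustration. This is not strongSwan's own parser; it handles a single file (no include) and is meant only to make the 5.2.0 semantics concrete, with a constructed sample based on the example below.

```python
# Added example, not strongSwan's parser: applies the ipsec.conf inheritance rules above.
def parse_sections(text):  # -> list of (kind, name, [(key, value), ...]) in file order
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # the rest of a line after '#' is a comment
        if not line.strip():
            continue
        if line[0] in ' \t':                   # indented: a parameter of the current section
            key, _, value = line.strip().partition('=')
            sections[-1][2].append((key.strip(), value.strip()))
        else:                                  # unindented: a new section header
            kind, _, name = line.partition(' ')
            sections.append((kind, name.strip(), []))
    return sections

def _merged(sections, kind, name, seen=frozenset()):  # one section plus its also= includes
    if (kind, name) in seen:
        raise ValueError(f"circular also= chain at '{kind} {name}'")
    params = next(p for k, n, p in sections if (k, n) == (kind, name))  # StopIteration if absent
    merged = {}
    for key, value in params:                  # also= sections in order: later ones override
        if key == 'also':
            merged.update(_merged(sections, kind, value, seen | {(kind, name)}))
    for key, value in params:                  # own settings always beat inherited ones;
        if key != 'also':                      # an empty value such as 'leftcert=' unsets the key
            merged[key] = value or None
    return merged

def resolve(sections, kind, name):  # effective settings of a conn/ca section (5.2.0+ rules)
    has_default = any((k, n) == (kind, '%default') for k, n, _ in sections)
    effective = _merged(sections, kind, '%default') if has_default else {}
    if name != '%default':
        effective.update(_merged(sections, kind, name))
    return {k: v for k, v in effective.items() if v is not None}

# Constructed sample: the page's example extended with an also= include and an unset.
SAMPLE = """\
conn %default
    keyingtries=1
    leftcert=moonCert.pem
conn base
    leftsubnet=10.1.0.0/16
conn roadwarrior
    also=base
    right=%any
    keyingtries=3    # the current section overrides %default
    leftcert=        # unsets the value inherited from %default
    auto=add
"""
```

Calling resolve(parse_sections(SAMPLE), 'conn', 'roadwarrior') yields keyingtries=3 from the section itself, leftsubnet from base, and no leftcert at all, because the empty assignment removed the %default value.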

Example

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
       cachecrls=yes
       strictcrlpolicy=yes

ca strongswan  #define alternative CRL distribution point
       cacert=strongswanCert.pem
       crluri=http://crl2.strongswan.org/strongswan.crl
       auto=add

conn %default
       keyingtries=1
       keyexchange=ikev2

conn roadwarrior
       leftsubnet=10.1.0.0/16
       leftcert=moonCert.pem
       leftid=@moon.strongswan.org
       right=%any
       auto=add