ipsec.conf¶

strongSwan's /etc/ipsec.conf configuration file consists of three different section types:

• config setup defines general configuration parameters
• conn <name> defines a connection
• ca <name> defines a certification authority

There can be only one config setup section but
an unlimited number of conn and ca sections.

All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.

Example¶

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
       crlcheckinterval=600s
       cachecrls=yes
       strictcrlpolicy=yes
       plutostart=no

ca strongswan  #define alternative CRL distribution point
       cacert=strongswanCert.pem
       crluri=http://crl2.strongswan.org/strongswan.crl
       auto=add

conn %default
       keyingtries=1
       keyexchange=ikev2

conn roadwarrior
       left=192.168.0.1
       leftsubnet=10.1.0.0/16
       leftcert=moonCert.pem
       leftid=@moon.strongswan.org
       right=%any
       auto=add

IKE and ESP Cipher Suites¶

• IKEv1 Cipher Suites
• IKEv2 Cipher Suites