ipsec.conf Reference » History » Version 16
Tobias Brunner, 24.10.2011 10:07
| 1 | 16 | Tobias Brunner | {{title(ipsec.conf Reference)}} |
|---|---|---|---|
| 2 | 16 | Tobias Brunner | |
| 3 | 12 | Andreas Steffen | h1. ipsec.conf |
| 4 | 1 | Martin Willi | |
| 5 | 1 | Martin Willi | |
| 6 | 12 | Andreas Steffen | strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types: |
| 7 | 1 | Martin Willi | |
| 8 | 12 | Andreas Steffen | * [[ConfigSetupSection|config setup]] defines general configuration parameters |
| 9 | 12 | Andreas Steffen | * [[ConnSection|conn <name>]] defines a connection |
| 10 | 12 | Andreas Steffen | * [[CaSection|ca <name>]] defines a certification authority |
| 11 | 12 | Andreas Steffen | |
| 12 | 1 | Martin Willi | There can be only one [[ConfigSetupSection|config setup]] section but |
| 13 | 13 | Tobias Brunner | an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections. |
| 14 | 12 | Andreas Steffen | |
| 15 | 3 | Martin Willi | All parameters belonging to a section must be indented by at least one space or tab |
| 16 | 4 | Martin Willi | character. The rest of the line after a '#' character is treated as a comment. |
| 17 | 4 | Martin Willi | Comments within a section must also be indented. |
| 18 | 4 | Martin Willi | |
| 19 | 15 | Tobias Brunner | A line which contains *include* followed by a file name is replaced by the contents |
| 20 | 15 | Tobias Brunner | of that file. If the file name is not a full pathname, it is considered to be relative |
| 21 | 15 | Tobias Brunner | to the directory containing the including file. Such inclusions can be nested. The file |
| 22 | 15 | Tobias Brunner | name may include wildcards, for example: @include ipsec.*.conf@ |
| 23 | 12 | Andreas Steffen | |
| 24 | 12 | Andreas Steffen | h2. Example |
| 25 | 12 | Andreas Steffen | |
| 26 | 12 | Andreas Steffen | <pre> |
| 27 | 9 | Martin Willi | # /etc/ipsec.conf - strongSwan IPsec configuration file |
| 28 | 9 | Martin Willi | |
| 29 | 8 | Martin Willi | config setup |
| 30 | 8 | Martin Willi | crlcheckinterval=600s |
| 31 | 8 | Martin Willi | cachecrls=yes |
| 32 | 8 | Martin Willi | strictcrlpolicy=yes |
| 33 | 8 | Martin Willi | plutostart=no |
| 34 | 8 | Martin Willi | |
| 35 | 10 | Martin Willi | ca strongswan #define alternative CRL distribution point |
| 36 | 8 | Martin Willi | cacert=strongswanCert.pem |
| 37 | 8 | Martin Willi | crluri=http://crl2.strongswan.org/strongswan.crl |
| 38 | 8 | Martin Willi | auto=add |
| 39 | 8 | Martin Willi | |
| 40 | 8 | Martin Willi | conn %default |
| 41 | 1 | Martin Willi | keyingtries=1 |
| 42 | 1 | Martin Willi | keyexchange=ikev2 |
| 43 | 1 | Martin Willi | |
| 44 | 1 | Martin Willi | conn roadwarrior |
| 45 | 1 | Martin Willi | left=192.168.0.1 |
| 46 | 8 | Martin Willi | leftsubnet=10.1.0.0/16 |
| 47 | 8 | Martin Willi | leftcert=moonCert.pem |
| 48 | 8 | Martin Willi | leftid=@moon.strongswan.org |
| 49 | 8 | Martin Willi | right=%any |
| 50 | 8 | Martin Willi | auto=add |
| 51 | 12 | Andreas Steffen | </pre> |
| 52 | 8 | Martin Willi | |
| 53 | 8 | Martin Willi | |
| 54 | 12 | Andreas Steffen | h2. IKE and ESP Cipher Suites |
| 55 | 12 | Andreas Steffen | |
| 56 | 12 | Andreas Steffen | |
| 57 | 14 | Andreas Steffen | |
| 58 | 14 | Andreas Steffen | * [[IKEv1CipherSuites|IKEv1 Cipher Suites]] |
| 59 | 12 | Andreas Steffen | * [[IKEv2CipherSuites|IKEv2 Cipher Suites]] |