ipsec.conf Reference » History » Version 17

Tobias Brunner, 03.10.2012 12:11

{{title(ipsec.conf Reference)}}

h1. ipsec.conf

strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types:

* [[ConfigSetupSection|config setup]] defines general configuration parameters
* [[ConnSection|conn <name>]] defines a connection
* [[CaSection|ca <name>]] defines a certification authority

There can be only one [[ConfigSetupSection|config setup]] section but
an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections.

All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.

A line which contains *include* followed by a file name is replaced by the contents
of that file.  If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: @include ipsec.*.conf@

h2. Example

<pre>
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
       cachecrls=yes
       strictcrlpolicy=yes

ca strongswan  #define alternative CRL distribution point
       cacert=strongswanCert.pem
       crluri=http://crl2.strongswan.org/strongswan.crl
       auto=add

conn %default
       keyingtries=1
       keyexchange=ikev2

conn roadwarrior
       leftsubnet=10.1.0.0/16
       leftcert=moonCert.pem
       leftid=@moon.strongswan.org
       right=%any
       auto=add
</pre>
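
When auditing a configuration, the include rules above mean that the effective settings may be spread over several files. The following reader is an added example, not strongSwan code: it applies the indentation, '#' comment and include rules described on this page and reports a second config setup section. The nesting limit of 10, the function names and the sample file names are assumptions, and the sample files are constructed.

```python
import glob, pathlib, tempfile

def parse(path, sections=None, depth=0):
    """Return [(type, name, params, source_file)], expanding include lines."""
    if depth > 10:  # assumption: our own guard against include loops
        raise ValueError(f"include nesting too deep at {path}")
    sections = [] if sections is None else sections
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].rstrip()  # rest of line after '#' is a comment
            words = line.split()
            if not words:
                continue
            if words[0] == "include" and len(words) == 2:
                # relative names resolve against the including file's directory
                pattern = str(pathlib.Path(path).parent / words[1])
                for inc in sorted(glob.glob(pattern)):  # wildcards allowed
                    parse(inc, sections, depth + 1)
            elif line[0] in " \t":  # indented: parameter of the current section
                if not sections:
                    raise ValueError(f"{path}:{lineno}: parameter outside a section")
                key, _, value = line.strip().partition("=")
                sections[-1][2][key.strip()] = value.strip()
            elif words[0] in ("config", "conn", "ca") and len(words) == 2:
                sections.append((words[0], words[1], {}, pathlib.Path(path).name))
            else:
                raise ValueError(f"{path}:{lineno}: unrecognised line {line!r}")
    return sections

def audit(sections):
    """Flag a violation of the one-'config setup' rule, naming the files involved."""
    setups = [s[3] for s in sections if s[0] == "config"]
    return [f"config setup defined {len(setups)} times: {', '.join(setups)}"] if len(setups) > 1 else []

def demo():
    # Constructed sample files, based on the page's example and split across includes.
    files = {
        "ipsec.conf": "config setup\n       strictcrlpolicy=yes\n\ninclude ipsec.*.conf\n",
        "ipsec.rw.conf": "conn roadwarrior\n       right=%any  # any peer\n       auto=add\n",
        "ipsec.extra.conf": "config setup\n\tstrictcrlpolicy=no\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            pathlib.Path(d, name).write_text(text)
        sections = parse(pathlib.Path(d, "ipsec.conf"))
    return sections, audit(sections)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed sample, the second config setup section arrives through the wildcard include and carries a different strictcrlpolicy value, which is why each section is recorded with the file it came from.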

h2. IKE and ESP Cipher Suites

* [[IKEv1CipherSuites|IKEv1 Cipher Suites]]
* [[IKEv2CipherSuites|IKEv2 Cipher Suites]]