Version 16 (Tobias Brunner, 24.10.2011 10:07) → Version 17/21 (Tobias Brunner, 03.10.2012 12:11)
{{title(ipsec.conf Reference)}}
h1. ipsec.conf

strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types:

* [[ConfigSetupSection|config setup]] defines general configuration parameters
* [[ConnSection|conn <name>]] defines a connection
* [[CaSection|ca <name>]] defines a certification authority

There can be only one [[ConfigSetupSection|config setup]] section but
an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections.

All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.

A line which contains *include* followed by a file name is replaced by the contents
of that file. If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: @include ipsec.*.conf@

h2. Example
<pre>
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    crlcheckinterval=600s
    cachecrls=yes
    strictcrlpolicy=yes
    plutostart=no

ca strongswan  #define alternative CRL distribution point
    cacert=strongswanCert.pem
    crluri=http://crl2.strongswan.org/strongswan.crl
    auto=add

conn %default
    keyingtries=1
    keyexchange=ikev2

conn roadwarrior
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    right=%any
    auto=add
</pre>
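
The layout rules above (one config setup section, indented parameters, '#' comments, nested and wildcard includes resolved relative to the including file) can be checked before a file is deployed. The following Python linter is an added example, not strongSwan's parser and not code from this page; the names @parse@ and @demo@, the nesting limit, the key=value check and the choice to end the current section at an include are assumptions, and the sample files are constructed.

```python
import glob
import os
import re
import tempfile
from pathlib import Path

HEADER = re.compile(r"^(config|conn|ca)\s+(\S+)$")

def parse(path, sections=None, errors=None, depth=0):
    """Return (sections, errors) for an ipsec.conf-style file."""
    sections = {} if sections is None else sections
    errors = [] if errors is None else errors
    if depth > 8:                                  # assumed nesting limit
        errors.append(f"{path}: include nesting too deep")
        return sections, errors
    current = None                                 # section receiving parameters
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment
            if not line.strip():
                continue
            where = f"{os.path.basename(path)}:{no}"
            if line[0] in " \t":                   # indented: a parameter line
                key, eq, value = line.strip().partition("=")
                if current is None or not eq:
                    errors.append(f"{where}: parameter outside a section or not key=value")
                else:
                    sections[current][key.strip()] = value.strip()
            elif line.split()[0] == "include" and len(line.split()) == 2:
                # join() keeps a full pathname as is, else resolves beside the includer
                pattern = os.path.join(os.path.dirname(path), line.split()[1])
                for inc in sorted(glob.glob(pattern)):     # wildcards allowed
                    parse(inc, sections, errors, depth + 1)
                current = None                     # assumption: include ends the section
            elif (m := HEADER.match(line)):
                current = (m.group(1), m.group(2))
                if current == ("config", "setup") and current in sections:
                    errors.append(f"{where}: second config setup section")
                sections.setdefault(current, {})
            else:
                errors.append(f"{where}: unindented line is neither header nor include")
    return sections, errors

def demo():
    """Parse constructed sample files; the included one has a line that lost its indent."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ipsec.conf").write_text("config setup\n\tstrictcrlpolicy=yes  # note\n"
                                         "include ipsec.*.conf\nconfig setup\n")
        Path(d, "ipsec.rw.conf").write_text("conn roadwarrior\n\tright=%any\nauto=add\n")
        return parse(os.path.join(d, "ipsec.conf"))
```

@demo()@ reports the unindented @auto=add@ line in the included file and the repeated config setup section, which is the kind of silent layout damage that is hard to spot by eye.
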
h2. IKE and ESP Cipher Suites

* [[IKEv1CipherSuites|IKEv1 Cipher Suites]]
* [[IKEv2CipherSuites|IKEv2 Cipher Suites]]