ipsec.conf Reference » History » Version 18

Tobias Brunner, 29.10.2012 11:49


ipsec.conf

strongSwan's /etc/ipsec.conf configuration file consists of three different section types: config setup, conn and ca.

There can be only one config setup section but an unlimited number of conn and ca sections.

All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.

A line which contains include followed by a file name is replaced by the contents
of that file. If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: include ipsec.*.conf

Reusing Existing Parameters

All conn and ca sections inherit the parameters defined in a conn %default
or ca %default section, respectively.

Parameters defined in other conn or ca sections may be included in a section
with the also=othersection parameter.
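The layout rules described above (indented parameters, '#' comments, include with wildcards resolved relative to the including file, %default and also= inheritance) as an added example, not strongSwan's own parser: a small Python reader that works on constructed in-memory files and assumes a section's own parameters override those pulled in via also=, which in turn override %default.

```python
import fnmatch, posixpath

# Constructed in-memory stand-ins for /etc/ipsec.conf and a file it includes.
FILES = {
    "/etc/ipsec.conf": """\
conn %default
       keyingtries=1    # trailing comment
       keyexchange=ikev2
conn base
       leftsubnet=10.1.0.0/16
include ipsec.*.conf
""",
    "/etc/ipsec.rw.conf": """\
conn roadwarrior
       also=base
       right=%any
       keyingtries=3
""",
}

def parse(path, files=FILES):
    """Return {kind: {name: {key: value}}} for `path`, expanding includes."""
    sections, current = {}, None
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments, keep indentation
        if not line.strip():
            continue
        if line[0] in " \t":                           # indented line: a parameter
            if current is None:
                raise ValueError("parameter outside a section: " + line.strip())
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
        elif line.startswith("include "):              # wildcard relative to this file's dir
            pattern = posixpath.join(posixpath.dirname(path), line.split()[1])
            for inc in sorted(f for f in files if fnmatch.fnmatch(f, pattern)):
                for kind, named in parse(inc, files).items():
                    sections.setdefault(kind, {}).update(named)
        else:                                          # "config setup", "conn %default", ...
            kind, _, name = line.partition(" ")
            current = sections.setdefault(kind, {}).setdefault(name.strip(), {})
    return sections

def effective(sections, kind, name):
    """Merge %default, then the also= section, then own values (assumption: own > also= > %default)."""
    own = dict(sections[kind][name])
    merged = dict(sections[kind].get("%default", {}))
    if "also" in own:                                  # recurse so nested also= chains resolve
        merged.update(effective(sections, kind, own.pop("also")))
    merged.update(own)
    return merged
```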

Example

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
       cachecrls=yes
       strictcrlpolicy=yes

ca strongswan  #define alternative CRL distribution point
       cacert=strongswanCert.pem
       crluri=http://crl2.strongswan.org/strongswan.crl
       auto=add

conn %default
       keyingtries=1
       keyexchange=ikev2

conn roadwarrior
       leftsubnet=10.1.0.0/16
       leftcert=moonCert.pem
       leftid=@moon.strongswan.org
       right=%any
       auto=add

IKE and ESP Cipher Suites