ipsec.conf Reference » History » Version 18
Tobias Brunner, 29.10.2012 11:49
| 1 | 16 | Tobias Brunner | {{title(ipsec.conf Reference)}} |
|---|---|---|---|
| 2 | 16 | Tobias Brunner | |
| 3 | 12 | Andreas Steffen | h1. ipsec.conf |
| 4 | 1 | Martin Willi | |
| 5 | 1 | Martin Willi | |
| 6 | 12 | Andreas Steffen | strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types: |
| 7 | 1 | Martin Willi | |
| 8 | 12 | Andreas Steffen | * [[ConfigSetupSection|config setup]] defines general configuration parameters |
| 9 | 12 | Andreas Steffen | * [[ConnSection|conn <name>]] defines a connection |
| 10 | 12 | Andreas Steffen | * [[CaSection|ca <name>]] defines a certification authority |
| 11 | 12 | Andreas Steffen | |
| 12 | 18 | Tobias Brunner | There can be only one [[ConfigSetupSection|config setup]] section but an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections. |
| 13 | 12 | Andreas Steffen | |
| 14 | 3 | Martin Willi | All parameters belonging to a section must be indented by at least one space or tab |
| 15 | 4 | Martin Willi | character. The rest of the line after a '#' character is treated as a comment. |
| 16 | 4 | Martin Willi | Comments within a section must also be indented. |
| 17 | 4 | Martin Willi | |
| 18 | 15 | Tobias Brunner | A line which contains *include* followed by a file name is replaced by the contents |
| 19 | 15 | Tobias Brunner | of that file. If the file name is not a full pathname, it is considered to be relative |
| 20 | 1 | Martin Willi | to the directory containing the including file. Such inclusions can be nested. The file |
| 21 | 1 | Martin Willi | name may include wildcards, for example: @include ipsec.*.conf@ |
| 22 | 18 | Tobias Brunner | |
| 23 | 18 | Tobias Brunner | h2. Reusing Existing Parameters |
| 24 | 18 | Tobias Brunner | |
| 25 | 18 | Tobias Brunner | All [[ConnSection|conn]] and [[CaSection|ca]] sections inherit the parameters defined in a @conn %default@ |
| 26 | 18 | Tobias Brunner | or @ca %default@ section, respectively. |
| 27 | 18 | Tobias Brunner | |
| 28 | 18 | Tobias Brunner | Parameters defined in other [[ConnSection|conn]] or [[CaSection|ca]] sections may be included in a section |
| 29 | 18 | Tobias Brunner | with the @also=othersection@ parameter. |
| 30 | 18 | Tobias Brunner | |
| 31 | 12 | Andreas Steffen | |
| 32 | 12 | Andreas Steffen | h2. Example |
| 33 | 12 | Andreas Steffen | |
| 34 | 12 | Andreas Steffen | <pre> |
| 35 | 9 | Martin Willi | # /etc/ipsec.conf - strongSwan IPsec configuration file |
| 36 | 9 | Martin Willi | |
| 37 | 8 | Martin Willi | config setup |
| 38 | 8 | Martin Willi | cachecrls=yes |
| 39 | 8 | Martin Willi | strictcrlpolicy=yes |
| 40 | 8 | Martin Willi | |
| 41 | 10 | Martin Willi | ca strongswan #define alternative CRL distribution point |
| 42 | 8 | Martin Willi | cacert=strongswanCert.pem |
| 43 | 8 | Martin Willi | crluri=http://crl2.strongswan.org/strongswan.crl |
| 44 | 8 | Martin Willi | auto=add |
| 45 | 8 | Martin Willi | |
| 46 | 8 | Martin Willi | conn %default |
| 47 | 1 | Martin Willi | keyingtries=1 |
| 48 | 1 | Martin Willi | keyexchange=ikev2 |
| 49 | 1 | Martin Willi | |
| 50 | 1 | Martin Willi | conn roadwarrior |
| 51 | 8 | Martin Willi | leftsubnet=10.1.0.0/16 |
| 52 | 8 | Martin Willi | leftcert=moonCert.pem |
| 53 | 8 | Martin Willi | leftid=@moon.strongswan.org |
| 54 | 8 | Martin Willi | right=%any |
| 55 | 8 | Martin Willi | auto=add |
| 56 | 12 | Andreas Steffen | </pre> |
| 57 | 8 | Martin Willi | |
| 58 | 8 | Martin Willi | |
| 59 | 12 | Andreas Steffen | h2. IKE and ESP Cipher Suites |
| 60 | 12 | Andreas Steffen | |
| 61 | 12 | Andreas Steffen | |
| 62 | 14 | Andreas Steffen | |
| 63 | 14 | Andreas Steffen | * [[IKEv1CipherSuites|IKEv1 Cipher Suites]] |
| 64 | 12 | Andreas Steffen | * [[IKEv2CipherSuites|IKEv2 Cipher Suites]] |