Version 18 (Tobias Brunner, 29.10.2012 11:49) → Version 19/21 (Tobias Brunner, 23.10.2015 18:57)
{{title(ipsec.conf Reference)}}
h1. ipsec.conf
strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types:
* [[ConfigSetupSection|config setup]] defines general configuration parameters
* [[ConnSection|conn <name>]] defines a connection
* [[CaSection|ca <name>]] defines a certification authority
There can be only one [[ConfigSetupSection|config setup]] section but an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections.
All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.
A line consisting of *include* followed by a file name is replaced by the contents
of that file. If the file name is not an absolute path, it is taken relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example: @include ipsec.*.conf@
h2. Reusing Existing Parameters
All [[ConnSection|conn]] and [[CaSection|ca]] sections inherit the parameters defined in a @conn %default@
or @ca %default@ section, respectively.
Parameters defined in other [[ConnSection|conn]] or [[CaSection|ca]] sections may be included in a section
with the @also=othersection@ parameter. The included section may in turn use the
_also_ keyword to include other sections.
In versions prior to version:5.2.0 each setting could only be defined once, so settings included
via _also_ could not be changed (the only exception were settings defined in the _%default_
section, which could be overridden once).
Since version:5.2.0 settings from included sections may be changed, and the same setting may
even be defined multiple times in the same section; the last value wins. It does
not matter whether settings are defined before or after an _also_ statement, since settings in the current
section always override inherited settings. If multiple _also_ statements are used in the
same section, however, their order matters: settings from a section included later override those
from previously included sections. The new parser also allows a setting to be unset by
assigning no value (e.g. @leftcert=@); the setting's default value, if any, then applies. This
may be used to "remove" settings inherited from e.g. the _%default_ section.
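As an added illustration of the precedence rules above (example code written for this page, not strongSwan's own parser), the following Python script parses an ipsec.conf fragment and computes a section's effective settings under the version:5.2.0 rules: the matching @%default@ section applies first, then each @also=@ target in the order listed, then the section's own assignments, with an empty value removing the key. The sample configuration and its section names (@base@, @rw-psk@, @roadwarrior@, @roadwarrior-rev@) are constructed for the example, and the handling of nested @also=@ (an included section contributes only what it assigns itself, with @%default@ applied once at the top) is an assumption about the parser that the page does not spell out; @include@ lines are skipped because they need filesystem access.

```python
"""Resolve the effective settings of an ipsec.conf section.

Models the strongSwan >= 5.2.0 precedence rules described on this page
(example code, not strongSwan's own parser):
  1. settings of the matching %default section apply first,
  2. then each also= target, in the order listed (later ones win),
  3. then the section's own assignments (last assignment wins),
  4. an empty value (key=) removes the key, including inherited values.
Assumption: an included section contributes only what it assigns itself
(recursively through its own also= lines); %default is applied once at the top.
'include' lines are skipped because they would need filesystem access.
"""
import re
from typing import Dict, List, Optional, Tuple

SectionKey = Tuple[str, str]            # e.g. ("conn", "roadwarrior")
Section = List[Tuple[str, str]]         # ordered (key, value) pairs; "" means unset

_HEADER = re.compile(r"(config|conn|ca)\s+(\S+)")


def parse(text: str) -> Dict[SectionKey, Section]:
    """Split ipsec.conf text into sections.  Headers start in column 0,
    parameters are indented, and '#' starts a comment anywhere on a line."""
    sections: Dict[SectionKey, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":                      # section header
            if line.split()[0] == "include":
                continue                              # not expanded here
            m = _HEADER.fullmatch(line.strip())
            if m is None:
                raise ValueError(f"bad section header: {raw!r}")
            current = sections.setdefault((m.group(1), m.group(2)), [])
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"bad parameter line: {raw!r}")
        current.append((key.strip(), value.strip()))
    return sections


def _merge(sections, key, into, stack=()):
    """Apply `key`'s also= targets in order, then its own settings, onto `into`."""
    if key in stack:
        raise ValueError(f"also= loop through {key[0]} {key[1]}")
    if key not in sections:
        raise KeyError(f"unknown section {key[0]} {key[1]}")
    settings = sections[key]
    for k, v in settings:
        if k == "also":
            _merge(sections, (key[0], v), into, stack + (key,))
    for k, v in settings:
        if k != "also":
            into[k] = v               # "" is kept here so an unset can propagate


def resolve(sections: Dict[SectionKey, Section], sec_type: str, name: str) -> Dict[str, str]:
    """Effective settings of one section, with unset keys removed."""
    effective: Dict[str, str] = {}
    if name != "%default" and (sec_type, "%default") in sections:
        _merge(sections, (sec_type, "%default"), effective)
    _merge(sections, (sec_type, name), effective)
    return {k: v for k, v in effective.items() if v != ""}


# Constructed sample; the section names and values are made up for this example.
SAMPLE = """\
config setup
    strictcrlpolicy=yes

conn %default
    keyexchange=ikev2
    keyingtries=1
    leftcert=moonCert.pem

conn base
    leftsubnet=10.1.0.0/16
    ike=aes256-sha256-modp2048
    authby=pubkey

conn rw-psk
    leftcert=                    # unset the certificate inherited from %default
    authby=secret

conn roadwarrior
    rightid=%any                 # own settings win even when placed before also=
    also=base
    also=rw-psk                  # included later, so it overrides base
    ike=aes128-sha256-modp2048
    leftsubnet=10.2.0.0/16
    leftsubnet=10.3.0.0/16       # last assignment in the section wins
    right=%any

conn roadwarrior-rev
    also=rw-psk
    also=base                    # reversed order: base now wins for authby
    right=%any
"""

if __name__ == "__main__":
    confs = parse(SAMPLE)
    for name in ("roadwarrior", "roadwarrior-rev"):
        print(f"conn {name}")
        for k, v in sorted(resolve(confs, "conn", name).items()):
            print(f"    {k}={v}")
```

Running the script prints the resolved @roadwarrior@ and @roadwarrior-rev@ sections: in both, @leftcert@ inherited from @%default@ is gone because @rw-psk@ unsets it, while @authby@ and @leftsubnet@ differ only because the order of the two @also=@ lines differs.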
h2. Example
<pre>
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    cachecrls=yes
    strictcrlpolicy=yes

ca strongswan   # define alternative CRL distribution point
    cacert=strongswanCert.pem
    crluri=http://crl2.strongswan.org/strongswan.crl
    auto=add

conn %default
    keyingtries=1
    keyexchange=ikev2

conn roadwarrior
    leftsubnet=10.1.0.0/16
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    right=%any
    auto=add
</pre>
h2. IKE and ESP Cipher Suites
* [[IKEv1CipherSuites|IKEv1 Cipher Suites]]
* [[IKEv2CipherSuites|IKEv2 Cipher Suites]]