strongSwan

{{title(ipsec.conf Reference)}}

{{swanctl}}

h1. ipsec.conf

strongSwan's _/etc/ipsec.conf_ configuration file consists of three different section types:

* [[ConfigSetupSection|config setup]] defines general configuration parameters

* [[ConnSection|conn <name>]] defines a connection

* [[CaSection|ca <name>]] defines a certification authority

There can be only one [[ConfigSetupSection|config setup]] section but an unlimited number of [[ConnSection|conn]] and [[CaSection|ca]] sections.

All parameters belonging to a section must be indented by at least one space or tab

character. The rest of the line after a '#' character is treated as a comment.

Comments within a section must also be indented.

A line which contains *include* followed by a file name is replaced by the contents

of that file.  If the file name is not a full pathname, it is considered to be relative

to the directory containing the including file. Such inclusions can be nested. The file

name may include wildcards, for example: @include ipsec.*.conf@

h2. Reusing Existing Parameters

All [[ConnSection|conn]] and [[CaSection|ca]] sections inherit the parameters defined in a @conn %default@

or @ca %default@ section, respectively.

Parameters defined in other [[ConnSection|conn]] or [[CaSection|ca]] sections may be included in a section

with the @also=othersection@ parameter.  The included section may in turn use the

_also_ keyword to include other sections.

In versions prior to version:5.2.0 each setting could only be defined once, so settings included

via _also_ could not be changed (the only exception were settings defined in the _%default_

section, which could be overwritten once).

Since version:5.2.0 settings from included sections may be changed - the same setting may

even be defined multiple times in the same section, the last value will be used. It does

not matter if settings are defined before or after an _also_ statement, settings in the current

section always override inherited settings. But if multiple _also_ statements are used in the

same section their order matters (settings from a section included later will override those

from previously included sections). The new parser also allows to unset a setting by

assigning no value (e.g. @leftcert=@), the setting's default value, if any, will apply, which

may be used to "remove" settings inherited from e.g. the _%default_ section.

h2. Example

<pre>

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

       cachecrls=yes

       strictcrlpolicy=yes

ca strongswan  #define alternative CRL distribution point

       cacert=strongswanCert.pem

       crluri=http://crl2.strongswan.org/strongswan.crl

       auto=add

conn %default

       keyingtries=1

       keyexchange=ikev2

conn roadwarrior

       leftsubnet=10.1.0.0/16

       leftcert=moonCert.pem

       leftid=@moon.strongswan.org

       right=%any

       auto=add

</pre>