strongSwan's /etc/ipsec.conf configuration file consists of three different section types:
- config setup defines general configuration parameters
- conn <name> defines a connection
- ca <name> defines a certification authority
All parameters belonging to a section must be indented by at least one space or tab
character. The rest of the line after a '#' character is treated as a comment.
Comments within a section must also be indented.
A line which contains include followed by a file name is replaced by the contents
of that file. If the file name is not a full pathname, it is considered to be relative
to the directory containing the including file. Such inclusions can be nested. The file
name may include wildcards, for example:
Reusing Existing Parameters
In versions prior to 5.2.0 each setting could only be defined once, so settings included
via also could not be changed (the only exception was settings defined in the %default
section, which could be overwritten once).
Since 5.2.0, settings from included sections may be changed. The same setting may even
be defined multiple times in the same section, in which case the last value is used. It does
not matter whether settings are defined before or after an also statement: settings in the
current section always override inherited settings. If multiple also statements are used in
the same section, however, their order matters (settings from a section included later
override those from previously included sections). The new parser also allows a setting to
be unset by assigning no value (e.g. leftcert=); the setting's default value, if any, then
applies. This can be used to "remove" settings inherited from, e.g., the %default section.
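The 5.2.0 override rules above, modeled as an added Python example (not strongSwan's parser and not code from this page): it resolves the effective settings of a conn section from a constructed sample config. The section names base-a and base-b are hypothetical, and treating conn %default as the lowest-priority layer is an assumption of this model.

```python
SAMPLE = """\
conn %default
    keyexchange=ikev2
    leftcert=moonCert.pem
conn base-a
    esp=aes128-sha256
    dpdaction=clear
conn base-b
    esp=aes256-sha384
conn roadwarrior
    dpdaction=restart   # set before also=, still overrides base-a
    also=base-a
    also=base-b         # included later, so its esp wins over base-a
    leftcert=           # empty value unsets the inherited setting
    right=%any
    right=192.0.2.10    # defined twice, last value is used
"""  # constructed sample; base-a and base-b are hypothetical section names

def parse(text):  # -> {(type, name): [(key, value), ...]} in file order
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if line and not line[0].isspace():        # header starts at column 0
            current = sections.setdefault(tuple(line.split(None, 1)), [])
        elif line and current is not None:        # indented parameter line
            key, _, value = line.strip().partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def inherit(sections, kind, name, seen=()):
    """Merge also= sections in order, then apply the section's own settings."""
    if name in seen:
        raise ValueError(f"also= loop through {name!r}")
    body = sections[(kind, name)]
    merged = {}
    for key, value in body:
        if key == "also":
            merged.update(inherit(sections, kind, value, seen + (name,)))
    merged.update((k, v) for k, v in body if k != "also")
    return merged

def effective(sections, kind, name):
    """Assumed model: %default is the base layer; empty values fall back to defaults."""
    merged = dict(sections.get((kind, "%default"), []))
    merged.update(inherit(sections, kind, name))
    return {k: v for k, v in merged.items() if v != ""}

if __name__ == "__main__":
    print(effective(parse(SAMPLE), "conn", "roadwarrior"))
```

Running a resolver like this over a real configuration is a quick way to confirm that a hardened default, such as a certificate or ID constraint, has not been silently unset or overridden by a later section.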
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	cachecrls=yes
	strictcrlpolicy=yes

ca strongswan  #define alternative CRL distribution point
	cacert=strongswanCert.pem
	crluri=http://crl2.strongswan.org/strongswan.crl
	auto=add

conn %default
	keyingtries=1
	keyexchange=ikev2

conn roadwarrior
	leftsubnet=10.1.0.0/16
	leftcert=moonCert.pem
	firstname.lastname@example.org
	right=%any
	auto=add