| field | value | date |
|---|---|---|
| author | Martin Willi <martin@revosec.ch> | 2013-06-05 12:03:22 +0200 |
| committer | Martin Willi <martin@revosec.ch> | 2013-06-19 16:36:01 +0200 |
| commit | 24df067810993dc9736f7bcc274d4063d4d1c721 (patch) | |
| tree | b1aec2210ece0afb2a12f0a9196e20e6f2ac05a4 /man/ipsec.conf.5.in | |
| parent | 483a258ad81c65e85a44b98691d9d29efb23e5da (diff) | |
| download | strongswan-24df067810993dc9736f7bcc274d4063d4d1c721.tar.bz2, strongswan-24df067810993dc9736f7bcc274d4063d4d1c721.tar.xz | |
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- | man/ipsec.conf.5.in | 58 |
1 files changed, 34 insertions, 24 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 4ee884bcc..22efa4908 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -731,29 +731,10 @@ different from the default additionally requires a socket implementation that listens on this port. .TP .BR leftprotoport " = <protocol>/<port>" -restrict the traffic selector to a single protocol and/or port. -Examples: -.B leftprotoport=tcp/http -or -.B leftprotoport=6/80 -or -.B leftprotoport=udp -or -.BR leftprotoport=/53 . -Instead of omitting either value -.B %any -can be used to the same effect, e.g. -.B leftprotoport=udp/%any -or -.BR leftprotoport=%any/53 . - -The port value can alternatively take the value -.B %opaque -for RFC 4301 OPAQUE selectors, or a numerical range in the form -.BR 1024-65535 . -None of the kernel backends currently supports opaque or port ranges and uses -.B %any -for policy installation instead. +restrict the traffic selector to a single protocol and/or port. This option +is now deprecated, protocol/port information can be defined for each subnet +directly in +.BR leftsubnet . .TP .BR leftsigkey " = <raw public key> | <path to public key>" the left participant's public key for public key signature authentication, @@ -807,7 +788,7 @@ echoed back. Also supported are address pools expressed as or the use of an external IP address pool using %\fIpoolname\fR, where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP -.BR leftsubnet " = <ip subnet>" +.BR leftsubnet " = <ip subnet>[:<proto/port>][,...]" private subnet behind the left participant, expressed as \fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, 
@@ -818,6 +799,35 @@ implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled. + +The part in each subnet following an optional colon specifies a protocol/port +to restrict the selector for that subnet. + +Example: +.BR leftsubnet=10.0.0.1:tcp/http,10.0.0.2:6/80,10.0.0.3:udp,10.0.0.0/16:/53 . +Instead of omitting either value +.B %any +can be used to the same effect, e.g. +.BR leftsubnet=10.0.0.3:udp/%any,10.0.0.0/16=%any/53 . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. + +Instead of specifying a subnet, +.B %dynamic +can be used to replace it with the IKE address, having the same effect +as omitting +.B leftsubnet +completely. Using +.B %dynamic +can be used to define multiple dynamic selectors, each having a potentially +different protocol/port definiton. + .TP .BR leftupdown " = <path>" what ``updown'' script to run to adjust routing and/or firewalling |
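Review bot: the replacement text for leftprotoport in the hunk at @@ -731,29 +731,10 @@ marks the option deprecated but does not say whether it is still honoured, nor what happens when a configuration sets both leftprotoport and a proto/port suffix inside leftsubnet; add a sentence stating the precedence (or that the two forms must not be combined) so existing configurations can be migrated without silently losing a port restriction. Minor wording: `is now deprecated, protocol/port information can be defined` is a comma splice; `is deprecated; protocol/port information can instead be defined` reads better.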
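Review bot: the new synopsis `.BR leftsubnet " = <ip subnet>[:<proto/port>][,...]"` in the hunk at @@ -807,7 +788,7 @@ introduces a colon as the separator between subnet and proto/port, but the page gives no IPv6 example and does not say how that separator is distinguished from the colons inside an IPv6 subnet; either state the parsing rule in the description or add an IPv6 example there. Also consider naming the field `<protocol>/<port>`, as the leftprotoport entry above it does, so the two descriptions use the same terms.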
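Review bot: in the hunk at @@ -818,6 +799,35 @@, the second example `.BR leftsubnet=10.0.0.3:udp/%any,10.0.0.0/16=%any/53 .` uses `=` between the subnet and the proto/port, while the synopsis and the first example use `:`; this looks like a typo that would mislead anyone copying it, so change it to `10.0.0.0/16:%any/53`. Two smaller points in the same hunk: `definiton` should read `definition`, and `Using .B %dynamic can be used to define` doubles the verb; `%dynamic can be given more than once to define multiple dynamic selectors` says the same thing.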