diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-02-01 18:16:16 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-04 16:19:54 +0100 |
commit | 3c23a75120c5b548383da439537cab956b15dafd (patch) | |
tree | 54d3815f724b65a2e1dbebc0b80b5563613b507f /man/ipsec.conf.5.in | |
parent | e37e6d6dcaee842b6d8a5be2d271f560f86fabcc (diff) | |
download | strongswan-3c23a75120c5b548383da439537cab956b15dafd.tar.bz2 strongswan-3c23a75120c5b548383da439537cab956b15dafd.tar.xz |
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- | man/ipsec.conf.5.in | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 61804c8b3..f070eaa59 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -587,18 +587,23 @@ or a key strength definition (for example or .BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). Unless disabled in -.BR strongswan.conf (5) -such key types and hash algorithms are also applied as constraints against IKEv2 +.BR strongswan.conf (5), +or explicit IKEv2 signature constraints are configured (see below), such key +types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the remote side. If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific hash algorithms to be used during IKEv2 authentication may be configured. -The syntax is the same as above. For example, with -.B pubkey-sha384-sha256 +The syntax is the same as above, but with ike: prefix. For example, with +.B ike:pubkey-sha384-sha256 a public key signature scheme with either SHA-384 or SHA-256 would get used for authentication, in that order and depending on the hash algorithms supported by the peer. If no specific hash algorithms are configured, the default is to prefer an algorithm that matches or exceeds the strength of the signature key. +If no constraints with ike: prefix are configured any signature scheme +constraint (without ike: prefix) will also apply to IKEv2 authentication, unless +this is disabled in +.BR strongswan.conf (5). For .BR eap , |