| author | Tobias Brunner <tobias@strongswan.org> | 2016-08-31 11:38:38 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2016-08-31 11:47:14 +0200 |
| commit | bbd46207777bf191ddc3cfd42c0b1576efe9357e (patch) | |
| tree | 9697a3fd431812e3754e5b75a704f94449db48cc /man | |
| parent | fe4ed4578fea266477b00c4ca62869f79cd29317 (diff) | |
man: Update description of the esp keyword
Clarifies how DH groups are applied, updates the proposal selection
description and ESN can now also be configured for IKEv1.
References #1039.
Diffstat (limited to 'man')

| -rw-r--r-- | man/ipsec.conf.5.in | 27 |
|---|---|---|

1 files changed, 19 insertions, 8 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 54440c0c7..6d99e13f9 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -247,7 +247,9 @@ can be added at the end. If .B dh-group is specified, CHILD_SA/Quick Mode setup and rekeying include a separate -Diffie-Hellman exchange. +Diffie-Hellman exchange (refer to the +.B esp +keyword for details). .TP .BR also " = <name>" includes conn section @@ -410,18 +412,27 @@ exclamation mark can be added at the end. .BR Note : -As a responder the daemon accepts the first supported proposal received from -the peer. In order to restrict a responder to only accept specific cipher -suites, the strict flag +As a responder, the daemon defaults to selecting the first configured proposal +that's also supported by the peer. This may be changed via +.BR strongswan.conf (5) +to selecting the first acceptable proposal sent by the peer instead. In order to +restrict a responder to only accept specific cipher suites, the strict flag .RB ( ! , exclamation mark) can be used, e.g: aes256-sha512-modp4096! -.br + If .B dh-group -is specified, CHILD_SA/Quick Mode setup and rekeying include a separate -Diffie-Hellman exchange. Valid values for +is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a +separate Diffie-Hellman exchange using the specified group. However, for IKEv2, +the keys of the CHILD_SA created implicitly with the IKE_SA will always be +derived from the IKE_SA's key material. So any DH group specified here will only +apply when the CHILD_SA is later rekeyed or is created with a separate +CREATE_CHILD_SA exchange. Therefore, a proposal mismatch might not immediately +be noticed when the SA is established, but may later cause rekeying to fail. + +Valid values for .B esnmode -(IKEv2 only) are +are .B esn and .BR noesn . |
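Review bot: in the first hunk (@@ -247,7) the paragraph keeps the sentence "CHILD_SA/Quick Mode setup and rekeying include a separate Diffie-Hellman exchange", which is exactly the claim the esp hunk in this same patch qualifies (for IKEv2 the CHILD_SA created together with the IKE_SA is keyed from the IKE_SA's key material, so the configured group only applies on rekeying or a separate CREATE_CHILD_SA). A reader who does not follow the new cross-reference is left with the old, stronger reading; suggest mirroring the esp wording here, e.g. "CHILD_SA/Quick Mode rekeying and initial negotiation use a separate Diffie-Hellman exchange (refer to the esp keyword for details)", so the mismatch-not-noticed-until-rekey caveat is not lost.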
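Review bot: in the second hunk (@@ -410,18) the removed `.br` and the new paragraph before "Valid values for" are replaced by blank input lines; in troff a blank line is flagged by `groff`/`mandoc -Tlint` as "blank line in input" and renders differently across formatters, so use `.PP` (or `.P`) at both places to match the rest of ipsec.conf.5.in. Two smaller style points in the same hunk: "that's also supported by the peer" should read "that is also supported by the peer" in a man page, and "e.g:" should be "e.g.:". Also, "This may be changed via .BR strongswan.conf (5)" points the reader at the whole file; naming the specific option that switches between the two selection behaviours would make the sentence actionable, since which proposal a responder picks under a mismatch is what decides whether a weaker peer-offered suite can be selected.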