diff options
Diffstat (limited to 'man/ipsec.conf.5.in')
| -rw-r--r-- | man/ipsec.conf.5.in | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index c623186d9..e778ab773 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -618,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions. is required only if selecting the certificate with .B leftid is not sufficient, for example if multiple certificates use the same subject. +.br +Multiple certificate paths or PKCS#11 backends can be specified in a comma +separated list. The daemon chooses the certificate based on the received +certificate requests if possible before enforcing the first. .TP .BR leftcert2 " = <path>" Same as @@ -742,6 +746,14 @@ can be used to the same effect, e.g. .B leftprotoport=udp/%any or .BR leftprotoport=%any/53 . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. .TP .BR leftrsasigkey " = <raw rsa public key> | <path to public key>" the left participant's public key for RSA signature authentication, in RFC 2537 |