Diffstat (limited to 'src')
-rw-r--r-- | src/starter/ipsec.conf.5 | 278 |
1 files changed, 142 insertions, 136 deletions
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 295aa35d5..9e22fe6da 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 
@@ -823,58 +823,104 @@ names in a .B setup section are: .TP 14 -.B interfaces -virtual and physical interfaces for IPsec to use: -a single -\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated -by white space, or -.BR %none . -One of the pairs may be written as -.BR %defaultroute , -which means: find the interface \fId\fR that the default route points to, -and then act as if the value was ``\fBipsec0=\fId\fR''. -.B %defaultroute -is the default; -.B %none -must be used to denote no interfaces. -(This parameter is used with the KLIPS IPsec stack only.) -.TP -.B dumpdir -in what directory should things started by -.I setup -(notably the Pluto daemon) be allowed to -dump core? -The empty value (the default) means they are not -allowed to. -This feature is currently not supported by the ipsec starter. +.B cachecrls +certificate revocation lists (CRLs) fetched via http or ldap will be cached in +\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification +authority's public key. +Accepted values are +.B yes +and +.B no +(the default). .TP .B charonstart -whether to start the IKEv2 daemon Charon or not. +whether to start the IKEv2 Charon daemon or not. Accepted values are .B yes (the default) or .BR no . .TP -.B charondebug -how much Charon debugging output should be logged. -A comma separated list containing type level/pairs may -be specified, e.g: -.B dmn 3, ike 1, net -1. -Acceptable values for types are -.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib -and the level is one of -.B -1, 0, 1, 2, 3, 4 -(for silent, audit, control, controlmore, raw, private). +.B crlcheckinterval +interval in seconds. CRL fetching is enabled if the value is greater than zero. +Asynchronous, periodic checking for fresh CRLs is currently done by the +IKEv1 Pluto daemon only. +.TP +.B dumpdir +in what directory should things started by \fBipsec starter\fR +(notably the Pluto and Charon daemons) be allowed to dump core? 
+The empty value (the default) means they are not +allowed to. +This feature is currently not yet supported by \fBipsec starter\fR. .TP .B plutostart -whether to start the IKEv1 daemon Pluto or not. +whether to start the IKEv1 Pluto daemon or not. Accepted values are .B yes (the default) or .BR no . .TP +.B strictcrlpolicy +defines if a fresh CRL must be available in order for the peer authentication based +on RSA signatures to succeed. +Accepted values are +.B yes +and +.B no +(the default). +IKEv2 additionally recognizes +.B ifuri +which reverts to +.B yes +if at least one CRL URI is defined and to +.B no +if no URI is known. +.PP +The following +.B config section +parameters are used by the IKEv1 Pluto daemon only: +.TP +.B keep_alive +interval in seconds between NAT keep alive packets, the default being 20 seconds. +.TP +.B nat_traversal +activates NAT traversal by accepting source ISAKMP ports different from udp/500 and +being able of floating to udp/4500 if a NAT situation is detected. +Accepted values are +.B yes +and +.B no +(the default). +.B nocrsend +no certificate request payloads will be sent. +Accepted values are +.B yes +and +.B no +(the default). +Used by IKEv1 only, NAT traversal always being active in IKEv2. +.TP +.B pkcs11module +defines the path to a dynamically loadable PKCS #11 library. +.TP +.B pkcs11keepstate +PKCS #11 login sessions will be kept during the whole lifetime of the keying +daemon. Useful with pin-pad smart card readers. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11proxy +Pluto will act as a PKCS #11 proxy accessible via the whack interface. +Accepted values are +.B yes +and +.B no +(the default). +.TP .B plutodebug how much Pluto debugging output should be logged. An empty value, 
@@ -892,9 +938,9 @@ separated by white space) are enabled; for details on available debugging types, see .IR pluto (8). .TP -.B prepluto -shell command to run before starting Pluto -(e.g., to decrypt an encrypted copy of the +.B postpluto +shell command to run after starting Pluto +(e.g., to remove a decrypted copy of the .I ipsec.secrets file). It's run in a very simple way; @@ -905,9 +951,9 @@ so running interactive commands is difficult unless they use or equivalent for their interaction. Default is none. .TP -.B postpluto -shell command to run after starting Pluto -(e.g., to remove a decrypted copy of the +.B prepluto +shell command to run before starting Pluto +(e.g., to decrypt an encrypted copy of the .I ipsec.secrets file). It's run in a very simple way; @@ -918,27 +964,8 @@ so running interactive commands is difficult unless they use or equivalent for their interaction. Default is none. .TP -.B fragicmp -whether a tunnel's need to fragment a packet should be reported -back with an ICMP message, -in an attempt to make the sender lower his PMTU estimate; -acceptable values are -.B yes -(the default) -and -.BR no . -(This parameter is used with the KLIPS IPsec stack only.) -.TP -.B hidetos -whether a tunnel packet's TOS field should be set to -.B 0 -rather than copied from the user packet inside; -acceptable values are -.B yes -(the default) -and -.BR no . -(This parameter is used with the KLIPS IPsec stack only.) +.B virtual_private +defines private networks using a wildcard notation. .TP .B uniqueids whether a particular participant ID should be kept unique, 
@@ -953,85 +980,65 @@ and Participant IDs normally \fIare\fR unique, so a new (automatically-keyed) connection using the same ID is almost invariably intended to replace an old one. +.PP +The following +.B config section +parameters are used by the IKEv2 Charon daemon only: .TP -.B overridemtu -value that the MTU of the ipsec\fIn\fR interface(s) should be set to, -overriding IPsec's (large) default. -(This parameter is used in special situations with the KLIPS IPsec stack only.) -.TP -.B nat_traversal -activates NAT traversal by accepting source ISAKMP different from udp/500 and -floating to udp/4500 if a NAT situation is detected. Used by IKEv1 only since -NAT traversal is always activated with IKEv2. -Accepted values are -.B yes -and -.B no -(the default). -.TP -.B keep_alive -interval in seconds between NAT keep alive packets. -.TP -.B virtual_private -.TP -.B crlcheckinterval -interval in seconds. CRL fetching is enabled if the value is greater than zero. -Asynchronous periodic checking for fresh CRLs is done by IKEv1 only. -.TP -.B cachecrls -certificate revocation lists (CRLs) fetched via http or ldap will be cached in -/etc/ipsec.d/crls under a unique file name derived from the certification -authority's public key -Accepted values are -.B yes -and -.B no -(the default). +.B charondebug +how much Charon debugging output should be logged. +A comma separated list containing type level/pairs may +be specified, e.g: +.B dmn 3, ike 1, net -1. +Acceptable values for types are +.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib +and the level is one of +.B -1, 0, 1, 2, 3, 4 +(for silent, audit, control, controlmore, raw, private). +.PP +The following +.B config section +parameters only make sense if the KLIPS IPsec stack +is used instead of the default NETKEY stack of the Linux 2.6 kernel: .TP -.B strictcrlpolicy -defines if a fresh CRL must be available in order for the peer authentication based -on RSA signatures to succeed. 
-Accepted values are +.B fragicmp +whether a tunnel's need to fragment a packet should be reported +back with an ICMP message, +in an attempt to make the sender lower his PMTU estimate; +acceptable values are .B yes +(the default) and -.B no -(the default). -IKEv2 additionally recognizes -.B ifuri -which reverts to -.B yes -if at least one CRL URI is defined and to -.B no -if no URI is known. +.BR no . .TP -.B nocrsend -no certificate request payloads will be sent. -Accepted values are +.B hidetos +whether a tunnel packet's TOS field should be set to +.B 0 +rather than copied from the user packet inside; +acceptable values are .B yes +(the default) and -.B no -(the default). -Used by IKEv1 only. +.BR no .TP -.B pkcs11module -defines the path to a dynamically loadable PKCS #11 library. -.TP -.B pkcs11keepstate -PKCS #11 login sessions will be kept during the whole lifetime of the keying -daemon. Useful with pin-pad smart card readers. -Accepted values are -.B yes -and -.B no -(the default). +.B interfaces +virtual and physical interfaces for IPsec to use: +a single +\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated +by white space, or +.BR %none . +One of the pairs may be written as +.BR %defaultroute , +which means: find the interface \fId\fR that the default route points to, +and then act as if the value was ``\fBipsec0=\fId\fR''. +.B %defaultroute +is the default; +.B %none +must be used to denote no interfaces. .TP -.B pkcs11proxy -Pluto will act as a PKCS #11 proxy accessible via the whack interface. -Accepted values are -.B yes -and -.B no -(the default). +.B overridemtu +value that the MTU of the ipsec\fIn\fR interface(s) should be set to, +overriding IPsec's (large) default. .SH CHOOSING A CONNECTION .PP When choosing a connection to apply to an outbound packet caught with a 
@@ -1059,9 +1066,8 @@ information about the client subnets to complete the instantiation. .SH SEE ALSO ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3) .SH HISTORY -Written for the FreeS/WAN project -<http://www.freeswan.org> -by Henry Spencer. Extended for the strongSwan project +Written for the FreeS/WAN project by Henry Spencer. +Extended for the strongSwan project <http://www.strongswan.org> by Andreas Steffen. IKEv2-specific features by Martin Willi. .SH BUGS |