path: root/man/ipsec.conf.5.in
Commit log for man/ipsec.conf.5.in, newest first. Each entry gives the commit subject, then author, date, number of files changed and lines removed/added as -n/+m, then the commit body where one was written. Entries indented under a merge commit are the commits that merge brought in.
* auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
  Tobias Brunner, 2017-11-08, 1 file, -0/+6
  Also document the rsa/pss prefix.

* man: Fix documentation of inbound mark behavior in ipsec.conf(5)
  Tobias Brunner, 2017-11-02, 1 file, -5/+5
* child-sa: Allow requesting different unique marks for in/out
  Eyal Birger, 2017-08-07, 1 file, -1/+4
  When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined.

  An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic.

  Closes strongswan/strongswan#78.
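The two configurations contrasted in the commit message above, written out as an ipsec.conf fragment. This is an added example, not text from the commit or from the strongSwan project: the connection names, the local address 192.0.2.1 and the use of right=%any (the commit's "number of peers is not predefined" case) are assumptions, and authentication keywords are deliberately left out so that only the mark setting is in view. `mark` is the ipsec.conf keyword that accepts the %unique value documented in the 2015-02-20 entry below and, from this commit on, %unique-dir.

```ini
# Problematic form: one unique mark shared by the inbound and outbound SAs.
# With 0.0.0.0/0 selectors on both sides, outbound traffic can be matched
# against the 'fwd' policy (whose template does not match) and is dropped.
# Connection name and addresses are assumed; authentication settings omitted.
conn site-shared-mark
    left=192.0.2.1
    right=%any
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=%unique
    auto=add

# Corrected form: a different unique mark per direction, so the 'fwd' policy,
# which carries the inbound mark, cannot match outbound traffic.
conn site-per-direction-mark
    left=192.0.2.1
    right=%any
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=%unique-dir
    auto=add
```

Only the `mark` line differs between the two conns; everything else is the same route-based, catch-all selector setup the commit message describes. Routing traffic into the tunnel by mark (via ip rules or routes) is outside what the commit covers and is not shown.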
* stroke: Make 96-bit truncation for SHA-256 configurable
  Tobias Brunner, 2017-05-26, 1 file, -0/+7

* Add an option to announce support for IKE fragmentation but not sending fragments
  Tobias Brunner, 2017-05-23, 1 file, -6/+15

* man: Describe the tunneling of several subnets with IKEv1 in more detail
  Noel Kuntze, 2017-03-23, 1 file, -1/+3

* man: Add note about modeconfig having to match
  Noel Kuntze, 2017-03-23, 1 file, -0/+1

* man: Describe what happens when a FQDN is specified in left or right
  Noel Kuntze, 2017-03-20, 1 file, -0/+5

* starter: Enable IKE fragmentation by default
  Tobias Brunner, 2016-10-04, 1 file, -4/+5

* man: Update description of the esp keyword
  Tobias Brunner, 2016-08-31, 1 file, -8/+19
  Clarifies how DH groups are applied, updates the proposal selection description and ESN can now also be configured for IKEv1. References #1039.

* man: Updated default proposals in ipsec.conf(5)
  Tobias Brunner, 2016-03-11, 1 file, -4/+4

* auth-cfg: Make IKE signature schemes configurable
  Tobias Brunner, 2016-03-04, 1 file, -4/+9
  This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.

* man: Update description of the actions performed for different dpdaction values
  Tobias Brunner, 2015-11-18, 1 file, -7/+8
  For instance, charon does not unroute `auto=route` connections with `dpdaction=clear`.

* man: Clarify identity parsing and identity type prefixes
  Tobias Brunner, 2015-08-17, 1 file, -6/+58
  References #1028.
* man: Clarification of ah keyword description
  Adrian-Ken Rueegsegger, 2015-05-19, 1 file, -1/+1

* man: More accurately describe features of the new parser in ipsec.conf(5)
  Tobias Brunner, 2015-03-20, 1 file, -46/+34

* man: Add documentation about IKEv2 signature schemes
  Tobias Brunner, 2015-03-04, 1 file, -0/+15

* man: Describe trust chain constraints configuration for EAP methods
  Martin Willi, 2015-03-03, 1 file, -1/+3

* ipsec-types: Support the %unique mark value
  Martin Willi, 2015-02-20, 1 file, -1/+3

* man: Document IKEv2 fragmentation in ipsec.conf(5)
  Tobias Brunner, 2015-02-10, 1 file, -4/+5

* stroke: Add support for address range definitions of in-memory pools
  Tobias Brunner, 2014-10-30, 1 file, -1/+3

* man: Document identification type prefixes in ipsec.conf(5)
  Martin Willi, 2014-10-30, 1 file, -2/+27

* man: Document where left|rightsigkey searches for public key files
  Tobias Brunner, 2014-07-14, 1 file, -2/+3

* man: Document replay_window ipsec.conf option
  Tobias Brunner, 2014-06-30, 1 file, -0/+9
* ike: Restart inactivity counter after doing a CHILD_SA rekey
  Martin Willi, 2014-01-23, 1 file, -1/+3
  When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying.

  This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter than the rekey time to have any effect.

* ipsec.conf.5: Note about ICMP[v6] message type/code added
  Tobias Brunner, 2013-10-17, 1 file, -0/+8

* ipsec.conf: Add a description for the new 'ah' keyword.
  Martin Willi, 2013-10-11, 1 file, -0/+41

* Build generated man pages via configure script
  Tobias Brunner, 2013-09-13, 1 file, -1/+1

* man: add support for multiple addresses/ranges/subnets in ipsec.conf left=
  Martin Willi, 2013-09-04, 1 file, -3/+10

* man: update ipsec.conf modeconfig keyword
  Martin Willi, 2013-09-04, 1 file, -2/+1

* Fix various API doc issues and typos
  Tobias Brunner, 2013-07-18, 1 file, -1/+1
  Partially based on an old patch by Adrian-Ken Rueegsegger.

* ipsec.conf.5: closeaction is now supported for IKEv1
  Tobias Brunner, 2013-07-17, 1 file, -2/+1

* stroke: Changed how proto/port are specified in left|rightsubnet
  Tobias Brunner, 2013-06-28, 1 file, -6/+7
  Using a colon as separator conflicts with IPv6 addresses.

* man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
  Martin Willi, 2013-06-19, 1 file, -24/+34

* Load any type (RSA/ECDSA) of public key via left|rightsigkey
  Tobias Brunner, 2013-05-07, 1 file, -4/+6

* left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
  Tobias Brunner, 2013-05-07, 1 file, -3/+9
  The default is now PKCS#1. With the dns: and ssh: prefixes other formats can be selected.
* Merge branch 'multi-cert'
  Martin Willi, 2013-03-01, 1 file, -0/+4
  Allows the configuration of multiple certificates in leftcert, and selects the correct certificate to use based on the received certificate requests.

  * Add ipsec.conf.5 updates regarding multiple certificates in leftcert
    Martin Willi, 2013-01-18, 1 file, -0/+4
* Merge branch 'opaque-ports'
  Martin Willi, 2013-03-01, 1 file, -0/+8
  Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.

  * Document ipsec.conf leftprotoport extensions in manpage
    Martin Willi, 2013-02-21, 1 file, -0/+8

* Add ikedscp documentation to ipsec.conf.5
  Martin Willi, 2013-02-06, 1 file, -0/+5
* Added an option that allows forcing IKEv1 fragmentation
  Tobias Brunner, 2013-01-12, 1 file, -4/+9
* Use a connection specific option to en-/disable IKEv1 fragmentation
  Tobias Brunner, 2012-12-24, 1 file, -0/+10

* Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
  Martin Willi, 2012-10-24, 1 file, -5/+7

* Add leftcert ipsec.conf.5 documentation about smartcard certificates
  Martin Willi, 2012-10-24, 1 file, -0/+12

* Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
  Martin Willi, 2012-10-24, 1 file, -7/+17

* Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
  Martin Willi, 2012-09-18, 1 file, -2/+3

* Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
  Tobias Brunner, 2012-09-18, 1 file, -0/+12

* Some updates to ipsec.conf(5) man page
  Tobias Brunner, 2012-09-12, 1 file, -49/+70

* Add uniqueids=never to ignore INITIAL_CONTACT notifies
  Tobias Brunner, 2012-09-10, 1 file, -9/+16
  With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.