Updated ipsec.conf man page for the use of IKEv1 with pluto
This commit is contained in:
parent
c60246a618
commit
75e3d90d43
|
@ -172,9 +172,9 @@ keying, rekeying, and general control.
|
||||||
The path to control the connection is called 'ISAKMP SA' in IKEv1
|
The path to control the connection is called 'ISAKMP SA' in IKEv1
|
||||||
and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
|
and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
|
||||||
level data path, is called 'IPsec SA' or 'Child SA'.
|
level data path, is called 'IPsec SA' or 'Child SA'.
|
||||||
strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
|
strongSwan previously used two separate keying daemons, \fIpluto\fP and
|
||||||
all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
|
\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
|
||||||
protocol.
|
only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
|
||||||
.PP
|
.PP
|
||||||
To avoid trivial editing of the configuration file to suit it to each system
|
To avoid trivial editing of the configuration file to suit it to each system
|
||||||
involved in a connection,
|
involved in a connection,
|
||||||
|
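Review bot: the new sentence ending in `only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.` is ungrammatical, the relative clause has nothing it can attach to. Suggest `This manual no longer discusses \fIpluto\fP options, only those of \fIcharon\fP, which since strongSwan 5.0 handles both IKEv1 and IKEv2.` While this paragraph is being touched, the unchanged `That what is being negotiated, the kernel level data path` two lines above would read better as `What is actually negotiated, the kernel-level data path`.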
@ -237,16 +237,6 @@ identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
|
||||||
includes conn section
|
includes conn section
|
||||||
.BR <name> .
|
.BR <name> .
|
||||||
.TP
|
.TP
|
||||||
.BR auth " = " esp " | ah"
|
|
||||||
whether authentication should be done as part of
|
|
||||||
ESP encryption, or separately using the AH protocol;
|
|
||||||
acceptable values are
|
|
||||||
.B esp
|
|
||||||
(the default) and
|
|
||||||
.BR ah .
|
|
||||||
.br
|
|
||||||
The IKEv2 daemon currently supports ESP only.
|
|
||||||
.TP
|
|
||||||
.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig"
|
.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig"
|
||||||
how the two security gateways should authenticate each other;
|
how the two security gateways should authenticate each other;
|
||||||
acceptable values are
|
acceptable values are
|
||||||
|
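Review bot: deleting the whole `auth = esp | ah` entry gives a reader with `auth=ah` in an existing ipsec.conf no way to learn what starter now does with it (rejected, ignored, or still honoured). Either keep the entry with a one-line status, for instance `AH is not supported by charon; the keyword is accepted but ignored` if that is the behaviour, or list the keyword wherever the page collects obsolete keywords. The removed line `The IKEv2 daemon currently supports ESP only.` already states the charon limitation and could simply be kept with the `IKEv2` qualifier dropped.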
@ -270,10 +260,10 @@ and
|
||||||
.B xauthrsasig
|
.B xauthrsasig
|
||||||
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
|
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
|
||||||
based on shared secrets or digital RSA signatures, respectively.
|
based on shared secrets or digital RSA signatures, respectively.
|
||||||
This parameter is deprecated for IKEv2 connections, as two peers do not need
|
This parameter is deprecated, as two peers do not need to agree on an
|
||||||
to agree on an authentication method. Use the
|
authentication method in IKEv2. Use the
|
||||||
.B leftauth
|
.B leftauth
|
||||||
parameter instead to define authentication methods in IKEv2.
|
parameter instead to define authentication methods.
|
||||||
.TP
|
.TP
|
||||||
.BR auto " = " ignore " | add | route | start"
|
.BR auto " = " ignore " | add | route | start"
|
||||||
what operation, if any, should be done automatically at IPsec startup;
|
what operation, if any, should be done automatically at IPsec startup;
|
||||||
|
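Review bot: the rewritten deprecation notice justifies itself only for IKEv2 (`two peers do not need to agree on an authentication method in IKEv2`) while the hunk makes the deprecation apply to IKEv1 as well, so an IKEv1 reader is left without a reason. Suggest `This parameter is deprecated. Use the leftauth and rightauth parameters instead, which define the authentication method per peer for both IKEv1 and IKEv2.` The xauthpsk/xauthrsasig description just above still presents those values as the way to `enable eXtended AUTHentication ... in addition to IKEv1 main mode`; once authby is deprecated, point to `leftauth2=xauth` as their replacement.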
@ -318,7 +308,8 @@ and prefer compressed.
|
||||||
A value of
|
A value of
|
||||||
.B no
|
.B no
|
||||||
prevents IPsec from proposing compression;
|
prevents IPsec from proposing compression;
|
||||||
a proposal to compress will still be accepted.
|
a proposal to compress will still be accepted. IPComp is currently not supported
|
||||||
|
with IKEv1.
|
||||||
.TP
|
.TP
|
||||||
.BR dpdaction " = " none " | clear | hold | restart"
|
.BR dpdaction " = " none " | clear | hold | restart"
|
||||||
controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
|
controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
|
||||||
|
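Review bot: `IPComp is currently not supported with IKEv1.` is appended to the sentence about `compress=no`, so it reads as a property of the `no` value rather than of the parameter as a whole. Move it onto its own `.br`-separated line at the end of the compress entry, e.g. `.br` followed by `IPComp is currently not supported with IKEv1.`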
@ -336,16 +327,9 @@ put in the hold state
|
||||||
.RB ( hold )
|
.RB ( hold )
|
||||||
or restarted
|
or restarted
|
||||||
.RB ( restart ).
|
.RB ( restart ).
|
||||||
For IKEv1, the default is
|
The default is
|
||||||
.B none
|
.B none
|
||||||
which disables the active sending of R_U_THERE notifications.
|
which disables the active sending of DPD messages.
|
||||||
Nevertheless pluto will always send the DPD Vendor ID during connection set up
|
|
||||||
in order to signal the readiness to act passively as a responder if the peer
|
|
||||||
wants to use DPD. For IKEv2,
|
|
||||||
.B none
|
|
||||||
does't make sense, since all messages are used to detect dead peers. If specified,
|
|
||||||
it has the same meaning as the default
|
|
||||||
.RB ( clear ).
|
|
||||||
.TP
|
.TP
|
||||||
.BR dpddelay " = " 30s " | <time>"
|
.BR dpddelay " = " 30s " | <time>"
|
||||||
defines the period time interval with which R_U_THERE messages/INFORMATIONAL
|
defines the period time interval with which R_U_THERE messages/INFORMATIONAL
|
||||||
|
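Review bot: the removed IKEv2 paragraph carried the only statement that with IKEv2 `none` behaves like `clear`, because every exchange doubles as a liveness check. If charon's IKEv2 behaviour is unchanged, the new text `The default is none which disables the active sending of DPD messages.` is now misleading for IKEv2 and that qualification must stay. If the semantics really were unified so that `none` disables DPD for both protocols, say so explicitly and note that `dpddelay` (next entry) then has no effect.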
@ -354,23 +338,16 @@ received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
|
||||||
messages and uses only standard messages (such as those to rekey) to detect
|
messages and uses only standard messages (such as those to rekey) to detect
|
||||||
dead peers.
|
dead peers.
|
||||||
.TP
|
.TP
|
||||||
.BR dpdtimeout " = " 150s " | <time>"
|
|
||||||
defines the timeout interval, after which all connections to a peer are deleted
|
|
||||||
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
|
|
||||||
retransmission timeout applies, as every exchange is used to detect dead peers.
|
|
||||||
See
|
|
||||||
.IR strongswan.conf (5)
|
|
||||||
for a description of the IKEv2 retransmission timeout.
|
|
||||||
.TP
|
|
||||||
.BR closeaction " = " none " | clear | hold | restart"
|
.BR closeaction " = " none " | clear | hold | restart"
|
||||||
defines the action to take if the remote peer unexpectedly closes a CHILD_SA
|
defines the action to take if the remote peer unexpectedly closes a CHILD_SA.
|
||||||
(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
|
A closeaction should not be
|
||||||
used if the peer uses reauthentication or uniquids checking, as these events
|
used if the peer uses reauthentication or uniquids checking, as these events
|
||||||
might trigger a closeaction when not desired.
|
might trigger a closeaction when not desired. Closeactions are currently
|
||||||
|
not supported with IKEv1.
|
||||||
.TP
|
.TP
|
||||||
.BR inactivity " = <time>"
|
.BR inactivity " = <time>"
|
||||||
defines the timeout interval, after which a CHILD_SA is closed if it did
|
defines the timeout interval, after which a CHILD_SA is closed if it did
|
||||||
not send or receive any traffic. Currently supported in IKEv2 connections only.
|
not send or receive any traffic.
|
||||||
.TP
|
.TP
|
||||||
.BR eap_identity " = <id>"
|
.BR eap_identity " = <id>"
|
||||||
defines the identity the client uses to reply to a EAP Identity request.
|
defines the identity the client uses to reply to a EAP Identity request.
|
||||||
|
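Review bot: the `dpdtimeout` entry is deleted outright, yet nothing says whether starter still accepts the keyword. If it is parsed and ignored now that charon handles IKEv1, keep a short entry saying so; otherwise users with `dpdtimeout=` in existing configs get a parse error they cannot look up. The removed pointer to the retransmission settings in `strongswan.conf(5)` should move into the `dpddelay` entry, since retransmission timeouts are now what decides when a peer is declared dead for both protocols. In the same hunk, `Closeactions are currently not supported with IKEv1.` refers to a keyword and reads better as `closeaction is currently not supported with IKEv1.`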
@ -388,15 +365,15 @@ The notation is
|
||||||
.BR encryption-integrity[-dhgroup][-esnmode] .
|
.BR encryption-integrity[-dhgroup][-esnmode] .
|
||||||
.br
|
.br
|
||||||
Defaults to
|
Defaults to
|
||||||
.BR aes128-sha1,3des-sha1
|
.BR aes128-sha1,3des-sha1 .
|
||||||
for IKEv1. The IKEv2 daemon adds its extensive default proposal to this default
|
The daemon adds its extensive default proposal to this default
|
||||||
or the configured value. To restrict it to the configured proposal an
|
or the configured value. To restrict it to the configured proposal an
|
||||||
exclamation mark
|
exclamation mark
|
||||||
.RB ( ! )
|
.RB ( ! )
|
||||||
can be added at the end.
|
can be added at the end.
|
||||||
.br
|
.br
|
||||||
.BR Note :
|
.BR Note :
|
||||||
As a responder both daemons accept the first supported proposal received from
|
As a responder the daemon accepts the first supported proposal received from
|
||||||
the peer. In order to restrict a responder to only accept specific cipher
|
the peer. In order to restrict a responder to only accept specific cipher
|
||||||
suites, the strict flag
|
suites, the strict flag
|
||||||
.RB ( ! ,
|
.RB ( ! ,
|
||||||
|
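Review bot: `Defaults to aes128-sha1,3des-sha1.` immediately followed by `The daemon adds its extensive default proposal to this default or the configured value.` leaves it unclear what is actually proposed when `esp` is unset. Suggest `If esp is not configured, or the configured value is not terminated by an exclamation mark (!), the daemon additionally proposes its extensive default proposal.` The same construction is used in the `ike` entry further down and should be fixed the same way.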
@ -404,8 +381,8 @@ exclamation mark) can be used, e.g: aes256-sha512-modp4096!
|
||||||
.br
|
.br
|
||||||
If
|
If
|
||||||
.B dh-group
|
.B dh-group
|
||||||
is specified, CHILD_SA setup and rekeying include a separate Diffie-Hellman
|
is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
|
||||||
exchange (IKEv2 only). Valid values for
|
Diffie-Hellman exchange. Valid values for
|
||||||
.B esnmode
|
.B esnmode
|
||||||
(IKEv2 only) are
|
(IKEv2 only) are
|
||||||
.B esn
|
.B esn
|
||||||
|
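Review bot: with `pfs` and `pfsgroup` removed later in this patch (the hunk that deletes the `.BR pfs` and `.BR pfsgroup` entries), a DH group in `esp=` becomes the only way to get Quick Mode PFS in IKEv1, and this `dh-group` sentence is where that should be stated. Suggest extending it to `... include a separate Diffie-Hellman exchange. This replaces the former pfs and pfsgroup parameters; without a DH group, no PFS is provided for IPsec SAs.` The `esnmode ... (IKEv2 only)` qualifier correctly stays; please double-check that charon really supports a Quick Mode group different from the Main Mode group, since the removed `pfsgroup` text promised exactly that.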
@ -418,7 +395,7 @@ the default is
|
||||||
.BR forceencaps " = yes | " no
|
.BR forceencaps " = yes | " no
|
||||||
force UDP encapsulation for ESP packets even if no NAT situation is detected.
|
force UDP encapsulation for ESP packets even if no NAT situation is detected.
|
||||||
This may help to surmount restrictive firewalls. In order to force the peer to
|
This may help to surmount restrictive firewalls. In order to force the peer to
|
||||||
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
|
encapsulate packets, NAT detection payloads are faked.
|
||||||
.TP
|
.TP
|
||||||
.BR ike " = <cipher suites>"
|
.BR ike " = <cipher suites>"
|
||||||
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
|
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
|
||||||
|
@ -430,15 +407,15 @@ In IKEv2, multiple algorithms and proposals may be included, such as
|
||||||
aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
|
aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
|
||||||
.br
|
.br
|
||||||
Defaults to
|
Defaults to
|
||||||
.B aes128-sha1-modp2048,3des-sha1-modp1536
|
.B aes128-sha1-modp2048,3des-sha1-modp1536 .
|
||||||
for IKEv1. The IKEv2 daemon adds its extensive default proposal to this
|
The daemon adds its extensive default proposal to this
|
||||||
default or the configured value. To restrict it to the configured proposal an
|
default or the configured value. To restrict it to the configured proposal an
|
||||||
exclamation mark
|
exclamation mark
|
||||||
.RB ( ! )
|
.RB ( ! )
|
||||||
can be added at the end.
|
can be added at the end.
|
||||||
.br
|
.br
|
||||||
.BR Note :
|
.BR Note :
|
||||||
As a responder both daemons accept the first supported proposal received from
|
As a responder the daemon accepts the first supported proposal received from
|
||||||
the peer. In order to restrict a responder to only accept specific cipher
|
the peer. In order to restrict a responder to only accept specific cipher
|
||||||
suites, the strict flag
|
suites, the strict flag
|
||||||
.BR ( ! ,
|
.BR ( ! ,
|
||||||
|
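Review bot: the hunk context still reads `In IKEv2, multiple algorithms and proposals may be included, such as`, but this page no longer describes an IKEv1 daemon that cannot do so; either drop the `In IKEv2,` qualifier or state how IKEv1 proposals are built from a multi-algorithm list (one ISAKMP transform per combination). `Defaults to aes128-sha1-modp2048,3des-sha1-modp1536.` has the same ambiguity as the `esp` default above: say when the daemon's extensive default proposal is added to it.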
@ -449,8 +426,8 @@ how long the keying channel of a connection (ISAKMP or IKE SA)
|
||||||
should last before being renegotiated. Also see EXPIRY/REKEY below.
|
should last before being renegotiated. Also see EXPIRY/REKEY below.
|
||||||
.TP
|
.TP
|
||||||
.BR installpolicy " = " yes " | no"
|
.BR installpolicy " = " yes " | no"
|
||||||
decides whether IPsec policies are installed in the kernel by the IKEv2
|
decides whether IPsec policies are installed in the kernel by the charon daemon
|
||||||
charon daemon for a given connection. Allows peaceful cooperation e.g. with
|
for a given connection. Allows peaceful cooperation e.g. with
|
||||||
the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
|
the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
|
||||||
Acceptable values are
|
Acceptable values are
|
||||||
.B yes
|
.B yes
|
||||||
|
@ -460,19 +437,8 @@ Acceptable values are
|
||||||
.BR keyexchange " = " ike " | ikev1 | ikev2"
|
.BR keyexchange " = " ike " | ikev1 | ikev2"
|
||||||
method of key exchange;
|
method of key exchange;
|
||||||
which protocol should be used to initialize the connection. Connections marked with
|
which protocol should be used to initialize the connection. Connections marked with
|
||||||
.B ikev1
|
|
||||||
are initiated with pluto, those marked with
|
|
||||||
.B ikev2
|
|
||||||
with charon. An incoming request from the remote peer is handled by the correct
|
|
||||||
daemon, unaffected from the
|
|
||||||
.B keyexchange
|
|
||||||
setting. Starting with strongSwan 4.5 the default value
|
|
||||||
.B ike
|
.B ike
|
||||||
is a synonym for
|
use IKEv2 when initiating, but accept any protocol version when responding.
|
||||||
.BR ikev2 ,
|
|
||||||
whereas in older strongSwan releases
|
|
||||||
.B ikev1
|
|
||||||
was assumed.
|
|
||||||
.TP
|
.TP
|
||||||
.BR keyingtries " = " 3 " | <number> | %forever"
|
.BR keyingtries " = " 3 " | <number> | %forever"
|
||||||
how many attempts (a whole number or \fB%forever\fP) should be made to
|
how many attempts (a whole number or \fB%forever\fP) should be made to
|
||||||
|
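Review bot: after removing `is a synonym for`, the default `ike` is followed by the fragment `use IKEv2 when initiating, but accept any protocol version when responding.` with no verb linking it to the keyword. Suggest `.B ike` followed by `means IKEv2 is used when initiating, while any protocol version is accepted when responding.` The rewritten entry should also say what `ikev1` and `ikev2` do when responding (is the other version rejected?), since the deleted text covered the responder case and the new text covers it only for `ike`.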
@ -504,18 +470,8 @@ or
|
||||||
may be
|
may be
|
||||||
.BR %defaultroute ,
|
.BR %defaultroute ,
|
||||||
but not both.
|
but not both.
|
||||||
The prefix
|
|
||||||
.B %
|
|
||||||
in front of a fully-qualified domain name or an IP address will implicitly set
|
|
||||||
.B leftallowany=yes.
|
|
||||||
If the domain name cannot be resolved into an IP address at IPsec startup or
|
|
||||||
update time then
|
|
||||||
.B left=%any
|
|
||||||
and
|
|
||||||
.B leftallowany=no
|
|
||||||
will be assumed.
|
|
||||||
|
|
||||||
In case of an IKEv2 connection, the value
|
The value
|
||||||
.B %any
|
.B %any
|
||||||
for the local endpoint signifies an address to be filled in (by automatic
|
for the local endpoint signifies an address to be filled in (by automatic
|
||||||
keying) during negotiation. If the local peer initiates the connection setup
|
keying) during negotiation. If the local peer initiates the connection setup
|
||||||
|
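Review bot: the `%` prefix on `left=` and its implicit `leftallowany=yes` are removed here, but the hunk does not say whether a `%fqdn` value is now rejected, taken as a plain FQDN, or still works; DynDNS configurations depended on this. Add one sentence giving the new behaviour (and, if the prefix is still parsed for compatibility, say so). The removed fallback `If the domain name cannot be resolved into an IP address at IPsec startup or update time then left=%any and leftallowany=no will be assumed` also described behaviour users rely on and needs a replacement statement.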
@ -523,9 +479,6 @@ the routing table will be queried to determine the correct local IP address.
|
||||||
In case the local peer is responding to a connection setup then any IP address
|
In case the local peer is responding to a connection setup then any IP address
|
||||||
that is assigned to a local interface will be accepted.
|
that is assigned to a local interface will be accepted.
|
||||||
.br
|
.br
|
||||||
Note that specifying
|
|
||||||
.B %any
|
|
||||||
for the local endpoint is not supported by the IKEv1 pluto daemon.
|
|
||||||
|
|
||||||
If
|
If
|
||||||
.B %any
|
.B %any
|
||||||
|
@ -535,30 +488,18 @@ Please note that with the usage of wildcards multiple connection descriptions
|
||||||
might match a given incoming connection attempt. The most specific description
|
might match a given incoming connection attempt. The most specific description
|
||||||
is used in that case.
|
is used in that case.
|
||||||
.TP
|
.TP
|
||||||
.BR leftallowany " = yes | " no
|
|
||||||
a modifier for
|
|
||||||
.B left
|
|
||||||
, making it behave as
|
|
||||||
.B %any
|
|
||||||
although a concrete IP address has been assigned.
|
|
||||||
Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
|
|
||||||
startup or update time.
|
|
||||||
Acceptable values are
|
|
||||||
.B yes
|
|
||||||
and
|
|
||||||
.B no
|
|
||||||
(the default).
|
|
||||||
.TP
|
|
||||||
.BR leftauth " = <auth method>"
|
.BR leftauth " = <auth method>"
|
||||||
Authentication method to use locally (left) or require from the remote (right)
|
Authentication method to use locally (left) or require from the remote (right)
|
||||||
side.
|
side.
|
||||||
This parameter is supported in IKEv2 only. Acceptable values are
|
Acceptable values are
|
||||||
.B pubkey
|
.B pubkey
|
||||||
for public key authentication (RSA/ECDSA),
|
for public key authentication (RSA/ECDSA),
|
||||||
.B psk
|
.B psk
|
||||||
for pre-shared key authentication and
|
for pre-shared key authentication,
|
||||||
.B eap
|
.B eap
|
||||||
to (require the) use of the Extensible Authentication Protocol.
|
to (require the) use of the Extensible Authentication Protocol in IKEv2, and
|
||||||
|
.B xauth
|
||||||
|
for IKEv1 eXtended Authentication.
|
||||||
To require a trustchain public key strength for the remote side, specify the
|
To require a trustchain public key strength for the remote side, specify the
|
||||||
key type followed by the strength in bits (for example
|
key type followed by the strength in bits (for example
|
||||||
.BR rsa-2048
|
.BR rsa-2048
|
||||||
|
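Review bot: the new value list `... in IKEv2, and xauth for IKEv1 eXtended Authentication.` should tell the reader which side supplies the credentials: `leftauth=xauth` on the client means the local host authenticates with an XAuth username and password, while `rightauth=xauth` on the server means the peer is required to. A cross-reference to the `xauth = client | server` role entry further down would avoid the obvious misreading that a server itself authenticates with XAuth.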
@ -579,14 +520,26 @@ Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
|
||||||
EAP methods are defined in the form
|
EAP methods are defined in the form
|
||||||
.B eap-type-vendor
|
.B eap-type-vendor
|
||||||
.RB "(e.g. " eap-7-12345 ).
|
.RB "(e.g. " eap-7-12345 ).
|
||||||
|
For
|
||||||
|
.B xauth,
|
||||||
|
a XAuth authentication backend can be specified, such as
|
||||||
|
.B xauth-generic
|
||||||
|
or
|
||||||
|
.B xauth-eap .
|
||||||
|
If XAuth is used in
|
||||||
|
.BR leftauth ,
|
||||||
|
Hybrid authentication is used. For traditional XAuth authentication, define
|
||||||
|
XAuth in
|
||||||
|
.BR lefauth2 .
|
||||||
.TP
|
.TP
|
||||||
.BR leftauth2 " = <auth method>"
|
.BR leftauth2 " = <auth method>"
|
||||||
Same as
|
Same as
|
||||||
.BR leftauth ,
|
.BR leftauth ,
|
||||||
but defines an additional authentication exchange. IKEv2 supports multiple
|
but defines an additional authentication exchange. In IKEv1, only XAuth can be
|
||||||
|
used in the second authentication round. IKEv2 supports multiple complete
|
||||||
authentication rounds using "Multiple Authentication Exchanges" defined
|
authentication rounds using "Multiple Authentication Exchanges" defined
|
||||||
in RFC4739. This allows, for example, separated authentication
|
in RFC4739. This allows, for example, separated authentication
|
||||||
of host and user (IKEv2 only).
|
of host and user.
|
||||||
.TP
|
.TP
|
||||||
.BR leftca " = <issuer dn> | %same"
|
.BR leftca " = <issuer dn> | %same"
|
||||||
the distinguished name of a certificate authority which is required to
|
the distinguished name of a certificate authority which is required to
|
||||||
|
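Review bot: typo in the new text, `.BR lefauth2 .` must be `.BR leftauth2 .`, a reader grepping for the keyword will not find it. Also `.B xauth,` sets the comma in bold, use `.BR xauth ,`, and `a XAuth` should be `an XAuth`. The sentence `If XAuth is used in leftauth, Hybrid authentication is used.` is too terse: Hybrid mode means the server authenticates with a certificate only and the client with XAuth only, so spell out the typical client configuration (`leftauth=xauth` with `rightauth=pubkey`) next to the traditional one (`leftauth=psk` or `pubkey` plus `leftauth2=xauth`) so the two can be told apart. In the `leftauth2` entry, `In IKEv1, only XAuth can be used in the second authentication round.` is correct; add that the first round must then be psk or pubkey.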
@ -645,8 +598,7 @@ tunnels established with IPsec are exempted from it
|
||||||
so that packets can flow unchanged through the tunnels.
|
so that packets can flow unchanged through the tunnels.
|
||||||
(This means that all subnets connected in this manner must have
|
(This means that all subnets connected in this manner must have
|
||||||
distinct, non-overlapping subnet address blocks.)
|
distinct, non-overlapping subnet address blocks.)
|
||||||
This is done by the default \fBipsec _updown\fR script (see
|
This is done by the default \fBipsec _updown\fR script.
|
||||||
.IR pluto (8)).
|
|
||||||
|
|
||||||
In situations calling for more control,
|
In situations calling for more control,
|
||||||
it may be preferable for the user to supply his own
|
it may be preferable for the user to supply his own
|
||||||
|
@ -658,12 +610,7 @@ which makes the appropriate adjustments for his system.
|
||||||
a comma separated list of group names. If the
|
a comma separated list of group names. If the
|
||||||
.B leftgroups
|
.B leftgroups
|
||||||
parameter is present then the peer must be a member of at least one
|
parameter is present then the peer must be a member of at least one
|
||||||
of the groups defined by the parameter. Group membership must be certified
|
of the groups defined by the parameter.
|
||||||
by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
|
|
||||||
been issued to the peer by a trusted Authorization Authority stored in
|
|
||||||
\fI/etc/ipsec.d/aacerts/\fP.
|
|
||||||
.br
|
|
||||||
Attribute certificates are not supported in IKEv2 yet.
|
|
||||||
.TP
|
.TP
|
||||||
.BR lefthostaccess " = yes | " no
|
.BR lefthostaccess " = yes | " no
|
||||||
inserts a pair of INPUT and OUTPUT iptables rules using the default
|
inserts a pair of INPUT and OUTPUT iptables rules using the default
|
||||||
|
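Review bot: dropping the attribute-certificate sentences leaves `leftgroups` with no statement of where group membership comes from; the entry now says membership is required but not how it is proven. If charon still evaluates attribute certificates in `/etc/ipsec.d/acerts/` issued by an Authorization Authority in `/etc/ipsec.d/aacerts/`, keep that text and only drop the `not supported in IKEv2 yet` line; if membership is now also or instead derived from another source (for example an EAP/RADIUS backend), name it. Silently removing it leaves a security-relevant access-control knob undocumented.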
@ -690,8 +637,8 @@ identity to use for a second authentication for the left participant
|
||||||
.BR leftid .
|
.BR leftid .
|
||||||
.TP
|
.TP
|
||||||
.BR leftikeport " = <port>"
|
.BR leftikeport " = <port>"
|
||||||
UDP port the left participant uses for IKE communication. Currently supported in
|
UDP port the left participant uses for IKE communication.
|
||||||
IKEv2 connections only. If unspecified, port 500 is used with the port floating
|
If unspecified, port 500 is used with the port floating
|
||||||
to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
|
to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
|
||||||
different from the default additionally requires a socket implementation that
|
different from the default additionally requires a socket implementation that
|
||||||
listens to this port.
|
listens to this port.
|
||||||
|
@ -713,29 +660,6 @@ or
|
||||||
or
|
or
|
||||||
.B leftprotoport=udp
|
.B leftprotoport=udp
|
||||||
.TP
|
.TP
|
||||||
.BR leftrsasigkey " = " %cert " | <raw rsa public key>"
|
|
||||||
the left participant's
|
|
||||||
public key for RSA signature authentication,
|
|
||||||
in RFC 2537 format using
|
|
||||||
.IR ttodata (3)
|
|
||||||
encoding.
|
|
||||||
The magic value
|
|
||||||
.B %none
|
|
||||||
means the same as not specifying a value (useful to override a default).
|
|
||||||
The value
|
|
||||||
.B %cert
|
|
||||||
(the default)
|
|
||||||
means that the key is extracted from a certificate.
|
|
||||||
The identity used for the left participant
|
|
||||||
must be a specific host, not
|
|
||||||
.B %any
|
|
||||||
or another magic value.
|
|
||||||
.B Caution:
|
|
||||||
if two connection descriptions
|
|
||||||
specify different public keys for the same
|
|
||||||
.BR leftid ,
|
|
||||||
confusion and madness will ensue.
|
|
||||||
.TP
|
|
||||||
.BR leftsendcert " = never | no | " ifasked " | always | yes"
|
.BR leftsendcert " = never | no | " ifasked " | always | yes"
|
||||||
Accepted values are
|
Accepted values are
|
||||||
.B never
|
.B never
|
||||||
|
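Review bot: the entire `leftrsasigkey` entry is deleted without saying what happens to configurations that set it. If charon does not support raw RSA public keys in ipsec.conf and the keyword is now rejected or ignored, a one-line obsolete-keyword note is needed; if raw keys are still usable through another path (for example `leftcert` pointing at a key file, or ipsec.secrets), point there. The removed caution about two connections specifying different keys for the same `leftid` still applies to certificate-based setups and could be kept in generalised form.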
@ -757,8 +681,7 @@ value is one of the synonyms
|
||||||
.BR %modeconfig ,
|
.BR %modeconfig ,
|
||||||
or
|
or
|
||||||
.BR %modecfg ,
|
.BR %modecfg ,
|
||||||
an address is requested from the peer. In IKEv2, a statically defined address
|
an address is requested from the peer.
|
||||||
is also requested, since the server may change it.
|
|
||||||
.TP
|
.TP
|
||||||
.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
|
.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
|
||||||
The internal source IP to use in a tunnel for the remote peer. If the
|
The internal source IP to use in a tunnel for the remote peer. If the
|
||||||
|
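Review bot: the deleted sentence `a statically defined address is also requested, since the server may change it.` described behaviour, not an IKEv2 limitation, so removing it loses information. If charon still sends a configured static address in its configuration request and accepts a replacement from the server (for IKEv1 via Mode Config as well), keep the sentence with the `In IKEv2,` prefix dropped; if IKEv1 behaves differently, say how.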
@ -775,16 +698,11 @@ private subnet behind the left participant, expressed as
|
||||||
\fInetwork\fB/\fInetmask\fR;
|
\fInetwork\fB/\fInetmask\fR;
|
||||||
if omitted, essentially assumed to be \fIleft\fB/32\fR,
|
if omitted, essentially assumed to be \fIleft\fB/32\fR,
|
||||||
signifying that the left end of the connection goes to the left participant
|
signifying that the left end of the connection goes to the left participant
|
||||||
only. When using IKEv2, the configured subnet of the peers may differ, the
|
only. Configured subnet of the peers may differ, the protocol narrows it to
|
||||||
protocol narrows it to the greatest common subnet. Further, IKEv2 supports
|
the greatest common subnet. In IKEv1, this may lead to problems with other
|
||||||
multiple subnets separated by commas. IKEv1 only interprets the first subnet
|
implementations, make sure to configure identical subnets in such
|
||||||
of such a definition.
|
configurations. IKEv2 supports multiple subnets separated by commas, IKEv1 only
|
||||||
.TP
|
interprets the first subnet of such a definition.
|
||||||
.BR leftsubnetwithin " = <ip subnet>"
|
|
||||||
the peer can propose any subnet or single IP address that fits within the
|
|
||||||
range defined by
|
|
||||||
.BR leftsubnetwithin.
|
|
||||||
Not relevant for IKEv2, as subnets are narrowed.
|
|
||||||
.TP
|
.TP
|
||||||
.BR leftupdown " = <path>"
|
.BR leftupdown " = <path>"
|
||||||
what ``updown'' script to run to adjust routing and/or firewalling
|
what ``updown'' script to run to adjust routing and/or firewalling
|
||||||
|
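Review bot: grammar and substance in the new paragraph. `Configured subnet of the peers may differ, the protocol narrows it to the greatest common subnet.` should read `The configured subnets of the two peers may differ; the protocol narrows them to the greatest common subnet.` More importantly, `In IKEv1, this may lead to problems with other implementations` hides the reason: IKEv1 has no traffic-selector narrowing in the protocol, so charon's narrowing is an extension a standard IKEv1 peer will not perform, and mismatched subnets then fail. State that plainly. The `leftsubnetwithin` entry is deleted in the same hunk; say whether the keyword is still accepted (as a synonym now covered by narrowing) or rejected.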
@ -794,20 +712,15 @@ changes (default
|
||||||
May include positional parameters separated by white space
|
May include positional parameters separated by white space
|
||||||
(although this requires enclosing the whole string in quotes);
|
(although this requires enclosing the whole string in quotes);
|
||||||
including shell metacharacters is unwise.
|
including shell metacharacters is unwise.
|
||||||
See
|
Relevant only locally, other end need not agree on it. Charon uses the updown
|
||||||
.IR pluto (8)
|
|
||||||
for details.
|
|
||||||
Relevant only locally, other end need not agree on it. IKEv2 uses the updown
|
|
||||||
script to insert firewall rules only, since routing has been implemented
|
script to insert firewall rules only, since routing has been implemented
|
||||||
directly into charon.
|
directly into the daemon.
|
||||||
.TP
|
.TP
|
||||||
.BR lifebytes " = <number>"
|
.BR lifebytes " = <number>"
|
||||||
the number of bytes transmitted over an IPsec SA before it expires (IKEv2
|
the number of bytes transmitted over an IPsec SA before it expires.
|
||||||
only).
|
|
||||||
.TP
|
.TP
|
||||||
.BR lifepackets " = <number>"
|
.BR lifepackets " = <number>"
|
||||||
the number of packets transmitted over an IPsec SA before it expires (IKEv2
|
the number of packets transmitted over an IPsec SA before it expires.
|
||||||
only).
|
|
||||||
.TP
|
.TP
|
||||||
.BR lifetime " = " 1h " | <time>"
|
.BR lifetime " = " 1h " | <time>"
|
||||||
how long a particular instance of a connection
|
how long a particular instance of a connection
|
||||||
|
@ -839,12 +752,12 @@ which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
|
||||||
.BR marginbytes " = <number>"
|
.BR marginbytes " = <number>"
|
||||||
how many bytes before IPsec SA expiry (see
|
how many bytes before IPsec SA expiry (see
|
||||||
.BR lifebytes )
|
.BR lifebytes )
|
||||||
should attempts to negotiate a replacement begin (IKEv2 only).
|
should attempts to negotiate a replacement begin.
|
||||||
.TP
|
.TP
|
||||||
.BR marginpackets " = <number>"
|
.BR marginpackets " = <number>"
|
||||||
how many packets before IPsec SA expiry (see
|
how many packets before IPsec SA expiry (see
|
||||||
.BR lifepackets )
|
.BR lifepackets )
|
||||||
should attempts to negotiate a replacement begin (IKEv2 only).
|
should attempts to negotiate a replacement begin.
|
||||||
.TP
|
.TP
|
||||||
.BR margintime " = " 9m " | <time>"
|
.BR margintime " = " 9m " | <time>"
|
||||||
how long before connection expiry or keying-channel expiry
|
how long before connection expiry or keying-channel expiry
|
||||||
|
@ -883,7 +796,7 @@ enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
|
||||||
.BR no .
|
.BR no .
|
||||||
If set to
|
If set to
|
||||||
.BR no ,
|
.BR no ,
|
||||||
the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
|
the charon daemon will not actively propose MOBIKE as initiator and
|
||||||
ignore the MOBIKE_SUPPORTED notify as responder.
|
ignore the MOBIKE_SUPPORTED notify as responder.
|
||||||
.TP
|
.TP
|
||||||
.BR modeconfig " = push | " pull
|
.BR modeconfig " = push | " pull
|
||||||
|
@ -893,29 +806,8 @@ Accepted values are
|
||||||
and
|
and
|
||||||
.B pull
|
.B pull
|
||||||
(the default).
|
(the default).
|
||||||
Currently relevant for IKEv1 only since IKEv2 always uses the configuration
|
Push mode is currently not supported in charon, hence this parameter has no
|
||||||
payload in pull mode. Cisco VPN gateways usually operate in
|
effect.
|
||||||
.B push
|
|
||||||
mode.
|
|
||||||
.TP
|
|
||||||
.BR pfs " = " yes " | no"
|
|
||||||
whether Perfect Forward Secrecy of keys is desired on the connection's
|
|
||||||
keying channel
|
|
||||||
(with PFS, penetration of the key-exchange protocol
|
|
||||||
does not compromise keys negotiated earlier);
|
|
||||||
acceptable values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
and
|
|
||||||
.BR no.
|
|
||||||
IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
|
|
||||||
PFS is enforced by defining a Diffie-Hellman modp group in the
|
|
||||||
.B esp
|
|
||||||
parameter.
|
|
||||||
.TP
|
|
||||||
.BR pfsgroup " = <modp group>"
|
|
||||||
defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
|
|
||||||
differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
|
|
||||||
.TP
|
.TP
|
||||||
.BR reauth " = " yes " | no"
|
.BR reauth " = " yes " | no"
|
||||||
whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
|
whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
|
||||||
|
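Review bot: removing `pfs` and `pfsgroup` changes the security default for IKEv1 Quick Mode. The old default was `pfs=yes`, and the new `esp` default `aes128-sha1,3des-sha1` (see the esp hunk above) carries no DH group, so a configuration that merely drops the now-unknown keywords silently loses PFS for its IPsec SAs. Leave a short entry stating that `pfs` and `pfsgroup` are obsolete and that Quick Mode PFS is enabled by adding a DH group to `esp=`, so the regression is visible to anyone migrating. For `modeconfig`, the deleted hint `Cisco VPN gateways usually operate in push mode` was the practical reason to look this parameter up; keep it next to the new `Push mode is currently not supported in charon` statement so the interoperability consequence is clear.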
@ -935,7 +827,7 @@ and
|
||||||
.BR no .
|
.BR no .
|
||||||
The two ends need not agree, but while a value of
|
The two ends need not agree, but while a value of
|
||||||
.B no
|
.B no
|
||||||
prevents pluto/charon from requesting renegotiation,
|
prevents charon from requesting renegotiation,
|
||||||
it does not prevent responding to renegotiation requested from the other end,
|
it does not prevent responding to renegotiation requested from the other end,
|
||||||
so
|
so
|
||||||
.B no
|
.B no
|
||||||
|
@ -997,17 +889,7 @@ signifying the special Mobile IPv6 transport proxy mode;
|
||||||
.BR passthrough ,
|
.BR passthrough ,
|
||||||
signifying that no IPsec processing should be done at all;
|
signifying that no IPsec processing should be done at all;
|
||||||
.BR drop ,
|
.BR drop ,
|
||||||
signifying that packets should be discarded; and
|
signifying that packets should be discarded.
|
||||||
.BR reject ,
|
|
||||||
signifying that packets should be discarded and a diagnostic ICMP returned
|
|
||||||
.RB ( reject
|
|
||||||
is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
|
|
||||||
The IKEv2 daemon charon currently supports
|
|
||||||
.BR tunnel ,
|
|
||||||
.BR transport ,
|
|
||||||
and
|
|
||||||
.BR transport_proxy
|
|
||||||
connection types, only.
|
|
||||||
.TP
|
.TP
|
||||||
.BR xauth " = " client " | server"
|
.BR xauth " = " client " | server"
|
||||||
specifies the role in the XAUTH protocol if activated by
|
specifies the role in the XAUTH protocol if activated by
|
||||||
|
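Review bot: deleting `The IKEv2 daemon charon currently supports tunnel, transport, and transport_proxy connection types, only.` implies charon now also honours `passthrough` and `drop`, which remain listed above. If so, say it and describe how they are installed (as shunt policies); if not, the value list is now wrong. `reject` is removed without comment; if the keyword is still parsed it belongs in an obsolete-keyword note, and if it is rejected users should be told.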
@ -1080,8 +962,6 @@ synonym for
|
||||||
.BR crluri2 " = <uri>"
|
.BR crluri2 " = <uri>"
|
||||||
defines an alternative CRL distribution point (ldap, http, or file URI)
|
defines an alternative CRL distribution point (ldap, http, or file URI)
|
||||||
.TP
|
.TP
|
||||||
.BR ldaphost " = <hostname>"
|
|
||||||
defines an ldap host. Currently used by IKEv1 only.
|
|
||||||
.TP
|
.TP
|
||||||
.BR ocspuri " = <uri>"
|
.BR ocspuri " = <uri>"
|
||||||
defines an OCSP URI.
|
defines an OCSP URI.
|
||||||
|
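Review bot: `ldaphost` is removed silently while the `crluri`/`crluri2` entries in the same area still accept ldap URIs, for which `ldaphost` supplied the missing host part. State that ldap URIs must now carry the host (or where the default LDAP server is configured instead), and whether the keyword is still accepted.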
@ -1091,7 +971,7 @@ synonym for
|
||||||
.B ocspuri.
|
.B ocspuri.
|
||||||
.TP
|
.TP
|
||||||
.BR ocspuri2 " = <uri>"
|
.BR ocspuri2 " = <uri>"
|
||||||
defines an alternative OCSP URI. Currently used by IKEv2 only.
|
defines an alternative OCSP URI.
|
||||||
.TP
|
.TP
|
||||||
.BR certuribase " = <uri>"
|
.BR certuribase " = <uri>"
|
||||||
defines the base URI for the Hash and URL feature supported by IKEv2.
|
defines the base URI for the Hash and URL feature supported by IKEv2.
|
||||||
|
@ -1104,48 +984,12 @@ At present, the only
|
||||||
section known to the IPsec software is the one named
|
section known to the IPsec software is the one named
|
||||||
.BR setup ,
|
.BR setup ,
|
||||||
which contains information used when the software is being started.
|
which contains information used when the software is being started.
|
||||||
Here's an example:
|
|
||||||
.PP
|
|
||||||
.ne 8
|
|
||||||
.nf
|
|
||||||
.ft B
|
|
||||||
.ta 1c
|
|
||||||
config setup
|
|
||||||
plutodebug=all
|
|
||||||
crlcheckinterval=10m
|
|
||||||
strictcrlpolicy=yes
|
|
||||||
.ft
|
|
||||||
.fi
|
|
||||||
.PP
|
|
||||||
Parameters are optional unless marked ``(required)''.
|
|
||||||
The currently-accepted
|
The currently-accepted
|
||||||
.I parameter
|
.I parameter
|
||||||
names in a
|
names in a
|
||||||
.B config
|
.B config
|
||||||
.B setup
|
.B setup
|
||||||
section affecting both daemons are:
|
section are:
|
||||||
.TP
|
|
||||||
.BR cachecrls " = yes | " no
|
|
||||||
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
|
|
||||||
\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
|
|
||||||
authority's public key.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
and
|
|
||||||
.B no
|
|
||||||
(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
|
|
||||||
.TP
|
|
||||||
.BR charonstart " = " yes " | no"
|
|
||||||
whether to start the IKEv2 charon daemon or not.
|
|
||||||
The default is
|
|
||||||
.B yes
|
|
||||||
if starter was compiled with IKEv2 support.
|
|
||||||
.TP
|
|
||||||
.BR plutostart " = " yes " | no"
|
|
||||||
whether to start the IKEv1 pluto daemon or not.
|
|
||||||
The default is
|
|
||||||
.B yes
|
|
||||||
if starter was compiled with IKEv1 support.
|
|
||||||
.TP
|
.TP
|
||||||
.BR strictcrlpolicy " = yes | ifuri | " no
|
.BR strictcrlpolicy " = yes | ifuri | " no
|
||||||
defines if a fresh CRL must be available in order for the peer authentication
|
defines if a fresh CRL must be available in order for the peer authentication
|
||||||
|
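Review bot: the `cachecrls` removal is justified with "CRLs are always cached in IKEv2", yet the FILES list at the end of this page still names /etc/ipsec.d/crls as the cache directory and `strictcrlpolicy` right below still depends on fresh CRLs being fetched; verify that charon's caching really is unconditional and, if a toggle still exists, document it for charon instead of deleting the entry. Separately, the whole example block and the sentence "Parameters are optional unless marked (required)" disappear along with the pluto-specific `plutodebug=all` line; replace the example with a charon-only one (e.g. `charondebug=...` plus `strictcrlpolicy=yes`) rather than removing it, and keep the optional/required sentence, which applies to the entire section.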
@ -1171,116 +1015,13 @@ and
|
||||||
Participant IDs normally \fIare\fR unique,
|
Participant IDs normally \fIare\fR unique,
|
||||||
so a new (automatically-keyed) connection using the same ID is
|
so a new (automatically-keyed) connection using the same ID is
|
||||||
almost invariably intended to replace an old one.
|
almost invariably intended to replace an old one.
|
||||||
The IKEv2 daemon also accepts the value
|
The daemon also accepts the value
|
||||||
.B replace
|
.B replace
|
||||||
which is identical to
|
which is identical to
|
||||||
.B yes
|
.B yes
|
||||||
and the value
|
and the value
|
||||||
.B keep
|
.B keep
|
||||||
to reject new IKE_SA setups and keep the duplicate established earlier.
|
to reject new IKE_SA setups and keep the duplicate established earlier.
|
||||||
.PP
|
|
||||||
The following
|
|
||||||
.B config section
|
|
||||||
parameters are used by the IKEv1 Pluto daemon only:
|
|
||||||
.TP
|
|
||||||
.BR crlcheckinterval " = " 0s " | <time>"
|
|
||||||
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
|
||||||
Asynchronous, periodic checking for fresh CRLs is currently done by the
|
|
||||||
IKEv1 Pluto daemon only.
|
|
||||||
.TP
|
|
||||||
.BR keep_alive " = " 20s " | <time>"
|
|
||||||
interval in seconds between NAT keep alive packets, the default being 20 seconds.
|
|
||||||
.TP
|
|
||||||
.BR nat_traversal " = yes | " no
|
|
||||||
activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
|
|
||||||
being able of floating to udp/4500 if a NAT situation is detected.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
and
|
|
||||||
.B no
|
|
||||||
(the default).
|
|
||||||
Used by IKEv1 only, NAT traversal is always being active in IKEv2.
|
|
||||||
.TP
|
|
||||||
.BR nocrsend " = yes | " no
|
|
||||||
no certificate request payloads will be sent.
|
|
||||||
.TP
|
|
||||||
.BR pkcs11initargs " = <args>"
|
|
||||||
non-standard argument string for PKCS#11 C_Initialize() function;
|
|
||||||
required by NSS softoken.
|
|
||||||
.TP
|
|
||||||
.BR pkcs11module " = <args>"
|
|
||||||
defines the path to a dynamically loadable PKCS #11 library.
|
|
||||||
.TP
|
|
||||||
.BR pkcs11keepstate " = yes | " no
|
|
||||||
PKCS #11 login sessions will be kept during the whole lifetime of the keying
|
|
||||||
daemon. Useful with pin-pad smart card readers.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
and
|
|
||||||
.B no
|
|
||||||
(the default).
|
|
||||||
.TP
|
|
||||||
.BR pkcs11proxy " = yes | " no
|
|
||||||
Pluto will act as a PKCS #11 proxy accessible via the whack interface.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
and
|
|
||||||
.B no
|
|
||||||
(the default).
|
|
||||||
.TP
|
|
||||||
.BR plutodebug " = " none " | <debug list> | all"
|
|
||||||
how much pluto debugging output should be logged.
|
|
||||||
An empty value,
|
|
||||||
or the magic value
|
|
||||||
.BR none ,
|
|
||||||
means no debugging output (the default).
|
|
||||||
The magic value
|
|
||||||
.B all
|
|
||||||
means full output.
|
|
||||||
Otherwise only the specified types of output
|
|
||||||
(a quoted list, names without the
|
|
||||||
.B \-\-debug\-
|
|
||||||
prefix,
|
|
||||||
separated by white space) are enabled;
|
|
||||||
for details on available debugging types, see
|
|
||||||
.IR pluto (8).
|
|
||||||
.TP
|
|
||||||
.BR plutostderrlog " = <file>"
|
|
||||||
Pluto will not use syslog, but rather log to stderr, and redirect stderr
|
|
||||||
to <file>.
|
|
||||||
.TP
|
|
||||||
.BR postpluto " = <command>"
|
|
||||||
shell command to run after starting pluto
|
|
||||||
(e.g., to remove a decrypted copy of the
|
|
||||||
.I ipsec.secrets
|
|
||||||
file).
|
|
||||||
It's run in a very simple way;
|
|
||||||
complexities like I/O redirection are best hidden within a script.
|
|
||||||
Any output is redirected for logging,
|
|
||||||
so running interactive commands is difficult unless they use
|
|
||||||
.I /dev/tty
|
|
||||||
or equivalent for their interaction.
|
|
||||||
Default is none.
|
|
||||||
.TP
|
|
||||||
.BR prepluto " = <command>"
|
|
||||||
shell command to run before starting pluto
|
|
||||||
(e.g., to decrypt an encrypted copy of the
|
|
||||||
.I ipsec.secrets
|
|
||||||
file).
|
|
||||||
It's run in a very simple way;
|
|
||||||
complexities like I/O redirection are best hidden within a script.
|
|
||||||
Any output is redirected for logging,
|
|
||||||
so running interactive commands is difficult unless they use
|
|
||||||
.I /dev/tty
|
|
||||||
or equivalent for their interaction.
|
|
||||||
Default is none.
|
|
||||||
.TP
|
|
||||||
.BR virtual_private " = <networks>"
|
|
||||||
defines private networks using a wildcard notation.
|
|
||||||
.PP
|
|
||||||
The following
|
|
||||||
.B config section
|
|
||||||
parameters are used by the IKEv2 charon daemon only:
|
|
||||||
.TP
|
.TP
|
||||||
.BR charondebug " = <debug list>"
|
.BR charondebug " = <debug list>"
|
||||||
how much charon debugging output should be logged.
|
how much charon debugging output should be logged.
|
||||||
|
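Review bot: the deleted pluto-only block takes away several settings whose function persists under charon (the NAT keep-alive interval, PKCS #11 module loading, periodic CRL refresh, suppression of certificate request payloads) without telling the reader where they now live; add a sentence after the `uniqueids` entry pointing to strongswan.conf(5), which this page already references for logger configuration, for the charon equivalents where they exist. Also, with the "parameters are used by the IKEv2 charon daemon only" lead-in gone, `charondebug` now follows `uniqueids` directly in the same `.TP` list; that is fine, but the `.PP` break should not be reintroduced by a later edit that adds a new lead-in.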
@ -1297,7 +1038,7 @@ is set to
|
||||||
for all types. For more flexibility see LOGGER CONFIGURATION in
|
for all types. For more flexibility see LOGGER CONFIGURATION in
|
||||||
.IR strongswan.conf (5).
|
.IR strongswan.conf (5).
|
||||||
|
|
||||||
.SH IKEv2 EXPIRY/REKEY
|
.SH SA EXPIRY/REKEY
|
||||||
The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
|
The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
|
||||||
after a specific amount of time. For IPsec SAs this can also happen after a
|
after a specific amount of time. For IPsec SAs this can also happen after a
|
||||||
specified number of transmitted packets or transmitted bytes. The following
|
specified number of transmitted packets or transmitted bytes. The following
|
||||||
|
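Review bot: renaming the section to SA EXPIRY/REKEY widens its scope to IKEv1, but the body still only says "The IKE SAs and IPsec SAs negotiated by the daemon"; state in that first sentence that the expiry and rekey parameters described here apply to both IKE versions, or call out any IKEv1 difference explicitly, so the reader does not have to infer the scope from the removed IKEv2 qualifier in the title.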
@ -1383,7 +1124,7 @@ time equals zero and, thus, rekeying gets disabled.
|
||||||
/etc/ipsec.d/crls
|
/etc/ipsec.d/crls
|
||||||
|
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)
|
strongswan.conf(5), ipsec.secrets(5), ipsec(8)
|
||||||
.SH HISTORY
|
.SH HISTORY
|
||||||
Originally written for the FreeS/WAN project by Henry Spencer.
|
Originally written for the FreeS/WAN project by Henry Spencer.
|
||||||
Updated and extended for the strongSwan project <http://www.strongswan.org> by
|
Updated and extended for the strongSwan project <http://www.strongswan.org> by
|
||||||
|