update ipsec.conf man page
This commit is contained in:
parent
c4c916f90a
commit
7900ab1b7a
|
@ -1,4 +1,4 @@
|
||||||
.TH IPSEC.CONF 5 "20 Jan 2006"
|
.TH IPSEC.CONF 5 "27 Jun 2007"
|
||||||
.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $
|
.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $
|
||||||
.SH NAME
|
.SH NAME
|
||||||
ipsec.conf \- IPsec configuration and connections
|
ipsec.conf \- IPsec configuration and connections
|
||||||
|
@ -143,7 +143,7 @@ section specifies general configuration information for IPsec, a
|
||||||
.B conn
|
.B conn
|
||||||
section specifies an IPsec connection, while a
|
section specifies an IPsec connection, while a
|
||||||
.B ca
|
.B ca
|
||||||
section specifies special properties a certification authority.
|
section specifies special properties of a certification authority.
|
||||||
.SH "CONN SECTIONS"
|
.SH "CONN SECTIONS"
|
||||||
A
|
A
|
||||||
.B conn
|
.B conn
|
||||||
|
@ -158,13 +158,12 @@ Here's a simple example:
|
||||||
.ft B
|
.ft B
|
||||||
.ta 1c
|
.ta 1c
|
||||||
conn snt
|
conn snt
|
||||||
left=10.11.11.1
|
left=192.168.0.1
|
||||||
leftsubnet=10.0.1.0/24
|
leftsubnet=10.1.0.0/16
|
||||||
leftnexthop=172.16.55.66
|
right=192.168.0.2
|
||||||
right=192.168.22.1
|
rightsubnet=10.1.0.0/16
|
||||||
rightsubnet=10.0.2.0/24
|
|
||||||
rightnexthop=172.16.88.99
|
|
||||||
keyingtries=%forever
|
keyingtries=%forever
|
||||||
|
auto=add
|
||||||
.ft
|
.ft
|
||||||
.fi
|
.fi
|
||||||
.PP
|
.PP
|
||||||
|
@ -172,7 +171,7 @@ A note on terminology: There are two kinds of communications going on:
|
||||||
transmission of user IP packets, and gateway-to-gateway negotiations for
|
transmission of user IP packets, and gateway-to-gateway negotiations for
|
||||||
keying, rekeying, and general control.
|
keying, rekeying, and general control.
|
||||||
The path to control the connection is called 'ISAKMP SA' in IKEv1 and
|
The path to control the connection is called 'ISAKMP SA' in IKEv1 and
|
||||||
'IKE SA' in the IKEv2 protocol. That what is beeing negotiated, the kernel
|
'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
|
||||||
level data path, is called 'IPsec SA'.
|
level data path, is called 'IPsec SA'.
|
||||||
strongSwan currently uses two separate keying daemons. Pluto handles
|
strongSwan currently uses two separate keying daemons. Pluto handles
|
||||||
all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol.
|
all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol.
|
||||||
|
@ -244,23 +243,13 @@ connection types.
|
||||||
(required)
|
(required)
|
||||||
the IP address of the left participant's public-network interface,
|
the IP address of the left participant's public-network interface,
|
||||||
in any form accepted by
|
in any form accepted by
|
||||||
.IR ipsec_ttoaddr (3)
|
.IR ttoaddr (3)
|
||||||
or one of several magic values.
|
or one of several magic values.
|
||||||
If it is
|
If it is
|
||||||
.BR %defaultroute ,
|
.BR %defaultroute ,
|
||||||
and
|
|
||||||
the
|
|
||||||
.B config
|
|
||||||
.B setup
|
|
||||||
section's,
|
|
||||||
.B interfaces
|
|
||||||
specification contains
|
|
||||||
.BR %defaultroute,
|
|
||||||
.B left
|
.B left
|
||||||
will be filled in automatically with the local address
|
will be filled in automatically with the local address
|
||||||
of the default-route interface (as determined at IPsec startup time);
|
of the default-route interface (as determined at IPsec startup time).
|
||||||
this also overrides any value supplied for
|
|
||||||
.BR leftnexthop .
|
|
||||||
(Either
|
(Either
|
||||||
.B left
|
.B left
|
||||||
or
|
or
|
||||||
|
@ -271,50 +260,44 @@ but not both.)
|
||||||
The value
|
The value
|
||||||
.B %any
|
.B %any
|
||||||
signifies an address to be filled in (by automatic keying) during
|
signifies an address to be filled in (by automatic keying) during
|
||||||
negotiation.
|
negotiation. The prefix
|
||||||
|
.B %
|
||||||
|
in front of a fully-qualified domain name or an IP address will implicitly set
|
||||||
|
.B leftallowany=yes.
|
||||||
|
If the domain name cannot be resolved into an IP address at IPsec startup or update time
|
||||||
|
then
|
||||||
|
.B left=%any
|
||||||
|
and
|
||||||
|
.B leftallowany=no
|
||||||
|
will be assumed.
|
||||||
|
.TP
|
||||||
|
.B leftallowany
|
||||||
|
a modifier for
|
||||||
|
.B left
|
||||||
|
, making it behave as
|
||||||
|
.B %any
|
||||||
|
although a concrete IP address has been assigned.
|
||||||
|
Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or
|
||||||
|
update time.
|
||||||
|
Acceptable values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
.TP
|
.TP
|
||||||
.B leftsubnet
|
.B leftsubnet
|
||||||
private subnet behind the left participant, expressed as
|
private subnet behind the left participant, expressed as
|
||||||
\fInetwork\fB/\fInetmask\fR
|
\fInetwork\fB/\fInetmask\fR
|
||||||
(actually, any form acceptable to
|
(actually, any form acceptable to
|
||||||
.IR ipsec_ttosubnet (3));
|
.IR ttosubnet (3));
|
||||||
if omitted, essentially assumed to be \fIleft\fB/32\fR,
|
if omitted, essentially assumed to be \fIleft\fB/32\fR,
|
||||||
signifying that the left end of the connection goes to the left participant
|
signifying that the left end of the connection goes to the left participant
|
||||||
only. When using IKEv2, the configured subnet of the peers may differ, the
|
only. When using IKEv2, the configured subnet of the peers may differ, the
|
||||||
protocol narrows it to the greates common subnet.
|
protocol narrows it to the greates common subnet.
|
||||||
.TP
|
.TP
|
||||||
.B leftnexthop
|
.B leftnexthop
|
||||||
next-hop gateway IP address for the left participant's connection
|
this parameter is not needed any more because the NETKEY IPsec stack does
|
||||||
to the public network;
|
not require explicit routing entries for the traffic to be tunneled.
|
||||||
defaults to
|
|
||||||
.B %direct
|
|
||||||
(meaning
|
|
||||||
.IR right ).
|
|
||||||
If the value is to be overridden by the
|
|
||||||
.B left=%defaultroute
|
|
||||||
method (see above),
|
|
||||||
an explicit value must
|
|
||||||
.I not
|
|
||||||
be given.
|
|
||||||
If that method is not being used,
|
|
||||||
but
|
|
||||||
.B leftnexthop
|
|
||||||
is
|
|
||||||
.BR %defaultroute ,
|
|
||||||
and
|
|
||||||
.B interfaces=%defaultroute
|
|
||||||
is used in the
|
|
||||||
.B config
|
|
||||||
.B setup
|
|
||||||
section,
|
|
||||||
the next-hop gateway address of the default-route interface
|
|
||||||
will be used.
|
|
||||||
The magic value
|
|
||||||
.B %direct
|
|
||||||
signifies a value to be filled in (by automatic keying)
|
|
||||||
with the peer's address.
|
|
||||||
Relevant only locally, other end need not agree on it. Currently not supported
|
|
||||||
in IKEv2.
|
|
||||||
.TP
|
.TP
|
||||||
.B leftupdown
|
.B leftupdown
|
||||||
what ``updown'' script to run to adjust routing and/or firewalling
|
what ``updown'' script to run to adjust routing and/or firewalling
|
||||||
|
@ -325,7 +308,7 @@ May include positional parameters separated by white space
|
||||||
(although this requires enclosing the whole string in quotes);
|
(although this requires enclosing the whole string in quotes);
|
||||||
including shell metacharacters is unwise.
|
including shell metacharacters is unwise.
|
||||||
See
|
See
|
||||||
.IR ipsec_pluto (8)
|
.IR pluto (8)
|
||||||
for details.
|
for details.
|
||||||
Relevant only locally, other end need not agree on it. IKEv2 uses the updown
|
Relevant only locally, other end need not agree on it. IKEv2 uses the updown
|
||||||
script to insert firewall rules only. Routing is not support and will be
|
script to insert firewall rules only. Routing is not support and will be
|
||||||
|
@ -333,13 +316,14 @@ implemented directly into Charon.
|
||||||
.TP
|
.TP
|
||||||
.B leftfirewall
|
.B leftfirewall
|
||||||
whether the left participant is doing forwarding-firewalling
|
whether the left participant is doing forwarding-firewalling
|
||||||
(including masquerading) for traffic from \fIleftsubnet\fR,
|
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
|
||||||
which should be turned off (for traffic to the other subnet)
|
which should be turned off (for traffic to the other subnet)
|
||||||
once the connection is established;
|
once the connection is established;
|
||||||
acceptable values are
|
acceptable values are
|
||||||
.B yes
|
.B yes
|
||||||
and (the default)
|
and
|
||||||
.BR no .
|
.B no
|
||||||
|
(the default).
|
||||||
May not be used in the same connection description with
|
May not be used in the same connection description with
|
||||||
.BR leftupdown .
|
.BR leftupdown .
|
||||||
Implemented as a parameter to the default
|
Implemented as a parameter to the default
|
||||||
|
@ -358,7 +342,7 @@ distinct, non-overlapping subnet address blocks.)
|
||||||
This is done by the default
|
This is done by the default
|
||||||
.I updown
|
.I updown
|
||||||
script (see
|
script (see
|
||||||
.IR ipsec_pluto (8)).
|
.IR pluto (8)).
|
||||||
|
|
||||||
In situations calling for more control,
|
In situations calling for more control,
|
||||||
it may be preferable for the user to supply his own
|
it may be preferable for the user to supply his own
|
||||||
|
@ -409,6 +393,8 @@ The IKEv2 daemon currently supports only ESP.
|
||||||
how the two security gateways should authenticate each other;
|
how the two security gateways should authenticate each other;
|
||||||
acceptable values are
|
acceptable values are
|
||||||
.B secret
|
.B secret
|
||||||
|
or
|
||||||
|
.B psk
|
||||||
for shared secrets,
|
for shared secrets,
|
||||||
.B rsasig
|
.B rsasig
|
||||||
for RSA digital signatures (the default),
|
for RSA digital signatures (the default),
|
||||||
|
@ -417,13 +403,31 @@ for either, and
|
||||||
.B never
|
.B never
|
||||||
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
|
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
|
||||||
Digital signatures are superior in every way to shared secrets. In IKEv2, the
|
Digital signatures are superior in every way to shared secrets. In IKEv2, the
|
||||||
two ends must not agree on this parameter, it is relevant for the own
|
two ends must not agree on this parameter, it is relevant for the
|
||||||
authentication method only. IKEv2 additionally supports the value
|
outbound authentication method only.
|
||||||
|
IKEv1 additionally supports the values
|
||||||
|
.B xauthpsk
|
||||||
|
and
|
||||||
|
.B xauthrsasig
|
||||||
|
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
|
||||||
|
based on shared secrets or digital RSA signatures, respectively.
|
||||||
|
IKEv2 additionally supports the value
|
||||||
.B eap,
|
.B eap,
|
||||||
which indicates an initiator to request EAP authentication. The EAP method to
|
which indicates an initiator to request EAP authentication. The EAP method to
|
||||||
use is selected by the server (see
|
use is selected by the server (see
|
||||||
.B eap).
|
.B eap).
|
||||||
.TP
|
.TP
|
||||||
|
.B xauth
|
||||||
|
specifies the role in the XAUTH protocol if activated by
|
||||||
|
.B authby=xauthpsk
|
||||||
|
or
|
||||||
|
.B authby=xauthrsasig.
|
||||||
|
Accepted values are
|
||||||
|
.B server
|
||||||
|
and
|
||||||
|
.B client
|
||||||
|
(the default).
|
||||||
|
.TP
|
||||||
.B compress
|
.B compress
|
||||||
whether IPComp compression of content is proposed on the connection
|
whether IPComp compression of content is proposed on the connection
|
||||||
(link-level compression does not work on encrypted data,
|
(link-level compression does not work on encrypted data,
|
||||||
|
@ -447,24 +451,26 @@ controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
|
||||||
R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
|
R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
|
||||||
are periodically sent in order to check the
|
are periodically sent in order to check the
|
||||||
liveliness of the IPsec peer. The values
|
liveliness of the IPsec peer. The values
|
||||||
.B clear
|
.BR clear ,
|
||||||
and
|
.BR hold ,
|
||||||
.B hold
|
and
|
||||||
both activate DPD. If no activity is detected, all connections with a dead peer
|
.B restart
|
||||||
|
all activate DPD. If no activity is detected, all connections with a dead peer
|
||||||
are stopped and unrouted (
|
are stopped and unrouted (
|
||||||
.B clear
|
.B clear
|
||||||
) or put in the hold state (
|
), put in the hold state (
|
||||||
.B hold
|
.B hold
|
||||||
). For
|
) or restarted (
|
||||||
.B IKEv1
|
.B restart
|
||||||
, the default is
|
).
|
||||||
|
For IKEv1, the default is
|
||||||
.B none
|
.B none
|
||||||
which disables the active sending of R_U_THERE notifications.
|
which disables the active sending of R_U_THERE notifications.
|
||||||
Nevertheless pluto will always send the DPD Vendor ID during connection set up
|
Nevertheless pluto will always send the DPD Vendor ID during connection set up
|
||||||
in order to signal the readiness to act passively as a responder if the peer
|
in order to signal the readiness to act passively as a responder if the peer
|
||||||
wants to use DPD. For
|
wants to use DPD. For IKEv2,
|
||||||
.B IKEv2, none
|
.B none
|
||||||
does't make sense, as all messages are used to detect dead peers. If specified,
|
does't make sense, since all messages are used to detect dead peers. If specified,
|
||||||
it has the same meaning as the default (
|
it has the same meaning as the default (
|
||||||
.B clear
|
.B clear
|
||||||
).
|
).
|
||||||
|
@ -481,17 +487,6 @@ defines the timeout interval, after which all connections to a peer are deleted
|
||||||
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
|
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
|
||||||
retransmission timeout applies, as every exchange is used to detect dead peers.
|
retransmission timeout applies, as every exchange is used to detect dead peers.
|
||||||
.TP
|
.TP
|
||||||
.B failureshunt
|
|
||||||
what to do with packets when negotiation fails.
|
|
||||||
The default is
|
|
||||||
.BR none :
|
|
||||||
no shunt;
|
|
||||||
.BR passthrough ,
|
|
||||||
.BR drop ,
|
|
||||||
and
|
|
||||||
.B reject
|
|
||||||
have the obvious meanings. Has no effect in IKEv2 yet.
|
|
||||||
.TP
|
|
||||||
.B ikelifetime
|
.B ikelifetime
|
||||||
how long the keying channel of a connection ('ISAKMP/IKE SA')
|
how long the keying channel of a connection ('ISAKMP/IKE SA')
|
||||||
should last before being renegotiated.
|
should last before being renegotiated.
|
||||||
|
@ -553,8 +548,7 @@ to the root certification authority.
|
||||||
.B leftcert
|
.B leftcert
|
||||||
the path to the left participant's X.509 certificate. The file can be coded either in
|
the path to the left participant's X.509 certificate. The file can be coded either in
|
||||||
PEM or DER format. OpenPGP certificates are supported as well.
|
PEM or DER format. OpenPGP certificates are supported as well.
|
||||||
Both absolute paths or paths relative to
|
Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
|
||||||
.B /etc/ipsec.d/certs
|
|
||||||
are accepted. By default
|
are accepted. By default
|
||||||
.B leftcert
|
.B leftcert
|
||||||
sets
|
sets
|
||||||
|
@ -566,6 +560,40 @@ The left participant's ID can be overriden by specifying a
|
||||||
.B leftid
|
.B leftid
|
||||||
value which must be certified by the certificate, though.
|
value which must be certified by the certificate, though.
|
||||||
.TP
|
.TP
|
||||||
|
.B leftsendcert
|
||||||
|
Accepted values are
|
||||||
|
.B never
|
||||||
|
or
|
||||||
|
.BR no ,
|
||||||
|
.B always
|
||||||
|
or
|
||||||
|
.BR yes ,
|
||||||
|
and
|
||||||
|
.BR ifasked .
|
||||||
|
.TP
|
||||||
|
.B leftrsasigkey
|
||||||
|
the left participant's
|
||||||
|
public key for RSA signature authentication,
|
||||||
|
in RFC 2537 format using
|
||||||
|
.IR ttodata (3)
|
||||||
|
encoding.
|
||||||
|
The magic value
|
||||||
|
.B %none
|
||||||
|
means the same as not specifying a value (useful to override a default).
|
||||||
|
The value
|
||||||
|
.B %cert
|
||||||
|
(the default)
|
||||||
|
means that the key is extracted from a certificate.
|
||||||
|
The identity used for the left participant
|
||||||
|
must be a specific host, not
|
||||||
|
.B %any
|
||||||
|
or another magic value.
|
||||||
|
.B Caution:
|
||||||
|
if two connection descriptions
|
||||||
|
specify different public keys for the same
|
||||||
|
.BR leftid ,
|
||||||
|
confusion and madness will ensue.
|
||||||
|
.TP
|
||||||
.B leftgroups
|
.B leftgroups
|
||||||
a comma separated list of group names. If the
|
a comma separated list of group names. If the
|
||||||
.B leftgroups
|
.B leftgroups
|
||||||
|
@ -582,24 +610,20 @@ should be identified for authentication;
|
||||||
defaults to
|
defaults to
|
||||||
.BR left .
|
.BR left .
|
||||||
Can be an IP address (in any
|
Can be an IP address (in any
|
||||||
.IR ipsec_ttoaddr (3)
|
.IR ttoaddr (3)
|
||||||
syntax)
|
syntax)
|
||||||
or a fully-qualified domain name preceded by
|
or a fully-qualified domain name preceded by
|
||||||
.B @
|
.B @
|
||||||
(which is used as a literal string and not resolved).
|
(which is used as a literal string and not resolved).
|
||||||
The magic value
|
|
||||||
.B %myid
|
|
||||||
stands for the current setting of \fImyid\fP.
|
|
||||||
This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
|
|
||||||
it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
|
|
||||||
it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
|
|
||||||
.TP
|
.TP
|
||||||
.B leftsourceip
|
.B leftsourceip
|
||||||
The internal source IP to use in a tunnel, also known as virtual IP. If the
|
The internal source IP to use in a tunnel, also known as virtual IP. If the
|
||||||
value is
|
value is
|
||||||
.B %modeconfig
|
.BR %modeconfig ,
|
||||||
|
.BR %modecfg ,
|
||||||
|
.BR %config ,
|
||||||
or
|
or
|
||||||
.B %config,
|
.B %cfg,
|
||||||
an address is requested from the peer. In IKEv2, a defined address is requested,
|
an address is requested from the peer. In IKEv2, a defined address is requested,
|
||||||
but the server may change it. If the server does not support it, the address
|
but the server may change it. If the server does not support it, the address
|
||||||
is enforced.
|
is enforced.
|
||||||
|
@ -611,7 +635,20 @@ value is
|
||||||
on the responder side, the initiator must propose a address which is then echoed
|
on the responder side, the initiator must propose a address which is then echoed
|
||||||
back.
|
back.
|
||||||
.TP
|
.TP
|
||||||
|
.B modeconfig
|
||||||
|
defines which mode is used to assign a virtual IP.
|
||||||
|
Accepted values are
|
||||||
|
.B push
|
||||||
|
and
|
||||||
|
.B pull
|
||||||
|
(the default).
|
||||||
|
Currently relevant for IKEv1 only since IKEv2 always uses the configuration
|
||||||
|
payload in pull mode.
|
||||||
|
.TP
|
||||||
.B leftsubnetwithin
|
.B leftsubnetwithin
|
||||||
|
the peer can propose any subnet or single IP address that fits within the
|
||||||
|
range defined by
|
||||||
|
.BR leftsubnetwithin .
|
||||||
Not relevant for IKEv2, as subnets are narrowed.
|
Not relevant for IKEv2, as subnets are narrowed.
|
||||||
.TP
|
.TP
|
||||||
.B pfs
|
.B pfs
|
||||||
|
@ -623,9 +660,11 @@ acceptable values are
|
||||||
.B yes
|
.B yes
|
||||||
(the default)
|
(the default)
|
||||||
and
|
and
|
||||||
.BR no
|
.BR no.
|
||||||
. IKEv2 always uses PFS for IKE_SA rekeying. PFS for rekeying IPsec SAs is
|
IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
|
||||||
currently not supported.
|
PFS is enforced by defining a Diffie-Hellman modp group in the
|
||||||
|
.B esp
|
||||||
|
parameter.
|
||||||
.TP
|
.TP
|
||||||
.B rekey
|
.B rekey
|
||||||
whether a connection should be renegotiated when it is about to expire;
|
whether a connection should be renegotiated when it is about to expire;
|
||||||
|
@ -634,8 +673,7 @@ acceptable values are
|
||||||
(the default)
|
(the default)
|
||||||
and
|
and
|
||||||
.BR no .
|
.BR no .
|
||||||
The two ends need not agree,
|
The two ends need not agree, but while a value of
|
||||||
but while a value of
|
|
||||||
.B no
|
.B no
|
||||||
prevents Pluto/Charon from requesting renegotiation,
|
prevents Pluto/Charon from requesting renegotiation,
|
||||||
it does not prevent responding to renegotiation requested from the other end,
|
it does not prevent responding to renegotiation requested from the other end,
|
||||||
|
@ -661,7 +699,7 @@ acceptable values are an integer,
|
||||||
which may exceed 100,
|
which may exceed 100,
|
||||||
followed by a `%'
|
followed by a `%'
|
||||||
(default set by
|
(default set by
|
||||||
.IR ipsec_pluto (8),
|
.IR pluto (8),
|
||||||
currently
|
currently
|
||||||
.BR 100% ).
|
.BR 100% ).
|
||||||
The value of
|
The value of
|
||||||
|
@ -721,14 +759,25 @@ defines a path to the CA certificate either relative to
|
||||||
.B crluri
|
.B crluri
|
||||||
defines a CRL distribution point (ldap, http, or file URI)
|
defines a CRL distribution point (ldap, http, or file URI)
|
||||||
.TP
|
.TP
|
||||||
|
.B crluri1
|
||||||
|
synonym for
|
||||||
|
.B crluri.
|
||||||
|
.TP
|
||||||
.B crluri2
|
.B crluri2
|
||||||
defines an alternative CRL distribution point (ldap, http, or file URI)
|
defines an alternative CRL distribution point (ldap, http, or file URI)
|
||||||
.TP
|
.TP
|
||||||
.B ldaphost
|
.B ldaphost
|
||||||
defines an ldap host.
|
defines an ldap host. Currently used by IKEv1 only.
|
||||||
.TP
|
.TP
|
||||||
.B ocspuri
|
.B ocspuri
|
||||||
defines an OCSP URI.
|
defines an OCSP URI.
|
||||||
|
.TP
|
||||||
|
.B ocspuri1
|
||||||
|
synonym for
|
||||||
|
.B ocspuri.
|
||||||
|
.TP
|
||||||
|
.B ocspuri2
|
||||||
|
defines an alternative OCSP URI. Currently used by IKEv2 only.
|
||||||
.SH "CONFIG SECTIONS"
|
.SH "CONFIG SECTIONS"
|
||||||
At present, the only
|
At present, the only
|
||||||
.B config
|
.B config
|
||||||
|
@ -736,7 +785,7 @@ section known to the IPsec software is the one named
|
||||||
.BR setup ,
|
.BR setup ,
|
||||||
which contains information used when the software is being started
|
which contains information used when the software is being started
|
||||||
(see
|
(see
|
||||||
.IR ipsec_setup (8)).
|
.IR starter (8)).
|
||||||
Here's an example:
|
Here's an example:
|
||||||
.PP
|
.PP
|
||||||
.ne 8
|
.ne 8
|
||||||
|
@ -744,10 +793,9 @@ Here's an example:
|
||||||
.ft B
|
.ft B
|
||||||
.ta 1c
|
.ta 1c
|
||||||
config setup
|
config setup
|
||||||
interfaces="ipsec0=eth1 ipsec1=ppp0"
|
|
||||||
klipsdebug=none
|
|
||||||
plutodebug=all
|
plutodebug=all
|
||||||
manualstart=
|
crlcheckinterval=10m
|
||||||
|
strictcrlpolicy=yes
|
||||||
.ft
|
.ft
|
||||||
.fi
|
.fi
|
||||||
.PP
|
.PP
|
||||||
|
@ -759,18 +807,6 @@ names in a
|
||||||
.B setup
|
.B setup
|
||||||
section are:
|
section are:
|
||||||
.TP 14
|
.TP 14
|
||||||
.B myid
|
|
||||||
the identity to be used for
|
|
||||||
.BR %myid .
|
|
||||||
.B %myid
|
|
||||||
is used in the implicit policy group conns and can be used as
|
|
||||||
an identity in explicit conns.
|
|
||||||
If unspecified,
|
|
||||||
.B %myid
|
|
||||||
is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
|
|
||||||
the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
|
|
||||||
An explicit value generally starts with ``\fB@\fP''.
|
|
||||||
.TP
|
|
||||||
.B interfaces
|
.B interfaces
|
||||||
virtual and physical interfaces for IPsec to use:
|
virtual and physical interfaces for IPsec to use:
|
||||||
a single
|
a single
|
||||||
|
@ -785,52 +821,43 @@ and then act as if the value was ``\fBipsec0=\fId\fR''.
|
||||||
is the default;
|
is the default;
|
||||||
.B %none
|
.B %none
|
||||||
must be used to denote no interfaces.
|
must be used to denote no interfaces.
|
||||||
If
|
(This parameter is used with the KLIPS IPsec stack only.)
|
||||||
.B %defaultroute
|
|
||||||
is used (implicitly or explicitly)
|
|
||||||
information about the default route and its interface is noted for
|
|
||||||
use by
|
|
||||||
.IR ipsec_manual (8)
|
|
||||||
and
|
|
||||||
.IR ipsec_auto (8).)
|
|
||||||
.TP
|
.TP
|
||||||
.B forwardcontrol
|
.B dumpdir
|
||||||
whether
|
in what directory should things started by
|
||||||
.I setup
|
.I setup
|
||||||
should turn IP forwarding on
|
(notably the Pluto daemon) be allowed to
|
||||||
(if it's not already on) as IPsec is started,
|
dump core?
|
||||||
and turn it off again (if it was off) as IPsec is stopped;
|
The empty value (the default) means they are not
|
||||||
acceptable values are
|
allowed to.
|
||||||
|
This feature is currently not supported by the ipsec starter.
|
||||||
|
.TP
|
||||||
|
.B charonstart
|
||||||
|
whether to start the IKEv2 daemon Charon or not.
|
||||||
|
Accepted values are
|
||||||
.B yes
|
.B yes
|
||||||
and (the default)
|
(the default)
|
||||||
|
or
|
||||||
.BR no .
|
.BR no .
|
||||||
For this to have full effect, forwarding must be
|
|
||||||
disabled before the hardware interfaces are brought
|
|
||||||
up (e.g.,
|
|
||||||
.B "net.ipv4.ip_forward\ =\ 0"
|
|
||||||
in Red Hat 6.x
|
|
||||||
.IR /etc/sysctl.conf ),
|
|
||||||
because IPsec doesn't get control early enough to do that.
|
|
||||||
.TP
|
.TP
|
||||||
.B rp_filter
|
.B charondebug
|
||||||
whether and how
|
how much Charon debugging output should be logged.
|
||||||
.I setup
|
A comma separated list containing type level/pairs may
|
||||||
should adjust the reverse path filtering mechanism for the
|
be specified, e.g:
|
||||||
physical devices to be used.
|
.B dmn 3, ike 1, net -1.
|
||||||
Values are \fB%unchanged\fP (to leave it alone)
|
Acceptable values for types are
|
||||||
or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to).
|
.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
|
||||||
\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP
|
and the level is one of
|
||||||
is badly documented; it must be \fB0\fP in many cases
|
.B -1, 0, 1, 2, 3, 4
|
||||||
for ipsec to function.
|
(for silent, audit, control, controlmore, raw, private).
|
||||||
The default value for the parameter is \fB0\fP.
|
|
||||||
.TP
|
.TP
|
||||||
.B syslog
|
.B plutostart
|
||||||
the
|
whether to start the IKEv1 daemon Pluto or not.
|
||||||
.IR syslog (2)
|
Accepted values are
|
||||||
``facility'' name and priority to use for
|
.B yes
|
||||||
startup/shutdown log messages,
|
(the default)
|
||||||
default
|
or
|
||||||
.BR daemon.error .
|
.BR no .
|
||||||
.TP
|
.TP
|
||||||
.B plutodebug
|
.B plutodebug
|
||||||
how much Pluto debugging output should be logged.
|
how much Pluto debugging output should be logged.
|
||||||
|
@ -847,53 +874,7 @@ Otherwise only the specified types of output
|
||||||
prefix,
|
prefix,
|
||||||
separated by white space) are enabled;
|
separated by white space) are enabled;
|
||||||
for details on available debugging types, see
|
for details on available debugging types, see
|
||||||
.IR ipsec_pluto (8).
|
.IR pluto (8).
|
||||||
.TP
|
|
||||||
.B charondebug
|
|
||||||
how much Charon debugging output should be logged.
|
|
||||||
A comma separated list containing type level/pairs may
|
|
||||||
be specified, e.g:
|
|
||||||
.B dmn 3, ike 1, net -1.
|
|
||||||
Acceptable values for types are
|
|
||||||
.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
|
|
||||||
and the level is one of
|
|
||||||
.B -1, 0, 1, 2, 3, 4
|
|
||||||
(for silent, audit, control, controlmore, raw, private)
|
|
||||||
.TP
|
|
||||||
.B plutoopts
|
|
||||||
additional options to pass to pluto upon startup. See
|
|
||||||
.IR ipsec_pluto (8).
|
|
||||||
.TP
|
|
||||||
.B plutostderrlog
|
|
||||||
do not use syslog, but rather log to stderr, and direct stderr to the
|
|
||||||
argument file.
|
|
||||||
.TP
|
|
||||||
.B dumpdir
|
|
||||||
in what directory should things started by
|
|
||||||
.I setup
|
|
||||||
(notably the Pluto daemon) be allowed to
|
|
||||||
dump core?
|
|
||||||
The empty value (the default) means they are not
|
|
||||||
allowed to.
|
|
||||||
.TP
|
|
||||||
.B pluto
|
|
||||||
whether to start Pluto or not;
|
|
||||||
Values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
or
|
|
||||||
.B no
|
|
||||||
(useful only in special circumstances).
|
|
||||||
.TP
|
|
||||||
.B plutowait
|
|
||||||
should Pluto wait for each
|
|
||||||
negotiation attempt that is part of startup to
|
|
||||||
finish before proceeding with the next?
|
|
||||||
Values are
|
|
||||||
.B yes
|
|
||||||
or
|
|
||||||
.BR no
|
|
||||||
(the default).
|
|
||||||
.TP
|
.TP
|
||||||
.B prepluto
|
.B prepluto
|
||||||
shell command to run before starting Pluto
|
shell command to run before starting Pluto
|
||||||
|
@ -930,6 +911,7 @@ acceptable values are
|
||||||
(the default)
|
(the default)
|
||||||
and
|
and
|
||||||
.BR no .
|
.BR no .
|
||||||
|
(This parameter is used with the KLIPS IPsec stack only.)
|
||||||
.TP
|
.TP
|
||||||
.B hidetos
|
.B hidetos
|
||||||
whether a tunnel packet's TOS field should be set to
|
whether a tunnel packet's TOS field should be set to
|
||||||
|
@ -940,6 +922,7 @@ acceptable values are
|
||||||
(the default)
|
(the default)
|
||||||
and
|
and
|
||||||
.BR no .
|
.BR no .
|
||||||
|
(This parameter is used with the KLIPS IPsec stack only.)
|
||||||
.TP
|
.TP
|
||||||
.B uniqueids
|
.B uniqueids
|
||||||
whether a particular participant ID should be kept unique,
|
whether a particular participant ID should be kept unique,
|
||||||
|
@ -958,18 +941,81 @@ almost invariably intended to replace an old one.
|
||||||
.B overridemtu
|
.B overridemtu
|
||||||
value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
|
value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
|
||||||
overriding IPsec's (large) default.
|
overriding IPsec's (large) default.
|
||||||
This parameter is needed only in special situations.
|
(This parameter is used in special situations with the KLIPS IPsec stack only.)
|
||||||
.TP
|
.TP
|
||||||
.B nat_traversal
|
.B nat_traversal
|
||||||
|
activates NAT traversal by accepting source ISAKMP different from udp/500 and
|
||||||
|
floating to udp/4500 if a NAT situation is detected. Used by IKEv1 only since
|
||||||
|
NAT traversal is always activated with IKEv2.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
|
.TP
|
||||||
|
.B keep_alive
|
||||||
|
interval in seconds between NAT keep alive packets.
|
||||||
|
.TP
|
||||||
|
.B virtual_private
|
||||||
.TP
|
.TP
|
||||||
.B crlcheckinterval
|
.B crlcheckinterval
|
||||||
|
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
||||||
|
Asynchronous periodic checking for fresh CRLs is done by IKEv1 only.
|
||||||
|
.TP
|
||||||
|
.B cachecrls
|
||||||
|
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
|
||||||
|
/etc/ipsec.d/crls under a unique file name derived from the certification
|
||||||
|
authority's public key
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
.TP
|
.TP
|
||||||
.B strictcrlpolicy
|
.B strictcrlpolicy
|
||||||
|
defines if a fresh CRL must be available in order for the peer authentication based
|
||||||
|
on RSA signatures to succeed.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
|
IKEv2 additionally recognizes
|
||||||
|
.B ifuri
|
||||||
|
which reverts to
|
||||||
|
.B yes
|
||||||
|
if at least one CRL URI is defined and to
|
||||||
|
.B no
|
||||||
|
if no URI is known.
|
||||||
|
.TP
|
||||||
|
.B nocrsend
|
||||||
|
no certificate request payloads will be sent.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
|
Used by IKEv1 only.
|
||||||
.TP
|
.TP
|
||||||
.B pkcs11module
|
.B pkcs11module
|
||||||
|
defines the path to a dynamically loadable PKCS #11 library.
|
||||||
.TP
|
.TP
|
||||||
.B pkcs11keepstate
|
.B pkcs11keepstate
|
||||||
|
PKCS #11 login sessions will be kept during the whole lifetime of the keying
|
||||||
|
daemon. Useful with pin-pad smart card readers.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
|
.TP
|
||||||
|
.B pkcs11proxy
|
||||||
|
Pluto will act as a PKCS #11 proxy accessible via the whack interface.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
.SH CHOOSING A CONNECTION
|
.SH CHOOSING A CONNECTION
|
||||||
.PP
|
.PP
|
||||||
When choosing a connection to apply to an outbound packet caught with a
|
When choosing a connection to apply to an outbound packet caught with a
|
||||||
|
@ -988,87 +1034,21 @@ information about the client subnets to complete the instantiation.
|
||||||
.SH FILES
|
.SH FILES
|
||||||
.nf
|
.nf
|
||||||
/etc/ipsec.conf
|
/etc/ipsec.conf
|
||||||
|
/etc/ipsec.d/aacerts
|
||||||
|
/etc/ipsec.d/acerts
|
||||||
/etc/ipsec.d/cacerts
|
/etc/ipsec.d/cacerts
|
||||||
/etc/ipsec.d/certs
|
/etc/ipsec.d/certs
|
||||||
/etc/ipsec.d/crls
|
/etc/ipsec.d/crls
|
||||||
/etc/ipsec.d/aacerts
|
|
||||||
/etc/ipsec.d/acerts
|
|
||||||
|
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8)
|
ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3)
|
||||||
.SH HISTORY
|
.SH HISTORY
|
||||||
Written for the FreeS/WAN project
|
Written for the FreeS/WAN project
|
||||||
<http://www.freeswan.org>
|
<http://www.freeswan.org>
|
||||||
by Henry Spencer. Extended for the strongSwan project
|
by Henry Spencer. Extended for the strongSwan project
|
||||||
<http://www.strongswan.org>
|
<http://www.strongswan.org>
|
||||||
by Andreas Steffen. Updated to respect IKEv2 specific configuration
|
by Andreas Steffen. IKEv2-specific features by Martin Willi.
|
||||||
by Martin Willi.
|
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
.PP
|
||||||
When
|
If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
|
||||||
.B type
|
|
||||||
or
|
|
||||||
.B failureshunt
|
|
||||||
is set to
|
|
||||||
.B drop
|
|
||||||
or
|
|
||||||
.BR reject,
|
|
||||||
strongSwan blocks outbound packets using eroutes, but assumes inbound
|
|
||||||
blocking is handled by the firewall. strongSwan offers firewall hooks
|
|
||||||
via an ``updown'' script. However, the default
|
|
||||||
.B ipsec _updown
|
|
||||||
provides no help in controlling a modern firewall.
|
|
||||||
.PP
|
|
||||||
Including attributes of the keying channel
|
|
||||||
(authentication methods,
|
|
||||||
.BR ikelifetime ,
|
|
||||||
etc.)
|
|
||||||
as an attribute of a connection,
|
|
||||||
rather than of a participant pair, is dubious and incurs limitations.
|
|
||||||
.PP
|
|
||||||
.IR Ipsec_manual
|
|
||||||
is not nearly as generous about the syntax of subnets,
|
|
||||||
addresses, etc. as the usual strongSwan user interfaces.
|
|
||||||
Four-component dotted-decimal must be used for all addresses.
|
|
||||||
It
|
|
||||||
.I is
|
|
||||||
smart enough to translate bit-count netmasks to dotted-decimal form.
|
|
||||||
.PP
|
|
||||||
It would be good to have a line-continuation syntax,
|
|
||||||
especially for the very long lines involved in
|
|
||||||
RSA signature keys.
|
|
||||||
.PP
|
|
||||||
The ability to specify different identities,
|
|
||||||
.BR authby ,
|
|
||||||
and public keys for different automatic-keyed connections
|
|
||||||
between the same participants is misleading;
|
|
||||||
this doesn't work dependably because the identity of the participants
|
|
||||||
is not known early enough.
|
|
||||||
This is especially awkward for the ``Road Warrior'' case,
|
|
||||||
where the remote IP address is specified as
|
|
||||||
.BR 0.0.0.0 ,
|
|
||||||
and that is considered to be the ``participant'' for such connections.
|
|
||||||
.PP
|
|
||||||
In principle it might be necessary to control MTU on an
|
|
||||||
interface-by-interface basis,
|
|
||||||
rather than with the single global override that
|
|
||||||
.B overridemtu
|
|
||||||
provides.
|
|
||||||
.PP
|
|
||||||
A number of features which \fIcould\fR be implemented in
|
|
||||||
both manual and automatic keying
|
|
||||||
actually are not yet implemented for manual keying.
|
|
||||||
This is unlikely to be fixed any time soon.
|
|
||||||
.PP
|
|
||||||
If conns are to be added before DNS is available,
|
|
||||||
\fBleft=\fP\fIFQDN\fP,
|
|
||||||
\fBleftnextop=\fP\fIFQDN\fP,
|
|
||||||
and
|
|
||||||
.B leftrsasigkey=%dnsonload
|
|
||||||
will fail.
|
will fail.
|
||||||
.IR ipsec_pluto (8)
|
|
||||||
does not actually use the public key for our side of a conn but it
|
|
||||||
isn't generally known at a add-time which side is ours (Road Warrior
|
|
||||||
and Opportunistic conns are currently exceptions).
|
|
||||||
.PP
|
|
||||||
The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
|
|
||||||
|
|
Loading…
Reference in New Issue