separated pluto, charon, and klips setup config section parameters
This commit is contained in:
parent
6a39bc4061
commit
e0e7ef070d
|
@ -823,170 +823,43 @@ names in a
|
||||||
.B setup
|
.B setup
|
||||||
section are:
|
section are:
|
||||||
.TP 14
|
.TP 14
|
||||||
.B interfaces
|
.B cachecrls
|
||||||
virtual and physical interfaces for IPsec to use:
|
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
|
||||||
a single
|
\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
|
||||||
\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
|
authority's public key.
|
||||||
by white space, or
|
|
||||||
.BR %none .
|
|
||||||
One of the pairs may be written as
|
|
||||||
.BR %defaultroute ,
|
|
||||||
which means: find the interface \fId\fR that the default route points to,
|
|
||||||
and then act as if the value was ``\fBipsec0=\fId\fR''.
|
|
||||||
.B %defaultroute
|
|
||||||
is the default;
|
|
||||||
.B %none
|
|
||||||
must be used to denote no interfaces.
|
|
||||||
(This parameter is used with the KLIPS IPsec stack only.)
|
|
||||||
.TP
|
|
||||||
.B dumpdir
|
|
||||||
in what directory should things started by
|
|
||||||
.I setup
|
|
||||||
(notably the Pluto daemon) be allowed to
|
|
||||||
dump core?
|
|
||||||
The empty value (the default) means they are not
|
|
||||||
allowed to.
|
|
||||||
This feature is currently not supported by the ipsec starter.
|
|
||||||
.TP
|
|
||||||
.B charonstart
|
|
||||||
whether to start the IKEv2 daemon Charon or not.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
or
|
|
||||||
.BR no .
|
|
||||||
.TP
|
|
||||||
.B charondebug
|
|
||||||
how much Charon debugging output should be logged.
|
|
||||||
A comma separated list containing type level/pairs may
|
|
||||||
be specified, e.g:
|
|
||||||
.B dmn 3, ike 1, net -1.
|
|
||||||
Acceptable values for types are
|
|
||||||
.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
|
|
||||||
and the level is one of
|
|
||||||
.B -1, 0, 1, 2, 3, 4
|
|
||||||
(for silent, audit, control, controlmore, raw, private).
|
|
||||||
.TP
|
|
||||||
.B plutostart
|
|
||||||
whether to start the IKEv1 daemon Pluto or not.
|
|
||||||
Accepted values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
or
|
|
||||||
.BR no .
|
|
||||||
.TP
|
|
||||||
.B plutodebug
|
|
||||||
how much Pluto debugging output should be logged.
|
|
||||||
An empty value,
|
|
||||||
or the magic value
|
|
||||||
.BR none ,
|
|
||||||
means no debugging output (the default).
|
|
||||||
The magic value
|
|
||||||
.B all
|
|
||||||
means full output.
|
|
||||||
Otherwise only the specified types of output
|
|
||||||
(a quoted list, names without the
|
|
||||||
.B \-\-debug\-
|
|
||||||
prefix,
|
|
||||||
separated by white space) are enabled;
|
|
||||||
for details on available debugging types, see
|
|
||||||
.IR pluto (8).
|
|
||||||
.TP
|
|
||||||
.B prepluto
|
|
||||||
shell command to run before starting Pluto
|
|
||||||
(e.g., to decrypt an encrypted copy of the
|
|
||||||
.I ipsec.secrets
|
|
||||||
file).
|
|
||||||
It's run in a very simple way;
|
|
||||||
complexities like I/O redirection are best hidden within a script.
|
|
||||||
Any output is redirected for logging,
|
|
||||||
so running interactive commands is difficult unless they use
|
|
||||||
.I /dev/tty
|
|
||||||
or equivalent for their interaction.
|
|
||||||
Default is none.
|
|
||||||
.TP
|
|
||||||
.B postpluto
|
|
||||||
shell command to run after starting Pluto
|
|
||||||
(e.g., to remove a decrypted copy of the
|
|
||||||
.I ipsec.secrets
|
|
||||||
file).
|
|
||||||
It's run in a very simple way;
|
|
||||||
complexities like I/O redirection are best hidden within a script.
|
|
||||||
Any output is redirected for logging,
|
|
||||||
so running interactive commands is difficult unless they use
|
|
||||||
.I /dev/tty
|
|
||||||
or equivalent for their interaction.
|
|
||||||
Default is none.
|
|
||||||
.TP
|
|
||||||
.B fragicmp
|
|
||||||
whether a tunnel's need to fragment a packet should be reported
|
|
||||||
back with an ICMP message,
|
|
||||||
in an attempt to make the sender lower his PMTU estimate;
|
|
||||||
acceptable values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
and
|
|
||||||
.BR no .
|
|
||||||
(This parameter is used with the KLIPS IPsec stack only.)
|
|
||||||
.TP
|
|
||||||
.B hidetos
|
|
||||||
whether a tunnel packet's TOS field should be set to
|
|
||||||
.B 0
|
|
||||||
rather than copied from the user packet inside;
|
|
||||||
acceptable values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
and
|
|
||||||
.BR no .
|
|
||||||
(This parameter is used with the KLIPS IPsec stack only.)
|
|
||||||
.TP
|
|
||||||
.B uniqueids
|
|
||||||
whether a particular participant ID should be kept unique,
|
|
||||||
with any new (automatically keyed)
|
|
||||||
connection using an ID from a different IP address
|
|
||||||
deemed to replace all old ones using that ID;
|
|
||||||
acceptable values are
|
|
||||||
.B yes
|
|
||||||
(the default)
|
|
||||||
and
|
|
||||||
.BR no .
|
|
||||||
Participant IDs normally \fIare\fR unique,
|
|
||||||
so a new (automatically-keyed) connection using the same ID is
|
|
||||||
almost invariably intended to replace an old one.
|
|
||||||
.TP
|
|
||||||
.B overridemtu
|
|
||||||
value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
|
|
||||||
overriding IPsec's (large) default.
|
|
||||||
(This parameter is used in special situations with the KLIPS IPsec stack only.)
|
|
||||||
.TP
|
|
||||||
.B nat_traversal
|
|
||||||
activates NAT traversal by accepting source ISAKMP different from udp/500 and
|
|
||||||
floating to udp/4500 if a NAT situation is detected. Used by IKEv1 only since
|
|
||||||
NAT traversal is always activated with IKEv2.
|
|
||||||
Accepted values are
|
Accepted values are
|
||||||
.B yes
|
.B yes
|
||||||
and
|
and
|
||||||
.B no
|
.B no
|
||||||
(the default).
|
(the default).
|
||||||
.TP
|
.TP
|
||||||
.B keep_alive
|
.B charonstart
|
||||||
interval in seconds between NAT keep alive packets.
|
whether to start the IKEv2 Charon daemon or not.
|
||||||
.TP
|
Accepted values are
|
||||||
.B virtual_private
|
.B yes
|
||||||
|
(the default)
|
||||||
|
or
|
||||||
|
.BR no .
|
||||||
.TP
|
.TP
|
||||||
.B crlcheckinterval
|
.B crlcheckinterval
|
||||||
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
||||||
Asynchronous periodic checking for fresh CRLs is done by IKEv1 only.
|
Asynchronous, periodic checking for fresh CRLs is currently done by the
|
||||||
|
IKEv1 Pluto daemon only.
|
||||||
.TP
|
.TP
|
||||||
.B cachecrls
|
.B dumpdir
|
||||||
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
|
in what directory should things started by \fBipsec starter\fR
|
||||||
/etc/ipsec.d/crls under a unique file name derived from the certification
|
(notably the Pluto and Charon daemons) be allowed to dump core?
|
||||||
authority's public key
|
The empty value (the default) means they are not
|
||||||
|
allowed to.
|
||||||
|
This feature is currently not yet supported by \fBipsec starter\fR.
|
||||||
|
.TP
|
||||||
|
.B plutostart
|
||||||
|
whether to start the IKEv1 Pluto daemon or not.
|
||||||
Accepted values are
|
Accepted values are
|
||||||
.B yes
|
.B yes
|
||||||
and
|
(the default)
|
||||||
.B no
|
or
|
||||||
(the default).
|
.BR no .
|
||||||
.TP
|
.TP
|
||||||
.B strictcrlpolicy
|
.B strictcrlpolicy
|
||||||
defines if a fresh CRL must be available in order for the peer authentication based
|
defines if a fresh CRL must be available in order for the peer authentication based
|
||||||
|
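Review bot: the dumpdir entry on the new side ("in what directory should things started by ipsec starter (notably the Pluto and Charon daemons) be allowed to dump core?") should say why the empty default is the right one: both daemons hold the private keys and shared secrets read from ipsec.secrets in memory, so a core file written to dumpdir exposes that material to anyone who can read the directory. Suggest a sentence after "allowed to." along the lines of "Core files contain the daemons' loaded keys and secrets; enable this only for debugging on a non-production host." The rest of the hunk is a straight reorder of the common parameters (cachecrls, charonstart, crlcheckinterval, dumpdir, plutostart, strictcrlpolicy) and reads fine.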
@ -1003,7 +876,22 @@ which reverts to
|
||||||
if at least one CRL URI is defined and to
|
if at least one CRL URI is defined and to
|
||||||
.B no
|
.B no
|
||||||
if no URI is known.
|
if no URI is known.
|
||||||
|
.PP
|
||||||
|
The following
|
||||||
|
.B config section
|
||||||
|
parameters are used by the IKEv1 Pluto daemon only:
|
||||||
.TP
|
.TP
|
||||||
|
.B keep_alive
|
||||||
|
interval in seconds between NAT keep alive packets, the default being 20 seconds.
|
||||||
|
.TP
|
||||||
|
.B nat_traversal
|
||||||
|
activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
|
||||||
|
being able of floating to udp/4500 if a NAT situation is detected.
|
||||||
|
Accepted values are
|
||||||
|
.B yes
|
||||||
|
and
|
||||||
|
.B no
|
||||||
|
(the default).
|
||||||
.B nocrsend
|
.B nocrsend
|
||||||
no certificate request payloads will be sent.
|
no certificate request payloads will be sent.
|
||||||
Accepted values are
|
Accepted values are
|
||||||
|
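Review bot: nocrsend loses its .TP in this hunk. The context .TP that used to precede .B nocrsend is now consumed by the inserted .B keep_alive entry, and the inserted block ends with "(the default)." followed directly by the context line .B nocrsend, so nocrsend will render as bold text inside the nat_traversal paragraph instead of as its own tagged entry; insert a .TP after "(the default).". Also, "being able of floating to udp/4500" should read "being able to float to udp/4500".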
@ -1011,7 +899,7 @@ Accepted values are
|
||||||
and
|
and
|
||||||
.B no
|
.B no
|
||||||
(the default).
|
(the default).
|
||||||
Used by IKEv1 only.
|
Used by IKEv1 only, NAT traversal always being active in IKEv2.
|
||||||
.TP
|
.TP
|
||||||
.B pkcs11module
|
.B pkcs11module
|
||||||
defines the path to a dynamically loadable PKCS #11 library.
|
defines the path to a dynamically loadable PKCS #11 library.
|
||||||
|
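Review bot: the new sentence "Used by IKEv1 only, NAT traversal always being active in IKEv2." sits in the nocrsend entry, but its second half is about nat_traversal, which this commit moves one hunk earlier under the heading "parameters are used by the IKEv1 Pluto daemon only"; read here it implies nocrsend has something to do with NAT traversal. Since that heading already marks every entry in the section as IKEv1-only, drop the sentence from nocrsend (or move the NAT-T remark into the nat_traversal entry, where the old text had it).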
@ -1032,6 +920,125 @@ Accepted values are
|
||||||
and
|
and
|
||||||
.B no
|
.B no
|
||||||
(the default).
|
(the default).
|
||||||
|
.TP
|
||||||
|
.B plutodebug
|
||||||
|
how much Pluto debugging output should be logged.
|
||||||
|
An empty value,
|
||||||
|
or the magic value
|
||||||
|
.BR none ,
|
||||||
|
means no debugging output (the default).
|
||||||
|
The magic value
|
||||||
|
.B all
|
||||||
|
means full output.
|
||||||
|
Otherwise only the specified types of output
|
||||||
|
(a quoted list, names without the
|
||||||
|
.B \-\-debug\-
|
||||||
|
prefix,
|
||||||
|
separated by white space) are enabled;
|
||||||
|
for details on available debugging types, see
|
||||||
|
.IR pluto (8).
|
||||||
|
.TP
|
||||||
|
.B postpluto
|
||||||
|
shell command to run after starting Pluto
|
||||||
|
(e.g., to remove a decrypted copy of the
|
||||||
|
.I ipsec.secrets
|
||||||
|
file).
|
||||||
|
It's run in a very simple way;
|
||||||
|
complexities like I/O redirection are best hidden within a script.
|
||||||
|
Any output is redirected for logging,
|
||||||
|
so running interactive commands is difficult unless they use
|
||||||
|
.I /dev/tty
|
||||||
|
or equivalent for their interaction.
|
||||||
|
Default is none.
|
||||||
|
.TP
|
||||||
|
.B prepluto
|
||||||
|
shell command to run before starting Pluto
|
||||||
|
(e.g., to decrypt an encrypted copy of the
|
||||||
|
.I ipsec.secrets
|
||||||
|
file).
|
||||||
|
It's run in a very simple way;
|
||||||
|
complexities like I/O redirection are best hidden within a script.
|
||||||
|
Any output is redirected for logging,
|
||||||
|
so running interactive commands is difficult unless they use
|
||||||
|
.I /dev/tty
|
||||||
|
or equivalent for their interaction.
|
||||||
|
Default is none.
|
||||||
|
.TP
|
||||||
|
.B virtual_private
|
||||||
|
defines private networks using a wildcard notation.
|
||||||
|
.TP
|
||||||
|
.B uniqueids
|
||||||
|
whether a particular participant ID should be kept unique,
|
||||||
|
with any new (automatically keyed)
|
||||||
|
connection using an ID from a different IP address
|
||||||
|
deemed to replace all old ones using that ID;
|
||||||
|
acceptable values are
|
||||||
|
.B yes
|
||||||
|
(the default)
|
||||||
|
and
|
||||||
|
.BR no .
|
||||||
|
Participant IDs normally \fIare\fR unique,
|
||||||
|
so a new (automatically-keyed) connection using the same ID is
|
||||||
|
almost invariably intended to replace an old one.
|
||||||
|
.PP
|
||||||
|
The following
|
||||||
|
.B config section
|
||||||
|
parameters are used by the IKEv2 Charon daemon only:
|
||||||
|
.TP
|
||||||
|
.B charondebug
|
||||||
|
how much Charon debugging output should be logged.
|
||||||
|
A comma separated list containing type level/pairs may
|
||||||
|
be specified, e.g:
|
||||||
|
.B dmn 3, ike 1, net -1.
|
||||||
|
Acceptable values for types are
|
||||||
|
.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
|
||||||
|
and the level is one of
|
||||||
|
.B -1, 0, 1, 2, 3, 4
|
||||||
|
(for silent, audit, control, controlmore, raw, private).
|
||||||
|
.PP
|
||||||
|
The following
|
||||||
|
.B config section
|
||||||
|
parameters only make sense if the KLIPS IPsec stack
|
||||||
|
is used instead of the default NETKEY stack of the Linux 2.6 kernel:
|
||||||
|
.TP
|
||||||
|
.B fragicmp
|
||||||
|
whether a tunnel's need to fragment a packet should be reported
|
||||||
|
back with an ICMP message,
|
||||||
|
in an attempt to make the sender lower his PMTU estimate;
|
||||||
|
acceptable values are
|
||||||
|
.B yes
|
||||||
|
(the default)
|
||||||
|
and
|
||||||
|
.BR no .
|
||||||
|
.TP
|
||||||
|
.B hidetos
|
||||||
|
whether a tunnel packet's TOS field should be set to
|
||||||
|
.B 0
|
||||||
|
rather than copied from the user packet inside;
|
||||||
|
acceptable values are
|
||||||
|
.B yes
|
||||||
|
(the default)
|
||||||
|
and
|
||||||
|
.BR no
|
||||||
|
.TP
|
||||||
|
.B interfaces
|
||||||
|
virtual and physical interfaces for IPsec to use:
|
||||||
|
a single
|
||||||
|
\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
|
||||||
|
by white space, or
|
||||||
|
.BR %none .
|
||||||
|
One of the pairs may be written as
|
||||||
|
.BR %defaultroute ,
|
||||||
|
which means: find the interface \fId\fR that the default route points to,
|
||||||
|
and then act as if the value was ``\fBipsec0=\fId\fR''.
|
||||||
|
.B %defaultroute
|
||||||
|
is the default;
|
||||||
|
.B %none
|
||||||
|
must be used to denote no interfaces.
|
||||||
|
.TP
|
||||||
|
.B overridemtu
|
||||||
|
value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
|
||||||
|
overriding IPsec's (large) default.
|
||||||
.SH CHOOSING A CONNECTION
|
.SH CHOOSING A CONNECTION
|
||||||
.PP
|
.PP
|
||||||
When choosing a connection to apply to an outbound packet caught with a
|
When choosing a connection to apply to an outbound packet caught with a
|
||||||
|
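Review bot: the hidetos entry ends with .BR no without the trailing period, whereas the original text and every other yes/no entry in this hunk end with ".BR no ."; restore the period so the sentence closes. Two smaller points in the same hunk: in charondebug, "A comma separated list containing type level/pairs" should read "type/level pairs" (the example "dmn 3, ike 1, net -1" shows the pair order), and "e.g:" should be "e.g.:".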
@ -1059,9 +1066,8 @@ information about the client subnets to complete the instantiation.
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3)
|
ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3)
|
||||||
.SH HISTORY
|
.SH HISTORY
|
||||||
Written for the FreeS/WAN project
|
Written for the FreeS/WAN project by Henry Spencer.
|
||||||
<http://www.freeswan.org>
|
Extended for the strongSwan project
|
||||||
by Henry Spencer. Extended for the strongSwan project
|
|
||||||
<http://www.strongswan.org>
|
<http://www.strongswan.org>
|
||||||
by Andreas Steffen. IKEv2-specific features by Martin Willi.
|
by Andreas Steffen. IKEv2-specific features by Martin Willi.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
|
|
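Review bot: the FreeS/WAN URL <http://www.freeswan.org> is dropped from the HISTORY section (the hunk shrinks from 9 to 8 lines) while the strongSwan URL is kept, and the commit message only speaks of separating the setup parameters. Either keep the URL next to "Written for the FreeS/WAN project by Henry Spencer." for symmetry with the strongSwan line, or mention its removal in the commit message.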