1: .TH IPSEC.CONF 5 "2012-06-26" "@PACKAGE_VERSION@" "strongSwan"
2: .SH NAME
3: ipsec.conf \- IPsec configuration and connections
4: .SH DESCRIPTION
5: The optional
6: .I ipsec.conf
7: file
8: specifies most configuration and control information for the
9: strongSwan IPsec subsystem.
10: The major exception is secrets for authentication;
11: see
12: .IR ipsec.secrets (5).
13: Its contents are not security-sensitive.
14: .PP
15: The file is a text file, consisting of one or more
16: .IR sections .
17: White space followed by
18: .B #
19: followed by anything to the end of the line
20: is a comment and is ignored,
21: as are empty lines which are not within a section.
22: .PP
23: A line which contains
24: .B include
25: and a file name, separated by white space,
26: is replaced by the contents of that file.
27: If the file name is not a full pathname,
28: it is considered to be relative to the directory containing the
29: including file.
30: Such inclusions can be nested.
31: Only a single filename may be supplied, and it may not contain white space,
32: but it may include shell wildcards (see
33: .IR sh (1));
34: for example:
35: .PP
36: .B include
37: .B "ipsec.*.conf"
38: .PP
39: The intention of the include facility is mostly to permit keeping
40: information on connections, or sets of connections,
41: separate from the main configuration file.
42: This permits such connection descriptions to be changed,
43: copied to the other security gateways involved, etc.,
44: without having to constantly extract them from the configuration
45: file and then insert them back into it.
46: Note also the
47: .B also
48: parameter (described below) which permits splitting a single logical
49: section (e.g. a connection description) into several actual sections.
50: .PP
51: A section
52: begins with a line of the form:
53: .PP
54: .I type
55: .I name
56: .PP
57: where
58: .I type
59: indicates what type of section follows, and
60: .I name
61: is an arbitrary name which distinguishes the section from others
62: of the same type.
63: All subsequent non-empty lines
64: which begin with white space are part of the section.
65: Sections of the same type that share the same name are merged.
66: .PP
67: Lines within the section are generally of the form
68: .PP
69: \ \ \ \ \ \fIparameter\fB=\fIvalue\fR
70: .PP
71: (note the mandatory preceding white space).
72: There can be white space on either side of the
73: .BR = .
74: Parameter names are specific to a section type.
75: .PP
76: An empty
77: .I value
78: stands for the system default value (if any) of the parameter,
79: i.e. it is roughly equivalent to omitting the parameter line entirely. This may
80: be useful to clear a setting inherited from a
81: .B %default
82: section or via
83: .B also
84: parameter (see below).
85: A
86: .I value
87: may contain single spaces (additional white space is reduced to one space).
88: To preserve white space as written enclose the entire
89: .I value
90: in double quotes (\fB"\fR); in such values double quotes themselves may be
91: escaped by prefixing them with
92: .B \\\\
93: characters. A double-quoted string may span multiple lines by ending them with
94: .B \\\\
95: characters (following lines don't have to begin with white space, as that will
96: be preserved). Additionally, the following control characters may be encoded in
97: double-quoted strings: \\n, \\r, \\t, \\b, \\f.
98: .PP
99: Numeric values are specified to be either an ``integer''
100: (a sequence of digits) or a ``decimal number''
101: (sequence of digits optionally followed by `.' and another sequence of digits).
102: .PP
103: There is currently one parameter which is available in any type of
104: section:
105: .TP
106: .B also
107: the value is a section name; the parameters of that section are inherited by
108: the current section. Parameters in the current section always override inherited
109: parameters, even if an
110: .B also
111: follows after them.
112: The specified section must exist and must have the same section type; it doesn't
113: if it is defined before or after the current section.
114: Nesting is permitted, and there may be more than one
115: .B also
116: in a single section (parameters from referenced sections are inherited and
117: overridden in the order of these
118: .B also
119: parameters).
120: .PP
121: A section with name
122: .B %default
123: specifies defaults for sections of the same type. All parameters in it, are
124: inherited by all other sections of that type.
125: .PP
126: Currently there are three types of sections:
127: a
128: .B config
129: section specifies general configuration information for IPsec, a
130: .B conn
131: section specifies an IPsec connection, while a
132: .B ca
133: section specifies special properties of a certification authority.
134: .SH "CONN SECTIONS"
135: A
136: .B conn
137: section contains a
138: .IR "connection specification" ,
139: defining a network connection to be made using IPsec.
140: The name given is arbitrary, and is used to identify the connection.
141: Here's a simple example:
142: .PP
143: .ne 10
144: .nf
145: .ft B
146: .ta 1c
147: conn snt
148: left=192.168.0.1
149: leftsubnet=10.1.0.0/16
150: right=192.168.0.2
151: rightsubnet=10.1.0.0/16
152: keyingtries=%forever
153: auto=add
154: .ft
155: .fi
156: .PP
157: A note on terminology: There are two kinds of communications going on:
158: transmission of user IP packets, and gateway-to-gateway negotiations for
159: keying, rekeying, and general control.
160: The path to control the connection is called 'ISAKMP SA' in IKEv1
161: and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
162: level data path, is called 'IPsec SA' or 'Child SA'.
163: strongSwan previously used two separate keying daemons, \fIpluto\fP and
164: \fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
165: only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
166: .PP
167: To avoid trivial editing of the configuration file to suit it to each system
168: involved in a connection,
169: connection specifications are written in terms of
170: .I left
171: and
172: .I right
173: participants,
174: rather than in terms of local and remote.
175: Which participant is considered
176: .I left
177: or
178: .I right
179: is arbitrary;
180: for every connection description an attempt is made to figure out whether
181: the local endpoint should act as the
182: .I left
183: or
184: .I right
185: endpoint. This is done by matching the IP addresses defined for both endpoints
186: with the IP addresses assigned to local network interfaces. If a match is found
187: then the role (left or right) that matches is going to be considered local.
188: If no match is found during startup,
189: .I left
190: is considered local.
191: This permits using identical connection specifications on both ends.
192: There are cases where there is no symmetry; a good convention is to
193: use
194: .I left
195: for the local side and
196: .I right
197: for the remote side (the first letters are a good mnemonic).
198: .PP
199: Many of the parameters relate to one participant or the other;
200: only the ones for
201: .I left
202: are listed here, but every parameter whose name begins with
203: .B left
204: has a
205: .B right
206: counterpart,
207: whose description is the same but with
208: .B left
209: and
210: .B right
211: reversed.
212: .PP
213: Parameters are optional unless marked '(required)'.
214: .SS "CONN PARAMETERS"
215: Unless otherwise noted, for a connection to work,
216: in general it is necessary for the two ends to agree exactly
217: on the values of these parameters.
218: .TP
219: .BR aaa_identity " = <id>"
220: defines the identity of the AAA backend used during IKEv2 EAP authentication.
221: This is required if the EAP client uses a method that verifies the server
222: identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
223: .TP
224: .BR aggressive " = yes | " no
225: whether to use IKEv1 Aggressive or Main Mode (the default).
226: .TP
227: .BR ah " = <cipher suites>"
228: comma-separated list of AH algorithms to be used for the connection, e.g.
229: .BR sha1-sha256-modp1024 .
230: The notation is
231: .BR integrity[-dhgroup] .
232: For IKEv2, multiple algorithms (separated by -) of the same type can be included
233: in a single proposal. IKEv1 only includes the first algorithm in a proposal.
234: Only either the
235: .B ah
236: or
237: .B esp
238: keyword may be used, AH+ESP bundles are not supported.
239:
240: There is no default AH cipher suite since by default ESP is used.
241: The daemon adds its extensive default proposal to the configured value. To
242: restrict it to the configured proposal an
243: exclamation mark
244: .RB ( ! )
245: can be added at the end.
246:
247: If
248: .B dh-group
249: is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
250: Diffie-Hellman exchange (refer to the
251: .B esp
252: keyword for details).
253: .TP
254: .BR also " = <name>"
255: includes conn section
256: .BR <name> .
257: .TP
258: .BR auth " = <value>"
259: was used by the
260: .B pluto
261: IKEv1 daemon to use AH integrity protection for ESP encrypted packets, but is
262: not supported in charon. The
263: .B ah
264: keyword specifies algorithms to use for integrity protection with AH, but
265: without encryption. AH+ESP bundles are not supported.
266: .TP
267: .BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
268: how the two security gateways should authenticate each other;
269: acceptable values are
270: .B psk
271: or
272: .B secret
273: for pre-shared secrets,
274: .B pubkey
275: (the default) for public key signatures as well as the synonyms
276: .B rsasig
277: for RSA digital signatures and
278: .B ecdsasig
279: for Elliptic Curve DSA signatures.
280: .B never
281: can be used if negotiation is never to be attempted or accepted (useful for
282: shunt-only conns).
283: Digital signatures are superior in every way to shared secrets.
284: IKEv1 additionally supports the values
285: .B xauthpsk
286: and
287: .B xauthrsasig
288: that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
289: based on shared secrets or digital RSA signatures, respectively.
290: This parameter is deprecated, as two peers do not need to agree on an
291: authentication method in IKEv2. Use the
292: .B leftauth
293: parameter instead to define authentication methods.
294: .TP
295: .BR auto " = " ignore " | add | route | start"
296: what operation, if any, should be done automatically at IPsec startup;
297: currently-accepted values are
298: .BR add ,
299: .BR route ,
300: .B start
301: and
302: .B ignore
303: (the default).
304: .B add
305: loads a connection without starting it.
306: .B route
307: loads a connection and installs kernel traps. If traffic is detected between
308: .B leftsubnet
309: and
310: .BR rightsubnet ,
311: a connection is established.
312: .B start
313: loads a connection and brings it up immediately.
314: .B ignore
315: ignores the connection. This is equal to deleting a connection from the config
316: file.
317: Relevant only locally, other end need not agree on it.
318: .TP
319: .BR closeaction " = " none " | clear | hold | restart"
320: defines the action to take if the remote peer unexpectedly closes a CHILD_SA
321: (see
322: .B dpdaction
323: for meaning of values).
324: A
325: .B closeaction should not be
326: used if the peer uses reauthentication or uniqueids checking, as these events
327: might trigger the defined action when not desired.
328: .TP
329: .BR compress " = yes | " no
330: whether IPComp compression of content is proposed on the connection
331: (link-level compression does not work on encrypted data,
332: so to be effective, compression must be done \fIbefore\fR encryption);
333: acceptable values are
334: .B yes
335: and
336: .B no
337: (the default). A value of
338: .B yes
339: causes the daemon to propose both compressed and uncompressed,
340: and prefer compressed.
341: A value of
342: .B no
343: prevents the daemon from proposing or accepting compression.
344: .TP
345: .BR dpdaction " = " none " | clear | hold | restart"
346: controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
347: R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
348: are periodically sent in order to check the
349: liveliness of the IPsec peer. The values
350: .BR clear ,
351: .BR hold ,
352: and
353: .B restart
354: all activate DPD and determine the action to perform on a timeout. With
355: .B clear
356: the connection is closed with no further actions taken.
357: .B hold
358: installs a trap policy, which will catch matching traffic and tries to
359: re-negotiate the connection on demand.
360: .B restart
361: will immediately trigger an attempt to re-negotiation the connection.
362: The default is
363: .B none
364: which disables the active sending of DPD messages.
365: .TP
366: .BR dpddelay " = " 30s " | <time>"
367: defines the period time interval with which R_U_THERE messages/INFORMATIONAL
368: exchanges are sent to the peer. These are only sent if no other traffic is
369: received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
370: messages and uses only standard messages (such as those to rekey) to detect
371: dead peers.
372: .TP
373: .BR dpdtimeout " = " 150s " | <time>
374: defines the timeout interval, after which all connections to a peer are deleted
375: in case of inactivity. This only applies to IKEv1, in IKEv2 the default
376: retransmission timeout applies, as every exchange is used to detect dead peers.
377: .TP
378: .BR inactivity " = <time>"
379: defines the timeout interval, after which a CHILD_SA is closed if it did
380: not send or receive any traffic. The inactivity counter is reset during CHILD_SA
381: rekeying. This means that the inactivity timeout must be smaller than the
382: rekeying interval to have any effect.
383: .TP
384: .BR eap_identity " = <id>"
385: defines the identity the client uses to reply to an EAP Identity request.
386: If defined on the EAP server, the defined identity will be used as peer
387: identity during EAP authentication. The special value
388: .B %identity
389: uses the EAP Identity method to ask the client for an EAP identity. If not
390: defined, the IKEv2 identity will be used as EAP identity.
391: .TP
392: .BR esp " = <cipher suites>"
393: comma-separated list of ESP encryption/authentication algorithms to be used
394: for the connection, e.g.
395: .BR aes128-sha256 .
396: The notation is
397: .BR encryption-integrity[-dhgroup][-esnmode] .
398: For IKEv2, multiple algorithms (separated by -) of the same type can be included
399: in a single proposal. IKEv1 only includes the first algorithm in a proposal.
400: Only either the
401: .B ah
402: or
403: .B esp
404: keyword may be used, AH+ESP bundles are not supported.
405:
406: Defaults to
407: .BR aes128-sha256 .
408: The daemon adds its extensive default proposal to this default
409: or the configured value. To restrict it to the configured proposal an
410: exclamation mark
411: .RB ( ! )
412: can be added at the end.
413:
414: .BR Note :
415: As a responder, the daemon defaults to selecting the first configured proposal
416: that's also supported by the peer. This may be changed via
417: .BR strongswan.conf (5)
418: to selecting the first acceptable proposal sent by the peer instead. In order to
419: restrict a responder to only accept specific cipher suites, the strict flag
420: .RB ( ! ,
421: exclamation mark) can be used, e.g: aes256-sha512-modp4096!
422:
423: If
424: .B dh-group
425: is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a
426: separate Diffie-Hellman exchange using the specified group. However, for IKEv2,
427: the keys of the CHILD_SA created implicitly with the IKE_SA will always be
428: derived from the IKE_SA's key material. So any DH group specified here will only
429: apply when the CHILD_SA is later rekeyed or is created with a separate
430: CREATE_CHILD_SA exchange. Therefore, a proposal mismatch might not immediately
431: be noticed when the SA is established, but may later cause rekeying to fail.
432:
433: Valid values for
434: .B esnmode
435: are
436: .B esn
437: and
438: .BR noesn .
439: Specifying both negotiates Extended Sequence Number support with the peer,
440: the default is
441: .B noesn.
442: .TP
443: .BR forceencaps " = yes | " no
444: force UDP encapsulation for ESP packets even if no NAT situation is detected.
445: This may help to surmount restrictive firewalls. In order to force the peer to
446: encapsulate packets, NAT detection payloads are faked.
447: .TP
448: .BR fragmentation " = " yes " | accept | force | no"
449: whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
450: fragmentation as per RFC 7383). Acceptable values are
451: .B yes
452: (the default),
453: .BR accept ,
454: .B force
455: and
456: .BR no .
457: If set to
458: .BR yes ,
459: and the peer supports it, oversized IKE messages will be sent in fragments. If
460: set to
461: .BR accept ,
462: support for fragmentation is announced to the peer but the daemon does not send
463: its own messages in fragments. If set to
464: .B force
465: (only supported for IKEv1) the initial IKE message will already be fragmented
466: if required. Finally, setting the option to
467: .B no
468: will disable announcing support for this feature.
469:
470: Note that fragmented IKE messages sent by a peer are always accepted
471: irrespective of the value of this option (even when set to
472: .BR no ).
473: .TP
474: .BR ike " = <cipher suites>"
475: comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
476: to be used, e.g.
477: .BR aes128-sha256-modp3072 .
478: The notation is
479: .BR encryption-integrity[-prf]-dhgroup .
480: If no PRF is given, the algorithms defined for integrity are used for the PRF.
481: The prf keywords are the same as the integrity algorithms, but have a
482: .B prf
483: prefix (such as
484: .BR prfsha1 ,
485: .B prfsha256
486: or
487: .BR prfaesxcbc ).
488: .br
489: In IKEv2, multiple algorithms and proposals may be included, such as
490: .BR aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024 .
491:
492: Defaults to
493: .BR aes128-sha256-modp3072 .
494: The daemon adds its extensive default proposal to this
495: default or the configured value. To restrict it to the configured proposal an
496: exclamation mark
497: .RB ( ! )
498: can be added at the end.
499:
500: .BR Note :
501: As a responder the daemon accepts the first supported proposal received from
502: the peer. In order to restrict a responder to only accept specific cipher
503: suites, the strict flag
504: .RB ( ! ,
505: exclamation mark) can be used, e.g:
506: .BR aes256-sha512-modp4096!
507: .TP
508: .BR ikedscp " = " 000000 " | <DSCP field>"
509: Differentiated Services Field Codepoint to set on outgoing IKE packets sent
510: from this connection. The value is a six digit binary encoded string defining
511: the Codepoint to set, as defined in RFC 2474.
512: .TP
513: .BR ikelifetime " = " 3h " | <time>"
514: how long the keying channel of a connection (ISAKMP or IKE SA)
515: should last before being renegotiated. Also see EXPIRY/REKEY below.
516: .TP
517: .BR installpolicy " = " yes " | no"
518: decides whether IPsec policies are installed in the kernel by the charon daemon
519: for a given connection. Allows peaceful cooperation e.g. with
520: the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
521: Acceptable values are
522: .B yes
523: (the default) and
524: .BR no .
525: .TP
526: .BR keyexchange " = " ike " | ikev1 | ikev2"
527: which key exchange protocol should be used to initiate the connection.
528: Connections marked with
529: .B ike
530: use IKEv2 when initiating, but accept any protocol version when responding.
531: .TP
532: .BR keyingtries " = " 3 " | <number> | %forever"
533: how many attempts (a whole number or \fB%forever\fP) should be made to
534: negotiate a connection, or a replacement for one, before giving up
535: (default
536: .BR 3 ).
537: The value \fB%forever\fP
538: means 'never give up'.
539: Relevant only locally, other end need not agree on it.
540: .TP
541: .BR left " = <ip address> | <fqdn> | " %any " | <range> | <subnet> "
542: The IP address of the left participant's public-network interface
543: or one of several magic values.
544: The value
545: .B %any
546: (the default) for the local endpoint signifies an address to be filled in (by
547: automatic keying) during negotiation. If the local peer initiates the
548: connection setup the routing table will be queried to determine the correct
549: local IP address.
550: In case the local peer is responding to a connection setup then any IP address
551: that is assigned to a local interface will be accepted.
552:
553: The prefix
554: .B %
555: in front of a fully-qualified domain name or an IP address will implicitly set
556: .BR leftallowany =yes.
557:
558: If
559: .B %any
560: is used for the remote endpoint it literally means any IP address.
561:
562: If an
563: .B FQDN
564: is assigned it is resolved every time a configuration lookup is done. If DNS
565: resolution times out, the lookup is delayed for that time.
566:
567: To limit the connection to a specific range of hosts, a range (
568: .BR 10.1.0.0-10.2.255.255
569: ) or a subnet (
570: .BR 10.1.0.0/16
571: ) can be specified, and multiple addresses, ranges and subnets can be separated
572: by commas. While one can freely combine these items, to initiate the connection
573: at least one non-range/subnet is required.
574:
575: Please note that with the usage of wildcards multiple connection descriptions
576: might match a given incoming connection attempt. The most specific description
577: is used in that case.
578: .TP
579: .BR leftallowany " = yes | " no
580: a modifier for
581: .BR left ,
582: making it behave as
583: .B %any
584: although a concrete IP address or domain name has been assigned.
585: .TP
586: .BR leftauth " = <auth method>"
587: Authentication method to use locally (left) or require from the remote (right)
588: side.
589: Acceptable values are
590: .B pubkey
591: for public key authentication (RSA/ECDSA),
592: .B psk
593: for pre-shared key authentication,
594: .B eap
595: to (require the) use of the Extensible Authentication Protocol in IKEv2, and
596: .B xauth
597: for IKEv1 eXtended Authentication.
598:
599: To require a trustchain public key strength for the remote side, specify the
600: key type followed by the minimum strength in bits (for example
601: .BR ecdsa-384
602: or
603: .BR rsa-2048-ecdsa-256 ).
604: To limit the acceptable set of hashing algorithms for trustchain validation,
605: append hash algorithms to
606: .BR pubkey
607: or a key strength definition (for example
608: .BR pubkey-sha256-sha512 ,
609: .BR rsa-2048-sha256-sha384-sha512 ,
610: or
611: .BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ).
612: Unless disabled in
613: .BR strongswan.conf (5),
614: or explicit IKEv2 signature constraints are configured (see below), such key
615: types and hash algorithms are also applied as constraints against IKEv2
616: signature authentication schemes used by the remote side.
617:
618: If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
619: hash algorithms to be used during IKEv2 authentication may be configured.
620: The syntax is the same as above, but with ike: prefix. For example, with
621: .B ike:pubkey-sha384-sha256
622: a public key signature scheme with either SHA-384 or SHA-256 would get used for
623: authentication, in that order and depending on the hash algorithms supported by
624: the peer. If no specific hash algorithms are configured, the default is to
625: prefer an algorithm that matches or exceeds the strength of the signature key.
626: If no constraints with ike: prefix are configured any signature scheme
627: constraint (without ike: prefix) will also apply to IKEv2 authentication, unless
628: this is disabled in
629: .BR strongswan.conf (5).
630:
631: To use or require RSASSA-PSS signatures use rsa/pss instead of rsa as in e.g.
632: .BR ike:rsa/pss-sha256 .
633: If \fBpubkey\fR or \fBrsa\fR constraints are configured RSASSA-PSS signatures
634: will only be used/accepted if enabled in
635: .BR strongswan.conf (5).
636:
637: For
638: .BR eap ,
639: an optional EAP method can be appended. Currently defined methods are
640: .BR eap-aka ,
641: .BR eap-gtc ,
642: .BR eap-md5 ,
643: .BR eap-mschapv2 ,
644: .BR eap-peap ,
645: .BR eap-sim ,
646: .BR eap-tls ,
647: .BR eap-ttls ,
648: .BR eap-dynamic ,
649: and
650: .BR eap-radius .
651: Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
652: EAP methods are defined in the form
653: .B eap-type-vendor
654: .RB "(e.g. " eap-7-12345 ).
655: To specify signature and trust chain constraints for EAP-(T)TLS, append a colon
656: to the EAP method, followed by the key type/size and hash algorithm as discussed
657: above. For
658: .B xauth,
659: an XAuth authentication backend can be specified, such as
660: .B xauth-generic
661: or
662: .BR xauth-eap .
663: If XAuth is used in
664: .BR leftauth ,
665: Hybrid authentication is used. For traditional XAuth authentication, define
666: XAuth in
667: .BR lefauth2 .
668: .TP
669: .BR leftauth2 " = <auth method>"
670: Same as
671: .BR leftauth ,
672: but defines an additional authentication exchange. In IKEv1, only XAuth can be
673: used in the second authentication round. IKEv2 supports multiple complete
674: authentication rounds using "Multiple Authentication Exchanges" defined
675: in RFC 4739. This allows, for example, separated authentication
676: of host and user.
677: .TP
678: .BR leftca " = <issuer dn> | %same"
679: the distinguished name of a certificate authority which is required to
680: lie in the trust path going from the left participant's certificate up
681: to the root certification authority.
682: .B %same
683: means that the value configured for the right participant should be reused.
684: .TP
685: .BR leftca2 " = <issuer dn> | %same"
686: Same as
687: .BR leftca ,
688: but for the second authentication round (IKEv2 only).
689: .TP
690: .BR leftcert " = <path>"
691: the path to the left participant's X.509 certificate. The file can be encoded
692: either in PEM or DER format. OpenPGP certificates are supported as well.
693: Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
694: are accepted. By default
695: .B leftcert
696: sets
697: .B leftid
698: to the distinguished name of the certificate's subject.
699: The left participant's ID can be overridden by specifying a
700: .B leftid
701: value which must be certified by the certificate, though.
702: .br
703: A value in the form
704: .B %smartcard[<slot nr>[@<module>]]:<keyid>
705: defines a specific certificate to load from a PKCS#11 backend for this
706: connection. See ipsec.secrets(5) for details about smartcard definitions.
707: .B leftcert
708: is required only if selecting the certificate with
709: .B leftid
710: is not sufficient, for example if multiple certificates use the same subject.
711: .br
712: Multiple certificate paths or PKCS#11 backends can be specified in a comma
713: separated list. The daemon chooses the certificate based on the received
714: certificate requests if possible before enforcing the first.
715: .TP
716: .BR leftcert2 " = <path>"
717: Same as
718: .B leftcert,
719: but for the second authentication round (IKEv2 only).
720: .TP
721: .BR leftcertpolicy " = <OIDs>"
722: Comma separated list of certificate policy OIDs the peer's certificate must
723: have.
724: OIDs are specified using the numerical dotted representation.
725: .TP
726: .BR leftdns " = <servers>"
727: Comma separated list of DNS server addresses to exchange as configuration
728: attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
729: .BR %config4 / %config6
730: to request attributes without an address. On the responder,
731: only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
732: to the client.
733: .TP
734: .BR leftfirewall " = yes | " no
735: whether the left participant is doing forwarding-firewalling
736: (including masquerading) using iptables for traffic from \fIleftsubnet\fR,
737: which should be turned off (for traffic to the other subnet)
738: once the connection is established;
739: acceptable values are
740: .B yes
741: and
742: .B no
743: (the default).
744: May not be used in the same connection description with
745: .BR leftupdown .
746: Implemented as a parameter to the default \fBipsec _updown\fR script.
747: See notes below.
748: Relevant only locally, other end need not agree on it.
749:
750: If one or both security gateways are doing forwarding firewalling
751: (possibly including masquerading),
752: and this is specified using the firewall parameters,
753: tunnels established with IPsec are exempted from it
754: so that packets can flow unchanged through the tunnels.
755: (This means that all subnets connected in this manner must have
756: distinct, non-overlapping subnet address blocks.)
757: This is done by the default \fBipsec _updown\fR script.
758:
759: In situations calling for more control,
760: it may be preferable for the user to supply his own
761: .I updown
762: script,
763: which makes the appropriate adjustments for his system.
764: .TP
765: .BR leftgroups " = <group list>"
766: a comma separated list of group names. If the
767: .B leftgroups
768: parameter is present then the peer must be a member of at least one
769: of the groups defined by the parameter.
770: .TP
771: .BR leftgroups2 " = <group list>"
772: Same as
773: .B leftgroups,
774: but for the second authentication round defined with
775: .B leftauth2.
776: .TP
777: .BR lefthostaccess " = yes | " no
778: inserts a pair of INPUT and OUTPUT iptables rules using the default
779: \fBipsec _updown\fR script, thus allowing access to the host itself
780: in the case where the host's internal interface is part of the
781: negotiated client subnet.
782: Acceptable values are
783: .B yes
784: and
785: .B no
786: (the default).
787: .TP
788: .BR leftid " = <id>"
789: how the left participant should be identified for authentication;
790: defaults to
791: .B left
792: or the subject of the certificate configured with
793: .BR leftcert .
794: If
795: .B leftcert
796: is configured the identity has to be confirmed by the certificate.
797:
798: Can be an IP address, a fully-qualified domain name, an email address or a
799: Distinguished Name for which the ID type is determined automatically and the
800: string is converted to the appropriate encoding. The rules for this conversion
801: are described in IDENTITY PARSING below.
802:
803: In certain special situations the identity parsing above might be inadequate
804: or produce the wrong result. Examples are the need to encode a FQDN as KEY_ID or
805: the string parser being unable to produce the correct binary ASN.1 encoding of
806: a certificate's DN. For these situations it is possible to enforce a specific
807: identity type and to provide the binary encoding of the identity. To do this a
808: prefix may be used, followed by a colon (:). If the number sign (#) follows the
809: colon, the remaining data is interpreted as hex encoding, otherwise the string
810: is used as is as the identification data.
811: .BR Note :
812: The latter implies that no conversion is performed for non-string identities.
813: For example,
814: \fIipv4:10.0.0.1\fP does not create a valid ID_IPV4_ADDR IKE identity, as it
815: does not get converted to binary 0x0a000001. Instead, one could use
816: \fIipv4:#0a000001\fP to get a valid identity, but just using the implicit type
817: with automatic conversion is usually simpler. The same applies to the ASN.1
818: encoded types. The following prefixes are known:
819: .BR ipv4 ,
820: .BR ipv6 ,
821: .BR rfc822 ,
822: .BR email ,
823: .BR userfqdn ,
824: .BR fqdn ,
825: .BR dns ,
826: .BR asn1dn ,
827: .B asn1gn
828: and
829: .BR keyid .
830: Custom type prefixes may be specified by surrounding the numerical type value by
831: curly brackets.
832:
833: For IKEv2 and
834: .B rightid
835: the prefix
836: .B %
837: in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
838: request and will allow it to verify the configured identity against the subject
839: and subjectAltNames contained in the responder's certificate (otherwise it is
840: only compared with the IDr returned by the responder). The IDr sent by the
841: initiator might otherwise prevent the responder from finding a config if it
842: has configured a different value for
843: .BR leftid .
844: .TP
845: .BR leftid2 " = <id>"
846: identity to use for a second authentication for the left participant
847: (IKEv2 only); defaults to
848: .BR leftid .
849: .TP
850: .BR leftikeport " = <port>"
851: UDP port the left participant uses for IKE communication.
852: If unspecified, port 500 is used with the port floating
853: to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
854: different from the default additionally requires a socket implementation that
855: listens on this port.
856: .TP
857: .BR leftprotoport " = <protocol>/<port>"
858: restrict the traffic selector to a single protocol and/or port. This option
859: is now deprecated, protocol/port information can be defined for each subnet
860: directly in
861: .BR leftsubnet .
862: .TP
863: .BR leftsigkey " = <raw public key> | <path to public key>"
864: the left participant's public key for public key signature authentication,
865: in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
866: optional
867: .B dns:
868: or
869: .B ssh:
870: prefix in front of 0x or 0s, the public key is expected to be in either
871: the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
872: respectively.
873: Also accepted is the path to a file containing the public key in PEM, DER or SSH
874: encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
875: are accepted.
876: .TP
877: .BR leftsendcert " = never | no | " ifasked " | always | yes"
878: Accepted values are
879: .B never
880: or
881: .BR no ,
882: .B always
883: or
884: .BR yes ,
885: and
886: .BR ifasked " (the default),"
887: the latter meaning that the peer must send a certificate request payload in
888: order to get a certificate in return.
889: .TP
890: .BR leftsourceip " = %config4 | %config6 | <ip address>"
891: Comma separated list of internal source IPs to use in a tunnel, also known as
892: virtual IP. If the value is one of the synonyms
893: .BR %config ,
894: .BR %cfg ,
895: .BR %modeconfig ,
896: or
897: .BR %modecfg ,
898: an address (from the tunnel address family) is requested from the peer. With
899: .B %config4
900: and
901: .B %config6
902: an address of the given address family will be requested explicitly.
903: If an IP address is configured, it will be requested from the responder,
904: which is free to respond with a different address.
905: .TP
906: .BR rightsourceip " = %config | <network>/<netmask> | <from>-<to> | %poolname"
907: Comma separated list of internal source IPs to use in a tunnel for the remote
908: peer. If the value is
909: .B %config
910: on the responder side, the initiator must propose an address which is then
911: echoed back. Also supported are address pools expressed as
912: \fInetwork\fB/\fInetmask\fR
913: and
914: \fIfrom\fB-\fIto\fR
915: or the use of an external IP address pool using %\fIpoolname\fR,
916: where \fIpoolname\fR is the name of the IP address pool used for the lookup.
917: .TP
918: .BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
919: private subnet behind the left participant, expressed as
920: \fInetwork\fB/\fInetmask\fR;
921: if omitted, essentially assumed to be \fIleft\fB/32\fR,
922: signifying that the left end of the connection goes to the left participant
923: only. Configured subnets of the peers may differ, the protocol narrows it to
924: the greatest common subnet. In IKEv1, this may lead to problems with other
925: implementations, make sure to configure identical subnets in such
926: configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
927: interprets the first subnet of such a definition, unless the Cisco Unity
928: extension plugin is enabled. This is due to a limitation of the IKEv1 protocol,
929: which only allows a single pair of subnets per CHILD_SA. So to tunnel several
930: subnets a conn entry has to be defined and brought up for each pair of subnets.
931:
932: The optional part after each subnet enclosed in square brackets specifies a
933: protocol/port to restrict the selector for that subnet.
934:
935: Examples:
936: .BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
937: .BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
938: Instead of omitting either value
939: .B %any
940: can be used to the same effect, e.g.
941: .BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
942:
943: If the protocol is
944: .B icmp
945: or
946: .B ipv6-icmp
947: the port is interpreted as ICMP message type if it is less than 256 or as type
948: and code if it is greater or equal to 256, with the type in the most significant
949: 8 bits and the code in the least significant 8 bits.
950:
951: The port value can alternatively take the value
952: .B %opaque
953: for RFC 4301 OPAQUE selectors, or a numerical range in the form
954: .BR 1024-65535 .
955: None of the kernel backends currently supports opaque or port ranges and uses
956: .B %any
957: for policy installation instead.
958:
959: Instead of specifying a subnet,
960: .B %dynamic
961: can be used to replace it with the IKE address, having the same effect
962: as omitting
963: .B leftsubnet
964: completely. Using
965: .B %dynamic
966: can be used to define multiple dynamic selectors, each having a potentially
967: different protocol/port definition.
968:
969: .TP
970: .BR leftupdown " = <path>"
971: what ``updown'' script to run to adjust routing and/or firewalling
972: when the status of the connection
973: changes (default
974: .BR "ipsec _updown" ).
975: May include positional parameters separated by white space
976: (although this requires enclosing the whole string in quotes);
977: including shell metacharacters is unwise.
978: Relevant only locally, other end need not agree on it. Charon uses the updown
979: script to insert firewall rules only, since routing has been implemented
980: directly into the daemon.
981: .TP
982: .BR lifebytes " = <number>"
983: the number of bytes transmitted over an IPsec SA before it expires.
984: .TP
985: .BR lifepackets " = <number>"
986: the number of packets transmitted over an IPsec SA before it expires.
987: .TP
988: .BR lifetime " = " 1h " | <time>"
989: how long a particular instance of a connection
990: (a set of encryption/authentication keys for user packets) should last,
991: from successful negotiation to expiry;
992: acceptable values are an integer optionally followed by
993: .BR s
994: (a time in seconds)
995: or a decimal number followed by
996: .BR m ,
997: .BR h ,
998: or
999: .B d
1000: (a time
1001: in minutes, hours, or days respectively)
1002: (default
1003: .BR 1h ,
1004: maximum
1005: .BR 24h ).
1006: Normally, the connection is renegotiated (via the keying channel)
1007: before it expires (see
1008: .BR margintime ).
1009: The two ends need not exactly agree on
1010: .BR lifetime ,
1011: although if they do not,
1012: there will be some clutter of superseded connections on the end
1013: which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
1014: .TP
1015: .BR marginbytes " = <number>"
1016: how many bytes before IPsec SA expiry (see
1017: .BR lifebytes )
1018: should attempts to negotiate a replacement begin.
1019: .TP
1020: .BR marginpackets " = <number>"
1021: how many packets before IPsec SA expiry (see
1022: .BR lifepackets )
1023: should attempts to negotiate a replacement begin.
1024: .TP
1025: .BR margintime " = " 9m " | <time>"
1026: how long before connection expiry or keying-channel expiry
1027: should attempts to
1028: negotiate a replacement
1029: begin; acceptable values as for
1030: .B lifetime
1031: (default
1032: .BR 9m ).
1033: Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
1034: below.
1035: .TP
1036: .BR mark " = <value>[/<mask>]"
1037: sets an XFRM mark on the inbound policy and outbound
1038: IPsec SA and policy. If the mask is missing then a default
1039: mask of
1040: .B 0xffffffff
1041: is assumed. The special value
1042: .B %unique
1043: assigns a unique value to each newly created IPsec SA. To additionally
1044: make the mark unique for each IPsec SA direction (in/out) the special value
1045: .B %unique-dir
1046: may be used.
1047: .TP
1048: .BR mark_in " = <value>[/<mask>]"
1049: sets an XFRM mark on the inbound policy (not on the SA). If the mask is missing
1050: then a default mask of
1051: .B 0xffffffff
1052: is assumed.
1053: .TP
1054: .BR mark_out " = <value>[/<mask>]"
1055: sets an XFRM mark on the outbound IPsec SA and
1056: policy. If the mask is missing then a default mask of
1057: .B 0xffffffff
1058: is assumed.
1059: .TP
1060: .BR mobike " = " yes " | no"
1061: enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
1062: .B yes
1063: (the default) and
1064: .BR no .
1065: If set to
1066: .BR no ,
1067: the charon daemon will not actively propose MOBIKE as initiator and
1068: ignore the MOBIKE_SUPPORTED notify as responder.
1069: .TP
1070: .BR modeconfig " = push | " pull
1071: defines which mode is used to assign a virtual IP.
1072: Accepted values are
1073: .B push
1074: and
1075: .B pull
1076: (the default).
1077: Push mode is currently not supported with IKEv2.
1078: The setting must be the same on both sides.
1079: .TP
1080: .BR reauth " = " yes " | no"
1081: whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
1082: reauthentication is always done. In IKEv2, a value of
1083: .B no
1084: rekeys without uninstalling the IPsec SAs, a value of
1085: .B yes
1086: (the default) creates a new IKE_SA from scratch and tries to recreate
1087: all IPsec SAs.
1088: .TP
1089: .BR rekey " = " yes " | no"
1090: whether a connection should be renegotiated when it is about to expire;
1091: acceptable values are
1092: .B yes
1093: (the default)
1094: and
1095: .BR no .
1096: The two ends need not agree, but while a value of
1097: .B no
1098: prevents charon from requesting renegotiation,
1099: it does not prevent responding to renegotiation requested from the other end,
1100: so
1101: .B no
1102: will be largely ineffective unless both ends agree on it. Also see
1103: .BR reauth .
1104: .TP
1105: .BR rekeyfuzz " = " 100% " | <percentage>"
1106: maximum percentage by which
1107: .BR marginbytes ,
1108: .B marginpackets
1109: and
1110: .B margintime
1111: should be randomly increased to randomize rekeying intervals
1112: (important for hosts with many connections);
1113: acceptable values are an integer,
1114: which may exceed 100,
1115: followed by a `%'
1116: (defaults to
1117: .BR 100% ).
1118: The value of
1119: .BR marginTYPE ,
1120: after this random increase,
1121: must not exceed
1122: .B lifeTYPE
1123: (where TYPE is one of
1124: .IR bytes ,
1125: .I packets
1126: or
1127: .IR time ).
1128: The value
1129: .B 0%
1130: will suppress randomization.
1131: Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
1132: below.
1133: .TP
1134: .BR replay_window " = " \-1 " | <number>"
1135: The IPsec replay window size for this connection. With the default of \-1
1136: the value configured with
1137: .I charon.replay_window
1138: in
1139: .BR strongswan.conf (5)
1140: is used. Larger values than 32 are supported using the Netlink backend only,
1141: a value of 0 disables IPsec replay protection.
1142: .TP
1143: .BR reqid " = <number>"
1144: sets the reqid for a given connection to a pre-configured fixed value.
1145: .TP
1146: .BR sha256_96 " = " no " | yes"
1147: HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
1148: with implementations that incorrectly use 96-bit truncation this option may be
1149: enabled to configure the shorter truncation length in the kernel. This is not
1150: negotiated, so this only works with peers that use the incorrect truncation
1151: length (or have this option enabled).
1152: .TP
1153: .BR tfc " = <value>"
1154: number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
1155: is currently supported in IKEv2 and applies to outgoing packets only. The
1156: special value
1157: .BR %mtu
1158: fills up ESP packets with padding to have the size of the MTU.
1159: .TP
1160: .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
1161: the type of the connection; currently the accepted values
1162: are
1163: .B tunnel
1164: (the default)
1165: signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
1166: .BR transport ,
1167: signifying host-to-host transport mode;
1168: .BR transport_proxy ,
1169: signifying the special Mobile IPv6 transport proxy mode;
1170: .BR passthrough ,
1171: signifying that no IPsec processing should be done at all;
1172: .BR drop ,
1173: signifying that packets should be discarded.
1174: .TP
1175: .BR xauth " = " client " | server"
1176: specifies the role in the XAuth protocol if activated by
1177: .B authby=xauthpsk
1178: or
1179: .B authby=xauthrsasig.
1180: Accepted values are
1181: .B server
1182: and
1183: .B client
1184: (the default).
1185: .TP
1186: .BR xauth_identity " = <id>"
1187: defines the identity/username the client uses to reply to an XAuth request.
1188: If not defined, the IKEv1 identity will be used as XAuth identity.
1189:
1190: .SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
1191: The following parameters are relevant to IKEv2 Mediation Extension
1192: operation only.
1193: .TP
1194: .BR mediation " = yes | " no
1195: whether this connection is a mediation connection, ie. whether this
1196: connection is used to mediate other connections. Mediation connections
1197: create no child SA. Acceptable values are
1198: .B no
1199: (the default) and
1200: .BR yes .
1201: .TP
1202: .BR mediated_by " = <name>"
1203: the name of the connection to mediate this connection through. If given,
1204: the connection will be mediated through the named mediation connection.
1205: The mediation connection must set
1206: .BR mediation=yes .
1207: .TP
1208: .BR me_peerid " = <id>"
1209: ID as which the peer is known to the mediation server, ie. which the other
1210: end of this connection uses as its
1211: .B leftid
1212: on its connection to the mediation server. This is the ID we request the
1213: mediation server to mediate us with. If
1214: .B me_peerid
1215: is not given, the
1216: .B rightid
1217: of this connection will be used as peer ID.
1218:
1219: .SH "CA SECTIONS"
1220: These are optional sections that can be used to assign special
1221: parameters to a Certification Authority (CA). Because the daemons
1222: automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
1223: there is no need to explicitly add them with a CA section, unless you
1224: want to assign special parameters (like a CRL) to a CA.
1225: .TP
1226: .BR also " = <name>"
1227: includes ca section
1228: .BR <name> .
1229: .TP
1230: .BR auto " = " ignore " | add"
1231: currently can have either the value
1232: .B ignore
1233: (the default) or
1234: .BR add .
1235: .TP
1236: .BR cacert " = <path>"
1237: defines a path to the CA certificate either relative to
1238: \fI/etc/ipsec.d/cacerts\fP or as an absolute path.
1239: .br
1240: A value in the form
1241: .B %smartcard[<slot nr>[@<module>]]:<keyid>
1242: defines a specific CA certificate to load from a PKCS#11 backend for this CA.
1243: See ipsec.secrets(5) for details about smartcard definitions.
1244: .TP
1245: .BR crluri " = <uri>"
1246: defines a CRL distribution point (ldap, http, or file URI)
1247: .TP
1248: .B crluri1
1249: synonym for
1250: .B crluri.
1251: .TP
1252: .BR crluri2 " = <uri>"
1253: defines an alternative CRL distribution point (ldap, http, or file URI)
1254: .TP
1255: .TP
1256: .BR ocspuri " = <uri>"
1257: defines an OCSP URI.
1258: .TP
1259: .B ocspuri1
1260: synonym for
1261: .B ocspuri.
1262: .TP
1263: .BR ocspuri2 " = <uri>"
1264: defines an alternative OCSP URI.
1265: .TP
1266: .BR certuribase " = <uri>"
1267: defines the base URI for the Hash and URL feature supported by IKEv2.
1268: Instead of exchanging complete certificates, IKEv2 allows one to send an URI
1269: that resolves to the DER encoded certificate. The certificate URIs are built
1270: by appending the SHA1 hash of the DER encoded certificates to this base URI.
1271: .SH "CONFIG SECTIONS"
1272: At present, the only
1273: .B config
1274: section known to the IPsec software is the one named
1275: .BR setup ,
1276: which contains information used when the software is being started.
1277: The currently-accepted
1278: .I parameter
1279: names in a
1280: .B config
1281: .B setup
1282: section are:
1283: .TP
1284: .BR cachecrls " = yes | " no
1285: if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
1286: be cached in
1287: .I /etc/ipsec.d/crls/
1288: under a unique file name derived from the certification authority's public key.
1289: .TP
1290: .BR charondebug " = <debug list>"
1291: how much charon debugging output should be logged.
1292: A comma separated list containing type/level-pairs may
1293: be specified, e.g:
1294: .B dmn 3, ike 1, net -1.
1295: Acceptable values for types are
1296: .B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
1297: .B tnc, imc, imv, pts
1298: and the level is one of
1299: .B -1, 0, 1, 2, 3, 4
1300: (for silent, audit, control, controlmore, raw, private). By default, the level
1301: is set to
1302: .B 1
1303: for all types. For more flexibility see LOGGER CONFIGURATION in
1304: .IR strongswan.conf (5).
1305: .TP
1306: .BR strictcrlpolicy " = yes | ifuri | " no
1307: defines if a fresh CRL must be available in order for the peer authentication
1308: based on RSA signatures to succeed.
1309: IKEv2 additionally recognizes
1310: .B ifuri
1311: which reverts to
1312: .B yes
1313: if at least one CRL URI is defined and to
1314: .B no
1315: if no URI is known.
1316: .TP
1317: .BR uniqueids " = " yes " | no | never | replace | keep"
1318: whether a particular participant ID should be kept unique,
1319: with any new IKE_SA using an ID deemed to replace all old ones using that ID;
1320: acceptable values are
1321: .B yes
1322: (the default),
1323: .B no
1324: and
1325: .BR never .
1326: Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
1327: almost invariably intended to replace an old one. The difference between
1328: .B no
1329: and
1330: .B never
1331: is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
1332: notify if the option is
1333: .B no
1334: but will ignore these notifies if
1335: .B never
1336: is configured.
1337: The daemon also accepts the value
1338: .B replace
1339: which is identical to
1340: .B yes
1341: and the value
1342: .B keep
1343: to reject new IKE_SA setups and keep the duplicate established earlier.
1344:
1345: .SH IDENTITY PARSING
1346: The type and binary encoding of identity strings specified in \fIleftid\fR
1347: are detected as follows:
1348: .IP \[bu]
1349: If the string value contains an equal sign (=) it is assumed to be a
1350: Distinguished Name, with RDNs separated by commas (,) \fIor\fR slashes (/ - the string
1351: must start with a slash to use this syntax). An attempt is made to create a
1352: binary ASN.1 encoding from this string. If that fails the type is set to KEY_ID
1353: with the literal string value adopted as encoding.
1354: .IP \[bu]
1355: If the string value contains an @ the type depends on the position of that
1356: character:
1357: .RS
1358: .IP \[bu]
1359: If the string begins with @# the type is set to KEY_ID and the string following
1360: that prefix is assumed to be the hex-encoded binary value of the identity.
1361: .IP \[bu]
1362: If the string begins with @@ the type is set to USER_FQDN and the encoding is
1363: the literal string after that prefix.
1364: .IP \[bu]
1365: If the string begins with @ the type is set to FQDN and the encoding is the
1366: literal string after that prefix.
1367: .IP \[bu]
1368: All remaining strings containing an @ are assumed to be of type USER_FQDN/RFC822
1369: with the literal string value as encoding.
1370: .RE
1371: .IP \[bu]
1372: If the value does not contain any @ or = characters it is parsed as follows:
1373: .RS
1374: .IP \[bu]
1375: If the value is an empty string, or equals %any[6], 0.0.0.0, ::, or * the
1376: type is set to ID_ANY, which matches any other identity.
1377: .IP \[bu]
1378: If the value contains a colon (:) it is assumed to be an IPv6 address. But if
1379: parsing the address and converting it to its binary encoding fails the type is
1380: set to KEY_ID and the encoding is the literal value.
1381: .IP \[bu]
1382: For all other strings an attempt at parsing them as IPv4 addresses is made. If
1383: that fails the type is set to FQDN and the literal value is adopted as
1384: encoding (this is where domain names and simple names end up).
1385: .RE
1386:
1387: .SH SA EXPIRY/REKEY
1388: The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
1389: after a specific amount of time. For IPsec SAs this can also happen after a
1390: specified number of transmitted packets or transmitted bytes. The following
1391: settings can be used to configure this:
1392: .TS
1393: l r l r,- - - -,lB s lB s,a r a r.
1394: Setting Default Setting Default
1395: IKE SA IPsec SA
1396: ikelifetime 3h lifebytes -
1397: lifepackets -
1398: lifetime 1h
1399: .TE
1400: .SS Rekeying
1401: IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
1402: configured using the following settings:
1403: .TS
1404: l r l r,- - - -,lB s lB s,a r a r.
1405: Setting Default Setting Default
1406: IKE and IPsec SA IPsec SA
1407: margintime 9m marginbytes -
1408: marginpackets -
1409: .TE
1410: .SS Randomization
1411: To avoid collisions the specified margins are increased randomly before
1412: subtracting them from the expiration limits (see formula below). This is
1413: controlled by the
1414: .B rekeyfuzz
1415: setting:
1416: .TS
1417: l r,- -,lB s,a r.
1418: Setting Default
1419: IKE and IPsec SA
1420: rekeyfuzz 100%
1421: .TE
1422: .PP
1423: Randomization can be disabled by setting
1424: .BR rekeyfuzz " to " 0% .
1425: .SS Formula
1426: The following formula is used to calculate the rekey time of IPsec SAs:
1427: .PP
1428: .EX
1429: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
1430: .EE
1431: .PP
1432: It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
1433: .SS Example
1434: Let's consider the default configuration:
1435: .PP
1436: .EX
1437: lifetime = 1h
1438: margintime = 9m
1439: rekeyfuzz = 100%
1440: .EE
1441: .PP
1442: From the formula above follows that the rekey time lies between:
1443: .PP
1444: .EX
1445: rekeytime_min = 1h - (9m + 9m) = 42m
1446: rekeytime_max = 1h - (9m + 0m) = 51m
1447: .EE
1448: .PP
1449: Thus, the daemon will attempt to rekey the IPsec SA at a random time
1450: between 42 and 51 minutes after establishing the SA. Or, in other words,
1451: between 9 and 18 minutes before the SA expires.
1452: .SS Notes
1453: .IP \[bu]
1454: Since the rekeying of an SA needs some time, the margin values must not be
1455: too low.
1456: .IP \[bu]
1457: The value
1458: .B margin... + margin... * rekeyfuzz
1459: must not exceed the original limit. For example, specifying
1460: .B margintime = 30m
1461: in the default configuration is a bad idea as there is a chance that the rekey
1462: time equals zero and, thus, rekeying gets disabled.
1463:
1464: .SH FILES
1465: .nf
1466: /etc/ipsec.conf
1467: /etc/ipsec.d/aacerts
1468: /etc/ipsec.d/acerts
1469: /etc/ipsec.d/cacerts
1470: /etc/ipsec.d/certs
1471: /etc/ipsec.d/crls
1472:
1473: .SH SEE ALSO
1474: strongswan.conf(5), ipsec.secrets(5), ipsec(8)
1475: .SH HISTORY
1476: Originally written for the FreeS/WAN project by Henry Spencer.
1477: Updated and extended for the strongSwan project <http://www.strongswan.org> by
1478: Tobias Brunner, Andreas Steffen and Martin Willi.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>