
1.1     ! misho       1: # Section defining IKE connection configurations.
        !             2: # connections {
        !             3: 
        !             4:     # Section for an IKE connection named <conn>.
        !             5:     # <conn> {
        !             6: 
        !             7:         # IKE major version to use for connection.
        !             8:         # version = 0
        !             9: 
        !            10:         # Local address(es) to use for IKE communication, comma separated.
        !            11:         # local_addrs = %any
        !            12: 
        !            13:         # Remote address(es) to use for IKE communication, comma separated.
        !            14:         # remote_addrs = %any
        !            15: 
        !            16:         # Local UDP port for IKE communication.
        !            17:         # local_port = 500
        !            18: 
        !            19:         # Remote UDP port for IKE communication.
        !            20:         # remote_port = 500
        !            21: 
        !            22:         # Comma separated proposals to accept for IKE.
        !            23:         # proposals = default
        !            24: 
        !            25:         # Virtual IPs to request in configuration payload / Mode Config.
        !            26:         # vips =
        !            27: 
        !            28:         # Use Aggressive Mode in IKEv1.
        !            29:         # aggressive = no
        !            30: 
        !            31:         # Set the Mode Config mode to use.
        !            32:         # pull = yes
        !            33: 
        !            34:         # Differentiated Services Field Codepoint to set on outgoing IKE packets
        !            35:         # (six binary digits).
        !            36:         # dscp = 000000
        !            37: 
        !            38:         # Enforce UDP encapsulation by faking NAT-D payloads.
        !            39:         # encap = no
        !            40: 
        !            41:         # Enables MOBIKE on IKEv2 connections.
        !            42:         # mobike = yes
        !            43: 
        !            44:         # Interval of liveness checks (DPD).
        !            45:         # dpd_delay = 0s
        !            46: 
        !            47:         # Timeout for DPD checks (IKEv1 only).
        !            48:         # dpd_timeout = 0s
        !            49: 
        !            50:         # Use IKE UDP datagram fragmentation (yes, accept, no or force).
        !            51:         # fragmentation = yes
        !            52: 
        !            53:         # Use childless IKE_SA initiation (allow, force or never).
        !            54:         # childless = allow
        !            55: 
        !            56:         # Send certificate requests payloads (yes or no).
        !            57:         # send_certreq = yes
        !            58: 
        !            59:         # Send certificate payloads (always, never or ifasked).
        !            60:         # send_cert = ifasked
        !            61: 
        !            62:         # String identifying the Postquantum Preshared Key (PPK) to be used.
        !            63:         # ppk_id =
        !            64: 
        !            65:         # Whether a Postquantum Preshared Key (PPK) is required for this
        !            66:         # connection.
        !            67:         # ppk_required = no
        !            68: 
        !            69:         # Number of retransmission sequences to perform during initial connect.
        !            70:         # keyingtries = 1
        !            71: 
        !            72:         # Connection uniqueness policy (never, no, keep or replace).
        !            73:         # unique = no
        !            74: 
        !            75:         # Time to schedule IKE reauthentication.
        !            76:         # reauth_time = 0s
        !            77: 
        !            78:         # Time to schedule IKE rekeying.
        !            79:         # rekey_time = 4h
        !            80: 
        !            81:         # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
        !            82:         # over_time = 10% of rekey_time/reauth_time
        !            83: 
        !            84:         # Range of random time to subtract from rekey/reauth times.
        !            85:         # rand_time = over_time
        !            86: 
        !            87:         # Comma separated list of named IP pools.
        !            88:         # pools =
        !            89: 
        !            90:         # Default inbound XFRM interface ID for children.
        !            91:         # if_id_in = 0
        !            92: 
        !            93:         # Default outbound XFRM interface ID for children.
        !            94:         # if_id_out = 0
        !            95: 
        !            96:         # Whether this connection is a mediation connection.
        !            97:         # mediation = no
        !            98: 
        !            99:         # The name of the connection to mediate this connection through.
        !           100:         # mediated_by =
        !           101: 
        !           102:         # Identity under which the peer is registered at the mediation server.
        !           103:         # mediation_peer =
        !           104: 
        !           105:         # Section for a local authentication round.
        !           106:         # local<suffix> {
        !           107: 
        !           108:             # Optional numeric identifier by which authentication rounds are
        !           109:             # sorted.  If not specified, rounds are ordered by their position in
        !           110:             # the config file/VICI message.
        !           111:             # round = 0
        !           112: 
        !           113:             # Comma separated list of certificate candidates to use for
        !           114:             # authentication.
        !           115:             # certs =
        !           116: 
        !           117:             # Section for a certificate candidate to use for authentication.
        !           118:             # cert<suffix> =
        !           119: 
        !           120:             # Comma separated list of raw public key candidates to use for
        !           121:             # authentication.
        !           122:             # pubkeys =
        !           123: 
        !           124:             # Authentication to perform locally (pubkey, psk, xauth[-backend] or
        !           125:             # eap[-method]).
        !           126:             # auth = pubkey
        !           127: 
        !           128:             # IKE identity to use for authentication round.
        !           129:             # id =
        !           130: 
        !           131:             # Client EAP-Identity to use in EAP-Identity exchange and the EAP
        !           132:             # method.
        !           133:             # eap_id = id
        !           134: 
        !           135:             # Server side EAP-Identity to expect in the EAP method.
        !           136:             # aaa_id = remote-id
        !           137: 
        !           138:             # Client XAuth username used in the XAuth exchange.
        !           139:             # xauth_id = id
        !           140: 
        !           141:             # cert<suffix> {
        !           142: 
        !           143:                 # Absolute path to the certificate to load.
        !           144:                 # file =
        !           145: 
        !           146:                 # Hex-encoded CKA_ID of the certificate on a token.
        !           147:                 # handle =
        !           148: 
        !           149:                 # Optional slot number of the token that stores the certificate.
        !           150:                 # slot =
        !           151: 
        !           152:                 # Optional PKCS#11 module name.
        !           153:                 # module =
        !           154: 
        !           155:             # }
        !           156: 
        !           157:         # }
        !           158: 
        !           159:         # Section for a remote authentication round.
        !           160:         # remote<suffix> {
        !           161: 
        !           162:             # Optional numeric identifier by which authentication rounds are
        !           163:             # sorted.  If not specified, rounds are ordered by their position in
        !           164:             # the config file/VICI message.
        !           165:             # round = 0
        !           166: 
        !           167:             # IKE identity to expect for authentication round.
        !           168:             # id = %any
        !           169: 
        !           170:             # Identity to use as peer identity during EAP authentication.
        !           171:             # eap_id = id
        !           172: 
        !           173:             # Authorization group memberships to require.
        !           174:             # groups =
        !           175: 
        !           176:             # Certificate policy OIDs the peer's certificate must have.
        !           177:             # cert_policy =
        !           178: 
        !           179:             # Comma separated list of certificates to accept for authentication.
        !           180:             # certs =
        !           181: 
        !           182:             # Section for a certificate to accept for authentication.
        !           183:             # cert<suffix> =
        !           184: 
        !           185:             # Comma separated list of CA certificates to accept for
        !           186:             # authentication.
        !           187:             # cacerts =
        !           188: 
        !           189:             # Section for a CA certificate to accept for authentication.
        !           190:             # cacert<suffix> =
        !           191: 
        !           192:             # Identity in CA certificate to accept for authentication.
        !           193:             # ca_id =
        !           194: 
        !           195:             # Comma separated list of raw public keys to accept for
        !           196:             # authentication.
        !           197:             # pubkeys =
        !           198: 
        !           199:             # Certificate revocation policy (strict, ifuri or relaxed).
        !           200:             # revocation = relaxed
        !           201: 
        !           202:             # Authentication to expect from remote (pubkey, psk, xauth[-backend]
        !           203:             # or eap[-method]).
        !           204:             # auth = pubkey
        !           205: 
        !           206:             # cert<suffix> {
        !           207: 
        !           208:                 # Absolute path to the certificate to load.
        !           209:                 # file =
        !           210: 
        !           211:                 # Hex-encoded CKA_ID of the certificate on a token.
        !           212:                 # handle =
        !           213: 
        !           214:                 # Optional slot number of the token that stores the certificate.
        !           215:                 # slot =
        !           216: 
        !           217:                 # Optional PKCS#11 module name.
        !           218:                 # module =
        !           219: 
        !           220:             # }
        !           221: 
        !           222:             # cacert<suffix> {
        !           223: 
        !           224:                 # Absolute path to the certificate to load.
        !           225:                 # file =
        !           226: 
        !           227:                 # Hex-encoded CKA_ID of the CA certificate on a token.
        !           228:                 # handle =
        !           229: 
        !           230:                 # Optional slot number of the token that stores the CA
        !           231:                 # certificate.
        !           232:                 # slot =
        !           233: 
        !           234:                 # Optional PKCS#11 module name.
        !           235:                 # module =
        !           236: 
        !           237:             # }
        !           238: 
        !           239:         # }
        !           240: 
        !           241:         # children {
        !           242: 
        !           243:             # CHILD_SA configuration sub-section.
        !           244:             # <child> {
        !           245: 
        !           246:                 # AH proposals to offer for the CHILD_SA.
        !           247:                 # ah_proposals =
        !           248: 
        !           249:                 # ESP proposals to offer for the CHILD_SA.
        !           250:                 # esp_proposals = default
        !           251: 
        !           252:                 # Use incorrect 96-bit truncation for HMAC-SHA-256 (interoperability with non-compliant peers only).
        !           253:                 # sha256_96 = no
        !           254: 
        !           255:                 # Local traffic selectors to include in CHILD_SA.
        !           256:                 # local_ts = dynamic
        !           257: 
        !           258:                 # Remote selectors to include in CHILD_SA.
        !           259:                 # remote_ts = dynamic
        !           260: 
        !           261:                 # Time to schedule CHILD_SA rekeying.
        !           262:                 # rekey_time = 1h
        !           263: 
        !           264:                 # Maximum lifetime before CHILD_SA gets closed, as time.
        !           265:                 # life_time = rekey_time + 10%
        !           266: 
        !           267:                 # Range of random time to subtract from rekey_time.
        !           268:                 # rand_time = life_time - rekey_time
        !           269: 
        !           270:                 # Number of bytes processed before initiating CHILD_SA rekeying.
        !           271:                 # rekey_bytes = 0
        !           272: 
        !           273:                 # Maximum bytes processed before CHILD_SA gets closed.
        !           274:                 # life_bytes = rekey_bytes + 10%
        !           275: 
        !           276:                 # Range of random bytes to subtract from rekey_bytes.
        !           277:                 # rand_bytes = life_bytes - rekey_bytes
        !           278: 
        !           279:                 # Number of packets processed before initiating CHILD_SA
        !           280:                 # rekeying.
        !           281:                 # rekey_packets = 0
        !           282: 
        !           283:                 # Maximum number of packets processed before CHILD_SA gets
        !           284:                 # closed.
        !           285:                 # life_packets = rekey_packets + 10%
        !           286: 
        !           287:                 # Range of random packets to subtract from rekey_packets.
        !           288:                 # rand_packets = life_packets - rekey_packets
        !           289: 
        !           290:                 # Updown script to invoke on CHILD_SA up and down events.
        !           291:                 # updown =
        !           292: 
        !           293:                 # Hostaccess variable to pass to updown script.
        !           294:                 # hostaccess = no
        !           295: 
        !           296:                 # IPsec Mode to establish (tunnel, transport, transport_proxy,
        !           297:                 # beet, pass or drop).
        !           298:                 # mode = tunnel
        !           299: 
        !           300:                 # Whether to install IPsec policies or not.
        !           301:                 # policies = yes
        !           302: 
        !           303:                 # Whether to install outbound FWD IPsec policies or not.
        !           304:                 # policies_fwd_out = no
        !           305: 
        !           306:                 # Action to perform on DPD timeout (clear, trap or restart).
        !           307:                 # dpd_action = clear
        !           308: 
        !           309:                 # Enable IPComp compression before encryption.
        !           310:                 # ipcomp = no
        !           311: 
        !           312:                 # Timeout before closing CHILD_SA after inactivity.
        !           313:                 # inactivity = 0s
        !           314: 
        !           315:                 # Fixed reqid to use for this CHILD_SA.
        !           316:                 # reqid = 0
        !           317: 
        !           318:                 # Optional fixed priority for IPsec policies.
        !           319:                 # priority = 0
        !           320: 
        !           321:                 # Optional interface name to restrict IPsec policies.
        !           322:                 # interface =
        !           323: 
        !           324:                 # Netfilter mark and mask for input traffic.
        !           325:                 # mark_in = 0/0x00000000
        !           326: 
        !           327:                 # Whether to set *mark_in* on the inbound SA.
        !           328:                 # mark_in_sa = no
        !           329: 
        !           330:                 # Netfilter mark and mask for output traffic.
        !           331:                 # mark_out = 0/0x00000000
        !           332: 
        !           333:                 # Netfilter mark applied to packets after the inbound IPsec SA
        !           334:                 # processed them.
        !           335:                 # set_mark_in = 0/0x00000000
        !           336: 
        !           337:                 # Netfilter mark applied to packets after the outbound IPsec SA
        !           338:                 # processed them.
        !           339:                 # set_mark_out = 0/0x00000000
        !           340: 
        !           341:                 # Inbound XFRM interface ID.
        !           342:                 # if_id_in = 0
        !           343: 
        !           344:                 # Outbound XFRM interface ID.
        !           345:                 # if_id_out = 0
        !           346: 
        !           347:                 # Traffic Flow Confidentiality padding.
        !           348:                 # tfc_padding = 0
        !           349: 
        !           350:                 # IPsec replay window to configure for this CHILD_SA.
        !           351:                 # replay_window = 32
        !           352: 
        !           353:                 # Enable hardware offload for this CHILD_SA, if supported by the
        !           354:                 # IPsec implementation.
        !           355:                 # hw_offload = no
        !           356: 
        !           357:                 # Whether to copy the DF bit to the outer IPv4 header in tunnel
        !           358:                 # mode.
        !           359:                 # copy_df = yes
        !           360: 
        !           361:                 # Whether to copy the ECN header field to/from the outer IP
        !           362:                 # header in tunnel mode.
        !           363:                 # copy_ecn = yes
        !           364: 
        !           365:                 # Whether to copy the DSCP header field to/from the outer IP
        !           366:                 # header in tunnel mode.
        !           367:                 # copy_dscp = out
        !           368: 
        !           369:                 # Action to perform after loading the configuration (none, trap,
        !           370:                 # start).
        !           371:                 # start_action = none
        !           372: 
        !           373:                 # Action to perform after a CHILD_SA gets closed (none, trap,
        !           374:                 # start).
        !           375:                 # close_action = none
        !           376: 
        !           377:             # }
        !           378: 
        !           379:         # }
        !           380: 
        !           381:     # }
        !           382: 
        !           383: # }
        !           384: 
        !           385: # Section defining secrets for IKE/EAP/XAuth authentication and private key
        !           386: # decryption. Secret values are stored in cleartext; restrict access to this file.
        !           387: # secrets {
        !           388: 
        !           389:     # EAP secret section for a specific secret.
        !           390:     # eap<suffix> {
        !           391: 
        !           392:         # Value of the EAP/XAuth secret.
        !           393:         # secret =
        !           394: 
        !           395:         # Identity the EAP/XAuth secret belongs to.
        !           396:         # id<suffix> =
        !           397: 
        !           398:     # }
        !           399: 
        !           400:     # XAuth secret section for a specific secret (same secret/id<suffix> keys as eap<suffix>).
        !           401:     # xauth<suffix> {
        !           402: 
        !           403:     # }
        !           404: 
        !           405:     # NTLM secret section for a specific secret.
        !           406:     # ntlm<suffix> {
        !           407: 
        !           408:         # Value of the NTLM secret.
        !           409:         # secret =
        !           410: 
        !           411:         # Identity the NTLM secret belongs to.
        !           412:         # id<suffix> =
        !           413: 
        !           414:     # }
        !           415: 
        !           416:     # IKE preshared secret section for a specific secret.
        !           417:     # ike<suffix> {
        !           418: 
        !           419:         # Value of the IKE preshared secret.
        !           420:         # secret =
        !           421: 
        !           422:         # IKE identity the IKE preshared secret belongs to.
        !           423:         # id<suffix> =
        !           424: 
        !           425:     # }
        !           426: 
        !           427:     # Postquantum Preshared Key (PPK) section for a specific secret.
        !           428:     # ppk<suffix> {
        !           429: 
        !           430:         # Value of the PPK.
        !           431:         # secret =
        !           432: 
        !           433:         # PPK identity the PPK belongs to.
        !           434:         # id<suffix> =
        !           435: 
        !           436:     # }
        !           437: 
        !           438:     # Private key decryption passphrase for a key in the private folder.
        !           439:     # private<suffix> {
        !           440: 
        !           441:         # File name in the private folder for which this passphrase should be
        !           442:         # used.
        !           443:         # file =
        !           444: 
        !           445:         # Value of decryption passphrase for private key.
        !           446:         # secret =
        !           447: 
        !           448:     # }
        !           449: 
        !           450:     # Private key decryption passphrase for a key in the rsa folder.
        !           451:     # rsa<suffix> {
        !           452: 
        !           453:         # File name in the rsa folder for which this passphrase should be used.
        !           454:         # file =
        !           455: 
        !           456:         # Value of decryption passphrase for RSA key.
        !           457:         # secret =
        !           458: 
        !           459:     # }
        !           460: 
        !           461:     # Private key decryption passphrase for a key in the ecdsa folder.
        !           462:     # ecdsa<suffix> {
        !           463: 
        !           464:         # File name in the ecdsa folder for which this passphrase should be
        !           465:         # used.
        !           466:         # file =
        !           467: 
        !           468:         # Value of decryption passphrase for ECDSA key.
        !           469:         # secret =
        !           470: 
        !           471:     # }
        !           472: 
        !           473:     # Private key decryption passphrase for a key in the pkcs8 folder.
        !           474:     # pkcs8<suffix> {
        !           475: 
        !           476:         # File name in the pkcs8 folder for which this passphrase should be
        !           477:         # used.
        !           478:         # file =
        !           479: 
        !           480:         # Value of decryption passphrase for PKCS#8 key.
        !           481:         # secret =
        !           482: 
        !           483:     # }
        !           484: 
        !           485:     # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
        !           486:     # pkcs12<suffix> {
        !           487: 
        !           488:         # File name in the pkcs12 folder for which this passphrase should be
        !           489:         # used.
        !           490:         # file =
        !           491: 
        !           492:         # Value of decryption passphrase for PKCS#12 container.
        !           493:         # secret =
        !           494: 
        !           495:     # }
        !           496: 
        !           497:     # Definition for a private key that's stored on a token/smartcard.
        !           498:     # token<suffix> {
        !           499: 
        !           500:         # Hex-encoded CKA_ID of the private key on the token.
        !           501:         # handle =
        !           502: 
        !           503:         # Optional slot number to access the token.
        !           504:         # slot =
        !           505: 
        !           506:         # Optional PKCS#11 module name to access the token.
        !           507:         # module =
        !           508: 
        !           509:         # Optional PIN required to access the key on the token. If none is
        !           510:         # provided the user is prompted during an interactive --load-creds call.
        !           511:         # pin =
        !           512: 
        !           513:     # }
        !           514: 
        !           515: # }
        !           516: 
        !           517: # Section defining named pools.
        !           518: # pools {
        !           519: 
        !           520:     # Section defining a single pool with a unique name.
        !           521:     # <name> {
        !           522: 
        !           523:         # Addresses allocated in pool.
        !           524:         # addrs =
        !           525: 
        !           526:         # Comma separated list of additional attributes of type <attr>.
        !           527:         # <attr> =
        !           528: 
        !           529:     # }
        !           530: 
        !           531: # }
        !           532: 
        !           533: # Section defining attributes of certification authorities.
        !           534: # authorities {
        !           535: 
        !           536:     # Section defining a certification authority with a unique name.
        !           537:     # <name> {
        !           538: 
        !           539:         # CA certificate belonging to the certification authority.
        !           540:         # cacert =
        !           541: 
        !           542:         # Absolute path to the certificate to load.
        !           543:         # file =
        !           544: 
        !           545:         # Hex-encoded CKA_ID of the CA certificate on a token.
        !           546:         # handle =
        !           547: 
        !           548:         # Optional slot number of the token that stores the CA certificate.
        !           549:         # slot =
        !           550: 
        !           551:         # Optional PKCS#11 module name.
        !           552:         # module =
        !           553: 
        !           554:         # Comma-separated list of CRL distribution points.
        !           555:         # crl_uris =
        !           556: 
        !           557:         # Comma-separated list of OCSP URIs.
        !           558:         # ocsp_uris =
        !           559: 
        !           560:         # Defines the base URI for the Hash and URL feature supported by IKEv2.
        !           561:         # cert_uri_base =
        !           562: 
        !           563:     # }
        !           564: 
        !           565: # }
        !           566: 
        !           567: # Include config snippets
        !           568: include conf.d/*.conf
        !           569: 
