1: # Section defining IKE connection configurations.
2: # connections {
3:
4: # Section for an IKE connection named <conn>.
5: # <conn> {
6:
7: # IKE major version to use for connection.
8: # version = 0
9:
10: # Local address(es) to use for IKE communication, comma separated.
11: # local_addrs = %any
12:
13: # Remote address(es) to use for IKE communication, comma separated.
14: # remote_addrs = %any
15:
16: # Local UDP port for IKE communication.
17: # local_port = 500
18:
19: # Remote UDP port for IKE communication.
20: # remote_port = 500
21:
22: # Comma separated proposals to accept for IKE.
23: # proposals = default
24:
25: # Virtual IPs to request in configuration payload / Mode Config.
26: # vips =
27:
28: # Use Aggressive Mode in IKEv1.
29: # aggressive = no
30:
31: # Set the Mode Config mode to use.
32: # pull = yes
33:
34: # Differentiated Services Field Codepoint to set on outgoing IKE packets
35: # (six binary digits).
36: # dscp = 000000
37:
38: # Enforce UDP encapsulation by faking NAT-D payloads.
39: # encap = no
40:
41: # Enables MOBIKE on IKEv2 connections.
42: # mobike = yes
43:
44: # Interval of liveness checks (DPD).
45: # dpd_delay = 0s
46:
47: # Timeout for DPD checks (IKEV1 only).
48: # dpd_timeout = 0s
49:
50: # Use IKE UDP datagram fragmentation (yes, accept, no or force).
51: # fragmentation = yes
52:
53: # Use childless IKE_SA initiation (allow, force or never).
54: # childless = allow
55:
56: # Send certificate requests payloads (yes or no).
57: # send_certreq = yes
58:
59: # Send certificate payloads (always, never or ifasked).
60: # send_cert = ifasked
61:
62: # String identifying the Postquantum Preshared Key (PPK) to be used.
63: # ppk_id =
64:
65: # Whether a Postquantum Preshared Key (PPK) is required for this
66: # connection.
67: # ppk_required = no
68:
69: # Number of retransmission sequences to perform during initial connect.
70: # keyingtries = 1
71:
72: # Connection uniqueness policy (never, no, keep or replace).
73: # unique = no
74:
75: # Time to schedule IKE reauthentication.
76: # reauth_time = 0s
77:
78: # Time to schedule IKE rekeying.
79: # rekey_time = 4h
80:
81: # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
82: # over_time = 10% of rekey_time/reauth_time
83:
84: # Range of random time to subtract from rekey/reauth times.
85: # rand_time = over_time
86:
87: # Comma separated list of named IP pools.
88: # pools =
89:
90: # Default inbound XFRM interface ID for children.
91: # if_id_in = 0
92:
93: # Default outbound XFRM interface ID for children.
94: # if_id_out = 0
95:
96: # Whether this connection is a mediation connection.
97: # mediation = no
98:
99: # The name of the connection to mediate this connection through.
100: # mediated_by =
101:
102: # Identity under which the peer is registered at the mediation server.
103: # mediation_peer =
104:
105: # Section for a local authentication round.
106: # local<suffix> {
107:
108: # Optional numeric identifier by which authentication rounds are
109: # sorted. If not specified rounds are ordered by their position in
110: # the config file/VICI message.
111: # round = 0
112:
113: # Comma separated list of certificate candidates to use for
114: # authentication.
115: # certs =
116:
117: # Section for a certificate candidate to use for authentication.
118: # cert<suffix> =
119:
120: # Comma separated list of raw public key candidates to use for
121: # authentication.
122: # pubkeys =
123:
124: # Authentication to perform locally (pubkey, psk, xauth[-backend] or
125: # eap[-method]).
126: # auth = pubkey
127:
128: # IKE identity to use for authentication round.
129: # id =
130:
131: # Client EAP-Identity to use in EAP-Identity exchange and the EAP
132: # method.
133: # eap_id = id
134:
135: # Server side EAP-Identity to expect in the EAP method.
136: # aaa_id = remote-id
137:
138: # Client XAuth username used in the XAuth exchange.
139: # xauth_id = id
140:
141: # cert<suffix> {
142:
143: # Absolute path to the certificate to load.
144: # file =
145:
146: # Hex-encoded CKA_ID of the certificate on a token.
147: # handle =
148:
149: # Optional slot number of the token that stores the certificate.
150: # slot =
151:
152: # Optional PKCS#11 module name.
153: # module =
154:
155: # }
156:
157: # }
158:
159: # Section for a remote authentication round.
160: # remote<suffix> {
161:
162: # Optional numeric identifier by which authentication rounds are
163: # sorted. If not specified rounds are ordered by their position in
164: # the config file/VICI message.
165: # round = 0
166:
167: # IKE identity to expect for authentication round.
168: # id = %any
169:
170: # Identity to use as peer identity during EAP authentication.
171: # eap_id = id
172:
173: # Authorization group memberships to require.
174: # groups =
175:
176: # Certificate policy OIDs the peer's certificate must have.
177: # cert_policy =
178:
179: # Comma separated list of certificate to accept for authentication.
180: # certs =
181:
182: # Section for a certificate to accept for authentication.
183: # cert<suffix> =
184:
185: # Comma separated list of CA certificates to accept for
186: # authentication.
187: # cacerts =
188:
189: # Section for a CA certificate to accept for authentication.
190: # cacert<suffix> =
191:
192: # Identity in CA certificate to accept for authentication.
193: # ca_id =
194:
195: # Comma separated list of raw public keys to accept for
196: # authentication.
197: # pubkeys =
198:
199: # Certificate revocation policy, (strict, ifuri or relaxed).
200: # revocation = relaxed
201:
202: # Authentication to expect from remote (pubkey, psk, xauth[-backend]
203: # or eap[-method]).
204: # auth = pubkey
205:
206: # cert<suffix> {
207:
208: # Absolute path to the certificate to load.
209: # file =
210:
211: # Hex-encoded CKA_ID of the certificate on a token.
212: # handle =
213:
214: # Optional slot number of the token that stores the certificate.
215: # slot =
216:
217: # Optional PKCS#11 module name.
218: # module =
219:
220: # }
221:
222: # cacert<suffix> {
223:
224: # Absolute path to the certificate to load.
225: # file =
226:
227: # Hex-encoded CKA_ID of the CA certificate on a token.
228: # handle =
229:
230: # Optional slot number of the token that stores the CA
231: # certificate.
232: # slot =
233:
234: # Optional PKCS#11 module name.
235: # module =
236:
237: # }
238:
239: # }
240:
241: # children {
242:
243: # CHILD_SA configuration sub-section.
244: # <child> {
245:
246: # AH proposals to offer for the CHILD_SA.
247: # ah_proposals =
248:
249: # ESP proposals to offer for the CHILD_SA.
250: # esp_proposals = default
251:
252: # Use incorrect 96-bit truncation for HMAC-SHA-256.
253: # sha256_96 = no
254:
255: # Local traffic selectors to include in CHILD_SA.
256: # local_ts = dynamic
257:
258: # Remote selectors to include in CHILD_SA.
259: # remote_ts = dynamic
260:
261: # Time to schedule CHILD_SA rekeying.
262: # rekey_time = 1h
263:
264: # Maximum lifetime before CHILD_SA gets closed, as time.
265: # life_time = rekey_time + 10%
266:
267: # Range of random time to subtract from rekey_time.
268: # rand_time = life_time - rekey_time
269:
270: # Number of bytes processed before initiating CHILD_SA rekeying.
271: # rekey_bytes = 0
272:
273: # Maximum bytes processed before CHILD_SA gets closed.
274: # life_bytes = rekey_bytes + 10%
275:
276: # Range of random bytes to subtract from rekey_bytes.
277: # rand_bytes = life_bytes - rekey_bytes
278:
279: # Number of packets processed before initiating CHILD_SA
280: # rekeying.
281: # rekey_packets = 0
282:
283: # Maximum number of packets processed before CHILD_SA gets
284: # closed.
285: # life_packets = rekey_packets + 10%
286:
287: # Range of random packets to subtract from packets_bytes.
288: # rand_packets = life_packets - rekey_packets
289:
290: # Updown script to invoke on CHILD_SA up and down events.
291: # updown =
292:
293: # Hostaccess variable to pass to updown script.
294: # hostaccess = no
295:
296: # IPsec Mode to establish (tunnel, transport, transport_proxy,
297: # beet, pass or drop).
298: # mode = tunnel
299:
300: # Whether to install IPsec policies or not.
301: # policies = yes
302:
303: # Whether to install outbound FWD IPsec policies or not.
304: # policies_fwd_out = no
305:
306: # Action to perform on DPD timeout (clear, trap or restart).
307: # dpd_action = clear
308:
309: # Enable IPComp compression before encryption.
310: # ipcomp = no
311:
312: # Timeout before closing CHILD_SA after inactivity.
313: # inactivity = 0s
314:
315: # Fixed reqid to use for this CHILD_SA.
316: # reqid = 0
317:
318: # Optional fixed priority for IPsec policies.
319: # priority = 0
320:
321: # Optional interface name to restrict IPsec policies.
322: # interface =
323:
324: # Netfilter mark and mask for input traffic.
325: # mark_in = 0/0x00000000
326:
327: # Whether to set *mark_in* on the inbound SA.
328: # mark_in_sa = no
329:
330: # Netfilter mark and mask for output traffic.
331: # mark_out = 0/0x00000000
332:
333: # Netfilter mark applied to packets after the inbound IPsec SA
334: # processed them.
335: # set_mark_in = 0/0x00000000
336:
337: # Netfilter mark applied to packets after the outbound IPsec SA
338: # processed them.
339: # set_mark_out = 0/0x00000000
340:
341: # Inbound XFRM interface ID.
342: # if_id_in = 0
343:
344: # Outbound XFRM interface ID.
345: # if_id_out = 0
346:
347: # Traffic Flow Confidentiality padding.
348: # tfc_padding = 0
349:
350: # IPsec replay window to configure for this CHILD_SA.
351: # replay_window = 32
352:
353: # Enable hardware offload for this CHILD_SA, if supported by the
354: # IPsec implementation.
355: # hw_offload = no
356:
357: # Whether to copy the DF bit to the outer IPv4 header in tunnel
358: # mode.
359: # copy_df = yes
360:
361: # Whether to copy the ECN header field to/from the outer IP
362: # header in tunnel mode.
363: # copy_ecn = yes
364:
365: # Whether to copy the DSCP header field to/from the outer IP
366: # header in tunnel mode.
367: # copy_dscp = out
368:
369: # Action to perform after loading the configuration (none, trap,
370: # start).
371: # start_action = none
372:
373: # Action to perform after a CHILD_SA gets closed (none, trap,
374: # start).
375: # close_action = none
376:
377: # }
378:
379: # }
380:
381: # }
382:
383: # }
384:
385: # Section defining secrets for IKE/EAP/XAuth authentication and private key
386: # decryption.
387: # secrets {
388:
389: # EAP secret section for a specific secret.
390: # eap<suffix> {
391:
392: # Value of the EAP/XAuth secret.
393: # secret =
394:
395: # Identity the EAP/XAuth secret belongs to.
396: # id<suffix> =
397:
398: # }
399:
400: # XAuth secret section for a specific secret.
401: # xauth<suffix> {
402:
403: # }
404:
405: # NTLM secret section for a specific secret.
406: # ntlm<suffix> {
407:
408: # Value of the NTLM secret.
409: # secret =
410:
411: # Identity the NTLM secret belongs to.
412: # id<suffix> =
413:
414: # }
415:
416: # IKE preshared secret section for a specific secret.
417: # ike<suffix> {
418:
419: # Value of the IKE preshared secret.
420: # secret =
421:
422: # IKE identity the IKE preshared secret belongs to.
423: # id<suffix> =
424:
425: # }
426:
427: # Postquantum Preshared Key (PPK) section for a specific secret.
428: # ppk<suffix> {
429:
430: # Value of the PPK.
431: # secret =
432:
433: # PPK identity the PPK belongs to.
434: # id<suffix> =
435:
436: # }
437:
438: # Private key decryption passphrase for a key in the private folder.
439: # private<suffix> {
440:
441: # File name in the private folder for which this passphrase should be
442: # used.
443: # file =
444:
445: # Value of decryption passphrase for private key.
446: # secret =
447:
448: # }
449:
450: # Private key decryption passphrase for a key in the rsa folder.
451: # rsa<suffix> {
452:
453: # File name in the rsa folder for which this passphrase should be used.
454: # file =
455:
456: # Value of decryption passphrase for RSA key.
457: # secret =
458:
459: # }
460:
461: # Private key decryption passphrase for a key in the ecdsa folder.
462: # ecdsa<suffix> {
463:
464: # File name in the ecdsa folder for which this passphrase should be
465: # used.
466: # file =
467:
468: # Value of decryption passphrase for ECDSA key.
469: # secret =
470:
471: # }
472:
473: # Private key decryption passphrase for a key in the pkcs8 folder.
474: # pkcs8<suffix> {
475:
476: # File name in the pkcs8 folder for which this passphrase should be
477: # used.
478: # file =
479:
480: # Value of decryption passphrase for PKCS#8 key.
481: # secret =
482:
483: # }
484:
485: # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
486: # pkcs12<suffix> {
487:
488: # File name in the pkcs12 folder for which this passphrase should be
489: # used.
490: # file =
491:
492: # Value of decryption passphrase for PKCS#12 container.
493: # secret =
494:
495: # }
496:
497: # Definition for a private key that's stored on a token/smartcard.
498: # token<suffix> {
499:
500: # Hex-encoded CKA_ID of the private key on the token.
501: # handle =
502:
503: # Optional slot number to access the token.
504: # slot =
505:
506: # Optional PKCS#11 module name to access the token.
507: # module =
508:
509: # Optional PIN required to access the key on the token. If none is
510: # provided the user is prompted during an interactive --load-creds call.
511: # pin =
512:
513: # }
514:
515: # }
516:
517: # Section defining named pools.
518: # pools {
519:
520: # Section defining a single pool with a unique name.
521: # <name> {
522:
523: # Addresses allocated in pool.
524: # addrs =
525:
526: # Comma separated list of additional attributes from type <attr>.
527: # <attr> =
528:
529: # }
530:
531: # }
532:
533: # Section defining attributes of certification authorities.
534: # authorities {
535:
536: # Section defining a certification authority with a unique name.
537: # <name> {
538:
539: # CA certificate belonging to the certification authority.
540: # cacert =
541:
542: # Absolute path to the certificate to load.
543: # file =
544:
545: # Hex-encoded CKA_ID of the CA certificate on a token.
546: # handle =
547:
548: # Optional slot number of the token that stores the CA certificate.
549: # slot =
550:
551: # Optional PKCS#11 module name.
552: # module =
553:
554: # Comma-separated list of CRL distribution points.
555: # crl_uris =
556:
557: # Comma-separated list of OCSP URIs.
558: # ocsp_uris =
559:
560: # Defines the base URI for the Hash and URL feature supported by IKEv2.
561: # cert_uri_base =
562:
563: # }
564:
565: # }
566:
567: # Include config snippets
568: include conf.d/*.conf
569:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to swanctl.conf CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / swanctl