Provided by: strongswan-starter_4.5.2-1.1ubuntu1_i386 bug

NAME

       ipsec.conf - IPsec configuration and connections

DESCRIPTION

       The  optional  ipsec.conf file specifies most configuration and control
       information for the strongSwan IPsec subsystem.  The major exception is
       secrets for authentication; see ipsec.secrets(5).  Its contents are not
       security-sensitive.

       The file is a text file, consisting of one  or  more  sections.   White
       space  followed  by  # followed by anything to the end of the line is a
       comment and is ignored, as are empty  lines  which  are  not  within  a
       section.

       A  line  which  contains  include  and  a file name, separated by white
       space, is replaced by the contents of that file, preceded and  followed
       by  empty  lines.   If  the  file  name  is  not a full pathname, it is
       considered to be relative to the  directory  containing  the  including
       file.   Such  inclusions  can be nested.  Only a single filename may be
       supplied, and it may not contain white space, but it may include  shell
       wildcards (see sh(1)); for example:

       include ipsec.*.conf

       The  intention  of  the  include  facility  is mostly to permit keeping
       information on connections, or sets of connections, separate  from  the
       main  configuration file.  This permits such connection descriptions to
       be changed, copied to  the  other  security  gateways  involved,  etc.,
       without  having  to constantly extract them from the configuration file
       and then insert them back  into  it.   Note  also  the  also  parameter
       (described  below)  which  permits  splitting  a single logical section
       (e.g. a connection description) into several actual sections.

       A section begins with a line of the form:

       type name

       where type indicates what type of  section  follows,  and  name  is  an
       arbitrary  name which distinguishes the section from others of the same
       type.  Names must start with a letter and  may  contain  only  letters,
       digits,  periods,  underscores,  and hyphens.  All subsequent non-empty
       lines which begin with white space are part of  the  section;  comments
       within  a  section  must begin with white space too.  There may be only
       one section of a given type with a given name.

       Lines within the section are generally of the form

            parameter=value

       (note the mandatory preceding white space).  There can be  white  space
       on  either  side  of  the =.  Parameter names follow the same syntax as
       section names, and are specific to a section  type.   Unless  otherwise
       explicitly  specified, no parameter name may appear more than once in a
       section.

       An empty value stands for the system default  value  (if  any)  of  the
       parameter, i.e. it is roughly equivalent to omitting the parameter line
       entirely.  A value may contain white space only if the entire value  is
       enclosed  in  double quotes ("); a value cannot itself contain a double
       quote, nor may it be continued across more than one line.

       Numeric values are specified to be either an ``integer'' (a sequence of
       digits) or a ``decimal number'' (sequence of digits optionally followed
       by `.' and another sequence of digits).

       There is currently one parameter which is  available  in  any  type  of
       section:

       also   the  value is a section name; the parameters of that section are
              appended to this section, as if they had been written as part of
              it.   The  specified section must exist, must follow the current
              one,  and  must  have  the  same  section  type.   (Nesting   is
              permitted,  and  there  may  be  more  than one also in a single
              section, although it is forbidden to  append  the  same  section
              more than once.)

       A  section  with  name  %default specifies defaults for sections of the
       same type.  For each parameter in it, any section of  that  type  which
       does  not have a parameter of the same name gets a copy of the one from
       the %default section.  There may be multiple  %default  sections  of  a
       given  type,  but  only  one  default  may be supplied for any specific
       parameter name, and all %default sections of a given type must  precede
       all  non-%default  sections  of  that  type.  %default sections may not
       contain the also parameter.

       Currently there are three types of sections: a config section specifies
       general  configuration  information for IPsec, a conn section specifies
       an IPsec connection, while a ca section specifies special properties of
       a certification authority.

CONN SECTIONS

       A  conn section contains a connection specification, defining a network
       connection to be made using IPsec.  The name given is arbitrary, and is
       used to identify the connection.  Here's a simple example:

       conn snt
           left=192.168.0.1
           leftsubnet=10.1.0.0/16
           right=192.168.0.2
           rightsubnet=10.1.0.0/16
           keyingtries=%forever
           auto=add

       A  note on terminology: There are two kinds of communications going on:
       transmission of user IP packets,  and  gateway-to-gateway  negotiations
       for  keying,  rekeying,  and  general control.  The path to control the
       connection is called 'ISAKMP SA' in IKEv1 and 'IKE  SA'  in  the  IKEv2
       protocol. That what is being negotiated, the kernel level data path, is
       called 'IPsec  SA'  or  'Child  SA'.   strongSwan  currently  uses  two
       separate keying daemons. pluto handles all IKEv1 connections, charon is
       the daemon handling the IKEv2 protocol.

       To avoid trivial editing of the configuration file to suit it  to  each
       system  involved in a connection, connection specifications are written
       in terms of left and right participants, rather than in terms of  local
       and   remote.   Which  participant  is  considered  left  or  right  is
       arbitrary; for every connection  description  an  attempt  is  made  to
       figure  out  whether the local endpoint should act as the left or right
       endpoint. This is done by matching the IP addresses  defined  for  both
       endpoints  with  the IP addresses assigned to local network interfaces.
       If a match is found then the role (left or right) that matches is going
       to  be  considered local.  If no match is found during startup, left is
       considered   local.    This   permits   using   identical    connection
       specifications  on  both  ends.   There  are  cases  where  there is no
       symmetry; a good convention is to use left for the local side and right
       for the remote side (the first letters are a good mnemonic).

       Many of the parameters relate to one participant or the other; only the
       ones for left are listed here, but every parameter  whose  name  begins
       with  left  has  a right counterpart, whose description is the same but
       with left and right reversed.

       Parameters are optional unless marked '(required)'.

   CONN PARAMETERS
       Unless otherwise noted, for a connection to  work,  in  general  it  is
       necessary  for  the  two  ends  to agree exactly on the values of these
       parameters.

       aaa_identity = <id>
              defines the identity of the AAA backend used  during  IKEv2  EAP
              authentication.   This  is  required  if  the  EAP client uses a
              method that verifies the server identity (such as EAP-TLS),  but
              it does not match the IKEv2 gateway identity.

       also = <name>
              includes conn section <name>.

       auth = esp | ah
              whether authentication should be done as part of ESP encryption,
              or separately using the AH protocol; acceptable values  are  esp
              (the default) and ah.
              The IKEv2 daemon currently supports ESP only.

       authby = pubkey | rsasig | ecdsasig | psk | eap | never | xauth...
              how  the  two  security gateways should authenticate each other;
              acceptable values are psk  or  secret  for  pre-shared  secrets,
              pubkey  (the  default)  for public key signatures as well as the
              synonyms rsasig for RSA  digital  signatures  and  ecdsasig  for
              Elliptic Curve DSA signatures.  never can be used if negotiation
              is never to be attempted  or  accepted  (useful  for  shunt-only
              conns).   Digital signatures are superior in every way to shared
              secrets.  IKEv1 additionally supports the  values  xauthpsk  and
              xauthrsasig  that will enable eXtended AUTHentication (XAUTH) in
              addition to IKEv1 main mode based on shared secrets  or  digital
              RSA  signatures,  respectively.  IKEv2 additionally supports the
              value  eap,  which  indicates  an  initiator  to   request   EAP
              authentication.  The EAP method to use is selected by the server
              (see eap).  This parameter is deprecated for IKEv2  connections,
              as  two  peers do not need to agree on an authentication method.
              Use the leftauth  parameter  instead  to  define  authentication
              methods in IKEv2.

       auto = ignore | add | route | start
              what  operation,  if  any, should be done automatically at IPsec
              startup; currently-accepted values are  add,  route,  start  and
              ignore  (the  default).  add loads a connection without starting
              it.  route loads a connection  and  installs  kernel  traps.  If
              traffic  is  detected  between  leftsubnet  and  rightsubnet , a
              connection is established.  start loads a connection and  brings
              it  up immediatly.  ignore ignores the connection. This is equal
              to delete a connection from  the  config  file.   Relevant  only
              locally,  other end need not agree on it (but in general, for an
              intended-to-be-permanent  connection,  both  ends   should   use
              auto=start   to   ensure   that   any  reboot  causes  immediate
              renegotiation).

       compress = yes | no
              whether  IPComp  compression  of  content  is  proposed  on  the
              connection  (link-level  compression  does not work on encrypted
              data, so to  be  effective,  compression  must  be  done  before
              encryption);  acceptable  values are yes and no (the default). A
              value of  yes  causes  IPsec  to  propose  both  compressed  and
              uncompressed,  and  prefer  compressed.   A value of no prevents
              IPsec from proposing compression; a proposal  to  compress  will
              still be accepted.

       dpdaction = none | clear | hold | restart
              controls  the  use of the Dead Peer Detection protocol (DPD, RFC
              3706) where R_U_THERE notification  messages  (IKEv1)  or  empty
              INFORMATIONAL messages (IKEv2) are periodically sent in order to
              check the liveliness of the IPsec peer. The values clear,  hold,
              and  restart  all  activate DPD. If no activity is detected, all
              connections with a dead peer are stopped and  unrouted  (clear),
              put in the hold state (hold) or restarted (restart).  For IKEv1,
              the default  is  none  which  disables  the  active  sending  of
              R_U_THERE  notifications.   Nevertheless  pluto will always send
              the DPD Vendor ID during connection set up in  order  to  signal
              the  readiness to act passively as a responder if the peer wants
              to use DPD.  For  IKEv2,  none  does't  make  sense,  since  all
              messages are used to detect dead peers. If specified, it has the
              same meaning as the default (clear).

       dpddelay = 30s | <time>
              defines  the  period  time   interval   with   which   R_U_THERE
              messages/INFORMATIONAL exchanges are sent to the peer. These are
              only sent if no other traffic is received. In IKEv2, a value  of
              0  sends  no  additional  INFORMATIONAL  messages  and uses only
              standard messages (such as those to rekey) to detect dead peers.

       dpdtimeout = 150s | <time>
              defines the timeout interval, after which all connections  to  a
              peer  are  deleted  in  case of inactivity. This only applies to
              IKEv1, in IKEv2 the default retransmission timeout  applies,  as
              every   exchange   is   used   to   detect   dead   peers.   See
              strongswan.conf(5) for a description of the IKEv2 retransmission
              timeout.

       inactivity = <time>
              defines  the  timeout interval, after which a CHILD_SA is closed
              if it did not send or receive any traffic.  Currently  supported
              in IKEv2 connections only.

       eap = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
              defines the EAP type to propose as server if the client requests
              EAP authentication. Currently supported values are aka for  EAP-
              AKA,  gtc  for  EAP-GTC,  md5  for EAP-MD5, mschapv2 for EAP-MS-
              CHAPv2, radius for the EAP-RADIUS proxy  and  sim  for  EAP-SIM.
              Additionally,  IANA assigned EAP method numbers are accepted, or
              a definition in the form eap=type-vendor (e.g. eap=7-12345)  can
              be used to specify vendor specific EAP types.  This parameter is
              deprecated in the favour of leftauth.

              To forward EAP authentication to a RADIUS server using the  EAP-
              RADIUS plugin, set eap=radius.

       eap_identity = <id>
              defines  the identity the client uses to reply to a EAP Identity
              request.  If defined on the EAP  server,  the  defined  identity
              will  be  used  as  peer identity during EAP authentication. The
              special value %identity uses the EAP Identity method to ask  the
              client  for  an EAP identity. If not defined, the IKEv2 identity
              will be used as EAP identity.

       esp = <cipher suites>
              comma-separated list of ESP encryption/authentication algorithms
              to  be  used  for  the  connection,  e.g.   aes128-sha256.   The
              notation is encryption-integrity[-dhgroup][-esnmodes].
              If dh-group is specified, CHILD_SA setup and rekeying include  a
              separate  diffe  hellman  exchange  (IKEv2 only). Valid esnmodes
              (IKEv2 only) are esn  and  noesn.   Specifying  both  negotiates
              Extended  Sequence  number  support with the peer, the defaut is
              noesn.

       forceencaps = yes | no
              force UDP encapsulation for ESP packets even if no NAT situation
              is  detected.   This may help to surmount restrictive firewalls.
              In order to force the peer to encapsulate packets, NAT detection
              payloads are faked (IKEv2 only).

       ike = <cipher suites>
              comma-separated  list of IKE/ISAKMP SA encryption/authentication
              algorithms to be used, e.g.  aes128-sha1-modp2048.  The notation
              is  encryption-integrity-dhgroup.  In IKEv2, multiple algorithms
              and     proposals     may     be     included,      such      as
              aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.

       ikelifetime = 3h | <time>
              how  long  the keying channel of a connection (ISAKMP or IKE SA)
              should last before being  renegotiated.  Also  see  EXPIRY/REKEY
              below.

       installpolicy = yes | no
              decides  whether  IPsec  policies are installed in the kernel by
              the IKEv2 charon daemon for a given connection. Allows  peaceful
              cooperation  e.g. with the Mobile IPv6 daemon mip6d who wants to
              control the kernel policies.  Acceptable  values  are  yes  (the
              default) and no.

       keyexchange = ike | ikev1 | ikev2
              method  of  key  exchange;  which  protocol  should  be  used to
              initialize the connection. Connections  marked  with  ikev1  are
              initiated  with  pluto,  those marked with ikev2 with charon. An
              incoming request from the remote peer is handled by the  correct
              daemon,  unaffected  from the keyexchange setting. Starting with
              strongSwan 4.5 the default value ike is  a  synonym  for  ikev2,
              whereas in older strongSwan releases ikev1 was assumed.

       keyingtries = %forever | <number>
              how many attempts (a whole number or %forever) should be made to
              negotiate a connection, or a replacement for one, before  giving
              up  (default  %forever).   The  value %forever means 'never give
              up'.  Relevant only locally, other end need not agree on it.

       keylife
              synonym for lifetime.

       left = <ip address> | <fqdn> | %defaultroute | %any
              (required) the IP address  of  the  left  participant's  public-
              network  interface  or  one  of  several magic values.  If it is
              %defaultroute, left will be filled  in  automatically  with  the
              local  address  of the default-route interface (as determined at
              IPsec startup time and  during  configuration  update).   Either
              left  or right may be %defaultroute, but not both.  The prefix %
              in front of a fully-qualified domain name or an IP address  will
              implicitly  set  leftallowany=yes.  If the domain name cannot be
              resolved into an IP address at IPsec startup or update time then
              left=%any and leftallowany=no will be assumed.

              In  case  of  an  IKEv2 connection, the value %any for the local
              endpoint signifies an address to  be  filled  in  (by  automatic
              keying)  during  negotiation.  If  the  local peer initiates the
              connection setup the routing table will be queried to  determine
              the  correct  local  IP  address.   In  case  the  local peer is
              responding to a connection setup then any  IP  address  that  is
              assigned to a local interface will be accepted.
              Note  that  specifying  %any  for  the  local  endpoint  is  not
              supported by the IKEv1 pluto daemon.

              If %any is used for the remote endpoint it literally  means  any
              IP address.

              Please note that with the usage of wildcards multiple connection
              descriptions might match a given  incoming  connection  attempt.
              The most specific description is used in that case.

       leftallowany = yes | no
              a  modifier  for  left  ,  making  it  behave as %any although a
              concrete IP address has been assigned.  Recommended for  dynamic
              IP  addresses that can be resolved by DynDNS at IPsec startup or
              update time.  Acceptable values are yes and no (the default).

       leftauth = <auth method>
              Authentication method to use locally (left) or require from  the
              remote (right) side.  This parameter is supported in IKEv2 only.
              Acceptable values  are  pubkey  for  public  key  authentication
              (RSA/ECDSA),  psk  for  pre-shared key authentication and eap to
              (require the) use of the Extensible Authentication Protocol.  To
              require  a  trustchain  public key strength for the remote side,
              specify the key type followed  by  the  strength  in  bits  (for
              example rsa-2048 or ecdsa-256).  For eap, an optional EAP method
              can be appended. Currently defined methods are eap-aka, eap-gtc,
              eap-md5, eap-tls, eap-mschapv2 and eap-sim.  Alternatively, IANA
              assigned EAP method numbers are accepted.  Vendor  specific  EAP
              methods   are   defined   in   the  form  eap-type-vendor  (e.g.
              eap-7-12345).

       leftauth2 = <auth method>
              Same as  leftauth,  but  defines  an  additional  authentication
              exchange.  IKEv2  supports  multiple authentication rounds using
              "Multiple Authentication Exchanges"  defined  in  RFC4739.  This
              allows,  for  example, separated authentication of host and user
              (IKEv2 only).

       leftca = <issuer dn> | %same
              the distinguished name  of  a  certificate  authority  which  is
              required   to  lie  in  the  trust  path  going  from  the  left
              participant's  certificate  up   to   the   root   certification
              authority.

       leftca2 = <issuer dn> | %same
              Same  as  leftca, but for the second authentication round (IKEv2
              only).

       leftcert = <path>
              the path to the left participant's X.509 certificate.  The  file
              can be encoded either in PEM or DER format. OpenPGP certificates
              are supported as well.  Both absolute paths or paths relative to
              /etc/ipsec.d/certs are accepted. By default leftcert sets leftid
              to the distinguished  name  of  the  certificate's  subject  and
              leftca  to  the  distinguished name of the certificate's issuer.
              The left participant's ID can  be  overridden  by  specifying  a
              leftid value which must be certified by the certificate, though.

       leftcert2 = <path>
              Same as leftcert, but for the second authentication round (IKEv2
              only).

       leftcertpolicy = <OIDs>
              Comma separated  list  of  certificate  policy  OIDs  the  peers
              certificate  must  have.  OIDs are specified using the numerical
              dotted representation (IKEv2 only).

       leftfirewall = yes | no
              whether the left  participant  is  doing  forwarding-firewalling
              (including   masquerading)   using  iptables  for  traffic  from
              leftsubnet, which should be turned off (for traffic to the other
              subnet)  once  the  connection is established; acceptable values
              are yes and no (the default).  May  not  be  used  in  the  same
              connection   description  with  leftupdown.   Implemented  as  a
              parameter to the default ipsec _updown script.  See notes below.
              Relevant only locally, other end need not agree on it.

              If   one   or   both  security  gateways  are  doing  forwarding
              firewalling  (possibly  including  masquerading),  and  this  is
              specified  using  the  firewall  parameters, tunnels established
              with IPsec are  exempted  from  it  so  that  packets  can  flow
              unchanged  through  the  tunnels.   (This means that all subnets
              connected in this manner  must  have  distinct,  non-overlapping
              subnet  address  blocks.)   This  is  done  by the default ipsec
              _updown script (see pluto(8)).

              In situations calling for more control, it may be preferable for
              the  user  to  supply  his  own  updown  script, which makes the
              appropriate adjustments for his system.

       leftgroups = <group list>
              a comma  separated  list  of  group  names.  If  the  leftgroups
              parameter  is present then the peer must be a member of at least
              one of the groups defined by  the  parameter.  Group  membership
              must  be  certified  by  a valid attribute certificate stored in
              /etc/ipsec.d/acerts/ thas has been  issued  to  the  peer  by  a
              trusted Authorization Authority stored in /etc/ipsec.d/aacerts/.
              Attribute certificates are not supported in IKEv2 yet.

       lefthostaccess = yes | no
              inserts  a  pair  of  INPUT  and OUTPUT iptables rules using the
              default ipsec _updown script, thus allowing access to  the  host
              itself  in  the case where the host's internal interface is part
              of the negotiated client subnet.  Acceptable values are yes  and
              no (the default).

       leftid = <id>
              how    the   left   participant   should   be   identified   for
              authentication; defaults to left.  Can be an  IP  address  or  a
              fully-qualified  domain  name  preceded by @ (which is used as a
              literal string and not resolved).

       leftid2 = <id>
              identity to  use  for  a  second  authentication  for  the  left
              participant (IKEv2 only); defaults to leftid.

       leftikeport = <port>
              UDP  port  the  left  participant  uses  for  IKE communication.
              Currently supported in IKEv2 connections only.  If  unspecified,
              port  500  is  used  with  the port floating to 4500 if a NAT is
              detected or MOBIKE is  enabled.  Specifying  a  local  IKE  port
              different  from  the  default  additionally  requires  a  socket
              implementation that listens to this port.

       leftnexthop = %direct | %defaultroute | <ip address> | <fqdn>
              this parameter is usually not needed any more because the NETKEY
              IPsec  stack  does  not require explicit routing entries for the
              traffic to be tunneled. If leftsourceip is used with IKEv1  then
              leftnexthop  must still be set in order for the source routes to
              work properly.

       leftprotoport = <protocol>/<port>
              restrict the traffic selector to a single protocol and/or  port.
              Examples:   leftprotoport=tcp/http   or   leftprotoport=6/80  or
              leftprotoport=udp

       leftrsasigkey = %cert | <raw rsa public key>
              the  left   participant's   public   key   for   RSA   signature
              authentication,  in  RFC  2537 format using ttodata(3) encoding.
              The magic value %none means the same as not specifying  a  value
              (useful  to  override a default).  The value %cert (the default)
              means that  the  key  is  extracted  from  a  certificate.   The
              identity  used for the left participant must be a specific host,
              not %any or another magic value.   Caution:  if  two  connection
              descriptions  specify different public keys for the same leftid,
              confusion and madness will ensue.

       leftsendcert = never | no | ifasked | always | yes
              Accepted values are never or no, always or yes, and ifasked (the
              default),   the  latter  meaning  that  the  peer  must  send  a
              certificate request payload in order to  get  a  certificate  in
              return.

       leftsourceip = %config | %cfg | %modeconfig | %modecfg | <ip address>
              The internal source IP to use in a tunnel, also known as virtual
              IP.  If  the  value  is  one  of  the  synonyms  %config,  %cfg,
              %modeconfig, or %modecfg, an address is requested from the peer.
              In IKEv2, a statically defined address is also requested,  since
              the server may change it.

       rightsourceip = %config | <network>/<netmask> | %poolname
              The  internal  source IP to use in a tunnel for the remote peer.
              If the value is %config on the  responder  side,  the  initiator
              must  propose  an  address  which  is  then  echoed  back.  Also
              supported are address pools expressed as network/netmask or  the
              use  of  an  external  IP  address  pool  using %poolname, where
              poolname is the name of the IP address pool used for the lookup.

       leftsubnet = <ip subnet>
              private  subnet  behind  the  left  participant,  expressed   as
              network/netmask;  if omitted, essentially assumed to be left/32,
              signifying that the left end of the connection goes to the  left
              participant only. When using IKEv2, the configured subnet of the
              peers may differ, the protocol narrows it to the greatest common
              subnet.  Further,  IKEv2  supports multiple subnets separated by
              commas. IKEv1  only  interprets  the  first  subnet  of  such  a
              definition.

       leftsubnetwithin = <ip subnet>
              the  peer  can propose any subnet or single IP address that fits
              within the range defined by leftsubnetwithin.  Not relevant  for
              IKEv2, as subnets are narrowed.

       leftupdown = <path>
              what   ``updown''   script  to  run  to  adjust  routing  and/or
              firewalling when the status of the connection  changes  (default
              ipsec  _updown).  May include positional parameters separated by
              white space (although this requires enclosing the  whole  string
              in  quotes);  including  shell  metacharacters  is  unwise.  See
              pluto(8) for details.  Relevant only locally, other end need not
              agree  on  it.  IKEv2  uses the updown script to insert firewall
              rules only, since routing has  been  implemented  directly  into
              charon.

       lifebytes = <number>
              the  number  of  bytes  transmitted  over  an IPsec SA before it
              expires (IKEv2 only).

       lifepackets = <number>
              the number of packets transmitted over an  IPsec  SA  before  it
              expires (IKEv2 only).

       lifetime = 1h | <time>
              how  long  a  particular  instance  of  a  connection  (a set of
              encryption/authentication keys for user  packets)  should  last,
              from  successful negotiation to expiry; acceptable values are an
              integer optionally followed by  s  (a  time  in  seconds)  or  a
              decimal number followed by m, h, or d (a time in minutes, hours,
              or days respectively) (default 1h, maximum 24h).  Normally,  the
              connection  is  renegotiated  (via the keying channel) before it
              expires (see margintime).  The two ends need not  exactly  agree
              on lifetime, although if they do not, there will be some clutter
              of superseded connections on the end which thinks  the  lifetime
              is longer. Also see EXPIRY/REKEY below.

       marginbytes = <number>
              how  many  bytes  before  IPsec SA expiry (see lifebytes) should
              attempts to negotiate a replacement begin (IKEv2 only).

       marginpackets = <number>
              how many packets before IPsec SA expiry (see lifepackets) should
              attempts to negotiate a replacement begin (IKEv2 only).

       margintime = 9m | <time>
              how  long  before  connection  expiry  or  keying-channel expiry
              should attempts to negotiate  a  replacement  begin;  acceptable
              values  as  for  lifetime  (default 9m).  Relevant only locally,
              other end need not agree on it. Also see EXPIRY/REKEY below.

       mark = <value>[/<mask>]
              sets an XFRM mark in the inbound  and  outbound  IPsec  SAs  and
              policies.  If  the  mask  is  missing  then  a  default  mask of
              0xffffffff is assumed.

       mark_in = <value>[/<mask>]
              sets an XFRM mark in the inbound IPsec SA  and  policy.  If  the
              mask is missing then a default mask of 0xffffffff is assumed.

       mark_out = <value>[/<mask>]
              sets  an  XFRM  mark in the outbound IPsec SA and policy. If the
              mask is missing then a default mask of 0xffffffff is assumed.

       mobike = yes | no
              enables the IKEv2 MOBIKE protocol defined by RFC 4555.  Accepted
              values  are  yes  (the default) and no.  If set to no, the IKEv2
              charon daemon will not actively propose MOBIKE as initiator  and
              ignore the MOBIKE_SUPPORTED notify as responder.

       modeconfig = push | pull
              defines  which  mode  is  used to assign a virtual IP.  Accepted
              values are push and pull (the default).  Currently relevant  for
              IKEv1  only since IKEv2 always uses the configuration payload in
              pull mode. Cisco VPN gateways usually operate in push mode.

       pfs = yes | no
              whether Perfect Forward  Secrecy  of  keys  is  desired  on  the
              connection's  keying  channel (with PFS, penetration of the key-
              exchange protocol does not compromise keys negotiated  earlier);
              acceptable  values  are  yes (the default) and no.  IKEv2 always
              uses PFS for IKE_SA rekeying whereas for CHILD_SA  rekeying  PFS
              is  enforced  by defining a Diffie-Hellman modp group in the esp
              parameter.

       pfsgroup = <modp group>
              defines a Diffie-Hellman group for perfect  forward  secrecy  in
              IKEv1 Quick Mode differing from the DH group used for IKEv1 Main
              Mode (IKEv1 only).

       reauth = yes | no
              whether rekeying of an IKE_SA  should  also  reauthenticate  the
              peer.  In  IKEv1,  reauthentication  is always done. In IKEv2, a
              value of no rekeys without uninstalling the IPsec SAs,  a  value
              of yes (the default) creates a new IKE_SA from scratch and tries
              to recreate all IPsec SAs.

       rekey = yes | no
              whether a connection should be renegotiated when it is about  to
              expire; acceptable values are yes (the default) and no.  The two
              ends  need  not  agree,  but  while  a  value  of  no   prevents
              pluto/charon  from requesting renegotiation, it does not prevent
              responding to renegotiation requested from the other end, so  no
              will be largely ineffective unless both ends agree on it.

       rekeyfuzz = 100% | <percentage>
              maximum  percentage  by  which  marginbytes,  marginpackets  and
              margintime should be randomly increased  to  randomize  rekeying
              intervals   (important   for   hosts   with  many  connections);
              acceptable values are an integer, which may exceed 100, followed
              by  a  `%'  (defaults  to 100%).  The value of marginTYPE, after
              this random increase, must not exceed lifeTYPE  (where  TYPE  is
              one  of  bytes,  packets  or  time).  The value 0% will suppress
              randomization.  Relevant only locally, other end need not  agree
              on it. Also see EXPIRY/REKEY below.

       rekeymargin
              synonym for margintime.

       reqid = <number>
              sets  the reqid for a given connection to a pre-configured fixed
              value.

       tfc = <value>
              number of bytes  to  pad  ESP  payload  data  to.  Traffic  Flow
              Confidentiality  is  currently supported in IKEv2 and applies to
              outgoing packets only. The  special  value  %mtu  fills  up  ESP
              packets with padding to have the size of the MTU.

       type = tunnel | transport | transport_proxy | passthrough | drop
              the  type  of  the connection; currently the accepted values are
              tunnel (the default) signifying a host-to-host,  host-to-subnet,
              or  subnet-to-subnet  tunnel; transport, signifying host-to-host
              transport mode; transport_proxy, signifying the  special  Mobile
              IPv6 transport proxy mode; passthrough, signifying that no IPsec
              processing should be done at all; drop, signifying that  packets
              should  be discarded; and reject, signifying that packets should
              be discarded and a diagnostic ICMP returned (reject is currently
              not supported by the NETKEY stack of the Linux 2.6 kernel).  The
              IKEv2 daemon charon currently supports  tunnel,  transport,  and
              transport_proxy connection types, only.

       xauth = client | server
              specifies  the  role  in  the  XAUTH  protocol  if  activated by
              authby=xauthpsk  or  authby=xauthrsasig.   Accepted  values  are
              server and client (the default).

   CONN PARAMETERS: IKEv2 MEDIATION EXTENSION
       The  following  parameters  are  relevant  to IKEv2 Mediation Extension
       operation only.

       mediation = yes | no
              whether this connection is a mediation connection,  ie.  whether
              this connection is used to mediate other connections.  Mediation
              connections create no child SA. Acceptable values  are  no  (the
              default) and yes.

       mediated_by = <name>
              the  name  of the connection to mediate this connection through.
              If given, the connection will  be  mediated  through  the  named
              mediation   connection.    The  mediation  connection  must  set
              mediation=yes.

       me_peerid = <id>
              ID as which the peer is known to the mediation server, ie. which
              the  other  end  of  this  connection  uses as its leftid on its
              connection to the mediation server.  This is the ID  we  request
              the  mediation  server  to mediate us with.  If me_peerid is not
              given, the rightid of this connection will be used as peer ID.

CA SECTIONS

       These are  optional  sections  that  can  be  used  to  assign  special
       parameters  to  a  Certification  Authority  (CA).  Because the daemons
       automatically import CA certificates from  /etc/ipsec.d/cacerts,  there
       is no need to explicitly add them with a CA section, unless you want to
       assign special parameters (like a CRL) to a CA.

       also = <name>
              includes ca section <name>.

       auto = ignore | add
              currently can have either the value ignore (the default) or add.

       cacert = <path>
              defines  a  path  to  the  CA  certificate  either  relative  to
              /etc/ipsec.d/cacerts or as an absolute path.

       crluri = <uri>
              defines a CRL distribution point (ldap, http, or file URI)

       crluri1
              synonym for crluri.

       crluri2 = <uri>
              defines  an  alternative  CRL distribution point (ldap, http, or
              file URI)

       ldaphost = <hostname>
              defines an ldap host. Currently used by IKEv1 only.

       ocspuri = <uri>
              defines an OCSP URI.

       ocspuri1
              synonym for ocspuri.

       ocspuri2 = <uri>
              defines an alternative OCSP URI. Currently used by IKEv2 only.

       certuribase = <uri>
              defines the base URI for the Hash and URL feature  supported  by
              IKEv2.   Instead  of  exchanging  complete  certificates,  IKEv2
              allows  to  send  an  URI  that  resolves  to  the  DER  encoded
              certificate.  The  certificate  URIs  are built by appending the
              SHA1 hash of the DER encoded certificates to this base URI.

CONFIG SECTIONS

       At present, the only config section known to the IPsec software is  the
       one  named  setup, which contains information used when the software is
       being started.  Here's an example:

       config setup
           plutodebug=all
           crlcheckinterval=10m
           strictcrlpolicy=yes

       Parameters are optional unless marked ``(required)''.   The  currently-
       accepted  parameter  names  in  a  config  setup section affecting both
       daemons are:

       cachecrls = yes | no
              certificate revocation lists (CRLs) fetched  via  http  or  ldap
              will  be  cached  in /etc/ipsec.d/crls/ under a unique file name
              derived from the certification authority's public key.  Accepted
              values are yes and no (the default). Only relevant for IKEv1, as
              CRLs are always cached in IKEv2.

       charonstart = yes | no
              whether to start the IKEv2 charon daemon or not.  The default is
              yes if starter was compiled with IKEv2 support.

       plutostart = yes | no
              whether  to start the IKEv1 pluto daemon or not.  The default is
              yes if starter was compiled with IKEv1 support.

       strictcrlpolicy = yes | ifuri | no
              defines if a fresh CRL must be available in order for  the  peer
              authentication  based  on  RSA  signatures  to  succeed.   IKEv2
              additionally recognizes ifuri which reverts to yes if  at  least
              one CRL URI is defined and to no if no URI is known.

       uniqueids = yes | no | replace | keep
              whether  a particular participant ID should be kept unique, with
              any new (automatically keyed) connection  using  an  ID  from  a
              different  IP  address deemed to replace all old ones using that
              ID; acceptable values are yes (the default) and no.  Participant
              IDs   normally   are  unique,  so  a  new  (automatically-keyed)
              connection using the same ID is almost  invariably  intended  to
              replace  an  old  one.   The IKEv2 daemon also accepts the value
              replace wich is identical to yes and the value  keep  to  reject
              new IKE_SA setups and keep the duplicate established earlier.

       The  following  config  section  parameters are used by the IKEv1 Pluto
       daemon only:

       crlcheckinterval = 0s | <time>
              interval in seconds. CRL fetching is enabled  if  the  value  is
              greater  than  zero.   Asynchronous, periodic checking for fresh
              CRLs is currently done by the IKEv1 Pluto daemon only.

       keep_alive = 20s | <time>
              interval in seconds between NAT keep alive packets, the  default
              being 20 seconds.

       nat_traversal = yes | no
              activates   NAT  traversal  by  accepting  source  ISAKMP  ports
              different from udp/500 and being able of floating to udp/4500 if
              a  NAT  situation  is  detected.  Accepted values are yes and no
              (the default).  Used by IKEv1  only,  NAT  traversal  is  always
              being active in IKEv2.

       nocrsend = yes | no
              no certificate request payloads will be sent.

       pkcs11initargs = <args>
              non-standard   argument   string   for   PKCS#11  C_Initialize()
              function; required by NSS softoken.

       pkcs11module = <args>
              defines the path to a dynamically loadable PKCS #11 library.

       pkcs11keepstate = yes | no
              PKCS #11 login sessions will be kept during the  whole  lifetime
              of  the  keying  daemon. Useful with pin-pad smart card readers.
              Accepted values are yes and no (the default).

       pkcs11proxy = yes | no
              Pluto will act as a PKCS #11  proxy  accessible  via  the  whack
              interface.  Accepted values are yes and no (the default).

       plutodebug = none | <debug list> | all
              how  much  pluto  debugging  output  should be logged.  An empty
              value, or the magic value none, means no debugging  output  (the
              default).   The  magic  value  all means full output.  Otherwise
              only the specified types of output (a quoted list, names without
              the  --debug- prefix, separated by white space) are enabled; for
              details on available debugging types, see pluto(8).

       plutostderrlog = <file>
              Pluto will not  use  syslog,  but  rather  log  to  stderr,  and
              redirect stderr to <file>.

       postpluto = <command>
              shell  command  to  run  after starting pluto (e.g., to remove a
              decrypted copy of the ipsec.secrets file).  It's run in  a  very
              simple  way;  complexities  like I/O redirection are best hidden
              within a script.  Any  output  is  redirected  for  logging,  so
              running  interactive  commands  is  difficult  unless  they  use
              /dev/tty or equivalent for their interaction.  Default is none.

       prepluto = <command>
              shell command to run before starting pluto (e.g., to decrypt  an
              encrypted  copy  of the ipsec.secrets file).  It's run in a very
              simple way; complexities like I/O redirection  are  best  hidden
              within  a  script.   Any  output  is  redirected for logging, so
              running  interactive  commands  is  difficult  unless  they  use
              /dev/tty or equivalent for their interaction.  Default is none.

       virtual_private = <networks>
              defines private networks using a wildcard notation.

       The  following  config  section parameters are used by the IKEv2 charon
       daemon only:

       charondebug = <debug list>
              how much charon debugging output  should  be  logged.   A  comma
              separated  list  containing  type  level/pairs may be specified,
              e.g: dmn 3, ike 1, net -1.  Acceptable values for types are dmn,
              mgr, ike, chd, job, cfg, knl, net, enc, lib and the level is one
              of -1, 0, 1, 2, 3, 4 (for silent, audit,  control,  controlmore,
              raw, private).  For more flexibility see LOGGER CONFIGURATION in
              strongswan.conf(5).

IKEv2 EXPIRY/REKEY

       The IKE SAs and IPsec SAs negotiated by the daemon can be configured to
       expire  after  a  specific  amount of time. For IPsec SAs this can also
       happen after a specified number of transmitted packets  or  transmitted
       bytes. The following settings can be used to configure this:

       Setting         Default   Setting         Default
       ──────────────────────────────────────────────────
       IKE SA                    IPsec SA
        ikelifetime         3h    lifebytes            -
                                  lifepackets          -
                                  lifetime            1h

   Rekeying
       IKE  SAs  as  well as IPsec SAs can be rekeyed before they expire. This
       can be configured using the following settings:

       Setting        Default   Setting           Default
       ───────────────────────────────────────────────────
       IKE and IPsec SA         IPsec SA
        margintime         9m    marginbytes            -
                                 marginpackets          -

   Randomization
       To avoid collisions the specified margins are increased randomly before
       subtracting  them  from the expiration limits (see formula below). This
       is controlled by the rekeyfuzz setting:

       Setting       Default
       ──────────────────────
       IKE and IPsec SA
        rekeyfuzz       100%

       Randomization can be disabled by setting rekeyfuzz to 0%.

   Formula
       The following formula is used to calculate the rekey time of IPsec SAs:

        rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))

       It applies equally to IKE SAs and byte and packet limits for IPsec SAs.

   Example
       Let's consider the default configuration:

                  lifetime = 1h
                  margintime = 9m
                  rekeyfuzz = 100%

       From the formula above follows that the rekey time lies between:

                  rekeytime_min = 1h - (9m + 9m) = 42m
                  rekeytime_max = 1h - (9m + 0m) = 51m

       Thus, the daemon will attempt to rekey the IPsec SA at  a  random  time
       between  42  and  51  minutes  after  establishing the SA. Or, in other
       words, between 9 and 18 minutes before the SA expires.

   Notes
       ·      Since the rekeying of an SA needs some time, the  margin  values
              must not be too low.

       ·      The  value margin... + margin... * rekeyfuzz must not exceed the
              original limit. For example, specifying margintime = 30m in  the
              default  configuration  is  a bad idea as there is a chance that
              the rekey time equals zero and, thus, rekeying gets disabled.

FILES

       /etc/ipsec.conf
       /etc/ipsec.d/aacerts
       /etc/ipsec.d/acerts
       /etc/ipsec.d/cacerts
       /etc/ipsec.d/certs
       /etc/ipsec.d/crls

SEE ALSO

       strongswan.conf(5), ipsec.secrets(5), ipsec(8), pluto(8)

HISTORY

       Originally written for the FreeS/WAN project by Henry Spencer.  Updated
       and  extended for the strongSwan project <http://www.strongswan.org> by
       Tobias Brunner, Andreas Steffen and Martin Willi.

BUGS

       If conns are to be added before DNS is available, left=FQDN will fail.