This is required if the EAP client uses a method that verifies the server
identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
.TP
+.BR also " = <name>"
+includes conn section
+.BR <name> .
.TP
.BR auth " = " esp " | ah"
whether authentication should be done as part of
.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
how the two security gateways should authenticate each other;
acceptable values are
-.B secret
-or
.B psk
+or
+.B secret
for pre-shared secrets,
.B pubkey
(the default) for public key signatures as well as the synonyms
defines the timeout interval, after which all connections to a peer are deleted
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
+See
+.IR strongswan.conf (5)
+for a description of the IKEv2 retransmission timeout.
.TP
.BR inactivity " = <time>"
defines the timeout interval, after which a CHILD_SA is closed if it did
.BR esp " = <cipher suites>"
comma-separated list of ESP encryption/authentication algorithms to be used
for the connection, e.g.
-.BR 3des-md5 .
+.BR aes128-sha256 .
The notation is
.BR encryption-integrity-[dh-group] .
.br
exchange (IKEv2 only).
.TP
.BR forceencaps " = yes | " no
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
+force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
.TP
.B psk
for pre-shared key authentication and
.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
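Review bot: The new key-strength sentence does not say whether the number after the key type is a minimum or an exact key size, nor whether `rsa-2048` is given in place of `pubkey` or in addition to it; since this paragraph is the value list for `authby`, state both explicitly, for example "specify the key type followed by the minimum strength in bits as the `authby` value", adjusting "minimum" if the implementation actually requires an exact size.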
.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
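Review bot: In the new `leftcertpolicy` entry, "peers certificate" needs an apostrophe ("peer's certificate"), and "Comma separated" should be hyphenated and lower-cased ("comma-separated list of certificate policy OIDs ...") to match the `esp` entry ("comma-separated list of ESP ...") and the lower-casing this same patch applies to the `forceencaps` description.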
or
.BR yes ,
and
-.BR ifasked ,
+.BR ifasked " (the default),"
the latter meaning that the peer must send a certificate request payload in
order to get a certificate in return.
.TP
.BR leftsourceip " = %config | %cfg | %modeconfig | %modecfg | <ip address>"
The internal source IP to use in a tunnel, also known as virtual IP. If the
value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
.BR %config ,
-or
.BR %cfg ,
+.BR %modeconfig ,
+or
+.BR %modecfg ,
an address is requested from the peer. In IKEv2, a statically defined address
is also requested, since the server may change it.
.TP
.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values
are
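Review bot: The new `tfc` entry gives no default, whereas the other value entries on this page mark theirs (for example `forceencaps " = yes | " no`); add a sentence saying what happens when `tfc` is unset, and also say whether the value must be at most the MTU or how larger values are handled, since `%mtu` is the only bound mentioned.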
.BR drop ,
signifying that packets should be discarded; and
.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
+signifying that packets should be discarded and a diagnostic ICMP returned
+.RB ( reject
+is currently not supported by the NETKEY stack of the Linux 2.6 kernel).
The IKEv2 daemon charon currently supports
.BR tunnel ,
.BR transport ,
and
-.BR tunnel_proxy
+.BR transport_proxy
connection types, only.
.TP
.BR xauth " = " client " | server"
This are optional sections that can be used to assign special
parameters to a Certification Authority (CA).
.TP
+.BR also " = <name>"
+includes ca section
+.BR <name> .
+.TP
.BR auto " = " ignore " | add"
currently can have either the value
.B ignore
.B yes
and
.B no
-(the default).
+(the default). Only relevant for IKEv1, as CRLs are always cached in IKEv2.
.TP
.BR charonstart " = " yes " | no"
whether to start the IKEv2 charon daemon or not.
and
.B no
(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
+Used by IKEv1 only, NAT traversal is always being active in IKEv2.
.TP
.BR nocrsend " = yes | " no
no certificate request payloads will be sent.
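Review bot: The rewording "NAT traversal is always being active in IKEv2" is ungrammatical; the original absolute clause "NAT traversal always being active in IKEv2" was correct. If the intent is a separate sentence, use "Used by IKEv1 only; NAT traversal is always active in IKEv2." rather than "is always being active".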
and the level is one of
.B -1, 0, 1, 2, 3, 4
(for silent, audit, control, controlmore, raw, private).
+For more flexibility see LOGGER CONFIGURATION in
+.IR strongswan.conf (5).
+
.SH IKEv2 EXPIRY/REKEY
The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
after a specific amount of time. For IPsec SAs this can also happen after a