Virtual Private Network (VPN) 900 VPN IP security (IPsec) parameters 901 Set auto-update interval for IPsec daemon u32:30-65535 Auto-update interval (s) Option to disable requirement for unique IDs in the Security Database Name of Encapsulating Security Payload (ESP) group ESP compression disable enable disable Disable ESP compression (default) enable Enable ESP compression ^(disable|enable)$ ESP lifetime u32:30-86400 ESP lifetime in seconds (default 3600) ESP mode tunnel transport tunnel Tunnel mode (default) transport Transport mode ^(tunnel|transport)$ ESP Perfect Forward Secrecy enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable enable Enable PFS. Use ike-groups dh-group (default) dh-group1 Enable PFS. Use Diffie-Hellman group 1 (modp768) dh-group2 Enable PFS. Use Diffie-Hellman group 2 (modp1024) dh-group5 Enable PFS. Use Diffie-Hellman group 5 (modp1536) dh-group14 Enable PFS. Use Diffie-Hellman group 14 (modp2048) dh-group15 Enable PFS. Use Diffie-Hellman group 15 (modp3072) dh-group16 Enable PFS. Use Diffie-Hellman group 16 (modp4096) dh-group17 Enable PFS. Use Diffie-Hellman group 17 (modp6144) dh-group18 Enable PFS. Use Diffie-Hellman group 18 (modp8192) dh-group19 Enable PFS. Use Diffie-Hellman group 19 (ecp256) dh-group20 Enable PFS. Use Diffie-Hellman group 20 (ecp384) dh-group21 Enable PFS. Use Diffie-Hellman group 21 (ecp521) dh-group22 Enable PFS. Use Diffie-Hellman group 22 (modp1024s160) dh-group23 Enable PFS. Use Diffie-Hellman group 23 (modp2048s224) dh-group24 Enable PFS. Use Diffie-Hellman group 24 (modp2048s256) dh-group25 Enable PFS. Use Diffie-Hellman group 25 (ecp192) dh-group26 Enable PFS. Use Diffie-Hellman group 26 (ecp224) dh-group27 Enable PFS. Use Diffie-Hellman group 27 (ecp224bp) dh-group28 Enable PFS. Use Diffie-Hellman group 28 (ecp256bp) dh-group29 Enable PFS. Use Diffie-Hellman group 29 (ecp384bp) dh-group30 Enable PFS. Use Diffie-Hellman group 30 (ecp512bp) dh-group31 Enable PFS. Use Diffie-Hellman group 31 (curve25519) dh-group32 Enable PFS. Use Diffie-Hellman group 32 (curve448) disable Disable PFS ^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$ ESP-group proposal [REQUIRED] u32:1-65535 ESP-group proposal number #include #include Name of Internet Key Exchange (IKE) group close-action_help none hold clear restart none Set action to none (default) hold Set action to hold clear Set action to clear restart Set action to restart ^(none|hold|clear|restart)$ Dead Peer Detection (DPD) Keep-alive failure action hold clear restart hold Set action to hold (default) clear Set action to clear restart Set action to restart ^(hold|clear|restart)$ Keep-alive interval u32:2-86400 Keep-alive interval in seconds (default 30) Dead-Peer-Detection keep-alive timeout (IKEv1 only) u32:2-86400 Keep-alive timeout in seconds (default 120) ikev2-reauth_help yes no yes Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug no Disable remote host re-authenticaton during an IKE rekey. (Default) ^(yes|no)$ Key Exchange Version ikev1 ikev2 ikev1 Use IKEv1 for Key Exchange [DEFAULT] ikev2 Use IKEv2 for Key Exchange ^(ikev1|ikev2)$ IKE lifetime u32:30-86400 IKE lifetime in seconds (default 28800) Enable MOBIKE Support. MOBIKE is only available for IKEv2. enable disable enable Enable MOBIKE (default for IKEv2) disable Disable MOBIKE ^(enable|disable)$ IKEv1 Phase 1 Mode Selection main aggressive main Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) aggressive Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. ^(main|aggressive)$ proposal_help u32:1-65535 IKE-group proposal 2 dh-grouphelp 1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 Diffie-Hellman group 1 (modp768) 2 Diffie-Hellman group 2 (modp1024) 5 Diffie-Hellman group 5 (modp1536) 14 Diffie-Hellman group 14 (modp2048) 15 Diffie-Hellman group 15 (modp3072) 16 Diffie-Hellman group 16 (modp4096) 17 Diffie-Hellman group 17 (modp6144) 18 Diffie-Hellman group 18 (modp8192) 19 Diffie-Hellman group 19 (ecp256) 20 Diffie-Hellman group 20 (ecp384) 21 Diffie-Hellman group 21 (ecp521) 22 Diffie-Hellman group 22 (modp1024s160) 23 Diffie-Hellman group 23 (modp2048s224) 24 Diffie-Hellman group 24 (modp2048s256) 25 Diffie-Hellman group 25 (ecp192) 26 Diffie-Hellman group 26 (ecp224) 27 Diffie-Hellman group 27 (ecp224bp) 28 Diffie-Hellman group 28 (ecp256bp) 29 Diffie-Hellman group 29 (ecp384bp) 30 Diffie-Hellman group 30 (ecp512bp) 31 Diffie-Hellman group 31 (curve25519) 32 Diffie-Hellman group 32 (curve448) ^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$ #include #include Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file. Interface to use for VPN [REQUIRED] IPsec interface [REQUIRED] IPsec logging strongSwan Logger Level u32:0-2 Logger Verbosity Level (default 0) Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any dmn Debug log option for strongSwan mgr Debug log option for strongSwan ike Debug log option for strongSwan chd Debug log option for strongSwan job Debug log option for strongSwan cfg Debug log option for strongSwan knl Debug log option for strongSwan net Debug log option for strongSwan asn Debug log option for strongSwan enc Debug log option for strongSwan lib Debug log option for strongSwan esp Debug log option for strongSwan tls Debug log option for strongSwan tnc Debug log option for strongSwan imc Debug log option for strongSwan imv Debug log option for strongSwan pts Debug log option for strongSwan any Debug log option for strongSwan ^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$ Network Address Translation (NAT) networks (Obsolete) NAT networks to allow ipv4net NAT networks to allow NAT networks to exclude from allowed-networks ipv4net NAT networks to exclude from allowed-networks Network Address Translation (NAT) traversal (Obsolete) disable enable disable Disable NAT-T enable Enable NAT-T ^(disable|enable)$ Global IPsec settings Do not automatically install routes to remote networks VPN IPSec Profile Authentication [REQUIRED] Authentication mode pre-shared-secret pre-shared-secret Use pre shared secret key Pre-shared secret key txt Pre-shared secret key DMVPN crypto configuration Tunnel interface associated with this configuration profile txt Tunnel interface associated with this configuration profile ESP group name [REQUIRED] vpn ipsec esp-group IKE group name [REQUIRED] vpn ipsec ike-group Site to site VPN VPN peer ipv4 IPv4 address of the peer ipv6 IPv6 address of the peer txt Hostname of the peer <@text> ID of the peer Peer authentication [REQUIRED] ID for peer authentication txt ID used for peer authentication Authentication mode pre-shared-secret rsa x509 pre-shared-secret pre-shared-secret_description rsa rsa_description x509 x509_description ^(pre-shared-secret|rsa|x509)$ Pre-shared secret key txt Pre-shared secret key ID for remote authentication txt ID used for peer authentication RSA key name Use certificate common name as ID X.509 certificate #include #include File containing the X.509 Certificate Revocation List (CRL) txt File in /config/auth Key file and password to open it File containing the private key for the X.509 certificate for this host txt File in /config/auth Password that protects the private key txt Password that protects the private key Connection type initiate respond initiate initiate_description respond respond_description ^(initiate|respond)$ Defult ESP group name vpn ipsec esp-group VPN peer description DHCP interface to listen on Force UDP Encapsulation for ESP Payloads enable disable enable This endpoint will force UDP encapsulation for this peer disable This endpoint will not force UDP encapsulation for this peer ^(enable|disable)$ Internet Key Exchange (IKE) group name [REQUIRED] vpn ipsec ike-group Re-authentication of the remote peer during an IKE re-key. IKEv2 option only yes no inherit yes Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug no Disable remote host re-authenticaton during an IKE re-key. inherit Inherit the reauth configuration form your IKE-group (Default) ^(yes|no|inherit)$ IPv4 or IPv6 address of a local interface to use for VPN any ipv4 IPv4 address of a local interface for VPN ipv6 IPv6 address of a local interface for VPN any Allow any IPv4 address present on the system to be used for VPN ^(any)$ Peer tunnel [REQUIRED] u32 Peer tunnel [REQUIRED] Option to allow NAT networks enable disable enable Enable NAT networks disable Disable NAT networks (default) ^(enable|disable)$ Option to allow public networks enable disable enable Enable public networks disable Disable public networks (default) ^(enable|disable)$ #include ESP group name vpn ipsec esp-group Local parameters for interesting traffic Any TCP or UDP port port name Named port (any name in /etc/services, e.g., http) u32:1-65535 Numbered port Local IPv4 or IPv6 prefix ipv4 Local IPv4 prefix ipv6 Local IPv6 prefix #include Remote parameters for interesting traffic Any TCP or UDP port port name Named port (any name in /etc/services, e.g., http) u32:1-65535 Numbered port Remote IPv4 or IPv6 prefix ipv4 Remote IPv4 prefix ipv6 Remote IPv6 prefix Virtual tunnel interface [REQUIRED] VTI tunnel interface associated with this configuration [REQUIRED] ESP group name [REQUIRED] vpn ipsec esp-group