Virtual Private Network (VPN): IP security (IPsec) parameters

Top-level IPsec options
  Option to disable the requirement for unique IDs in the Security Database.

Encapsulating Security Payload (ESP) group (named)
  ESP compression
    disable   Disable ESP compression (default)
    enable    Enable ESP compression
  ESP lifetime
    30-86400  Lifetime in seconds (default 3600)
  ESP mode
    tunnel     Tunnel mode (default)
    transport  Transport mode
  ESP Perfect Forward Secrecy (PFS)
    enable      Inherit the Diffie-Hellman group from the IKE group (default)
    dh-group1   Diffie-Hellman group 1 (modp768)
    dh-group2   Diffie-Hellman group 2 (modp1024)
    dh-group5   Diffie-Hellman group 5 (modp1536)
    dh-group14  Diffie-Hellman group 14 (modp2048)
    dh-group15  Diffie-Hellman group 15 (modp3072)
    dh-group16  Diffie-Hellman group 16 (modp4096)
    dh-group17  Diffie-Hellman group 17 (modp6144)
    dh-group18  Diffie-Hellman group 18 (modp8192)
    dh-group19  Diffie-Hellman group 19 (ecp256)
    dh-group20  Diffie-Hellman group 20 (ecp384)
    dh-group21  Diffie-Hellman group 21 (ecp521)
    dh-group22  Diffie-Hellman group 22 (modp1024s160)
    dh-group23  Diffie-Hellman group 23 (modp2048s224)
    dh-group24  Diffie-Hellman group 24 (modp2048s256)
    dh-group25  Diffie-Hellman group 25 (ecp192)
    dh-group26  Diffie-Hellman group 26 (ecp224)
    dh-group27  Diffie-Hellman group 27 (ecp224bp)
    dh-group28  Diffie-Hellman group 28 (ecp256bp)
    dh-group29  Diffie-Hellman group 29 (ecp384bp)
    dh-group30  Diffie-Hellman group 30 (ecp512bp)
    dh-group31  Diffie-Hellman group 31 (curve25519)
    dh-group32  Diffie-Hellman group 32 (curve448)
    disable     Disable PFS. Without PFS the ESP keys are derived from the IKE SA
                keying material rather than from a fresh Diffie-Hellman exchange,
                so compromise of the IKE SA exposes all child SAs keyed from it.
  ESP-group proposal [REQUIRED]
    1-65535   Proposal number

Internet Key Exchange (IKE) group (named)
  Close action
    none     Set action to none (default)
    hold     Set action to hold
    clear    Set action to clear
    restart  Set action to restart
  Dead Peer Detection (DPD)
    Keep-alive failure action
      hold     Set action to hold (default)
      clear    Set action to clear
      restart  Set action to restart
    Keep-alive interval
      2-86400  Interval in seconds (default 30)
    Keep-alive timeout (IKEv1 only)
      2-86400  Timeout in seconds (default 120)
  IKEv2 re-authentication
    yes  Enable remote host re-authentication during an IKE rekey.
         Currently broken due to a strongSwan bug.
    no   Disable remote host re-authentication during an IKE rekey (default)
  Key exchange version
    ikev1  Use IKEv1 for key exchange (default)
    ikev2  Use IKEv2 for key exchange
  IKE lifetime
    30-86400  Lifetime in seconds (default 28800)
  MOBIKE support (IKEv2 only)
    enable   Enable MOBIKE (default for IKEv2)
    disable  Disable MOBIKE
  IKEv1 Phase 1 mode
    main        Use Main mode for IKEv1 key exchanges (recommended default)
    aggressive  Use Aggressive mode for IKEv1 key exchanges. Aggressive mode is
                not recommended: it is much less secure than Main mode because
                the peer identity and the PSK-derived authentication hash are
                sent before the channel is encrypted, which allows offline
                attacks on the pre-shared secret.
  IKE-group proposal
    1-65535   Proposal number
    Diffie-Hellman group (default 2)
      1   Diffie-Hellman group 1 (modp768)
      2   Diffie-Hellman group 2 (modp1024)
      5   Diffie-Hellman group 5 (modp1536)
      14  Diffie-Hellman group 14 (modp2048)
      15  Diffie-Hellman group 15 (modp3072)
      16  Diffie-Hellman group 16 (modp4096)
      17  Diffie-Hellman group 17 (modp6144)
      18  Diffie-Hellman group 18 (modp8192)
      19  Diffie-Hellman group 19 (ecp256)
      20  Diffie-Hellman group 20 (ecp384)
      21  Diffie-Hellman group 21 (ecp521)
      22  Diffie-Hellman group 22 (modp1024s160)
      23  Diffie-Hellman group 23 (modp2048s224)
      24  Diffie-Hellman group 24 (modp2048s256)
      25  Diffie-Hellman group 25 (ecp192)
      26  Diffie-Hellman group 26 (ecp224)
      27  Diffie-Hellman group 27 (ecp224bp)
      28  Diffie-Hellman group 28 (ecp256bp)
      29  Diffie-Hellman group 29 (ecp384bp)
      30  Diffie-Hellman group 30 (ecp512bp)
      31  Diffie-Hellman group 31 (curve25519)
      32  Diffie-Hellman group 32 (curve448)
      Note: groups 1, 2 and 5 (and the 1024-bit group 22) are below the 2048-bit
      MODP minimum generally expected today; the default of group 2 (modp1024)
      should be raised to 14 or higher, or to an elliptic-curve group such as 19,
      for any new deployment.

strongSwan include files
  Include an additional configuration directive file for strongSwan. Use an
  absolute path to specify the included file.
  Include an additional secrets file for strongSwan. Use an absolute path to
  specify the included file.

Interface used for IPsec communication

IPsec logging
  strongSwan logger level
    0  Very basic auditing logs, e.g. SA up/SA down (default)
    1  Generic control flow with errors; a good default to see what is going on
    2  More detailed debugging control flow
  Subsystem in the daemon the log comes from
    dmn  Main daemon setup/cleanup/signal handling
    mgr  IKE_SA manager, handling synchronization for IKE_SA access
    ike  IKE_SA/ISAKMP SA
    chd  CHILD_SA/IPsec SA
    job  Job queuing/processing and thread pool management
    cfg  Configuration management and plugins
    knl  IPsec/networking kernel interface
    net  IKE network communication
    asn  Low-level encoding/decoding (ASN.1, X.509 etc.)
    enc  Packet encoding/decoding, encryption/decryption operations
    lib  libstrongswan library messages
    esp  libipsec library messages
    tls  libtls library messages
    tnc  Trusted Network Connect
    imc  Integrity Measurement Collector
    imv  Integrity Measurement Verifier
    pts  Platform Trust Service
    any  Any subsystem

Global IPsec settings
  Do not automatically install routes to remote networks.

VPN IPsec profile (named)
  Authentication [REQUIRED]
    Authentication mode
      pre-shared-secret  Use a pre-shared secret key
  DMVPN crypto configuration
    Tunnel interface associated with this configuration profile
      (an interface from "interfaces tunnel")

IKEv2 remote access VPN
  IKEv2 VPN connection (named)
    Authentication for remote access
      Client authentication mode
        eap-tls       Client uses EAP-TLS authentication
        eap-mschapv2  Client uses EAP-MSCHAPv2 authentication (default)
        eap-radius    Client uses EAP-RADIUS authentication
      Server authentication mode
        pre-shared-secret
        x509 (default)
    Timeout to close the connection if no data is transmitted
      0        Disable inactivity checks
      1-86400  Timeout in seconds (default 28800)
    Pool used for IP address assignment
      <name>  Name of a predefined IP pool ("vpn ipsec remote-access pool")
      dhcp    Forward requests for virtual IP addresses to a DHCP server
      radius  Forward requests for virtual IP addresses to a RADIUS server
    Connection uniqueness policy to enforce
      never    Never enforce a connection uniqueness policy
      keep     Reject new connection attempts if the same user already has an
               active connection
      replace  Delete any existing connection if a new one for the same user
               gets established
  DHCP pool options for remote access
    Interface with the DHCP server to use
    DHCP server address
      ipv4  DHCP server IPv4 address
  IP address pool for remote-access users (named)
    Local IPv4 or IPv6 pool prefix exclusions
      ipv4  Local IPv4 pool prefix exclusion
      ipv6  Local IPv6 pool prefix exclusion
    Local IPv4 or IPv6 pool prefix
      ipv4  Local IPv4 pool prefix
      ipv6  Local IPv6 pool prefix

Site-to-site VPN
  VPN peer, identified by one of
    ipv4   IPv4 address of the peer
    ipv6   IPv6 address of the peer
    txt    Hostname of the peer
    @text  ID of the peer
  Peer authentication [REQUIRED]
    Authentication mode
      pre-shared-secret
      rsa
      x509
    ID for remote authentication
      txt  ID used for peer authentication
    Use certificate common name as ID
  Connection type
    initiate
    respond
  Default ESP group name (from "vpn ipsec esp-group")
  Force UDP encapsulation for ESP payloads
    enable   This endpoint will force UDP encapsulation for this peer
    disable  This endpoint will not force UDP encapsulation for this peer
  Re-authentication of the remote peer during an IKE rekey (IKEv2 only)
    yes      Enable remote host re-authentication during an IKE rekey.
             Currently broken due to a strongSwan bug.
    no       Disable remote host re-authentication during an IKE rekey
    inherit  Inherit the reauth configuration from your IKE group (default)
  Peer tunnel [REQUIRED] (numbered)
    Remote parameters for interesting traffic
      Remote IPv4 or IPv6 prefix
        ipv4  Remote IPv4 prefix
        ipv6  Remote IPv6 prefix
  Virtual tunnel interface [REQUIRED]
    VTI tunnel interface associated with this configuration
      (an interface from "interfaces vti")
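As an added example (not part of the original reference or of the VyOS project), the following script lints a batch of VyOS-style "set vpn ipsec ..." commands against the ranges and choices listed above and flags the settings a reviewer would push back on: IKEv1 aggressive mode, PFS disabled, sub-2048-bit MODP or sub-256-bit EC Diffie-Hellman groups, out-of-range lifetimes and intervals, and the re-authentication option the reference marks as broken. The CLI node names (ike-group, esp-group, key-exchange, mode, proposal, dh-group, lifetime, pfs, dead-peer-detection, close-action, ikev2-reauth) are assumed from the help text rather than taken from the page, and the two configurations are constructed samples, one deliberately weak and one hardened.

```python
import re

# Allowed Diffie-Hellman groups, copied from the parameter reference above.
VALID_DH_GROUPS = {1, 2, 5} | set(range(14, 33))
# Policy choice of this example, not a statement from the page: MODP groups
# below 2048 bits (1, 2, 5, 22) and EC curves below 256 bits (25, 26).
WEAK_DH_GROUPS = {1, 2, 5, 22, 25, 26}
# Numeric ranges from the reference; checked only under esp-group / ike-group.
RANGES = {
    "lifetime": (30, 86400),   # ESP default 3600, IKE default 28800
    "interval": (2, 86400),    # dead-peer-detection interval, default 30
    "timeout": (2, 86400),     # dead-peer-detection timeout, default 120
    "proposal": (1, 65535),    # proposal number
}
SET_RE = re.compile(r"^\s*set\s+vpn\s+ipsec\s+(\S.*?)\s*$")
PFS_RE = re.compile(r"^dh-group(\d+)$")


def parse_set(lines):
    """Turn 'set vpn ipsec <path...>' lines into token lists; skip other lines."""
    paths = []
    for line in lines:
        m = SET_RE.match(line.split("#", 1)[0])   # strip trailing comments
        if m:
            paths.append(m.group(1).split())
    return paths


def _check_dh(n, where, findings):
    if n not in VALID_DH_GROUPS:
        findings.append(f"INVALID: {where}: dh-group {n} is not a supported group")
    elif n in WEAK_DH_GROUPS:
        findings.append(f"WEAK: {where}: dh-group {n} is below the 2048-bit MODP / "
                        f"256-bit EC floor used by this check")


def lint(lines):
    """Return a list of findings (strings) for the given set commands."""
    findings = []
    for path in parse_set(lines):
        group = path[0]                 # e.g. ike-group, esp-group, site-to-site
        where = " ".join(path[:2])      # e.g. "ike-group IKE-WEAK"
        for key, val in zip(path, path[1:]):
            if group in ("esp-group", "ike-group") and key in RANGES:
                lo, hi = RANGES[key]
                if not (val.isdigit() and lo <= int(val) <= hi):
                    findings.append(f"INVALID: {where}: {key} {val} outside {lo}-{hi}")
            elif key == "dh-group":
                _check_dh(int(val) if val.isdigit() else -1, where, findings)
            elif key == "pfs":
                m = PFS_RE.match(val)
                if val == "disable":
                    findings.append(f"WEAK: {where}: PFS disabled; ESP keys derive from "
                                    f"IKE SA keying material, not a fresh DH exchange")
                elif m:
                    _check_dh(int(m.group(1)), where, findings)
            elif group == "ike-group" and key == "mode" and val == "aggressive":
                findings.append(f"WEAK: {where}: IKEv1 aggressive mode; main mode is "
                                f"the recommended default")
            elif key == "ikev2-reauth" and val == "yes":
                findings.append(f"NOTE: {where}: ikev2-reauth yes is documented as "
                                f"broken (strongSwan bug)")
            elif key == "key-exchange" and val == "ikev1":
                findings.append(f"NOTE: {where}: IKEv1 selected; MOBIKE is only "
                                f"available with IKEv2")
    return findings


# Constructed sample: the weak settings the reference warns about.
WEAK_CONFIG = """\
# constructed sample, not a real deployment
set vpn ipsec ike-group IKE-WEAK key-exchange ikev1
set vpn ipsec ike-group IKE-WEAK mode aggressive
set vpn ipsec ike-group IKE-WEAK ikev2-reauth yes
set vpn ipsec ike-group IKE-WEAK proposal 1 dh-group 2
set vpn ipsec ike-group IKE-WEAK lifetime 99999
set vpn ipsec esp-group ESP-WEAK pfs disable
set vpn ipsec esp-group ESP-WEAK proposal 1
""".splitlines()

# Constructed sample: the same groups with the corrected settings.
HARDENED_CONFIG = """\
set vpn ipsec ike-group IKE-HARD key-exchange ikev2
set vpn ipsec ike-group IKE-HARD proposal 1 dh-group 14
set vpn ipsec ike-group IKE-HARD proposal 2 dh-group 19
set vpn ipsec ike-group IKE-HARD lifetime 28800
set vpn ipsec ike-group IKE-HARD dead-peer-detection action restart
set vpn ipsec ike-group IKE-HARD dead-peer-detection interval 30
set vpn ipsec ike-group IKE-HARD close-action restart
set vpn ipsec esp-group ESP-HARD pfs dh-group19
set vpn ipsec esp-group ESP-HARD lifetime 3600
set vpn ipsec esp-group ESP-HARD mode tunnel
set vpn ipsec esp-group ESP-HARD proposal 1
""".splitlines()

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  " + f)
```

Running the script reports six findings for the weak configuration and none for the hardened one. The check is deliberately path-aware: "mode" is only flagged under an IKE group (under an ESP group it selects tunnel or transport), and the numeric ranges are only applied under ESP and IKE groups, since the remote-access inactivity timeout uses a different range and accepts 0.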