Virtual Private Network (VPN)

VPN IP security (IPsec) parameters. Sub-nodes that the definition pulls in from separate include files are not listed here. Each option gives its accepted values (a range written as u32:lo-hi, or an enumeration) and its default where the definition states one.

Disable requirement for unique IDs in the Security Database

Encapsulated Security Payload (ESP) group name
  ESP compression: disable | enable (default: disable)
    disable   Disable ESP compression
    enable    Enable ESP compression
  ESP lifetime: u32:30-86400, seconds (default: 3600)
  ESP life in bytes: u32:1024-26843545600000
  ESP life in packets: u32:1000-26843545600000
  ESP mode: tunnel | transport (default: tunnel)
    tunnel     Tunnel mode
    transport  Transport mode
  ESP Perfect Forward Secrecy: enable | dh-group<N> | disable (default: enable)
    enable      Inherit the Diffie-Hellman group from the IKE group
    dh-group<N> Use Diffie-Hellman group N (N from the Diffie-Hellman group table below)
    disable     Disable PFS
  ESP group proposal [REQUIRED]: u32:1-65535, proposal number

Diffie-Hellman group table (used by ESP PFS as dh-group<N> and by the IKE proposal as the bare number N)
   1  modp768          14  modp2048         19  ecp256           25  ecp192           29  ecp384bp
   2  modp1024         15  modp3072         20  ecp384           26  ecp224           30  ecp512bp
   5  modp1536         16  modp4096         21  ecp521           27  ecp224bp         31  curve25519
                       17  modp6144         22  modp1024s160     28  ecp256bp         32  curve448
                       18  modp8192         23  modp2048s224
                                            24  modp2048s256

Internet Key Exchange (IKE) group name
  Action to take if a child SA is unexpectedly closed: none | hold | clear | restart (default: none)
    none     Do nothing
    hold     Attempt to re-negotiate when matching traffic is seen
    clear    Remove the connection immediately
    restart  Attempt to re-negotiate the connection immediately
  Dead Peer Detection (DPD)
    Keep-alive failure action: hold | clear | restart (default: hold)
      hold     Attempt to re-negotiate the connection when matching traffic is seen
      clear    Remove the connection immediately
      restart  Attempt to re-negotiate the connection immediately
    Keep-alive interval: u32:2-86400, seconds (default: 30)
    Keep-alive timeout (IKEv1 only): u32:2-86400, seconds (default: 120)
  Re-authentication of the remote peer during an IKE re-key (IKEv2 only): yes | no (default: no)
    yes  Enable remote host re-authentication during an IKE re-key. Currently broken due to a strongSwan bug.
    no   Disable remote host re-authentication during an IKE re-key.
  IKE version: ikev1 | ikev2
    ikev1  Use IKEv1 for key exchange
    ikev2  Use IKEv2 for key exchange
  IKE lifetime: u32:30-86400, seconds (default: 28800)
  Enable MOBIKE support (IKEv2 only): enable | disable (default for IKEv2: enable)
  IKEv1 phase 1 mode selection: main | aggressive (default: main)
    main        Use main mode (recommended)
    aggressive  Use aggressive mode (insecure, not recommended)
  IKE proposal: u32:1-65535, proposal number
    dh-group: 1 | 2 | 5 | 14 ... 32 (default: 2); see the Diffie-Hellman group table above
  Absolute path to a strongSwan config include file
  Absolute path to a strongSwan secrets include file

IPsec logging (strongSwan logging)
  Level: 0 | 1 | 2 (default: 0)
    0  Very basic auditing logs, e.g. SA up / SA down
    1  Generic control flow with errors; a good default to see what is going on
    2  More detailed debugging control flow
  Subsystem logging levels: dmn | mgr | ike | chd | job | cfg | knl | net | asn | enc | lib | esp | tls | tnc | imc | imv | pts | any
    dmn  Main daemon setup/cleanup/signal handling
    mgr  IKE_SA manager, handling synchronization for IKE_SA access
    ike  IKE_SA / ISAKMP SA
    chd  CHILD_SA / IPsec SA
    job  Job queuing/processing and thread pool management
    cfg  Configuration management and plugins
    knl  IPsec/networking kernel interface
    net  IKE network communication
    asn  Low-level encoding/decoding (ASN.1, X.509, etc.)
    enc  Packet encoding/decoding and encryption/decryption operations
    lib  libstrongswan library messages
    esp  libipsec library messages
    tls  libtls library messages
    tnc  Trusted Network Connect
    imc  Integrity Measurement Collector
    imv  Integrity Measurement Verifier
    pts  Platform Trust Service
    any  Any subsystem

Global IPsec settings
  Do not automatically install routes to remote networks
  Allow FlexVPN vendor ID payload (IKEv2 only)
  Allow installing virtual-ip addresses

VPN IPsec profile (DMVPN crypto configuration)
  Authentication [REQUIRED]
    Authentication mode: pre-shared-secret
      pre-shared-secret  Use a pre-shared secret key
  Tunnel interface associated with this profile: interfaces tunnel (txt)

IKEv2 remote access VPN
  IKEv2 VPN connection name
    Authentication for remote access
      Client authentication mode: eap-tls | eap-mschapv2 | eap-radius (default: eap-mschapv2)
        eap-tls       Use EAP-TLS authentication
        eap-mschapv2  Use EAP-MSCHAPv2 authentication
        eap-radius    Use EAP-RADIUS authentication
      Server authentication mode: pre-shared-secret | x509 (default: x509)
        pre-shared-secret  Use a pre-shared secret key
        x509               Use an X.509 certificate
    Timeout to close connection if no data is transmitted: u32:0 disables inactivity checks; u32:1-86400, seconds (default: 28800)
    IP address pool: <pool name> | dhcp | radius
      txt     Predefined IP pool name (vpn ipsec remote-access pool)
      dhcp    Forward requests for virtual IP addresses to a DHCP server
      radius  Forward requests for virtual IP addresses to a RADIUS server
    Connection uniqueness enforcement policy: never | keep | replace
      never    Never enforce connection uniqueness
      keep     Reject new connection attempts if the same user already has an active connection
      replace  Delete any existing connection if a new one for the same user gets established
  DHCP pool options for remote access
    DHCP server address: ipv4 (DHCP server IPv4 address)
  IP address pool for remote access users
    Local IPv4 or IPv6 pool prefix exclusions: ipv4 | ipv6
    Local IPv4 or IPv6 pool prefix: ipv4 | ipv6

Site-to-site VPN
  VPN peer: ipv4 (IPv4 address of the peer) | ipv6 (IPv6 address of the peer) | txt (hostname of the peer) | ID of the peer
    Peer authentication [REQUIRED]
      Authentication mode: pre-shared-secret | rsa | x509
        pre-shared-secret  Use a pre-shared secret key
        rsa                Use an RSA key
        x509               Use an X.509 certificate
      ID for remote authentication: txt (ID used for peer authentication)
      Use certificate common name as ID
    Connection type: initiate | respond | none
      initiate  Bring the connection up immediately
      respond   Bring the connection up only if traffic is detected
      none      Load the connection only
    Default ESP group name: vpn ipsec esp-group
    Force UDP encapsulation for ESP payloads: enable | disable
      enable   Force UDP encapsulation
      disable  Do not force UDP encapsulation
    Re-authentication of the remote peer during an IKE re-key (IKEv2 only): yes | no | inherit (default: inherit)
      yes      Enable remote host re-authentication during an IKE re-key. Currently broken due to a strongSwan bug.
      no       Disable remote host re-authentication during an IKE re-key.
      inherit  Inherit the reauth configuration from your IKE group
    Peer tunnel [REQUIRED]: u32
      Priority for IPsec policy (lowest value more preferable): u32:1-100
      Match remote addresses
        Remote IPv4 or IPv6 prefix: ipv4 | ipv6
      Initiator request virtual-address from peer: ipv4 | ipv6
    Virtual tunnel interface [REQUIRED]: VTI tunnel interface associated with this configuration (interfaces vti)
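The definition above lists the constraints the CLI enforces (ranges, enumerations, defaults) but it will still accept choices it labels as insecure, such as IKEv1 aggressive mode, and it defaults the IKE proposal to Diffie-Hellman group 2 (modp1024). The following is an added example, not VyOS or strongSwan code, that encodes those constraints as validators, fills in the definition's defaults, and flags accepted-but-weak settings. The option keys (ike_lifetime, esp_pfs, ra_inactivity, ...) are this example's own labels, not VyOS node names; the set of Diffie-Hellman groups it treats as weak (1, 2, 5, 22) is the example's own assumption, not something the definition states.

```python
"""Lint an IKE group / ESP group / remote-access option set against the
constraints in the vpn ipsec definition.  Added example, not VyOS or
strongSwan code: option keys are this example's own labels (not VyOS node
names); ranges, enums and defaults follow the definition; the weak-group
set is this example's assumption."""
import re

# Diffie-Hellman group numbers the definition accepts: 1, 2, 5 and 14..32.
DH_GROUPS = (1, 2, 5) + tuple(range(14, 33))
# Assumption of this example: the 768/1024/1536-bit MODP groups (1, 2, 5) and
# the 1024-bit MODP-with-subgroup group 22 are treated as weak.
WEAK_DH_GROUPS = {1, 2, 5, 22}
REQUIRED = object()  # marks an option the definition flags as [REQUIRED]


def _is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)


def u32_range(lo, hi):
    """Validator for a 'u32:lo-hi' constraint."""
    return lambda v: _is_int(v) and lo <= v <= hi


def enum(*values):
    """Validator for a '^(a|b|c)$' constraint, built as the same regex."""
    pat = re.compile("^(%s)$" % "|".join(values))
    return lambda v: isinstance(v, str) and pat.match(v) is not None


# option -> (validator, default).  REQUIRED: must be given; None: no default.
IKE_SCHEMA = {
    "ike_version": (enum("ikev1", "ikev2"), REQUIRED),
    "ike_lifetime": (u32_range(30, 86400), 28800),
    "ike_mode": (enum("main", "aggressive"), "main"),        # IKEv1 phase 1
    "mobike": (enum("enable", "disable"), "enable"),         # IKEv2 only
    "close_action": (enum("none", "hold", "clear", "restart"), "none"),
    "dpd_action": (enum("hold", "clear", "restart"), "hold"),
    "dpd_interval": (u32_range(2, 86400), 30),
    "dpd_timeout": (u32_range(2, 86400), 120),               # IKEv1 only
    "ike_dh_group": (lambda v: _is_int(v) and v in DH_GROUPS, 2),
    "reauth": (enum("yes", "no"), "no"),                     # IKEv2 only
}
ESP_SCHEMA = {
    "esp_lifetime": (u32_range(30, 86400), 3600),
    "esp_mode": (enum("tunnel", "transport"), "tunnel"),
    "esp_compression": (enum("disable", "enable"), "disable"),
    "esp_pfs": (enum("enable", "disable", *("dh-group%d" % g for g in DH_GROUPS)), "enable"),
}
REMOTE_ACCESS_SCHEMA = {
    # 0 disables inactivity checks, otherwise 1-86400 seconds.
    "ra_inactivity": (lambda v: _is_int(v) and (v == 0 or 1 <= v <= 86400), 28800),
    "ra_uniqueness": (enum("never", "keep", "replace"), None),
    "ra_client_auth": (enum("eap-tls", "eap-mschapv2", "eap-radius"), "eap-mschapv2"),
    "ra_server_auth": (enum("pre-shared-secret", "x509"), "x509"),
}
SCHEMAS = (IKE_SCHEMA, ESP_SCHEMA, REMOTE_ACCESS_SCHEMA)


def validate(config):
    """Return (errors, warnings, effective).  errors: values the definition's
    constraints reject; warnings: accepted but weak choices; effective: the
    config with the definition's defaults filled in."""
    errors, warnings, effective, known = [], [], {}, set()
    for schema in SCHEMAS:
        for key, (check, default) in schema.items():
            known.add(key)
            if key in config:
                if not check(config[key]):
                    errors.append("%s: %r violates constraint" % (key, config[key]))
                effective[key] = config[key]
            elif default is REQUIRED:
                errors.append("%s: required" % key)
            elif default is not None:
                effective[key] = default
    errors += ["%s: unknown option" % k for k in config if k not in known]
    if errors:
        return errors, warnings, effective

    ike_dh = effective["ike_dh_group"]
    if effective["ike_version"] == "ikev1" and effective["ike_mode"] == "aggressive":
        warnings.append("IKEv1 aggressive mode is marked insecure in the definition")
    if ike_dh in WEAK_DH_GROUPS:
        warnings.append("IKE DH group %d is a weak MODP group" % ike_dh)
    pfs = effective["esp_pfs"]
    if pfs == "disable":
        warnings.append("ESP PFS disabled: child SA keys are derived from the IKE SA only")
    elif pfs == "enable" and ike_dh in WEAK_DH_GROUPS:
        warnings.append("ESP PFS inherits weak IKE DH group %d" % ike_dh)
    elif pfs.startswith("dh-group") and int(pfs[len("dh-group"):]) in WEAK_DH_GROUPS:
        warnings.append("ESP PFS uses weak group %s" % pfs)
    if effective["reauth"] == "yes":
        warnings.append("reauth yes is noted as currently broken in the definition")
    return errors, warnings, effective


if __name__ == "__main__":
    # Constructed sample configs: one relying on weak-but-allowed choices,
    # one using IKEv2 with ecp256 for both IKE and ESP PFS.
    weak = {"ike_version": "ikev1", "ike_mode": "aggressive", "esp_pfs": "disable"}
    hardened = {"ike_version": "ikev2", "ike_dh_group": 19, "esp_pfs": "dh-group19"}
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        errs, warns, _ = validate(cfg)
        print(name, "errors:", errs, "warnings:", warns)
```

The weak sample passes every constraint the definition imposes and still earns three warnings (aggressive mode, the default group 2 for IKE, PFS disabled); the hardened sample passes cleanly. Running the same check over the defaults alone shows why the IKE proposal's dh-group should always be set explicitly rather than left at its default of 2.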