Virtual Private Network (VPN)

VPN IP security (IPsec) parameters

Authentication
  Pre-shared key name
    ID for authentication
      txt   ID used for authentication
    IKE pre-shared secret key
      txt   IKE pre-shared secret key
    Secret type
      Values:  base64 | plaintext
      Default: plaintext
  Disable requirement for unique IDs in the Security Database

Encapsulating Security Payload (ESP) group name
  Enable ESP compression
  Security Association time to expire
    u32:30-86400   SA lifetime in seconds
    Default: 3600
  Security Association byte count to expire
    u32:1024-26843545600000   SA life in bytes
  Security Association packet count to expire
    u32:1000-26843545600000   SA life in packets
  Do not locally initiate a re-key of the SA; the remote peer must re-key before expiration
  ESP mode
    tunnel      Tunnel mode
    transport   Transport mode
    Default: tunnel
  ESP Perfect Forward Secrecy
    enable       Inherit Diffie-Hellman group from the IKE group
    dh-group1    Use Diffie-Hellman group 1 (modp768)
    dh-group2    Use Diffie-Hellman group 2 (modp1024)
    dh-group5    Use Diffie-Hellman group 5 (modp1536)
    dh-group14   Use Diffie-Hellman group 14 (modp2048)
    dh-group15   Use Diffie-Hellman group 15 (modp3072)
    dh-group16   Use Diffie-Hellman group 16 (modp4096)
    dh-group17   Use Diffie-Hellman group 17 (modp6144)
    dh-group18   Use Diffie-Hellman group 18 (modp8192)
    dh-group19   Use Diffie-Hellman group 19 (ecp256)
    dh-group20   Use Diffie-Hellman group 20 (ecp384)
    dh-group21   Use Diffie-Hellman group 21 (ecp521)
    dh-group22   Use Diffie-Hellman group 22 (modp1024s160)
    dh-group23   Use Diffie-Hellman group 23 (modp2048s224)
    dh-group24   Use Diffie-Hellman group 24 (modp2048s256)
    dh-group25   Use Diffie-Hellman group 25 (ecp192)
    dh-group26   Use Diffie-Hellman group 26 (ecp224)
    dh-group27   Use Diffie-Hellman group 27 (ecp224bp)
    dh-group28   Use Diffie-Hellman group 28 (ecp256bp)
    dh-group29   Use Diffie-Hellman group 29 (ecp384bp)
    dh-group30   Use Diffie-Hellman group 30 (ecp512bp)
    dh-group31   Use Diffie-Hellman group 31 (curve25519)
    dh-group32   Use Diffie-Hellman group 32 (curve448)
    disable      Disable PFS
    Default: enable
  ESP group proposal
    u32:1-65535   ESP group proposal number

Internet Key Exchange (IKE) group name
  Action to take if a child SA is unexpectedly closed
    none    Do nothing
    trap    Attempt to re-negotiate when matching traffic is seen
    start   Attempt to re-negotiate the connection immediately
    Default: none
  Dead Peer Detection (DPD)
    Keep-alive failure action
      trap      Attempt to re-negotiate the connection when matching traffic is seen
      clear     Remove the connection immediately
      restart   Attempt to re-negotiate the connection immediately
      Default: clear
    Keep-alive interval
      u32:2-86400   Keep-alive interval in seconds
      Default: 30
    Dead Peer Detection keep-alive timeout (IKEv1 only)
      u32:2-86400   Keep-alive timeout in seconds
      Default: 120
  Re-authentication of the remote peer during an IKE re-key (IKEv2 only)
  IKE version
    ikev1   Use IKEv1 for key exchange
    ikev2   Use IKEv2 for key exchange
  IKE lifetime
    u32:0-86400   IKE lifetime in seconds
    Default: 28800
  Disable MOBIKE support (IKEv2 only)
  IKEv1 phase 1 mode
    main         Use the main mode (recommended)
    aggressive   Use the aggressive mode (insecure, not recommended)
    Default: main
  IKE proposal
    u32:1-65535   IKE group proposal
    Diffie-Hellman group
      Values:  1 | 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32
      (same groups as listed under ESP Perfect Forward Secrecy above, e.g. 14 = Diffie-Hellman group 14 (modp2048), 31 = Diffie-Hellman group 31 (curve25519))
      Default: 2
    Pseudo-Random Functions
      prfmd5       MD5 PRF
      prfsha1      SHA1 PRF
      prfaesxcbc   AES XCBC PRF
      prfaescmac   AES CMAC PRF
      prfsha256    SHA2_256 PRF
      prfsha384    SHA2_384 PRF
      prfsha512    SHA2_512 PRF

IPsec logging
  Global IPsec logging level
    0   Very basic auditing logs (e.g., SA up/SA down)
    1   Generic control flow with errors, a good default to see what's going on
    2   More detailed debugging control flow
    Default: 0
  Subsystem logging levels
    dmn   Main daemon setup/cleanup/signal handling
    mgr   IKE_SA manager, handling synchronization for IKE_SA access
    ike   IKE_SA/ISAKMP SA
    chd   CHILD_SA/IPsec SA
    job   Jobs queuing/processing and thread pool management
    cfg   Configuration management and plugins
    knl   IPsec/Networking kernel interface
    net   IKE network communication
    asn   Low-level encoding/decoding (ASN.1, X.509 etc.)
    enc   Packet encoding/decoding, encryption/decryption operations
    lib   libstrongswan library messages
    esp   libipsec library messages
    tls   libtls library messages
    tnc   Trusted Network Connect
    imc   Integrity Measurement Collector
    imv   Integrity Measurement Verifier
    pts   Platform Trust Service
    any   Any subsystem

Global IPsec settings
  Do not automatically install routes to remote networks
  Allow FlexVPN vendor ID payload (IKEv2 only)
  Allow install virtual-ip addresses

VPN IPsec profile
  txt   Profile name
  Constraint: [a-zA-Z][0-9a-zA-Z_-]+ (Profile name must be alphanumeric and can contain hyphen(s) and underscore(s))
  Authentication
    Authentication mode
      pre-shared-secret   Use a pre-shared secret key
  DMVPN tunnel configuration
    Tunnel interface associated with this profile (interfaces tunnel)
      txt   Associated interface to this profile

IKEv2 remote access VPN
  IKEv2 VPN connection name
    txt   Connection name
    Constraint: [a-zA-Z][0-9a-zA-Z_-]+ (Profile name must be alphanumeric and can contain hyphen(s) and underscore(s))
    Authentication for remote access
      Remote EAP ID for client authentication
        txt   Remote EAP ID for client authentication
        any   Allow any EAP ID
        Constraint: [[:ascii:]]{1,64}
        Default: any
      Client authentication mode
        x509           Use IPsec X.509 certificate authentication
        eap-tls        Use EAP-TLS authentication
        eap-mschapv2   Use EAP-MSCHAPv2 authentication
        eap-radius     Use EAP-RADIUS authentication
        Default: eap-mschapv2
      Server authentication mode
        pre-shared-secret   Use a pre-shared secret key
        x509                Use X.509 certificate
        Default: x509
    Timeout to close connection if no data is transmitted
      u32:0         Disable inactivity checks
      u32:1-86400   Timeout in seconds
      Default: 28800
    IP address pool (vpn ipsec remote-access pool)
      txt      Predefined IP pool name
      dhcp     Forward requests for virtual IP addresses to a DHCP server
      radius   Forward requests for virtual IP addresses to a RADIUS server
    Connection uniqueness enforcement policy
      never     Never enforce connection uniqueness
      keep      Reject new connection attempts if the same user already has an active connection
      replace   Delete any existing connection if a new one for the same user gets established
  DHCP pool options for remote access
    DHCP server address
      ipv4   DHCP server IPv4 address
  IP address pool for remote access users
    Local IPv4 or IPv6 pool prefix exclusions
      ipv4net   Local IPv4 pool prefix exclusion
      ipv6net   Local IPv6 pool prefix exclusion
    Local IPv4 or IPv6 pool prefix
      ipv4net   Local IPv4 pool prefix
      ipv6net   Local IPv6 pool prefix
    Local IPv4 or IPv6 pool range
      First IP address for local pool range
        ipv4   IPv4 start address of pool
        ipv6   IPv6 start address of pool
      Last IP address for local pool range
        ipv4   IPv4 end address of pool
        ipv6   IPv6 end address of pool

Site-to-site VPN
  Connection name of the peer
    txt   Connection name of the peer
    Constraint: [-_a-zA-Z0-9|@]+ (Peer connection name must be alphanumeric and can contain hyphens and underscores)
    Peer authentication
      Authentication mode
        pre-shared-secret   Use pre-shared secret key
        rsa                 Use RSA key
        x509                Use X.509 certificate
      ID for remote authentication
        txt    ID used for peer authentication
        %any   Use certificate common name as ID
    Connection type
      initiate   Bring the connection up immediately
      respond    Wait for the peer to initiate the connection
      none       Load the connection only
    Default ESP group name (vpn ipsec esp-group)
    Force UDP encapsulation
    Re-authentication of the remote peer during an IKE re-key (IKEv2 only)
      yes       Enable remote host re-authentication during an IKE re-key. Currently broken due to a strongSwan bug
      no        Disable remote host re-authentication during an IKE re-key.
      inherit   Inherit the reauth configuration from your IKE group
    Peer tunnel
      u32   Peer tunnel
      Priority for IPsec policy (lowest value more preferable)
        u32:1-100   Priority for IPsec policy (lowest value more preferable)
      Match remote addresses
        Remote IPv4 or IPv6 prefix
          ipv4net   Remote IPv4 prefix
          ipv6net   Remote IPv6 prefix
    Initiator request virtual-address from peer
      ipv4   Request IPv4 address from peer
      ipv6   Request IPv6 address from peer
    Virtual tunnel interface