authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-11-28 11:42:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-11-28 11:42:20 +0000
commitf73fba54dc8b30c6482e1e8abf15bbf455592fcd (patch)
treea449515607c5e51a5c703d7a9b1149c9e4a11560 /src/starter
parentb8064f4099997a9e2179f3ad4ace605f5ccac3a1 (diff)
[svn-upgrade] new version strongswan (4.5.0)
Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/Makefile.am11
-rw-r--r--src/starter/Makefile.in97
-rw-r--r--src/starter/README5
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.c37
-rw-r--r--src/starter/confread.h12
-rw-r--r--src/starter/interfaces.c4
-rw-r--r--src/starter/ipsec.conf.51330
-rw-r--r--src/starter/ipsec.conf.5.in1330
-rw-r--r--src/starter/keywords.c321
-rw-r--r--src/starter/keywords.h3
-rw-r--r--src/starter/keywords.txt1
-rw-r--r--src/starter/starterstroke.c12
-rw-r--r--src/starter/starterwhack.c2
14 files changed, 218 insertions, 2948 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 9813a0c06..75297f767 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -9,6 +9,7 @@ INCLUDES = \
-I${linux_headers} \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/pluto \
-I$(top_srcdir)/src/whack \
-I$(top_srcdir)/src/stroke
@@ -23,9 +24,8 @@ AM_CFLAGS = \
-DDEBUG
starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
PLUTODIR=$(top_srcdir)/src/pluto
@@ -43,11 +43,6 @@ if USE_LOAD_WARNING
AM_CFLAGS += -DLOAD_WARNING
endif
-ipsec.conf.5: ipsec.conf.5.in
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- $(srcdir)/$@.in > $@
-
lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
$(LEX) $(srcdir)/parser.l
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index d06c8974d..446f183f1 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -49,14 +49,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/lt~obsolete.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
$(top_srcdir)/configure.in
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
- "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
PROGRAMS = $(ipsec_PROGRAMS)
am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
@@ -106,7 +106,6 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-man5dir = $(mandir)/man5
man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(dist_man_MANS)
@@ -178,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PTHREADLIB = @PTHREADLIB@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
@@ -209,14 +210,17 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
+c_plugins = @c_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
default_pkcs11 = @default_pkcs11@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -231,24 +235,31 @@ ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
+libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
libexecdir = @libexecdir@
-libhydra_plugins = @libhydra_plugins@
-libstrongswan_plugins = @libstrongswan_plugins@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+p_plugins = @p_plugins@
pdfdir = @pdfdir@
piddir = @piddir@
+pki_plugins = @pki_plugins@
plugindir = @plugindir@
pluto_plugins = @pluto_plugins@
+pool_plugins = @pool_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -256,7 +267,10 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
@@ -278,6 +292,7 @@ INCLUDES = \
-I${linux_headers} \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/pluto \
-I$(top_srcdir)/src/whack \
-I$(top_srcdir)/src/stroke
@@ -288,9 +303,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \
$(am__append_2) $(am__append_3)
starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
-EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in
-dist_man_MANS = ipsec.conf.5 starter.8
-CLEANFILES = ipsec.conf.5
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
PLUTODIR = $(top_srcdir)/src/pluto
SCEPCLIENTDIR = $(top_srcdir)/src/scepclient
@@ -424,44 +438,6 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
- @$(NORMAL_INSTALL)
- test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
- @list=''; test -n "$(man5dir)" || exit 0; \
- { for i in $$list; do echo "$$i"; done; \
- l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.5[a-z]*$$/p'; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \
- done; }
-
-uninstall-man5:
- @$(NORMAL_UNINSTALL)
- @list=''; test -n "$(man5dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.5[a-z]*$$/p'; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
@@ -600,7 +576,7 @@ check-am: all-am
check: check-am
all-am: Makefile $(PROGRAMS) $(MANS)
installdirs:
- for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -620,7 +596,6 @@ install-strip:
mostlyclean-generic:
clean-generic:
- -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -669,7 +644,7 @@ install-info: install-info-am
install-info-am:
-install-man: install-man5 install-man8
+install-man: install-man8
install-pdf: install-pdf-am
@@ -701,7 +676,7 @@ ps-am:
uninstall-am: uninstall-ipsecPROGRAMS uninstall-man
-uninstall-man: uninstall-man5 uninstall-man8
+uninstall-man: uninstall-man8
.MAKE: install-am install-strip
@@ -712,20 +687,14 @@ uninstall-man: uninstall-man5 uninstall-man8
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-exec-local \
install-html install-html-am install-info install-info-am \
- install-ipsecPROGRAMS install-man install-man5 install-man8 \
- install-pdf install-pdf-am install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags uninstall uninstall-am \
- uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \
- uninstall-man8
-
-
-ipsec.conf.5: ipsec.conf.5.in
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- $(srcdir)/$@.in > $@
+ install-ipsecPROGRAMS install-man install-man8 install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-ipsecPROGRAMS \
+ uninstall-man uninstall-man8
+
lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h
$(LEX) $(srcdir)/parser.l
diff --git a/src/starter/README b/src/starter/README
index 12a60a11d..4aff64978 100644
--- a/src/starter/README
+++ b/src/starter/README
@@ -18,8 +18,6 @@ Usage:
FEATURES
--------
-o Load and unload KLIPS (ipsec.o kernel module)
-
o Load modules of the native Linux 2.6 IPsec stack
o Launch and monitor pluto
@@ -50,8 +48,7 @@ o /var/run/dynip/xxxx can be used to use a virtual interface name in
o %auto can be used to automaticaly name the connections
-o kill -TERM can be used to stop FS. pluto will be stopped and KLIPS unloaded
- (if it has been loaded).
+o kill -TERM can be used to stop FS. pluto will be stopped.
o Can be used to start strongSwan and load lots of connections in a few
seconds.
diff --git a/src/starter/args.c b/src/starter/args.c
index ab6b60509..37d600283 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
{ ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
+ { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
{ ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
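Review bot: The new `aaa_identity` entry relies on token_info[] being indexed positionally by the keyword enum, so it is only correct if the matching KW_AAA_IDENTITY value was inserted at exactly this spot (after KW_EAP_IDENTITY, before KW_MOBIKE) in keywords.h and keywords.txt; both files are in the diffstat but not in this view, so the alignment cannot be verified here. A misplaced entry would silently write the wrong keyword's value through the wrong `offsetof`, which is hard to spot at runtime. Since the ARG_MISC rows already carry a `/* KW_... */` marker, the two ARG_STR rows would benefit from the same, e.g. `{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL /* KW_AAA_IDENTITY */ },`. The token_info[] array starts and ends outside the hunk.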
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 399e17844..3367616ca 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -19,6 +19,8 @@
#include <freeswan.h>
+#include <eap/eap.h>
+
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/log.h"
@@ -461,7 +463,7 @@ static void handle_firewall(const char *label, starter_end_t *end,
}
}
-static bool handle_mark(char *value, mark_t *mark)
+static bool handle_mark(char *value, mark_t *mark)
{
char *pos, *endptr;
@@ -671,31 +673,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
}
break;
}
- if (streq(kw->value, "aka"))
- {
- conn->eap_type = 23;
- }
- else if (streq(kw->value, "sim"))
- {
- conn->eap_type = 18;
- }
- else if (streq(kw->value, "md5"))
- {
- conn->eap_type = 4;
- }
- else if (streq(kw->value, "gtc"))
- {
- conn->eap_type = 6;
- }
- else if (streq(kw->value, "mschapv2"))
- {
- conn->eap_type = 26;
- }
- else if (streq(kw->value, "radius"))
- { /* pseudo-type */
- conn->eap_type = 253;
- }
- else
+ conn->eap_type = eap_type_from_string(kw->value);
+ if (conn->eap_type == 0)
{
conn->eap_type = atoi(kw->value);
if (conn->eap_type == 0)
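Review bot: The new `eap_type_from_string()` call sends every name it does not recognise into the `atoi()` fallback on the following line, and `atoi()` accepts trailing garbage and negative input ("-1" lands in the u_int32_t `eap_type` as 4294967295) while only a result of 0 is reported as an error; the `endptr` check used for the `# bad integer value` case in the hunk below is the consistent form here, e.g. `conn->eap_type = strtoul(kw->value, &endptr, 10); if (*endptr != '\0' || conn->eap_type == 0) { /* existing error path */ }`. Separately, the removed branch mapped the pseudo-type `radius` to 253 locally; that mapping now depends on libcharon's `eap_type_from_string()` knowing `radius`, which this hunk cannot confirm, so it is worth checking that an existing `eap=radius` connection does not fall through to the numeric path and get rejected. The enclosing load_conn() starts and ends outside the hunk.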
@@ -739,7 +718,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
if (*endptr != '\0')
{
plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
+ cfg->err++;
}
}
break;
@@ -815,7 +794,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
DBG(DBG_CONTROL,
DBG_log(" also=%s", kw->value)
)
- }
+ }
continue;
}
@@ -879,7 +858,7 @@ static void load_also_conns(starter_conn_t *conn, also_t *also,
/*
* find a conn included by also
*/
-static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
+static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
starter_config_t *cfg)
{
starter_conn_t *c = cfg->conn_first;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 5e4356ea3..982d1d206 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -95,13 +95,6 @@ struct also {
also_t *next;
};
-typedef struct mark_t mark_t;
-
-struct mark_t{
- u_int32_t value;
- u_int32_t mask;
-};
-
typedef struct starter_conn starter_conn_t;
struct starter_conn {
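Review bot: `mark_t` is deleted here but `starter_conn` still declares `mark_in`/`mark_out` of that type two hunks below, and none of this file's hunks adds a replacement include; the type presumably now comes from libhydra's kernel interface header (which is why Makefile.am gains `-I$(top_srcdir)/src/libhydra`), reaching confread.h only transitively through whatever its includers pull in first. That makes the header's correctness depend on include order in every translation unit that uses it. An explicit `#include <kernel/kernel_ipsec.h>` at the top of confread.h (outside this hunk) would keep it self-contained, assuming that is indeed the header now providing `mark_t`. The struct starter_conn definition continues past the end of the hunk.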
@@ -117,6 +110,7 @@ struct starter_conn {
u_int32_t eap_type;
u_int32_t eap_vendor;
char *eap_identity;
+ char *aaa_identity;
char *xauth_identity;
lset_t policy;
time_t sa_ike_life_seconds;
@@ -129,8 +123,8 @@ struct starter_conn {
unsigned long sa_keying_tries;
unsigned long sa_rekey_fuzz;
u_int32_t reqid;
- mark_t mark_in;
- mark_t mark_out;
+ mark_t mark_in;
+ mark_t mark_out;
sa_family_t addr_family;
sa_family_t tunnel_addr_family;
bool install_policy;
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 92b2c74a4..ef26cdce5 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -56,7 +56,7 @@ get_defaultroute(defaultroute_t *defaultroute)
ssize_t msglen;
int fd;
- bzero(&rtu, sizeof(rtu));
+ memset(&rtu, 0, sizeof(rtu));
rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt));
rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
rtu.m.nh.nlmsg_type = RTM_GETROUTE;
@@ -142,7 +142,7 @@ get_defaultroute(defaultroute_t *defaultroute)
plog("could not open AF_INET socket");
break;
}
- bzero(&req, sizeof(req));
+ memset(&req, 0, sizeof(req));
req.ifr_ifindex = iface_idx;
if (ioctl(fd, SIOCGIFNAME, &req) < 0 ||
ioctl(fd, SIOCGIFADDR, &req) < 0)
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
deleted file mode 100644
index b1ae15825..000000000
--- a/src/starter/ipsec.conf.5
+++ /dev/null
@@ -1,1330 +0,0 @@
-.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
- left=192.168.0.1
- leftsubnet=10.1.0.0/16
- right=192.168.0.2
- rightsubnet=10.1.0.0/16
- keyingtries=%forever
- auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-or
-.B psk
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
-.B leftauth
-parameter instead to define authentication methods in IKEv2.
-.TP
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.B rightsubnet
-, a connection is established.
-.B start
-loads a connection and brings it up immediatly.
-.B ignore
-ignores the connection. This is equal to delete a connection from the config
-file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
-.B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.B inactivity
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.B eap
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
-.B eap_identity
-defines the identity the client uses to reply to a EAP Identity request.
-If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
-.B %identity
-uses the EAP Identity method to ask the client for an EAP identity. If not
-defined, the IKEv2 identity will be used as EAP identity.
-.TP
-.B esp
-comma-separated list of ESP encryption/authentication algorithms to be used
-for the connection, e.g.
-.BR 3des-md5 .
-The notation is
-.BR encryption-integrity-[dh-group] .
-.br
-If
-.B dh-group
-is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
-.TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
-.TP
-.B ike
-comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
-to be used, e.g.
-.BR aes128-sha1-modp2048 .
-The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
-.TP
-.B ikelifetime
-how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
-.TP
-.B installpolicy
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.B keyexchange
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. The default value
-.B ike
-currently is a synonym for
-.BR ikev1 .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
-.B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.B leftallowany
-a modifier for
-.B left
-, making it behave as
-.B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftauth
-Authentication method to use locally (left) or require from the remote (right)
-side.
-This parameter is supported in IKEv2 only. Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication and
-.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-.B eap,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.B eap-mschapv2
-and
-.BR eap-sim .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-.TP
-.B leftauth2
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
- plutodebug=all
- crlcheckinterval=10m
- strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
deleted file mode 100644
index 3d2940a66..000000000
--- a/src/starter/ipsec.conf.5.in
+++ /dev/null
@@ -1,1330 +0,0 @@
-.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
- left=192.168.0.1
- leftsubnet=10.1.0.0/16
- right=192.168.0.2
- rightsubnet=10.1.0.0/16
- keyingtries=%forever
- auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-or
-.B psk
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
-.B leftauth
-parameter instead to define authentication methods in IKEv2.
-.TP
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.B rightsubnet
-, a connection is established.
-.B start
-loads a connection and brings it up immediatly.
-.B ignore
-ignores the connection. This is equal to delete a connection from the config
-file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
-.B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.B inactivity
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.B eap
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
-.B eap_identity
-defines the identity the client uses to reply to a EAP Identity request.
-If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
-.B %identity
-uses the EAP Identity method to ask the client for an EAP identity. If not
-defined, the IKEv2 identity will be used as EAP identity.
-.TP
-.B esp
-comma-separated list of ESP encryption/authentication algorithms to be used
-for the connection, e.g.
-.BR 3des-md5 .
-The notation is
-.BR encryption-integrity-[dh-group] .
-.br
-If
-.B dh-group
-is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
-.TP
-.B forceencaps
-Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked (IKEv2 only).
-.TP
-.B ike
-comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
-to be used, e.g.
-.BR aes128-sha1-modp2048 .
-The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
-.TP
-.B ikelifetime
-how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated.
-.TP
-.B installpolicy
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.B keyexchange
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. The default value
-.B ike
-currently is a synonym for
-.BR ikev1 .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
-.B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.B leftallowany
-a modifier for
-.B left
-, making it behave as
-.B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftauth
-Authentication method to use locally (left) or require from the remote (right)
-side.
-This parameter is supported in IKEv2 only. Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication and
-.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-.B eap,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.B eap-mschapv2
-and
-.BR eap-sim .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-.TP
-.B leftauth2
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
- plutodebug=all
- crlcheckinterval=10m
- strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 1d7cae00b..0c24c7dcf 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@
/* C code produced by gperf version 3.0.3 */
/* Command-line: /usr/bin/gperf -m 10 -C -G -D -t */
-/* Computed positions: -k'1-2,6,$' */
+/* Computed positions: -k'2-3,6,$' */
#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
&& ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -54,12 +54,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 126
+#define TOTAL_KEYWORDS 127
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 20
-#define MAX_HASH_VALUE 220
-/* maximum key range = 201, duplicates = 0 */
+#define MIN_HASH_VALUE 12
+#define MAX_HASH_VALUE 238
+/* maximum key range = 227, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -75,32 +75,32 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 35,
- 77, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 8, 221, 31, 221, 20,
- 28, 5, 75, 26, 88, 5, 221, 97, 5, 50,
- 39, 67, 29, 221, 7, 13, 6, 89, 15, 221,
- 5, 24, 7, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221, 221, 221, 221, 221,
- 221, 221, 221, 221, 221, 221
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 2,
+ 104, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 15, 239, 20, 14, 58,
+ 51, 1, 7, 1, 81, 1, 239, 132, 47, 4,
+ 1, 49, 10, 9, 23, 1, 20, 48, 4, 239,
+ 239, 35, 1, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239, 239, 239, 239, 239,
+ 239, 239, 239, 239, 239, 239
};
register int hval = len;
@@ -112,11 +112,10 @@ hash (str, len)
case 5:
case 4:
case 3:
+ hval += asso_values[(unsigned char)str[2]];
+ /*FALLTHROUGH*/
case 2:
hval += asso_values[(unsigned char)str[1]];
- /*FALLTHROUGH*/
- case 1:
- hval += asso_values[(unsigned char)str[0]];
break;
}
return hval + asso_values[(unsigned char)str[len - 1]];
@@ -124,159 +123,161 @@ hash (str, len)
static const struct kw_entry wordlist[] =
{
- {"left", KW_LEFT},
- {"right", KW_RIGHT},
+ {"pfs", KW_PFS},
+ {"uniqueids", KW_UNIQUEIDS},
+ {"rightgroups", KW_RIGHTGROUPS},
{"lifetime", KW_KEYLIFE},
+ {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
+ {"rightnatip", KW_RIGHTNATIP},
+ {"esp", KW_ESP},
+ {"rightnexthop", KW_RIGHTNEXTHOP},
+ {"rightsourceip", KW_RIGHTSOURCEIP},
+ {"right", KW_RIGHT},
+ {"leftupdown", KW_LEFTUPDOWN},
+ {"leftnexthop", KW_LEFTNEXTHOP},
+ {"left", KW_LEFT},
+ {"keep_alive", KW_KEEP_ALIVE},
+ {"rightsubnet", KW_RIGHTSUBNET},
+ {"rightikeport", KW_RIGHTIKEPORT},
+ {"rightsendcert", KW_RIGHTSENDCERT},
{"leftcert", KW_LEFTCERT,},
- {"leftfirewall", KW_LEFTFIREWALL},
+ {"interfaces", KW_INTERFACES},
+ {"lifepackets", KW_LIFEPACKETS},
{"leftsendcert", KW_LEFTSENDCERT},
- {"rightikeport", KW_RIGHTIKEPORT},
- {"leftprotoport", KW_LEFTPROTOPORT},
- {"type", KW_TYPE},
{"leftgroups", KW_LEFTGROUPS},
- {"rekey", KW_REKEY},
- {"rightsubnet", KW_RIGHTSUBNET},
- {"crluri", KW_CRLURI},
- {"rightsendcert", KW_RIGHTSENDCERT},
- {"reqid", KW_REQID},
- {"rightcert", KW_RIGHTCERT},
- {"certuribase", KW_CERTURIBASE},
- {"esp", KW_ESP},
- {"leftallowany", KW_LEFTALLOWANY},
- {"rightid", KW_RIGHTID},
- {"crlcheckinterval", KW_CRLCHECKINTERVAL},
- {"leftnexthop", KW_LEFTNEXTHOP},
+ {"eap", KW_EAP},
+ {"rightprotoport", KW_RIGHTPROTOPORT},
+ {"leftnatip", KW_LEFTNATIP},
+ {"keyingtries", KW_KEYINGTRIES},
+ {"type", KW_TYPE},
+ {"keylife", KW_KEYLIFE},
+ {"mark_in", KW_MARK_IN},
{"lifebytes", KW_LIFEBYTES},
- {"rightrsasigkey", KW_RIGHTRSASIGKEY},
+ {"leftca", KW_LEFTCA},
+ {"margintime", KW_REKEYMARGIN},
+ {"marginbytes", KW_MARGINBYTES},
{"leftrsasigkey", KW_LEFTRSASIGKEY},
- {"rightprotoport", KW_RIGHTPROTOPORT},
- {"rightgroups", KW_RIGHTGROUPS},
- {"plutostart", KW_PLUTOSTART},
- {"strictcrlpolicy", KW_STRICTCRLPOLICY},
- {"lifepackets", KW_LIFEPACKETS},
- {"rightsourceip", KW_RIGHTSOURCEIP},
- {"eap", KW_EAP},
- {"cacert", KW_CACERT},
- {"rightca", KW_RIGHTCA},
+ {"marginpackets", KW_MARGINPACKETS},
+ {"certuribase", KW_CERTURIBASE},
{"virtual_private", KW_VIRTUAL_PRIVATE},
- {"leftid", KW_LEFTID},
- {"crluri1", KW_CRLURI},
- {"ldapbase", KW_LDAPBASE},
- {"leftca", KW_LEFTCA},
- {"leftnatip", KW_LEFTNATIP},
- {"rightallowany", KW_RIGHTALLOWANY},
- {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
- {"xauth_identity", KW_XAUTH_IDENTITY},
+ {"rightid", KW_RIGHTID},
+ {"rightupdown", KW_RIGHTUPDOWN},
+ {"compress", KW_COMPRESS},
+ {"leftprotoport", KW_LEFTPROTOPORT},
+ {"overridemtu", KW_OVERRIDEMTU},
+ {"reqid", KW_REQID},
{"inactivity", KW_INACTIVITY},
- {"packetdefault", KW_PACKETDEFAULT},
- {"installpolicy", KW_INSTALLPOLICY},
- {"plutostderrlog", KW_PLUTOSTDERRLOG},
- {"leftupdown", KW_LEFTUPDOWN},
- {"rightnatip", KW_RIGHTNATIP},
- {"rightnexthop", KW_RIGHTNEXTHOP},
- {"cachecrls", KW_CACHECRLS},
- {"dpddelay", KW_DPDDELAY},
- {"nat_traversal", KW_NAT_TRAVERSAL},
- {"mediated_by", KW_MEDIATED_BY},
- {"me_peerid", KW_ME_PEERID},
- {"plutodebug", KW_PLUTODEBUG},
- {"eap_identity", KW_EAP_IDENTITY},
- {"leftcert2", KW_LEFTCERT2,},
- {"rightid2", KW_RIGHTID2},
- {"rekeyfuzz", KW_REKEYFUZZ},
- {"lefthostaccess", KW_LEFTHOSTACCESS},
+ {"leftfirewall", KW_LEFTFIREWALL},
{"rightfirewall", KW_RIGHTFIREWALL},
- {"ocspuri", KW_OCSPURI},
- {"also", KW_ALSO},
+ {"rightallowany", KW_RIGHTALLOWANY},
+ {"mobike", KW_MOBIKE},
+ {"lefthostaccess", KW_LEFTHOSTACCESS},
+ {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
+ {"rightrsasigkey", KW_RIGHTRSASIGKEY},
+ {"pfsgroup", KW_PFSGROUP},
+ {"me_peerid", KW_ME_PEERID},
+ {"crluri", KW_CRLURI},
+ {"leftsourceip", KW_LEFTSOURCEIP},
+ {"crluri1", KW_CRLURI},
{"mediation", KW_MEDIATION},
- {"ike", KW_IKE},
- {"dpdaction", KW_DPDACTION},
- {"rekeymargin", KW_REKEYMARGIN},
- {"compress", KW_COMPRESS},
- {"ldaphost", KW_LDAPHOST},
+ {"dumpdir", KW_DUMPDIR},
+ {"forceencaps", KW_FORCEENCAPS},
{"leftsubnet", KW_LEFTSUBNET},
- {"crluri2", KW_CRLURI2},
- {"rightca2", KW_RIGHTCA2},
- {"leftsourceip", KW_LEFTSOURCEIP},
- {"rightcert2", KW_RIGHTCERT2},
- {"pfs", KW_PFS},
- {"leftid2", KW_LEFTID2},
+ {"rightca", KW_RIGHTCA},
+ {"rightcert", KW_RIGHTCERT},
+ {"ocspuri", KW_OCSPURI},
+ {"dpdaction", KW_DPDACTION},
+ {"ocspuri1", KW_OCSPURI},
{"dpdtimeout", KW_DPDTIMEOUT},
- {"leftikeport", KW_LEFTIKEPORT},
- {"leftca2", KW_LEFTCA2},
+ {"installpolicy", KW_INSTALLPOLICY},
{"righthostaccess", KW_RIGHTHOSTACCESS},
- {"xauth", KW_XAUTH},
- {"rightauth2", KW_RIGHTAUTH2},
- {"mark_in", KW_MARK_IN},
- {"mobike", KW_MOBIKE},
- {"margintime", KW_REKEYMARGIN},
- {"dumpdir", KW_DUMPDIR},
- {"ocspuri1", KW_OCSPURI},
+ {"ldapbase", KW_LDAPBASE},
+ {"also", KW_ALSO},
+ {"leftallowany", KW_LEFTALLOWANY},
+ {"force_keepalive", KW_FORCE_KEEPALIVE},
{"keyexchange", KW_KEYEXCHANGE},
- {"fragicmp", KW_FRAGICMP},
+ {"hidetos", KW_HIDETOS},
+ {"klipsdebug", KW_KLIPSDEBUG},
+ {"plutostderrlog", KW_PLUTOSTDERRLOG},
{"rightauth", KW_RIGHTAUTH},
- {"interfaces", KW_INTERFACES},
- {"marginbytes", KW_MARGINBYTES},
- {"marginpackets", KW_MARGINPACKETS},
- {"nocrsend", KW_NOCRSEND},
- {"keep_alive", KW_KEEP_ALIVE},
- {"rightupdown", KW_RIGHTUPDOWN},
- {"keyingtries", KW_KEYINGTRIES},
- {"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
- {"uniqueids", KW_UNIQUEIDS},
+ {"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {"charondebug", KW_CHARONDEBUG},
+ {"rightid2", KW_RIGHTID2},
+ {"leftid", KW_LEFTID},
+ {"mediated_by", KW_MEDIATED_BY},
+ {"fragicmp", KW_FRAGICMP},
{"mark_out", KW_MARK_OUT},
+ {"auto", KW_AUTO},
+ {"leftcert2", KW_LEFTCERT2,},
+ {"nat_traversal", KW_NAT_TRAVERSAL},
+ {"cacert", KW_CACERT},
+ {"plutostart", KW_PLUTOSTART},
+ {"eap_identity", KW_EAP_IDENTITY},
+ {"prepluto", KW_PREPLUTO},
+ {"packetdefault", KW_PACKETDEFAULT},
+ {"xauth_identity", KW_XAUTH_IDENTITY},
{"charonstart", KW_CHARONSTART},
- {"klipsdebug", KW_KLIPSDEBUG},
- {"force_keepalive", KW_FORCE_KEEPALIVE},
- {"forceencaps", KW_FORCEENCAPS},
+ {"crlcheckinterval", KW_CRLCHECKINTERVAL},
+ {"rightauth2", KW_RIGHTAUTH2},
+ {"ike", KW_IKE},
+ {"aaa_identity", KW_AAA_IDENTITY},
+ {"leftca2", KW_LEFTCA2},
{"authby", KW_AUTHBY},
+ {"leftauth", KW_LEFTAUTH},
+ {"cachecrls", KW_CACHECRLS},
+ {"ldaphost", KW_LDAPHOST},
+ {"rekeymargin", KW_REKEYMARGIN},
+ {"rekeyfuzz", KW_REKEYFUZZ},
+ {"dpddelay", KW_DPDDELAY},
+ {"ikelifetime", KW_IKELIFETIME},
+ {"auth", KW_AUTH},
+ {"xauth", KW_XAUTH},
{"postpluto", KW_POSTPLUTO},
- {"pkcs11module", KW_PKCS11MODULE},
- {"ocspuri2", KW_OCSPURI2},
- {"hidetos", KW_HIDETOS},
- {"pkcs11keepstate", KW_PKCS11KEEPSTATE},
- {"mark", KW_MARK},
- {"charondebug", KW_CHARONDEBUG},
+ {"plutodebug", KW_PLUTODEBUG},
+ {"modeconfig", KW_MODECONFIG},
+ {"nocrsend", KW_NOCRSEND},
{"leftauth2", KW_LEFTAUTH2},
- {"overridemtu", KW_OVERRIDEMTU},
- {"pkcs11initargs", KW_PKCS11INITARGS},
- {"keylife", KW_KEYLIFE},
- {"auto", KW_AUTO},
- {"ikelifetime", KW_IKELIFETIME},
+ {"leftid2", KW_LEFTID2},
+ {"leftikeport", KW_LEFTIKEPORT},
+ {"rightca2", KW_RIGHTCA2},
+ {"rekey", KW_REKEY},
+ {"rightcert2", KW_RIGHTCERT2},
+ {"mark", KW_MARK},
+ {"crluri2", KW_CRLURI2},
{"reauth", KW_REAUTH},
- {"leftauth", KW_LEFTAUTH},
- {"pkcs11proxy", KW_PKCS11PROXY},
- {"prepluto", KW_PREPLUTO},
- {"pfsgroup", KW_PFSGROUP},
- {"auth", KW_AUTH},
- {"modeconfig", KW_MODECONFIG}
+ {"ocspuri2", KW_OCSPURI2},
+ {"pkcs11module", KW_PKCS11MODULE},
+ {"pkcs11initargs", KW_PKCS11INITARGS},
+ {"pkcs11keepstate", KW_PKCS11KEEPSTATE},
+ {"pkcs11proxy", KW_PKCS11PROXY}
};
static const short lookup[] =
{
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, 0, 1, -1, 2, -1, -1, 3, -1,
+ -1, 4, -1, 5, 6, 7, 8, 9, -1, 10,
+ 11, -1, 12, 13, 14, 15, 16, 17, -1, 18,
+ 19, 20, 21, 22, -1, -1, 23, 24, -1, 25,
+ 26, 27, 28, 29, 30, 31, 32, 33, 34, 35,
+ 36, 37, 38, 39, 40, 41, 42, 43, 44, 45,
+ 46, 47, 48, 49, 50, 51, -1, 52, 53, 54,
+ 55, -1, 56, 57, -1, 58, 59, 60, -1, 61,
+ 62, 63, 64, -1, -1, 65, -1, 66, -1, 67,
+ 68, 69, 70, 71, -1, -1, 72, -1, -1, 73,
+ 74, 75, 76, 77, 78, 79, 80, -1, 81, 82,
+ 83, 84, 85, 86, 87, -1, 88, -1, 89, 90,
+ -1, 91, 92, 93, 94, -1, 95, 96, 97, 98,
+ -1, -1, -1, -1, 99, 100, 101, -1, 102, 103,
+ 104, 105, 106, 107, 108, 109, -1, 110, -1, -1,
+ 111, -1, -1, -1, -1, -1, -1, 112, -1, 113,
+ 114, 115, 116, 117, 118, -1, -1, -1, -1, 119,
+ -1, -1, 120, -1, -1, -1, -1, -1, -1, 121,
+ -1, -1, -1, -1, 122, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, 123, -1, 124, 125, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- 0, -1, -1, 1, -1, -1, -1, -1, 2, 3,
- -1, -1, 4, 5, -1, 6, 7, -1, -1, 8,
- 9, 10, 11, 12, 13, 14, -1, 15, 16, -1,
- 17, 18, 19, 20, -1, 21, 22, 23, -1, -1,
- 24, 25, 26, 27, 28, 29, -1, 30, 31, 32,
- 33, 34, 35, -1, 36, -1, -1, 37, 38, 39,
- 40, 41, 42, 43, -1, 44, 45, 46, 47, -1,
- 48, -1, 49, 50, 51, 52, 53, 54, 55, -1,
- 56, 57, 58, 59, 60, 61, 62, 63, -1, 64,
- 65, 66, 67, 68, 69, 70, 71, 72, 73, 74,
- 75, -1, 76, 77, 78, 79, -1, -1, 80, 81,
- 82, -1, 83, 84, -1, 85, 86, 87, 88, 89,
- 90, -1, 91, -1, 92, -1, 93, 94, 95, -1,
- -1, 96, 97, -1, 98, 99, -1, -1, -1, -1,
- -1, -1, 100, -1, 101, -1, 102, -1, -1, -1,
- 103, 104, -1, -1, 105, -1, -1, 106, 107, 108,
- 109, 110, 111, -1, 112, 113, -1, 114, 115, 116,
- -1, 117, -1, 118, 119, 120, 121, -1, -1, -1,
- 122, -1, -1, -1, -1, -1, -1, -1, 123, -1,
- -1, -1, 124, -1, -1, -1, -1, -1, -1, -1,
- 125
+ -1, -1, -1, -1, -1, -1, -1, -1, 126
};
#ifdef __GNUC__
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 25d2ce4b9..1dae65a99 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -71,6 +71,7 @@ typedef enum {
KW_AUTHBY,
KW_EAP,
KW_EAP_IDENTITY,
+ KW_AAA_IDENTITY,
KW_MOBIKE,
KW_FORCEENCAPS,
KW_IKELIFETIME,
@@ -122,8 +123,8 @@ typedef enum {
/* end keywords */
KW_HOST,
- KW_NEXTHOP,
KW_IKEPORT,
+ KW_NEXTHOP,
KW_SUBNET,
KW_SUBNETWITHIN,
KW_PROTOPORT,
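Review bot: KW_IKEPORT and KW_NEXTHOP swap places in the generic per-end block that follows KW_HOST, and nothing in this hunk says why the order matters. If, as the paired left*/right* keywords in keywords.c suggest, starter maps a left- or right-specific token onto this block by a fixed offset, then the left and right blocks earlier in the enum (outside this hunk) must have been reordered identically, or `leftnexthop` would land in the IKE-port slot and vice versa; that is an inference, please confirm against confread.c. A comment on the block would stop the next reorder from silently breaking it, e.g. `/* order must match the left/right keyword blocks above: end tokens are derived by offset */`. The enum definition starts and ends outside the hunk.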
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index fcdc60cff..06705635a 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
eap, KW_EAP
eap_identity, KW_EAP_IDENTITY
+aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
forceencaps, KW_FORCEENCAPS
pkcs11module, KW_PKCS11MODULE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 9c69ab9e5..9ba569d47 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -40,15 +40,6 @@
#define IPV6_LEN 16
/**
- * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h
- */
-enum ipsec_mode_t {
- MODE_TRANSPORT = 1,
- MODE_TUNNEL,
- MODE_BEET
-};
-
-/**
* Authentication methods, must be the same as in charons authenticator.h
*/
enum auth_method_t {
@@ -204,7 +195,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
+ msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;
msg.add_conn.name = push_string(&msg, connection_name(conn));
/* PUBKEY is preferred to PSK and EAP */
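Review bot: `msg.add_conn.ikev2` is now true for every keyexchange value except an explicit KEY_EXCHANGE_IKEV1, so any third enumerator (presumably the unset/generic "ike" setting, if one exists) now routes the connection to charon where the old `== KEY_EXCHANGE_IKEV2` test did not; starterwhack.c makes the mirror change (`msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1;`). If that default flip is intended, say so at the assignment, e.g. `/* only an explicit keyexchange=ikev1 stays with pluto; everything else goes to charon */`, since the two inequalities read as equivalent but are not if the enum has more than two values. Which daemon handles an unspecified keying protocol is a policy choice and belongs in the keyexchange entry of the manual as well. starter_stroke_add_conn continues outside the hunk.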
@@ -223,6 +214,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.eap_type = conn->eap_type;
msg.add_conn.eap_vendor = conn->eap_vendor;
msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+ msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
if (conn->policy & POLICY_TUNNEL)
{
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 58034d96b..b7d916eae 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -277,7 +277,7 @@ int starter_whack_add_conn(starter_conn_t *conn)
msg.whack_connection = TRUE;
msg.name = connection_name(conn, name, sizeof(name));
- msg.ikev1 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
+ msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1;
msg.addr_family = conn->addr_family;
msg.tunnel_addr_family = conn->tunnel_addr_family;
msg.sa_ike_life_seconds = conn->sa_ike_life_seconds;