diff options
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- | man/ipsec.conf.5.in | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 9a789acef..295100444 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g. .BR aes128-sha256 . The notation is -.BR encryption-integrity-[dh-group] . +.BR encryption-integrity[-dhgroup][-esnmodes] . .br If .B dh-group is specified, CHILD_SA setup and rekeying include a separate diffe hellman -exchange (IKEv2 only). +exchange (IKEv2 only). Valid +.B esnmodes +(IKEv2 only) are +.B esn +and +.B noesn. +Specifying both negotiates Extended Sequence number support with the peer, +the defaut is +.B noesn. .TP .BR forceencaps " = yes | " no force UDP encapsulation for ESP packets even if no NAT situation is detected. @@ -1035,8 +1043,11 @@ is not given, the of this connection will be used as peer ID. .SH "CA SECTIONS" -This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). +These are optional sections that can be used to assign special +parameters to a Certification Authority (CA). Because the daemons +automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP, +there is no need to explicitly add them with a CA section, unless you +want to assign special parameters (like a CRL) to a CA. .TP .BR also " = <name>" includes ca section |