summaryrefslogtreecommitdiff
path: root/man/ipsec.conf.5.in
diff options
context:
space:
mode:
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r--man/ipsec.conf.5.in17
1 files changed, 17 insertions, 0 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 2766cc4ed..e778ab773 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -452,6 +452,11 @@ suites, the strict flag
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
is required only if selecting the certificate with
.B leftid
is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
.B leftprotoport=udp/%any
or
.BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
.TP
.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
the left participant's public key for RSA signature authentication, in RFC 2537