path: root/src/starter/ipsec.conf.5
Diffstat (limited to 'src/starter/ipsec.conf.5')
-rw-r--r-- src/starter/ipsec.conf.5 18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 3e59190e3..c80c5166b 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -600,7 +600,16 @@ value is
.B %modeconfig
or
.B %config,
-an address is requested from the peer.
+an address is requested from the peer. In IKEv2, a defined address is requested,
+but the server may change it. If the server does not support it, the address
+is enforced.
+.TP
+.B rightsourceip
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose a address which is then echoed
+back.
.TP
.B leftsubnetwithin
Not relevant for IKEv2, as subnets are narrowed.
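Review bot: the new rightsourceip entry documents only the %config case and has a grammar slip in "the initiator must propose a address" (should be "an address"). It does not say what the responder does when rightsourceip is set to a concrete address, nor whether the option is IKEv2-only, although the leftsourceip text just above it distinguishes IKEv2 explicitly. In the added leftsourceip sentence "If the server does not support it, the address is enforced", it is unclear what "it" refers to and which side does the enforcing; suggest naming both, since an operator reading this cannot tell whether a client-chosen inner address can end up in use without the server having assigned it.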
@@ -678,13 +687,16 @@ Relevant only locally, other end need not agree on it.
.B ike
IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
.B aes128-sha1-modp2048
-(encryption-integrity-dhgroup).
+(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals
+may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
.TP
.B esp
ESP encryption/authentication algorithm to be used
for the connection, e.g.
.B 3des-md5
-(encryption-integrity).
+(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup
+and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
.B ah
AH authentication algorithm to be used
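Review bot: the esp entry now advertises an optional dh-group but the example is still "3des-md5", so the new syntax is never shown, and "diffe hellman" should be spelled "Diffie-Hellman". Suggest adding an example with a group suffix and stating what happens on rekeying when no group is given, since that is the case readers need to understand to decide whether to set one. In the ike entry, the line ".B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024." ends with a period that will be rendered in bold as part of the value; move it to the following line. The text also leaves the reader to infer from the example that hyphens join alternatives within one proposal and the comma separates proposals, which is worth stating outright. Finally, the examples feature 3des, md5 and modp1024; man page examples tend to be copied verbatim into configurations, so consider illustrating the syntax with the stronger algorithms already present in the same line.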