Diffstat (limited to 'src/starter/ipsec.conf.5')
-rw-r--r-- src/starter/ipsec.conf.5 | 163
1 files changed, 100 insertions, 63 deletions
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index 31e676324..d4dd7238f 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -248,7 +248,7 @@ for Elliptic Curve DSA signatures.
.B never
can be used if negotiation is never to be attempted or accepted (useful for
shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
+Digital signatures are superior in every way to shared secrets.
IKEv1 additionally supports the values
.B xauthpsk
and
@@ -256,7 +256,7 @@ and
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
based on shared secrets or digital RSA signatures, respectively.
This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+to agree on an authentication method. Use the
.B leftauth
parameter instead to define authentication methods in IKEv2.
.TP
@@ -282,7 +282,7 @@ and
loads a connection and brings it up immediatly.
.B ignore
ignores the connection. This is equal to delete a connection from the config
-file.
+file.
Relevant only locally, other end need not agree on it
(but in general, for an intended-to-be-permanent connection,
both ends should use
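Review bot: the re-emitted "file." line only drops trailing whitespace, but the sentence it closes ("This is equal to delete a connection from the config file.") should read "This is equivalent to deleting the connection from the config file.", and the context line above it has the typo "immediatly" (immediately); both are worth fixing while this paragraph is being touched.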
@@ -314,7 +314,7 @@ are periodically sent in order to check the
liveliness of the IPsec peer. The values
.BR clear ,
.BR hold ,
-and
+and
.B restart
all activate DPD. If no activity is detected, all connections with a dead peer
are stopped and unrouted (
@@ -348,19 +348,23 @@ defines the timeout interval, after which all connections to a peer are deleted
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
.B eap
defines the EAP type to propose as server if the client requests EAP
authentication. This parameter is deprecated in the favour of
.B leftauth.
To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
+set
.B eap=radius
.TP
.B eap_identity
defines the identity the client uses to reply to a EAP Identity request.
If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
+identity during EAP authentication. The special value
.B %identity
uses the EAP Identity method to ask the client for a EAP identity. If not
defined, the IKEv2 identity will be used as EAP identity.
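Review bot: the new `inactivity` entry does not say what values it accepts or what the default is; since it is a timeout, state whether it takes the same time format as `lifetime` (integer with s/m/h/d suffix) and which value, if any, disables the check. The surrounding eap and eap_identity context lines also carry "in the favour of" (in favour of) and "a EAP Identity request" (an EAP), which could be fixed in the same hunk.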
@@ -374,7 +378,7 @@ and rekeying include a separate diffe hellman exchange (IKEv2 only).
.TP
.B forceencaps
Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to hurdle restrictive firewalls. To enforce the peer to
+This may help to hurdle restrictive firewalls. To enforce the peer to
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
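Review bot: the re-emitted line still says "To enforce the peer to encapsulate packets"; "To force the peer to encapsulate packets" is what is meant, and "hurdle restrictive firewalls" reads better as "traverse restrictive firewalls". The hunk header context also carries "diffe hellman" where "Diffie-Hellman" is intended.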
.TP
.B ike
@@ -403,8 +407,8 @@ which protocol should be used to initialize the connection. Connections marked w
.B ikev1
are initiated with pluto, those marked with
.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
.B keyexchange
setting. The default value
.B ike
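Review bot: "unaffected from the keyexchange setting" in the re-emitted lines should be "unaffected by the keyexchange setting".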
@@ -421,30 +425,8 @@ means 'never give up'.
Relevant only locally, other end need not agree on it.
.TP
.B keylife
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires.
-The two ends need not exactly agree on
-.BR keylife ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
+synonym for
+.BR lifetime .
.TP
.B left
(required)
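Review bot: the `keylife` entry is cut down to "synonym for lifetime" without saying whether keylife is kept only for backward compatibility with existing ipsec.conf files or is now deprecated; one sentence on its status tells readers whether to migrate to `lifetime`. The default and maximum removed here (1h, 24h) should be checked to have survived unchanged in the new `lifetime` entry further down.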
@@ -494,14 +476,14 @@ and
.TP
.B leftauth
Authentication method to use (local) or require (remote) in this connection.
-This parameter is supported in IKEv2 only. Acceptable values are
+This parameter is supported in IKEv2 only. Acceptable values are
.B pubkey
-for public key authentication (RSA/ECDSA),
+for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
to (require the) use of the Extensible Authentication Protocol. In the case
-of
+of
.B eap,
an optional EAP method can be appended. Currently defined methods are
.B eap-aka, eap-sim, eap-gtc, eap-md5
@@ -515,7 +497,7 @@ EAP methods are defined in the form
).
.TP
.B leftauth2
-Same as
+Same as
.B leftauth,
but defines an additional authentication exchange. IKEv2 supports multiple
authentication rounds using "Multiple Authentication Exchanges" defined
@@ -525,7 +507,7 @@ of host and user (IKEv2 only).
.B leftca
the distinguished name of a certificate authority which is required to
lie in the trust path going from the left participant's certificate up
-to the root certification authority.
+to the root certification authority.
.TP
.B leftca2
Same as
@@ -538,7 +520,7 @@ PEM or DER format. OpenPGP certificates are supported as well.
Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
are accepted. By default
.B leftcert
-sets
+sets
.B leftid
to the distinguished name of the certificate's subject and
.B leftca
@@ -679,7 +661,7 @@ or
.B %cfg,
an address is requested from the peer. In IKEv2, a defined address is requested,
but the server may change it. If the server does not support it, the address
-is enforced.
+is enforced.
.TP
.B rightsourceip
The internal source IP to use in a tunnel for the remote peer. If the
@@ -724,6 +706,61 @@ Relevant only locally, other end need not agree on it. IKEv2 uses the updown
script to insert firewall rules only. Routing is not support and will be
implemented directly into Charon.
.TP
+.B lifebytes
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifepackets
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifetime
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B marginbytes
+how many bytes before IPsec SA expiry (see
+.BR lifebytes )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B marginpackets
+how many packets before IPsec SA expiry (see
+.BR lifepackets )
+should attempts to negotiate a replacement begin (IKEv2 only).
+.TP
+.B margintime
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B lifetime
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.TP
.B mobike
enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
.B yes
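Review bot: the new `lifebytes`, `lifepackets`, `marginbytes` and `marginpackets` entries give no default value and do not say which value, if any, disables the byte or packet limit, whereas `lifetime` states "default 1h, maximum 24h" and `margintime` states "default 9m"; please document both for the four new keywords. `marginbytes` and `marginpackets` should also carry the "Relevant only locally, other end need not agree on it." sentence that `margintime` has, as they are the same kind of local rekeying threshold.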
@@ -759,7 +796,7 @@ PFS is enforced by defining a Diffie-Hellman modp group in the
.B esp
parameter.
.TP
-.B pfsgroup
+.B pfsgroup
defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
.TP
@@ -789,35 +826,35 @@ will be largely ineffective unless both ends agree on it.
.TP
.B rekeyfuzz
maximum percentage by which
-.B rekeymargin
+.BR marginbytes ,
+.B marginpackets
+and
+.B margintime
should be randomly increased to randomize rekeying intervals
(important for hosts with many connections);
acceptable values are an integer,
which may exceed 100,
followed by a `%'
-(default set by
-.IR pluto (8),
-currently
+(defaults to
.BR 100% ).
The value of
-.BR rekeymargin ,
+.BR marginTYPE ,
after this random increase,
must not exceed
-.BR keylife .
+.B lifeTYPE
+(where TYPE is one of
+.IR bytes ,
+.I packets
+or
+.IR time ).
The value
.B 0%
-will suppress time randomization.
+will suppress randomization.
Relevant only locally, other end need not agree on it.
.TP
.B rekeymargin
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B keylife
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
+synonym for
+.BR margintime .
.TP
.B type
the type of the connection; currently the accepted values
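Review bot: `.BR marginTYPE ,` and `.B lifeTYPE` set the placeholder TYPE in the same bold face as the literal prefix, so a reader cannot tell which part is to be substituted; use the mixed-font form this page already uses for ipsec\fIn\fR, i.e. \fBmargin\fITYPE\fR and \fBlife\fITYPE\fR. The text also says the increased margin "must not exceed" the lifetime but not what happens when it does (rejected when the config is loaded, or clamped); stating that would save users a surprise.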
@@ -854,7 +891,7 @@ and
(the default).
.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
+The following parameters are relevant to IKEv2 Mediation Extension
operation only.
.TP 14
.B mediation
@@ -884,7 +921,7 @@ of this connection will be used as peer ID.
.SH "CA SECTIONS"
This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). These parameters are not
+parameters to a Certification Authority (CA). These parameters are not
supported in IKEv2 yet.
.TP 10
.B auto
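Review bot: the re-emitted line belongs to a paragraph that opens with "This are optional sections"; change it to "These are optional sections" while this hunk is being edited.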
@@ -892,10 +929,10 @@ currently can have either the value
.B ignore
or
.B add
-.
+.
.TP
.B cacert
-defines a path to the CA certificate either relative to
+defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
.TP
.B crluri
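Review bot: the line consisting of a single `.` (only its trailing whitespace changes here) is a troff control line, so the sentence "currently can have either the value ignore or add" is rendered without its final period; drop that line and write the preceding line as `.BR add .` so the period is printed in roman after the bold keyword.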
@@ -970,7 +1007,7 @@ Accepted values are
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv2 support.
.TP
@@ -987,7 +1024,7 @@ Accepted values are
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv1 support.
.TP
@@ -1192,7 +1229,7 @@ value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
overriding IPsec's (large) default.
.SH CHOOSING A CONNECTION
.PP
-When choosing a connection to apply to an outbound packet caught with a
+When choosing a connection to apply to an outbound packet caught with a
.BR %trap,
the system prefers the one with the most specific eroute that
includes the packet's source and destination IP addresses.