Diffstat (limited to 'src/swanctl/swanctl.conf.5.main')
-rw-r--r-- src/swanctl/swanctl.conf.5.main | 63
1 files changed, 47 insertions, 16 deletions
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 013e35fb7..697bd406a 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -151,22 +151,23 @@ compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKE2. .TP -.BR connections.<conn>.fragmentation " [no]" +.BR connections.<conn>.fragmentation " [yes]" Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are -.RI "" "yes" "," +.RI "" "yes" "" +(the default), .RI "" "force" "" and -.RI "" "no" "" -(the default). -Fragmented IKE messages sent by a peer are always accepted irrespective of the -value of this option. If set to +.RI "" "no" "." +Fragmented IKE messages sent by a peer are always accepted irrespective of +the value of this option. If set to .RI "" "yes" "," -and the peer supports it, oversized IKE -messages will be sent in fragments. If set to +and the peer supports it, +oversized IKE messages will be sent in fragments. If set to .RI "" "force" "" -(only supported for -IKEv1) the initial IKE message will already be fragmented if required. +(only +supported for IKEv1) the initial IKE message will already be fragmented if +required. .TP .BR connections.<conn>.send_certreq " [yes]" 
@@ -594,7 +595,9 @@ the CHILD_SA configuration, which must be unique within the connection. AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For AH, this includes an integrity algorithm and an optional Diffie\-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation -uses a separate Diffie\-Hellman exchange using the specified group. +uses a separate Diffie\-Hellman exchange using the specified group (refer to +.RI "" "esp_proposals" "" +for details). In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is @@ -617,14 +620,19 @@ algorithm, an optional Diffie\-Hellman group and an optional Extended Sequence Number Mode indicator. For AEAD proposals, a combined mode algorithm is used instead of the separate encryption/integrity algorithms. -If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non -IKE_AUTH piggybacked) negotiation uses a separate Diffie\-Hellman exchange using -the specified group. Extended Sequence Number support may be indicated with the +If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation +use a separate Diffie\-Hellman exchange using the specified group. However, for +IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always +be derived from the IKE_SA's key material. So any DH group specified here will +only apply when the CHILD_SA is later rekeyed or is created with a separate +CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately +be noticed when the SA is established, but may later cause rekeying to fail. + +Extended Sequence Number support may be indicated with the .RI "" "esn" "" and .RI "" "noesn" "" -values, both may be included to indicate support for both -modes. If omitted, +values, both may be included to indicate support for both modes. If omitted, .RI "" "noesn" "" is assumed. 
@@ -821,6 +829,12 @@ Whether to install IPsec policies or not. Disabling this can be useful in some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. .TP +.BR connections.<conn>.children.<child>.policies_fwd_out " [no]" +Whether to install outbound FWD IPsec policies or not. Enabling this is required +in case there is a drop policy that would match and block forwarded traffic for +this CHILD_SA. + +.TP .BR connections.<conn>.children.<child>.dpd_action " [clear]" Action to perform for this CHILD_SA on DPD timeout. The default .RI "" "clear" "" @@ -1022,6 +1036,23 @@ prefix, if a secret is shared between multiple peers. .TP +.B secrets.private<suffix> +.br +Private key decryption passphrase for a key in the +.RI "" "private" "" +folder. + +.TP +.BR secrets.private<suffix>.file " []" +File name in the +.RI "" "private" "" +folder for which this passphrase should be used. + +.TP +.BR secrets.private<suffix>.secret " []" +Value of decryption passphrase for private key. + +.TP .B secrets.rsa<suffix> .br Private key decryption passphrase for a key in the |
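Review bot: the connections.<conn>.fragmentation hunk flips the default from no to yes (header and "(the default)" marker are updated consistently), but nothing in the entry tells a reader that the default changed; since this entry is the only place an operator will look when a previously unfragmented peer suddenly receives fragments, suggest one sentence such as "The default was changed from no to yes" (naming the release, if the project records that) so that existing configurations relying on the old default are pointed at an explicit `fragmentation = no`.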
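Review bot: in the ah_proposals hunk the added "(refer to esp_proposals for details)" only points at the caveat written further down, so a reader of the AH entry alone does not learn that a DH group configured here is ignored for the IKEv2 CHILD_SA created together with the IKE_SA; suggest stating that in one clause, e.g. "the same IKEv2 restriction on the CHILD_SA created with the IKE_SA applies", and keeping the pointer only for the full explanation.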
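Review bot: the new paragraph in the esp_proposals hunk correctly explains that the keys of the CHILD_SA created with the IKE_SA come from the IKE_SA's key material, but "A proposal mismatch might, therefore, not immediately be noticed" leaves the failure mode vague; suggest stating plainly that the DH group is not negotiated in IKE_AUTH, so a peer that does not support the configured group accepts the initial CHILD_SA and only rejects the proposal in the later CREATE_CHILD_SA, at which point rekeying fails and the SA is lost. It is also worth one sentence that the initial CHILD_SA's keys are therefore tied to the IKE_SA's key material rather than to a separate DH exchange, because a separate exchange is exactly what operators configuring a group here usually expect to get.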
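Review bot: the new policies_fwd_out entry says enabling it "is required in case there is a drop policy that would match and block forwarded traffic", but does not say what an outbound FWD policy is, why it is off by default, or how it interacts with the `policies` option immediately above it (presumably no FWD policy of either direction is installed when policies = no, but the text should say so); suggest one sentence on each so an operator can decide without reading the source. "Enabling this is required in case" would also read more naturally as "Enable this if a drop policy would otherwise match and block".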
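Review bot: the new secrets.private<suffix> section sits directly above the existing secrets.rsa<suffix> section and opens with the same wording ("Private key decryption passphrase for a key in the ... folder"), so the relationship between the two is unclear; suggest stating whether private<suffix> is the generic form for any key type placed in the private folder and whether the key-type-specific sections such as rsa<suffix> remain for keys in their own folders. For the .secret entry ("Value of decryption passphrase for private key") a pointer to how swanctl.conf itself must be protected would help, since the passphrase that unlocks the key is stored in that file in clear text.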