path: root/src/swanctl/swanctl.conf.5.main
Diffstat (limited to 'src/swanctl/swanctl.conf.5.main')
-rw-r--r--  src/swanctl/swanctl.conf.5.main  253
1 files changed, 242 insertions, 11 deletions
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 697bd406a..6e1e9adfb 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -35,6 +35,9 @@ As initiator, the first non\-range/non\-subnet is used to initiate the connectio
from. As responder, the local destination address must match at least to one of
the specified addresses, subnets or ranges.
+If FQDNs are assigned they are resolved every time a configuration lookup is
+done. If DNS resolution times out, the lookup is delayed for that time.
+
.TP
.BR connections.<conn>.remote_addrs " [%any]"
Remote address(es) to use for IKE communication, comma separated. Takes single
@@ -44,6 +47,9 @@ As initiator, the first non\-range/non\-subnet is used to initiate the connectio
to. As responder, the initiator source address must match at least to one of the
specified addresses, subnets or ranges.
+If FQDNs are assigned they are resolved every time a configuration lookup is
+done. If DNS resolution times out, the lookup is delayed for that time.
+
To initiate a connection, at least one specific address or DNS name must be
specified.
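Review bot: the paragraph added under remote_addrs is a verbatim copy of the one added under local_addrs in the previous hunk; state the resolution behaviour once and cross-reference it from the other entry so the two cannot drift apart. For remote_addrs in particular it is worth one sentence reminding the reader that the resolved address is not authenticated by the lookup itself: the peer's identity is established by the remote<suffix> authentication round, so a resolver answer that points elsewhere costs availability, not authentication.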
@@ -118,6 +124,12 @@ Push mode is currently supported for IKEv1, but not in IKEv2. It is used by a
few implementations only, pull mode is recommended.
.TP
+.BR connections.<conn>.dscp " [000000]"
+Differentiated Services Field Codepoint to set on outgoing IKE packets for this
+connection. The value is a six digit binary encoded string specifying the
+Codepoint to set, as defined in RFC 2474.
+
+.TP
.BR connections.<conn>.encap " [no]"
To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT
detection payloads. This makes the peer believe that NAT takes place on the
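Review bot: the new dscp entry does not say how a value that is not exactly six binary digits is treated (rejected when the configuration is loaded, or ignored with the 000000 default applied); a typo in this field would otherwise go unnoticed, so please state it. Minor wording: "a six digit binary encoded string" is clearer as "a six-digit binary string" with one example value (e.g. 101110 for the EF codepoint), which removes any doubt about whether the string is binary digits or a decimal/hex number.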
@@ -303,6 +315,30 @@ either the
section or an external pool.
.TP
+.BR connections.<conn>.mediation " [no]"
+Whether this connection is a mediation connection, that is, whether this
+connection is used to mediate other connections using the IKEv2 Mediation
+Extension. Mediation connections create no CHILD_SA.
+
+.TP
+.BR connections.<conn>.mediated_by " []"
+The name of the connection to mediate this connection through. If given, the
+connection will be mediated through the named mediation connection. The
+mediation connection must have
+.RB "" "mediation" ""
+enabled.
+
+.TP
+.BR connections.<conn>.mediation_peer " []"
+Identity under which the peer is registered at the mediation server, that is,
+the IKE identity the other end of this connection uses as its local identity on
+its connection to the mediation server. This is the identity we request the
+mediation server to mediate us with. Only relevant on connections that set
+.RB "" "mediated_by" "."
+If it is not given, the remote IKE identity of the first
+authentication round of this connection will be used.
+
+.TP
.B connections.<conn>.local<suffix>
.br
Section for a local authentication round. A local authentication round defines
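Review bot: mediated_by says the named connection "must have mediation enabled" but not what happens when the name refers to a connection without it, or to no connection at all; a sentence on the failure mode (refused at load time, or at initiation) would help operators diagnose it. In mediation_peer, the fallback "the remote IKE identity of the first authentication round of this connection" should name the key it reads, i.e. the id of this connection's first remote<suffix> section. Since the feature is described as the "IKEv2 Mediation Extension", the mediation entry should also say that the three keys have no effect on IKEv1 connections.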
@@ -334,6 +370,37 @@ certificate request payloads. If no appropriate CA can be located, the first
certificate is used.
.TP
+.BR connections.<conn>.local<suffix>.cert<suffix> " []"
+Section for a certificate candidate to use for authentication. Certificates in
+.RI "" "certs" ""
+are transmitted as binary blobs, these sections offer more flexibility.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.slot " []"
+Optional slot number of the token that stores the certificate.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
.BR connections.<conn>.local<suffix>.pubkeys " []"
Comma separated list of raw public key candidates to use for authentication. The
public keys may use a relative path from the
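Review bot: in the new local<suffix>.cert<suffix> entries, "Configure either this or handle, but not both, in one section" leaves the behaviour when both file and handle are set undocumented; say whether the section is rejected or which key takes precedence. The file entry should contrast explicitly with certs, which may use a path relative to the swanctl directory, whereas here the path is passed unchanged to the daemon and resolved by it. Style: "Certificates in certs are transmitted as binary blobs, these sections offer more flexibility" is a comma splice; a semicolon or "whereas" fixes it.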
@@ -498,6 +565,11 @@ certified by different means, for example by appropriate Attribute Certificates
or by an AAA backend involved in the authentication.
.TP
+.BR connections.<conn>.remote<suffix>.cert_policy " []"
+Comma separated list of certificate policy OIDs the peer's certificate must
+have. OIDs are specified using the numerical dotted representation.
+
+.TP
.BR connections.<conn>.remote<suffix>.certs " []"
Comma separated list of certificates to accept for authentication. The
certificates may use a relative path from the
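Review bot: "certificate policy OIDs the peer's certificate must have" is ambiguous: must the certificate carry every listed policy, or is any one of them sufficient? This matters for access control, because a reader who assumes "all" gets weaker enforcement than intended if the daemon implements "any". State the rule explicitly, and say whether only the end-entity certificate is checked or the policy must also be permitted along the chain.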
@@ -507,6 +579,37 @@ directory or an
absolute path.
.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix> " []"
+Section for a certificate to accept for authentication. Certificates in
+.RI "" "certs" ""
+are transmitted as binary blobs, these sections offer more flexibility.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.slot " []"
+Optional slot number of the token that stores the certificate.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
.BR connections.<conn>.remote<suffix>.cacerts " []"
Comma separated list of CA certificates to accept for authentication. The
certificates may use a relative path from the
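Review bot: these remote<suffix>.cert<suffix> entries repeat the local<suffix>.cert<suffix> text word for word apart from "candidate to use" versus "to accept", but the trust semantics differ and deserve a sentence here: say whether a certificate configured in this section is accepted directly (pinned, without chain validation against cacerts) or only as a candidate that must still chain to a configured CA. The same both-keys-set question raised for the local entries applies to the file/handle pair here.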
@@ -516,6 +619,38 @@ directory or
an absolute path.
.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix> " []"
+Section for a CA certificate to accept for authentication. Certificates in
+.RI "" "cacerts" ""
+are transmitted as binary blobs, these sections offer more
+flexibility.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the CA certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.slot " []"
+Optional slot number of the token that stores the CA certificate.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
.BR connections.<conn>.remote<suffix>.pubkeys " []"
Comma separated list of raw public keys to accept for authentication. The public
keys may use a relative path from the
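Review bot: cacert<suffix>.handle loads a trust anchor from a PKCS#11 token, which puts the token and the module named in cacert<suffix>.module inside the trust boundary: whoever can replace the object with that CKA_ID controls which CA the daemon accepts. The entry should say that the token object needs the same protection as the x509ca directory. Style: "offer more" followed by "flexibility" on the next line breaks differently from the two earlier, otherwise identical paragraphs, which keep the phrase on one line.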
@@ -673,9 +808,16 @@ for RFC 4301
OPAQUE selectors. Port ranges may be specified as well, none of the kernel
backends currently support port ranges, though.
-Unless the Unity extension is used, IKEv1 supports the first specified selector
-only. IKEv1 uses very similar traffic selector narrowing as it is supported in
-the IKEv2 protocol.
+When IKEv1 is used only the first selector is interpreted, except if the Cisco
+Unity extension plugin is used. This is due to a limitation of the IKEv1
+protocol, which only allows a single pair of selectors per CHILD_SA. So to
+tunnel traffic matched by several pairs of selectors when using IKEv1 several
+children (CHILD_SAs) have to be defined that cover the selectors.
+
+The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is
+standardized and implemented for IKEv2. However, this may lead to problems with
+other implementations. To avoid that, configure identical selectors in such
+scenarios.
.TP
.BR connections.<conn>.children.<child>.remote_ts " [dynamic]"
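Review bot: the replacement text strengthens the old "very similar traffic selector narrowing" to "the same way it is standardized and implemented for IKEv2"; if IKEv1 narrowing really is identical that is fine, otherwise the previous wording was the accurate one. "configure identical selectors in such scenarios" should say identical on both peers, since that is what avoids the interoperability problem described. Nit: "When IKEv1 is used only the first selector is interpreted" needs a comma after "used".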
@@ -803,10 +945,12 @@ negotiates the CHILD_SA in IPsec
Tunnel Mode, whereas
.RI "" "transport" ""
uses IPsec Transport Mode.
+.RI "" "transport_proxy" ""
+signifying the special Mobile IPv6 Transport Proxy Mode.
.RI "" "beet" ""
-is the Bound
-End to End Tunnel mixture mode, working with fixed inner addresses without the
-need to include them in each packet.
+is the Bound End
+to End Tunnel mixture mode, working with fixed inner addresses without the need
+to include them in each packet.
Both
.RI "" "transport" ""
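Review bot: once rendered, the inserted lines read "transport_proxy signifying the special Mobile IPv6 Transport Proxy Mode", which has no finite verb; the neighbouring entries use "uses" and "is", so "signifies" or "selects the special Mobile IPv6 Transport Proxy Mode" fits. The change to the beet sentence is a rewrap only.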
@@ -1011,6 +1155,33 @@ secrets under both section prefixes are used for both EAP and XAuth
authentication.
.TP
+.B secrets.ntlm<suffix>
+.br
+NTLM secret section for a specific secret. Each NTLM secret is defined in a
+unique section having the
+.RI "" "ntlm" ""
+prefix. NTLM secrets may only be used for
+EAP\-MSCHAPv2 authentication.
+
+.TP
+.BR secrets.ntlm<suffix>.secret " []"
+Value of the NTLM secret, which is the NT Hash of the actual secret, that is,
+MD4(UTF\-16LE(secret)). The resulting 16\-byte value may either be given as a hex
+encoded string with a
+.RI "" "0x" ""
+prefix or as a Base64 encoded string with a
+.RI "" "0s" ""
+prefix.
+
+.TP
+.BR secrets.ntlm<suffix>.id<suffix> " []"
+Identity the NTLM secret belongs to. Multiple unique identities may be
+specified, each having an
+.RI "" "id" ""
+prefix, if a secret is shared between multiple
+users.
+
+.TP
.B secrets.ike<suffix>
.br
IKE preshared secret section for a specific secret. Each IKE PSK is defined in a
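Review bot: secrets.ntlm<suffix>.secret defines the value as the NT hash, MD4(UTF-16LE(secret)); the entry should state that this hash is unsalted and is itself the EAP-MSCHAPv2 credential, so a swanctl.conf containing it is as sensitive as the plaintext password and must be protected with the same file permissions. Also worth a sentence on which secret is consulted when an ntlm section and an eap section both match the same id, given that the preceding context says EAP and XAuth secrets are shared across section prefixes.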
@@ -1121,6 +1292,28 @@ folder for which this passphrase should be used.
Value of decryption passphrase for PKCS#12 container.
.TP
+.B secrets.token<suffix>
+.br
+Definition for a private key that's stored on a token/smartcard.
+
+.TP
+.BR secrets.token<suffix>.handle " []"
+Hex\-encoded CKA_ID of the private key on the token.
+
+.TP
+.BR secrets.token<suffix>.slot " []"
+Optional slot number to access the token.
+
+.TP
+.BR secrets.token<suffix>.module " []"
+Optional PKCS#11 module name to access the token.
+
+.TP
+.BR secrets.token<suffix>.pin " []"
+Optional PIN required to access the key on the token. If none is provided the
+user is prompted during an interactive \-\-load\-creds call.
+
+.TP
.B pools
.br
Section defining named pools. Named pools may be referenced by connections with
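Review bot: secrets.token<suffix>.pin stores the PIN in cleartext in the configuration; say so plainly and recommend leaving it unset so that --load-creds prompts interactively. It should also say what happens when a configured PIN is wrong, since some tokens lock after a few failed attempts and a retry on every load would be harmful. The section description ("Definition for a private key that's stored on a token/smartcard") does not say how the key is associated with a configured certificate; one sentence on that would help. Minor: "Optional slot number to access the token" differs from the "slot number of the token that stores ..." phrasing used in the certificate sections.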
@@ -1172,19 +1365,57 @@ Section defining a certification authority with a unique name.
.TP
.BR authorities.<name>.cacert " []"
-The certificates may use a relative path from the
+CA certificate belonging to the certification authority. The certificates may
+use a relative path from the
.RB "" "swanctl" ""
.RI "" "x509ca" ""
-directory
-or an absolute path.
+directory or an absolute path.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.handle " []"
+Hex\-encoded CKA_ID of the CA certificate on a token.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.slot " []"
+Optional slot number of the token that stores the CA certificate.
+
+.TP
+.BR authorities.<name>.module " []"
+Optional PKCS#11 module name.
.TP
.BR authorities.<name>.crl_uris " []"
-Comma\-separated list of CRL distribution points (ldap, http, or file URI)
+Comma\-separated list of CRL distribution points (ldap, http, or file URI).
.TP
.BR authorities.<name>.ocsp_uris " []"
-Comma\-separated list of OCSP URIs
+Comma\-separated list of OCSP URIs.
.TP
.BR authorities.<name>.cert_uri_base " []"
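Review bot: the "Configure one of cacert, file, or handle per section" paragraph is repeated three times in this hunk; state it once in the authorities.<name> section description and drop the repeats, together with what happens when more than one is set. The unchanged ".TP" before crl_uris now follows the module entry without a blank line, unlike every other new entry in this patch, which ends with a blank line before ".TP"; add one for consistency. As with cacert<suffix>.handle, a CA loaded via authorities.<name>.handle from a token defines trust, so the entry should note that the token object needs the same protection as the x509ca directory. The crl_uris and ocsp_uris changes are punctuation only.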