summaryrefslogtreecommitdiff
path: root/src/swanctl/swanctl.conf
diff options
context:
space:
mode:
Diffstat (limited to 'src/swanctl/swanctl.conf')
-rw-r--r--src/swanctl/swanctl.conf306
1 files changed, 306 insertions, 0 deletions
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
new file mode 100644
index 000000000..8cff81feb
--- /dev/null
+++ b/src/swanctl/swanctl.conf
@@ -0,0 +1,306 @@
+# Section defining IKE connection configurations.
+# connections {
+
+ # Section for an IKE connection named <conn>.
+ # <conn> {
+
+ # IKE major version to use for connection.
+ # version = 0
+
+ # Local address(es) to use for IKE communication, comma separated.
+ # local_addrs = %any
+
+ # Remote address(es) to use for IKE communication, comma separated.
+ # remote_addrs = %any
+
+ # Local UPD port for IKE communication.
+ # local_port = 500
+
+ # Remote UDP port for IKE communication.
+ # remote_port = 500
+
+ # Comma separated proposals to accept for IKE.
+ # proposals = default
+
+ # Virtual IPs to request in configuration payload / Mode Config.
+ # vips =
+
+ # Use Aggressive Mode in IKEv1.
+ # aggressive = no
+
+ # Set the Mode Config mode to use.
+ # pull = yes
+
+ # Enforce UDP encapsulation by faking NAT-D payloads.
+ # encap = no
+
+ # Enables MOBIKE on IKEv2 connections.
+ # mobike = yes
+
+ # Interval of liveness checks (DPD).
+ # dpd_delay = 0s
+
+ # Timeout for DPD checks (IKEV1 only).
+ # dpd_timeout = 0s
+
+ # Use IKEv1 UDP packet fragmentation (yes, no or force).
+ # fragmentation = no
+
+ # Send certificate requests payloads (yes or no).
+ # send_certreq = yes
+
+ # Send certificate payloads (yes, no or ifasked).
+ # send_cert = ifasked
+
+ # Number of retransmission sequences to perform during initial connect.
+ # keyingtries = 1
+
+ # Connection uniqueness policy (never, no, keep or replace).
+ # unique = no
+
+ # Time to schedule IKE reauthentication.
+ # reauth_time = 0s
+
+ # Time to schedule IKE rekeying.
+ # rekey_time = 4h
+
+ # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+ # over_time = 10% of rekey_time/reauth_time
+
+ # Range of random time to subtract from rekey/reauth times.
+ # rand_time = over_time
+
+ # Comma separated list of named IP pools.
+ # pools =
+
+ # Section for a local authentication round.
+ # local<suffix> {
+
+ # Comma separated list of certificate candidates to use for
+ # authentication.
+ # certs =
+
+ # Authentication to perform locally (pubkey, psk, xauth[-backend] or
+ # eap[-method]).
+ # auth = pubkey
+
+ # IKE identity to use for authentication round.
+ # id =
+
+ # Client EAP-Identity to use in EAP-Identity exchange and the EAP
+ # method.
+ # eap_id = id
+
+ # Server side EAP-Identity to expect in the EAP method.
+ # aaa_id = remote-id
+
+ # Client XAuth username used in the XAuth exchange.
+ # xauth_id = id
+
+ # }
+
+ # Section for a remote authentication round.
+ # remote<suffix> {
+
+ # IKE identity to expect for authentication round.
+ # id = %any
+
+ # Authorization group memberships to require.
+ # groups =
+
+ # Comma separated list of certificate to accept for authentication.
+ # certs =
+
+ # Comma separated list of CA certificates to accept for
+ # authentication.
+ # cacert =
+
+ # Certificate revocation policy, (strict, ifuri or relaxed).
+ # revocation = relaxed
+
+ # Authentication to expect from remote (pubkey, psk, xauth[-backend]
+ # or eap[-method]).
+ # auth = pubkey
+
+ # }
+
+ # children {
+
+ # CHILD_SA configuration sub-section.
+ # <child> {
+
+ # AH proposals to offer for the CHILD_SA.
+ # ah_proposals =
+
+ # ESP proposals to offer for the CHILD_SA.
+ # esp_proposals = default
+
+ # Local traffic selectors to include in CHILD_SA.
+ # local_ts = dynamic
+
+ # Remote selectors to include in CHILD_SA.
+ # remote_ts = dynamic
+
+ # Time to schedule CHILD_SA rekeying.
+ # rekey_time = 1h
+
+ # Maximum lifetime before CHILD_SA gets closed, as time.
+ # life_time = rekey_time + 10%
+
+ # Range of random time to subtract from rekey_time.
+ # rand_time = life_time - rekey_time
+
+ # Number of bytes processed before initiating CHILD_SA rekeying.
+ # rekey_bytes = 0
+
+ # Maximum bytes processed before CHILD_SA gets closed.
+ # life_bytes = rekey_bytes + 10%
+
+ # Range of random bytes to subtract from rekey_bytes.
+ # rand_bytes = life_bytes - rekey_bytes
+
+ # Number of packets processed before initiating CHILD_SA
+ # rekeying.
+ # rekey_packets = 0
+
+ # Maximum number of packets processed before CHILD_SA gets
+ # closed.
+ # life_packets = rekey_packets + 10%
+
+ # Range of random packets to subtract from packets_bytes.
+ # rand_packets = life_packets - rekey_packets
+
+ # Updown script to invoke on CHILD_SA up and down events.
+ # updown =
+
+ # Hostaccess variable to pass to updown script.
+ # hostaccess = yes
+
+ # IPsec Mode to establish (tunnel, transport, beet, pass or
+ # drop).
+ # mode = tunnel
+
+ # Action to perform on DPD timeout (clear, trap or restart).
+ # dpd_action = clear
+
+ # Enable IPComp compression before encryption.
+ # ipcomp = no
+
+ # Timeout before closing CHILD_SA after inactivity.
+ # inactivity = 0s
+
+ # Fixed reqid to use for this CHILD_SA.
+ # reqid = 0
+
+ # Netfilter mark and mask for input traffic.
+ # mark_in = 0/0x00000000
+
+ # Netfilter mark and mask for output traffic.
+ # mark_out = 0/0x00000000
+
+ # Traffic Flow Confidentiality padding.
+ # tfc_padding = 0
+
+ # IPsec replay window to configure for this CHILD_SA.
+ # replay_window = 32
+
+ # Action to perform after loading the configuration (none, trap,
+ # start).
+ # start_action = none
+
+ # Action to perform after a CHILD_SA gets closed (none, trap,
+ # start).
+ # close_action = none
+
+ # }
+
+ # }
+
+ # }
+
+# }
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+# secrets {
+
+ # EAP secret section for a specific secret.
+ # eap<suffix> {
+
+ # Value of the EAP/XAuth secret.
+ # secret =
+
+ # Identity the EAP/XAuth secret belongs to.
+ # id<suffix> =
+
+ # }
+
+ # XAuth secret section for a specific secret.
+ # xauth<suffix> {
+
+ # }
+
+ # IKE preshared secret section for a specific secret.
+ # ike<suffix> {
+
+ # Value of the IKE preshared secret.
+ # secret =
+
+ # IKE identity the IKE preshared secret belongs to.
+ # id<suffix> =
+
+ # }
+
+ # Private key decryption passphrase for a key in the rsa folder.
+ # rsa<suffix> {
+
+ # File name in the rsa folder for which this passphrase should be used.
+ # file =
+
+ # Value of decryption passphrase for RSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the ecdsa folder.
+ # ecdsa<suffix> {
+
+ # File name in the ecdsa folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for ECDSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the pkcs8 folder.
+ # pkcs8<suffix> {
+
+ # File name in the pkcs8 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#8 key.
+ # secret =
+
+ # }
+
+# }
+
+# Section defining named pools.
+# pools {
+
+ # Section defining a single pool with a unique name.
+ # <name> {
+
+ # Subnet defining addresses allocated in pool.
+ # addrs =
+
+ # Comma separated list of additional attributes from type <attr>.
+ # <attr> =
+
+ # }
+
+# }
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 16:09:46 +0000