From 7585facf05d927eb6df3929ce09ed5e60d905437 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 7 Feb 2013 13:27:27 +0100 Subject: Imported Upstream version 5.0.2 --- man/ipsec.conf.5.in | 53 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 7 deletions(-) (limited to 'man/ipsec.conf.5.in') diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index f4d7ed1d6..2766cc4ed 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -369,7 +369,7 @@ for the connection, e.g. .BR aes128-sha256 . The notation is .BR encryption-integrity[-dhgroup][-esnmode] . -.br + Defaults to .BR aes128-sha1,3des-sha1 . The daemon adds its extensive default proposal to this default @@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an exclamation mark .RB ( ! ) can be added at the end. -.br + .BR Note : As a responder the daemon accepts the first supported proposal received from the peer. In order to restrict a responder to only accept specific cipher 
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP +.BR fragmentation " = yes | force | " no +whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable +values are +.BR yes , +.B force +and +.B no +(the default). Fragmented messages sent by a peer are always accepted +irrespective of the value of this option. If set to +.BR yes , +and the peer supports it, larger IKE messages will be sent in fragments. +If set to +.B force +the initial IKE message will already be fragmented if required. +.TP .BR ike " = " comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used, e.g. .BR aes128-sha1-modp2048 . The notation is -.BR encryption-integrity-dhgroup . -In IKEv2, multiple algorithms and proposals may be included, such as -aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. +.BR encryption-integrity[-prf]-dhgroup . +If no PRF is given, the algorithms defined for integrity are used for the PRF. +The prf keywords are the same as the integrity algorithms, but have a +.B prf +prefix (such as +.BR prfsha1 , +.B prfsha256 +or +.BR prfaesxcbc ). .br +In IKEv2, multiple algorithms and proposals may be included, such as +.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 . + Defaults to .BR aes128-sha1-modp2048,3des-sha1-modp1536 . The daemon adds its extensive default proposal to this 
@@ -419,13 +443,14 @@ default or the configured value. To restrict it to the configured proposal an exclamation mark .RB ( ! ) can be added at the end. -.br + .BR Note : As a responder the daemon accepts the first supported proposal received from the peer. In order to restrict a responder to only accept specific cipher suites, the strict flag .RB ( ! , -exclamation mark) can be used, e.g: aes256-sha512-modp4096! +exclamation mark) can be used, e.g: +.BR aes256-sha512-modp4096! .TP .BR ikelifetime " = " 3h " |
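Review bot: in the first hunk the `-.br` / `+` pair replaces an explicit line break with an empty input line before `Defaults to`; an empty line in roff source is a blank vertical line that some formatters and lint tools complain about, so if the intent is a new paragraph, `.PP` (or `.sp` for plain spacing) states that explicitly and renders the same everywhere.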
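Review bot: the second hunk makes the same `.br` to blank-line change before `.BR Note :` in the esp section; whatever is chosen for the first hunk (`.PP` rather than an empty input line) should be applied here too so the two identical "Note" paragraphs are formatted the same way.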
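Review bot: the new `fragmentation` entry states that fragmented messages from a peer are always accepted irrespective of the setting, but it never says outright that the option therefore only affects what this side sends; a sentence such as "This option only controls whether the daemon sends fragmented messages" would stop readers from reading `no` as a way to refuse fragmented input, which this text says is not possible. The `force` paragraph also leaves open whether later messages are still fragmented as with `yes`; wording like "If set to `force`, the initial IKE message is fragmented as well (if required)" would make the relationship to `yes` explicit. In the `ike` part of the hunk the new `encryption-integrity[-prf]-dhgroup` notation is only illustrated by the bare keywords `prfsha1`, `prfsha256` and `prfaesxcbc`; one full proposal string built from keywords already in the page, e.g. `aes128-sha256-prfsha256-modp2048`, next to the existing `aes128-sha1-modp2048` example would show readers where the PRF goes.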
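Review bot: the added line `+exclamation mark) can be used, e.g:` keeps the `e.g:` typo (should be `e.g.:` or `e.g.`); since the example is being moved onto its own `.BR aes256-sha512-modp4096!` line anyway, this is the place to fix it. The hunk also repeats the `.br` to empty-line change before `.BR Note :`; `.PP` would be consistent with the fix suggested for the earlier hunks.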