# Section defining IKE connection configurations. # connections { # Section for an IKE connection named . # { # IKE major version to use for connection. # version = 0 # Local address(es) to use for IKE communication, comma separated. # local_addrs = %any # Remote address(es) to use for IKE communication, comma separated. # remote_addrs = %any # Local UPD port for IKE communication. # local_port = 500 # Remote UDP port for IKE communication. # remote_port = 500 # Comma separated proposals to accept for IKE. # proposals = default # Virtual IPs to request in configuration payload / Mode Config. # vips = # Use Aggressive Mode in IKEv1. # aggressive = no # Set the Mode Config mode to use. # pull = yes # Enforce UDP encapsulation by faking NAT-D payloads. # encap = no # Enables MOBIKE on IKEv2 connections. # mobike = yes # Interval of liveness checks (DPD). # dpd_delay = 0s # Timeout for DPD checks (IKEV1 only). # dpd_timeout = 0s # Use IKEv1 UDP packet fragmentation (yes, no or force). # fragmentation = no # Send certificate requests payloads (yes or no). # send_certreq = yes # Send certificate payloads (yes, no or ifasked). # send_cert = ifasked # Number of retransmission sequences to perform during initial connect. # keyingtries = 1 # Connection uniqueness policy (never, no, keep or replace). # unique = no # Time to schedule IKE reauthentication. # reauth_time = 0s # Time to schedule IKE rekeying. # rekey_time = 4h # Hard IKE_SA lifetime if rekey/reauth does not complete, as time. # over_time = 10% of rekey_time/reauth_time # Range of random time to subtract from rekey/reauth times. # rand_time = over_time # Comma separated list of named IP pools. # pools = # Section for a local authentication round. # local { # Comma separated list of certificate candidates to use for # authentication. # certs = # Authentication to perform locally (pubkey, psk, xauth[-backend] or # eap[-method]). # auth = pubkey # IKE identity to use for authentication round. # id = # Client EAP-Identity to use in EAP-Identity exchange and the EAP # method. # eap_id = id # Server side EAP-Identity to expect in the EAP method. # aaa_id = remote-id # Client XAuth username used in the XAuth exchange. # xauth_id = id # } # Section for a remote authentication round. # remote { # IKE identity to expect for authentication round. # id = %any # Authorization group memberships to require. # groups = # Comma separated list of certificate to accept for authentication. # certs = # Comma separated list of CA certificates to accept for # authentication. # cacert = # Certificate revocation policy, (strict, ifuri or relaxed). # revocation = relaxed # Authentication to expect from remote (pubkey, psk, xauth[-backend] # or eap[-method]). # auth = pubkey # } # children { # CHILD_SA configuration sub-section. # { # AH proposals to offer for the CHILD_SA. # ah_proposals = # ESP proposals to offer for the CHILD_SA. # esp_proposals = default # Local traffic selectors to include in CHILD_SA. # local_ts = dynamic # Remote selectors to include in CHILD_SA. # remote_ts = dynamic # Time to schedule CHILD_SA rekeying. # rekey_time = 1h # Maximum lifetime before CHILD_SA gets closed, as time. # life_time = rekey_time + 10% # Range of random time to subtract from rekey_time. # rand_time = life_time - rekey_time # Number of bytes processed before initiating CHILD_SA rekeying. # rekey_bytes = 0 # Maximum bytes processed before CHILD_SA gets closed. # life_bytes = rekey_bytes + 10% # Range of random bytes to subtract from rekey_bytes. # rand_bytes = life_bytes - rekey_bytes # Number of packets processed before initiating CHILD_SA # rekeying. # rekey_packets = 0 # Maximum number of packets processed before CHILD_SA gets # closed. # life_packets = rekey_packets + 10% # Range of random packets to subtract from packets_bytes. # rand_packets = life_packets - rekey_packets # Updown script to invoke on CHILD_SA up and down events. # updown = # Hostaccess variable to pass to updown script. # hostaccess = yes # IPsec Mode to establish (tunnel, transport, beet, pass or # drop). # mode = tunnel # Action to perform on DPD timeout (clear, trap or restart). # dpd_action = clear # Enable IPComp compression before encryption. # ipcomp = no # Timeout before closing CHILD_SA after inactivity. # inactivity = 0s # Fixed reqid to use for this CHILD_SA. # reqid = 0 # Netfilter mark and mask for input traffic. # mark_in = 0/0x00000000 # Netfilter mark and mask for output traffic. # mark_out = 0/0x00000000 # Traffic Flow Confidentiality padding. # tfc_padding = 0 # IPsec replay window to configure for this CHILD_SA. # replay_window = 32 # Action to perform after loading the configuration (none, trap, # start). # start_action = none # Action to perform after a CHILD_SA gets closed (none, trap, # start). # close_action = none # } # } # } # } # Section defining secrets for IKE/EAP/XAuth authentication and private key # decryption. # secrets { # EAP secret section for a specific secret. # eap { # Value of the EAP/XAuth secret. # secret = # Identity the EAP/XAuth secret belongs to. # id = # } # XAuth secret section for a specific secret. # xauth { # } # IKE preshared secret section for a specific secret. # ike { # Value of the IKE preshared secret. # secret = # IKE identity the IKE preshared secret belongs to. # id = # } # Private key decryption passphrase for a key in the rsa folder. # rsa { # File name in the rsa folder for which this passphrase should be used. # file = # Value of decryption passphrase for RSA key. # secret = # } # Private key decryption passphrase for a key in the ecdsa folder. # ecdsa { # File name in the ecdsa folder for which this passphrase should be # used. # file = # Value of decryption passphrase for ECDSA key. # secret = # } # Private key decryption passphrase for a key in the pkcs8 folder. # pkcs8 { # File name in the pkcs8 folder for which this passphrase should be # used. # file = # Value of decryption passphrase for PKCS#8 key. # secret = # } # } # Section defining named pools. # pools { # Section defining a single pool with a unique name. # { # Subnet defining addresses allocated in pool. # addrs = # Comma separated list of additional attributes from type . # = # } # }