ipsec.conf: conn <название_подключения>

Обратите внимание: полужирным шрифтом выделены значения по-умолчанию

Общие параметры настройки для подключения


defines the identity of the AAA backend used during IKEv2 EAP authentication. This is required if the EAP client uses a method that verifies the server identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.

comma-separated list of AH algorithms to be used for the connection, e.g. sha1-sha256-modp1024. The notation is integrity[-dhgroup]. For IKEv2, multiple algorithms (separated by -) of the same type can be included in a single proposal. IKEv1 only includes the first algorithm in a proposal. Only either the ah or the esp keyword may be used, AH+ESP bundles are not supported.

There is no default, by default ESP is used. The daemon adds its extensive default proposal to the configured value. To restrict it to the configured proposal an exclamation mark (!) can be added at the end.

Note: As a responder the daemon accepts the first supported proposal received from the peer. In order to restrict a responder to only accept specific cipher suites, the strict flag (!, exclamation mark) can be used, e.g: sha256-sha512-modp2048!

If dh-group is specified, CHILD_SA/Quick Mode setup and rekeying include a separate Diffe-Hellman exchange.

Refer to IKEv1CipherSuites and IKEv2CipherSuites for a list of valid keywords.

Available since 5.1.1.

whether to use IKEv1 Aggressive or Main Mode (the default). Available since 5.0.0.

includes conn section <name>.

how the two security gateways should authenticate each other; acceptable values are secret or psk for pre-shared secrets, pubkey (the default) for public key signatures as well as the synonyms rsasig for RSA digital signatures and ecdsasig for Elliptic Curve DSA signatures. never can be used if negotiation is never to be attempted or accepted (useful for shunt-only conns). Digital signatures are superior in every way to shared secrets. IKEv1 additionally supports the values xauthpsk and xauthrsasig that will enable eXtended Authentication (XAuth) in addition to IKEv1 main mode based on shared secrets or digital RSA signatures, respectively. This parameter is deprecated for IKEv2 connections (and IKEv1 connections since 5.0.0), as two peers do not need to agree on an authentication method. Use the left|rightauth parameter instead to define authentication methods.

what operation, if any, should be done automatically at IPsec startup. add loads a connection without starting it. route loads a connection and installs kernel traps. If traffic is detected between leftsubnet and rightsubnet, a connection is established. start loads a connection and brings it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config file. Relevant only locally, other end need not agree on it.

defines the action to take if the remote peer unexpectedly closes a CHILD_SA (IKEv2 only, see dpdaction for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking, as these events might trigger the defined action when not desired.

whether IPComp compression of content is proposed on the connection (link-level compression does not work on encrypted data, so to be effective, compression must be done before encryption). A value of yes causes the daemon to propose both compressed and uncompressed, and prefer compressed. A value of no prevents the daemon from proposing or accepting compression.

controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD. If no activity is detected, all connections with a dead peer are stopped and unrouted (clear), put in the hold state (hold) or restarted (restart). The default is none which disables the active sending of DPD messages.

defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL messages and uses only standard messages (such as those to rekey) to detect dead peers.

defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers.

defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. Not supported for IKEv1 connections prior to 5.0.0.

defines the identity the client uses to reply to an EAP Identity request. If defined on the EAP server, the defined identity will be used as peer identity during EAP authentication. The special value %identity uses the EAP Identity method to ask the client for a EAP identity. If not defined, the IKEv2 identity will be used as EAP identity.

comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g. aes128-sha256. The notation is encryption-integrity[-dhgroup][-esnmode]. For IKEv2, multiple algorithms (separated by -) of the same type can be included in a single proposal. IKEv1 only includes the first algorithm in a proposal. Only either the ah or the esp keyword may be used, AH+ESP bundles are not supported.

Defaults to aes128-sha1,3des-sha1. The daemon adds its extensive default proposal to this default or the configured value. To restrict it to the configured proposal an exclamation mark (!) can be added at the end.

Note: As a responder both daemons accept the first supported proposal received from the peer. In order to restrict a responder to only accept specific cipher suites, the strict flag (!, exclamation mark) can be used, e.g: aes256-sha512-modp4096!

If dh-group is specified, CHILD_SA setup and rekeying include a separate Diffe-Hellman exchange (since 5.0.0 this also applies to IKEv1 Quick Mode).

Valid values for esnmode (IKEv2 only) are esn and noesn. Specifying both negotiates extended sequence number support with the peer, the default is noesn.

Refer to IKEv1CipherSuites and IKEv2CipherSuites for a list of valid keywords.

force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. Not supported for IKEv1 connections prior to 5.0.0.

whether to use IKE fragmentation (proprietary IKEv1 extension). Fragmented messages sent by a peer are always accepted irrespective of the value of this option. If set to yes and the peer supports it, larger IKE messages will be sent in fragments (the maximum fragment size can be configured in strongswan.conf). If set to force the initial IKE message will already be fragmented if required. Available for IKEv1 connections since 5.0.2.

comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms to be used, e.g. aes128-sha1-modp2048. The notation is encryption-integrity[-prf]-dhgroup. In IKEv2, multiple algorithms and proposals may be included, such as aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.

The ability to configure a PRF algorithm different to that defined for integrity protection was added with 5.0.2. If no PRF is configured, the algorithms defined for integrity are proposed as PRF. The prf keywords are the same as the integrity algorithms, but have a prf prefix (such as prfsha1, prfsha256 or prfaesxcbc).

Defaults to aes128-sha1-modp2048,3des-sha1-modp1536 for IKEv1. The daemon adds its extensive default proposal to this default or the configured value. To restrict it to the configured proposal an exclamation mark (!) can be added at the end. Refer to IKEv1CipherSuites and IKEv2CipherSuites for a list of valid keywords.

Note: As a responder both daemons accept the first supported proposal received from the peer. In order to restrict a responder to only accept specific cipher suites, the strict flag (!, exclamation mark) can be used, e.g: aes256-sha512-modp4096!

Differentiated Services Field Codepoint to set on outgoing IKE packets sent from this connection. The value is a six digit binary encoded string defining the Codepoint to set, as defined in RFC 2474.

how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. Also see Expiry and Rekey.

decides whether IPsec policies are installed in the kernel by the charon daemon for a given connection. Allows peaceful cooperation e.g. with the Mobile IPv6 mip6d daemon who wants to control the kernel policies.

method of key exchange; which protocol should be used to initialize the connection. Prior to 5.0.0 connections marked with ikev1 were initiated with Pluto, those marked with ikev2 with Charon. An incoming request from the remote peer was handled by the correct daemon, unaffected from the keyexchange setting. Starting with strongSwan 4.5.0 the default value ike is a synonym for ikev2, whereas in older strongSwan releases ikev1 was assumed. Since 5.0.0 both protocols are handled by Charon and connections marked with ike will use IKEv2 when initiating, but accept any protocol version when responding.

how many attempts (a positive integer or %forever) should be made to negotiate a connection, or a replacement for one, before giving up (default 3). The value %forever means 'never give up'. Relevant only locally, other end need not agree on it.

synonym for lifetime.

the number of bytes transmitted over an IPsec SA before it expires. Not supported for IKEv1 connections prior to 5.0.0.

the number of packets transmitted over an IPsec SA before it expires. Not supported for IKEv1 connections prior to 5.0.0.

how long a particular instance of a connection (a set of encryption/authentication keys for user packets) should last, from successful negotiation to expiry; acceptable values are an integer optionally followed by s (a time in seconds) or a decimal number followed by m, h, or d (a time in minutes, hours, or days respectively) (default 1h, maximum 24h). Normally, the connection is renegotiated (via the keying channel) before it expires (see margintime). The two ends need not exactly agree on lifetime, although if they do not, there will be some clutter of superseded connections on the end which thinks the lifetime is longer. Also see Expiry and Rekey.

how many bytes before IPsec SA expiry (see lifebytes) should attempts to negotiate a replacement begin.

how many packets before IPsec SA expiry (see lifepackets) should attempts to negotiate a replacement begin.

how long before connection expiry or keying-channel expiry should attempts to negotiate a replacement begin; acceptable values as for lifetime (default 9m). Relevant only locally, other end need not agree on it. Also see Expiry and Rekey.

sets an XFRM mark in the inbound and outbound IPsec SAs and policies. If the mask is missing then a default mask of 0xffffffff is assumed.

sets an XFRM mark in the inbound IPsec SA and policy. If the mask is missing then a default mask of 0xffffffff is assumed.

sets an XFRM mark in the outbound IPsec SA and policy. If the mask is missing then a default mask of 0xffffffff is assumed.

enables the IKEv2 MOBIKE protocol defined by RFC 4555. If set to no, the charon daemon will not actively propose MOBIKE as initiator and ignore the MOBIKE_SUPPORTED notify as responder.

defines which mode is used to assign a virtual IP. Currently relevant for IKEv1 only since IKEv2 always uses the configuration payload in pull mode. Cisco VPN gateways usually operate in push mode. In versions prior to 5.1.1 the charon daemon did not support push mode.

whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done. In IKEv2, a value of no rekeys without uninstalling the IPsec SAs, a value of yes (the default) creates a new IKE_SA from scratch and tries to recreate all IPsec SAs.

whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it. Also see reauth.

maximum percentage by which marginbytes, marginpackets and margintime should be randomly increased to randomize rekeying intervals (important for hosts with many connections); acceptable values are an integer, which may exceed 100, followed by a '%' . The value of marginTYPE, after this random increase, must not exceed lifeTYPE (where TYPE is one of bytes, packets or type). The value 0% will suppress randomization. Relevant only locally, other end need not agree on it. Also see Expiry and Rekey.

synonym for margintime.

sets the reqid for a given connection to a pre-configured fixed value.

number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The special value %mtu fills up ESP packets with padding to have the size of the MTU.

the type of the connection; currently the accepted values are tunnel, signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; transport, signifying host-to-host transport mode; transport_proxy, signifying the special Mobile IPv6 transport proxy mode; passthrough, signifying that no IPsec processing should be done at all; drop, signifying that packets should be discarded.

specifies the role in the XAuth protocol if activated by authby=xauthpsk or authby=xauthrsasig.

defines the identity/username the client uses to reply to an XAuth request. If not defined, the IKEv1 identity will be used as XAuth identity.

left|right End Parameters


Connection descriptions are defined in terms of a left endpoint and a right endpoint. For example, the two parameters leftid and rightid specify the identity of the left and the right endpoint. For every connection description an attempt is made to figure out whether the local endpoint should act as the left or the right endpoint. This is done by matching the IP addresses defined for both endpoints with the IP addresses assigned to local network interfaces. If a match is found then the role (left or right) that matches is going to be considered "local". If no match is found during startup, "left" is considered "local".

The IP address of the participant's public-network interface or one of several magic values. The value %any for the local endpoint signifies an address to be filled in (by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table will be queried to determine the correct local IP address. In case the local peer is responding to a connection setup then any IP address that is assigned to a local interface will be accepted.

Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead the keyword %defaultroute could be used, causing the value to be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time and during configuration update). Either left or right may be %defaultroute, but not both.

The prefix % in front of a fully-qualified domain name or an IP address will implicitly set left|rightallowany=yes.

If %any is used for the remote endpoint it literally means any IP address.

Since 5.1.1 connections can be limited to a specific range of hosts. To do so a range (10.1.0.0-10.2.255.255) or a subnet (10.1.0.0/16) can be specified, and multiple addresses, ranges and subnets can be separated by commas. While one can freely combine these items, to initiate the connection at least one non-range/subnet is required.

Please note that with the usage of wildcards multiple connection descriptions might match a given incoming connection attempt. The most specific description is used in that case.

a modifier for left|right, making it behave as %any although a concrete IP address has been assigned. Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.

Authentication method to use locally (left) or require from the remote (right) side. Acceptable values are pubkey for public key encryption (RSA/ECDSA), psk for pre-shared key authentication, eap to [require the] use of the Extensible Authentication Protocol, and xauth for IKEv1 eXtended Authentication. To require a trustchain public key strength for the remote side, specify the key type followed by the minimum strength iin bits (for example ecdsa-384 or rsa-2048-ecdsa-256). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to pubkey or a key strength definition (for example pubkey-sha1-sha256 or rsa-2048-ecdsa-256-sha256-sha384-sha512). In the case of eap, an optional EAP method can be appended. Currently defined methods are eap-aka, eap-gtc, eap-md5, eap-mschapv2, eap-peap, eap-sim, eap-tls, eap-ttls, eap-dynamic, and eap-radius. Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form eap-type-vendor (e.g. eap-7-12345). For xauth, an XAuth authentication backend can be specified, such as xauth-generic or xauth-eap. If XAuth is used in leftauth, Hybrid authentication is used. For traditional XAuth authentication, define XAuth in leftauth2.

Not supported for IKEv1 connections prior to 5.0.0.

Same as left|rightauth, but defines an additional authentication exchange. In IKEv1, only XAuth can be used in the second authentication round. IKEv2 supports multiple complete authentication rounds using Multiple Authentication Exchanges defined in RFC 4739. This allows e.g. a separate authentication of host and user.

Not supported for IKEv1 connections prior to 5.0.0.

the distinguished name of a certificate authority which is required to lie in the trust path going from the left|right participant's certificate up to the root certification authority. %same means that the value configured for the other participant should be reused.

Same as left|rightca but for the second authentication (IKev2 only).

the path to the left|right participant's X.509 certificate. The file can be coded either in PEM or DER format. OpenPGP certificates are supported as well. Both absolute paths or paths relative to /etc/ipsec.d/certs are accepted. By default left|rightcert sets left|rightid to the distinguished name of the certificate's subject. The left|right participant's ID can be overridden by specifying a left|rightid value which must be certified by the certificate, though.

Since 5.0.2 certificates can be configured in the form %smartcard[<slot nr>[@<module>]]:<keyid>, which defines a specific certificate to load from a PKCS#11 backend for this connection (e.g. via the pkcs11 plugin). See ipsec.secrets for details about smartcard definitions. Defining a certificate on a smartcard with left|rightcert is only required if the automatic selection via left|rightid is not sufficient, for example, if multiple certificates use the same subject.

Since 5.0.3 multiple certificate paths or PKCS#11 backends can be specified in a comma separated list. The daemon chooses the certificate based on the received certificate requests, if possible, before enforcing the first.

Same as left|rightcert but for the second authentication round (IKEv2 only).

Comma separated list of certificate policy OIDs the peer's certificate must have. OIDs are specified using the numerical dotted representation. Not supported for IKEv1 connections prior to 5.0.0.

Comma separated list of DNS server addresses to exchange as configuration attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or %config4/%config6 to request attributes without an address. On the responder, only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned to the client. Available since 5.0.1.

whether the left|right participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from left|rightsubnet, which should be turned off for traffic to the other subnet) once the connection is established. May not be used in the same connection description with left|rightupdown. Implemented as a parameter to the default ipsec _updown script. Relevant only locally, other end need not agree on it.

If one or both security gateways are doing forwarding firewalling (possibly including masquerading), and this is specified using the firewall parameters, tunnels established with IPsec are exempted from it so that packets can flow unchanged through the tunnels. (This means that all subnets connected in this manner must have distinct, non-overlapping subnet address blocks.) This is done by the default ipsec _updown script.

In situations calling for more control, it may be preferable for the user to supply his own updown script, which makes the appropriate adjustments for his system.

a comma-separated list of group names. If the left|rightgroups parameter is present then the peer must be a member of at least one of the groups defined by the parameter. Groups may be used together with the eap-radius plugin.

Same as left|rightgroups but for the second authentication round defined with left|rightauth2. Available since 5.0.1.

inserts a pair of INPUT and OUTPUT iptables rules using the default ipsec _updown script, thus allowing access to the host itself in the case where the host's internal interface is part of the negotiated client subnet.

how the left|right participant should be identified for authentication; defaults to left|right or the subject of the certificate configured with left|rightcert. Can be an IP address, a fully-qualified domain name, an email address, or a keyid. Prior to 5.0.0 fully-qualified domain names can be preceded by an @ to avoid them being resolved to an IP address.

Since 5.0.1 rightid for IKEv2 connections optionally takes a % as prefix in front of the identity. If given it prevents the daemon from sending IDr in its IKE_AUTH request and will allow it to verify the configured identity against the subject and subjectAltNames contained in the responder's certificate (otherwise, it is only compared with the IDr returned by the responder). The IDr sent by the initiator might otherwise prevent the responder from finding a config if it has configured a different value for leftid.

Identity to use for the second authentication of the left participant (IKEv2 only). Defaults to left|rightid.

UDP port the left participant uses for IKE communication. If unspecified, port 500 is used with the port floating to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port different from the default additionally requires a socket implementation that listens to this port. Not supported for IKEv1 connections prior to 5.0.0.

restrict the traffic selector to a single protocol and/or port. Since 5.1.0 this option is deprecated as protocol/port information can be defined for each subnet directly in left|rightsubnet.

Since 5.1.0 a synonym for left|rightsigkey. Before that it denoted the left|right participant's public key for RSA signature authentication, in RFC 2537 format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is the path to a file containing the public key in PEM or DER encoding.

Added with 5.1.0. The left|right participant's public key for public key signature authenticaiton, in PKCS#1 format using using hex (0x prefix) or base64 (0s prefix) encoding. With the optional dns: or ssh: prefix in front of 0x or 0x, the public key is expected in either the RFC 3110 (not the full RR, only the RSA key part) or RFC 4253 public key format, respectively. Also accepted is the path to a file containing the public key in PEM or DER encoding.

Accepted values are never or no, always or yes, and ifasked, the latter meaning that the peer must send a certificate request (CR) payload in order to get a certificate in return.

The internal source IP to use in a tunnel, also known as virtual IP. If the value is one of the synonyms %config, %cfg, %modeconfig or %modecfg, an address (from the tunnel address family) is requested from the peer. Since 5.0.1 a comma-separated list is accepted to request multiple addresses, and with %config4 and %config6 an address of the given address family will be requested explicitly. If an IP address is configured, it will be requested from the responder, which is free to respond with a different address.

The internal source IP to use in a tunnel for the remote peer. If the value is config on the responder side, the initiator must propose an address which is then echoed back. Also supported are address pools expressed as <network>/<netmask> or the use of an external IP address pool using %poolname where poolname is the name of the IP address pool used for the lookup (see virtual IP for details). Since 5.0.1 a comma-separated list of IP addresses / pools is accepted, for instance, to define pools of different address families.

private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left|right end of the connection goes to the left|right participant only. The configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet. Since 5.0.0 this is also done for IKEv1, but as this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled (available since 5.0.1).

Since 5.1.0 the optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. Examples: leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] or leftsubnet=fec1::1[udp],10.0.0.0/16[/53]. Instead of omitting either value %any can be used to the same effect, e.g. leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53].

Since 5.1.1, if the protocol is icmp or ipv6-icmp the port is interpreted as ICMP message type if it is less than 256, or as type and code if it greater or equal to 256, with the type in the most significant 8 bits and the code in the least significant 8 bits.

The port value can alternatively take the value %opaque for RFC 4301 OPAQUE selectors, or a numerical range in the form 1024-65535. None of the kernel backends currently supports opaque or port ranges and uses %any for policy installation instead.

Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely. Using %dynamic can be used to define multiple dynamic selectors, each having a potentially different protocol/port definition.

what updown script to run to adjust routing and/or firewalling when the status of the connection changes (default ipsec _updown). Relevant only locally, other end need not agree on it. Charon uses the updown script to insert firewall rules only, since routing has been implemented directly into the daemon.

IKEv2 Mediation Extension Parameters


The following parameters are relevant to IKEv2 Mediation Extension operation only.

whether this connection is a mediation connection, ie. whether this connection is used to mediate other connections. Mediation connections create no child SA. Acceptable values are no (the default) and yes.

the name of the connection to mediate this connection through. If given, the connection will be mediated through the named mediation connection. The mediation connection must set mediation=yes.

ID as which the peer is known to the mediation server, ie. which the other end of this connection uses as its leftid on its connection to the mediation server. This is the ID we request the mediation server to mediate us with. If me_peerid is not given, the rightid of this connection will be used as peer ID. Removed parameters (since 5.0.0)

whether authentication should be done as part of ESP encryption, or separately using the AH protocol. Only supported by the IKEv1 daemon pluto.

Since 5.1.1 the ah keyword can be used to configure AH with the charon IKE daemon.

whether Perfect Forward Secrecy of keys is desired on the connection's keying channel (with PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier). IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying PFS is enforced by defining a Diffie-Hellman dhgroup in the esp parameter. Since 5.0.0 the latter also applies to IKEv1 and this parameter has no effect anymore.

defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode differing from the DH group used for IKEv1 Main Mode (IKEv1 pluto daemon only).

This parameter is usually not needed any more because the NETKEY IPsec stack does not require explicit routing entries for the traffic to be tunneled. If left|sourceip is used with IKEv1 then left|rightnexthop must still be set in order for the source routes to work properly.

the peer can propose any subnet or single IP address that fits within the range defined by left|rightsubnetwithin. Is a synonym for left|rightsubnet since 5.0.0, as subnets are narrowed.