Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:strongswan:configuration [2021/06/25 20:52] – [remote] thermi | docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| Linux Charon IPsec daemon can be configured through ''/ | Linux Charon IPsec daemon can be configured through ''/ | ||
| - | **Note**: this has been updated to the '' | + | **Note**: this has been updated to the '' |
| ===== Sections ===== | ===== Sections ===== | ||
| Line 19: | Line 19: | ||
| |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| | |local_gateway|ipaddr|no|(none)|IP address or FQDN of the tunnel local endpoint| | ||
| |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/ | |local_sourceip|ipaddr|no|(none)|Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/ | ||
| - | |local_leftip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| | + | |local_ip|ipaddr|no|(none)|Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs)| |
| |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)| | |local_identifier|string|no|(none)|Local identifier for IKE (phase 1)| | ||
| |remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)| | |remote_identifier|string|no|(none)|Remote identifier for IKE (phase 1)| | ||
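Review bot: the renamed local_ip row carries over the old description unchanged, including "and may by subnets or CIDRs", which should read "and may be subnets or CIDRs"; since the row is being rewritten anyway, fix the wording in the same edit.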
| Line 29: | Line 29: | ||
| |dpddelay|interval|no|30s|Liveness interval for IKE| | |dpddelay|interval|no|30s|Liveness interval for IKE| | ||
| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| | |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| | ||
| - | |keyexchange|string|no|ikev2|Version of IKE to negotiation (" | ||
| |fragmentation|string|no|yes|Use IKE fragmentation (maybe " | |fragmentation|string|no|yes|Use IKE fragmentation (maybe " | ||
| |mobike|string|no|yes|Enable MOBIKE on IKEv2| | |mobike|string|no|yes|Enable MOBIKE on IKEv2| | ||
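Review bot: the keyexchange row is dropped here without a replacement in this hunk; it reappears as a '+' row in the next hunk, below the rekeying rows, so this is a move rather than a deletion, and the shifted hunk offset (Line 37 -> Line 36) is consistent with that.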
| Line 37: | Line 36: | ||
| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| | |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| | ||
| |overtime|interval|no|(none)|Limit on time to complete rekeying/ | |overtime|interval|no|(none)|Limit on time to complete rekeying/ | ||
| + | |keyexchange|string|no|ikev2|Version of IKE to negotiation (" | ||
| ==== crypto_proposal ==== | ==== crypto_proposal ==== | ||
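Review bot: the re-added keyexchange row keeps the wording "Version of IKE to negotiation", which should be "Version of IKE to negotiate"; correct it while the row is being moved. Type (string) and default (ikev2) match the removed row, so nothing else changes.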
| Line 51: | Line 51: | ||
| ^Name^Type^Required^Default^Description^ | ^Name^Type^Required^Default^Description^ | ||
| - | |local_subnet|subnet|yes|(none)|Local network (can be a comma seperated list)| | + | |local_subnet|list|yes|(none)|Local network(s) one per line| |
| - | |remote_subnet|subnet|yes|(none)|Remote network (can be a comma seperated list)| | + | |remote_subnet|list|yes|(none)|Remote network(s) one per line| |
| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs: | ||
| |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| | |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| | ||
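Review bot: changing local_subnet and remote_subnet from a comma-separated 'subnet' to a 'list' ("one per line") changes how the value is written in the config, not just how it is documented, and the new rows do not say whether the older comma-separated form is still accepted; add that to the description (or to the note at the top of the page) so existing configurations are not silently broken. Also write "Local network(s), one per line" with the comma. Rewriting the rows drops the "seperated" typo, which is good.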
| Line 62: | Line 62: | ||
| |closeaction|string|no|route|Action done when CHILD_SA is closed (may be " | |closeaction|string|no|route|Action done when CHILD_SA is closed (may be " | ||
| |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with " | |if_id|string|no|(none)|XFRM interface ID set on input and output interfaces (should be coordinated with " | ||
| + | |priority|string|no|(none)|Priority of the CHILD_SA| | ||
| + | |ipcomp|bool|no|false|Enable ipcomp compression| | ||
| + | |hw_offload|bool|no|false|Enable H/W offload| | ||
| Local configuration for ''/ | Local configuration for ''/ | ||
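Review bot: the three new rows (priority, ipcomp, hw_offload) document less than the surrounding rows do: "Priority of the CHILD_SA" does not say what values are accepted or whether a lower or higher value wins, and "Enable ipcomp compression" / "Enable H/W offload" say nothing about what has to be supported by the peer or the hardware for the option to take effect; the closeaction row in the same table lists its accepted values ("may be ..."), so follow that pattern. Also check whether "string" is the right type for priority when the other rows use the more specific interval, ipaddr and bool types.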
| Line 75: | Line 78: | ||
| option ' | option ' | ||
| # address of wan device | # address of wan device | ||
| - | option 'left_ip' ' | + | option 'local_ip' ' |
| # peer has routable DHCP'd address which changes | # peer has routable DHCP'd address which changes | ||
| option ' | option ' | ||
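Review bot: this fixes the example to use local_ip, matching the renamed table row; before this diff the example said 'left_ip' while the table said 'local_leftip', so neither agreed with the other. Worth searching the rest of the page for remaining 'left_ip' / 'local_leftip' occurrences, since the second example (Line 222 hunk) needed the same fix.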
| Line 85: | Line 88: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | option 'keyingtries' ' | + | option 'keyingretries' ' |
| option ' | option ' | ||
| option ' | option ' | ||
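Review bot: the rename to keyingretries matches the edit summary, but none of the table hunks in this diff show a keyingretries row, so confirm that the reference table (outside the shown context) documents the option under exactly that name; the left_ip/local_leftip mismatch fixed in the previous hunk is the same kind of drift between table and examples.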
| Line 99: | Line 102: | ||
| # we don't specify subnets because we're going to use XFRM-interfaced based routes instead | # we don't specify subnets because we're going to use XFRM-interfaced based routes instead | ||
| config ' | config ' | ||
| - | | + | |
| - | | + | |
| option ' | option ' | ||
| option ' | option ' | ||
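Review bot: the table rows earlier in this diff mark local_subnet and remote_subnet as Required: yes, while the unchanged comment above this block says subnets are deliberately not specified because XFRM-interface based routes are used instead; one of the two needs correcting (either the rows are not required in this mode, or the example must provide them). The two replaced indented lines are cut off in this rendering, so their values cannot be reviewed here. The comment itself should read "XFRM-interface-based routes" rather than "XFRM-interfaced based routes".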
| Line 222: | Line 225: | ||
| config ' | config ' | ||
| option ' | option ' | ||
| - | option 'local_leftip' ' | + | option 'local_ip' ' |
| option ' | option ' | ||
| option ' | option ' | ||
| Line 232: | Line 235: | ||
| option ' | option ' | ||
| option ' | option ' | ||
| - | option 'keyingtries' ' | + | option 'keyingretries' ' |
| option ' | option ' | ||
| list ' | list ' | ||
| Line 244: | Line 247: | ||
| | | ||
| config tunnel ' | config tunnel ' | ||
| - | | + | |
| - | | + | |
| option ' | option ' | ||
| option ' | option ' | ||
| option ' | option ' | ||
| option ' | option ' | ||
| + | option ' | ||
| list ' | list ' | ||
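Review bot: the 'option' line added at the end of the tunnel block has its name and value truncated in this rendering, as do the replaced 'list' entries, so they cannot be checked here; given that the Line 62 hunk adds priority, ipcomp and hw_offload rows, confirm the new example option is one of those documented names, and that the replaced entries are the one-per-line list form introduced for local_subnet/remote_subnet in the Line 51 hunk.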