Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:strongswan:configuration [2021/06/28 20:39] – Update to 5.9.2-12 philipp
docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.2-12'' packaging.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
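Review bot: the new "current as of" version drops the package revision suffix that the old text carried ('5.9.2-12' became '5.9.5'); since this page documents the OpenWrt /etc/config/ipsec option names rather than upstream strongSwan, keep the full package version (a labelled placeholder such as '5.9.5-N' until the exact revision is known) so readers on an older package revision can tell whether the renamed options apply to them.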
Line 29: Line 29:
 |dpddelay|interval|no|30s|Liveness interval for IKE| |dpddelay|interval|no|30s|Liveness interval for IKE|
 |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| 
 |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")| |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|
 |mobike|string|no|yes|Enable MOBIKE on IKEv2| |mobike|string|no|yes|Enable MOBIKE on IKEv2|
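Review bot: this is a move, not a deletion; the identical keyexchange row is re-inserted after overtime in the next hunk (Line 36). If the intent is to group the IKE-version option with the rekeying options, say so in the edit summary; otherwise leaving it next to mobike, whose description says it applies to IKEv2 only, reads more naturally.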
Line 37: Line 36:
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
 +|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
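Review bot: the re-inserted keyexchange row keeps the pre-existing wording "Version of IKE to negotiation"; since the row is being touched anyway, change it to "Version of IKE to negotiate". The default 'ikev2' also determines whether the 'mobike' row above has any effect (its description says IKEv2 only), which is worth a cross-reference in the description.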
Line 78: Line 78:
   option 'enabled' '1'   option 'enabled' '1'
   # address of wan device   # address of wan device
-  option 'left_ip' '6.6.6.6'+  option 'local_ip' '6.6.6.6'
   # peer has routable DHCP'd address which changes   # peer has routable DHCP'd address which changes
   option 'gateway' 'any'   option 'gateway' 'any'
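Review bot: the rename from 'left_ip' to 'local_ip' matches the option name used for the SOHO side at Line 225, good; grep the remaining examples on the page for other leftover left/right names, since Line 225 also had a half-renamed 'local_leftip'. Separately, '6.6.6.6' is a routable public address; documentation examples should use an RFC 5737 range such as 192.0.2.0/24 so that a copy-pasted config never points at someone else's host.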
Line 88: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
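Review bot: the renamed 'keyingretries' keeps the value '0', but nothing in the visible example says what 0 means; the option table earlier on the page should define it so the example is not read as "never retry". The adjacent context lines also use numeric values ('mobike' '0', 'fragmentation' '1') while the table at Line 29 documents fragmentation as "yes", "accept", "force" or "no" and mobike as defaulting to "yes"; align either the table or the examples.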
Line 102: Line 102:
 # we don't specify subnets because we're going to use XFRM-interfaced based routes instead # we don't specify subnets because we're going to use XFRM-interfaced based routes instead
 config 'tunnel' 'tun_soho' config 'tunnel' 'tun_soho'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '357'   option 'if_id' '357'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
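Review bot: the comment "we don't specify subnets" now contradicts the two 0.0.0.0/0 list entries directly below it. Reword it to say the traffic selectors are deliberately wide open (0.0.0.0/0 on both sides) because the XFRM interface selected by if_id, not the IPsec policy, decides which traffic enters the tunnel, and fix "XFRM-interfaced based" to "XFRM-interface based". Changing 'option' to 'list' also changes the UCI syntax for anyone who copied the old example, so mention it in the version note at the top of the page.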
Line 225: Line 225:
 config 'remote' 'headquarters' config 'remote' 'headquarters'
   option 'enabled' '1'   option 'enabled' '1'
-  option 'local_leftip' '%any'+  option 'local_ip' '%any'
   option 'gateway' '6.6.6.6'   option 'gateway' '6.6.6.6'
   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'   option 'local_identifier' 'C=US, O=Acme Corporation, CN=soho'
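Review bot: 'local_leftip' was a half-renamed leftover of the old left/right naming, so the change to 'local_ip' is right and now matches Line 78. Both remote sections use the same public example address '6.6.6.6' (as gateway here, as local_ip there); if the Line 78 hunk switches to an RFC 5737 documentation address, this one must change with it.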
Line 235: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
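Review bot: the context line "option 'mobike' 0" leaves the value unquoted while the same option at Line 88 is written as 'mobike' '0'; quote it here for consistency with the rest of the examples. The remark for Line 88 about documenting what 'keyingretries' '0' means applies here as well.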
Line 247: Line 247:
      
 config tunnel 'tun_headquarters' config tunnel 'tun_headquarters'
-  option 'local_subnet' '0.0.0.0/0' +  list   'local_subnet' '0.0.0.0/0' 
-  option 'remote_subnet' '0.0.0.0/0'+  list   'remote_subnet' '0.0.0.0/0'
   option 'if_id' '308'   option 'if_id' '308'
   option 'rekeytime' '1h'   option 'rekeytime' '1h'
   option 'startaction' 'trap'   option 'startaction' 'trap'
   option 'closeaction' 'none'   option 'closeaction' 'none'
 +  option 'dpdaction' 'restart'
   list 'crypto_proposal' 'esp_proposal'   list 'crypto_proposal' 'esp_proposal'
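Review bot: 'dpdaction' 'restart' is added only to this SOHO-side tunnel and not to tun_soho on the headquarters side (Line 102); the asymmetry is presumably deliberate, since the headquarters remote uses 'gateway' 'any' (Line 78) and has no fixed peer address to re-initiate toward, but a one-line comment saying so would stop readers from adding restart on both ends. The option table earlier on the page should also document dpdaction alongside dpddelay, and the combination of 'startaction' 'trap', 'closeaction' 'none' and restart-on-DPD deserves a sentence on how the tunnel is expected to recover.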
  
  • Last modified: 2024/12/01 18:36
  • by kevinoid