Differences

docs:guide-user:services:vpn:strongswan:configuration [2021/06/28 20:41] – Missed some 5.9.2-12 updates on the configs philipp
docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.2-12'' packaging.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
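Review bot: the version in the note changes format from a package release string ('5.9.2-12') to a bare upstream version ('5.9.5'), so a reader comparing against an installed package revision cannot tell which packaging build the ''swanctl'' syntax was verified on; keep the "version-release" form used before, or say explicitly that any 5.9.5 packaging applies.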
Line 29: Line 29:
 |dpddelay|interval|no|30s|Liveness interval for IKE| |dpddelay|interval|no|30s|Liveness interval for IKE|
 |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA| |inactivity|interval|no|(none)|Interval before closing an inactive CHILD_SA|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| 
 |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")| |fragmentation|string|no|yes|Use IKE fragmentation (maybe "yes", "accept", "force", or "no")|
 |mobike|string|no|yes|Enable MOBIKE on IKEv2| |mobike|string|no|yes|Enable MOBIKE on IKEv2|
Line 37: Line 36:
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
 +|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
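Review bot: the keyexchange row is only relocated within the table, and the moved text still carries the grammatical slip "Version of IKE to negotiation"; since the row is being rewritten anyway, change it to "Version of IKE to negotiate" so the relocation also fixes the wording.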
Line 78: Line 78:
   option 'enabled' '1'   option 'enabled' '1'
   # address of wan device   # address of wan device
-  option 'left_ip' '6.6.6.6'+  option 'local_ip' '6.6.6.6'
   # peer has routable DHCP'd address which changes   # peer has routable DHCP'd address which changes
   option 'gateway' 'any'   option 'gateway' 'any'
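Review bot: renaming 'left_ip' to 'local_ip' here fixes only one example; the option name must match the option table and every other example on the page, none of which is visible in this hunk, so check them for leftover 'left_ip' uses. Separately, the sample value '6.6.6.6' is a routable public address; documentation examples should use an address from the RFC 5737 documentation ranges (for example 192.0.2.1) so that a copied config never points at a real host.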
Line 88: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
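Review bot: the 'keyingtries' -> 'keyingretries' rename is correct for the option name, but the adjacent context line in the same hunk still sets ''option 'fragmentation' '1''' while the option table (Line 29 hunk) lists the accepted values as "yes", "accept", "force" or "no"; the same applies to ''option 'mobike' '0''' against a table entry whose default is "yes". Either the table should state the numeric forms, or the example should use the documented string values, otherwise readers cannot tell which form the UCI parser accepts.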
Line 235: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
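Review bot: same rename as in the Line 88 hunk, but here ''option 'mobike' 0'' is left unquoted while the earlier example writes ''option 'mobike' '0'''; quote the value consistently across the two examples so a reader copying either one gets the same UCI syntax.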
Line 253: Line 253:
   option 'startaction' 'trap'   option 'startaction' 'trap'
   option 'closeaction' 'none'   option 'closeaction' 'none'
 +  option 'dpdaction' 'restart'
   list 'crypto_proposal' 'esp_proposal'   list 'crypto_proposal' 'esp_proposal'
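Review bot: ''option 'dpdaction' 'restart''' is added to the example without any accompanying change to the option table, and the visible table hunk (Line 29) shows only a dpddelay row; make sure dpdaction has its own table row giving the accepted values and the default, otherwise the example introduces an option the reference section never explains. It would also help to note in the example comment why 'restart' is chosen for a tunnel with ''startaction 'trap''', since a peer with a changing address (as the ''gateway 'any''' example describes) is exactly the case where dead-peer handling matters.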
  
  • Last modified: 2024/12/01 18:36
  • by kevinoid