Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:strongswan:configuration [2021/07/24 04:42] – Correct typo in 'home' config; add DPD. philipp
docs:guide-user:services:vpn:strongswan:configuration [2022/12/12 00:25] – Fix examples: 'keyingtries' -> 'keyingretries' pcrump
Line 2: Line 2:
 Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''. Linux Charon IPsec daemon can be configured through ''/etc/config/ipsec''.
  
-**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.2-12'' packaging.  For previous versions, use the Wiki's page history functionality.+**Note**: this has been updated to the ''swanctl''-based configuration, and is current as of ''5.9.5'' packaging.  For previous versions, use the Wiki's page history functionality.
  
 ===== Sections ===== ===== Sections =====
Line 36: Line 36:
 |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime| |rekeytime|interval|no|(none)|IKEv2 interval to refresh keying material; also used to compute lifetime|
 |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)| |overtime|interval|no|(none)|Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime)|
 +|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)|
  
 ==== crypto_proposal ==== ==== crypto_proposal ====
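Review bot: The description in the added keyexchange row reads "Version of IKE to negotiation"; it should be "to negotiate". The row is being moved to this table anyway, so the wording can be fixed in the same edit instead of carrying the typo over from the old location.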
Line 54: Line 55:
 |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]| |local_nat|subnet|no|(none)|NAT range for tunnels with [[docs:guide-user:services:vpn:strongswan:overlappingsubnets|overlapping IP addresses]]|
 |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals| |crypto_proposal|list|yes|(none)|List of ESP (phase two) proposals|
-|keyexchange|string|no|ikev2|Version of IKE to negotiation ("ikev1", "ikev2", or "ike" for both)| 
 |startaction|string|no|route|Action on initial configuration load (none, start, route)| |startaction|string|no|route|Action on initial configuration load (none, start, route)|
 |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events| |updown|string|no|(none)|Path to script to run on CHILD_SA up/down events|
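Review bot: Dropping the keyexchange row from this table leaves no hint for readers whose existing configuration sets keyexchange in this section. Since the same row is added to the table at Line 36, a one-line note here naming the section that now takes the option would save them from hunting for it.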
Line 88: Line 88:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' '0'   option 'mobike' '0'
   option 'fragmentation' '1'   option 'fragmentation' '1'
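Review bot: The renamed line "option 'keyingretries' '0'" uses a value whose meaning is not stated anywhere in the visible example. A short comment or sentence next to the example saying what '0' selects would help, and it is worth confirming that the option table on the page lists the option under the same name 'keyingretries'.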
Line 235: Line 235:
   option 'ca_cert' 'acme.crt'   option 'ca_cert' 'acme.crt'
   option 'rekeytime' '4h'   option 'rekeytime' '4h'
-  option 'keyingtries' '0'+  option 'keyingretries' '0'
   option 'mobike' 0   option 'mobike' 0
   list 'crypto_proposal' 'ike_proposal'   list 'crypto_proposal' 'ike_proposal'
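Review bot: In this example the context line "option 'mobike' 0" leaves the value unquoted, while the example at Line 88 writes "option 'mobike' '0'" and the corrected line just above it quotes '0' as well. Quote the value here too so both examples follow one style.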
  • Last modified: 2024/12/01 18:36
  • by kevinoid