- import of strongswan-2.7.0
Subject: [Design] changes to ipsec.conf
# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $

We are changing ipsec.conf for the 2.0 series of FreeS/WAN.

Opportunistic Encryption (OE) is enabled by default. This is accomplished
by automatically defining a conn "OEself" UNLESS the sysadmin defines one
with the same name:

conn OEself
    # authby=rsasig               # default
    left=%defaultroute
    leftrsasigkey=%dnsondemand    # default
    right=%opportunistic
    rightrsasigkey=%dnsondemand   # default
    keyingtries=3
    ikelifetime=1h
    keylife=1h                    # default
    rekey=no
    # disablearrivalcheck=no      # default
    auto=route

This will only work if %defaultroute works. The leftid will be the
resulting IP address, and with leftrsasigkey=%dnsondemand the key for
it is fetched from the reverse DNS for that address, so the conn won't
work if you haven't filled in the reverse DNS entry. Unlike other
conns, nothing in this implicit conn is changed by conn %default.

We'd like a better name. A conn name starting with % cannot be defined
by the sysadmin, so that is out. Names that haven't grabbed us: OEhost,
OElocalhost, OEthishost, OEforself, OE4self.

There is no requirement to have /etc/ipsec.conf. If you do, the first
significant line (non-blank, non-comment) must be, not indented:
    version 2.0
This signifies that the file was intended for FreeS/WAN version 2.0.

The following table shows most changes. "-" means that the option
doesn't exist. "Recent Boilerplate" shows the effect of the "conn
%default" in the automatically installed /etc/ipsec.conf (not
installed if you already had one).

Option                 Old Default     Recent Boilerplate   New Default
======                 ===========     ==================   ===========

config setup:
  interfaces           ""              %defaultroute        %defaultroute
  plutoload            ""              %search              -  [same as %search]
  plutostart           ""              %search              -  [same as %search]
  uniqueids            no              yes                  yes
  rp_filter            -               -                    0
  plutowait            yes             yes                  no
  dump                 no              no                   -  [use dumpdir]
  plutobackgroundload  ignored         ignored              -
  no_eroute_pass       no              no                   -  [use packetdefault]

conn %default:
  keyingtries          3               0                    %forever  [0 means this]
  disablearrivalcheck  yes             no                   no
  authby               secret          rsasig               rsasig
  leftrsasigkey        ""              %dnsondemand         %dnsondemand
  rightrsasigkey       ""              %dnsondemand         %dnsondemand
  lifetime             ==keylife       ==keylife            -  [use keylife]
  rekeystart           ==rekeymargin   ==rekeymargin        -  [use rekeymargin]
  rekeytries           ==keyingtries   ==keyingtries        -  [use keyingtries]

======                 ===========     ==================   ===========
Option                 Old Default     Recent Boilerplate   New Default


The auto= mechanism has been extended to support manual conns. If you
specify auto=manual in a conn, an "ipsec manual" will be performed on
it at startup (ipsec setup start).


There is a new config setup option "rp_filter". It controls
    /proc/sys/net/ipv4/conf/PHYS/rp_filter
for each PHYSical IP interface used by FreeS/WAN. Settings are:
    %unchanged   do not touch (but warn if wrong)
    0            set to 0; default; means: no filtering
    1            set to 1; means: loose filter
    2            set to 1; means: strict filter
0 is often necessary for FreeS/WAN to function. Some folks want other
settings. Note that 0 switches off the kernel's reverse-path (source
address) check on those interfaces, so any anti-spoofing that relied
on it has to be done elsewhere, e.g. in the packet filter. Shutting
down FreeS/WAN does not restore the original value.
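
Since the setup scripts leave the knob changed on shutdown, here is an
added example (not FreeS/WAN's own code) that applies an rp_filter=
setting to the physical interfaces and records the previous values so a
shutdown hook can put them back. The names rp_filter_apply,
rp_filter_restore and demo are this example's own; the value written
for each setting follows the table above (setting 2 is written as 1,
as the table says), and the scratch tree built by demo() is a
constructed stand-in for /proc/sys/net/ipv4/conf.

```python
"""Added example, not part of FreeS/WAN's setup scripts: apply a
config-setup rp_filter= value the way the note describes and keep the
original values so that a shutdown hook can restore them (FreeS/WAN
itself does not).  The default root is the real /proc path; pass a
scratch directory as root to exercise the logic without being root."""
import tempfile
from pathlib import Path

SYSCTL_ROOT = Path("/proc/sys/net/ipv4/conf")

# ipsec.conf setting -> value written to the knob, as listed in the note
# (the note's table writes 1 for setting 2 as well).
WRITTEN_VALUE = {"0": "0", "1": "1", "2": "1"}


def rp_filter_apply(ifaces, setting, root=SYSCTL_ROOT):
    """Apply SETTING to every interface in IFACES.

    Returns (saved, warnings): saved maps interface -> value it had
    before we changed it (the input for rp_filter_restore); warnings
    lists %unchanged interfaces whose value looks wrong for FreeS/WAN."""
    if setting != "%unchanged" and setting not in WRITTEN_VALUE:
        raise ValueError(f"bad rp_filter setting: {setting!r}")
    saved, warnings = {}, []
    for iface in ifaces:
        knob = root / iface / "rp_filter"
        current = knob.read_text().strip()
        if setting == "%unchanged":
            if current != "0":
                warnings.append(f"{iface}: rp_filter={current}, "
                                "FreeS/WAN usually needs 0")
            continue
        want = WRITTEN_VALUE[setting]
        if current != want:
            saved[iface] = current        # remember only what we changed
            knob.write_text(want + "\n")
    return saved, warnings


def rp_filter_restore(saved, root=SYSCTL_ROOT):
    """Undo rp_filter_apply using the dict it returned."""
    for iface, old in saved.items():
        (root / iface / "rp_filter").write_text(old + "\n")


def demo():
    """Run an apply/restore cycle against a scratch tree (a constructed
    stand-in for /proc/sys/net/ipv4/conf) and return what was observed."""
    root = Path(tempfile.mkdtemp())
    for iface, value in {"eth0": "1", "eth1": "0"}.items():
        (root / iface).mkdir()
        (root / iface / "rp_filter").write_text(value + "\n")

    def snapshot():
        return {i: (root / i / "rp_filter").read_text().strip()
                for i in ("eth0", "eth1")}

    _, warnings = rp_filter_apply(["eth0", "eth1"], "%unchanged", root)
    saved, _ = rp_filter_apply(["eth0", "eth1"], "0", root)
    after_apply = snapshot()
    rp_filter_restore(saved, root)
    return {"warnings": warnings, "saved": saved,
            "after_apply": after_apply, "after_restore": snapshot()}
```

Only interfaces whose value actually changed are recorded, so a restore
after "ipsec setup stop" leaves untouched interfaces alone; the
%unchanged path never writes, it only reports values FreeS/WAN is
likely to have trouble with.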

Currently ikelifetime defaults to 1 hour and keylife defaults to 8 hours.
There have been some rumblings that these are the wrong defaults, but
it isn't clear what would be best. Perhaps both should be closer.
Any thoughts on what these should be? Any Road Warrior or OE conn
should probably have carefully thought-out values explicitly
specified. The settings don't matter much for VPN connections.

keyingtries=%forever is the new improved notation for keyingtries=0.
Eventually the 0 notation will be eliminated.

Some options can now be set to %none to signify no setting. Otherwise
there would be no way for the user to override a default setting (for
example, to drop an inherited leftrsasigkey=%dnsondemand from a conn
that does not use RSA signatures):
    leftrsasigkey, rightrsasigkey [added in 1.98]
    interfaces
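
To show how the rules in this note fit together (the mandatory
"version 2.0" line, the reserved "%" conn names, conn %default applying
to every conn except the implicit OEself, keyingtries=0 meaning
%forever, and %none erasing an inherited setting), here is an added
example that is not FreeS/WAN's _confread (which is an awk script with
many more rules). The function names parse and effective_conns, the
ConfError class and the SAMPLE file are this example's own; SAMPLE is
constructed and uses documentation addresses.

```python
"""Added example, not FreeS/WAN's own _confread: a small reader that
applies just the ipsec.conf rules stated in this note, run on a
constructed sample file.  Names here are this example's own."""
import re

# "New Default" column for conn %default, from the table above.
DEFAULT_CONN = {
    "keyingtries": "%forever",
    "disablearrivalcheck": "no",
    "authby": "rsasig",
    "leftrsasigkey": "%dnsondemand",
    "rightrsasigkey": "%dnsondemand",
}

# The implicit conn, installed unless the sysadmin defines "conn OEself".
IMPLICIT_OESELF = {
    "authby": "rsasig", "left": "%defaultroute",
    "leftrsasigkey": "%dnsondemand", "right": "%opportunistic",
    "rightrsasigkey": "%dnsondemand", "keyingtries": "3",
    "ikelifetime": "1h", "keylife": "1h", "rekey": "no",
    "disablearrivalcheck": "no", "auto": "route",
}

# Constructed sample file; the addresses are documentation ranges.
SAMPLE = """\
# /etc/ipsec.conf (constructed example)
version 2.0

config setup
    interfaces=%defaultroute
    rp_filter=0

conn %default
    keyingtries=0

conn office
    left=192.0.2.1
    right=198.51.100.7
    authby=secret
    leftrsasigkey=%none
    rightrsasigkey=%none
    auto=start
"""


class ConfError(Exception):
    """A file that breaks one of the rules described in the note."""


def parse(text):
    """Return {(kind, name): {option: value}} for config/conn sections,
    enforcing the version line and the reserved '%' conn names."""
    sections, current, seen_version = {}, None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                 # blank or comment
        if not seen_version:
            # First significant line must be exactly this, unindented.
            if raw != "version 2.0":
                raise ConfError(f"line {lineno}: expected 'version 2.0'")
            seen_version = True
            continue
        if raw[0] not in " \t":                      # section header
            m = re.fullmatch(r"(config|conn)\s+(\S+)", raw)
            if not m:
                raise ConfError(f"line {lineno}: bad section header")
            kind, name = m.groups()
            if kind == "conn" and name.startswith("%") and name != "%default":
                raise ConfError(f"line {lineno}: conn names starting "
                                "with % are reserved")
            current = sections.setdefault((kind, name), {})
        else:                                        # option=value line
            if current is None:
                raise ConfError(f"line {lineno}: option outside a section")
            key, sep, value = raw.strip().partition("=")
            if not sep:
                raise ConfError(f"line {lineno}: expected option=value")
            current[key.strip()] = value.strip()
    return sections


def _normalise(opts):
    # keyingtries=0 is the old spelling of keyingtries=%forever.
    if opts.get("keyingtries") == "0":
        opts["keyingtries"] = "%forever"
    # %none means "no setting": it erases a value inherited from a default.
    return {k: v for k, v in opts.items() if v != "%none"}


def effective_conns(sections):
    """Built-in defaults, then conn %default, then each conn's own
    settings.  The implicit OEself is added only when the sysadmin has
    not defined one, and conn %default never touches it."""
    base = dict(DEFAULT_CONN)
    base.update(sections.get(("conn", "%default"), {}))
    result = {}
    for (kind, name), opts in sections.items():
        if kind == "conn" and name != "%default":
            result[name] = _normalise({**base, **opts})
    if "OEself" not in result:
        result["OEself"] = dict(IMPLICIT_OESELF)
    return result
```

On the sample, "office" ends up with authby=secret and no rsasigkey
options at all (the %none entries have removed the inherited
%dnsondemand defaults), while the implicit OEself keeps keyingtries=3
even though conn %default asks for 0/%forever.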

Hugh Redelmeier
hugh@mimosa.com        voice: +1 416 482-8253