.B never
can be used if negotiation is never to be attempted or accepted (useful for
shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
+Digital signatures are superior in every way to shared secrets.
IKEv1 additionally supports the values
.B xauthpsk
and
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
based on shared secrets or digital RSA signatures, respectively.
This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
+to agree on an authentication method. Use the
.B leftauth
parameter instead to define authentication methods in IKEv2.
.TP
loads a connection and brings it up immediatly.
.B ignore
ignores the connection. This is equal to delete a connection from the config
-file.
+file.
Relevant only locally, other end need not agree on it
(but in general, for an intended-to-be-permanent connection,
both ends should use
liveliness of the IPsec peer. The values
.BR clear ,
.BR hold ,
-and
+and
.B restart
all activate DPD. If no activity is detected, all connections with a dead peer
are stopped and unrouted (
in case of inactivity. This only applies to IKEv1, in IKEv2 the default
retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
.B eap
defines the EAP type to propose as server if the client requests EAP
authentication. This parameter is deprecated in the favour of
.B leftauth.
To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
+set
.B eap=radius
.TP
.B eap_identity
defines the identity the client uses to reply to a EAP Identity request.
If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
+identity during EAP authentication. The special value
.B %identity
uses the EAP Identity method to ask the client for a EAP identity. If not
defined, the IKEv2 identity will be used as EAP identity.
.TP
.B forceencaps
Force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to hurdle restrictive firewalls. To enforce the peer to
+This may help to hurdle restrictive firewalls. To enforce the peer to
encapsulate packets, NAT detection payloads are faked (IKEv2 only).
.TP
.B ike
.B ikev1
are initiated with pluto, those marked with
.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
.B keyexchange
setting. The default value
.B ike
.TP
.B leftauth
Authentication method to use (local) or require (remote) in this connection.
-This parameter is supported in IKEv2 only. Acceptable values are
+This parameter is supported in IKEv2 only. Acceptable values are
.B pubkey
-for public key authentication (RSA/ECDSA),
+for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
to (require the) use of the Extensible Authentication Protocol. In the case
-of
+of
.B eap,
an optional EAP method can be appended. Currently defined methods are
.B eap-aka, eap-sim, eap-gtc, eap-md5
).
.TP
.B leftauth2
-Same as
+Same as
.B leftauth,
but defines an additional authentication exchange. IKEv2 supports multiple
authentication rounds using "Multiple Authentication Exchanges" defined
.B leftca
the distinguished name of a certificate authority which is required to
lie in the trust path going from the left participant's certificate up
-to the root certification authority.
+to the root certification authority.
.TP
.B leftca2
Same as
Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
are accepted. By default
.B leftcert
-sets
+sets
.B leftid
to the distinguished name of the certificate's subject and
.B leftca
.B %cfg,
an address is requested from the peer. In IKEv2, a defined address is requested,
but the server may change it. If the server does not support it, the address
-is enforced.
+is enforced.
.TP
.B rightsourceip
The internal source IP to use in a tunnel for the remote peer. If the
.B esp
parameter.
.TP
-.B pfsgroup
+.B pfsgroup
defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
.TP
(the default).
.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
+The following parameters are relevant to IKEv2 Mediation Extension
operation only.
.TP 14
.B mediation
.SH "CA SECTIONS"
This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). These parameters are not
+parameters to a Certification Authority (CA). These parameters are not
supported in IKEv2 yet.
.TP 10
.B auto
.B ignore
or
.B add
-.
+.
.TP
.B cacert
-defines a path to the CA certificate either relative to
+defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
.TP
.B crluri
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv2 support.
.TP
.B yes
or
.BR no .
-The default is
+The default is
.B yes
if starter was compiled with IKEv1 support.
.TP
overriding IPsec's (large) default.
.SH CHOOSING A CONNECTION
.PP
-When choosing a connection to apply to an outbound packet caught with a
+When choosing a connection to apply to an outbound packet caught with a
.BR %trap,
the system prefers the one with the most specific eroute that
includes the packet's source and destination IP addresses.
projects / thirdparty / strongswan.git / commitdiff
