From: Tobias Brunner Date: Mon, 31 Mar 2025 14:01:27 +0000 (+0200) Subject: swanctl: Document "none" keyword for ESP proposals X-Git-Tag: 6.0.2dr1~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8cb36be1886044f890ac42e296d3f1e0495ec8de;p=thirdparty%2Fstrongswan.git swanctl: Document "none" keyword for ESP proposals --- diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 70dac8ee49..c71baef300 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -726,19 +726,22 @@ connections..children..esp_proposals = default mode algorithm is used instead of the separate encryption/integrity algorithms. - If a key exchange method is specified, CHILD_SA/Quick Mode rekeying and + If a key exchange method is negotiated, CHILD_SA/Quick Mode rekeying and initial negotiation use a separate key exchange using the specified method. However, for IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always be derived from the IKE_SA's key material. So any key exchange method specified here will only apply when the CHILD_SA is later rekeyed or is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately be noticed when the SA is - established, but may later cause rekeying to fail. + established, but may later cause rekeying to fail. If one or more key + exchange methods are configured in a proposal, the key exchange can be made + optional by also adding **none**. With peers that support multiple IKEv2 key exchanges (RFC 9370), up to seven additional key exchanges may be negotiated. They can be configured by prefixing the algorithm keyword with **keX_** (where X is a number between - 1 and 7). + 1 and 7). Additional key exchanges can be made optional by adding + **keX_none** to a proposal. Extended Sequence Number support may be indicated with the _esn_ and _noesn_ values, both may be included to indicate support for both modes. If omitted,
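Review bot: The new sentences about **none** and **keX_none** in this hunk leave the reader guessing how the keyword is actually written inside a proposal and what it gives up; both should be spelled out. The text says the key exchange "can be made optional by also adding **none**" but never shows a proposal that contains it alongside a real method, so it is unclear whether **none** is another dash-separated keyword in the same proposal or something else; one concrete proposal string in the style the rest of this option uses would settle that, and the same goes for **keX_none** (e.g. whether **ke1_none** sits next to a **ke1_** method in the same proposal). More importantly, the surrounding paragraph already explains that CHILD_SA keys are otherwise derived from the IKE_SA's key material and that a separate key exchange only happens on rekeying or CREATE_CHILD_SA when a method is negotiated; it follows that if the peer selects **none**, rekeying proceeds without that separate key exchange. The documentation should state that consequence explicitly, since an administrator adding **none** "for compatibility" may not realise they are allowing rekeys without fresh key exchange, and it would be worth saying which side's preference decides between the method and **none** when both are acceptable. Suggest extending the added text along the lines of: "If the peer selects **none**, the CHILD_SA is rekeyed without a separate key exchange, so its keys remain derived from the IKE_SA's key material."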