Openswan /
ConfFiles
Last modified: August 08, 2006, at 09:31 AM

ipsec.conf

Global Parameters

Config Sections

At this time there is only one config section type.
 config setup
     param=value

Connection Sections

 conn name
     param=value
 name must be alphanumeric with no spaces, or use the special name %default.

Special Parameters

General Parameters

Automatic Keying

Manual Keying

For a very good, up-to-date reference to ipsec.conf, see this page.

ipsec.secrets

ipsec.secrets - secrets for IKE/IPsec authentication

DESCRIPTION

       The file ipsec.secrets holds a table of secrets. These secrets are
       used by ipsec_pluto(8), the Open Internet Key Exchange daemon, to
       authenticate other hosts. Currently there are two kinds of secrets:
       preshared secrets and RSA private keys.

       It is vital that these secrets be protected. The file should be owned
       by the super-user, and its permissions should be set to block all
       access by others.

       The file is a sequence of entries and include directives. Here is an
       example. Each entry or directive must start at the left margin, but if
       it continues beyond a single line, each continuation line must be
       indented.
              # sample /etc/ipsec.secrets file for 10.1.0.1
              10.1.0.1 10.2.0.1: PSK "secret shared by two hosts"

              # an entry may be split across lines,
              # but indentation matters
              www.xs4all.nl @www.kremvax.ru
                  10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5 different peers"

              # an RSA private key.
              # note that the lines are too wide for a
              # man page, so ... has been substituted for
              # the truncated part
              @my.com: rsa {
                  Modulus: 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt...
                  PublicExponent: 0sAw==
                  PrivateExponent: 0shlGbVR1m8Z+7rhzSyenCaBN...
                  Prime1: 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l...
                  Prime2: 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0...
                  Exponent1: 0soaXj85ihM5M2inVf/NfHmtLutVz4r...
                  Exponent2: 0sjdAL9VFizF+BKU4ohguJFzOd55OG6...
                  Coefficient: 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ...
                  }

              # X.509 Certs
              : RSA toronto.xelerance.com.key "passphrase to unlock the key"


              include ipsec.*.secrets  # get secrets from other files
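
An added example, not part of the Openswan wiki or the man page: a Python check for the ownership and permission rule above that also follows include directives, so files pulled in by a pattern such as ipsec.*.secrets are audited too. The function names are hypothetical, and resolving a relative include pattern against the including file's directory is an assumption.

```python
import glob
import os
import stat


def included_patterns(text):
    """Yield the filename pattern of each include directive in ipsec.secrets text."""
    for line in text.splitlines():
        # Directives start at the left margin; indented lines are continuations.
        if line[:1].isspace() or not line.startswith("include"):
            continue
        fields = line.split("#", 1)[0].split()  # drop a trailing comment
        if len(fields) == 2 and fields[0] == "include":
            yield fields[1]


def audit_secrets(path, expected_uid=0, _seen=None):
    """Return (file, problem) findings for path and every file it includes."""
    seen = set() if _seen is None else _seen
    real = os.path.realpath(path)
    if real in seen:  # guard against include loops
        return []
    seen.add(real)
    findings = []
    st = os.stat(real)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
    # Any group/other permission bit means access by others is not blocked.
    if mode & 0o077:
        findings.append((path, f"mode {mode:04o} allows group/other access"))
    with open(real, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    base = os.path.dirname(real)
    for pattern in included_patterns(text):
        # Assumption: a relative pattern is resolved against the
        # directory of the including file.
        for match in sorted(glob.glob(os.path.join(base, pattern))):
            findings.extend(audit_secrets(match, expected_uid, seen))
    return findings


if __name__ == "__main__":
    for name, problem in audit_secrets("/etc/ipsec.secrets"):
        print(f"{name}: {problem}")
```

Run it as the super-user, since a correctly protected file is unreadable to anyone else.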

See Also:

 ImplicitConns, PolicyGroups