doc:uci:ipsec

Differences
doc:uci:ipsec [2013/01/20 19:01]
birnenschnitzel
doc:uci:ipsec [2015/04/17 16:27] (current)
folke [p2_proposal] tunnel changed to remote
Line 1: Line 1:
 ====== Strongswan IPsec Configuration ====== ====== Strongswan IPsec Configuration ======
  
-Linux Charon IPsec daemon can be configured through /​etc/​config/​ipsec. ​This document is in an early alpha state.  +Linux Charon IPsec daemon can be configured through /​etc/​config/​ipsec.
 ===== Sections ===== ===== Sections =====
  
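Review bot: removing the "early alpha state" sentence from the intro leaves the page without any statement of implementation status, even though the remote table further down still says authentication_method accepts only psk; rather than dropping the sentence outright, replace it with a short note on what is and is not implemented yet so readers do not assume the other values documented here already work.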
Line 9: Line 8:
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
 |zone|string|no|vpn|Firewall zone. Has to match the defined [[doc:​howto:​vpn.ipsec.firewall#​zones|firewall zone]]| |zone|string|no|vpn|Firewall zone. Has to match the defined [[doc:​howto:​vpn.ipsec.firewall#​zones|firewall zone]]|
 +|listen|list|yes|''​|Interface that accept VPN traffic (empty for all interfaces, multiple lines for several interfaces)| 
 +|debug|string|no|0|Trace level. Logs are written to /​var/​log/​charon.log|
 ==== remote ==== ==== remote ====
  
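Review bot: the new listen row contradicts itself: it is marked Required=yes with an empty default, while the description says an empty value means all interfaces, so either mark it no (empty default, all interfaces) or remove the "empty for all interfaces" wording; the description also needs "Interfaces that accept VPN traffic". For the debug row, list the accepted trace levels instead of only the default 0, since higher levels make charon write considerably more detail to /var/log/charon.log and readers should know which values are valid before turning it up.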
Line 18: Line 18:
 |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint. | |gateway|ipaddr|yes|(none)|IP address or FQDN name of the tunnel remote endpoint. |
 |exchange_mode|string|no|main|Phase 1 negotiation (main, aggressive)| ​ |exchange_mode|string|no|main|Phase 1 negotiation (main, aggressive)| ​
-|my_identifier|string|no|(none)|identifier for phase 1 | +|local_identifier|string|no|(none)|local identifier for phase 1 | 
-|pre_shared_key|string|yes|(none)|The preshared key for the tunnel|+|remote_identifier|string|no|(none)|remote identifier ​for phase 1 |
 |authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk| |authentication_method|string|yes|(none)|Phase 1 authentication. Only allowed value ath the moment is psk|
-|pre_shared_key|string|no|(none)|The preshared key if authentication is psk|+|pre_shared_key|string|no|(none)|The preshared key for the tunnel ​if authentication is psk|
 |p1_proposal|list|yes|(none)|Name of phase 1 proposal (see below)| |p1_proposal|list|yes|(none)|Name of phase 1 proposal (see below)|
 |tunnel|list|yes|(none)|Name of phase 2 section (see below)| |tunnel|list|yes|(none)|Name of phase 2 section (see below)|
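Review bot: the merged pre_shared_key row now reads Required=no, but the authentication_method row directly above still says psk is the only allowed value, so a pre-shared key is in practice always required; mark it yes, or phrase it as "required when authentication_method is psk" and keep the Required column consistent with that. While touching this table, fix "ath the moment" in the authentication_method row, and say what form local_identifier and remote_identifier take so readers know how each value maps to the identity a peer presents in phase 1.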
Line 27: Line 27:
 ==== p1_proposal ==== ==== p1_proposal ====
  
-Definition of phase 1 proposals+Definition of phase 1 proposals. Derived from [[https://​wiki.strongswan.org/​projects/​strongswan/​wiki/​IKEv1CipherSuites|stronSwan cipher suites]]
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
-|encrpytion_algorithm|string|yes|(none)|Phase 1 encryption method (aes128, aes192, aes256, 3des)|+|encryption_algorithm|string|yes|(none)|Phase 1 encryption method (aes128, aes192, aes256, 3des)|
 |hash_alogrithm|string|yes|(none)|Phase 1 hash alogrithm (md5,sha1) | |hash_alogrithm|string|yes|(none)|Phase 1 hash alogrithm (md5,sha1) |
-|dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, ​modep1024, ...|+|dh_group|string|yes|(none)|Diffie-Hellman exponentiation (modp768, ​modp1024, ...|
  
 ==== tunnel ==== ==== tunnel ====
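Review bot: the added link text reads "stronSwan"; it should be "strongSwan". The encryption_algorithm and modp1024 fixes are correct, but the unchanged hash_alogrithm row keeps the same misspelling in both the option name and the description (if the implementation really reads the key as hash_alogrithm, say so explicitly, otherwise correct it to hash_algorithm), and the dh_group description is missing its closing parenthesis after "...". Since the table now cites the strongSwan cipher-suite list, it would also help to mark md5, 3des and modp768 as legacy choices kept only for interoperability with old peers.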
Line 46: Line 46:
 ==== p2_proposal ==== ==== p2_proposal ====
  
-Definition of phase 2 proposal+Definition of phase 2 proposal. Derived from [[https://​wiki.strongswan.org/​projects/​strongswan/​wiki/​IKEv1CipherSuites|stronSwan cipher suites]]
  
 ^Name^Type^Required^Default^Description^ ^Name^Type^Required^Default^Description^
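Review bot: same "stronSwan" typo in the added link text here as in the p1_proposal section; also "Definition of phase 2 proposal" should be plural to match the p1_proposal wording ("proposals").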
Line 59: Line 59:
   option '​zone'​ '​vpn'​   option '​zone'​ '​vpn'​
  
-config 'tunnel' '​acme'​+config 'remote' '​acme'​
   option '​enabled'​ '​1'​   option '​enabled'​ '​1'​
   option '​gateway'​ '​7.7.7.7'​   option '​gateway'​ '​7.7.7.7'​
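Review bot: renaming the example section from 'tunnel' to 'remote' matches the remote table above, but that table marks authentication_method, p1_proposal and tunnel as required, so the example should show those options alongside enabled and gateway unless the part of the example outside this hunk already does. The gateway placeholder 7.7.7.7 is a routable public address; use one from the RFC 5737 documentation ranges (for example 192.0.2.1) so copy-pasted configs cannot point at a real host.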
doc/uci/ipsec.1358704890.txt.bz2 · Last modified: 2013/01/20 19:01 by birnenschnitzel