···
1
+
# See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
3
+
# When strongSwan is upgraded please update the parameters in this file. You can
4
+
# see which parameters should be deleted, changed or added by diffing
7
+
# git clone https://github.com/strongswan/strongswan.git
9
+
# git diff 5.5.3..5.6.0 src/swanctl/swanctl.opt
11
+
lib: with (import ./param-constructors.nix lib);
15
+
file = mkOptionalStrParam ''
16
+
Absolute path to the certificate to load. Passed as-is to the daemon, so
17
+
it must be readable by it.
19
+
Configure either this or <option>handle</option>, but not both, in one section.
22
+
handle = mkOptionalHexParam ''
23
+
Hex-encoded CKA_ID or handle of the certificate on a token or TPM,
26
+
Configure either this or <option>file</option>, but not both, in one section.
29
+
slot = mkOptionalIntParam ''
30
+
Optional slot number of the token that stores the certificate.
33
+
module = mkOptionalStrParam ''
34
+
Optional PKCS#11 module name.
38
+
authorities = mkAttrsOfParams ({
40
+
cacert = mkOptionalStrParam ''
41
+
The certificates may use a relative path from the swanctl
42
+
<literal>x509ca</literal> directory or an absolute path.
44
+
Configure one of <option>cacert</option>,
45
+
<option>file</option>, or
46
+
<option>handle</option> per section.
49
+
cert_uri_base = mkOptionalStrParam ''
50
+
Defines the base URI for the Hash and URL feature supported by
51
+
IKEv2. Instead of exchanging complete certificates, IKEv2 allows one to
52
+
send an URI that resolves to the DER encoded certificate. The certificate
53
+
URIs are built by appending the SHA1 hash of the DER encoded certificates
57
+
crl_uris = mkCommaSepListParam [] ''
58
+
List of CRL distribution points (ldap, http, or file URI).
61
+
ocsp_uris = mkCommaSepListParam [] ''
66
+
Section defining complementary attributes of certification authorities, each
67
+
in its own subsection with an arbitrary yet unique name
70
+
connections = mkAttrsOfParams {
72
+
version = mkIntParam 0 ''
73
+
IKE major version to use for connection.
75
+
<listitem><para>1 uses IKEv1 aka ISAKMP,</para></listitem>
76
+
<listitem><para>2 uses IKEv2.</para></listitem>
77
+
<listitem><para>A connection using the default of 0 accepts both IKEv1 and IKEv2 as
78
+
responder, and initiates the connection actively with IKEv2.</para></listitem>
82
+
local_addrs = mkCommaSepListParam [] ''
83
+
Local address(es) to use for IKE communication. Takes
84
+
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
86
+
As initiator, the first non-range/non-subnet is used to initiate the
87
+
connection from. As responder, the local destination address must match at
88
+
least to one of the specified addresses, subnets or ranges.
90
+
If FQDNs are assigned they are resolved every time a configuration lookup
91
+
is done. If DNS resolution times out, the lookup is delayed for that time.
94
+
remote_addrs = mkCommaSepListParam [] ''
95
+
Remote address(es) to use for IKE communication. Takes
96
+
single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
98
+
As initiator, the first non-range/non-subnet is used to initiate the
99
+
connection to. As responder, the initiator source address must match at
100
+
least to one of the specified addresses, subnets or ranges.
102
+
If FQDNs are assigned they are resolved every time a configuration lookup
103
+
is done. If DNS resolution times out, the lookup is delayed for that time.
104
+
To initiate a connection, at least one specific address or DNS name must
108
+
local_port = mkIntParam 500 ''
109
+
Local UDP port for IKE communication. By default the port of the socket
110
+
backend is used, which is usually <literal>500</literal>. If port
111
+
<literal>500</literal> is used, automatic IKE port floating to port
112
+
<literal>4500</literal> is used to work around NAT issues.
114
+
Using a non-default local IKE port requires support from the socket
115
+
backend in use (socket-dynamic).
118
+
remote_port = mkIntParam 500 ''
119
+
Remote UDP port for IKE communication. If the default of port
120
+
<literal>500</literal> is used, automatic IKE port floating to port
121
+
<literal>4500</literal> is used to work around NAT issues.
124
+
proposals = mkCommaSepListParam ["default"] ''
125
+
A proposal is a set of algorithms. For non-AEAD algorithms, this includes
126
+
for IKE an encryption algorithm, an integrity algorithm, a pseudo random
127
+
function and a Diffie-Hellman group. For AEAD algorithms, instead of
128
+
encryption and integrity algorithms, a combined algorithm is used.
130
+
In IKEv2, multiple algorithms of the same kind can be specified in a
131
+
single proposal, from which one gets selected. In IKEv1, only one
132
+
algorithm per kind is allowed per proposal, more algorithms get implicitly
133
+
stripped. Use multiple proposals to offer different algorithms
134
+
combinations in IKEv1.
136
+
Algorithm keywords get separated using dashes. Multiple proposals may be
137
+
specified in a list. The special value <literal>default</literal> forms a
138
+
default proposal of supported algorithms considered safe, and is usually a
139
+
good choice for interoperability.
142
+
vips = mkCommaSepListParam [] ''
143
+
List of virtual IPs to request in IKEv2 configuration payloads or IKEv1
144
+
Mode Config. The wildcard addresses <literal>0.0.0.0</literal> and
145
+
<literal>::</literal> request an arbitrary address, specific addresses may
146
+
be defined. The responder may return a different address, though, or none
150
+
aggressive = mkYesNoParam no ''
151
+
Enables Aggressive Mode instead of Main Mode with Identity
152
+
Protection. Aggressive Mode is considered less secure, because the ID and
153
+
HASH payloads are exchanged unprotected. This allows a passive attacker to
154
+
snoop peer identities, and even worse, start dictionary attacks on the
158
+
pull = mkYesNoParam yes ''
159
+
If the default of yes is used, Mode Config works in pull mode, where the
160
+
initiator actively requests a virtual IP. With no, push mode is used,
161
+
where the responder pushes down a virtual IP to the initiating peer.
163
+
Push mode is currently supported for IKEv1, but not in IKEv2. It is used
164
+
by a few implementations only, pull mode is recommended.
167
+
dscp = mkStrParam "000000" ''
168
+
Differentiated Services Field Codepoint to set on outgoing IKE packets for
169
+
this connection. The value is a six digit binary encoded string specifying
170
+
the Codepoint to set, as defined in RFC 2474.
173
+
encap = mkYesNoParam no ''
174
+
To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
175
+
NAT detection payloads. This makes the peer believe that NAT takes place
176
+
on the path, forcing it to encapsulate ESP packets in UDP.
178
+
Usually this is not required, but it can help to work around connectivity
179
+
issues with too restrictive intermediary firewalls.
182
+
mobike = mkYesNoParam yes ''
183
+
Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2
184
+
connections, and allows mobility of clients and multi-homing on servers by
185
+
migrating active IPsec tunnels.
187
+
Usually keeping MOBIKE enabled is unproblematic, as it is not used if the
188
+
peer does not indicate support for it. However, due to the design of
189
+
MOBIKE, IKEv2 always floats to port 4500 starting from the second
190
+
exchange. Some implementations don't like this behavior, hence it can be
194
+
dpd_delay = mkDurationParam "0s" ''
195
+
Interval to check the liveness of a peer actively using IKEv2
196
+
INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking
197
+
is only enforced if no IKE or ESP/AH packet has been received for the
198
+
configured DPD delay.
201
+
dpd_timeout = mkDurationParam "0s" ''
202
+
Charon by default uses the normal retransmission mechanism and timeouts to
203
+
check the liveness of a peer, as all messages are used for liveness
204
+
checking. For compatibility reasons, with IKEv1 a custom interval may be
205
+
specified; this option has no effect on connections using IKEv2.
208
+
fragmentation = mkEnumParam ["yes" "accept" "force" "no"] "yes" ''
209
+
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
210
+
fragmentation). Acceptable values are <literal>yes</literal> (the default
211
+
since 5.5.1), <literal>accept</literal> (since versions:5.5.3),
212
+
<literal>force</literal> and <literal>no</literal>.
214
+
<listitem><para>If set to <literal>yes</literal>, and the peer
215
+
supports it, oversized IKE messages will be sent in fragments.</para></listitem>
216
+
<listitem><para>If set to
217
+
<literal>accept</literal>, support for fragmentation is announced to the peer but the daemon
218
+
does not send its own messages in fragments.</para></listitem>
219
+
<listitem><para>If set to <literal>force</literal> (only
220
+
supported for IKEv1) the initial IKE message will already be fragmented if
221
+
required.</para></listitem>
222
+
<listitem><para>Finally, setting the option to <literal>no</literal> will disable announcing
223
+
support for this feature.</para></listitem>
226
+
Note that fragmented IKE messages sent by a peer are always processed
227
+
irrespective of the value of this option (even when set to no).
230
+
send_certreq = mkYesNoParam yes ''
231
+
Send certificate request payloads to offer trusted root CA certificates to
232
+
the peer. Certificate requests help the peer to choose an appropriate
233
+
certificate/private key for authentication and are enabled by default.
234
+
Disabling certificate requests can be useful if too many trusted root CA
235
+
certificates are installed, as each certificate request increases the size
236
+
of the initial IKE packets.
239
+
send_cert = mkEnumParam ["always" "never" "ifasked" ] "ifasked" ''
240
+
Send certificate payloads when using certificate authentication.
242
+
<listitem><para>With the default of <literal>ifasked</literal> the daemon sends
243
+
certificate payloads only if certificate requests have been received.</para></listitem>
244
+
<listitem><para><literal>never</literal> disables sending of certificate payloads
245
+
altogether,</para></listitem>
246
+
<listitem><para><literal>always</literal> causes certificate payloads to be sent
247
+
unconditionally whenever certificate authentication is used.</para></listitem>
251
+
keyingtries = mkIntParam 1 ''
252
+
Number of retransmission sequences to perform during initial
253
+
connect. Instead of giving up initiation after the first retransmission
254
+
sequence with the default value of <literal>1</literal>, additional
255
+
sequences may be started according to the configured value. A value of
256
+
<literal>0</literal> initiates a new sequence until the connection
257
+
establishes or fails with a permanent error.
260
+
unique = mkEnumParam ["no" "never" "keep" "replace"] "no" ''
261
+
Connection uniqueness policy to enforce. To avoid multiple connections
262
+
from the same user, a uniqueness policy can be enforced.
266
+
The value <literal>never</literal> does never enforce such a policy, even
267
+
if a peer included INITIAL_CONTACT notification messages,
270
+
whereas <literal>no</literal> replaces existing connections for the same
271
+
identity if a new one has the INITIAL_CONTACT notify.
274
+
<literal>keep</literal> rejects new connection attempts if the same user
275
+
already has an active connection,
278
+
<literal>replace</literal> deletes any existing connection if a new one
279
+
for the same user gets established.
282
+
To compare connections for uniqueness, the remote IKE identity is used. If
283
+
EAP or XAuth authentication is involved, the EAP-Identity or XAuth
284
+
username is used to enforce the uniqueness policy instead.
286
+
On initiators this setting specifies whether an INITIAL_CONTACT notify is
287
+
sent during IKE_AUTH if no existing connection is found with the remote
288
+
peer (determined by the identities of the first authentication
289
+
round). Only if set to keep or replace will the client send a notify.
292
+
reauth_time = mkDurationParam "0s" ''
293
+
Time to schedule IKE reauthentication. IKE reauthentication recreates the
294
+
IKE/ISAKMP SA from scratch and re-evaluates the credentials. In asymmetric
295
+
configurations (with EAP or configuration payloads) it might not be
296
+
possible to actively reauthenticate as responder. The IKEv2
297
+
reauthentication lifetime negotiation can instruct the client to perform
300
+
Reauthentication is disabled by default. Enabling it usually may lead to
301
+
small connection interruptions, as strongSwan uses a break-before-make
302
+
policy with IKEv2 to avoid any conflicts with associated tunnel resources.
305
+
rekey_time = mkDurationParam "4h" ''
306
+
IKE rekeying refreshes key material using a Diffie-Hellman exchange, but
307
+
does not re-check associated credentials. It is supported in IKEv2 only,
308
+
IKEv1 performs a reauthentication procedure instead.
310
+
With the default value IKE rekeying is scheduled every 4 hours, minus the
311
+
configured rand_time. If a reauth_time is configured, rekey_time defaults
312
+
to zero, disabling rekeying; explicitly set both to enforce rekeying and
316
+
over_time = mkOptionalDurationParam ''
317
+
Hard IKE_SA lifetime if rekey/reauth does not complete, as time. To avoid
318
+
having an IKE/ISAKMP kept alive if IKE reauthentication or rekeying fails
319
+
perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails
320
+
to rekey or reauthenticate within the specified time, the IKE_SA gets
323
+
In contrast to CHILD_SA rekeying, over_time is relative in time to the
324
+
rekey_time and reauth_time values, as it applies to both.
326
+
The default is 10% of the longer of <option>rekey_time</option> and
327
+
<option>reauth_time</option>.
330
+
rand_time = mkOptionalDurationParam ''
331
+
Time range from which to choose a random value to subtract from
332
+
rekey/reauth times. To avoid having both peers initiating the rekey/reauth
333
+
procedure simultaneously, a random time gets subtracted from the
334
+
rekey/reauth times.
336
+
The default is equal to the configured <option>over_time</option>.
339
+
pools = mkCommaSepListParam [] ''
340
+
List of named IP pools to allocate virtual IP addresses
341
+
and other configuration attributes from. Each name references a pool by
342
+
name from either the pools section or an external pool.
345
+
mediation = mkYesNoParam no ''
346
+
Whether this connection is a mediation connection, that is, whether this
347
+
connection is used to mediate other connections using the IKEv2 Mediation
348
+
Extension. Mediation connections create no CHILD_SA.
351
+
mediated_by = mkOptionalStrParam ''
352
+
The name of the connection to mediate this connection through. If given,
353
+
the connection will be mediated through the named mediation
354
+
connection. The mediation connection must have mediation enabled.
357
+
mediation_peer = mkOptionalStrParam ''
358
+
Identity under which the peer is registered at the mediation server, that
359
+
is, the IKE identity the other end of this connection uses as its local
360
+
identity on its connection to the mediation server. This is the identity
361
+
we request the mediation server to mediate us with. Only relevant on
362
+
connections that set mediated_by. If it is not given, the remote IKE
363
+
identity of the first authentication round of this connection will be
367
+
local = mkPrefixedAttrsOfParams {
369
+
round = mkIntParam 0 ''
370
+
Optional numeric identifier by which authentication rounds are
371
+
sorted. If not specified rounds are ordered by their position in the
372
+
config file/vici message.
375
+
certs = mkCommaSepListParam [] ''
376
+
List of certificate candidates to use for
377
+
authentication. The certificates may use a relative path from the
378
+
swanctl <literal>x509</literal> directory or an absolute path.
380
+
The certificate used for authentication is selected based on the
381
+
received certificate request payloads. If no appropriate CA can be
382
+
located, the first certificate is used.
385
+
cert = mkPostfixedAttrsOfParams certParams ''
386
+
Section for a certificate candidate to use for
387
+
authentication. Certificates in certs are transmitted as binary blobs,
388
+
these sections offer more flexibility.
391
+
pubkeys = mkCommaSepListParam [] ''
392
+
List of raw public key candidates to use for
393
+
authentication. The public keys may use a relative path from the swanctl
394
+
<literal>pubkey</literal> directory or an absolute path.
396
+
Even though multiple local public keys could be defined in principle,
397
+
only the first public key in the list is used for authentication.
400
+
auth = mkStrParam "pubkey" ''
401
+
Authentication to perform locally.
404
+
The default <literal>pubkey</literal> uses public key authentication
405
+
using a private key associated to a usable certificate.
408
+
<literal>psk</literal> uses pre-shared key authentication.
411
+
The IKEv1 specific <literal>xauth</literal> is used for XAuth or Hybrid
415
+
while the IKEv2 specific <literal>eap</literal> keyword defines EAP
419
+
For <literal>xauth</literal>, a specific backend name may be appended,
420
+
separated by a dash. The appropriate <literal>xauth</literal> backend is
421
+
selected to perform the XAuth exchange. For traditional XAuth, the
422
+
<literal>xauth</literal> method is usually defined in the second
423
+
authentication round following an initial <literal>pubkey</literal> (or
424
+
<literal>psk</literal>) round. Using <literal>xauth</literal> in the
425
+
first round performs Hybrid Mode client authentication.
428
+
For <literal>eap</literal>, a specific EAP method name may be appended, separated by a
429
+
dash. An EAP module implementing the appropriate method is selected to
430
+
perform the EAP conversation.
433
+
Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication
434
+
in IKEv2") specific hash algorithms to be used during IKEv2
435
+
authentication may be configured. To do so use <literal>ike:</literal>
436
+
followed by a trust chain signature scheme constraint (see description
437
+
of the <option>remote</option> section's <option>auth</option>
438
+
keyword). For example, with <literal>ike:pubkey-sha384-sha256</literal>
439
+
a public key signature scheme with either SHA-384 or SHA-256 would get
440
+
used for authentication, in that order and depending on the hash
441
+
algorithms supported by the peer. If no specific hash algorithms are
442
+
configured, the default is to prefer an algorithm that matches or
443
+
exceeds the strength of the signature key. If no constraints with
444
+
<literal>ike:</literal> prefix are configured any signature scheme
445
+
constraint (without <literal>ike:</literal> prefix) will also apply to
446
+
IKEv2 authentication, unless this is disabled in
447
+
<literal>strongswan.conf</literal>.
452
+
id = mkOptionalStrParam ''
453
+
IKE identity to use for authentication round. When using certificate
454
+
authentication, the IKE identity must be contained in the certificate,
455
+
either as subject or as subjectAltName.
458
+
eap_id = mkOptionalStrParam ''
459
+
Client EAP-Identity to use in EAP-Identity exchange and the EAP method.
462
+
aaa_id = mkOptionalStrParam ''
463
+
Server side EAP-Identity to expect in the EAP method. Some EAP methods,
464
+
such as EAP-TLS, use an identity for the server to perform mutual
465
+
authentication. This identity may differ from the IKE identity,
466
+
especially when EAP authentication is delegated from the IKE responder
469
+
For EAP-(T)TLS, this defines the identity for which the server must
470
+
provide a certificate in the TLS exchange.
473
+
xauth_id = mkOptionalStrParam ''
474
+
Client XAuth username used in the XAuth exchange.
478
+
Section for a local authentication round. A local authentication round
479
+
defines the rules how authentication is performed for the local
480
+
peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
481
+
Authentication or IKEv1 XAuth.
483
+
Each round is defined in a section having <literal>local</literal> as
484
+
prefix, and an optional unique suffix. To define a single authentication
485
+
round, the suffix may be omitted.
488
+
remote = mkPrefixedAttrsOfParams {
490
+
round = mkIntParam 0 ''
491
+
Optional numeric identifier by which authentication rounds are
492
+
sorted. If not specified rounds are ordered by their position in the
493
+
config file/vici message.
496
+
id = mkStrParam "%any" ''
497
+
IKE identity to expect for authentication round. When using certificate
498
+
authentication, the IKE identity must be contained in the certificate,
499
+
either as subject or as subjectAltName.
502
+
eap_id = mkOptionalStrParam ''
503
+
Identity to use as peer identity during EAP authentication. If set to
504
+
<literal>%any</literal> the EAP-Identity method will be used to ask the
505
+
client for an EAP identity.
508
+
groups = mkCommaSepListParam [] ''
509
+
Authorization group memberships to require. The peer
510
+
must prove membership to at least one of the specified groups. Group
511
+
membership can be certified by different means, for example by
512
+
appropriate Attribute Certificates or by an AAA backend involved in the
516
+
cert_policy = mkCommaSepListParam [] ''
517
+
List of certificate policy OIDs the peer's certificate
518
+
must have. OIDs are specified using the numerical dotted representation.
521
+
certs = mkCommaSepListParam [] ''
522
+
List of certificates to accept for authentication. The certificates may
523
+
use a relative path from the swanctl <literal>x509</literal> directory
524
+
or an absolute path.
527
+
cert = mkPostfixedAttrsOfParams certParams ''
528
+
Section for a certificate candidate to use for
529
+
authentication. Certificates in certs are transmitted as binary blobs,
530
+
these sections offer more flexibility.
533
+
cacerts = mkCommaSepListParam [] ''
534
+
List of CA certificates to accept for
535
+
authentication. The certificates may use a relative path from the
536
+
swanctl <literal>x509ca</literal> directory or an absolute path.
539
+
cacert = mkPostfixedAttrsOfParams certParams ''
540
+
Section for a CA certificate to accept for authentication. Certificates
541
+
in cacerts are transmitted as binary blobs, these sections offer more
545
+
pubkeys = mkCommaSepListParam [] ''
546
+
List of raw public keys to accept for
547
+
authentication. The public keys may use a relative path from the swanctl
548
+
<literal>pubkey</literal> directory or an absolute path.
551
+
revocation = mkEnumParam ["strict" "ifuri" "relaxed"] "relaxed" ''
552
+
Certificate revocation policy for CRL or OCSP revocation.
555
+
A <literal>strict</literal> revocation policy fails if no revocation information is
556
+
available, i.e. the certificate is not known to be unrevoked.
559
+
<literal>ifuri</literal> fails only if a CRL/OCSP URI is available, but certificate
560
+
revocation checking fails, i.e. there should be revocation information
561
+
available, but it could not be obtained.
564
+
The default revocation policy <literal>relaxed</literal> fails only if a certificate is
565
+
revoked, i.e. it is explicitly known that it is bad.
570
+
auth = mkStrParam "pubkey" ''
571
+
Authentication to expect from remote. See the <option>local</option>
572
+
section's <option>auth</option> keyword description about the details of
573
+
supported mechanisms.
575
+
Since 5.4.0, to require a trustchain public key strength for the remote
576
+
side, specify the key type followed by the minimum strength in bits (for
577
+
example <literal>ecdsa-384</literal> or
578
+
<literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of
579
+
hashing algorithms for trustchain validation, append hash algorithms to
580
+
pubkey or a key strength definition (for example
581
+
<literal>pubkey-sha1-sha256</literal> or
582
+
<literal>rsa-2048-ecdsa-256-sha256-sha384-sha512</literal>). Unless
583
+
disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
584
+
signature constraints are configured (refer to the description of the
585
+
<option>local</option> section's <option>auth</option> keyword for
586
+
details), such key types and hash algorithms are also applied as
587
+
constraints against IKEv2 signature authentication schemes used by the
590
+
To specify trust chain constraints for EAP-(T)TLS, append a colon to the
591
+
EAP method, followed by the key type/size and hash algorithm as
592
+
discussed above (e.g. <literal>eap-tls:ecdsa-384-sha384</literal>).
596
+
Section for a remote authentication round. A remote authentication round
597
+
defines the constraints how the peers must authenticate to use this
598
+
connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple
599
+
Authentication or IKEv1 XAuth.
601
+
Each round is defined in a section having <literal>remote</literal> as
602
+
prefix, and an optional unique suffix. To define a single authentication
603
+
round, the suffix may be omitted.
606
+
children = mkAttrsOfParams {
607
+
ah_proposals = mkCommaSepListParam [] ''
608
+
AH proposals to offer for the CHILD_SA. A proposal is a set of
609
+
algorithms. For AH, this includes an integrity algorithm and an optional
610
+
Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode
611
+
rekeying and initial negotiation uses a separate Diffie-Hellman exchange
612
+
using the specified group (refer to esp_proposals for details).
614
+
In IKEv2, multiple algorithms of the same kind can be specified in a
615
+
single proposal, from which one gets selected. In IKEv1, only one
616
+
algorithm per kind is allowed per proposal, more algorithms get
617
+
implicitly stripped. Use multiple proposals to offer different algorithms
618
+
combinations in IKEv1.
620
+
Algorithm keywords get separated using dashes. Multiple proposals may be
621
+
specified in a list. The special value <literal>default</literal> forms
622
+
a default proposal of supported algorithms considered safe, and is
623
+
usually a good choice for interoperability. By default no AH proposals
624
+
are included, instead ESP is proposed.
627
+
esp_proposals = mkCommaSepListParam ["default"] ''
628
+
ESP proposals to offer for the CHILD_SA. A proposal is a set of
629
+
algorithms. For ESP non-AEAD proposals, this includes an integrity
630
+
algorithm, an encryption algorithm, an optional Diffie-Hellman group and
631
+
an optional Extended Sequence Number Mode indicator. For AEAD proposals,
632
+
a combined mode algorithm is used instead of the separate
633
+
encryption/integrity algorithms.
635
+
If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
636
+
negotiation use a separate Diffie-Hellman exchange using the specified
637
+
group. However, for IKEv2, the keys of the CHILD_SA created implicitly
638
+
with the IKE_SA will always be derived from the IKE_SA's key material. So
639
+
any DH group specified here will only apply when the CHILD_SA is later
640
+
rekeyed or is created with a separate CREATE_CHILD_SA exchange. A
641
+
proposal mismatch might, therefore, not immediately be noticed when the
642
+
SA is established, but may later cause rekeying to fail.
644
+
Extended Sequence Number support may be indicated with the
645
+
<literal>esn</literal> and <literal>noesn</literal> values, both may be
646
+
included to indicate support for both modes. If omitted,
647
+
<literal>noesn</literal> is assumed.
649
+
In IKEv2, multiple algorithms of the same kind can be specified in a
650
+
single proposal, from which one gets selected. In IKEv1, only one
651
+
algorithm per kind is allowed per proposal, more algorithms get
652
+
implicitly stripped. Use multiple proposals to offer different algorithms
653
+
combinations in IKEv1.
655
+
Algorithm keywords get separated using dashes. Multiple proposals may be
656
+
specified as a list. The special value <literal>default</literal> forms
657
+
a default proposal of supported algorithms considered safe, and is
658
+
usually a good choice for interoperability. If no algorithms are
659
+
specified for AH nor ESP, the default set of algorithms for ESP is
663
+
sha256_96 = mkYesNoParam no ''
664
+
HMAC-SHA-256 is used with 128-bit truncation with IPsec. For
665
+
compatibility with implementations that incorrectly use 96-bit truncation
666
+
this option may be enabled to configure the shorter truncation length in
667
+
the kernel. This is not negotiated, so this only works with peers that
668
+
use the incorrect truncation length (or have this option enabled).
671
+
local_ts = mkCommaSepListParam ["dynamic"] ''
672
+
List of local traffic selectors to include in CHILD_SA. Each selector is
673
+
a CIDR subnet definition, followed by an optional proto/port
674
+
selector. The special value <literal>dynamic</literal> may be used
675
+
instead of a subnet definition, which gets replaced by the tunnel outer
676
+
address or the virtual IP, if negotiated. This is the default.
678
+
A protocol/port selector is surrounded by opening and closing square
679
+
brackets. Between these brackets, a numeric or getservent(3) protocol
680
+
name may be specified. After the optional protocol restriction, an
681
+
optional port restriction may be specified, separated by a slash. The
682
+
port restriction may be numeric, a getservent(3) service name, or the
683
+
special value <literal>opaque</literal> for RFC 4301 OPAQUE
684
+
selectors. Port ranges may be specified as well, none of the kernel
685
+
backends currently support port ranges, though.
687
+
When IKEv1 is used only the first selector is interpreted, except if the
688
+
Cisco Unity extension plugin is used. This is due to a limitation of the
689
+
IKEv1 protocol, which only allows a single pair of selectors per
690
+
CHILD_SA. So to tunnel traffic matched by several pairs of selectors when
691
+
using IKEv1 several children (CHILD_SAs) have to be defined that cover
692
+
the selectors. The IKE daemon uses traffic selector narrowing for IKEv1,
693
+
the same way it is standardized and implemented for IKEv2. However, this
694
+
may lead to problems with other implementations. To avoid that, configure
695
+
identical selectors in such scenarios.
698
+
remote_ts = mkCommaSepListParam ["dynamic"] ''
699
+
List of remote selectors to include in CHILD_SA. See
700
+
<option>local_ts</option> for a description of the selector syntax.
703
+
rekey_time = mkDurationParam "1h" ''
704
+
Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key
705
+
material, optionally using a Diffie-Hellman exchange if a group is
706
+
specified in the proposal. To avoid rekey collisions initiated by both
707
+
ends simultaneously, a value in the range of <option>rand_time</option>
708
+
gets subtracted to form the effective soft lifetime.
710
+
By default CHILD_SA rekeying is scheduled every hour, minus
711
+
<option>rand_time</option>.
714
+
life_time = mkOptionalDurationParam ''
715
+
Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime
716
+
is never reached, because the CHILD_SA gets rekeyed before. If that fails
717
+
for whatever reason, this limit closes the CHILD_SA. The default is 10%
718
+
more than the <option>rekey_time</option>.
721
+
rand_time = mkOptionalDurationParam ''
722
+
Time range from which to choose a random value to subtract from
723
+
<option>rekey_time</option>. The default is the difference between
724
+
<option>life_time</option> and <option>rekey_time</option>.
727
+
rekey_bytes = mkIntParam 0 ''
728
+
Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA
729
+
rekeying refreshes key material, optionally using a Diffie-Hellman
730
+
exchange if a group is specified in the proposal.
732
+
To avoid rekey collisions initiated by both ends simultaneously, a value
733
+
in the range of <option>rand_bytes</option> gets subtracted to form the
734
+
effective soft volume limit.
736
+
Volume based CHILD_SA rekeying is disabled by default.
739
+
life_bytes = mkOptionalIntParam ''
740
+
Maximum bytes processed before CHILD_SA gets closed. Usually this hard
741
+
volume limit is never reached, because the CHILD_SA gets rekeyed
742
+
before. If that fails for whatever reason, this limit closes the
743
+
CHILD_SA. The default is 10% more than <option>rekey_bytes</option>.
746
+
rand_bytes = mkOptionalIntParam ''
747
+
Byte range from which to choose a random value to subtract from
748
+
<option>rekey_bytes</option>. The default is the difference between
749
+
<option>life_bytes</option> and <option>rekey_bytes</option>.
752
+
rekey_packets = mkIntParam 0 ''
753
+
Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA
754
+
rekeying refreshes key material, optionally using a Diffie-Hellman
755
+
exchange if a group is specified in the proposal.
757
+
To avoid rekey collisions initiated by both ends simultaneously, a value
758
+
in the range of <option>rand_packets</option> gets subtracted to form
759
+
the effective soft packet count limit.
761
+
Packet count based CHILD_SA rekeying is disabled by default.
764
+
life_packets = mkOptionalIntParam ''
765
+
Maximum number of packets processed before CHILD_SA gets closed. Usually
766
+
this hard packets limit is never reached, because the CHILD_SA gets
767
+
rekeyed before. If that fails for whatever reason, this limit closes the
770
+
The default is 10% more than <option>rekey_bytes</option>.
773
+
rand_packets = mkOptionalIntParam ''
774
+
Packet range from which to choose a random value to subtract from
775
+
<option>rekey_packets</option>. The default is the difference between
776
+
<option>life_packets</option> and <option>rekey_packets</option>.
779
+
updown = mkOptionalStrParam ''
780
+
Updown script to invoke on CHILD_SA up and down events.
783
+
hostaccess = mkYesNoParam yes ''
784
+
Hostaccess variable to pass to <literal>updown</literal> script.
787
+
mode = mkEnumParam [ "tunnel"
794
+
IPsec Mode to establish CHILD_SA with.
797
+
<literal>tunnel</literal> negotiates the CHILD_SA in IPsec Tunnel Mode,
800
+
whereas <literal>transport</literal> uses IPsec Transport Mode.
803
+
<literal>transport_proxy</literal> signifying the special Mobile IPv6
804
+
Transport Proxy Mode.
807
+
<literal>beet</literal> is the Bound End to End Tunnel mixture mode,
808
+
working with fixed inner addresses without the need to include them in
812
+
Both <literal>transport</literal> and <literal>beet</literal> modes are
813
+
subject to mode negotiation; <literal>tunnel</literal> mode is
814
+
negotiated if the preferred mode is not available.
817
+
<literal>pass</literal> and <literal>drop</literal> are used to install
818
+
shunt policies which explicitly bypass the defined traffic from IPsec
819
+
processing or drop it, respectively.
824
+
policies = mkYesNoParam yes ''
825
+
Whether to install IPsec policies or not. Disabling this can be useful in
826
+
some scenarios e.g. MIPv6, where policies are not managed by the IKE
827
+
daemon. Since 5.3.3.
830
+
policies_fwd_out = mkYesNoParam no ''
831
+
Whether to install outbound FWD IPsec policies or not. Enabling this is
832
+
required in case there is a drop policy that would match and block
833
+
forwarded traffic for this CHILD_SA. Since 5.5.1.
836
+
dpd_action = mkEnumParam ["clear" "trap" "restart"] "clear" ''
837
+
Action to perform for this CHILD_SA on DPD timeout. The default clear
838
+
closes the CHILD_SA and does not take further action. trap installs a
839
+
trap policy, which will catch matching traffic and tries to re-negotiate
840
+
the tunnel on-demand. restart immediately tries to re-negotiate the
841
+
CHILD_SA under a fresh IKE_SA.
844
+
ipcomp = mkYesNoParam no ''
845
+
Enable IPComp compression before encryption. If enabled, IKE tries to
846
+
negotiate IPComp compression to compress ESP payload data prior to
850
+
inactivity = mkDurationParam "0s" ''
851
+
Timeout before closing CHILD_SA after inactivity. If no traffic has been
852
+
processed in either direction for the configured timeout, the CHILD_SA
853
+
gets closed due to inactivity. The default value of 0 disables inactivity
857
+
reqid = mkIntParam 0 ''
858
+
Fixed reqid to use for this CHILD_SA. This might be helpful in some
859
+
scenarios, but works only if each CHILD_SA configuration is instantiated
860
+
not more than once. The default of 0 uses dynamic reqids, allocated
864
+
priority = mkIntParam 0 ''
865
+
Optional fixed priority for IPsec policies. This could be useful to
866
+
install high-priority drop policies. The default of 0 uses dynamically
867
+
calculated priorities based on the size of the traffic selectors.
870
+
interface = mkOptionalStrParam ''
871
+
Optional interface name to restrict outbound IPsec policies.
874
+
mark_in = mkStrParam "0/0x00000000" ''
875
+
Netfilter mark and mask for input traffic. On Linux Netfilter may
876
+
require marks on each packet to match an SA having that option set. This
877
+
allows Netfilter rules to select specific tunnels for incoming
878
+
traffic. The special value <literal>%unique</literal> sets a unique mark
879
+
on each CHILD_SA instance, beyond that the value
880
+
<literal>%unique-dir</literal> assigns a different unique mark for each
881
+
CHILD_SA direction (in/out).
883
+
An additional mask may be appended to the mark, separated by
884
+
<literal>/</literal>. The default mask if omitted is
885
+
<literal>0xffffffff</literal>.
888
+
mark_out = mkStrParam "0/0x00000000" ''
889
+
Netfilter mark and mask for output traffic. On Linux Netfilter may
890
+
require marks on each packet to match a policy having that option
891
+
set. This allows Netfilter rules to select specific tunnels for outgoing
892
+
traffic. The special value <literal>%unique</literal> sets a unique mark
893
+
on each CHILD_SA instance, beyond that the value
894
+
<literal>%unique-dir</literal> assigns a different unique mark for each
895
+
CHILD_SA direction (in/out).
897
+
An additional mask may be appended to the mark, separated by
898
+
<literal>/</literal>. The default mask if omitted is
899
+
<literal>0xffffffff</literal>.
902
+
tfc_padding = mkParamOfType (with lib.types; either int (enum ["mtu"])) 0 ''
903
+
Pads ESP packets with additional data to have a consistent ESP packet
904
+
size for improved Traffic Flow Confidentiality. The padding defines the
905
+
minimum size of all ESP packets sent. The default value of
906
+
<literal>0</literal> disables TFC padding, the special value
907
+
<literal>mtu</literal> adds TFC padding to create a packet size equal to
908
+
the Path Maximum Transfer Unit.
911
+
replay_window = mkIntParam 32 ''
912
+
IPsec replay window to configure for this CHILD_SA. Larger values than
913
+
the default of <literal>32</literal> are supported using the Netlink
914
+
backend only, a value of <literal>0</literal> disables IPsec replay
918
+
hw_offload = mkYesNoParam no ''
919
+
Enable hardware offload for this CHILD_SA, if supported by the IPsec
923
+
start_action = mkEnumParam ["none" "trap" "start"] "none" ''
924
+
Action to perform after loading the configuration.
927
+
The default of <literal>none</literal> loads the connection only, which
928
+
then can be manually initiated or used as a responder configuration.
931
+
The value <literal>trap</literal> installs a trap policy, which triggers
932
+
the tunnel as soon as matching traffic has been detected.
935
+
The value <literal>start</literal> initiates the connection actively.
938
+
When unloading or replacing a CHILD_SA configuration having a
939
+
<option>start_action</option> different from <literal>none</literal>,
940
+
the inverse action is performed. Configurations with
941
+
<literal>start</literal> get closed, while such with
942
+
<literal>trap</literal> get uninstalled.
945
+
close_action = mkEnumParam ["none" "trap" "start"] "none" ''
946
+
Action to perform after a CHILD_SA gets closed by the peer.
949
+
The default of <literal>none</literal> does not take any action,
952
+
<literal>trap</literal> installs a trap policy for the CHILD_SA.
955
+
<literal>start</literal> tries to re-create the CHILD_SA.
959
+
<option>close_action</option> does not provide any guarantee that the
960
+
CHILD_SA is kept alive. It acts on explicit close messages only, but not
961
+
on negotiation failures. Use trap policies to reliably re-create failed
966
+
CHILD_SA configuration sub-section. Each connection definition may have
967
+
one or more sections in its <option>children</option> subsection. The
968
+
section name defines the name of the CHILD_SA configuration, which must be
969
+
unique within the connection (denoted <child> below).
972
+
Section defining IKE connection configurations, each in its own subsection
973
+
with an arbitrary yet unique name
977
+
mkEapXauthParams = mkPrefixedAttrsOfParams {
978
+
secret = mkOptionalStrParam ''
979
+
Value of the EAP/XAuth secret. It may either be an ASCII string, a hex
980
+
encoded string if it has a 0x prefix or a Base64 encoded string if it
981
+
has a 0s prefix in its value.
984
+
id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
985
+
Identity the EAP/XAuth secret belongs to. Multiple unique identities may
986
+
be specified, each having an <literal>id</literal> prefix, if a secret
987
+
is shared between multiple users.
991
+
EAP secret section for a specific secret. Each EAP secret is defined in a
992
+
unique section having the <literal>eap</literal> prefix. EAP secrets are
993
+
used for XAuth authentication as well.
998
+
eap = mkEapXauthParams;
999
+
xauth = mkEapXauthParams;
1001
+
ntlm = mkPrefixedAttrsOfParams {
1002
+
secret = mkOptionalStrParam ''
1003
+
Value of the NTLM secret, which is the NT Hash of the actual secret,
1004
+
that is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either
1005
+
be given as a hex encoded string with a 0x prefix or as a Base64 encoded
1006
+
string with a 0s prefix.
1009
+
id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1010
+
Identity the NTLM secret belongs to. Multiple unique identities may be
1011
+
specified, each having an id prefix, if a secret is shared between
1015
+
NTLM secret section for a specific secret. Each NTLM secret is defined in
1016
+
a unique section having the <literal>ntlm</literal> prefix. NTLM secrets
1017
+
may only be used for EAP-MSCHAPv2 authentication.
1020
+
ike = mkPrefixedAttrsOfParams {
1021
+
secret = mkOptionalStrParam ''
1022
+
Value of the IKE preshared secret. It may either be an ASCII string, a
1023
+
hex encoded string if it has a 0x prefix or a Base64 encoded string if
1024
+
it has a 0s prefix in its value.
1027
+
id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1028
+
IKE identity the IKE preshared secret belongs to. Multiple unique
1029
+
identities may be specified, each having an <literal>id</literal>
1030
+
prefix, if a secret is shared between multiple peers.
1033
+
IKE preshared secret section for a specific secret. Each IKE PSK is
1034
+
defined in a unique section having the <literal>ike</literal> prefix.
1037
+
private = mkPrefixedAttrsOfParams {
1038
+
file = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1039
+
File name in the private folder for which this passphrase should be used.
1042
+
secret = mkOptionalStrParam ''
1043
+
Value of decryption passphrase for private key.
1046
+
Private key decryption passphrase for a key in the
1047
+
<literal>private</literal> folder.
1050
+
rsa = mkPrefixedAttrsOfParams {
1051
+
file = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1052
+
File name in the <literal>rsa</literal> folder for which this passphrase
1055
+
secret = mkOptionalStrParam ''
1056
+
Value of decryption passphrase for RSA key.
1059
+
Private key decryption passphrase for a key in the <literal>rsa</literal>
1063
+
ecdsa = mkPrefixedAttrsOfParams {
1064
+
file = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1065
+
File name in the <literal>ecdsa</literal> folder for which this
1066
+
passphrase should be used.
1068
+
secret = mkOptionalStrParam ''
1069
+
Value of decryption passphrase for ECDSA key.
1072
+
Private key decryption passphrase for a key in the
1073
+
<literal>ecdsa</literal> folder.
1076
+
pkcs8 = mkPrefixedAttrsOfParams {
1077
+
file = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1078
+
File name in the <literal>pkcs8</literal> folder for which this
1079
+
passphrase should be used.
1081
+
secret = mkOptionalStrParam ''
1082
+
Value of decryption passphrase for PKCS#8 key.
1085
+
Private key decryption passphrase for a key in the
1086
+
<literal>pkcs8</literal> folder.
1089
+
pkcs12 = mkPrefixedAttrsOfParams {
1090
+
file = mkPrefixedAttrsOfParam (mkOptionalStrParam "") ''
1091
+
File name in the <literal>pkcs12</literal> folder for which this
1092
+
passphrase should be used.
1094
+
secret = mkOptionalStrParam ''
1095
+
Value of decryption passphrase for PKCS#12 container.
1098
+
PKCS#12 decryption passphrase for a container in the
1099
+
<literal>pkcs12</literal> folder.
1102
+
token = mkPrefixedAttrsOfParams {
1103
+
handle = mkOptionalHexParam ''
1104
+
Hex-encoded CKA_ID or handle of the private key on the token or TPM,
1108
+
slot = mkOptionalIntParam ''
1109
+
Optional slot number to access the token.
1112
+
module = mkOptionalStrParam ''
1113
+
Optional PKCS#11 module name to access the token.
1116
+
pin = mkOptionalStrParam ''
1117
+
Optional PIN required to access the key on the token. If none is
1118
+
provided the user is prompted during an interactive
1119
+
<literal>--load-creds</literal> call.
1121
+
} ''Definition for a private key that's stored on a token/smartcard/TPM.'';
1125
+
pools = mkAttrsOfParams {
1126
+
addrs = mkOptionalStrParam ''
1127
+
Subnet or range defining addresses allocated in pool. Accepts a single
1128
+
CIDR subnet defining the pool to allocate addresses from or an address
1129
+
range (<from>-<to>). Pools must be unique and non-overlapping.
1132
+
dns = mkCommaSepListParam [] "Address or CIDR subnets";
1133
+
nbns = mkCommaSepListParam [] "Address or CIDR subnets";
1134
+
dhcp = mkCommaSepListParam [] "Address or CIDR subnets";
1135
+
netmask = mkCommaSepListParam [] "Address or CIDR subnets";
1136
+
server = mkCommaSepListParam [] "Address or CIDR subnets";
1137
+
subnet = mkCommaSepListParam [] "Address or CIDR subnets";
1138
+
split_include = mkCommaSepListParam [] "Address or CIDR subnets";
1139
+
split_exclude = mkCommaSepListParam [] "Address or CIDR subnets";
1141
+
Section defining named pools. Named pools may be referenced by connections
1142
+
with the pools option to assign virtual IPs and other configuration
1143
+
attributes. Each pool must have a unique name (denoted <name> below).
pyrox.dev