/etc/swanctl/swanctl.conf is in strongswan-swanctl 5.5.1-4+deb9u4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 | # Section defining IKE connection configurations.
# connections {
# Section for an IKE connection named <conn>.
# <conn> {
# IKE major version to use for connection.
# version = 0
# Local address(es) to use for IKE communication, comma separated.
# local_addrs = %any
# Remote address(es) to use for IKE communication, comma separated.
# remote_addrs = %any
# Local UDP port for IKE communication.
# local_port = 500
# Remote UDP port for IKE communication.
# remote_port = 500
# Comma separated proposals to accept for IKE.
# proposals = default
# Virtual IPs to request in configuration payload / Mode Config.
# vips =
# Use Aggressive Mode in IKEv1.
# aggressive = no
# Set the Mode Config mode to use.
# pull = yes
# Enforce UDP encapsulation by faking NAT-D payloads.
# encap = no
# Enables MOBIKE on IKEv2 connections.
# mobike = yes
# Interval of liveness checks (DPD).
# dpd_delay = 0s
# Timeout for DPD checks (IKEV1 only).
# dpd_timeout = 0s
# Use IKE UDP datagram fragmentation. (yes, no or force).
# fragmentation = yes
# Send certificate requests payloads (yes or no).
# send_certreq = yes
# Send certificate payloads (always, never or ifasked).
# send_cert = ifasked
# Number of retransmission sequences to perform during initial connect.
# keyingtries = 1
# Connection uniqueness policy (never, no, keep or replace).
# unique = no
# Time to schedule IKE reauthentication.
# reauth_time = 0s
# Time to schedule IKE rekeying.
# rekey_time = 4h
# Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
# over_time = 10% of rekey_time/reauth_time
# Range of random time to subtract from rekey/reauth times.
# rand_time = over_time
# Comma separated list of named IP pools.
# pools =
# Section for a local authentication round.
# local<suffix> {
# Optional numeric identifier by which authentication rounds are
# sorted. If not specified rounds are ordered by their position in
# the config file/VICI message.
# round = 0
# Comma separated list of certificate candidates to use for
# authentication.
# certs =
# Comma separated list of raw public key candidates to use for
# authentication.
# pubkeys =
# Authentication to perform locally (pubkey, psk, xauth[-backend] or
# eap[-method]).
# auth = pubkey
# IKE identity to use for authentication round.
# id =
# Client EAP-Identity to use in EAP-Identity exchange and the EAP
# method.
# eap_id = id
# Server side EAP-Identity to expect in the EAP method.
# aaa_id = remote-id
# Client XAuth username used in the XAuth exchange.
# xauth_id = id
# }
# Section for a remote authentication round.
# remote<suffix> {
# Optional numeric identifier by which authentication rounds are
# sorted. If not specified rounds are ordered by their position in
# the config file/VICI message.
# round = 0
# IKE identity to expect for authentication round.
# id = %any
# Authorization group memberships to require.
# groups =
# Comma separated list of certificate to accept for authentication.
# certs =
# Comma separated list of CA certificates to accept for
# authentication.
# cacerts =
# Comma separated list of raw public keys to accept for
# authentication.
# pubkeys =
# Certificate revocation policy, (strict, ifuri or relaxed).
# revocation = relaxed
# Authentication to expect from remote (pubkey, psk, xauth[-backend]
# or eap[-method]).
# auth = pubkey
# }
# children {
# CHILD_SA configuration sub-section.
# <child> {
# AH proposals to offer for the CHILD_SA.
# ah_proposals =
# ESP proposals to offer for the CHILD_SA.
# esp_proposals = default
# Local traffic selectors to include in CHILD_SA.
# local_ts = dynamic
# Remote selectors to include in CHILD_SA.
# remote_ts = dynamic
# Time to schedule CHILD_SA rekeying.
# rekey_time = 1h
# Maximum lifetime before CHILD_SA gets closed, as time.
# life_time = rekey_time + 10%
# Range of random time to subtract from rekey_time.
# rand_time = life_time - rekey_time
# Number of bytes processed before initiating CHILD_SA rekeying.
# rekey_bytes = 0
# Maximum bytes processed before CHILD_SA gets closed.
# life_bytes = rekey_bytes + 10%
# Range of random bytes to subtract from rekey_bytes.
# rand_bytes = life_bytes - rekey_bytes
# Number of packets processed before initiating CHILD_SA
# rekeying.
# rekey_packets = 0
# Maximum number of packets processed before CHILD_SA gets
# closed.
# life_packets = rekey_packets + 10%
# Range of random packets to subtract from packets_bytes.
# rand_packets = life_packets - rekey_packets
# Updown script to invoke on CHILD_SA up and down events.
# updown =
# Hostaccess variable to pass to updown script.
# hostaccess = yes
# IPsec Mode to establish (tunnel, transport, beet, pass or
# drop).
# mode = tunnel
# Whether to install IPsec policies or not.
# policies = yes
# Whether to install outbound FWD IPsec policies or not.
# policies_fwd_out = no
# Action to perform on DPD timeout (clear, trap or restart).
# dpd_action = clear
# Enable IPComp compression before encryption.
# ipcomp = no
# Timeout before closing CHILD_SA after inactivity.
# inactivity = 0s
# Fixed reqid to use for this CHILD_SA.
# reqid = 0
# Optional fixed priority for IPsec policies.
# priority = 0
# Optional interface name to restrict IPsec policies.
# interface =
# Netfilter mark and mask for input traffic.
# mark_in = 0/0x00000000
# Netfilter mark and mask for output traffic.
# mark_out = 0/0x00000000
# Traffic Flow Confidentiality padding.
# tfc_padding = 0
# IPsec replay window to configure for this CHILD_SA.
# replay_window = 32
# Action to perform after loading the configuration (none, trap,
# start).
# start_action = none
# Action to perform after a CHILD_SA gets closed (none, trap,
# start).
# close_action = none
# }
# }
# }
# }
# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {
# EAP secret section for a specific secret.
# eap<suffix> {
# Value of the EAP/XAuth secret.
# secret =
# Identity the EAP/XAuth secret belongs to.
# id<suffix> =
# }
# XAuth secret section for a specific secret.
# xauth<suffix> {
# }
# IKE preshared secret section for a specific secret.
# ike<suffix> {
# Value of the IKE preshared secret.
# secret =
# IKE identity the IKE preshared secret belongs to.
# id<suffix> =
# }
# Private key decryption passphrase for a key in the private folder.
# private<suffix> {
# File name in the private folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for private key.
# secret =
# }
# Private key decryption passphrase for a key in the rsa folder.
# rsa<suffix> {
# File name in the rsa folder for which this passphrase should be used.
# file =
# Value of decryption passphrase for RSA key.
# secret =
# }
# Private key decryption passphrase for a key in the ecdsa folder.
# ecdsa<suffix> {
# File name in the ecdsa folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for ECDSA key.
# secret =
# }
# Private key decryption passphrase for a key in the pkcs8 folder.
# pkcs8<suffix> {
# File name in the pkcs8 folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for PKCS#8 key.
# secret =
# }
# PKCS#12 decryption passphrase for a container in the pkcs12 folder.
# pkcs12<suffix> {
# File name in the pkcs12 folder for which this passphrase should be
# used.
# file =
# Value of decryption passphrase for PKCS#12 container.
# secret =
# }
# }
# Section defining named pools.
# pools {
# Section defining a single pool with a unique name.
# <name> {
# Addresses allocated in pool.
# addrs =
# Comma separated list of additional attributes from type <attr>.
# <attr> =
# }
# }
# Section defining attributes of certification authorities.
# authorities {
# Section defining a certification authority with a unique name.
# <name> {
# CA certificate belonging to the certification authority.
# cacert =
# Comma-separated list of CRL distribution points
# crl_uris =
# Comma-separated list of OCSP URIs
# ocsp_uris =
# Defines the base URI for the Hash and URL feature supported by IKEv2.
# cert_uri_base =
# }
# }
|