conf/strongswan.conf.5.head.in - third_party/strongswan/strongswan - Git at Google

 .TH STRONGSWAN.CONF 5 "" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
 While the
 .IR ipsec.conf (5)
 configuration file is well suited to define IPsec related configuration
 parameters, it is not useful for other strongSwan applications to read options
 from this file.
 The file is hard to parse and only
 .I ipsec starter
 is capable of doing so. As the number of components of the strongSwan project
 is continually growing, a more flexible configuration file was needed, one that
 is easy to extend and can be used by all components. With strongSwan 4.2.1
 .IR strongswan.conf (5)
 was introduced which meets these requirements.

 .SH SYNTAX
 The format of the strongswan.conf file consists of hierarchical
 .B sections
 and a list of
 .B key/value pairs
 in each section. Each section has a name, followed by C-Style curly brackets
 defining the section body. Each section body contains a set of subsections
 and key/value pairs:
 .PP
 .EX
 	settings := (section|keyvalue)*
 	section  := name { settings }
 	keyvalue := key = value\\n
 .EE
 .PP
 Values must be terminated by a newline.
 .PP
 Comments are possible using the \fB#\fP-character.
 .PP
 Section names and keys may contain any printable character except:
 .PP
 .EX
 	. , : { } = " # \\n \\t space
 .EE
 .PP
 An example file in this format might look like this:
 .PP
 .EX
 	a = b
 	section-one {
 		somevalue = asdf
 		subsection {
 			othervalue = xxx
 		}
 		# yei, a comment
 		yetanother = zz
 	}
 	section-two {
 		x = 12
 	}
 .EE
 .PP
 Indentation is optional, you may use tabs or spaces.

 .SH NUMBER FORMATS
 Options that define an integer value can be specified as decimal (the default)
 or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
 Locale-dependent strings (e.g. the thousands separator of the current locale)
 may also be accepted in locales other than "C".
 .PP
 Options that define a floating-point value can be specified as decimal (the
 default) or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
 The radix character (decimal separator) in either case is locale-dependent,
 usually ".".

 .SH TIME FORMATS
 Unless stated otherwise, options that define a time are specified in seconds.
 The "s", "m", "h" and "d" suffixes may be used to automatically convert values
 given in seconds, minutes, hours or days (for instance, instead of configuring
 a rekey time of 4 hours as "14400" seconds, "4h" may be used).
 .PP
 There are some global options that don't accept these suffixes as they are
 configured as integer values in seconds or milliseconds, or even as
 floating-point numbers (e.g. the retransmission timeout). Options that accept
 the suffixes have a corresponding default value.

 .SH REFERENCING OTHER SECTIONS
 It is possible to inherit settings and sections from another section. This
 feature is mainly useful in swanctl.conf (which uses the same file format).
 The syntax is as follows:
 .PP
 .EX
 	section    := name : references { settings }
 	references := absname[, absname]*
 	absname    := name[.name]*
 .EE
 .PP
 All key/value pairs and all subsections of the referenced sections will be
 inherited by the section that references them via their absolute name. Values
 may be overridden in the section or any of its sub-sections (use an empty
 assignment to clear a value so its default value, if any, will apply). It is
 currently not possible to limit the inclusion level or clear/remove inherited
 sub-sections.

 If the order is important (e.g. for auth rounds in a connection, if \fIround\fR
 is not used), it should be noted that inherited settings/sections will follow
 those defined in the current section (if multiple sections are referenced, their
 settings are enumerated left to right).

 References are evaluated dynamically at runtime, so referring to sections later
 in the config file or included via other files is no problem.

 Here is an example of how this might look like:
 .PP
 .EX
 	conn-defaults {
 		# default settings for all conns (e.g. a cert, or IP pools)
 	}
 	eap-defaults {
 		# defaults if eap is used (e.g. a remote auth round)
 	}
 	child-defaults {
 		# defaults for child configs (e.g. traffic selectors)
 	}
 	connections {
 		conn-a : conn-defaults, eap-defaults {
 			# set/override stuff specific to this connection
 			children {
 				child-a : child-defaults {
 					# set/override stuff specific to this child
 				}
 			}
 		}
 		conn-b : conn-defaults {
 			# set/override stuff specific to this connection
 			children {
 				child-b : child-defaults {
 					# set/override stuff specific to this child
 				}
 			}
 		}
 		conn-c : connections.conn-a {
 			# everything is inherited, including everything conn-a
 			# already inherits from the sections it and its
 			# sub-section reference
 		}
 	}
 .EE
 .PP

 .SH INCLUDING FILES
 Using the
 .B include
 statement it is possible to include other files into strongswan.conf, e.g.
 .PP
 .EX
 	include /some/path/*.conf
 .EE
 .PP
 If the file name is not an absolute path, it is considered to be relative
 to the directory of the file containing the include statement. The file name
 may include shell wildcards (see
 .IR sh (1)).
 Also, such inclusions can be nested.
 .PP
 Sections loaded from included files
 .I extend
 previously loaded sections; already existing values are
 .IR replaced .
 It is important to note that settings are added relative to the section the
 include statement is in.
 .PP
 As an example, the following three files result in the same final
 config as the one given above:
 .PP
 .EX
 	a = b
 	section-one {
 		somevalue = before include
 		include include.conf
 	}
 	include other.conf

 include.conf:
 	# settings loaded from this file are added to section-one
 	# the following replaces the previous value
 	somevalue = asdf
 	subsection {
 		othervalue = yyy
 	}
 	yetanother = zz

 other.conf:
 	# this extends section-one and subsection
 	section-one {
 		subsection {
 			# this replaces the previous value
 			othervalue = xxx
 		}
 	}
 	section-two {
 		x = 12
 	}
 .EE

 .SH READING VALUES
 Values are accessed using a dot-separated section list and a key.
 With reference to the example above, accessing
 .B section-one.subsection.othervalue
 will return
 .BR xxx .

 .SH DEFINED KEYS
 The following keys are currently defined (using dot notation). The default
 value (if any) is listed in brackets after the key.
	.TH STRONGSWAN.CONF 5 "" "@PACKAGE_VERSION@" "strongSwan"
	.SH NAME
	strongswan.conf \- strongSwan configuration file
	.SH DESCRIPTION
	While the
	.IR ipsec.conf (5)
	configuration file is well suited to define IPsec related configuration
	parameters, it is not useful for other strongSwan applications to read options
	from this file.
	The file is hard to parse and only
	.I ipsec starter
	is capable of doing so. As the number of components of the strongSwan project
	is continually growing, a more flexible configuration file was needed, one that
	is easy to extend and can be used by all components. With strongSwan 4.2.1
	.IR strongswan.conf (5)
	was introduced which meets these requirements.

	.SH SYNTAX
	The format of the strongswan.conf file consists of hierarchical
	.B sections
	and a list of
	.B key/value pairs
	in each section. Each section has a name, followed by C-Style curly brackets
	defining the section body. Each section body contains a set of subsections
	and key/value pairs:
	.PP
	.EX
	settings := (section\|keyvalue)*
	section := name { settings }
	keyvalue := key = value\\n
	.EE
	.PP
	Values must be terminated by a newline.
	.PP
	Comments are possible using the \fB#\fP-character.
	.PP
	Section names and keys may contain any printable character except:
	.PP
	.EX
	. , : { } = " # \\n \\t space
	.EE
	.PP
	An example file in this format might look like this:
	.PP
	.EX
	a = b
	section-one {
	somevalue = asdf
	subsection {
	othervalue = xxx
	}
	# yei, a comment
	yetanother = zz
	}
	section-two {
	x = 12
	}
	.EE
	.PP
	Indentation is optional, you may use tabs or spaces.

	.SH NUMBER FORMATS
	Options that define an integer value can be specified as decimal (the default)
	or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
	Locale-dependent strings (e.g. the thousands separator of the current locale)
	may also be accepted in locales other than "C".
	.PP
	Options that define a floating-point value can be specified as decimal (the
	default) or hexadecimal ("0x" prefix, upper- or lowercase letters are accepted).
	The radix character (decimal separator) in either case is locale-dependent,
	usually ".".

	.SH TIME FORMATS
	Unless stated otherwise, options that define a time are specified in seconds.
	The "s", "m", "h" and "d" suffixes may be used to automatically convert values
	given in seconds, minutes, hours or days (for instance, instead of configuring
	a rekey time of 4 hours as "14400" seconds, "4h" may be used).
	.PP
	There are some global options that don't accept these suffixes as they are
	configured as integer values in seconds or milliseconds, or even as
	floating-point numbers (e.g. the retransmission timeout). Options that accept
	the suffixes have a corresponding default value.

	.SH REFERENCING OTHER SECTIONS
	It is possible to inherit settings and sections from another section. This
	feature is mainly useful in swanctl.conf (which uses the same file format).
	The syntax is as follows:
	.PP
	.EX
	section := name : references { settings }
	references := absname[, absname]*
	absname := name[.name]*
	.EE
	.PP
	All key/value pairs and all subsections of the referenced sections will be
	inherited by the section that references them via their absolute name. Values
	may be overridden in the section or any of its sub-sections (use an empty
	assignment to clear a value so its default value, if any, will apply). It is
	currently not possible to limit the inclusion level or clear/remove inherited
	sub-sections.

	If the order is important (e.g. for auth rounds in a connection, if \fIround\fR
	is not used), it should be noted that inherited settings/sections will follow
	those defined in the current section (if multiple sections are referenced, their
	settings are enumerated left to right).

	References are evaluated dynamically at runtime, so referring to sections later
	in the config file or included via other files is no problem.

	Here is an example of how this might look like:
	.PP
	.EX
	conn-defaults {
	# default settings for all conns (e.g. a cert, or IP pools)
	}
	eap-defaults {
	# defaults if eap is used (e.g. a remote auth round)
	}
	child-defaults {
	# defaults for child configs (e.g. traffic selectors)
	}
	connections {
	conn-a : conn-defaults, eap-defaults {
	# set/override stuff specific to this connection
	children {
	child-a : child-defaults {
	# set/override stuff specific to this child
	}
	}
	}
	conn-b : conn-defaults {
	# set/override stuff specific to this connection
	children {
	child-b : child-defaults {
	# set/override stuff specific to this child
	}
	}
	}
	conn-c : connections.conn-a {
	# everything is inherited, including everything conn-a
	# already inherits from the sections it and its
	# sub-section reference
	}
	}
	.EE
	.PP

	.SH INCLUDING FILES
	Using the
	.B include
	statement it is possible to include other files into strongswan.conf, e.g.
	.PP
	.EX
	include /some/path/*.conf
	.EE
	.PP
	If the file name is not an absolute path, it is considered to be relative
	to the directory of the file containing the include statement. The file name
	may include shell wildcards (see
	.IR sh (1)).
	Also, such inclusions can be nested.
	.PP
	Sections loaded from included files
	.I extend
	previously loaded sections; already existing values are
	.IR replaced .
	It is important to note that settings are added relative to the section the
	include statement is in.
	.PP
	As an example, the following three files result in the same final
	config as the one given above:
	.PP
	.EX
	a = b
	section-one {
	somevalue = before include
	include include.conf
	}
	include other.conf

	include.conf:
	# settings loaded from this file are added to section-one
	# the following replaces the previous value
	somevalue = asdf
	subsection {
	othervalue = yyy
	}
	yetanother = zz

	other.conf:
	# this extends section-one and subsection
	section-one {
	subsection {
	# this replaces the previous value
	othervalue = xxx
	}
	}
	section-two {
	x = 12
	}
	.EE

	.SH READING VALUES
	Values are accessed using a dot-separated section list and a key.
	With reference to the example above, accessing
	.B section-one.subsection.othervalue
	will return
	.BR xxx .

	.SH DEFINED KEYS
	The following keys are currently defined (using dot notation). The default
	value (if any) is listed in brackets after the key.