table of contents
NM-SETTINGS-LIBRESWAN(5) | File Formats Manual | NM-SETTINGS-LIBRESWAN(5) |
NAME¶
nm-setting-libreswan - NetworkManager Libreswan plugin supported options
DESCRIPTION¶
NetworkManager is based on the concept of connection profiles made up of settings containing the network configuration (see nm-settings(5) for details). The data and secret keys belonging to the vpn setting take dictionaries of key/value pairs which depends on the specific VPN plugin. Here the list of the allowed key/value pairs for the NetworkManager Libreswan plugin.
VPN.DATA¶
Many key/value pairs in the vpn.data property are passed unchanged to the Libreswan service. The configuration is first validated by the NetworkManager plugin, which will also add some extra Libreswan parameters and defaults as needed. There are some key/value pairs used for the plugin configuration only, e.g., the flags used to manage the secrets needed by the connection. Here the full list of the allowed parameters:
- right
- contains the address of the remote VPN endpoint. Corresponds to the Libreswan parameter of the same name. Always Required.
- rightid
- specifies the remote identifier to be used during IKE negotiation. Corresponds to the Libreswan parameter of the same name.
- rightrsasigkey
- specifies the remote's public key for RSA authentication. When the 'leftcert' key is defined a default value of "%cert" is assumed.
- authby
- How the two security gateways should authenticate each other. Corresponds to the Libreswan parameter of the same name.
- left
- contains the local address that should be used during IKE negotiation. If not specified, the value "%defaultroute" is assumed. Corresponds to the Libreswan parameter of the same name.
- leftid
- specifies the local identifier to be used during IKE negotiation. When this property is specified and the IKEv1 protocol is used the key exchange will be performed in aggressive mode. Corresponds to the Libreswan parameter of the same name.
- leftrsasigkey
- specifies the local public key for RSA authentication. The key should be already installed in the *swan NSS database. When the 'leftcert' key is defined a default value of "%cert" is assumed.
- leftcert
- this defines the certificate nickname of your certificate in the NSS database. The certificate should be already installed in the NSS database.
- leftxauthusername or leftusername
- the username to be used during XAUTH authentication. If not specified, the current user will be implicitly assumed. Corresponds to the Libreswan parameter of the same name.
- dhgroup
- ignored.
- pfsgroup
- ignored.
- dpdtimeout
- the length of time that we will idle without hearing back from our peer. After this period has elapsed with no response and no traffic, we will declare the peer dead, and remove the SA. Set value bigger than dpddelay to enable. If dpdtimeout is set, dpddelay also needs to be set. Must be a number optionally followed by a time unit: 's' (seconds), 'm' (minutes), 'h', (hours) or 'd' (days); if the unit is not specified, it defaults to seconds. Corresponds to the Libreswan parameter of the same name.
- dpddelay
- the delay between Dead Peer Detection (IKEv1 RFC 3706) or IKEv2 Liveness keepalives that are sent for this connection. Must be a number optionally followed by a time unit: 's' (seconds), 'm' (minutes), 'h', (hours) or 'd' (days); if the unit is not specified, it defaults to seconds. Corresponds to the Libreswan parameter of the same name.
- dpdaction
- When a DPD enabled peer is declared dead, what action should be taken. "hold" (default) means the eroute will be put into %hold status, while "clear" means the eroute and SA with both be cleared. "restart" means that ALL SAs to the dead peer will renegotiated. Corresponds to the Libreswan parameter of the same name.
- ike
- allowed ciphers to be negotiated to establish the IKE SAs. Corresponds to the Libreswan parameter of the same name. Default value depends on Libreswan but for IKEv1 aggressive negotiation: in that case the default is forced to 'aes256-sha1;modp1536'.
- esp
- allowed ciphers for establishing phase2 SAs. Matches the Libreswan parameter of the same name. Default value depends on Libreswan but for IKEv1 aggressive negotiation: in that case the default is forced to 'aes256-sha1'.
- ikelifetime
- how long the phase1 SA of a connection should last. Matches the Libreswan parameter of the same name. Default value is '24h'.
- salifetime
- how long the phase2 SA of a connection should last. Matches the Libreswan parameter of the same name. Default value is '24h'.
- vendor
- when equals 'Cisco', the 'cisco-unity=yes' will be passed to Libreswan, to allow ending the CISCO_UNITY payload to the peer. The option is ignored otherwise.
- rightsubnet
- the destination subnet that should be reached through the VPN. If omitted, will be filled with '0.0.0.0/0'. Matches the Libreswan parameter of the same name.
- ikev2
- use IKEv2 negotiation. Allowed values are: 'permit', 'no'/'never', 'yes'/'propose' and 'insist'. Matches the Libreswan parameter of the same name.
- narrowing
- only effective in IKEv2 negotiation. Allowed values are: 'yes' and 'no'. Matches the Libreswan parameter of the same name.
- rekey
- Allowed values are: 'yes' and 'no'. Defaults to 'yes'. Matches the Libreswan parameter of the same name.
- fragmentation
- Allowed values are: 'yes' and 'no'. Matches the Libreswan parameter of the same name.
- mobike
- Allowed values are: 'yes' and 'no'. Matches the Libreswan parameter of the same name.
- ipsec-interface
- If set, create or use an existing virtual interface ipsecXXX for "Routing based VPNs" (as opposed to "Policy based VPNs"). Valid options are 'yes', 'no' or a number. When using a number, the IPsec interface created and/or used will use that number as part of the interface name. Corresponds to the Libreswan parameter of the same name.
- pskinputmodes
- where the 'pskvalue' can be retrieved. Used internally by the plugin. Allowed values are: 'unused', 'save', 'ask'.
- xauthpasswordinputmodes
- where the 'xauthpassword' can be retrieved. Used internally by the plugin. Allowed values are: 'unused', 'save', 'ask'.
- pskvalue-flags
- how to handle the 'pskvalue' secret. See the "Secret flag type" section at nm-settings(5) for details.
- xauthpassword-flags
- how to handle the 'xauthpassword' secret. See the "Secret flag type" section at nm-settings(5) for details.
VPN.SECRETS¶
The vpn.secrets property holds the secrets stored in the connection (if any). The allowed keys are:
- pskvalue
- if specified, its value is configured in the Libreswan secret file for the authentication of the connection.
- xauthpassword
- if specified, its value is provided to Libreswan during XAUTH authentication.
SEE ALSO¶
9 July 2018 |