sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity

Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals

Browse Source
This commit is contained in:
Martin Willi 2012-10-10 14:17:43 +02:00
parent 7ee16e4b85
commit 5b2e669ba2
1 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
man/ipsec.conf.5.in
View File

@ -369,7 +369,7 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
.br
Defaults to
.BR aes128-sha1,3des-sha1 .
The daemon adds its extensive default proposal to this default
@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
.br
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
@ -408,10 +408,19 @@ comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
to be used, e.g.
.BR aes128-sha1-modp2048 .
The notation is
.BR encryption-integrity-dhgroup .
In IKEv2, multiple algorithms and proposals may be included, such as
aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
.BR encryption-integrity[-prf]-dhgroup .
If no PRF is given, the algorithms defined for integrity are used for the PRF.
The prf keywords are the same as the integrity algorithms, but have a
.B prf
prefix (such as
.BR prfsha1 ,
.B prfsha256
or
.BR prfaesxcbc ).
.br
In IKEv2, multiple algorithms and proposals may be included, such as
.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
Defaults to
.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
The daemon adds its extensive default proposal to this
@ -419,13 +428,14 @@ default or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
.br
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
suites, the strict flag
.RB ( ! ,
exclamation mark) can be used, e.g: aes256-sha512-modp4096!
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)