| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.local_port | Local UDP port for IKE communication
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.reauth_time | Time to schedule IKE reauthentication
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.proposals | A proposal is a set of algorithms
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.pull | If the default of yes is used, Mode Config works in pull mode, where the
initiator actively requests a virtual IP
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.version | IKE major version to use for connection.
- 1 uses IKEv1 aka ISAKMP,
- 2 uses IKEv2.
- A connection using the default of 0 accepts both IKEv1 and IKEv2 as
responder, and initiates the connection actively with IKEv2
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.mobike | Enables MOBIKE on IKEv2 connections
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.send_cert | Send certificate payloads when using certificate authentication.
- With the default of
ifasked the daemon sends
certificate payloads only if certificate requests have been received.
never disables sending of certificate payloads
altogether,always causes certificate payloads to be sent
unconditionally whenever certificate authentication is used
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote_port | Remote UDP port for IKE communication
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.dpd_timeout | Charon by default uses the normal retransmission mechanism and timeouts to
check the liveness of a peer, as all messages are used for liveness
checking
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.keyingtries | Number of retransmission sequences to perform during initial
connect
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.rekey_time | IKE rekeying refreshes key material using a Diffie-Hellman exchange, but
does not re-check associated credentials
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to
the peer
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.childless | Use childless IKE_SA initiation (allow, prefer, force or never)
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.fragmentation | Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation)
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.pools | List of named IP pools to allocate virtual IP addresses
and other configuration attributes from
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.dscp | Differentiated Services Field Codepoint to set on outgoing IKE packets for
this connection
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.vips | List of virtual IPs to request in IKEv2 configuration payloads or IKEv1
Mode Config
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.encap | To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.mediation | Whether this connection is a mediation connection, that is, whether this
connection is used to mediate other connections using the IKEv2 Mediation
Extension
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.dpd_delay | Interval to check the liveness of a peer actively using IKEv2
INFORMATIONAL exchanges or IKEv1 R_U_THERE messages
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.rand_time | Time range from which to choose a random value to subtract from
rekey/reauth times
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.if_id_in | XFRM interface ID set on inbound policies/SA, can be overridden by child
config, see there for details
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.ppk_required | Whether a Postquantum Preshared Key (PPK) is required for this connection
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.if_id_out | XFRM interface ID set on outbound policies/SA, can be overridden by child
config, see there for details
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.aggressive | Enables Aggressive Mode instead of Main Mode with Identity
Protection
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.over_time | Hard IKE_SA lifetime if rekey/reauth does not complete, as time
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.local_addrs | Local address(es) to use for IKE communication
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.unique | Connection uniqueness policy to enforce
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote_addrs | Remote address(es) to use for IKE communication
|