List of named IP pools to allocate virtual IP addresses and other configuration attributes from

CHILD_SA configuration sub-section

The name of the connection to mediate this connection through

String identifying the Postquantum Preshared Key (PPK) to be used.

Differentiated Services Field Codepoint to set on outgoing IKE packets for this connection

List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config

If the default of yes is used, Mode Config works in pull mode, where the initiator actively requests a virtual IP

To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT detection payloads

Remote address(es) to use for IKE communication

Section for a local authentication round

IKE major version to use for connection.

• 1 uses IKEv1 aka ISAKMP,
• 2 uses IKEv2.
• A connection using the default of 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2

Section for a remote authentication round

Whether this connection is a mediation connection, that is, whether this connection is used to mediate other connections using the IKEv2 Mediation Extension

Enables MOBIKE on IKEv2 connections

Interval to check the liveness of a peer actively using IKEv2 INFORMATIONAL exchanges or IKEv1 R_U_THERE messages

Time range from which to choose a random value to subtract from rekey/reauth times

XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details

Send certificate payloads when using certificate authentication.

• With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received.
• never disables sending of certificate payloads altogether,
• always causes certificate payloads to be sent unconditionally whenever certificate authentication is used

XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details

Enables Aggressive Mode instead of Main Mode with Identity Protection

Remote UDP port for IKE communication

Whether a Postquantum Preshared Key (PPK) is required for this connection

Hard IKE_SA lifetime if rekey/reauth does not complete, as time

Charon by default uses the normal retransmission mechanism and timeouts to check the liveness of a peer, as all messages are used for liveness checking

Local UDP port for IKE communication

IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials

Number of retransmission sequences to perform during initial connect

Connection uniqueness policy to enforce

Local address(es) to use for IKE communication

Send certificate request payloads to offer trusted root CA certificates to the peer

Time to schedule IKE reauthentication

Use childless IKE_SA initiation (allow, prefer, force or never)

A proposal is a set of algorithms

Identity under which the peer is registered at the mediation server, that is, the IKE identity the other end of this connection uses as its local identity on its connection to the mediation server

Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation)