services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth ‐ NixOS ‐ Searchix

services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth

Authentication to perform locally.

The default pubkey uses public key authentication using a private key associated to a usable certificate.
psk uses pre-shared key authentication.
The IKEv1 specific xauth is used for XAuth or Hybrid authentication,
while the IKEv2 specific eap keyword defines EAP authentication.
For xauth, a specific backend name may be appended, separated by a dash. The appropriate xauth backend is selected to perform the XAuth exchange. For traditional XAuth, the xauth method is usually defined in the second authentication round following an initial pubkey (or psk) round. Using xauth in the first round performs Hybrid Mode client authentication.
For eap, a specific EAP method name may be appended, separated by a dash. An EAP module implementing the appropriate method is selected to perform the EAP conversation.
Since 5.4.0, if both peers support RFC 7427 ("Signature Authentication in IKEv2") specific hash algorithms to be used during IKEv2 authentication may be configured. To do so use ike: followed by a trust chain signature scheme constraint (see description of the remote section's auth keyword). For example, with ike:pubkey-sha384-sha256 a public key signature scheme with either SHA-384 or SHA-256 would get used for authentication, in that order and depending on the hash algorithms supported by the peer. If no specific hash algorithms are configured, the default is to prefer an algorithm that matches or exceeds the strength of the signature key. If no constraints with ike: prefix are configured any signature scheme constraint (without ike: prefix) will also apply to IKEv2 authentication, unless this is disabled in strongswan.conf. To use RSASSA-PSS signatures use rsa/pss instead of pubkey or rsa as in e.g. ike:rsa/pss-sha256. If pubkey or rsa constraints are configured RSASSA-PSS signatures will only be used if enabled in strongswan.conf(5).

StrongSwan default: "pubkey"

Type

null or string

Default

null

Declared