services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth
Authentication to expect from the remote side. See the local
section's auth keyword description for details of the
supported mechanisms.
Since 5.4.0, to require a trustchain public key strength for the remote
side, specify the key type followed by the minimum strength in bits (for
example ecdsa-384 or
rsa-2048-ecdsa-256). To limit the acceptable set of
hashing algorithms for trustchain validation, append hash algorithms to
pubkey or a key strength definition (for example
pubkey-sha256-sha512,
rsa-2048-sha256-sha384-sha512 or
rsa-2048-sha256-ecdsa-256-sha256-sha384).
Unless disabled in strongswan.conf, or explicit IKEv2
signature constraints are configured (refer to the description of the
local section's auth keyword for
details), such key types and hash algorithms are also applied as
constraints against IKEv2 signature authentication schemes used by the
remote side. To require RSASSA-PSS signatures, use
rsa/pss instead of pubkey or
rsa, e.g. rsa/pss-sha256. If
pubkey or rsa constraints are
configured, RSASSA-PSS signatures will only be accepted if enabled in
strongswan.conf(5).
To specify trust chain constraints for EAP-(T)TLS, append a colon to the
EAP method, followed by the key type/size and hash algorithm as
discussed above (e.g. eap-tls:ecdsa-384-sha384).
StrongSwan default: "pubkey"
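The following NixOS configuration is an added example (it is not part of the NixOS module or the strongSwan documentation). It shows how the constraint syntax described above is used in practice for three remote auth rounds: a key-strength and hash constraint, an RSASSA-PSS requirement, and an EAP-TLS trust chain constraint. The connection names, hostnames, identities, certificate file names and subnets are placeholders; the keys below each connection (remote_addrs, local, remote, children, certs, id, eap_id, local_ts, remote_ts) are assumed to mirror the corresponding swanctl.conf keys.

```nix
# Added example, not taken from the NixOS module or the strongSwan project.
# Assumptions: a site-to-site connection "site-b", a variant "site-c" and a
# road-warrior connection "rw"; all hostnames, identities, certificate file
# names and subnets are placeholders.
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl.connections = {

      # Site-to-site: both peers authenticate with certificates.
      "site-b" = {
        remote_addrs = [ "vpn-b.example.invalid" ];
        local.main = {
          auth = "pubkey";
          certs = [ "siteA.pem" ];
          id = "siteA.example.invalid";
        };
        remote.main = {
          # Constrain the peer's trust chain: RSA keys of at least 2048 bits
          # (SHA-256/384/512 only) or ECDSA keys of at least 256 bits
          # (SHA-256/384 only). Unless disabled in strongswan.conf, the same
          # constraints are applied to the peer's IKEv2 signature scheme.
          auth = "rsa-2048-sha256-sha384-sha512-ecdsa-256-sha256-sha384";
          id = "siteB.example.invalid";
        };
        children.net = {
          local_ts = [ "10.1.0.0/24" ];
          remote_ts = [ "10.2.0.0/24" ];
        };
      };

      # Variant: accept the peer only if it signs with RSASSA-PSS over SHA-256.
      # Had "rsa-2048-sha256" been used instead, PSS signatures would only be
      # accepted if charon.rsa_pss is enabled in strongswan.conf(5).
      "site-c" = {
        remote_addrs = [ "vpn-c.example.invalid" ];
        local.main = {
          auth = "pubkey";
          certs = [ "siteA.pem" ];
          id = "siteA.example.invalid";
        };
        remote.main = {
          auth = "rsa/pss-sha256";
          id = "siteC.example.invalid";
        };
        children.net = {
          local_ts = [ "10.1.0.0/24" ];
          remote_ts = [ "10.3.0.0/24" ];
        };
      };

      # Road warriors: clients authenticate with EAP-TLS, and their client
      # certificate chain must use ECDSA keys of at least 384 bits with SHA-384.
      "rw" = {
        local.main = {
          auth = "pubkey";
          certs = [ "gateway.pem" ];
          id = "vpn.example.invalid";
        };
        remote.main = {
          auth = "eap-tls:ecdsa-384-sha384";
          eap_id = "%any";
        };
        children.rw.local_ts = [ "10.1.0.0/24" ];
      };
    };
  };
}
```

After the configuration is applied, `swanctl --list-conns` shows each connection with the remote auth type that charon actually parsed, which is the quickest way to confirm that a constraint string was accepted as intended rather than silently reduced to a plain public key match. Note that the key-strength and hash constraints in the first connection also govern the IKEv2 signature scheme the peer may use unless `charon.signature_authentication_constraints` is disabled in strongswan.conf.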
Type: null or string
Default: null
Declared by: <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>