File: ipsec.conf.in

# @@CONFDIR@@/ipsec.conf - Libreswan 4.x configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
	# If logfile= is unset, log messages are sent to syslog instead.
	# Note that on busy VPN servers, the volume of logging can cause
	# syslogd (or journald) to rate-limit messages.
	#logfile=@@LOGDIR@@/pluto.log

	# Debugging should only be used to find bugs, not configuration issues!
	# "base" is regular debug output, "tmi" is excessive (!) and "private"
	# will log sensitive key material (not available in FIPS mode). The
	# "cpu-usage" value logs timing information and should not be combined
	# with other debug options, as they would skew the timing data.
	# Default is "none"
	# plutodebug="base"
	# plutodebug="tmi"
	#plutodebug="none"

	# Whether to log IP addresses of incoming connections. Disable when
	# logfile privacy is required.
	#logip=yes

	# The startup mode of the DDoS defense mechanism. Acceptable values
	# are busy, unlimited or auto (the default). This option can also be
	# given to the IKE daemon while it is running, for example by issuing
	# ipsec whack --ddos-busy. When in busy mode, pluto activates the IKEv2
	# anti-DDoS counter measures.
	#ddos-mode=auto

	# DDoS defense mechanism threshold
	# The number of half-open IKE SAs before the pluto IKE daemon will be
	# placed in (anti-ddos) busy mode. The default is 25000.
	#ddos-ike-threshold=25000

	# IKEv1 policy (accept, reject or drop)
	# See RFC XXX - Deprecation of IKEv1 and obsoleted algorithms
	#ikev1-policy=accept

	# IKEv2 global redirect (during IKE_SA_INIT)
	# Whether to send requests for the remote peer to redirect IKE/IPsec
	# SAs during IKE_SA_INIT. Valid options are no (the default), yes
	# and auto, where auto means that the requests are sent only while
	# DDoS mode is active (see ddos-mode). If set, the option
	# global-redirect-to= must also be set to indicate where to redirect
	# peers to. This can also be given to the IKE daemon while it is
	# running using ipsec whack --global-redirect{-to}
	#global-redirect=no
	#global-redirect-to=<ip or hostname>, ...

	# The number of half-open IKE SAs before the IKE daemon starts
	# refusing all new IKE attempts. Established IKE peers are not
	# affected.
	#max-halfopen-ike=5000

	# Whether pluto performs DNSSEC validation.
	#dnssec-enable=yes

	# Accept IKE and IPsec encapsulation over TCP. Requires at least a
	# Linux 5.7 kernel or a kernel with the TCP backport (like RHEL8 4.18.0-291).
	# To enable IKE and IPsec over TCP for a VPN client, also specify
	# tcp-remote-port=4500 in the client's conn section.
	#listen-tcp=no

	# SECCOMP syscall filtering (enabled, disabled or tolerant)
	# Whether to log (when tolerant) or restart (when enabled) when
	# a rogue syscall is attempted by pluto, which would indicate a remote
	# code exploit attempt. If using custom _updown scripts, this might
	# trigger false positives.
	#seccomp=disabled

# if it exists, include the system-wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files
# in @@IPSEC_CONFDDIR@@/
include @@IPSEC_CONFDDIR@@/*.conf