NM-SETTINGS-LIBRESWAN(5)         File Formats Manual        NM-SETTINGS-LIBRESWAN(5)

NAME
       nm-setting-libreswan - NetworkManager Libreswan plugin supported
       options

DESCRIPTION
       NetworkManager is based on the concept of connection profiles made up
       of settings containing the network configuration (see nm-settings(5)
       for details). The data and secrets keys belonging to the vpn setting
       take dictionaries of key/value pairs which depend on the specific VPN
       plugin. Here is the list of the allowed key/value pairs for the
       NetworkManager Libreswan plugin.

       Many key/value pairs in the vpn.data property are passed unchanged to
       the Libreswan service. The configuration is first validated by the
       NetworkManager plugin, which will also add some extra Libreswan
       parameters and defaults as needed. Some key/value pairs are used for
       the plugin configuration only, e.g., the flags used to manage the
       secrets needed by the connection. Here is the full list of the
       allowed parameters:

       right  contains the address of the remote VPN endpoint. Corresponds
              to the Libreswan parameter of the same name. Always required.

       rightid
              specifies the remote identifier to be used during IKE
              negotiation. Corresponds to the Libreswan parameter of the
              same name.

       rightrsasigkey
              specifies the remote's public key for RSA authentication.
              When the 'leftcert' key is defined, a default value of "%cert"
              is assumed.

       left   contains the local address that should be used during IKE
              negotiation. If not specified, the value "%defaultroute" is
              assumed. Corresponds to the Libreswan parameter of the same
              name.

       leftid specifies the local identifier to be used during IKE
              negotiation. When this property is specified and the IKEv1
              protocol is used, the key exchange will be performed in
              aggressive mode. Corresponds to the Libreswan parameter of the
              same name.

       leftrsasigkey
              specifies the local public key for RSA authentication. The
              key should already be installed in the *swan NSS database.
              When the 'leftcert' key is defined, a default value of "%cert"
              is assumed.

       leftcert
              the nickname of your certificate in the NSS database. The
              certificate should already be installed in the NSS database.

       leftxauthusername or leftusername
              the username to be used during XAUTH authentication. If not
              specified, the current user will be implicitly assumed.
              Corresponds to the Libreswan parameter of the same name.

       dhgroup
              ignored.

       pfsgroup
              ignored.

       dpdtimeout
              ignored.

       ike    allowed ciphers to be negotiated to establish the IKE SAs.
              Corresponds to the Libreswan parameter of the same name. The
              default value depends on Libreswan, except for IKEv1
              aggressive negotiation, where the default is forced to
              'aes256-sha1;modp1536'.

       esp    allowed ciphers for establishing phase2 SAs. Matches the
              Libreswan parameter of the same name. The default value
              depends on Libreswan, except for IKEv1 aggressive negotiation,
              where the default is forced to 'aes256-sha1'.

       ikelifetime
              how long the phase1 SA of a connection should last. Matches
              the Libreswan parameter of the same name. Default value is
              '24h'.

       salifetime
              how long the phase2 SA of a connection should last. Matches
              the Libreswan parameter of the same name. Default value is
              '24h'.

       vendor when equal to 'Cisco', 'cisco-unity=yes' will be passed to
              Libreswan, to allow sending the CISCO_UNITY payload to the
              peer. The option is ignored otherwise.

       rightsubnet
              the destination subnet that should be reached through the
              VPN. If omitted, it is filled with '0.0.0.0/0'. Matches the
              Libreswan parameter of the same name.

       ikev2  use IKEv2 negotiation. Allowed values are: 'permit',
              'no'/'never', 'yes'/'propose' and 'insist'. Matches the
              Libreswan parameter of the same name.

       narrowing
              only effective in IKEv2 negotiation. Allowed values are:
              'yes' and 'no'. Matches the Libreswan parameter of the same
              name.

       rekey  Allowed values are: 'yes' and 'no'. Defaults to 'yes'.
              Matches the Libreswan parameter of the same name.

       fragmentation
              Allowed values are: 'yes' and 'no'. Matches the Libreswan
              parameter of the same name.

       mobike Allowed values are: 'yes' and 'no'. Matches the Libreswan
              parameter of the same name.

       pskinputmodes
              where the 'pskvalue' can be retrieved. Used internally by the
              plugin. Allowed values are: 'unused', 'save', 'ask'.

       xauthpasswordinputmodes
              where the 'xauthpassword' can be retrieved. Used internally
              by the plugin. Allowed values are: 'unused', 'save', 'ask'.

       pskvalue-flags
              how to handle the 'pskvalue' secret. See the "Secret flag
              type" section in nm-settings(5) for details.

       xauthpassword-flags
              how to handle the 'xauthpassword' secret. See the "Secret
              flag type" section in nm-settings(5) for details.
134
       The vpn.secrets property holds the secrets stored in the connection
       (if any). The allowed keys are:

       pskvalue
              if specified, its value is configured in the Libreswan secret
              file for the authentication of the connection.

       xauthpassword
              if specified, its value is provided to Libreswan during XAUTH
              authentication.

147
SEE ALSO
       NetworkManager(8), nm-settings(5).



                                  9 July 2018        NM-SETTINGS-LIBRESWAN(5)