NM-SETTINGS-LIBRESWAN(5)      File Formats Manual     NM-SETTINGS-LIBRESWAN(5)

NAME

       nm-setting-libreswan - NetworkManager Libreswan plugin supported options

DESCRIPTION

       NetworkManager is based on the concept of connection profiles made up
       of settings containing the network configuration (see nm-settings(5)
       for details). The data and secret keys belonging to the vpn setting
       take dictionaries of key/value pairs which depend on the specific VPN
       plugin. Here is the list of the allowed key/value pairs for the
       NetworkManager Libreswan plugin.

VPN.DATA

       Many key/value pairs in the vpn.data property are passed unchanged to
       the Libreswan service. The configuration is first validated by the
       NetworkManager plugin, which will also add some extra Libreswan
       parameters and defaults as needed. There are some key/value pairs used
       for the plugin configuration only, e.g., the flags used to manage the
       secrets needed by the connection. Here is the full list of the allowed
       parameters:

       right  contains the address of the remote VPN endpoint. Corresponds to
              the Libreswan parameter of the same name. Always required.

       rightid
              specifies the remote identifier to be used during IKE
              negotiation. Corresponds to the Libreswan parameter of the same
              name.

       rightrsasigkey
              specifies the remote's public key for RSA authentication. When
              the 'leftcert' key is defined a default value of "%cert" is
              assumed.

       left   contains the local address that should be used during IKE
              negotiation. If not specified, the value "%defaultroute" is
              assumed. Corresponds to the Libreswan parameter of the same
              name.

       leftid specifies the local identifier to be used during IKE
              negotiation. When this property is specified and the IKEv1
              protocol is used, the key exchange will be performed in
              aggressive mode. Corresponds to the Libreswan parameter of the
              same name.

       leftrsasigkey
              specifies the local public key for RSA authentication. The key
              should be already installed in the *swan NSS database. When the
              'leftcert' key is defined a default value of "%cert" is assumed.

       leftcert
              this defines the certificate nickname of your certificate in the
              NSS database. The certificate should be already installed in
              the NSS database.

       leftxauthusername or leftusername
              the username to be used during XAUTH authentication. If not
              specified, the current user will be implicitly assumed.
              Corresponds to the Libreswan parameter of the same name.

       dhgroup
              ignored.

       pfsgroup
              ignored.

       dpdtimeout
              ignored.

       ike    allowed ciphers to be negotiated to establish the IKE SAs.
              Corresponds to the Libreswan parameter of the same name. The
              default value depends on Libreswan, except for IKEv1 aggressive
              negotiation: in that case the default is forced to
              'aes256-sha1;modp1536'.

       esp    allowed ciphers for establishing phase2 SAs. Matches the
              Libreswan parameter of the same name. The default value depends
              on Libreswan, except for IKEv1 aggressive negotiation: in that
              case the default is forced to 'aes256-sha1'.

       ikelifetime
              how long the phase1 SA of a connection should last. Matches the
              Libreswan parameter of the same name. Default value is '24h'.

       salifetime
              how long the phase2 SA of a connection should last. Matches the
              Libreswan parameter of the same name. Default value is '24h'.

       vendor when equal to 'Cisco', 'cisco-unity=yes' will be passed to
              Libreswan, to allow sending the CISCO_UNITY payload to the peer.
              The option is ignored otherwise.

       rightsubnet
              the destination subnet that should be reached through the VPN.
              If omitted, it will be filled with '0.0.0.0/0'. Matches the
              Libreswan parameter of the same name.

       ikev2  use IKEv2 negotiation. Allowed values are: 'permit',
              'no'/'never', 'yes'/'propose' and 'insist'. Matches the
              Libreswan parameter of the same name.

       narrowing
              only effective in IKEv2 negotiation. Allowed values are: 'yes'
              and 'no'. Matches the Libreswan parameter of the same name.

       rekey  Allowed values are: 'yes' and 'no'. Defaults to 'yes'. Matches
              the Libreswan parameter of the same name.

       fragmentation
              Allowed values are: 'yes' and 'no'. Matches the Libreswan
              parameter of the same name.

       mobike Allowed values are: 'yes' and 'no'. Matches the Libreswan
              parameter of the same name.

       pskinputmodes
              where the 'pskvalue' can be retrieved. Used internally by the
              plugin. Allowed values are: 'unused', 'save', 'ask'.

       xauthpasswordinputmodes
              where the 'xauthpassword' can be retrieved. Used internally by
              the plugin. Allowed values are: 'unused', 'save', 'ask'.

       pskvalue-flags
              how to handle the 'pskvalue' secret. See the "Secret flag type"
              section of nm-settings(5) for details.

       xauthpassword-flags
              how to handle the 'xauthpassword' secret. See the "Secret flag
              type" section of nm-settings(5) for details.
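       The defaults and allowed values listed above, applied to a vpn.data
       dictionary before a profile is deployed. This is an added example, not
       code from the plugin; the function name, the sample profile and the
       rule that only ikev2=no/never counts as IKEv1 are assumptions.

```python
# Added example, not plugin code: apply this page's documented defaults to a
# vpn.data dictionary and report what deserves a second look.
ENUMS = {  # allowed values as listed on this page
    "ikev2": {"permit", "no", "never", "yes", "propose", "insist"},
    "narrowing": {"yes", "no"}, "rekey": {"yes", "no"},
    "fragmentation": {"yes", "no"}, "mobike": {"yes", "no"},
    "pskinputmodes": {"unused", "save", "ask"},
    "xauthpasswordinputmodes": {"unused", "save", "ask"},
}
IGNORED = {"dhgroup", "pfsgroup", "dpdtimeout"}


def audit(data):
    """Return (effective_config, findings) for a vpn.data dict."""
    cfg, notes = dict(data), []
    if not cfg.get("right"):
        notes.append("right: missing (always required)")
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            notes.append(f"{key}: '{cfg[key]}' is not an allowed value")
    for key in sorted(IGNORED.intersection(cfg)):
        notes.append(f"{key}: ignored by the plugin")
    if "rightsubnet" not in cfg:
        notes.append("rightsubnet: defaulted to 0.0.0.0/0")
    for key, default in (("left", "%defaultroute"), ("rightsubnet", "0.0.0.0/0"),
                         ("ikelifetime", "24h"), ("salifetime", "24h"),
                         ("rekey", "yes")):
        cfg.setdefault(key, default)
    if "leftcert" in cfg:  # both RSA key settings default to the certificate
        cfg.setdefault("leftrsasigkey", "%cert")
        cfg.setdefault("rightrsasigkey", "%cert")
    # Assumption: only an explicit ikev2=no/never counts as "IKEv1 is used";
    # the page does not say which protocol applies when ikev2 is unset.
    if "leftid" in cfg and cfg.get("ikev2") in ("no", "never"):
        notes.append("leftid with IKEv1: aggressive mode key exchange")
        cfg.setdefault("ike", "aes256-sha1;modp1536")
        cfg.setdefault("esp", "aes256-sha1")
    return cfg, notes


# Constructed sample profile (hypothetical host name and identifier).
SAMPLE = {"right": "vpn.example.com", "leftid": "@client", "ikev2": "never",
          "dhgroup": "dh2", "mobike": "maybe"}

if __name__ == "__main__":
    config, findings = audit(SAMPLE)
    for line in findings:
        print(line)
```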

VPN.SECRETS

       The vpn.secrets property holds the secrets stored in the connection (if
       any). The allowed keys are:

       pskvalue
              if specified, its value is configured in the Libreswan secret
              file for the authentication of the connection.

       xauthpassword
              if specified, its value is provided to Libreswan during XAUTH
              authentication.

SEE ALSO

       NetworkManager(8), nm-settings(5).

                                 9 July 2018         NM-SETTINGS-LIBRESWAN(5)