Configuration file is in Hjson format:
{
IKEAlgos: [
aes256gcm16-aesxcbc-curve25519
aes128gcm16-aesxcbc-curve25519
]
ESPAlgos: [
aes256gcm16-noesn
aes128gcm16-noesn
]
SigHashes: [
sha512
sha256
]
DPDTimeout: 300
Peers: [
{
Autostart: false
OurIP: fc00::dc
TheirIP: fc00::ac
# TheirPort: 501
OurId: gamma.stargrave.org
TheirId: CN=example.com
OurTSS: [
fc00::dc/128[tcp]
fc00::dc/128[udp/53]
]
TheirTSS: [
fc00::ac/128
]
Mode: transport
# PSK is not used if signature-based authentication is enabled
PSK: DEADBABE
# Optional SHA256 of expected certificate's SPKI for remote side
# signature authentication
TheirCertHash: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
# Path to PEM encoded certificate and private key
# Optional if PSK is used
OurCert: gamma.stargrave.org.cer.pem
OurPrvKey: gamma.stargrave.org.key.pem
# Enable TFC if set and greater than zero
TFC: 1200
}
]
}
List of supported IKE SA proposals, with strongSwan-like names, in order of preference. All of corresponding transformations will be sent in initiator mode.
aes128gcm16-aesxcbc-curve25519
aes256gcm16-aesxcbc-curve25519
gost128-vko512
gost128-vko256
gost64-vko512
gost64-vko256
List of supported ESP SA proposals, with strongSwan-like names, in order of preference. All of corresponding transformations will be sent in initiator mode.
aes128gcm16-noesn, aes128gcm16-esn
aes256gcm16-noesn, aes256gcm16-esn
gost128, gost128-esn
gost64, gost64-esn
List of supported X.509 signature authentication hash algorithms,
in order of preference. SIGNATURE_HASH_ALGORITHMS
notification contains all of that algorithms. That notification will
be sent if SigHashes is not empty. Available:
sha1
sha256
sha384
sha512
streebog256
streebog512
Time in seconds when Dead Peer Detection notification is sent to remote peer. After 3 DPD timeouts, peer is considered dead
List of known peers configurations
Do we automatically initiate connection, or wait as a responder
Our and remote IP-addresses. It is used for tunnel endpoints and for sending IKE packets
Optional IKE port override of remote side
Our FQDN name. If signature authentication is used, then it will be
automatically replaced with DN identification based on
OurCert certificate’s subject
Expected identification from remote side. If PSK authentication is
used, then it is FQDN value. With signature authentication it is
human readable remote peer’s certificate’s subject representation,
like CN=example.com for example
strongSwan-like traffic selectors specification. Mask is necessary for IP addresses. You can not specify IP-ranges, but starting IP with mask applied to it. Protocol and port specification are optional. You can not specify port-ranges. Allowable formats:
IP/PREFIXLEN
IP/PREFIXLEN[PROTO]
IP/PREFIXLEN[PROTO/PORT]
PROTO is one of: tcp, udp, icmp, icmp6.
Either transport or tunnel
Pre-shared key for PSK authentication in hexadecimal format. If both peers are expected to use signature authentication, then that option is not used
If not empty, then require X.509 certificate signature authentication. This is hexadecimal SHA256 of expected certificate’s SPKI
If not empty, then we will authenticate using X.509 certificate signature. It is path to PEM-encoded certificate we will send to remote peer
Path to PEM-encoded private key (EC PRIVATE KEY for ECDSA and
PRIVATE KEY with PrivateKeyInfo structure for GOST
34.10-2012). Required if OurCert is in use
If greater than zero, then negotiate TFC usage to pad ESP packet’s payload up to that number of bytes