Configuration file is in Hjson format:
    {
      IKEAlgos: [
        aes256gcm16-aesxcbc-curve25519
        aes128gcm16-aesxcbc-curve25519
      ]
      ESPAlgos: [
        aes256gcm16-noesn
        aes128gcm16-noesn
      ]
      SigHashes: [
        sha512
        sha256
      ]
      DPDTimeout: 300
      Peers: [
        {
          Autostart: false
          OurIP: fc00::dc
          TheirIP: fc00::ac
          # TheirPort: 501
          OurId: gamma.stargrave.org
          TheirId: CN=example.com
          OurTSS: [
            fc00::dc/128[tcp]
            fc00::dc/128[udp/53]
          ]
          TheirTSS: [
            fc00::ac/128
          ]
          Mode: transport
          # PSK is not used if signature-based authentication is enabled
          PSK: DEADBABE
          # Optional SHA256 of expected certificate's SPKI for remote side
          # signature authentication
          TheirCertHash: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
          # Path to PEM encoded certificate and private key
          # Optional if PSK is used
          OurCert: gamma.stargrave.org.cer.pem
          OurPrvKey: gamma.stargrave.org.key.pem
          # Enable TFC if set and greater than zero
          TFC: 1200
        }
      ]
    }
IKEAlgos: List of supported IKE SA proposals, with strongSwan-like names, in order of preference. All corresponding transforms are sent in initiator mode. Available:
    aes128gcm16-aesxcbc-curve25519
    aes256gcm16-aesxcbc-curve25519
    gost128-vko512
    gost128-vko256
    gost64-vko512
    gost64-vko256
ESPAlgos: List of supported ESP SA proposals, with strongSwan-like names, in order of preference. All corresponding transforms are sent in initiator mode. Available (each without and with extended sequence numbers):
    aes128gcm16-noesn, aes128gcm16-esn
    aes256gcm16-noesn, aes256gcm16-esn
    gost128, gost128-esn
    gost64, gost64-esn
SigHashes: List of supported X.509 signature authentication hash algorithms, in order of preference. The SIGNATURE_HASH_ALGORITHMS notification contains all of these algorithms and is sent only if SigHashes is not empty. Available:
    sha1
    sha256
    sha384
    sha512
    streebog256
    streebog512
DPDTimeout: Interval in seconds between Dead Peer Detection notifications sent to the remote peer. After 3 DPD timeouts the peer is considered dead.
Peers: List of known peer configurations.
Autostart: Whether we initiate the connection automatically or wait as a responder.
OurIP, TheirIP: Our and remote IP addresses. They are used as tunnel endpoints and for sending IKE packets.
TheirPort: Optional IKE port override for the remote side.
OurId: Our FQDN. If signature authentication is used, it is automatically replaced with a DN identification based on the subject of the OurCert certificate.
TheirId: Expected identification of the remote side. With PSK authentication it is an FQDN value. With signature authentication it is the human-readable representation of the remote peer's certificate subject, for example CN=example.com.
OurTSS, TheirTSS: strongSwan-like traffic selector specification. A prefix length is mandatory for IP addresses. IP ranges cannot be specified; the selector is the starting IP with the mask applied to it. Protocol and port are optional; port ranges cannot be specified. Allowable formats:
    IP/PREFIXLEN
    IP/PREFIXLEN[PROTO]
    IP/PREFIXLEN[PROTO/PORT]
PROTO is one of: tcp, udp, icmp, icmp6.
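The selector grammar above, as an added example that is not part of the project's code: a small parser for the three documented forms that applies the prefix mask to the starting IP, rejects address and port ranges, and a matcher that checks whether a given address/protocol/port falls inside a selector. The mapping of the protocol keywords to IP protocol numbers and the exact-match port semantics are this example's assumptions, not something the page specifies.

```python
"""Parse and apply OurTSS/TheirTSS traffic selector strings (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Protocol keywords allowed by the syntax, mapped to IP protocol numbers
# (assumed mapping; the page only lists the keywords).
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58}

# IP/PREFIXLEN, IP/PREFIXLEN[PROTO], IP/PREFIXLEN[PROTO/PORT].
# The address class has no '-' and the port is a single number, so
# "10.0.0.1-10.0.0.9/32" and "[tcp/80-443]" never match.
_TS_RE = re.compile(
    r"^(?P<ip>[0-9A-Fa-f.:]+)/(?P<plen>\d{1,3})"
    r"(?:\[(?P<proto>[a-z0-9]+)(?:/(?P<port>\d{1,5}))?\])?$"
)


@dataclass(frozen=True)
class TrafficSelector:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    proto: Optional[int] = None  # None: any protocol
    port: Optional[int] = None   # None: any port


def parse_ts(spec: str) -> TrafficSelector:
    """Turn one selector string into a TrafficSelector, or raise ValueError."""
    m = _TS_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed traffic selector: {spec!r}")
    # strict=False applies the mask to the starting IP, so 10.0.0.7/24
    # becomes 10.0.0.0/24; a bad address or prefix length raises ValueError.
    network = ipaddress.ip_network(f"{m['ip']}/{m['plen']}", strict=False)
    proto = port = None
    if m["proto"] is not None:
        if m["proto"] not in PROTOCOLS:
            raise ValueError(f"unknown protocol {m['proto']!r} in {spec!r}")
        proto = PROTOCOLS[m["proto"]]
        if m["port"] is not None:
            port = int(m["port"])
            if not 0 < port <= 65535:
                raise ValueError(f"port out of range in {spec!r}")
    return TrafficSelector(network, proto, port)


def parse_tss(specs: List[str]) -> List[TrafficSelector]:
    """Parse a whole OurTSS/TheirTSS list, failing on the first bad entry."""
    return [parse_ts(s) for s in specs]


def matches(ts: TrafficSelector, ip: str, proto: int, port: Optional[int]) -> bool:
    """Would traffic with these attributes fall inside the selector?"""
    addr = ipaddress.ip_address(ip)
    if addr not in ts.network:  # also False on IPv4/IPv6 family mismatch
        return False
    if ts.proto is not None and ts.proto != proto:
        return False
    if ts.port is not None and ts.port != port:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample mirroring the OurTSS/TheirTSS entries above.
    for ts in parse_tss(["fc00::dc/128[tcp]", "fc00::dc/128[udp/53]", "fc00::ac/128"]):
        print(ts)
```

Running the block prints the three parsed selectors; feeding it `10.0.0.7/24` shows the mask being applied (the network becomes `10.0.0.0/24`), and a range such as `fc00::dc/128[tcp/80-443]` is rejected before any address parsing happens.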
Mode: Either transport or tunnel.
PSK: Pre-shared key for PSK authentication, in hexadecimal. If both peers are expected to use signature authentication, this option is not used.
TheirCertHash: If not empty, require X.509 certificate signature authentication from the remote side. This is the hexadecimal SHA256 of the expected certificate's SPKI (SubjectPublicKeyInfo).
OurCert: If not empty, we authenticate using an X.509 certificate signature. Path to the PEM-encoded certificate that is sent to the remote peer.
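How the TheirCertHash value is derived, as an added example that is not the project's own code: a minimal DER walker that locates subjectPublicKeyInfo inside a PEM certificate and hashes those exact bytes with SHA256, using only the standard library. The certificate it processes is constructed in the block (correct X.509 layout, dummy EC point, all-zero signature) purely so the code runs offline; `build_sample_cert` and the `_der` helper are test scaffolding of this example, not anything the page describes.

```python
"""Derive TheirCertHash (hex SHA256 of a certificate's SPKI) from PEM (added example)."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_tlv(buf: bytes, off: int):
    """Decode tag and length at buf[off:] -> (tag, header_len, content_len)."""
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    first = buf[off + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    if off + hdr + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, hdr, length


def spki_der(cert_der: bytes) -> bytes:
    """Return the raw DER bytes of subjectPublicKeyInfo from a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, hdr, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    off = hdr
    tag, hdr, _ = der_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    off += hdr
    # Fields before subjectPublicKeyInfo: [0] version OPTIONAL, serialNumber,
    # signature, issuer, validity, subject.
    tag, hdr, length = der_tlv(cert_der, off)
    if tag == 0xA0:
        off += hdr + length
    for _ in range(5):
        _, hdr, length = der_tlv(cert_der, off)
        off += hdr + length
    tag, hdr, length = der_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[off:off + hdr + length]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def their_cert_hash(pem: str) -> str:
    """Hex SHA256 over the SPKI bytes: the value to put in TheirCertHash."""
    return sha256_hex(spki_der(pem_to_der(pem)))


# --- constructed scaffolding: an unsigned certificate with the right layout ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

_OID_EC_PUBKEY = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey
_OID_P256 = bytes.fromhex("06082a8648ce3d030107")          # prime256v1
_OID_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")  # ecdsa-with-SHA256


def build_sample_cert(point: bytes):
    """Wrap a dummy EC point in a v3 certificate with an all-zero signature.
    Returns (pem, spki_der); nothing here is signed, only the structure matters."""
    spki = _der(0x30, _der(0x30, _OID_EC_PUBKEY + _OID_P256) + _der(0x03, b"\x00" + point))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))  # version v3
               + _der(0x02, b"\x01")            # serialNumber
               + _der(0x30, _OID_ECDSA_SHA256)  # signature
               + _der(0x30, b"")                # issuer (empty Name)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
               + _der(0x30, b"")                # subject (empty Name)
               + spki)
    cert = _der(0x30, tbs + _der(0x30, _OID_ECDSA_SHA256) + _der(0x03, b"\x00" * 9))
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
    return pem, spki


# Not a real key: 0x04 followed by 64 made-up coordinate bytes.
SAMPLE_PEM, SAMPLE_SPKI = build_sample_cert(b"\x04" + bytes(range(1, 65)))

if __name__ == "__main__":
    print(their_cert_hash(SAMPLE_PEM))
```

On a real peer certificate the same value can be cross-checked with OpenSSL: `openssl x509 -in peer.cer.pem -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum`. Pinning the SPKI rather than the whole certificate means the pin survives re-issuance with the same key, and the walker above deliberately reads structure only, so it never verifies or trusts the signature; that remains the job of the IKE authentication itself.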
OurPrvKey: Path to the PEM-encoded private key (EC PRIVATE KEY for ECDSA, PRIVATE KEY with a PrivateKeyInfo structure for GOST 34.10-2012). Required if OurCert is in use.
TFC: If greater than zero, negotiate TFC (traffic flow confidentiality) usage to pad the ESP packet's payload up to that number of bytes.