User guide
Appendix G - IPSEC
Conn Parameters: Automatic Keying
The following parameters are relevant only to automatic keying, and are ignored in manual
keying. Unless otherwise noted, for a connection to work, in general it is necessary for the
two ends to agree exactly on the values of these parameters.
type        The type of the connection. Currently the accepted values are:
            tunnel (the default), signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
            transport, signifying host-to-host transport mode; and
            passthrough (supported only for manual keying), signifying that no IPsec processing should be done at all.
left        Required. The IP address of the left participant's public-network interface. If it is the magic value %defaultroute, and interfaces=%defaultroute is used in the config setup section, left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time). This also overrides any value supplied for leftnexthop. (Either left or right may be %defaultroute, but not both.) The magic value %any signifies an address to be filled in (by automatic keying) during negotiation; the magic value %opportunistic signifies that both left and leftnexthop are to be filled in (by automatic keying) from DNS data for left's client.
leftsubnet  Private subnet behind the left participant, expressed as network/netmask. If omitted, essentially assumed to be left/32, signifying that the left end of the connection goes to the left participant only.
leftnexthop Next-hop gateway IP address for the left participant's connection to the public network. Defaults to %direct (meaning right).
leftupdown  What updown script to run to adjust routing and/or firewalling when the status of the connection changes.
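The rules above (accepted type values, passthrough being manual-keying only, at most one of left/right being %defaultroute, the left/32 and %direct defaults, and %defaultroute overriding the nexthop) can be checked before a conn section is loaded. The following is an added example, not code from the guide or from the IPsec implementation it describes; the conn section it parses is constructed here, the right* parameters are assumed to mirror the left* ones, and the real default-route gateway is only known at IPsec startup, so a placeholder stands in for it.

```python
import re

SAMPLE_CONF = """\
conn site-a-to-b
        type=tunnel
        left=%defaultroute
        leftsubnet=10.1.0.0/16
        leftnexthop=192.0.2.1
        right=203.0.113.7
        rightsubnet=10.2.0.0/16
"""  # constructed sample, not from the guide

ACCEPTED_TYPES = {"tunnel", "transport", "passthrough"}

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"^conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(params, manual_keying=False):
    """Apply the documented rules; return (effective_params, errors)."""
    eff, errors = dict(params), []
    eff.setdefault("type", "tunnel")                 # tunnel is the default
    if eff["type"] not in ACCEPTED_TYPES:
        errors.append("unknown type %r" % eff["type"])
    if eff["type"] == "passthrough" and not manual_keying:
        errors.append("type=passthrough is supported only for manual keying")
    if eff.get("left") == eff.get("right") == "%defaultroute":
        errors.append("left and right may not both be %defaultroute")
    for side in ("left", "right"):          # right* assumed to mirror left*
        addr = eff.get(side)
        if addr is None:
            errors.append(side + " is required")
            continue
        if addr == "%defaultroute":
            # resolved at IPsec startup; any supplied nexthop is overridden
            eff[side + "nexthop"] = "<default-route gateway>"
        elif not addr.startswith("%"):
            eff.setdefault(side + "subnet", addr + "/32")   # host only
        eff.setdefault(side + "nexthop", "%direct")        # i.e. the peer
    return eff, errors
```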