User guide
Appendix G - IPSEC
400 BLACK BOX ® Advanced Console Server
auto What operation, if any, should be done automatically at IPsec startup. Currently-accepted values are add (signifying an ipsec auto --add), route (signifying that plus an ipsec auto --route), start (signifying that plus an ipsec auto --up), and ignore (the default, signifying no automatic startup operation). This parameter is ignored unless the plutoload or plutostart configuration parameter is set suitably; see the config setup discussion below.
auth Whether authentication should be done as part of ESP encryption, or separately using the AH protocol. Acceptable values are esp (the default) and ah.
authby How the two security gateways should authenticate each other. Acceptable values are secret for shared secrets (the default) and rsasig for RSA digital signatures.
leftid How the left participant should be identified for authentication. Defaults to the value of left. Can be an IP address or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).
leftrsasigkey The left participant's public key for RSA signature authentication, in RFC 2537 format. The magic value %none means the same as not specifying a value (useful to override a default). The value %dnsondemand means the key is to be fetched from DNS at the time it is needed. The value %dnsonload means the key is to be fetched from DNS at the time the connection description is read from ipsec.conf; currently this is treated as %none if right=%any or right=%opportunistic. The value %dns is currently treated as %dnsonload but will change to %dnsondemand in the future. The identity used for the left participant must be a specific host, not %any or another magic value. Caution: if two connection descriptions specify different public keys for the same leftid, confusion and madness will ensue.
pfs Whether Perfect Forward Secrecy of keys is desired on the connection's
keying channel. (With PFS, penetration of the key-exchange protocol
does not compromise keys negotiated earlier.) Acceptable values are yes
(the default) and no.
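The following is an added example, not code from this manual or from the FreeS/WAN project: a small checker that parses conn sections in the ipsec.conf format above and applies the rules just described (accepted values for auto, auth, authby and pfs; the %dns and %dnsonload fallbacks for leftrsasigkey; the requirement that rsasig use a specific leftid; and the caution about two conns binding different public keys to one leftid). The embedded configuration is constructed for illustration, and the 0s... key strings are placeholders rather than real RFC 2537 keys.

```python
"""Sanity-check FreeS/WAN-style ipsec.conf conn sections.
Added example; not part of the Black Box manual or FreeS/WAN."""
from typing import Dict, List

# Accepted values and defaults for the conn parameters described above.
ALLOWED = {
    "auto": {"add", "route", "start", "ignore"},
    "auth": {"esp", "ah"},
    "authby": {"secret", "rsasig"},
    "pfs": {"yes", "no"},
}
DEFAULTS = {"auto": "ignore", "auth": "esp", "authby": "secret", "pfs": "yes"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {param: value}}. An unindented line such as
    'conn name' or 'config setup' starts a section; indented key=value
    lines belong to it. '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line.strip()}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_rsasigkey(params: Dict[str, str]) -> str:
    """Resolve the magic values: %dns currently means %dnsonload, and
    %dnsonload is treated as %none when right is %any or %opportunistic."""
    key = params.get("leftrsasigkey", "%none")
    if key == "%dns":
        key = "%dnsonload"
    if key == "%dnsonload" and params.get("right") in ("%any", "%opportunistic"):
        key = "%none"
    return key


def check_conn(name: str, params: Dict[str, str]) -> List[str]:
    """Findings for one conn section (empty list means it looks sane)."""
    findings = []
    for param, allowed in ALLOWED.items():
        value = params.get(param, DEFAULTS[param])
        if value not in allowed:
            findings.append(f"{name}: {param}={value} is not one of {sorted(allowed)}")
    leftid = params.get("leftid", params.get("left", ""))  # leftid defaults to left
    if params.get("authby", DEFAULTS["authby"]) == "rsasig":
        if not leftid or leftid.startswith("%"):
            findings.append(f"{name}: rsasig needs a specific leftid, got '{leftid}'")
        if effective_rsasigkey(params) == "%none":
            findings.append(f"{name}: authby=rsasig but no usable leftrsasigkey")
    if params.get("pfs", DEFAULTS["pfs"]) == "no":
        findings.append(f"{name}: pfs=no; a keying-channel compromise exposes earlier keys")
    return findings


def check_config(text: str) -> List[str]:
    """Check every conn, then flag any leftid bound to more than one
    literal public key across connection descriptions."""
    findings: List[str] = []
    keys_by_id: Dict[str, set] = {}
    for name, params in parse_ipsec_conf(text).items():
        if not name.startswith("conn "):
            continue
        findings.extend(check_conn(name, params))
        key = params.get("leftrsasigkey", "")
        if key and not key.startswith("%"):
            keys_by_id.setdefault(params.get("leftid", params.get("left", "")), set()).add(key)
    for leftid, keys in keys_by_id.items():
        if len(keys) > 1:
            findings.append(f"leftid {leftid} is bound to {len(keys)} different public keys")
    return findings


# Constructed sample configuration; key strings are placeholders, not real keys.
SAMPLE_CONF = """\
conn hq-to-branch
        left=192.0.2.1
        leftid=@gw.example.com
        leftrsasigkey=0sAQPlaceholderKeyOne
        right=198.51.100.7
        authby=rsasig
        auto=start

conn hq-to-branch-old
        left=192.0.2.1
        leftid=@gw.example.com
        leftrsasigkey=0sAQPlaceholderKeyTwo   # different key, same leftid
        right=198.51.100.8
        authby=rsasig
        pfs=no
        auto=ad

conn roadwarriors
        left=192.0.2.1
        leftid=@gw.example.com
        leftrsasigkey=%dnsonload              # becomes %none because right=%any
        right=%any
        authby=rsasig
        auto=add
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the checker reports the misspelled auto value and pfs=no in the second conn, the unusable %dnsonload key in the roadwarrior conn, and the two different keys bound to @gw.example.com; the first conn passes. The parser accepts only the subset of ipsec.conf syntax shown here (no also= or %default handling).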