This value is optional; if omitted, soft expiry occurs after 90% of
the lifetime specified by p2_lifetime_secs. The value specified by
p2_softlife_secs is ignored if p2_lifetime_secs is not specified.

Setting p2_softlife_secs to the same value as p2_lifetime_secs
disables soft expiry.


p2_idletime_secs num

The idle lifetime of a phase 2 SA, in seconds. If specified, this is
the lifetime applied to an SA that is not used before it would
otherwise be revalidated: an SA that carries no traffic for this many
seconds expires even if its ordinary lifetime has not been reached.


p2_lifetime_kb num

The lifetime of an SA can optionally be specified in kilobytes.
This parameter specifies the default value. If lifetimes are
specified in both seconds and kilobytes, the SA expires when either
the seconds or the kilobyte threshold is passed.


p2_softlife_kb num

This value is the number of kilobytes that can be protected by an
SA before a soft expire occurs (see p2_softlife_secs, above).

This value is optional. If omitted, soft expiry occurs after 90% of
the lifetime specified by p2_lifetime_kb. The value specified by
p2_softlife_kb is ignored if p2_lifetime_kb is not specified.


p2_nonce_len num

The length in bytes of the phase 2 (quick mode) nonce data. This
cannot be specified on a per-rule basis.


local_id_type p1-id-type

26 (ECP 224-bit)


encr_alg {3des, 3des-cbc, blowfish, blowfish-cbc, des, des-cbc,
aes, aes-cbc}

An encryption algorithm, as in ipsecconf(1M). However, of the
ciphers listed above, only aes and aes-cbc allow an optional key
size setting, using the "low value-to-high value" syntax (for
example, aes(128..256)). To specify a single AES key size, the low
value must equal the high value. If no range is specified, all
three AES key sizes (128, 192 and 256 bits) are allowed. des and
3des are legacy ciphers; prefer aes where the peer supports it.


auth_alg {md5, sha, sha1, sha256, sha384, sha512}

An authentication algorithm. md5 and sha1 should be used only where
interoperability with an older peer requires them.

Use ipsecalgs(1M) with the -l option to list the IPsec
protocols and algorithms currently defined on a system. The
cryptoadm list command displays a list of installed providers
and their mechanisms. See cryptoadm(1M).


auth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}

The authentication method used for IKE phase 1.


p1_lifetime_secs num

Optional. The lifetime for a phase 1 SA.



p2_lifetime_secs num

If configuring the kernel defaults is not sufficient for different
tasks, this parameter can be used on a per-rule basis to set the
IPsec SA lifetimes in seconds.

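The lifetime rules above (90% default for p2_softlife_*, a softlife that is ignored without its lifetime, softlife equal to lifetime disabling soft expiry, hard expiry on whichever of the seconds or kilobyte thresholds is passed first, per-rule p2_lifetime_secs overriding the global value) and the aes(low..high) key-size syntax, worked through in an added example. This is not code from the man page or from in.iked: it parses a constructed ike.config fragment (the label, addresses and numbers are placeholders) and applies the documented rules to it. The check that a softlife does not exceed its lifetime is the example's own sanity check, not documented behaviour.

```python
"""Added example, not from the ike.config(4) man page: parse the lifetime
parameters and AES key-size range from a constructed ike.config fragment
and apply the expiry rules the page describes."""
import re

# Constructed fragment; label, addresses and values are placeholders.
SAMPLE_CONFIG = """
## Global parameters: kernel defaults for every rule unless overridden.
p2_lifetime_secs 3600
p2_softlife_secs 3600    # equal to p2_lifetime_secs: soft expiry disabled
p2_lifetime_kb   102400  # p2_softlife_kb omitted: defaults to 90% of this
p2_idletime_secs 600

{
    label "example-rule"
    local_addr 192.0.2.1
    remote_addr 198.51.100.1
    p1_xform { auth_method preshared oakley_group 14
               auth_alg sha256 encr_alg aes(128..256) }
    p1_lifetime_secs 28800
    p2_lifetime_secs 1800  # per-rule override of the global value
}
"""

LIFETIME_KEYS = ("p1_lifetime_secs", "p2_lifetime_secs", "p2_softlife_secs",
                 "p2_idletime_secs", "p2_lifetime_kb", "p2_softlife_kb")
AES_KEY_SIZES = (128, 192, 256)
RANGED_CIPHERS = ("aes", "aes-cbc")  # the only ciphers taking a key range


def parse_config(text):
    """Return (globals, rules): lifetime parameters and encr_alg found
    outside any { } block, plus one dict per rule block. '#' starts a
    comment; a rule block is assumed to open with '{' on its own line."""
    globals_, rules, current, depth = {}, [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("{"):
            current = {}
        target = globals_ if depth == 0 else current
        for key in LIFETIME_KEYS:
            m = re.match(rf"{key}\s+(\d+)$", line)
            if m:
                target[key] = int(m.group(1))
        m = re.search(r"\bencr_alg\s+([^\s}]+)", line)
        if m:
            target["encr_alg"] = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth == 0 and current is not None:  # rule block just closed
            rules.append(current)
            current = None
    return globals_, rules


def effective(globals_, rule, key):
    """Per-rule value if the rule sets it, else the global (kernel default)."""
    return rule.get(key, globals_.get(key))


def soft_expiry(params, unit):
    """p2_softlife_{secs,kb} rules: None when no hard lifetime is set (a
    softlife on its own is ignored); default soft = 90% of hard; soft ==
    hard means soft expiry is disabled. Returns (soft, hard)."""
    hard = params.get(f"p2_lifetime_{unit}")
    if hard is None:
        return None
    soft = params.get(f"p2_softlife_{unit}", hard * 9 // 10)
    if soft > hard:  # sanity check added by this example, not documented
        raise ValueError(f"p2_softlife_{unit} {soft} exceeds lifetime {hard}")
    return soft, hard


def sa_state(params, age_secs, kb_protected):
    """Classify a phase 2 SA as 'ok', 'soft' (renegotiate now) or 'expired'.
    Hard expiry happens when either the seconds or the kilobyte threshold
    is reached; soft expiry on whichever soft threshold is reached first."""
    state = "ok"
    for unit, used in (("secs", age_secs), ("kb", kb_protected)):
        thresholds = soft_expiry(params, unit)
        if thresholds is None:
            continue
        soft, hard = thresholds
        if used >= hard:
            return "expired"
        if soft < hard and used >= soft:
            state = "soft"
    return state


def parse_encr_alg(spec):
    """Parse 'aes', 'aes(256..256)' or 'aes(128..256)' into (cipher, allowed
    key sizes). Without a range all three AES sizes are allowed; ciphers
    with a fixed key size return an empty tuple."""
    m = re.fullmatch(r"([a-z0-9-]+)(?:\((\d+)\.\.(\d+)\))?", spec)
    if not m:
        raise ValueError(f"malformed encr_alg: {spec}")
    cipher, low, high = m.groups()
    if low is None:
        return cipher, AES_KEY_SIZES if cipher in RANGED_CIPHERS else ()
    if cipher not in RANGED_CIPHERS:
        raise ValueError(f"{cipher} does not accept a key-size range")
    low, high = int(low), int(high)
    if low > high:
        raise ValueError("low value must not exceed high value")
    sizes = tuple(k for k in AES_KEY_SIZES if low <= k <= high)
    if not sizes:
        raise ValueError(f"no AES key size lies in {low}..{high}")
    return cipher, sizes
```

With the fragment above, parse_config() yields a global soft threshold of (3600, 3600) for seconds, so soft expiry by time is disabled, and (92160, 102400) for kilobytes from the 90% default; the rule's own p2_lifetime_secs 1800 takes precedence over the global 3600, and aes(128..256) resolves to all three AES key sizes.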