Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Profiles define a set of parameters that will be used for IKE negotiation during Phase 1. These parameters may be common with other peer configurations.


dh-group (modp768 | modp1024  | modp1536 | modp2048 | modp3072 | modp4096 | modp6144 | modp8192 | ecp256 | ecp384 | ecp521; Default: modp1024,modp2048)Diffie-Hellman group (cipher strength)
dpd-interval (time | disable-dpd; Default: 2m)Dead peer detection interval. If set to disable-dpd, dead peer detection will not be used.
dpd-maximum-failures (integer: 1..100; Default: 5)Maximum count of failures until peer is considered to be dead. Applicable if DPD is enabled.
enc-algorithm (3des | aes-128 | aes-192 | aes-256 | blowfish | camellia-128 | camellia-192 | camellia-256 | des; Default: aes-128)List of encryption algorithms that will be used by the peer.
hash-algorithm (md5 | sha1 | sha256 | sha512; Default: sha1)Hashing algorithm. SHA (Secure Hash Algorithm) is stronger, but slower. MD5 uses 128-bit key, sha1-160bit key.
lifebytes (Integer: 0..4294967295; Default: 0)Phase 1 lifebytes is used only as administrative value which is added to proposal. Used in cases if remote peer requires specific lifebytes value to establish phase 1.
lifetime (time; Default: 1d)Phase 1 lifetime: specifies how long the SA will be valid.
name (string; Default: )
nat-traversal (yes | no; Default: yes)Use Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers between IPsec peers. This can only be used with ESP protocol (AH is not supported by design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT.
proposal-check (claim | exact | obey | strict; Default: obey)Phase 2 lifetime check logic:
  • claim - take shortest of proposed and configured lifetimes and notify initiator about it
  • exact - require lifetimes to be the same
  • obey - accept whatever is sent by an initiator
  • strict - if the proposed lifetime is longer than the default then reject the proposal otherwise accept a proposed lifetime


Identities are configuration parameters that are specific to the remote peer. The main purpose of identity is to handle authentication and verify the peer's integrity.


dynamic (yes | no)Whether this is a dynamically added entry by a different service (e.g L2TP).

Active Peers

This menu provides various statistics about remote peers that currently have established phase 1 connection.