network-ipsec - Configure IPsec VPN connections


network vpn ipsec [new|destroy] NAME…
network vpn ipsec NAME COMMAND …


With the help of network vpn ipsec, it is possible to create, destroy and edit IPsec VPN connections.


The following commands are understood:

new NAME

A new IPsec VPN connection may be created with the new command.
NAME must not contain any spaces.

destroy NAME

An IPsec VPN connection can be destroyed with this command.

For all other commands, the name of the IPsec VPN connection needs to be passed first:

NAME show

Shows the configuration of the IPsec VPN connection.

NAME authentication mode

Set the authentication mode to one of the following available modes:

  • psk

NAME authentication psk PSK

Set the pre-shared key to PSK. This is only useful when the authentication mode is psk.

color set <color>

The color is set with this command and must be passed in RGB hex format.
NOTE: The color is being used to make identification of network devices easier on the command line and web user interface.

color reset

Resets the color to blank.

description edit

This command opens an editor and allows you to edit title and description.
NOTE: The format of the description is similar to a git commit message. Every description has a title, which is the first line of the description. The title is shown on the status page and in the web user interface. It should be something short like "Office Lan" or "DMZ". A longer description may follow the title.

description show

Prints the description.

NAME down

Shuts down an established IPsec VPN connection.

NAME inactivity-timeout TIME

Set the inactivity timeout to TIME, given in seconds or in the format hh:mm:ss.

NAME local id ID

Specify the identity of the local system.
The ID must be in one of the following formats:

  • IP address

  • FQDN

  • a string which starts with @


Specify the subnets of the local system which should be made available to the remote peer.

NAME mode [transport|tunnel]

Set the mode of the IPsec VPN connection.


Set the peer to which the IPsec VPN connection should be established.

NAME remote id ID

Specify the identity of the remote machine.
The ID must be in one of the following formats:

  • IP address

  • FQDN

  • a string which starts with @

NAME remote prefix [PREFIX-LIST|+PREFIX …|-PREFIX …]

Specify the subnets which the remote side makes available to us.

NAME security-policy

Set the security policy which the connection uses.
See network-vpn-security-policies(8) for details.


Establishes the IPsec VPN connection to the remote peer.

NAME zone

When you specify a zone of type ip-tunnel here, the IPsec connection is established over a VTI tunnel and the remote and local prefixes are ignored. Imagine a fiber connection between these two machines and how you would use it; the IPsec VPN connection works in the same way. You must configure the routes and IP addresses of the ip-tunnel hook manually.
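The following script is an added example and is not part of this man page or the network tool. It checks the NAME, ID and TIME constraints stated above before emitting the command sequence for a PSK-authenticated tunnel; with DRY_RUN=1 (the default) it only prints the commands. The peer, local prefix, security-policy and zone commands are left out because their argument syntax is not given on this page, and all sample values are constructed.

```shell
# Added example, not part of the man page. Validates inputs against the rules above and
# prints (DRY_RUN=1, the default) or runs (DRY_RUN=0) the network vpn ipsec commands for
# a PSK-authenticated tunnel. Peer, local prefix, security-policy and zone are not set
# here because their argument syntax is not given on this page.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# NAME must not contain whitespace (and must not be empty).
valid_name() {
    case "$1" in ""|*[[:space:]]*) return 1 ;; *) return 0 ;; esac
}

# An ID is an IPv4 address, an FQDN, or a string starting with "@".
valid_id() {
    _id="$1"
    case "$_id" in @?*) return 0 ;; esac
    if printf '%s\n' "$_id" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        _oldifs="$IFS"; IFS=.; set -- $_id; IFS="$_oldifs"
        for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done   # each octet 0-255
        return 0
    fi
    printf '%s\n' "$_id" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# TIME for inactivity-timeout is plain seconds or hh:mm:ss.
valid_timeout() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]+|[0-9]{1,2}:[0-5][0-9]:[0-5][0-9])$'
}

# ipsec_psk_tunnel NAME PSK LOCAL_ID REMOTE_ID REMOTE_PREFIX TIMEOUT
# Returns 1 without emitting anything if any argument fails validation.
ipsec_psk_tunnel() {
    valid_name "$1" && valid_id "$3" && valid_id "$4" && valid_timeout "$6" || return 1
    run network vpn ipsec new "$1"
    run network vpn ipsec "$1" mode tunnel
    run network vpn ipsec "$1" authentication mode psk
    run network vpn ipsec "$1" authentication psk "$2"
    run network vpn ipsec "$1" local id "$3"
    run network vpn ipsec "$1" remote id "$4"
    run network vpn ipsec "$1" remote prefix "$5"
    run network vpn ipsec "$1" inactivity-timeout "$6"
    run network vpn ipsec "$1" show
}

# Constructed sample values (RFC 5737 documentation addresses).
ipsec_psk_tunnel office-vpn 'example-psk' 192.0.2.1 vpn.example.com 203.0.113.0/24 00:30:00
```

Because the PSK is passed as a command argument, it is visible in shell history and in process listings while the command runs, so keep the dry-run output out of shared logs and clear the history afterwards.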


Michael Tremer, Jonatan Schlag