This section lists and explains important directories and files used for configuring Openswan.
				
						/etc/ipsec.d - main directory. Stores Openswan related files.
					
						/etc/ipsec.conf - master configuration file. Further *.conf configuration files can be created in /etc/ipsec.d for individual configurations.
					
						/etc/ipsec.secrets - master secrets file. Further *.secrets files can be created in /etc/ipsec.d for individual configurations.
					
						/etc/ipsec.d/cert*.db - Certificate database files. The old default NSS database file is cert8.db. From Red Hat Enterprise Linux 6 onwards, NSS sqlite databases are used in the cert9.db file.
					
						/etc/ipsec.d/key*.db - Key database files. The old default NSS database file is key3.db. From Red Hat Enterprise Linux 6 onwards, NSS sqlite databases are used in the key4.db file.
					
						/etc/ipsec.d/cacerts - Location for Certificate Authority (CA) certificates.
					
						/etc/ipsec.d/certs - Location for user certificates. Not needed when using NSS.
					
						/etc/ipsec.d/policies - Group policies. Policies can be defined as block, clear, clear-or-private, private, private-or-clear.
					
						/etc/ipsec.d/nsspassword - NSS password file. This file does not exist by default, and is required if the NSS database in use is created with a password.
					
This section lists some of the configuration options available, mostly written to /etc/ipsec.conf.
				
						protostack - defines which protocol stack is used. The default option in Red Hat Enterprise Linux 6 is netkey. Other valid values are auto, klips and mast.
					
						nat_traversal - defines whether the NAT workaround for connections is accepted. Default is no.
					
						dumpdir - defines the location for core dump files.
					
						nhelpers - When using NSS, defines the number of threads used for cryptographic operations. When not using NSS, defines the number of processes used for cryptographic operations.
					
						virtual_private - subnets allowed for the client connection, that is, ranges that may exist behind a NAT router through which a client connects.
					
						plutorestartoncrash - set to yes by default.
					
						plutostderr - path for the pluto error log. Points to the syslog location by default.
					
						connaddrfamily - can be set to either ipv4 or ipv6.
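
As an added example (not part of the original documentation or of Openswan), the following shell function reads the config setup section of an ipsec.conf file and prints the effective value of each global option listed above, applying only the defaults this section states. It assumes that config setup ends at the next unindented line; connaddrfamily is left out because it is set per connection in conn sections; the names effective_setup and sample_conf and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat or Openswan code. Defaults are only those
# stated in this section; options without one print as "(unset)".

# Constructed sample input, for illustration only.
sample_conf() {
    cat <<'EOF'
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
conn example
    auto=add
EOF
}

# Usage: effective_setup [FILE]   (reads stdin when FILE is omitted)
effective_setup() {
    awk '
    BEGIN {
        # Defaults stated in this section.
        val["protostack"] = "netkey"
        val["nat_traversal"] = "no"
        val["plutorestartoncrash"] = "yes"
        n = split("protostack nat_traversal dumpdir nhelpers virtual_private plutorestartoncrash plutostderr", order, " ")
        for (i = 1; i <= n; i++) known[order[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    # An unindented line starts a new section (assumption about the format).
    /^[^ \t]/ { in_setup = ($1 == "config" && $2 == "setup"); next }
    in_setup {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)                  # drop indentation and padding
        gsub(/^[ \t]+|[ \t]+$/, "", value)      # trim the value
        gsub(/^"|"$/, "", value)                # drop surrounding quotes
        if (key in known) val[key] = value
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            print k "=" ((k in val) ? val[k] : "(unset)")
        }
    }' "$@"
}

sample_conf | effective_setup
```

Run against a live system as effective_setup /etc/ipsec.conf; settings placed in additional *.conf files under /etc/ipsec.d are not followed.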
					
Further details about Openswan configuration can be found in the ipsec.conf(5) manual page.