1.2 ! misho 1: # Options for the charon IKE daemon.
! 2: charon {
! 3:
! 4: # Deliberately violate the IKE standard's requirement and allow the use of
! 5: # private algorithm identifiers, even if the peer implementation is unknown. Private identifiers only mean the same thing to peers that have agreed on them, so leave this off unless you control both ends.
! 6: # accept_private_algs = no
! 7:
! 8: # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Only enable this to work around a specific non-compliant peer: it gives up the identity protection that Main Mode is meant to provide.
! 9: # accept_unencrypted_mainmode_messages = no
! 10:
! 11: # Maximum number of half-open IKE_SAs for a single peer IP; beyond it, further requests from that address are blocked while DoS protection is active (see dos_protection and IKE_SA_INIT DROPPING in strongswan.conf(5)).
! 12: # block_threshold = 5
! 13:
! 14: # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
! 15: # should be saved under a unique file name derived from the public key of
! 16: # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
! 17: # /etc/swanctl/x509crl (vici), respectively.
! 18: # cache_crls = no
! 19:
! 20: # Whether relations in validated certificate chains should be cached in
! 21: # memory.
! 22: # cert_cache = yes
! 23:
! 24: # Send Cisco Unity vendor ID payload (IKEv1 only).
! 25: # cisco_unity = no
! 26:
! 27: # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
! 28: # close_ike_on_child_failure = no
! 29:
! 30: # Number of half-open IKE_SAs that activate the cookie mechanism (a responder-side DoS defence, see dos_protection).
! 31: # cookie_threshold = 10
! 32:
! 33: # Delete CHILD_SAs right after they have been successfully rekeyed (IKEv1 only).
! 34: # delete_rekeyed = no
! 35:
! 36: # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
! 37: # (IKEv2 only).
! 38: # delete_rekeyed_delay = 5
! 39:
! 40: # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
! 41: # strength.
! 42: # dh_exponent_ansi_x9_42 = yes
! 43:
! 44: # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
! 45: # missing symbols immediately.
! 46: # dlopen_use_rtld_now = no
! 47:
! 48: # DNS server assigned to peer via configuration payload (CP).
! 49: # dns1 =
! 50:
! 51: # DNS server assigned to peer via configuration payload (CP).
! 52: # dns2 =
! 53:
! 54: # Enable Denial of Service protection using cookies and aggressiveness
! 55: # checks (tuned via cookie_threshold and block_threshold). Keep it enabled on any responder reachable from untrusted networks.
! 56: # dos_protection = yes
! 57:
! 58: # Compliance with the errata for RFC 4753.
! 59: # ecp_x_coordinate_only = yes
! 60:
! 61: # Free objects during authentication (might conflict with plugins).
! 62: # flush_auth_cfg = no
! 63:
! 64: # Whether to follow IKEv2 redirects (RFC 5685).
! 65: # follow_redirects = yes
! 66:
! 67: # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
! 68: # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
! 69: # to 1280 (use 0 for address-family-specific defaults, which use a
! 70: # lower value for IPv4). If specified, this limit is used for both IPv4 and
! 71: # IPv6.
! 72: # fragment_size = 1280
! 73:
! 74: # Name of the group the daemon changes to after startup. Empty means the group is not changed; set it together with charon.user to run the daemon with reduced privileges.
! 75: # group =
! 76:
! 77: # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
! 78: # half_open_timeout = 30
! 79:
! 80: # Enable hash and URL support.
! 81: # hash_and_url = no
! 82:
! 83: # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. The option name is deliberate: Aggressive Mode sends the PSK-based authentication hash before encryption is established, so a passive observer can attack the PSK offline. Leave disabled unless a legacy peer leaves no choice.
! 84: # i_dont_care_about_security_and_use_aggressive_mode_psk = no
! 85:
! 86: # Whether to ignore the traffic selectors from the kernel's acquire events
! 87: # for IKEv2 connections (they are not used for IKEv1).
! 88: # ignore_acquire_ts = no
! 89:
! 90: # A space-separated list of routing tables to be excluded from route
! 91: # lookups.
! 92: # ignore_routing_tables =
! 93:
! 94: # Maximum number of IKE_SAs that can be established at the same time before
! 95: # new connection attempts are blocked.
! 96: # ikesa_limit = 0
! 97:
! 98: # Number of exclusively locked segments in the hash table.
! 99: # ikesa_table_segments = 1
! 100:
! 101: # Size of the IKE_SA hash table.
! 102: # ikesa_table_size = 1
! 103:
! 104: # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
! 105: # inactivity_close_ike = no
! 106:
! 107: # Limit new connections based on the current number of half open IKE_SAs,
! 108: # see IKE_SA_INIT DROPPING in strongswan.conf(5).
! 109: # init_limit_half_open = 0
! 110:
! 111: # Limit new connections based on the number of queued jobs.
! 112: # init_limit_job_load = 0
! 113:
! 114: # Causes charon daemon to ignore IKE initiation requests.
! 115: # initiator_only = no
! 116:
! 117: # Install routes into a separate routing table for established IPsec
! 118: # tunnels.
! 119: # install_routes = yes
! 120:
! 121: # Install virtual IP addresses.
! 122: # install_virtual_ip = yes
! 123:
! 124: # The name of the interface on which virtual IP addresses should be
! 125: # installed.
! 126: # install_virtual_ip_on =
! 127:
! 128: # Check daemon, libstrongswan and plugin integrity at startup.
! 129: # integrity_test = no
! 130:
! 131: # A comma-separated list of network interfaces that should be ignored, if
! 132: # interfaces_use is specified this option has no effect.
! 133: # interfaces_ignore =
! 134:
! 135: # A comma-separated list of network interfaces that should be used by
! 136: # charon. All other interfaces are ignored.
! 137: # interfaces_use =
! 138:
! 139: # NAT keep alive interval.
! 140: # keep_alive = 20s
! 141:
! 142: # Plugins to load in the IKE daemon charon. When empty the default plugin selection applies; an explicit list lets you load only what a deployment needs and keeps the attack surface small.
! 143: # load =
! 144:
! 145: # Determine plugins to load via each plugin's load option.
! 146: # load_modular = no
! 147:
! 148: # Initiate IKEv2 reauthentication with a make-before-break scheme.
! 149: # make_before_break = no
! 150:
! 151: # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
! 152: # and track concurrently.
! 153: # max_ikev1_exchanges = 3
! 154:
! 155: # Maximum packet size accepted by charon.
! 156: # max_packet = 10000
! 157:
! 158: # Enable multiple authentication exchanges (RFC 4739).
! 159: # multiple_authentication = yes
! 160:
! 161: # WINS server assigned to peer via configuration payload (CP).
! 162: # nbns1 =
! 163:
! 164: # WINS server assigned to peer via configuration payload (CP).
! 165: # nbns2 =
! 166:
! 167: # UDP port used locally. If set to 0 a random port will be allocated.
! 168: # port = 500
! 169:
! 170: # UDP port used locally in case of NAT-T. If set to 0 a random port will be
! 171: # allocated. Has to be different from charon.port, otherwise a random port
! 172: # will be allocated.
! 173: # port_nat_t = 4500
! 174:
! 175: # Whether to prefer updating SAs to the path with the best route.
! 176: # prefer_best_path = no
! 177:
! 178: # Prefer locally configured proposals for IKE/IPsec over supplied ones as
! 179: # responder (disabling this can avoid keying retries due to
! 180: # INVALID_KE_PAYLOAD notifies).
! 181: # prefer_configured_proposals = yes
! 182:
! 183: # Controls whether permanent or temporary IPv6 addresses are used as source,
! 184: # or announced as additional addresses if MOBIKE is used.
! 185: # prefer_temporary_addrs = no
! 186:
! 187: # Process RTM_NEWROUTE and RTM_DELROUTE events.
! 188: # process_route = yes
! 189:
! 190: # How RDNs in subject DNs of certificates are matched against configured
! 191: # identities (strict, reordered, or relaxed). strict is the safe default; the other modes accept DNs that do not match exactly (e.g. a different RDN order), so relax it only for a documented interoperability need.
! 192: # rdn_matching = strict
! 193:
! 194: # Delay in ms for receiving packets, to simulate larger RTT.
! 195: # receive_delay = 0
! 196:
! 197: # Delay request messages.
! 198: # receive_delay_request = yes
! 199:
! 200: # Delay response messages.
! 201: # receive_delay_response = yes
! 202:
! 203: # Specific IKEv2 message type to delay, 0 for any.
! 204: # receive_delay_type = 0
! 205:
! 206: # Size of the AH/ESP replay window, in packets. This is the anti-replay protection for IPsec traffic: do not shrink it, and raise it (e.g. 128 or more) on links with heavy reordering or QoS so that legitimate packets are not dropped.
! 207: # replay_window = 32
! 208:
! 209: # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
! 210: # in strongswan.conf(5).
! 211: # retransmit_base = 1.8
! 212:
! 213: # Maximum jitter in percent to apply randomly to calculated retransmission
! 214: # timeout (0 to disable).
! 215: # retransmit_jitter = 0
! 216:
! 217: # Upper limit in seconds for calculated retransmission timeout (0 to
! 218: # disable).
! 219: # retransmit_limit = 0
! 220:
! 221: # Timeout in seconds before sending the first retransmit.
! 222: # retransmit_timeout = 4.0
! 223:
! 224: # Number of times to retransmit a packet before giving up.
! 225: # retransmit_tries = 5
! 226:
! 227: # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
! 228: # DNS resolution failed), 0 to disable retries.
! 229: # retry_initiate_interval = 0
! 230:
! 231: # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
! 232: # reuse_ikesa = yes
! 233:
! 234: # Numerical routing table to install routes to.
! 235: # routing_table =
! 236:
! 237: # Priority of the routing table.
! 238: # routing_table_prio =
! 239:
! 240: # Whether to use RSA with PSS padding instead of PKCS#1 v1.5 padding by default. PSS is the preferred scheme where peers support RFC 7427 signature authentication; keep the default only if a peer needs classic PKCS#1 v1.5 signatures.
! 241: # rsa_pss = no
! 242:
! 243: # Delay in ms for sending packets, to simulate larger RTT.
! 244: # send_delay = 0
! 245:
! 246: # Delay request messages.
! 247: # send_delay_request = yes
! 248:
! 249: # Delay response messages.
! 250: # send_delay_response = yes
! 251:
! 252: # Specific IKEv2 message type to delay, 0 for any.
! 253: # send_delay_type = 0
! 254:
! 255: # Send strongSwan vendor ID payload. Keep disabled unless a peer requires it: the payload discloses the implementation to anyone observing the IKE exchange and eases fingerprinting.
! 256: # send_vendor_id = no
! 257:
! 258: # Whether to enable Signature Authentication as per RFC 7427.
! 259: # signature_authentication = yes
! 260:
! 261: # Whether to enforce constraints against the IKEv2 signature schemes used for authentication (RFC 7427). Keep enabled; disabling it presumably lets a peer use a scheme the configuration meant to rule out.
! 262: # signature_authentication_constraints = yes
! 263:
! 264: # Value mixed into the local IKE SPIs after applying spi_mask.
! 265: # spi_label = 0x0000000000000000
! 266:
! 267: # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
! 268: # be replaced with spi_label).
! 269: # spi_mask = 0x0000000000000000
! 270:
! 271: # The upper limit for SPIs requested from the kernel for IPsec SAs.
! 272: # spi_max = 0xcfffffff
! 273:
! 274: # The lower limit for SPIs requested from the kernel for IPsec SAs.
! 275: # spi_min = 0xc0000000
! 276:
! 277: # Number of worker threads in charon.
! 278: # threads = 16
! 279:
! 280: # Name of the user the daemon changes to after startup. Empty means the user is not changed; set a dedicated unprivileged user (together with charon.group) so that a compromised daemon does not keep full root privileges.
! 281: # user =
! 282:
! 283: crypto_test {
! 284:
! 285: # Benchmark crypto algorithms and order them by efficiency.
! 286: # bench = no
! 287:
! 288: # Buffer size used for crypto benchmark.
! 289: # bench_size = 1024
! 290:
! 291: # Time in ms during which crypto algorithm performance is measured.
! 292: # bench_time = 50
! 293:
! 294: # Test crypto algorithms during registration (requires test vectors
! 295: # provided by the test-vectors plugin).
! 296: # on_add = no
! 297:
! 298: # Test crypto algorithms on each crypto primitive instantiation.
! 299: # on_create = no
! 300:
! 301: # Strictly require at least one test vector to enable an algorithm.
! 302: # required = no
! 303:
! 304: # Whether to test RNG with TRUE quality; requires a lot of entropy.
! 305: # rng_true = no
! 306:
! 307: }
! 308:
! 309: host_resolver {
! 310:
! 311: # Maximum number of concurrent resolver threads (they are terminated if
! 312: # unused).
! 313: # max_threads = 3
! 314:
! 315: # Minimum number of resolver threads to keep around.
! 316: # min_threads = 0
! 317:
! 318: }
! 319:
! 320: leak_detective {
! 321:
! 322: # Includes source file names and line numbers in leak detective output.
! 323: # detailed = yes
! 324:
! 325: # Threshold in bytes for leaks to be reported (0 to report all).
! 326: # usage_threshold = 10240
! 327:
! 328: # Threshold in number of allocations for leaks to be reported (0 to
! 329: # report all).
! 330: # usage_threshold_count = 0
! 331:
! 332: }
! 333:
! 334: processor {
! 335:
! 336: # Section to configure the number of reserved threads per priority class
! 337: # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
! 338: priority_threads {
! 339:
! 340: }
! 341:
! 342: }
! 343:
! 344: # Section containing a list of scripts (name = path) that are executed when
! 345: # the daemon is started. They run with the daemon's privileges, so each path must point to a root-owned file that is not writable by other users.
! 346: start-scripts {
! 347:
! 348: }
! 349:
! 350: # Section containing a list of scripts (name = path) that are executed when
! 351: # the daemon is terminated. They run with the daemon's privileges, so each path must point to a root-owned file that is not writable by other users.
! 352: stop-scripts {
! 353:
! 354: }
! 355:
! 356: tls {
! 357:
! 358: # List of TLS encryption ciphers.
! 359: # cipher =
! 360:
! 361: # List of TLS key exchange methods.
! 362: # key_exchange =
! 363:
! 364: # List of TLS MAC algorithms.
! 365: # mac =
! 366:
! 367: # List of TLS cipher suites.
! 368: # suites =
! 369:
! 370: }
! 371:
! 372: x509 {
! 373:
! 374: # Discard certificates with unsupported or unknown critical extensions, as RFC 5280 requires. Keep enabled; turning it off means an extension the issuer marked as mandatory is silently ignored.
! 375: # enforce_critical = yes
! 376:
! 377: }
! 378:
! 379: }
! 380: