|
version 1.1, 2020/06/03 09:46:43
|
version 1.1.1.2, 2021/03/17 00:20:08
|
|
Line 21 charon {
|
Line 21 charon {
|
| # memory. |
# memory. |
| # cert_cache = yes |
# cert_cache = yes |
| |
|
| |
# Whether to use DPD to check if the current path still works after any |
| |
# changes to interfaces/addresses. |
| |
# check_current_path = no |
| |
|
| |
# Send the Cisco FlexVPN vendor ID payload (IKEv2 only). |
| |
# cisco_flexvpn = no |
| |
|
| # Send Cisco Unity vendor ID payload (IKEv1 only). |
# Send Cisco Unity vendor ID payload (IKEv1 only). |
| # cisco_unity = no |
# cisco_unity = no |
| |
|
|
Line 55 charon {
|
Line 62 charon {
|
| # checks. |
# checks. |
| # dos_protection = yes |
# dos_protection = yes |
| |
|
| # Compliance with the errata for RFC 4753. |
|
| # ecp_x_coordinate_only = yes |
|
| |
|
| # Free objects during authentication (might conflict with plugins). |
# Free objects during authentication (might conflict with plugins). |
| # flush_auth_cfg = no |
# flush_auth_cfg = no |
| |
|
| # Whether to follow IKEv2 redirects (RFC 5685). |
# Whether to follow IKEv2 redirects (RFC 5685). |
| # follow_redirects = yes |
# follow_redirects = yes |
| |
|
| |
# Violate RFC 5998 and use EAP-only authentication even if the peer did not |
| |
# send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. |
| |
# force_eap_only_authentication = no |
| |
|
| # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
| # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
| # to 1280 (use 0 for address family specific default values, which uses a |
# to 1280 (use 0 for address family specific default values, which uses a |
|
Line 139 charon {
|
Line 147 charon {
|
| # NAT keep alive interval. |
# NAT keep alive interval. |
| # keep_alive = 20s |
# keep_alive = 20s |
| |
|
| |
# Number of seconds the keep alive interval may be exceeded before a DPD is |
| |
# sent instead of a NAT keep alive (0 to disable). This is only useful if a |
| |
# clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME). |
| |
# keep_alive_dpd_margin = 0s |
| |
|
| # Plugins to load in the IKE daemon charon. |
# Plugins to load in the IKE daemon charon. |
| # load = |
# load = |
| |
|
|
Line 358 charon {
|
Line 371 charon {
|
| # List of TLS encryption ciphers. |
# List of TLS encryption ciphers. |
| # cipher = |
# cipher = |
| |
|
| |
# List of TLS key exchange groups. |
| |
# ke_group = |
| |
|
| # List of TLS key exchange methods. |
# List of TLS key exchange methods. |
| # key_exchange = |
# key_exchange = |
| |
|
| # List of TLS MAC algorithms. |
# List of TLS MAC algorithms. |
| # mac = |
# mac = |
| |
|
| |
# Whether to include CAs in a server's CertificateRequest message. |
| |
# send_certreq_authorities = yes |
| |
|
| |
# List of TLS signature schemes. |
| |
# signature = |
| |
|
| # List of TLS cipher suites. |
# List of TLS cipher suites. |
| # suites = |
# suites = |
| |
|
| |
# Maximum TLS version to negotiate. |
| |
# version_max = 1.2 |
| |
|
| |
# Minimum TLS version to negotiate. |
| |
# version_min = 1.2 |
| |
|
| } |
} |
| |
|
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to charon.conf CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / conf / options