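# Options for the charon IKE daemon.
#
# Every option is listed commented out with its built-in default; uncomment a
# line to override it. Several options relax a protocol check or a protection
# the daemon applies by default -- their comments say so. Only change those
# for a documented, peer-specific reason.
charon {

    # Deliberately violate the IKE standard's requirement and allow the use of
    # private algorithm identifiers, even if the peer implementation is unknown.
    # Private identifiers have no interoperable meaning, so enable this only
    # when the peer and the identifiers it uses are known.
    # accept_private_algs = no

    # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
    # Main Mode normally carries these payloads encrypted; accepting them in
    # the clear exposes peer identities to anyone observing the exchange.
    # Keep disabled unless a specific peer cannot be fixed.
    # accept_unencrypted_mainmode_messages = no

    # Maximum number of half-open IKE_SAs for a single peer IP. Part of the DoS
    # protection, see dos_protection below.
    # block_threshold = 5

    # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
    # should be saved under a unique file name derived from the public key of
    # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
    # /etc/swanctl/x509crl (vici), respectively. The target directory has to
    # be writable by the daemon (see user/group below).
    # cache_crls = no

    # Whether relations in validated certificate chains should be cached in
    # memory.
    # cert_cache = yes

    # Send Cisco Unity vendor ID payload (IKEv1 only). Vendor IDs are sent in
    # the clear and reveal implementation details to an observer.
    # cisco_unity = no

    # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
    # close_ike_on_child_failure = no

    # Number of half-open IKE_SAs that activate the cookie mechanism. Part of
    # the DoS protection, see dos_protection below.
    # cookie_threshold = 10

    # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
    # delete_rekeyed = no

    # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
    # (IKEv2 only).
    # delete_rekeyed_delay = 5

    # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
    # strength. The default keeps the larger X9.42 exponent; a shorter
    # exponent trades security margin for speed.
    # dh_exponent_ansi_x9_42 = yes

    # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
    # missing symbols immediately.
    # dlopen_use_rtld_now = no

    # DNS server assigned to peer via configuration payload (CP).
    # dns1 =

    # DNS server assigned to peer via configuration payload (CP).
    # dns2 =

    # Enable Denial of Service protection using cookies and aggressiveness
    # checks. The block_threshold and cookie_threshold limits above only take
    # effect while this is enabled; keep it on for any gateway reachable from
    # untrusted networks.
    # dos_protection = yes

    # Compliance with the errata for RFC 4753.
    # ecp_x_coordinate_only = yes

    # Free objects during authentication (might conflict with plugins).
    # flush_auth_cfg = no

    # Whether to follow IKEv2 redirects (RFC 5685). A redirect moves the
    # client to a gateway address chosen by the peer; disable this if a client
    # must only ever connect to its configured gateway.
    # follow_redirects = yes

    # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
    # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
    # to 1280 (use 0 for address family specific default values, which uses a
    # lower value for IPv4). If specified this limit is used for both IPv4 and
    # IPv6.
    # fragment_size = 1280

    # Name of the group the daemon changes to after startup. Together with
    # user below this drops the daemon's privileges after initialization;
    # set both where the build supports running unprivileged.
    # group =

    # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
    # half_open_timeout = 30

    # Enable hash and URL support. Certificates are then fetched from URLs
    # supplied by the peer and checked against the peer-supplied hash; leave
    # disabled unless a peer relies on it.
    # hash_and_url = no

    # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
    # Aggressive Mode transmits the PSK-derived authentication hash before any
    # encryption is in place, so a passive observer can run an offline
    # dictionary attack against the PSK. The option name is deliberate.
    # i_dont_care_about_security_and_use_aggressive_mode_psk = no

    # Whether to ignore the traffic selectors from the kernel's acquire events
    # for IKEv2 connections (they are not used for IKEv1).
    # ignore_acquire_ts = no

    # A space-separated list of routing tables to be excluded from route
    # lookups.
    # ignore_routing_tables =

    # Maximum number of IKE_SAs that can be established at the same time before
    # new connection attempts are blocked (0 = no limit).
    # ikesa_limit = 0

    # Number of exclusively locked segments in the hash table.
    # ikesa_table_segments = 1

    # Size of the IKE_SA hash table.
    # ikesa_table_size = 1

    # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
    # inactivity_close_ike = no

    # Limit new connections based on the current number of half open IKE_SAs,
    # see IKE_SA_INIT DROPPING in strongswan.conf(5). 0 disables the limit.
    # init_limit_half_open = 0

    # Limit new connections based on the number of queued jobs. 0 disables the
    # limit.
    # init_limit_job_load = 0

    # Causes charon daemon to ignore IKE initiation requests.
    # initiator_only = no

    # Install routes into a separate routing table for established IPsec
    # tunnels.
    # install_routes = yes

    # Install virtual IP addresses.
    # install_virtual_ip = yes

    # The name of the interface on which virtual IP addresses should be
    # installed.
    # install_virtual_ip_on =

    # Check daemon, libstrongswan and plugin integrity at startup. Detects
    # tampered or mismatched binaries before they are used; only available
    # when the build includes integrity checking.
    # integrity_test = no

    # A comma-separated list of network interfaces that should be ignored, if
    # interfaces_use is specified this option has no effect.
    # interfaces_ignore =

    # A comma-separated list of network interfaces that should be used by
    # charon. All other interfaces are ignored.
    # interfaces_use =

    # NAT keep alive interval.
    # keep_alive = 20s

    # Plugins to load in the IKE daemon charon. Loading only the plugins that
    # are actually needed keeps the attack surface small.
    # load =

    # Determine plugins to load via each plugin's load option.
    # load_modular = no

    # Initiate IKEv2 reauthentication with a make-before-break scheme.
    # make_before_break = no

    # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
    # and track concurrently.
    # max_ikev1_exchanges = 3

    # Maximum packet size accepted by charon. Bounds the memory spent on a
    # single received message; larger packets are not processed.
    # max_packet = 10000

    # Enable multiple authentication exchanges (RFC 4739).
    # multiple_authentication = yes

    # WINS servers assigned to peer via configuration payload (CP).
    # nbns1 =

    # WINS servers assigned to peer via configuration payload (CP).
    # nbns2 =

    # UDP port used locally. If set to 0 a random port will be allocated.
    # port = 500

    # UDP port used locally in case of NAT-T. If set to 0 a random port will be
    # allocated. Has to be different from charon.port, otherwise a random port
    # will be allocated.
    # port_nat_t = 4500

    # Whether to prefer updating SAs to the path with the best route.
    # prefer_best_path = no

    # Prefer locally configured proposals for IKE/IPsec over supplied ones as
    # responder (disabling this can avoid keying retries due to
    # INVALID_KE_PAYLOAD notifies). With this enabled the local proposal order
    # decides which algorithms a responder picks; disabled, the initiator's
    # order does.
    # prefer_configured_proposals = yes

    # Controls whether permanent or temporary IPv6 addresses are used as source,
    # or announced as additional addresses if MOBIKE is used.
    # prefer_temporary_addrs = no

    # Process RTM_NEWROUTE and RTM_DELROUTE events.
    # process_route = yes

    # How RDNs in subject DNs of certificates are matched against configured
    # identities (strict, reordered, or relaxed). Relaxing the match widens
    # the set of certificate subjects accepted for a configured identity; keep
    # strict unless peer certificates require otherwise.
    # rdn_matching = strict

    # Delay in ms for receiving packets, to simulate larger RTT. Test setting,
    # leave at 0 in production.
    # receive_delay = 0

    # Delay request messages.
    # receive_delay_request = yes

    # Delay response messages.
    # receive_delay_response = yes

    # Specific IKEv2 message type to delay, 0 for any.
    # receive_delay_type = 0

    # Size of the AH/ESP replay window, in packets.
    # replay_window = 32

    # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
    # in strongswan.conf(5).
    # retransmit_base = 1.8

    # Maximum jitter in percent to apply randomly to calculated retransmission
    # timeout (0 to disable).
    # retransmit_jitter = 0

    # Upper limit in seconds for calculated retransmission timeout (0 to
    # disable).
    # retransmit_limit = 0

    # Timeout in seconds before sending first retransmit.
    # retransmit_timeout = 4.0

    # Number of times to retransmit a packet before giving up.
    # retransmit_tries = 5

    # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
    # DNS resolution failed), 0 to disable retries.
    # retry_initiate_interval = 0

    # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
    # reuse_ikesa = yes

    # Numerical routing table to install routes to.
    # routing_table =

    # Priority of the routing table.
    # routing_table_prio =

    # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
    # PSS is the preferred padding for new deployments; peers have to support
    # it (see signature_authentication below).
    # rsa_pss = no

    # Delay in ms for sending packets, to simulate larger RTT. Test setting,
    # leave at 0 in production.
    # send_delay = 0

    # Delay request messages.
    # send_delay_request = yes

    # Delay response messages.
    # send_delay_response = yes

    # Specific IKEv2 message type to delay, 0 for any.
    # send_delay_type = 0

    # Send strongSwan vendor ID payload. The vendor ID is sent in the clear and
    # lets an observer fingerprint the implementation.
    # send_vendor_id = no

    # Whether to enable Signature Authentication as per RFC 7427. Keep enabled;
    # it is what allows signature schemes beyond the classic IKEv2 RSA/ECDSA
    # authentication methods.
    # signature_authentication = yes

    # Whether to enable constraints against IKEv2 signature schemes. Keep
    # enabled so that signature scheme constraints configured for a peer are
    # actually enforced.
    # signature_authentication_constraints = yes

    # Value mixed into the local IKE SPIs after applying spi_mask.
    # spi_label = 0x0000000000000000

    # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
    # be replaced with spi_label).
    # spi_mask = 0x0000000000000000

    # The upper limit for SPIs requested from the kernel for IPsec SAs.
    # spi_max = 0xcfffffff

    # The lower limit for SPIs requested from the kernel for IPsec SAs.
    # spi_min = 0xc0000000

    # Number of worker threads in charon.
    # threads = 16

    # Name of the user the daemon changes to after startup. See group above.
    # user =

    # Self-tests and benchmarking of the loaded crypto implementations.
    crypto_test {

        # Benchmark crypto algorithms and order them by efficiency.
        # bench = no

        # Buffer size used for crypto benchmark.
        # bench_size = 1024

        # Time in ms during which crypto algorithm performance is measured.
        # bench_time = 50

        # Test crypto algorithms during registration (requires test vectors
        # provided by the test-vectors plugin).
        # on_add = no

        # Test crypto algorithms on each crypto primitive instantiation.
        # on_create = no

        # Strictly require at least one test vector to enable an algorithm.
        # With this set, an algorithm that has no test vector is not made
        # available at all.
        # required = no

        # Whether to test RNG with TRUE quality; requires a lot of entropy.
        # rng_true = no

    }

    # Thread pool used for host name resolution.
    host_resolver {

        # Maximum number of concurrent resolver threads (they are terminated if
        # unused).
        # max_threads = 3

        # Minimum number of resolver threads to keep around.
        # min_threads = 0

    }

    # Memory leak reporting; only relevant for builds with leak detective.
    leak_detective {

        # Includes source file names and line numbers in leak detective output.
        # detailed = yes

        # Threshold in bytes for leaks to be reported (0 to report all).
        # usage_threshold = 10240

        # Threshold in number of allocations for leaks to be reported (0 to
        # report all).
        # usage_threshold_count = 0

    }

    processor {

        # Section to configure the number of reserved threads per priority class
        # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
        priority_threads {

        }

    }

    # Section containing a list of scripts (name = path) that are executed when
    # the daemon is started. The scripts run with whatever privileges the
    # daemon holds at that point; keep them owned by root and not writable by
    # other users.
    start-scripts {

    }

    # Section containing a list of scripts (name = path) that are executed when
    # the daemon is terminated. Same ownership advice as for start-scripts.
    stop-scripts {

    }

    # Algorithm lists for the TLS implementation used by the daemon. An empty
    # value keeps the built-in default set.
    tls {

        # List of TLS encryption ciphers.
        # cipher =

        # List of TLS key exchange methods.
        # key_exchange =

        # List of TLS MAC algorithms.
        # mac =

        # List of TLS cipher suites.
        # suites =

    }

    x509 {

        # Discard certificates with unsupported or unknown critical extensions.
        # Keep enabled: a critical extension the daemon cannot evaluate may
        # carry a constraint the issuer expects to be enforced.
        # enforce_critical = yes

    }

}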
380: