Annotation of embedaddon/strongswan/conf/options/charon.conf, revision 1.1.1.2

1.1       misho       1: # Options for the charon IKE daemon.
                      2: charon {
                      3: 
                      4:     # Deliberately violate the IKE standard's requirement and allow the use of
                      5:     # private algorithm identifiers, even if the peer implementation is unknown.
                      6:     # accept_private_algs = no
                      7: 
                      8:     # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
                      9:     # accept_unencrypted_mainmode_messages = no
                     10: 
                     11:     # Maximum number of half-open IKE_SAs for a single peer IP.
                     12:     # block_threshold = 5
                     13: 
                     14:     # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
                     15:     # should be saved under a unique file name derived from the public key of
                     16:     # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
                     17:     # /etc/swanctl/x509crl (vici), respectively.
                     18:     # cache_crls = no
                     19: 
                     20:     # Whether relations in validated certificate chains should be cached in
                     21:     # memory.
                     22:     # cert_cache = yes
                     23: 
1.1.1.2 ! misho      24:     # Whether to use DPD to check if the current path still works after any
        !            25:     # changes to interfaces/addresses.
        !            26:     # check_current_path = no
        !            27: 
        !            28:     # Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
        !            29:     # cisco_flexvpn = no
        !            30: 
1.1       misho      31:     # Send Cisco Unity vendor ID payload (IKEv1 only).
                     32:     # cisco_unity = no
                     33: 
                     34:     # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
                     35:     # close_ike_on_child_failure = no
                     36: 
                     37:     # Number of half-open IKE_SAs that activate the cookie mechanism.
                     38:     # cookie_threshold = 10
                     39: 
                     40:     # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
                     41:     # delete_rekeyed = no
                     42: 
                     43:     # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
                     44:     # (IKEv2 only).
                     45:     # delete_rekeyed_delay = 5
                     46: 
                     47:     # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
                     48:     # strength.
                     49:     # dh_exponent_ansi_x9_42 = yes
                     50: 
                     51:     # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
                     52:     # missing symbols immediately.
                     53:     # dlopen_use_rtld_now = no
                     54: 
                     55:     # DNS server assigned to peer via configuration payload (CP).
                     56:     # dns1 =
                     57: 
                     58:     # DNS server assigned to peer via configuration payload (CP).
                     59:     # dns2 =
                     60: 
                     61:     # Enable Denial of Service protection using cookies and aggressiveness
                     62:     # checks.
                     63:     # dos_protection = yes
                     64: 
                     65:     # Free objects during authentication (might conflict with plugins).
                     66:     # flush_auth_cfg = no
                     67: 
                     68:     # Whether to follow IKEv2 redirects (RFC 5685).
                     69:     # follow_redirects = yes
                     70: 
1.1.1.2 ! misho      71:     # Violate RFC 5998 and use EAP-only authentication even if the peer did not
        !            72:     # send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
        !            73:     # force_eap_only_authentication = no
        !            74: 
1.1       misho      75:     # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
                     76:     # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
                     77:     # to 1280 (use 0 for address family specific default values, which uses a
                     78:     # lower value for IPv4).  If specified this limit is used for both IPv4 and
                     79:     # IPv6.
                     80:     # fragment_size = 1280
                     81: 
                     82:     # Name of the group the daemon changes to after startup.
                     83:     # group =
                     84: 
                     85:     # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
                     86:     # half_open_timeout = 30
                     87: 
                     88:     # Enable hash and URL support.
                     89:     # hash_and_url = no
                     90: 
                     91:     # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
                     92:     # i_dont_care_about_security_and_use_aggressive_mode_psk = no
                     93: 
                     94:     # Whether to ignore the traffic selectors from the kernel's acquire events
                     95:     # for IKEv2 connections (they are not used for IKEv1).
                     96:     # ignore_acquire_ts = no
                     97: 
                     98:     # A space-separated list of routing tables to be excluded from route
                     99:     # lookups.
                    100:     # ignore_routing_tables =
                    101: 
                    102:     # Maximum number of IKE_SAs that can be established at the same time before
                    103:     # new connection attempts are blocked.
                    104:     # ikesa_limit = 0
                    105: 
                    106:     # Number of exclusively locked segments in the hash table.
                    107:     # ikesa_table_segments = 1
                    108: 
                    109:     # Size of the IKE_SA hash table.
                    110:     # ikesa_table_size = 1
                    111: 
                    112:     # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
                    113:     # inactivity_close_ike = no
                    114: 
                    115:     # Limit new connections based on the current number of half open IKE_SAs,
                    116:     # see IKE_SA_INIT DROPPING in strongswan.conf(5).
                    117:     # init_limit_half_open = 0
                    118: 
                    119:     # Limit new connections based on the number of queued jobs.
                    120:     # init_limit_job_load = 0
                    121: 
                    122:     # Causes charon daemon to ignore IKE initiation requests.
                    123:     # initiator_only = no
                    124: 
                    125:     # Install routes into a separate routing table for established IPsec
                    126:     # tunnels.
                    127:     # install_routes = yes
                    128: 
                    129:     # Install virtual IP addresses.
                    130:     # install_virtual_ip = yes
                    131: 
                    132:     # The name of the interface on which virtual IP addresses should be
                    133:     # installed.
                    134:     # install_virtual_ip_on =
                    135: 
                    136:     # Check daemon, libstrongswan and plugin integrity at startup.
                    137:     # integrity_test = no
                    138: 
                    139:     # A comma-separated list of network interfaces that should be ignored, if
                    140:     # interfaces_use is specified this option has no effect.
                    141:     # interfaces_ignore =
                    142: 
                    143:     # A comma-separated list of network interfaces that should be used by
                    144:     # charon. All other interfaces are ignored.
                    145:     # interfaces_use =
                    146: 
                    147:     # NAT keep alive interval.
                    148:     # keep_alive = 20s
                    149: 
1.1.1.2 ! misho     150:     # Number of seconds the keep alive interval may be exceeded before a DPD is
        !           151:     # sent instead of a NAT keep alive (0 to disable).  This is only useful if a
        !           152:     # clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
        !           153:     # keep_alive_dpd_margin = 0s
        !           154: 
1.1       misho     155:     # Plugins to load in the IKE daemon charon.
                    156:     # load =
                    157: 
                    158:     # Determine plugins to load via each plugin's load option.
                    159:     # load_modular = no
                    160: 
                    161:     # Initiate IKEv2 reauthentication with a make-before-break scheme.
                    162:     # make_before_break = no
                    163: 
                    164:     # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
                    165:     # and track concurrently.
                    166:     # max_ikev1_exchanges = 3
                    167: 
                    168:     # Maximum packet size accepted by charon.
                    169:     # max_packet = 10000
                    170: 
                    171:     # Enable multiple authentication exchanges (RFC 4739).
                    172:     # multiple_authentication = yes
                    173: 
                    174:     # WINS servers assigned to peer via configuration payload (CP).
                    175:     # nbns1 =
                    176: 
                    177:     # WINS servers assigned to peer via configuration payload (CP).
                    178:     # nbns2 =
                    179: 
                    180:     # UDP port used locally. If set to 0 a random port will be allocated.
                    181:     # port = 500
                    182: 
                    183:     # UDP port used locally in case of NAT-T. If set to 0 a random port will be
                    184:     # allocated.  Has to be different from charon.port, otherwise a random port
                    185:     # will be allocated.
                    186:     # port_nat_t = 4500
                    187: 
                    188:     # Whether to prefer updating SAs to the path with the best route.
                    189:     # prefer_best_path = no
                    190: 
                    191:     # Prefer locally configured proposals for IKE/IPsec over supplied ones as
                    192:     # responder (disabling this can avoid keying retries due to
                    193:     # INVALID_KE_PAYLOAD notifies).
                    194:     # prefer_configured_proposals = yes
                    195: 
                    196:     # Controls whether permanent or temporary IPv6 addresses are used as source,
                    197:     # or announced as additional addresses if MOBIKE is used.
                    198:     # prefer_temporary_addrs = no
                    199: 
                    200:     # Process RTM_NEWROUTE and RTM_DELROUTE events.
                    201:     # process_route = yes
                    202: 
                    203:     # How RDNs in subject DNs of certificates are matched against configured
                    204:     # identities (strict, reordered, or relaxed).
                    205:     # rdn_matching = strict
                    206: 
                    207:     # Delay in ms for receiving packets, to simulate larger RTT.
                    208:     # receive_delay = 0
                    209: 
                    210:     # Delay request messages.
                    211:     # receive_delay_request = yes
                    212: 
                    213:     # Delay response messages.
                    214:     # receive_delay_response = yes
                    215: 
                    216:     # Specific IKEv2 message type to delay, 0 for any.
                    217:     # receive_delay_type = 0
                    218: 
                    219:     # Size of the AH/ESP replay window, in packets.
                    220:     # replay_window = 32
                    221: 
                    222:     # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
                    223:     # in strongswan.conf(5).
                    224:     # retransmit_base = 1.8
                    225: 
                    226:     # Maximum jitter in percent to apply randomly to calculated retransmission
                    227:     # timeout (0 to disable).
                    228:     # retransmit_jitter = 0
                    229: 
                    230:     # Upper limit in seconds for calculated retransmission timeout (0 to
                    231:     # disable).
                    232:     # retransmit_limit = 0
                    233: 
                    234:     # Timeout in seconds before sending first retransmit.
                    235:     # retransmit_timeout = 4.0
                    236: 
                    237:     # Number of times to retransmit a packet before giving up.
                    238:     # retransmit_tries = 5
                    239: 
                    240:     # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
                    241:     # DNS resolution failed), 0 to disable retries.
                    242:     # retry_initiate_interval = 0
                    243: 
                    244:     # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
                    245:     # reuse_ikesa = yes
                    246: 
                    247:     # Numerical routing table to install routes to.
                    248:     # routing_table =
                    249: 
                    250:     # Priority of the routing table.
                    251:     # routing_table_prio =
                    252: 
                    253:     # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
                    254:     # rsa_pss = no
                    255: 
                    256:     # Delay in ms for sending packets, to simulate larger RTT.
                    257:     # send_delay = 0
                    258: 
                    259:     # Delay request messages.
                    260:     # send_delay_request = yes
                    261: 
                    262:     # Delay response messages.
                    263:     # send_delay_response = yes
                    264: 
                    265:     # Specific IKEv2 message type to delay, 0 for any.
                    266:     # send_delay_type = 0
                    267: 
                    268:     # Send strongSwan vendor ID payload
                    269:     # send_vendor_id = no
                    270: 
                    271:     # Whether to enable Signature Authentication as per RFC 7427.
                    272:     # signature_authentication = yes
                    273: 
                    274:     # Whether to enable constraints against IKEv2 signature schemes.
                    275:     # signature_authentication_constraints = yes
                    276: 
                    277:     # Value mixed into the local IKE SPIs after applying spi_mask.
                    278:     # spi_label = 0x0000000000000000
                    279: 
                    280:     # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
                    281:     # be replaced with spi_label).
                    282:     # spi_mask = 0x0000000000000000
                    283: 
                    284:     # The upper limit for SPIs requested from the kernel for IPsec SAs.
                    285:     # spi_max = 0xcfffffff
                    286: 
                    287:     # The lower limit for SPIs requested from the kernel for IPsec SAs.
                    288:     # spi_min = 0xc0000000
                    289: 
                    290:     # Number of worker threads in charon.
                    291:     # threads = 16
                    292: 
                    293:     # Name of the user the daemon changes to after startup.
                    294:     # user =
                    295: 
                    296:     crypto_test {
                    297: 
                    298:         # Benchmark crypto algorithms and order them by efficiency.
                    299:         # bench = no
                    300: 
                    301:         # Buffer size used for crypto benchmark.
                    302:         # bench_size = 1024
                    303: 
                    304:         # Time in ms during which crypto algorithm performance is measured.
                    305:         # bench_time = 50
                    306: 
                    307:         # Test crypto algorithms during registration (requires test vectors
                    308:         # provided by the test-vectors plugin).
                    309:         # on_add = no
                    310: 
                    311:         # Test crypto algorithms on each crypto primitive instantiation.
                    312:         # on_create = no
                    313: 
                    314:         # Strictly require at least one test vector to enable an algorithm.
                    315:         # required = no
                    316: 
                    317:         # Whether to test RNG with TRUE quality; requires a lot of entropy.
                    318:         # rng_true = no
                    319: 
                    320:     }
                    321: 
                    322:     host_resolver {
                    323: 
                    324:         # Maximum number of concurrent resolver threads (they are terminated if
                    325:         # unused).
                    326:         # max_threads = 3
                    327: 
                    328:         # Minimum number of resolver threads to keep around.
                    329:         # min_threads = 0
                    330: 
                    331:     }
                    332: 
                    333:     leak_detective {
                    334: 
                    335:         # Includes source file names and line numbers in leak detective output.
                    336:         # detailed = yes
                    337: 
                    338:         # Threshold in bytes for leaks to be reported (0 to report all).
                    339:         # usage_threshold = 10240
                    340: 
                    341:         # Threshold in number of allocations for leaks to be reported (0 to
                    342:         # report all).
                    343:         # usage_threshold_count = 0
                    344: 
                    345:     }
                    346: 
                    347:     processor {
                    348: 
                    349:         # Section to configure the number of reserved threads per priority class
                    350:         # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
                    351:         priority_threads {
                    352: 
                    353:         }
                    354: 
                    355:     }
                    356: 
                    357:     # Section containing a list of scripts (name = path) that are executed when
                    358:     # the daemon is started.
                    359:     start-scripts {
                    360: 
                    361:     }
                    362: 
                    363:     # Section containing a list of scripts (name = path) that are executed when
                    364:     # the daemon is terminated.
                    365:     stop-scripts {
                    366: 
                    367:     }
                    368: 
                    369:     tls {
                    370: 
                    371:         # List of TLS encryption ciphers.
                    372:         # cipher =
                    373: 
1.1.1.2 ! misho     374:         # List of TLS key exchange groups.
        !           375:         # ke_group =
        !           376: 
1.1       misho     377:         # List of TLS key exchange methods.
                    378:         # key_exchange =
                    379: 
                    380:         # List of TLS MAC algorithms.
                    381:         # mac =
                    382: 
1.1.1.2 ! misho     383:         # Whether to include CAs in a server's CertificateRequest message.
        !           384:         # send_certreq_authorities = yes
        !           385: 
        !           386:         # List of TLS signature schemes.
        !           387:         # signature =
        !           388: 
1.1       misho     389:         # List of TLS cipher suites.
                    390:         # suites =
                    391: 
1.1.1.2 ! misho     392:         # Maximum TLS version to negotiate.
        !           393:         # version_max = 1.2
        !           394: 
        !           395:         # Minimum TLS version to negotiate.
        !           396:         # version_min = 1.2
        !           397: 
1.1       misho     398:     }
                    399: 
                    400:     x509 {
                    401: 
                    402:         # Discard certificates with unsupported or unknown critical extensions.
                    403:         # enforce_critical = yes
                    404: 
                    405:     }
                    406: 
                    407: }
                    408: 

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>