1: # Options for the charon IKE daemon.
2: charon {
3:
4: # Deliberately violate the IKE standard's requirement and allow the use of
5: # private algorithm identifiers, even if the peer implementation is unknown.
6: # accept_private_algs = no
7:
8: # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
9: # accept_unencrypted_mainmode_messages = no
10:
11: # Maximum number of half-open IKE_SAs for a single peer IP.
12: # block_threshold = 5
13:
14: # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
15: # should be saved under a unique file name derived from the public key of
16: # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
17: # /etc/swanctl/x509crl (vici), respectively.
18: # cache_crls = no
19:
20: # Whether relations in validated certificate chains should be cached in
21: # memory.
22: # cert_cache = yes
23:
24: # Whether to use DPD to check if the current path still works after any
25: # changes to interfaces/addresses.
26: # check_current_path = no
27:
28: # Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
29: # cisco_flexvpn = no
30:
31: # Send Cisco Unity vendor ID payload (IKEv1 only).
32: # cisco_unity = no
33:
34: # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
35: # close_ike_on_child_failure = no
36:
37: # Number of half-open IKE_SAs that activate the cookie mechanism.
38: # cookie_threshold = 10
39:
40: # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
41: # delete_rekeyed = no
42:
43: # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
44: # (IKEv2 only).
45: # delete_rekeyed_delay = 5
46:
47: # Use the ANSI X9.42 DH exponent size, or an optimum size matched to the
48: # cryptographic strength.
49: # dh_exponent_ansi_x9_42 = yes
50:
51: # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
52: # missing symbols immediately.
53: # dlopen_use_rtld_now = no
54:
55: # DNS server assigned to peer via configuration payload (CP).
56: # dns1 =
57:
58: # DNS server assigned to peer via configuration payload (CP).
59: # dns2 =
60:
61: # Enable Denial of Service protection using cookies and aggressiveness
62: # checks.
63: # dos_protection = yes
64:
65: # Free objects during authentication (might conflict with plugins).
66: # flush_auth_cfg = no
67:
68: # Whether to follow IKEv2 redirects (RFC 5685).
69: # follow_redirects = yes
70:
71: # Violate RFC 5998 and use EAP-only authentication even if the peer did not
72: # send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
73: # force_eap_only_authentication = no
74:
75: # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
76: # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
77: # to 1280 (use 0 for address family specific default values, which use a
78: # lower value for IPv4). If specified, this limit is used for both IPv4 and
79: # IPv6.
80: # fragment_size = 1280
81:
82: # Name of the group the daemon changes to after startup.
83: # group =
84:
85: # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
86: # half_open_timeout = 30
87:
88: # Enable hash and URL support.
89: # hash_and_url = no
90:
91: # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
92: # i_dont_care_about_security_and_use_aggressive_mode_psk = no
93:
94: # Whether to ignore the traffic selectors from the kernel's acquire events
95: # for IKEv2 connections (they are not used for IKEv1).
96: # ignore_acquire_ts = no
97:
98: # A space-separated list of routing tables to be excluded from route
99: # lookups.
100: # ignore_routing_tables =
101:
102: # Maximum number of IKE_SAs that can be established at the same time before
103: # new connection attempts are blocked.
104: # ikesa_limit = 0
105:
106: # Number of exclusively locked segments in the hash table.
107: # ikesa_table_segments = 1
108:
109: # Size of the IKE_SA hash table.
110: # ikesa_table_size = 1
111:
112: # Whether to close the IKE_SA if its only CHILD_SA was closed due to inactivity.
113: # inactivity_close_ike = no
114:
115: # Limit new connections based on the current number of half open IKE_SAs,
116: # see IKE_SA_INIT DROPPING in strongswan.conf(5).
117: # init_limit_half_open = 0
118:
119: # Limit new connections based on the number of queued jobs.
120: # init_limit_job_load = 0
121:
122: # Causes the charon daemon to ignore IKE initiation requests.
123: # initiator_only = no
124:
125: # Install routes into a separate routing table for established IPsec
126: # tunnels.
127: # install_routes = yes
128:
129: # Install virtual IP addresses.
130: # install_virtual_ip = yes
131:
132: # The name of the interface on which virtual IP addresses should be
133: # installed.
134: # install_virtual_ip_on =
135:
136: # Check daemon, libstrongswan and plugin integrity at startup.
137: # integrity_test = no
138:
139: # A comma-separated list of network interfaces that should be ignored; if
140: # interfaces_use is specified, this option has no effect.
141: # interfaces_ignore =
142:
143: # A comma-separated list of network interfaces that should be used by
144: # charon. All other interfaces are ignored.
145: # interfaces_use =
146:
147: # NAT keep alive interval.
148: # keep_alive = 20s
149:
150: # Number of seconds the keep alive interval may be exceeded before a DPD is
151: # sent instead of a NAT keep alive (0 to disable). This is only useful if a
152: # clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
153: # keep_alive_dpd_margin = 0s
154:
155: # Plugins to load in the IKE daemon charon.
156: # load =
157:
158: # Determine plugins to load via each plugin's load option.
159: # load_modular = no
160:
161: # Initiate IKEv2 reauthentication with a make-before-break scheme.
162: # make_before_break = no
163:
164: # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
165: # and track concurrently.
166: # max_ikev1_exchanges = 3
167:
168: # Maximum packet size accepted by charon.
169: # max_packet = 10000
170:
171: # Enable multiple authentication exchanges (RFC 4739).
172: # multiple_authentication = yes
173:
174: # WINS server assigned to the peer via configuration payload (CP).
175: # nbns1 =
176:
177: # WINS server assigned to the peer via configuration payload (CP).
178: # nbns2 =
179:
180: # UDP port used locally. If set to 0 a random port will be allocated.
181: # port = 500
182:
183: # UDP port used locally in case of NAT-T. If set to 0 a random port will be
184: # allocated. Has to be different from charon.port, otherwise a random port
185: # will be allocated.
186: # port_nat_t = 4500
187:
188: # Whether to prefer updating SAs to the path with the best route.
189: # prefer_best_path = no
190:
191: # Prefer locally configured proposals for IKE/IPsec over supplied ones as
192: # responder (disabling this can avoid keying retries due to
193: # INVALID_KE_PAYLOAD notifies).
194: # prefer_configured_proposals = yes
195:
196: # Controls whether permanent or temporary IPv6 addresses are used as source,
197: # or announced as additional addresses if MOBIKE is used.
198: # prefer_temporary_addrs = no
199:
200: # Process RTM_NEWROUTE and RTM_DELROUTE events.
201: # process_route = yes
202:
203: # How RDNs in subject DNs of certificates are matched against configured
204: # identities (strict, reordered, or relaxed).
205: # rdn_matching = strict
206:
207: # Delay in ms for receiving packets, to simulate larger RTT.
208: # receive_delay = 0
209:
210: # Delay request messages.
211: # receive_delay_request = yes
212:
213: # Delay response messages.
214: # receive_delay_response = yes
215:
216: # Specific IKEv2 message type to delay, 0 for any.
217: # receive_delay_type = 0
218:
219: # Size of the AH/ESP replay window, in packets.
220: # replay_window = 32
221:
222: # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
223: # in strongswan.conf(5).
224: # retransmit_base = 1.8
225:
226: # Maximum jitter in percent to apply randomly to calculated retransmission
227: # timeout (0 to disable).
228: # retransmit_jitter = 0
229:
230: # Upper limit in seconds for calculated retransmission timeout (0 to
231: # disable).
232: # retransmit_limit = 0
233:
234: # Timeout in seconds before sending first retransmit.
235: # retransmit_timeout = 4.0
236:
237: # Number of times to retransmit a packet before giving up.
238: # retransmit_tries = 5
239:
240: # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
241: # DNS resolution failed), 0 to disable retries.
242: # retry_initiate_interval = 0
243:
244: # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
245: # reuse_ikesa = yes
246:
247: # Numerical routing table to install routes to.
248: # routing_table =
249:
250: # Priority of the routing table.
251: # routing_table_prio =
252:
253: # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
254: # rsa_pss = no
255:
256: # Delay in ms for sending packets, to simulate larger RTT.
257: # send_delay = 0
258:
259: # Delay request messages.
260: # send_delay_request = yes
261:
262: # Delay response messages.
263: # send_delay_response = yes
264:
265: # Specific IKEv2 message type to delay, 0 for any.
266: # send_delay_type = 0
267:
268: # Send the strongSwan vendor ID payload.
269: # send_vendor_id = no
270:
271: # Whether to enable Signature Authentication as per RFC 7427.
272: # signature_authentication = yes
273:
274: # Whether to enable constraints against IKEv2 signature schemes.
275: # signature_authentication_constraints = yes
276:
277: # Value mixed into the local IKE SPIs after applying spi_mask.
278: # spi_label = 0x0000000000000000
279:
280: # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
281: # be replaced with spi_label).
282: # spi_mask = 0x0000000000000000
283:
284: # The upper limit for SPIs requested from the kernel for IPsec SAs.
285: # spi_max = 0xcfffffff
286:
287: # The lower limit for SPIs requested from the kernel for IPsec SAs.
288: # spi_min = 0xc0000000
289:
290: # Number of worker threads in charon.
291: # threads = 16
292:
293: # Name of the user the daemon changes to after startup.
294: # user =
295:
296: crypto_test {
297:
298: # Benchmark crypto algorithms and order them by efficiency.
299: # bench = no
300:
301: # Buffer size used for crypto benchmark.
302: # bench_size = 1024
303:
304: # Time in ms during which crypto algorithm performance is measured.
305: # bench_time = 50
306:
307: # Test crypto algorithms during registration (requires test vectors
308: # provided by the test-vectors plugin).
309: # on_add = no
310:
311: # Test crypto algorithms on each crypto primitive instantiation.
312: # on_create = no
313:
314: # Strictly require at least one test vector to enable an algorithm.
315: # required = no
316:
317: # Whether to test RNG with TRUE quality; requires a lot of entropy.
318: # rng_true = no
319:
320: }
321:
322: host_resolver {
323:
324: # Maximum number of concurrent resolver threads (they are terminated if
325: # unused).
326: # max_threads = 3
327:
328: # Minimum number of resolver threads to keep around.
329: # min_threads = 0
330:
331: }
332:
333: leak_detective {
334:
335: # Includes source file names and line numbers in leak detective output.
336: # detailed = yes
337:
338: # Threshold in bytes for leaks to be reported (0 to report all).
339: # usage_threshold = 10240
340:
341: # Threshold in number of allocations for leaks to be reported (0 to
342: # report all).
343: # usage_threshold_count = 0
344:
345: }
346:
347: processor {
348:
349: # Section to configure the number of reserved threads per priority class,
350: # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
351: priority_threads {
352:
353: }
354:
355: }
356:
357: # Section containing a list of scripts (name = path) that are executed when
358: # the daemon is started.
359: start-scripts {
360:
361: }
362:
363: # Section containing a list of scripts (name = path) that are executed when
364: # the daemon is terminated.
365: stop-scripts {
366:
367: }
368:
369: tls {
370:
371: # List of TLS encryption ciphers.
372: # cipher =
373:
374: # List of TLS key exchange groups.
375: # ke_group =
376:
377: # List of TLS key exchange methods.
378: # key_exchange =
379:
380: # List of TLS MAC algorithms.
381: # mac =
382:
383: # Whether to include CAs in a server's CertificateRequest message.
384: # send_certreq_authorities = yes
385:
386: # List of TLS signature schemes.
387: # signature =
388:
389: # List of TLS cipher suites.
390: # suites =
391:
392: # Maximum TLS version to negotiate.
393: # version_max = 1.2
394:
395: # Minimum TLS version to negotiate.
396: # version_min = 1.2
397:
398: }
399:
400: x509 {
401:
402: # Discard certificates with unsupported or unknown critical extensions.
403: # enforce_critical = yes
404:
405: }
406:
407: }
408: