|
version 1.1.1.1, 2020/06/03 09:46:43
|
version 1.1.1.2, 2021/03/17 00:20:08
|
|
Line 40 charon.cache_crls = no
|
Line 40 charon.cache_crls = no
|
| Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or |
Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or |
| **/etc/swanctl/x509crl** (vici), respectively. |
**/etc/swanctl/x509crl** (vici), respectively. |
| |
|
| |
charon.check_current_path = no |
| |
Whether to use DPD to check if the current path still works after any |
| |
changes to interfaces/addresses. |
| |
|
| |
By default, after detecting any changes to interfaces and/or addresses no |
| |
action is taken if the current path to the remote peer still looks usable. |
| |
Enabling this option will use DPD to check if the path actually still works, |
| |
or, for instance, the peer removed the state after a longer phase without |
| |
connectivity. It will also trigger a MOBIKE update if NAT mappings were |
| |
removed during the downtime. |
| |
|
| |
charon.cisco_flexvpn = no |
| |
Send the Cisco FlexVPN vendor ID payload (IKEv2 only). |
| |
|
| |
Send the Cisco FlexVPN vendor ID payload, which is required in order to make |
| |
Cisco brand devices allow negotiating a local traffic selector (from |
| |
strongSwan's point of view) that is not the assigned virtual IP address if |
| |
such an address is requested by strongSwan. Sending the Cisco FlexVPN |
| |
vendor ID prevents the peer from narrowing the initiator's local traffic |
| |
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 |
| |
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco |
| |
template but should also work for GRE encapsulation. |
| |
|
| charon.cisco_unity = no |
charon.cisco_unity = no |
| Send Cisco Unity vendor ID payload (IKEv1 only). |
Send Cisco Unity vendor ID payload (IKEv1 only). |
| |
|
|
Line 106 charon.dns2
|
Line 129 charon.dns2
|
| charon.dos_protection = yes |
charon.dos_protection = yes |
| Enable Denial of Service protection using cookies and aggressiveness checks. |
Enable Denial of Service protection using cookies and aggressiveness checks. |
| |
|
| charon.ecp_x_coordinate_only = yes |
|
| Compliance with the errata for RFC 4753. |
|
| |
|
| charon.flush_auth_cfg = no |
charon.flush_auth_cfg = no |
| Free objects during authentication (might conflict with plugins). |
Free objects during authentication (might conflict with plugins). |
| |
|
|
Line 120 charon.flush_auth_cfg = no
|
Line 140 charon.flush_auth_cfg = no
|
| charon.follow_redirects = yes |
charon.follow_redirects = yes |
| Whether to follow IKEv2 redirects (RFC 5685). |
Whether to follow IKEv2 redirects (RFC 5685). |
| |
|
| |
charon.force_eap_only_authentication = no |
| |
Violate RFC 5998 and use EAP-only authentication even if the peer did not |
| |
send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. |
| |
|
| charon.fragment_size = 1280 |
charon.fragment_size = 1280 |
| Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
| when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
|
Line 216 charon.interfaces_use
|
Line 240 charon.interfaces_use
|
| charon.keep_alive = 20s |
charon.keep_alive = 20s |
| NAT keep alive interval. |
NAT keep alive interval. |
| |
|
| |
charon.keep_alive_dpd_margin = 0s |
| |
Number of seconds the keep alive interval may be exceeded before a DPD is |
| |
sent instead of a NAT keep alive (0 to disable). This is only useful if a |
| |
clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME). |
| |
|
| charon.leak_detective.detailed = yes |
charon.leak_detective.detailed = yes |
| Includes source file names and line numbers in leak detective output. |
Includes source file names and line numbers in leak detective output. |
| |
|
|
Line 443 charon.tls.mac
|
Line 472 charon.tls.mac
|
| |
|
| charon.tls.suites |
charon.tls.suites |
| List of TLS cipher suites. |
List of TLS cipher suites. |
| |
|
| |
charon.tls.ke_group |
| |
List of TLS key exchange groups. |
| |
|
| |
charon.tls.signature |
| |
List of TLS signature schemes. |
| |
|
| |
charon.tls.send_certreq_authorities = yes |
| |
Whether to include CAs in a server's CertificateRequest message. |
| |
|
| |
Whether to include CAs in a server's CertificateRequest message. May be |
| |
disabled if clients can't handle a long list of CAs. |
| |
|
| |
charon.tls.version_min = 1.2 |
| |
Minimum TLS version to negotiate. |
| |
|
| |
charon.tls.version_max = 1.2 |
| |
Maximum TLS version to negotiate. |
| |
|
| charon.user |
charon.user |
| Name of the user the daemon changes to after startup. |
Name of the user the daemon changes to after startup. |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to charon.opt CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / conf / options