version 1.1.1.1, 2020/06/03 09:46:43
|
version 1.1.1.2, 2021/03/17 00:20:08
|
Line 40 charon.cache_crls = no
|
Line 40 charon.cache_crls = no
|
Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or |
Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or |
**/etc/swanctl/x509crl** (vici), respectively. |
**/etc/swanctl/x509crl** (vici), respectively. |
|
|
|
charon.check_current_path = no |
|
Whether to use DPD to check if the current path still works after any |
|
changes to interfaces/addresses. |
|
|
|
By default, after detecting any changes to interfaces and/or addresses no |
|
action is taken if the current path to the remote peer still looks usable. |
|
Enabling this option will use DPD to check if the path actually still works, |
|
or, for instance, the peer removed the state after a longer phase without |
|
connectivity. It will also trigger a MOBIKE update if NAT mappings were |
|
removed during the downtime. |
|
|
|
charon.cisco_flexvpn = no |
|
Send the Cisco FlexVPN vendor ID payload (IKEv2 only). |
|
|
|
Send the Cisco FlexVPN vendor ID payload, which is required in order to make |
|
Cisco brand devices allow negotiating a local traffic selector (from |
|
strongSwan's point of view) that is not the assigned virtual IP address if |
|
such an address is requested by strongSwan. Sending the Cisco FlexVPN |
|
vendor ID prevents the peer from narrowing the initiator's local traffic |
|
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 |
|
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco |
|
template but should also work for GRE encapsulation. |
|
|
charon.cisco_unity = no |
charon.cisco_unity = no |
Send Cisco Unity vendor ID payload (IKEv1 only). |
Send Cisco Unity vendor ID payload (IKEv1 only). |
|
|
Line 106 charon.dns2
|
Line 129 charon.dns2
|
charon.dos_protection = yes |
charon.dos_protection = yes |
Enable Denial of Service protection using cookies and aggressiveness checks. |
Enable Denial of Service protection using cookies and aggressiveness checks. |
|
|
charon.ecp_x_coordinate_only = yes |
|
Compliance with the errata for RFC 4753. |
|
|
|
charon.flush_auth_cfg = no |
charon.flush_auth_cfg = no |
Free objects during authentication (might conflict with plugins). |
Free objects during authentication (might conflict with plugins). |
|
|
Line 120 charon.flush_auth_cfg = no
|
Line 140 charon.flush_auth_cfg = no
|
charon.follow_redirects = yes |
charon.follow_redirects = yes |
Whether to follow IKEv2 redirects (RFC 5685). |
Whether to follow IKEv2 redirects (RFC 5685). |
|
|
|
charon.force_eap_only_authentication = no |
|
Violate RFC 5998 and use EAP-only authentication even if the peer did not |
|
send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. |
|
|
charon.fragment_size = 1280 |
charon.fragment_size = 1280 |
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment |
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults |
Line 216 charon.interfaces_use
|
Line 240 charon.interfaces_use
|
charon.keep_alive = 20s |
charon.keep_alive = 20s |
NAT keep alive interval. |
NAT keep alive interval. |
|
|
|
charon.keep_alive_dpd_margin = 0s |
|
Number of seconds the keep alive interval may be exceeded before a DPD is |
|
sent instead of a NAT keep alive (0 to disable). This is only useful if a |
|
clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME). |
|
|
charon.leak_detective.detailed = yes |
charon.leak_detective.detailed = yes |
Includes source file names and line numbers in leak detective output. |
Includes source file names and line numbers in leak detective output. |
|
|
Line 443 charon.tls.mac
|
Line 472 charon.tls.mac
|
|
|
charon.tls.suites |
charon.tls.suites |
List of TLS cipher suites. |
List of TLS cipher suites. |
|
|
|
charon.tls.ke_group |
|
List of TLS key exchange groups. |
|
|
|
charon.tls.signature |
|
List of TLS signature schemes. |
|
|
|
charon.tls.send_certreq_authorities = yes |
|
Whether to include CAs in a server's CertificateRequest message. |
|
|
|
Whether to include CAs in a server's CertificateRequest message. May be |
|
disabled if clients can't handle a long list of CAs. |
|
|
|
charon.tls.version_min = 1.2 |
|
Minimum TLS version to negotiate. |
|
|
|
charon.tls.version_max = 1.2 |
|
Maximum TLS version to negotiate. |
|
|
charon.user |
charon.user |
Name of the user the daemon changes to after startup. |
Name of the user the daemon changes to after startup. |