Annotation of embedaddon/strongswan/conf/options/charon.opt, revision 1.1

1.1     ! misho       1: charon {}
        !             2:        Options for the charon IKE daemon.
        !             3: 
        !             4:        Options for the charon IKE daemon.
        !             5: 
        !             6:        **Note**: Many of the options in this section also apply to **charon-cmd**
        !             7:        and other **charon** derivatives.  Just use their respective name (e.g.
        !             8:        **charon-cmd** instead of **charon**). For many options defaults can be
        !             9:        defined in the **libstrongswan** section.
        !            10: 
        !            11: charon.accept_private_algs = no
        !            12:        Deliberately violate the IKE standard's requirement and allow the use of
        !            13:        private algorithm identifiers, even if the peer implementation is unknown.
        !            14: 
        !            15: charon.accept_unencrypted_mainmode_messages = no
        !            16:        Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
        !            17: 
        !            18:        Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
        !            19: 
        !            20:        Some implementations send the third Main Mode message unencrypted, probably
        !            21:        to find the PSKs for the specified ID for authentication. This is very
        !            22:        similar to Aggressive Mode, and has the same security implications: A
        !            23:        passive attacker can sniff the negotiated Identity, and start brute forcing
        !            24:        the PSK using the HASH payload.
        !            25: 
        !            26:        It is recommended to keep this option set to no, unless you know exactly
        !            27:        what the implications are and require compatibility with such devices (for
        !            28:        example, some SonicWall boxes).
        !            29: 
        !            30: charon.block_threshold = 5
        !            31:        Maximum number of half-open IKE_SAs for a single peer IP.
        !            32: 
        !            33: charon.cert_cache = yes
        !            34:        Whether relations in validated certificate chains should be cached in
        !            35:        memory.
        !            36: 
        !            37: charon.cache_crls = no
        !            38:        Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
        !            39:        be saved under a unique file name derived from the public key of the
        !            40:        Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
        !            41:        **/etc/swanctl/x509crl** (vici), respectively.
        !            42: 
        !            43: charon.cisco_unity = no
        !            44:        Send Cisco Unity vendor ID payload (IKEv1 only).
        !            45: 
        !            46: charon.close_ike_on_child_failure = no
        !            47:        Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
        !            48: 
        !            49: charon.cookie_threshold = 10
        !            50:        Number of half-open IKE_SAs that activate the cookie mechanism.
        !            51: 
        !            52: charon.crypto_test.bench = no
        !            53:        Benchmark crypto algorithms and order them by efficiency.
        !            54: 
        !            55: charon.crypto_test.bench_size = 1024
        !            56:        Buffer size used for crypto benchmark.
        !            57: 
        !            58: charon.crypto_test.bench_time = 50
        !            59:        Time in ms during which crypto algorithm performance is measured.
        !            60: 
        !            61: charon.crypto_test.on_add = no
        !            62:        Test crypto algorithms during registration (requires test vectors provided
        !            63:        by the _test-vectors_ plugin).
        !            64: 
        !            65: charon.crypto_test.on_create = no
        !            66:        Test crypto algorithms on each crypto primitive instantiation.
        !            67: 
        !            68: charon.crypto_test.required = no
        !            69:        Strictly require at least one test vector to enable an algorithm.
        !            70: 
        !            71: charon.crypto_test.rng_true = no
        !            72:        Whether to test RNG with TRUE quality; requires a lot of entropy.
        !            73: 
        !            74: charon.delete_rekeyed = no
        !            75:        Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
        !            76: 
        !            77:        Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
        !            78:        Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
        !            79:        However, this might cause problems with implementations that continue to
        !            80:        use rekeyed SAs until they expire.
        !            81: 
        !            82: charon.delete_rekeyed_delay = 5
        !            83:        Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
        !            84:        only).
        !            85: 
        !            86:        Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
        !            87:        only). To process delayed packets the inbound part of a CHILD_SA is kept
        !            88:        installed up to the configured number of seconds after it got replaced
        !            89:        during a rekeying. If set to 0 the CHILD_SA will be kept installed until it
        !            90:        expires (if no lifetime is set it will be destroyed immediately).
        !            91: 
        !            92: charon.dh_exponent_ansi_x9_42 = yes
        !            93:        Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
        !            94:        strength.
        !            95: 
        !            96: charon.dlopen_use_rtld_now = no
        !            97:        Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
        !            98:        symbols immediately.
        !            99: 
        !           100: charon.dns1
        !           101:        DNS server assigned to peer via configuration payload (CP).
        !           102: 
        !           103: charon.dns2
        !           104:        DNS server assigned to peer via configuration payload (CP).
        !           105: 
        !           106: charon.dos_protection = yes
        !           107:        Enable Denial of Service protection using cookies and aggressiveness checks.
        !           108: 
        !           109: charon.ecp_x_coordinate_only = yes
        !           110:        Compliance with the errata for RFC 4753.
        !           111: 
        !           112: charon.flush_auth_cfg = no
        !           113:        Free objects during authentication (might conflict with plugins).
        !           114: 
        !           115:        If enabled objects used during authentication (certificates, identities
        !           116:        etc.) are released to free memory once an IKE_SA is established. Enabling
        !           117:        this might conflict with plugins that later need access to e.g. the used
        !           118:        certificates.
        !           119: 
        !           120: charon.follow_redirects = yes
        !           121:        Whether to follow IKEv2 redirects (RFC 5685).
        !           122: 
        !           123: charon.fragment_size = 1280
        !           124:        Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
        !           125:        when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
        !           126:        to 1280 (use 0 for address family specific default values, which uses a
        !           127:        lower value for IPv4).  If specified this limit is used for both IPv4 and
        !           128:        IPv6.
        !           129: 
        !           130: charon.group
        !           131:        Name of the group the daemon changes to after startup.
        !           132: 
        !           133: charon.half_open_timeout = 30
        !           134:        Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
        !           135: 
        !           136: charon.hash_and_url = no
        !           137:        Enable hash and URL support.
        !           138: 
        !           139: charon.host_resolver.max_threads = 3
        !           140:        Maximum number of concurrent resolver threads (they are terminated if
        !           141:        unused).
        !           142: 
        !           143: charon.host_resolver.min_threads = 0
        !           144:        Minimum number of resolver threads to keep around.
        !           145: 
        !           146: charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
        !           147:        Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
        !           148: 
        !           149:        If enabled responders are allowed to use IKEv1 Aggressive Mode with
        !           150:        pre-shared keys, which is discouraged due to security concerns (offline
        !           151:        attacks on the openly transmitted hash of the PSK).
        !           152: 
        !           153: charon.ignore_routing_tables
        !           154:        A space-separated list of routing tables to be excluded from route lookups.
        !           155: 
        !           156: charon.ignore_acquire_ts = no
        !           157:        Whether to ignore the traffic selectors from the kernel's acquire events for
        !           158:        IKEv2 connections (they are not used for IKEv1).
        !           159: 
        !           160:        If this is disabled, the traffic selectors from the kernel's acquire events,
        !           161:        which are derived from the triggering packet, are prepended to the traffic
        !           162:        selectors from the configuration for IKEv2 connections. By enabling this,
        !           163:        such specific traffic selectors will be ignored and only the ones in the
        !           164:        config will be sent. This always happens for IKEv1 connections as the
        !           165:        protocol only supports one set of traffic selectors per CHILD_SA.
        !           166: 
        !           167: charon.ikesa_limit = 0
        !           168:        Maximum number of IKE_SAs that can be established at the same time before
        !           169:        new connection attempts are blocked.
        !           170: 
        !           171: charon.ikesa_table_segments = 1
        !           172:        Number of exclusively locked segments in the hash table.
        !           173: 
        !           174: charon.ikesa_table_size = 1
        !           175:        Size of the IKE_SA hash table.
        !           176: 
        !           177: charon.inactivity_close_ike = no
        !           178:        Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
        !           179: 
        !           180: charon.init_limit_half_open = 0
        !           181:        Limit new connections based on the current number of half open IKE_SAs, see
        !           182:        IKE_SA_INIT DROPPING in **strongswan.conf**(5).
        !           183: 
        !           184: charon.init_limit_job_load = 0
        !           185:        Limit new connections based on the number of queued jobs.
        !           186: 
        !           187:        Limit new connections based on the number of jobs currently queued for
        !           188:        processing (see IKE_SA_INIT DROPPING).
        !           189: 
        !           190: charon.initiator_only = no
        !           191:        Causes charon daemon to ignore IKE initiation requests.
        !           192: 
        !           193: charon.install_routes = yes
        !           194:        Install routes into a separate routing table for established IPsec tunnels.
        !           195: 
        !           196: charon.install_virtual_ip = yes
        !           197:        Install virtual IP addresses.
        !           198: 
        !           199: charon.install_virtual_ip_on
        !           200:        The name of the interface on which virtual IP addresses should be installed.
        !           201: 
        !           202:        The name of the interface on which virtual IP addresses should be installed.
        !           203:        If not specified the addresses will be installed on the outbound interface.
        !           204: 
        !           205: charon.integrity_test = no
        !           206:        Check daemon, libstrongswan and plugin integrity at startup.
        !           207: 
        !           208: charon.interfaces_ignore
        !           209:        A comma-separated list of network interfaces that should be ignored, if
        !           210:        **interfaces_use** is specified this option has no effect.
        !           211: 
        !           212: charon.interfaces_use
        !           213:        A comma-separated list of network interfaces that should be used by charon.
        !           214:        All other interfaces are ignored.
        !           215: 
        !           216: charon.keep_alive = 20s
        !           217:        NAT keep alive interval.
        !           218: 
        !           219: charon.leak_detective.detailed = yes
        !           220:        Includes source file names and line numbers in leak detective output.
        !           221: 
        !           222: charon.leak_detective.usage_threshold = 10240
        !           223:        Threshold in bytes for leaks to be reported (0 to report all).
        !           224: 
        !           225: charon.leak_detective.usage_threshold_count = 0
        !           226:        Threshold in number of allocations for leaks to be reported (0 to report
        !           227:        all).
        !           228: 
        !           229: charon.load
        !           230:        Plugins to load in the IKE daemon charon.
        !           231: 
        !           232: charon.load_modular = no
        !           233:        Determine plugins to load via each plugin's load option.
        !           234: 
        !           235:        If enabled, the list of plugins to load is determined via the value of the
        !           236:        _charon.plugins.<name>.load_ options.  In addition to a simple boolean flag
        !           237:        that option may take an integer value indicating the priority of a plugin,
        !           238:        which would influence the order of a plugin in the plugin list (the default
        !           239:        is 1). If two plugins have the same priority their order in the default
        !           240:        plugin list is preserved. Enabled plugins not found in that list are ordered
        !           241:        alphabetically before other plugins with the same priority.
        !           242: 
        !           243: charon.max_ikev1_exchanges = 3
        !           244:        Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
        !           245:        track concurrently.
        !           246: 
        !           247: charon.max_packet = 10000
        !           248:        Maximum packet size accepted by charon.
        !           249: 
        !           250: charon.make_before_break = no
        !           251:        Initiate IKEv2 reauthentication with a make-before-break scheme.
        !           252: 
        !           253:        Initiate IKEv2 reauthentication with a make-before-break instead of a
        !           254:        break-before-make scheme. Make-before-break uses overlapping IKE and
        !           255:        CHILD_SA during reauthentication by first recreating all new SAs before
        !           256:        deleting the old ones. This behavior can be beneficial to avoid connectivity
        !           257:        gaps during reauthentication, but requires support for overlapping SAs by
        !           258:        the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
        !           259: 
        !           260: charon.multiple_authentication = yes
        !           261:        Enable multiple authentication exchanges (RFC 4739).
        !           262: 
        !           263: charon.nbns1
        !           264:        WINS servers assigned to peer via configuration payload (CP).
        !           265: 
        !           266: charon.nbns2
        !           267:        WINS servers assigned to peer via configuration payload (CP).
        !           268: 
        !           269: charon.port = 500
        !           270:        UDP port used locally. If set to 0 a random port will be allocated.
        !           271: 
        !           272: charon.port_nat_t = 4500
        !           273:        UDP port used locally in case of NAT-T. If set to 0 a random port will be
        !           274:        allocated.  Has to be different from **charon.port**, otherwise a random
        !           275:        port will be allocated.
        !           276: 
        !           277: charon.prefer_best_path = no
        !           278:        Whether to prefer updating SAs to the path with the best route.
        !           279: 
        !           280:        By default, charon keeps SAs on the routing path with addresses it
        !           281:        previously used if that path is still usable. By setting this option to
        !           282:        yes, it tries more aggressively to update SAs with MOBIKE on routing
        !           283:        priority changes using the cheapest path. This adds more noise, but allows
        !           284:        SAs to adapt dynamically to routing priority changes. This option has no
        !           285:        effect if MOBIKE is not supported or disabled.
        !           286: 
        !           287: charon.prefer_configured_proposals = yes
        !           288:        Prefer locally configured proposals for IKE/IPsec over supplied ones as
        !           289:        responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
        !           290:        notifies).
        !           291: 
        !           292: charon.prefer_temporary_addrs = no
        !           293:        Controls whether permanent or temporary IPv6 addresses are used as source,
        !           294:        or announced as additional addresses if MOBIKE is used.
        !           295: 
        !           296:        By default, permanent IPv6 source addresses are preferred over temporary
        !           297:        ones (RFC 4941), to make connections more stable. Enable this option to
        !           298:        reverse this.
        !           299: 
        !           300:        It also affects which IPv6 addresses are announced as additional addresses
        !           301:        if MOBIKE is used.  If the option is disabled, only permanent addresses are
        !           302:        sent, and only temporary ones if it is enabled.
        !           303: 
        !           304: charon.process_route = yes
        !           305:        Process RTM_NEWROUTE and RTM_DELROUTE events.
        !           306: 
        !           307: charon.processor.priority_threads {}
        !           308:        Section to configure the number of reserved threads per priority class,
        !           309:        see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
        !           310: 
        !           311: charon.rdn_matching = strict
        !           312:        How RDNs in subject DNs of certificates are matched against configured
        !           313:        identities (_strict_, _reordered_, or _relaxed_).
        !           314: 
        !           315:        How RDNs in subject DNs of certificates are matched against configured
        !           316:        identities. Possible values are _strict_ (the default), _reordered_, and
        !           317:        _relaxed_. With _strict_ the number, type and order of all RDNs have to
        !           318:        match; wildcards (*) for the values of RDNs are allowed (that's the case
        !           319:        for all three variants). Using _reordered_ also matches DNs if the RDNs
        !           320:        appear in a different order, but the number and type still have to match.
        !           321:        Finally, _relaxed_ also allows matches of DNs that contain more RDNs than
        !           322:        the configured identity (missing RDNs are treated like a wildcard match).
        !           323: 
        !           324:        Note that _reordered_ and _relaxed_ impose a considerable overhead on memory
        !           325:        usage and runtime, in particular, for mismatches, compared to _strict_.
        !           326: 
        !           327: charon.receive_delay = 0
        !           328:        Delay in ms for receiving packets, to simulate larger RTT.
        !           329: 
        !           330: charon.receive_delay_response = yes
        !           331:        Delay response messages.
        !           332: 
        !           333: charon.receive_delay_request = yes
        !           334:        Delay request messages.
        !           335: 
        !           336: charon.receive_delay_type = 0
        !           337:        Specific IKEv2 message type to delay, 0 for any.
        !           338: 
        !           339: charon.replay_window = 32
        !           340:        Size of the AH/ESP replay window, in packets.
        !           341: 
        !           342: charon.retransmit_base = 1.8
        !           343:        Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
        !           344:        in **strongswan.conf**(5).
        !           345: 
        !           346: charon.retransmit_timeout = 4.0
        !           347:        Timeout in seconds before sending first retransmit.
        !           348: 
        !           349: charon.retransmit_tries = 5
        !           350:        Number of times to retransmit a packet before giving up.
        !           351: 
        !           352: charon.retransmit_jitter = 0
        !           353:        Maximum jitter in percent to apply randomly to calculated retransmission
        !           354:        timeout (0 to disable).
        !           355: 
        !           356: charon.retransmit_limit = 0
        !           357:        Upper limit in seconds for calculated retransmission timeout (0 to disable).
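
The IKEv2 retransmission back-off that the **charon.retransmit_*** options above configure, worked through as an added example (not code from strongSwan). It applies the formula from IKEv2 RETRANSMISSION in **strongswan.conf**(5): retransmit n is sent after retransmit_timeout * retransmit_base^n seconds, capped by retransmit_limit and randomly shortened by up to retransmit_jitter percent; the `seed` parameter is this example's own addition for reproducible jitter, not a charon option.

```python
import random
from dataclasses import dataclass


@dataclass
class RetransmitConfig:
    """The charon.retransmit_* options with the defaults documented above."""
    timeout: float = 4.0  # charon.retransmit_timeout, seconds before 1st retransmit
    base: float = 1.8     # charon.retransmit_base, exponential back-off factor
    tries: int = 5        # charon.retransmit_tries, retransmits before giving up
    jitter: int = 0       # charon.retransmit_jitter, max random reduction in percent
    limit: int = 0        # charon.retransmit_limit, cap in seconds (0 = no cap)


def retransmit_timeout(cfg, n, rng=None):
    """Seconds to wait before retransmission n (n = 0 is the first retransmit).

    Per strongswan.conf(5): timeout * base^n, capped by retransmit_limit,
    then randomly shortened by up to retransmit_jitter percent.
    """
    wait = cfg.timeout * cfg.base ** n
    if cfg.limit:
        wait = min(wait, float(cfg.limit))
    if cfg.jitter:
        rng = rng or random.Random()
        # jitter only ever shortens the wait, so it never exceeds the computed value
        wait -= wait * (cfg.jitter / 100.0) * rng.random()
    return wait


def schedule(cfg, seed=None):
    """All waits before charon gives up: one after the initial send and one after
    each of the retransmit_tries retransmits. 'seed' makes jitter reproducible
    (an addition of this example, not a charon option)."""
    rng = random.Random(seed)
    return [retransmit_timeout(cfg, n, rng) for n in range(cfg.tries + 1)]


def total_timeout(cfg, seed=None):
    """Worst-case seconds until charon gives up on the exchange and closes the IKE_SA."""
    return sum(schedule(cfg, seed))


if __name__ == "__main__":
    defaults = RetransmitConfig()
    print("defaults:", [round(t, 2) for t in schedule(defaults)],
          "total %.1f s" % total_timeout(defaults))
    capped = RetransmitConfig(limit=20)
    print("limit=20:", [round(t, 2) for t in schedule(capped)],
          "total %.1f s" % total_timeout(capped))
```

With the defaults the six waits sum to roughly 165 seconds, which is how long a dead peer can keep an IKE_SA alive before charon closes it.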
        !           358: 
        !           359: charon.retry_initiate_interval = 0
        !           360:        Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
        !           361:        resolution failed), 0 to disable retries.
        !           362: 
        !           363: charon.reuse_ikesa = yes
        !           364:        Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
        !           365: 
        !           366: charon.routing_table
        !           367:        Numerical routing table to install routes to.
        !           368: 
        !           369: charon.routing_table_prio
        !           370:        Priority of the routing table.
        !           371: 
        !           372: charon.rsa_pss = no
        !           373:        Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
        !           374: 
        !           375: charon.send_delay = 0
        !           376:        Delay in ms for sending packets, to simulate larger RTT.
        !           377: 
        !           378: charon.send_delay_response = yes
        !           379:        Delay response messages.
        !           380: 
        !           381: charon.send_delay_request = yes
        !           382:        Delay request messages.
        !           383: 
        !           384: charon.send_delay_type = 0
        !           385:        Specific IKEv2 message type to delay, 0 for any.
        !           386: 
        !           387: charon.send_vendor_id = no
        !           388:        Send strongSwan vendor ID payload.
        !           389: 
        !           390: charon.signature_authentication = yes
        !           391:        Whether to enable Signature Authentication as per RFC 7427.
        !           392: 
        !           393: charon.signature_authentication_constraints = yes
        !           394:        Whether to enable constraints against IKEv2 signature schemes.
        !           395: 
        !           396:        If enabled, signature schemes configured in _rightauth_, in addition to
        !           397:        getting used as constraints against signature schemes employed in the
        !           398:        certificate chain, are also used as constraints against the signature scheme
        !           399:        used by peers during IKEv2.
        !           400: 
        !           401: charon.spi_label = 0x0000000000000000
        !           402:        Value mixed into the local IKE SPIs after applying _spi_mask_.
        !           403: 
        !           404: charon.spi_mask = 0x0000000000000000
        !           405:        Mask applied to local IKE SPIs before mixing in _spi_label_ (bits set will
        !           406:        be replaced with _spi_label_).
        !           407: 
        !           408: charon.spi_min = 0xc0000000
        !           409:        The lower limit for SPIs requested from the kernel for IPsec SAs.
        !           410: 
        !           411:        The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
        !           412:        be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
        !           413:        by IANA.
        !           414: 
        !           415: charon.spi_max = 0xcfffffff
        !           416:        The upper limit for SPIs requested from the kernel for IPsec SAs.
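
An added example (not strongSwan code) that turns several of the security-relevant constraints documented above into a check over a strongswan.conf file: the unencrypted Main Mode and Aggressive Mode PSK switches, **dos_protection**, the requirement that **port_nat_t** differ from **port**, and the IANA-reserved range below **spi_min** (plus spi_min not exceeding spi_max). The parser is a simplification that handles `key = value`, `name { ... }` and `#` comments one statement per line and ignores `include`; the two configuration samples are constructed for this example.

```python
import re

# Defaults from charon.opt for the options the audit below examines.
DEFAULTS = {
    "accept_unencrypted_mainmode_messages": "no",
    "i_dont_care_about_security_and_use_aggressive_mode_psk": "no",
    "dos_protection": "yes",
    "port": "500",
    "port_nat_t": "4500",
    "spi_min": "0xc0000000",
    "spi_max": "0xcfffffff",
}

SECTION_RE = re.compile(r"^([\w.-]+)\s*\{$")
SETTING_RE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_conf(text):
    """Parse strongswan.conf syntax into nested dicts (simplified: one statement
    per line, '#' comments, no 'include' directives)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        current = stack[-1] if stack else root
        section, setting = SECTION_RE.match(line), SETTING_RE.match(line)
        if section:
            stack.append(current.setdefault(section.group(1), {}))
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif setting:
            current[setting.group(1)] = setting.group(2).strip()
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if stack:
        raise ValueError("unterminated section")
    return root


def audit_charon(conf):
    """Findings for charon settings that weaken the protections documented above;
    options that are not set fall back to DEFAULTS."""
    charon = conf.get("charon", {})

    def get(key):
        return charon.get(key, DEFAULTS[key])

    def num(key):
        return int(get(key), 0)  # base 0 accepts decimal and 0x-prefixed hex

    findings = []
    if get("accept_unencrypted_mainmode_messages") == "yes":
        findings.append("accept_unencrypted_mainmode_messages = yes: identity and PSK "
                        "HASH are exposed to passive observers, as in Aggressive Mode")
    if get("i_dont_care_about_security_and_use_aggressive_mode_psk") == "yes":
        findings.append("IKEv1 Aggressive Mode with PSK is enabled: the openly "
                        "transmitted PSK hash allows offline attacks")
    if get("dos_protection") == "no":
        findings.append("dos_protection = no: cookies and half-open IKE_SA limits are off")
    port, port_nat_t = num("port"), num("port_nat_t")
    if port and port == port_nat_t:
        findings.append("port_nat_t equals port (%d): charon will allocate a random "
                        "NAT-T port instead" % port)
    spi_min, spi_max = num("spi_min"), num("spi_max")
    if spi_min < 0x100:
        findings.append("spi_min = %#x is below 0x100: SPIs 1-255 are reserved by IANA"
                        % spi_min)
    if spi_min > spi_max:
        findings.append("spi_min (%#x) exceeds spi_max (%#x)" % (spi_min, spi_max))
    return findings


# Constructed sample: several of the options set to their weak values.
WEAK_CONF = """
charon {
    accept_unencrypted_mainmode_messages = yes   # compatibility workaround
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    dos_protection = no
    port = 500
    port_nat_t = 500
    spi_min = 0x00000010
    plugins {
        openssl {
            load = yes
        }
    }
}
"""

# Constructed sample: the same section with the documented defaults restored.
HARDENED_CONF = """
charon {
    accept_unencrypted_mainmode_messages = no
    dos_protection = yes
    cookie_threshold = 10
    block_threshold = 5
    port_nat_t = 4500
}
"""

if __name__ == "__main__":
    for finding in audit_charon(parse_conf(WEAK_CONF)):
        print("WARN:", finding)
    print("hardened findings:", audit_charon(parse_conf(HARDENED_CONF)))
```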
        !           417: 
        !           418: charon.start-scripts {}
        !           419:        Section containing a list of scripts (name = path) that are executed when
        !           420:        the daemon is started.
        !           421: 
        !           422: charon.stop-scripts {}
        !           423:        Section containing a list of scripts (name = path) that are executed when
        !           424:        the daemon is terminated.
        !           425: 
        !           426: charon.threads = 16
        !           427:        Number of worker threads in charon.
        !           428: 
        !           429:        Number of worker threads in charon. Several of these are reserved for long
        !           430:        running tasks in internal modules and plugins. Therefore, make sure you
        !           431:        don't set this value too low. The number of idle worker threads listed in
        !           432:        _ipsec statusall_ can be used as an indicator of the number of reserved
        !           433:        threads.
        !           434: 
        !           435: charon.tls.cipher
        !           436:        List of TLS encryption ciphers.
        !           437: 
        !           438: charon.tls.key_exchange
        !           439:        List of TLS key exchange methods.
        !           440: 
        !           441: charon.tls.mac
        !           442:        List of TLS MAC algorithms.
        !           443: 
        !           444: charon.tls.suites
        !           445:        List of TLS cipher suites.
        !           446: 
        !           447: charon.user
        !           448:        Name of the user the daemon changes to after startup.
        !           449: 
        !           450: charon.x509.enforce_critical = yes
        !           451:        Discard certificates with unsupported or unknown critical extensions.
