Annotation of embedaddon/strongswan/conf/options/charon.opt, revision 1.1.1.1
charon {}
	Options for the charon IKE daemon.

	Options for the charon IKE daemon.

	**Note**: Many of the options in this section also apply to **charon-cmd**
	and other **charon** derivatives. Just use their respective name (e.g.
	**charon-cmd** instead of **charon**). For many options defaults can be
	defined in the **libstrongswan** section.

charon.accept_private_algs = no
	Deliberately violate the IKE standard's requirement and allow the use of
	private algorithm identifiers, even if the peer implementation is unknown.

charon.accept_unencrypted_mainmode_messages = no
	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

	Some implementations send the third Main Mode message unencrypted, probably
	to find the PSKs for the specified ID for authentication. This is very
	similar to Aggressive Mode, and has the same security implications: A
	passive attacker can sniff the negotiated Identity, and start brute forcing
	the PSK using the HASH payload.

	It is recommended to keep this option set to no, unless you know exactly
	what the implications are and require compatibility with such devices (for
	example, some SonicWall boxes).

charon.block_threshold = 5
	Maximum number of half-open IKE_SAs for a single peer IP.

charon.cert_cache = yes
	Whether relations in validated certificate chains should be cached in
	memory.

charon.cache_crls = no
	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
	be saved under a unique file name derived from the public key of the
	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
	**/etc/swanctl/x509crl** (vici), respectively.

charon.cisco_unity = no
	Send Cisco Unity vendor ID payload (IKEv1 only).

charon.close_ike_on_child_failure = no
	Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.

charon.cookie_threshold = 10
	Number of half-open IKE_SAs that activate the cookie mechanism.

charon.crypto_test.bench = no
	Benchmark crypto algorithms and order them by efficiency.

charon.crypto_test.bench_size = 1024
	Buffer size used for crypto benchmark.

charon.crypto_test.bench_time = 50
	Time in ms during which crypto algorithm performance is measured.

charon.crypto_test.on_add = no
	Test crypto algorithms during registration (requires test vectors provided
	by the _test-vectors_ plugin).

charon.crypto_test.on_create = no
	Test crypto algorithms on each crypto primitive instantiation.

charon.crypto_test.required = no
	Strictly require at least one test vector to enable an algorithm.

charon.crypto_test.rng_true = no
	Whether to test RNG with TRUE quality; requires a lot of entropy.

charon.delete_rekeyed = no
	Delete CHILD_SAs right after they have been successfully rekeyed (IKEv1
	only).

	Delete CHILD_SAs right after they have been successfully rekeyed (IKEv1
	only). Reduces the number of stale CHILD_SAs in scenarios with a lot of
	rekeyings. However, this might cause problems with implementations that
	continue to use rekeyed SAs until they expire.

charon.delete_rekeyed_delay = 5
	Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
	only).

	Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
	only). To process delayed packets the inbound part of a CHILD_SA is kept
	installed up to the configured number of seconds after it got replaced
	during a rekeying. If set to 0 the CHILD_SA will be kept installed until it
	expires (if no lifetime is set it will be destroyed immediately).

charon.dh_exponent_ansi_x9_42 = yes
	Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
	strength.

charon.dlopen_use_rtld_now = no
	Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
	symbols immediately.

charon.dns1
	DNS server assigned to peer via configuration payload (CP).

charon.dns2
	DNS server assigned to peer via configuration payload (CP).

charon.dos_protection = yes
	Enable Denial of Service protection using cookies and aggressiveness checks.

charon.ecp_x_coordinate_only = yes
	Compliance with the errata for RFC 4753.

charon.flush_auth_cfg = no
	Free objects during authentication (might conflict with plugins).

	If enabled, objects used during authentication (certificates, identities
	etc.) are released to free memory once an IKE_SA is established. Enabling
	this might conflict with plugins that later need access to e.g. the used
	certificates.

charon.follow_redirects = yes
	Whether to follow IKEv2 redirects (RFC 5685).

charon.fragment_size = 1280
	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
	to 1280 (use 0 for address family specific default values, which uses a
	lower value for IPv4). If specified this limit is used for both IPv4 and
	IPv6.

charon.group
	Name of the group the daemon changes to after startup.

charon.half_open_timeout = 30
	Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).

charon.hash_and_url = no
	Enable hash and URL support.

charon.host_resolver.max_threads = 3
	Maximum number of concurrent resolver threads (they are terminated if
	unused).

charon.host_resolver.min_threads = 0
	Minimum number of resolver threads to keep around.

charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
	Allow IKEv1 Aggressive Mode with pre-shared keys as responder.

	If enabled, responders are allowed to use IKEv1 Aggressive Mode with
	pre-shared keys, which is discouraged due to security concerns (offline
	attacks on the openly transmitted hash of the PSK).

charon.ignore_routing_tables
	A space-separated list of routing tables to be excluded from route lookups.

charon.ignore_acquire_ts = no
	Whether to ignore the traffic selectors from the kernel's acquire events for
	IKEv2 connections (they are not used for IKEv1).

	If this is disabled the traffic selectors from the kernel's acquire events,
	which are derived from the triggering packet, are prepended to the traffic
	selectors from the configuration for IKEv2 connections. By enabling this,
	such specific traffic selectors will be ignored and only the ones in the
	config will be sent. This always happens for IKEv1 connections as the
	protocol only supports one set of traffic selectors per CHILD_SA.

charon.ikesa_limit = 0
	Maximum number of IKE_SAs that can be established at the same time before
	new connection attempts are blocked.

charon.ikesa_table_segments = 1
	Number of exclusively locked segments in the hash table.

charon.ikesa_table_size = 1
	Size of the IKE_SA hash table.

charon.inactivity_close_ike = no
	Whether to close the IKE_SA if its only CHILD_SA was closed due to
	inactivity.

charon.init_limit_half_open = 0
	Limit new connections based on the current number of half open IKE_SAs, see
	IKE_SA_INIT DROPPING in **strongswan.conf**(5).

charon.init_limit_job_load = 0
	Limit new connections based on the number of queued jobs.

	Limit new connections based on the number of jobs currently queued for
	processing (see IKE_SA_INIT DROPPING).

charon.initiator_only = no
	Causes the charon daemon to ignore IKE initiation requests.

charon.install_routes = yes
	Install routes into a separate routing table for established IPsec tunnels.

charon.install_virtual_ip = yes
	Install virtual IP addresses.

charon.install_virtual_ip_on
	The name of the interface on which virtual IP addresses should be installed.

	The name of the interface on which virtual IP addresses should be installed.
	If not specified the addresses will be installed on the outbound interface.

charon.integrity_test = no
	Check daemon, libstrongswan and plugin integrity at startup.

charon.interfaces_ignore
	A comma-separated list of network interfaces that should be ignored. If
	**interfaces_use** is specified this option has no effect.

charon.interfaces_use
	A comma-separated list of network interfaces that should be used by charon.
	All other interfaces are ignored.

charon.keep_alive = 20s
	NAT keep alive interval.

charon.leak_detective.detailed = yes
	Includes source file names and line numbers in leak detective output.

charon.leak_detective.usage_threshold = 10240
	Threshold in bytes for leaks to be reported (0 to report all).

charon.leak_detective.usage_threshold_count = 0
	Threshold in number of allocations for leaks to be reported (0 to report
	all).

charon.load
	Plugins to load in the IKE daemon charon.

charon.load_modular = no
	Determine plugins to load via each plugin's load option.

	If enabled, the list of plugins to load is determined via the value of the
	_charon.plugins.<name>.load_ options. In addition to a simple boolean flag
	that option may take an integer value indicating the priority of a plugin,
	which would influence the order of a plugin in the plugin list (the default
	is 1). If two plugins have the same priority their order in the default
	plugin list is preserved. Enabled plugins not found in that list are ordered
	alphabetically before other plugins with the same priority.

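The ordering rule for charon.load_modular, worked through in Python as an added example. This is not strongSwan's plugin loader: the default plugin list and the load values are constructed, and the assumptions that a higher integer loads earlier, that a plain "yes" means priority 1 and that "no" or "0" disables a plugin are made here.

```python
# Added example, not strongSwan's own code: reproduces the plugin ordering
# rule described for charon.load_modular. Assumes that a higher integer load
# value means the plugin is loaded earlier, that "yes" counts as priority 1
# and that "no"/"0" disables the plugin. All names and values are constructed.

# Constructed stand-in for the daemon's built-in default plugin list.
DEFAULT_PLUGIN_LIST = [
    "random", "nonce", "x509", "pem", "openssl",
    "kernel-netlink", "socket-default", "vici",
]

# Constructed charon.plugins.<name>.load values, keyed by plugin name.
LOAD_SETTINGS = {
    "random": "no",
    "nonce": "1",
    "x509": "yes",
    "pem": "yes",
    "openssl": "2",
    "kernel-netlink": "2",
    "socket-default": "yes",
    "vici": "yes",
    "my-custom-plugin": "yes",   # not in the default list, priority 1
    "another-plugin": "2",       # not in the default list, priority 2
}


def load_priority(value):
    """Map a load option value to a priority: None if the plugin is disabled,
    1 for a plain boolean 'yes', otherwise the integer given (assumed)."""
    v = value.strip().lower()
    if v in ("no", "false", "disabled", "0"):
        return None
    if v in ("yes", "true", "enabled"):
        return 1
    prio = int(v)
    return prio if prio > 0 else None


def order_plugins(load_settings, default_list):
    """Return the enabled plugin names in load order: highest priority first;
    within one priority, plugins unknown to the default list come first in
    alphabetical order, followed by the known ones in their default order."""
    priorities = {}
    for name, value in load_settings.items():
        prio = load_priority(value)
        if prio is not None:
            priorities[name] = prio
    position = {name: i for i, name in enumerate(default_list)}

    def sort_key(name):
        if name in position:
            return (-priorities[name], 1, position[name], "")
        return (-priorities[name], 0, 0, name)

    return sorted(priorities, key=sort_key)


if __name__ == "__main__":
    for i, plugin in enumerate(order_plugins(LOAD_SETTINGS, DEFAULT_PLUGIN_LIST), 1):
        print(f"{i:2d}. {plugin}")
```

Running the block prints the load order for the constructed settings: "random" is absent because its load value is no, and the two plugins unknown to the default list lead their respective priority groups.
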
charon.max_ikev1_exchanges = 3
	Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
	track concurrently.

charon.max_packet = 10000
	Maximum packet size accepted by charon.

charon.make_before_break = no
	Initiate IKEv2 reauthentication with a make-before-break scheme.

	Initiate IKEv2 reauthentication with a make-before-break instead of a
	break-before-make scheme. Make-before-break uses overlapping IKE and
	CHILD_SA during reauthentication by first recreating all new SAs before
	deleting the old ones. This behavior can be beneficial to avoid connectivity
	gaps during reauthentication, but requires support for overlapping SAs by
	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.

charon.multiple_authentication = yes
	Enable multiple authentication exchanges (RFC 4739).

charon.nbns1
	WINS servers assigned to peer via configuration payload (CP).

charon.nbns2
	WINS servers assigned to peer via configuration payload (CP).

charon.port = 500
	UDP port used locally. If set to 0 a random port will be allocated.

charon.port_nat_t = 4500
	UDP port used locally in case of NAT-T. If set to 0 a random port will be
	allocated. Has to be different from **charon.port**, otherwise a random
	port will be allocated.

charon.prefer_best_path = no
	Whether to prefer updating SAs to the path with the best route.

	By default, charon keeps SAs on the routing path with addresses it
	previously used if that path is still usable. By setting this option to
	yes, it tries more aggressively to update SAs with MOBIKE on routing
	priority changes using the cheapest path. This adds more noise, but allows
	SAs to adapt dynamically to routing priority changes. This option has no
	effect if MOBIKE is not supported or disabled.

charon.prefer_configured_proposals = yes
	Prefer locally configured proposals for IKE/IPsec over supplied ones as
	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
	notifies).

charon.prefer_temporary_addrs = no
	Controls whether permanent or temporary IPv6 addresses are used as source,
	or announced as additional addresses if MOBIKE is used.

	By default, permanent IPv6 source addresses are preferred over temporary
	ones (RFC 4941), to make connections more stable. Enable this option to
	reverse this.

	It also affects which IPv6 addresses are announced as additional addresses
	if MOBIKE is used. If the option is disabled, only permanent addresses are
	sent, and only temporary ones if it is enabled.

charon.process_route = yes
	Process RTM_NEWROUTE and RTM_DELROUTE events.

charon.processor.priority_threads {}
	Section to configure the number of reserved threads per priority class,
	see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).

charon.rdn_matching = strict
	How RDNs in subject DNs of certificates are matched against configured
	identities (_strict_, _reordered_, or _relaxed_).

	How RDNs in subject DNs of certificates are matched against configured
	identities. Possible values are _strict_ (the default), _reordered_, and
	_relaxed_. With _strict_ the number, type and order of all RDNs have to
	match; wildcards (*) for the values of RDNs are allowed (that's the case
	for all three variants). Using _reordered_ also matches DNs if the RDNs
	appear in a different order, the number and type still have to match.
	Finally, _relaxed_ also allows matches of DNs that contain more RDNs than
	the configured identity (missing RDNs are treated like a wildcard match).

	Note that _reordered_ and _relaxed_ impose a considerable overhead on memory
	usage and runtime, in particular, for mismatches, compared to _strict_.

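The three charon.rdn_matching modes, modelled in Python as an added example. This is not strongSwan's DN matcher: it assumes the simple "TYPE=value, TYPE=value" notation used here (no escaped commas), treats "*" as the value wildcard the description mentions, and the DNs it compares are constructed.

```python
# Added example, not strongSwan's own code: a model of the three
# charon.rdn_matching modes over textual DNs. Assumes the simple
# "TYPE=value, TYPE=value" notation used here and treats "*" as the
# value wildcard the description mentions; the sample DNs are constructed.


def parse_dn(dn):
    """Split 'C=CH, O=strongSwan, CN=peer' into an ordered list of (type, value)."""
    rdns = []
    for part in dn.split(","):
        rdn_type, sep, value = part.partition("=")
        if not sep or not rdn_type.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((rdn_type.strip(), value.strip()))
    return rdns


def rdn_matches(configured, actual):
    """A configured RDN matches if the type is equal and the value is equal
    or the configured value is the wildcard '*'."""
    return configured[0] == actual[0] and configured[1] in ("*", actual[1])


def _match_unordered(configured, subject, allow_extra):
    """Match every configured RDN against a distinct subject RDN regardless of
    order. Exact values are matched before wildcards so that a wildcard cannot
    consume an RDN that an exact configured RDN still needs."""
    remaining = list(subject)
    ordered = sorted(configured, key=lambda rdn: rdn[1] == "*")
    for cfg in ordered:
        for i, subj in enumerate(remaining):
            if rdn_matches(cfg, subj):
                del remaining[i]
                break
        else:
            return False
    return allow_extra or not remaining


def dn_matches(configured_dn, subject_dn, mode="strict"):
    """Compare a configured identity DN with a certificate subject DN using
    the strict, reordered or relaxed semantics described above."""
    configured = parse_dn(configured_dn)
    subject = parse_dn(subject_dn)
    if mode == "strict":
        # same number, type and order of RDNs; values may be wildcards
        return len(configured) == len(subject) and all(
            rdn_matches(c, s) for c, s in zip(configured, subject))
    if mode == "reordered":
        # same number and types, any order
        return len(configured) == len(subject) and _match_unordered(
            configured, subject, allow_extra=False)
    if mode == "relaxed":
        # subject may carry additional RDNs; missing ones match like wildcards
        return _match_unordered(configured, subject, allow_extra=True)
    raise ValueError(f"unknown rdn_matching mode: {mode!r}")


if __name__ == "__main__":
    configured = "C=CH, O=strongSwan, CN=peer"
    for subject in ("C=CH, O=strongSwan, CN=peer",
                    "O=strongSwan, C=CH, CN=peer",
                    "C=CH, O=strongSwan, OU=Lab, CN=peer"):
        print(subject, {m: dn_matches(configured, subject, m)
                        for m in ("strict", "reordered", "relaxed")})
```

The matcher shows why relaxed is the permissive end of the scale: a subject with an extra OU still matches, so an identity configured with few RDNs accepts every certificate that carries those RDNs anywhere in its DN.
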
charon.receive_delay = 0
	Delay in ms for receiving packets, to simulate larger RTT.

charon.receive_delay_response = yes
	Delay response messages.

charon.receive_delay_request = yes
	Delay request messages.

charon.receive_delay_type = 0
	Specific IKEv2 message type to delay, 0 for any.

charon.replay_window = 32
	Size of the AH/ESP replay window, in packets.

charon.retransmit_base = 1.8
	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
	in **strongswan.conf**(5).

charon.retransmit_timeout = 4.0
	Timeout in seconds before sending first retransmit.

charon.retransmit_tries = 5
	Number of times to retransmit a packet before giving up.

charon.retransmit_jitter = 0
	Maximum jitter in percent to apply randomly to calculated retransmission
	timeout (0 to disable).

charon.retransmit_limit = 0
	Upper limit in seconds for calculated retransmission timeout (0 to disable).

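How the charon.retransmit_* options combine into a retransmission schedule, as an added Python example (not strongSwan code). The back-off formula, retransmit_timeout * retransmit_base ^ n for the n-th timeout, is the one documented under IKEv2 RETRANSMISSION in **strongswan.conf**(5); that the limit is applied before the jitter and that the jitter only ever shortens a timeout are assumptions made here.

```python
# Added example, not strongSwan's own code: computes the IKEv2 retransmission
# schedule the charon.retransmit_* options control. The formula
# retransmit_timeout * retransmit_base ** n for the n-th timeout is the one
# documented under IKEv2 RETRANSMISSION in strongswan.conf(5); applying the
# limit before the jitter and letting the jitter only shorten a timeout are
# assumptions made here.
import random


def retransmit_schedule(retransmit_timeout=4.0, retransmit_base=1.8,
                        retransmit_tries=5, retransmit_limit=0,
                        retransmit_jitter=0, rng=None):
    """Return the relative timeouts in seconds: one before each of the
    retransmit_tries retransmissions and a final one before giving up."""
    rng = rng or random.Random()
    timeouts = []
    for n in range(retransmit_tries + 1):
        timeout = retransmit_timeout * retransmit_base ** n
        if retransmit_limit:
            timeout = min(timeout, float(retransmit_limit))
        if retransmit_jitter:
            # shorten by a random share of at most retransmit_jitter percent (assumed)
            timeout -= timeout * retransmit_jitter / 100 * rng.random()
        timeouts.append(timeout)
    return timeouts


def time_until_give_up(**options):
    """Total seconds an exchange stays alive towards a peer that never answers."""
    return sum(retransmit_schedule(**options))


if __name__ == "__main__":
    print("defaults:", [round(t, 2) for t in retransmit_schedule()],
          "total", round(time_until_give_up(), 1))
    print("limit 20s:", [round(t, 2) for t in retransmit_schedule(retransmit_limit=20)],
          "total", round(time_until_give_up(retransmit_limit=20), 1))
    print("jitter 20%:", [round(t, 2) for t in
                          retransmit_schedule(retransmit_jitter=20, rng=random.Random(1))])
```

With the defaults the six waits add up to roughly 165 seconds before the IKE_SA is given up on; retransmit_limit caps the late, long waits, which is what bounds that total, and retransmit_jitter spreads the retransmits of many peers that lost connectivity at the same moment.
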
charon.retry_initiate_interval = 0
	Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
	resolution failed), 0 to disable retries.

charon.reuse_ikesa = yes
	Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).

charon.routing_table
	Numerical routing table to install routes to.

charon.routing_table_prio
	Priority of the routing table.

charon.rsa_pss = no
	Whether to use RSA with PSS padding instead of PKCS#1 padding by default.

charon.send_delay = 0
	Delay in ms for sending packets, to simulate larger RTT.

charon.send_delay_response = yes
	Delay response messages.

charon.send_delay_request = yes
	Delay request messages.

charon.send_delay_type = 0
	Specific IKEv2 message type to delay, 0 for any.

charon.send_vendor_id = no
	Send strongSwan vendor ID payload.

charon.signature_authentication = yes
	Whether to enable Signature Authentication as per RFC 7427.

charon.signature_authentication_constraints = yes
	Whether to enable constraints against IKEv2 signature schemes.

	If enabled, signature schemes configured in _rightauth_, in addition to
	getting used as constraints against signature schemes employed in the
	certificate chain, are also used as constraints against the signature scheme
	used by peers during IKEv2.

charon.spi_label = 0x0000000000000000
	Value mixed into the local IKE SPIs after applying _spi_mask_.

charon.spi_mask = 0x0000000000000000
	Mask applied to local IKE SPIs before mixing in _spi_label_ (bits set will
	be replaced with _spi_label_).

charon.spi_min = 0xc0000000
	The lower limit for SPIs requested from the kernel for IPsec SAs.

	The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
	be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
	by IANA.

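A configuration audit covering the settings this section flags as risky (charon.accept_unencrypted_mainmode_messages, charon.i_dont_care_about_security_and_use_aggressive_mode_psk, charon.dos_protection, charon.accept_private_algs and charon.spi_min), as an added Python example that is not part of strongSwan. The reader handles only the "section { key = value }" layout with "#" comments (an assumption; the real strongswan.conf parser supports more), and SAMPLE_CONF is a constructed, deliberately weakened input.

```python
# Added example, not strongSwan's own code: a small strongswan.conf reader plus
# an audit that flags the charon settings this section marks as risky. The
# parser handles the 'section { key = value }' layout and '#' comments only
# (an assumption; the real parser supports more); SAMPLE_CONF is constructed.

SAMPLE_CONF = """\
# constructed sample, deliberately weakened
charon {
    accept_unencrypted_mainmode_messages = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    dos_protection = no
    cookie_threshold = 10
    block_threshold = 5
    accept_private_algs = no
    spi_min = 0x00000010
    crypto_test {
        on_add = yes
    }
}
"""


def parse_conf(text):
    """Flatten strongswan.conf-style text into {'charon.dos_protection': 'no', ...}."""
    settings, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError(f"unclosed section(s): {stack}")
    return settings


def as_bool(value):
    """Truth values accepted by strongSwan's settings parser."""
    return value.strip().lower() in ("1", "yes", "true", "enabled")


def audit(settings):
    """Return sorted (option, reason) pairs for explicitly set values that
    weaken the documented defaults of the options covered here."""
    findings = []

    def enabled(option):
        return option in settings and as_bool(settings[option])

    if enabled("charon.accept_unencrypted_mainmode_messages"):
        findings.append(("charon.accept_unencrypted_mainmode_messages",
                         "unencrypted Main Mode ID/HASH: identity is sniffable and "
                         "the PSK can be brute-forced offline from the HASH payload"))
    if enabled("charon.i_dont_care_about_security_and_use_aggressive_mode_psk"):
        findings.append(("charon.i_dont_care_about_security_and_use_aggressive_mode_psk",
                         "Aggressive Mode with PSK exposes the PSK hash to offline attacks"))
    if "charon.dos_protection" in settings and not as_bool(settings["charon.dos_protection"]):
        findings.append(("charon.dos_protection",
                         "cookie mechanism and half-open IKE_SA limits are disabled"))
    if enabled("charon.accept_private_algs"):
        findings.append(("charon.accept_private_algs",
                         "private algorithm identifiers accepted from unknown peers"))
    if "charon.spi_min" in settings and int(settings["charon.spi_min"], 0) < 0x100:
        findings.append(("charon.spi_min",
                         "below 0x00000100; SPIs 1-255 are reserved by IANA"))
    return sorted(findings)


if __name__ == "__main__":
    for option, reason in audit(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {reason}")
```

The corrected form of the sample is simply to drop the four flagged lines, since every one of the documented defaults (no, no, yes, 0xc0000000) is the safe value; the audit only reports explicitly set options, so an untouched strongswan.conf yields no findings.
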
charon.spi_max = 0xcfffffff
	The upper limit for SPIs requested from the kernel for IPsec SAs.

charon.start-scripts {}
	Section containing a list of scripts (name = path) that are executed when
	the daemon is started.

charon.stop-scripts {}
	Section containing a list of scripts (name = path) that are executed when
	the daemon is terminated.

charon.threads = 16
	Number of worker threads in charon.

	Number of worker threads in charon. Several of these are reserved for long
	running tasks in internal modules and plugins. Therefore, make sure you
	don't set this value too low. The number of idle worker threads listed in
	_ipsec statusall_ might be used as an indicator of the number of reserved
	threads.

charon.tls.cipher
	List of TLS encryption ciphers.

charon.tls.key_exchange
	List of TLS key exchange methods.

charon.tls.mac
	List of TLS MAC algorithms.

charon.tls.suites
	List of TLS cipher suites.

charon.user
	Name of the user the daemon changes to after startup.

charon.x509.enforce_critical = yes
	Discard certificates with unsupported or unknown critical extensions.