--- embedaddon/strongswan/conf/strongswan.conf.5.main 2020/06/03 09:46:43 1.1.1.1 +++ embedaddon/strongswan/conf/strongswan.conf.5.main 2021/03/17 00:20:08 1.1.1.2 @@ -69,6 +69,26 @@ Authority (CA) to Whether relations in validated certificate chains should be cached in memory. .TP +.BR charon.check_current_path " [no]" +By default, after detecting any changes to interfaces and/or addresses no action +is taken if the current path to the remote peer still looks usable. Enabling +this option will use DPD to check if the path actually still works, or, for +instance, the peer removed the state after a longer phase without connectivity. +It will also trigger a MOBIKE update if NAT mappings were removed during the +downtime. + +.TP +.BR charon.cisco_flexvpn " [no]" +Send the Cisco FlexVPN vendor ID payload, which is required in order to make +Cisco brand devices allow negotiating a local traffic selector (from +strongSwan's point of view) that is not the assigned virtual IP address if such +an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID +prevents the peer from narrowing the initiator's local traffic selector and +allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has +been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work +for GRE encapsulation. + +.TP .BR charon.cisco_unity " [no]" Send Cisco Unity vendor ID payload (IKEv1 only). @@ -149,10 +169,6 @@ DNS server assigned to peer via configuration payload Enable Denial of Service protection using cookies and aggressiveness checks. .TP -.BR charon.ecp_x_coordinate_only " [yes]" -Compliance with the errata for RFC 4753. - -.TP .B charon.filelog .br Section to define file loggers, see LOGGER CONFIGURATION in 
@@ -190,6 +206,10 @@ Prefix each log entry with the connection name and a u for each IKE_SA. .TP +.BR charon.filelog..log_level " [no]" +Add the log level of each message after the subsystem (e.g. [IKE2]). + +.TP .BR charon.filelog..path " []" Optional path to the log file. Overrides the section name. Must be used if the path contains characters that aren't allowed in section names. @@ -219,6 +239,11 @@ conflict with plugins that later need access to e.g. t Whether to follow IKEv2 redirects (RFC 5685). .TP +.BR charon.force_eap_only_authentication " [no]" +Violate RFC 5998 and use EAP\-only authentication even if the peer did not send +an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. + +.TP .BR charon.fragment_size " [1280]" Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280 @@ -362,6 +387,12 @@ other interfaces are ignored. NAT keep alive interval. .TP +.BR charon.keep_alive_dpd_margin " [0s]" +Number of seconds the keep alive interval may be exceeded before a DPD is sent +instead of a NAT keep alive (0 to disable). This is only useful if a clock is +used that includes time spent suspended (e.g. CLOCK_BOOTTIME). + +.TP .BR charon.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output. @@ -479,6 +510,12 @@ Enable logging of SQL IP pool leases. Use the enhanced BLISS\-B key generation and signature algorithm. .TP +.BR charon.plugins.botan.internal_rng_only " [no]" +If enabled, only Botan's internal RNG will be used throughout the plugin. +Otherwise, and if supported by Botan, rng_t implementations provided by other +loaded plugins will be used as RNG. + +.TP .BR charon.plugins.bypass-lan.interfaces_ignore " []" A comma\-separated list of network interfaces for which connected subnets should be ignored, if 
@@ -1316,7 +1353,7 @@ IKE proposal to use in load test. .TP .BR charon.plugins.load-tester.request_virtual_ip " [no]" -Request an INTERNAL_IPV4_ADDR from the server. +Request an INTERNAL_IPV4_ADDR and INTERNAL_IPV6_ADDR from the server. .TP .BR charon.plugins.load-tester.responder " [127.0.0.1]" @@ -2032,6 +2069,10 @@ Prefix each log entry with the connection name and a u for each IKE_SA. .TP +.BR charon.syslog..log_level " [no]" +Add the log level of each message after the subsystem (e.g. [IKE2]). + +.TP .BR charon.syslog.identifier " []" Global identifier used for an .RB "" "openlog" "(3)" @@ -2054,6 +2095,10 @@ might be used as indicator on the number of reserved t List of TLS encryption ciphers. .TP +.BR charon.tls.ke_group " []" +List of TLS key exchange groups. + +.TP .BR charon.tls.key_exchange " []" List of TLS key exchange methods. @@ -2062,10 +2107,27 @@ List of TLS key exchange methods. List of TLS MAC algorithms. .TP +.BR charon.tls.send_certreq_authorities " [yes]" +Whether to include CAs in a server's CertificateRequest message. May be disabled +if clients can't handle a long list of CAs. + +.TP +.BR charon.tls.signature " []" +List of TLS signature schemes. + +.TP .BR charon.tls.suites " []" List of TLS cipher suites. .TP +.BR charon.tls.version_max " [1.2]" +Maximum TLS version to negotiate. + +.TP +.BR charon.tls.version_min " [1.2]" +Minimum TLS version to negotiate. + +.TP .BR charon.tnc.tnc_config " [/etc/tnc_config]" TNC IMC/IMV configuration file. @@ -2145,6 +2207,10 @@ AIK object handle. AIK public key file. .TP +.BR libimcv.plugins.imc-attestation.hash_algorithm " [sha384]" +Preferred measurement hash algorithm. + +.TP .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]" Enforce mandatory Diffie\-Hellman groups. 
@@ -2181,6 +2247,10 @@ Dummy measurement value extended into PCR17 if the TBO Whether to send pcr_before and pcr_after info. .TP +.BR libimcv.plugins.imc-attestation.pcr_padding " [no]" +Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR bank. + +.TP .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]" Use Quote2 AIK signature instead of Quote signature. @@ -2370,7 +2440,7 @@ Path to directory with AIK cacerts. Preferred Diffie\-Hellman group. .TP -.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]" +.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha384]" Preferred measurement hash algorithm. .TP
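Review bot: in the @@ -69 hunk, the new charon.cisco_flexvpn entry does not say which IKE version it applies to, while the neighbouring charon.cisco_unity entry is explicit with "(IKEv1 only)"; suggest adding the equivalent scope note so an administrator knows when the vendor ID is actually sent. In the same hunk the charon.check_current_path sentence "Enabling this option will use DPD to check if the path actually still works, or, for instance, the peer removed the state after a longer phase without connectivity" is ungrammatical; suggest "...to check whether the path actually still works or whether, for instance, the peer removed the state after a longer period without connectivity."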
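Review bot: the @@ -149 hunk removes the documented option charon.ecp_x_coordinate_only (default [yes], "Compliance with the errata for RFC 4753") without any note on what happens to existing strongswan.conf files that still set it. Suggest either a short deprecation line in this man page or a NEWS entry stating that the setting is now ignored and that the errata behaviour is unconditional, so that a leftover "ecp_x_coordinate_only = no" is not silently treated as a no-op by surprise.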
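Review bot: in the @@ -190 hunk, the example for charon.filelog..log_level, "after the subsystem (e.g. [IKE2])", is easy to misread as "IKEv2"; suggest spelling out that the trailing digit is the level, e.g. "(e.g. [IKE2] for an IKE message logged at level 2)".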
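Review bot: the @@ -219 hunk documents charon.force_eap_only_authentication only as "Violate RFC 5998" without telling the administrator what the security consequence is. With EAP-only authentication the responder is not authenticated by a certificate, so RFC 5998 limits it to EAP methods that provide mutual authentication and key establishment; suggest adding one sentence saying that this option is safe only with such methods and that forcing it against a peer that did not send EAP_ONLY_AUTHENTICATION may make the peer reject the exchange.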
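Review bot: in the @@ -362 hunk, charon.keep_alive_dpd_margin says it "is only useful if a clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME)" but does not say how that clock is selected (build-time option, runtime setting, or platform default); suggest naming where that choice is made, otherwise the reader cannot tell whether the option will have any effect on their system.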
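Review bot: in the @@ -2032 hunk, the charon.syslog..log_level example "(e.g. [IKE2])" has the same ambiguity as the filelog entry, the "2" reads as an IKE version rather than a level; suggest the same clarification, "[IKE2] for an IKE message logged at level 2".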
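Review bot: in the @@ -2054 hunk, "List of TLS key exchange groups" for charon.tls.ke_group sits directly next to charon.tls.key_exchange, "List of TLS key exchange methods", and the one-word difference does not explain how the two lists relate; suggest stating what a group is here (the DH or ECDH group used by the key exchange) and, as for the other list options, what value names and separator are accepted.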
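Review bot: in the @@ -2062 hunk, charon.tls.version_max and charon.tls.version_min both default to [1.2] but neither entry lists the accepted values, so the reader cannot tell whether 1.3 can be negotiated or whether lowering version_min re-enables 1.0 and 1.1; suggest enumerating the supported versions on both lines. For charon.tls.send_certreq_authorities it would help to add that with the option disabled clients receive no CA list and must pick a certificate on their own.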
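Review bot: in the @@ -2181 hunk, "Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR bank" has a typo and a missing article; suggest "Whether to pad IMA SHA1 measurement values when extending them into the SHA256 PCR bank."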
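Review bot: the @@ -2370 hunk changes the default of libimcv.plugins.imv-attestation.hash_algorithm from [sha256] to [sha384], which matches the [sha384] default of the new imc-attestation entry in the @@ -2145 hunk but is a behaviour change for existing deployments whose IMC side still negotiates sha256; suggest a NEWS entry and a note in the man page that both ends need a common preferred algorithm.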