Side-by-side diff of a roff manual page (strongSwan charon/libimcv configuration options): version 1.1, 2020/06/03 09:46:43 against version 1.1.1.2, 2021/03/17 00:20:08.

Rendered below as a line diff: lines prefixed "+" exist only in 1.1.1.2, lines prefixed "-" only in 1.1, unprefixed lines are unchanged context. "Line N" markers give the position of the following context line in each version; the context fragments are truncated as on the original page.
Line 69 (1.1) / Line 69 (1.1.1.2): Authority (CA) to
 Whether relations in validated certificate chains should be cached in memory.
 
 .TP
+.BR charon.check_current_path " [no]"
+By default, after detecting any changes to interfaces and/or addresses no action
+is taken if the current path to the remote peer still looks usable. Enabling
+this option will use DPD to check if the path actually still works, or, for
+instance, the peer removed the state after a longer phase without connectivity.
+It will also trigger a MOBIKE update if NAT mappings were removed during the
+downtime.
+
+.TP
+.BR charon.cisco_flexvpn " [no]"
+Send the Cisco FlexVPN vendor ID payload, which is required in order to make
+Cisco brand devices allow negotiating a local traffic selector (from
+strongSwan's point of view) that is not the assigned virtual IP address if such
+an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID
+prevents the peer from narrowing the initiator's local traffic selector and
+allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has
+been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work
+for GRE encapsulation.
+
+.TP
 .BR charon.cisco_unity " [no]"
 Send Cisco Unity vendor ID payload (IKEv1 only).
 
Line 149 (1.1) / Line 169 (1.1.1.2): DNS server assigned to peer via configuration payload
 Enable Denial of Service protection using cookies and aggressiveness checks.
 
 .TP
-.BR charon.ecp_x_coordinate_only " [yes]"
-Compliance with the errata for RFC 4753.
-
-.TP
 .B charon.filelog
 .br
 Section to define file loggers, see LOGGER CONFIGURATION in
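Review bot: this hunk drops the charon.ecp_x_coordinate_only entry (default [yes], "Compliance with the errata for RFC 4753") from the manual without a replacement entry or a note; an administrator who still carries that key in a configuration file gets no hint from the documented options that it is no longer listed, so a one-line remark where the entry used to be, or in the introduction of the charon section, would close that gap.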
Line 190 (1.1) / Line 206 (1.1.1.2): Prefix each log entry with the connection name and a u
 for each IKE_SA.
 
 .TP
+.BR charon.filelog.<name>.log_level " [no]"
+Add the log level of each message after the subsystem (e.g. [IKE2]).
+
+.TP
 .BR charon.filelog.<name>.path " []"
 Optional path to the log file. Overrides the section name. Must be used if the
 path contains characters that aren't allowed in section names.
Line 219 (1.1) / Line 239 (1.1.1.2): conflict with plugins that later need access to e.g. t
 Whether to follow IKEv2 redirects (RFC 5685).
 
 .TP
+.BR charon.force_eap_only_authentication " [no]"
+Violate RFC 5998 and use EAP\-only authentication even if the peer did not send
+an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
+
+.TP
 .BR charon.fragment_size " [1280]"
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
 using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
Line 362 (1.1) / Line 387 (1.1.1.2): other interfaces are ignored.
 NAT keep alive interval.
 
 .TP
+.BR charon.keep_alive_dpd_margin " [0s]"
+Number of seconds the keep alive interval may be exceeded before a DPD is sent
+instead of a NAT keep alive (0 to disable). This is only useful if a clock is
+used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
+
+.TP
 .BR charon.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output.
 
Line 479 (1.1) / Line 510 (1.1.1.2): Enable logging of SQL IP pool leases.
 Use the enhanced BLISS\-B key generation and signature algorithm.
 
 .TP
+.BR charon.plugins.botan.internal_rng_only " [no]"
+If enabled, only Botan's internal RNG will be used throughout the plugin.
+Otherwise, and if supported by Botan, rng_t implementations provided by other
+loaded plugins will be used as RNG.
+
+.TP
 .BR charon.plugins.bypass-lan.interfaces_ignore " []"
 A comma\-separated list of network interfaces for which connected subnets should
 be ignored, if
Line 1316 (1.1) / Line 1353 (1.1.1.2): IKE proposal to use in load test.
 
 .TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
-Request an INTERNAL_IPV4_ADDR from the server.
+Request an INTERNAL_IPV4_ADDR and INTERNAL_IPV6_ADDR from the server.
 
 .TP
 .BR charon.plugins.load-tester.responder " [127.0.0.1]"
Line 2032 (1.1) / Line 2069 (1.1.1.2): Prefix each log entry with the connection name and a u
 for each IKE_SA.
 
 .TP
+.BR charon.syslog.<facility>.log_level " [no]"
+Add the log level of each message after the subsystem (e.g. [IKE2]).
+
+.TP
 .BR charon.syslog.identifier " []"
 Global identifier used for an
 .RB "" "openlog" "(3)"
Line 2054 (1.1) / Line 2095 (1.1.1.2): might be used as indicator on the number of reserved t
 List of TLS encryption ciphers.
 
 .TP
+.BR charon.tls.ke_group " []"
+List of TLS key exchange groups.
+
+.TP
 .BR charon.tls.key_exchange " []"
 List of TLS key exchange methods.
 
Line 2062 (1.1) / Line 2107 (1.1.1.2): List of TLS key exchange methods.
 List of TLS MAC algorithms.
 
 .TP
+.BR charon.tls.send_certreq_authorities " [yes]"
+Whether to include CAs in a server's CertificateRequest message. May be disabled
+if clients can't handle a long list of CAs.
+
+.TP
+.BR charon.tls.signature " []"
+List of TLS signature schemes.
+
+.TP
 .BR charon.tls.suites " []"
 List of TLS cipher suites.
 
 .TP
+.BR charon.tls.version_max " [1.2]"
+Maximum TLS version to negotiate.
+
+.TP
+.BR charon.tls.version_min " [1.2]"
+Minimum TLS version to negotiate.
+
+.TP
 .BR charon.tnc.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration file.
 
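Review bot: the added charon.tls.signature entry documents a default of [] with only "List of TLS signature schemes", so the reader cannot tell whether an empty list means every supported scheme or how list entries are spelled; the same holds for the tls.ke_group entry in the previous hunk. Likewise charon.tls.version_min and charon.tls.version_max both default to 1.2, which means the documented defaults negotiate exactly TLS 1.2, but neither entry says which other version values are accepted. One sentence on the value format in each of these entries would make the new options usable from the manual alone.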
Line 2145 (1.1) / Line 2207 (1.1.1.2): AIK object handle.
 AIK public key file.
 
 .TP
+.BR libimcv.plugins.imc-attestation.hash_algorithm " [sha384]"
+Preferred measurement hash algorithm.
+
+.TP
 .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
 Enforce mandatory Diffie\-Hellman groups.
 
Line 2181 (1.1) / Line 2247 (1.1.1.2): Dummy measurement value extended into PCR17 if the TBO
 Whether to send pcr_before and pcr_after info.
 
 .TP
+.BR libimcv.plugins.imc-attestation.pcr_padding " [no]"
+Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR bank.
+
+.TP
 .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
 Use Quote2 AIK signature instead of Quote signature.
 
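Review bot: typo in the added libimcv.plugins.imc-attestation.pcr_padding description: "IMA SHA1 measurements values" should read "IMA SHA1 measurement values".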
Line 2370 (1.1) / Line 2440 (1.1.1.2): Path to directory with AIK cacerts.
 Preferred Diffie\-Hellman group.
 
 .TP
-.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha384]"
 Preferred measurement hash algorithm.
 
 .TP