Diff for /embedaddon/strongswan/conf/strongswan.conf.5.main between versions 1.1 and 1.1.1.2

version 1.1, 2020/06/03 09:46:43 version 1.1.1.2, 2021/03/17 00:20:08
Line 69  Authority (CA) to Line 69  Authority (CA) to
 Whether relations in validated certificate chains should be cached in memory.  Whether relations in validated certificate chains should be cached in memory.
   
 .TP  .TP
   .BR charon.check_current_path " [no]"
   By default, after detecting any changes to interfaces and/or addresses no action
   is taken if the current path to the remote peer still looks usable. Enabling
   this option will use DPD to check if the path actually still works, or, for
   instance, the peer removed the state after a longer phase without connectivity.
   It will also trigger a MOBIKE update if NAT mappings were removed during the
   downtime.
   
   .TP
   .BR charon.cisco_flexvpn " [no]"
   Send the Cisco FlexVPN vendor ID payload, which is required in order to make
   Cisco brand devices allow negotiating a local traffic selector (from
   strongSwan's point of view) that is not the assigned virtual IP address if such
   an address is requested by    strongSwan.  Sending the Cisco FlexVPN vendor ID
   prevents the peer from narrowing the initiator's local traffic selector and
   allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead.  This has
   been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work
   for GRE encapsulation.
   
   .TP
 .BR charon.cisco_unity " [no]"  .BR charon.cisco_unity " [no]"
 Send Cisco Unity vendor ID payload (IKEv1 only).  Send Cisco Unity vendor ID payload (IKEv1 only).
   
Line 149  DNS server assigned to peer via configuration payload  Line 169  DNS server assigned to peer via configuration payload 
 Enable Denial of Service protection using cookies and aggressiveness checks.  Enable Denial of Service protection using cookies and aggressiveness checks.
   
 .TP  .TP
 .BR charon.ecp_x_coordinate_only " [yes]"  
 Compliance with the errata for RFC 4753.  
   
 .TP  
 .B charon.filelog  .B charon.filelog
 .br  .br
 Section to define file loggers, see LOGGER CONFIGURATION in  Section to define file loggers, see LOGGER CONFIGURATION in
Line 190  Prefix each log entry with the connection name and a u Line 206  Prefix each log entry with the connection name and a u
 for each IKE_SA.  for each IKE_SA.
   
 .TP  .TP
   .BR charon.filelog.<name>.log_level " [no]"
   Add the log level of each message after the subsystem (e.g. [IKE2]).
   
   .TP
 .BR charon.filelog.<name>.path " []"  .BR charon.filelog.<name>.path " []"
 Optional path to the log file. Overrides the section name. Must be used if the  Optional path to the log file. Overrides the section name. Must be used if the
 path contains characters that aren't allowed in section names.  path contains characters that aren't allowed in section names.
Line 219  conflict with plugins that later need access to e.g. t Line 239  conflict with plugins that later need access to e.g. t
 Whether to follow IKEv2 redirects (RFC 5685).  Whether to follow IKEv2 redirects (RFC 5685).
   
 .TP  .TP
   .BR charon.force_eap_only_authentication " [no]"
   Violate RFC 5998 and use EAP\-only authentication even if the peer did not send
   an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
   
   .TP
 .BR charon.fragment_size " [1280]"  .BR charon.fragment_size " [1280]"
 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when  Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
 using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280  using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
Line 362  other interfaces are ignored. Line 387  other interfaces are ignored.
 NAT keep alive interval.  NAT keep alive interval.
   
 .TP  .TP
   .BR charon.keep_alive_dpd_margin " [0s]"
   Number of seconds the keep alive interval may be exceeded before a DPD is sent
   instead of a NAT keep alive (0 to disable).  This is only useful if a clock is
   used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
   
   .TP
 .BR charon.leak_detective.detailed " [yes]"  .BR charon.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output.  Includes source file names and line numbers in leak detective output.
   
Line 479  Enable logging of SQL IP pool leases. Line 510  Enable logging of SQL IP pool leases.
 Use the enhanced BLISS\-B key generation and signature algorithm.  Use the enhanced BLISS\-B key generation and signature algorithm.
   
 .TP  .TP
   .BR charon.plugins.botan.internal_rng_only " [no]"
   If enabled, only Botan's internal RNG will be used throughout the plugin.
   Otherwise, and if supported by Botan, rng_t implementations provided by other
   loaded plugins will be used as RNG.
   
   .TP
 .BR charon.plugins.bypass-lan.interfaces_ignore " []"  .BR charon.plugins.bypass-lan.interfaces_ignore " []"
 A comma\-separated list of network interfaces for which connected subnets should  A comma\-separated list of network interfaces for which connected subnets should
 be ignored, if  be ignored, if
Line 1316  IKE proposal to use in load test. Line 1353  IKE proposal to use in load test.
   
 .TP  .TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"  .BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server.Request an INTERNAL_IPV4_ADDR and INTERNAL_IPV6_ADDR from the server.
   
 .TP  .TP
 .BR charon.plugins.load-tester.responder " [127.0.0.1]"  .BR charon.plugins.load-tester.responder " [127.0.0.1]"
Line 2032  Prefix each log entry with the connection name and a u Line 2069  Prefix each log entry with the connection name and a u
 for each IKE_SA.  for each IKE_SA.
   
 .TP  .TP
   .BR charon.syslog.<facility>.log_level " [no]"
   Add the log level of each message after the subsystem (e.g. [IKE2]).
   
   .TP
 .BR charon.syslog.identifier " []"  .BR charon.syslog.identifier " []"
 Global identifier used for an  Global identifier used for an
 .RB "" "openlog" "(3)"  .RB "" "openlog" "(3)"
Line 2054  might be used as indicator on the number of reserved t Line 2095  might be used as indicator on the number of reserved t
 List of TLS encryption ciphers.  List of TLS encryption ciphers.
   
 .TP  .TP
   .BR charon.tls.ke_group " []"
   List of TLS key exchange groups.
   
   .TP
 .BR charon.tls.key_exchange " []"  .BR charon.tls.key_exchange " []"
 List of TLS key exchange methods.  List of TLS key exchange methods.
   
Line 2062  List of TLS key exchange methods. Line 2107  List of TLS key exchange methods.
 List of TLS MAC algorithms.  List of TLS MAC algorithms.
   
 .TP  .TP
   .BR charon.tls.send_certreq_authorities " [yes]"
   Whether to include CAs in a server's CertificateRequest message. May be disabled
   if clients can't handle a long list of CAs.
   
   .TP
   .BR charon.tls.signature " []"
   List of TLS signature schemes.
   
   .TP
 .BR charon.tls.suites " []"  .BR charon.tls.suites " []"
 List of TLS cipher suites.  List of TLS cipher suites.
   
 .TP  .TP
   .BR charon.tls.version_max " [1.2]"
   Maximum TLS version to negotiate.
   
   .TP
   .BR charon.tls.version_min " [1.2]"
   Minimum TLS version to negotiate.
   
   .TP
 .BR charon.tnc.tnc_config " [/etc/tnc_config]"  .BR charon.tnc.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration file.  TNC IMC/IMV configuration file.
   
Line 2145  AIK object handle. Line 2207  AIK object handle.
 AIK public key file.  AIK public key file.
   
 .TP  .TP
   .BR libimcv.plugins.imc-attestation.hash_algorithm " [sha384]"
   Preferred measurement hash algorithm.
   
   .TP
 .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"  .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
 Enforce mandatory Diffie\-Hellman groups.  Enforce mandatory Diffie\-Hellman groups.
   
Line 2181  Dummy measurement value extended into PCR17 if the TBO Line 2247  Dummy measurement value extended into PCR17 if the TBO
 Whether to send pcr_before and pcr_after info.  Whether to send pcr_before and pcr_after info.
   
 .TP  .TP
   .BR libimcv.plugins.imc-attestation.pcr_padding " [no]"
   Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR bank.
   
   .TP
 .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"  .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
 Use Quote2 AIK signature instead of Quote signature.  Use Quote2 AIK signature instead of Quote signature.
   
Line 2370  Path to directory with AIK cacerts. Line 2440  Path to directory with AIK cacerts.
 Preferred Diffie\-Hellman group.  Preferred Diffie\-Hellman group.
   
 .TP  .TP
.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]".BR libimcv.plugins.imv-attestation.hash_algorithm " [sha384]"
 Preferred measurement hash algorithm.  Preferred measurement hash algorithm.
   
 .TP  .TP

Removed from v.1.1  
changed lines
  Added in v.1.1.1.2


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>