version 1.1.1.1, 2020/06/03 09:46:43
|
version 1.1.1.2, 2021/03/17 00:20:08
|
Line 69 Authority (CA) to
|
Line 69 Authority (CA) to
|
Whether relations in validated certificate chains should be cached in memory. |
Whether relations in validated certificate chains should be cached in memory. |
|
|
.TP |
.TP |
|
.BR charon.check_current_path " [no]" |
|
By default, after detecting any changes to interfaces and/or addresses no action |
|
is taken if the current path to the remote peer still looks usable. Enabling |
|
this option will use DPD to check if the path actually still works, or, for |
|
instance, the peer removed the state after a longer phase without connectivity. |
|
It will also trigger a MOBIKE update if NAT mappings were removed during the |
|
downtime. |
|
|
|
.TP |
|
.BR charon.cisco_flexvpn " [no]" |
|
Send the Cisco FlexVPN vendor ID payload, which is required in order to make |
|
Cisco brand devices allow negotiating a local traffic selector (from |
|
strongSwan's point of view) that is not the assigned virtual IP address if such |
|
an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID |
|
prevents the peer from narrowing the initiator's local traffic selector and |
|
allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has |
|
been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work |
|
for GRE encapsulation. |
|
|
|
.TP |
.BR charon.cisco_unity " [no]" |
.BR charon.cisco_unity " [no]" |
Send Cisco Unity vendor ID payload (IKEv1 only). |
Send Cisco Unity vendor ID payload (IKEv1 only). |
|
|
Line 149 DNS server assigned to peer via configuration payload
|
Line 169 DNS server assigned to peer via configuration payload
|
Enable Denial of Service protection using cookies and aggressiveness checks. |
Enable Denial of Service protection using cookies and aggressiveness checks. |
|
|
.TP |
.TP |
.BR charon.ecp_x_coordinate_only " [yes]" |
|
Compliance with the errata for RFC 4753. |
|
|
|
.TP |
|
.B charon.filelog |
.B charon.filelog |
.br |
.br |
Section to define file loggers, see LOGGER CONFIGURATION in |
Section to define file loggers, see LOGGER CONFIGURATION in |
Line 190 Prefix each log entry with the connection name and a u
|
Line 206 Prefix each log entry with the connection name and a u
|
for each IKE_SA. |
for each IKE_SA. |
|
|
.TP |
.TP |
|
.BR charon.filelog.<name>.log_level " [no]" |
|
Add the log level of each message after the subsystem (e.g. [IKE2]). |
|
|
|
.TP |
.BR charon.filelog.<name>.path " []" |
.BR charon.filelog.<name>.path " []" |
Optional path to the log file. Overrides the section name. Must be used if the |
Optional path to the log file. Overrides the section name. Must be used if the |
path contains characters that aren't allowed in section names. |
path contains characters that aren't allowed in section names. |
Line 219 conflict with plugins that later need access to e.g. t
|
Line 239 conflict with plugins that later need access to e.g. t
|
Whether to follow IKEv2 redirects (RFC 5685). |
Whether to follow IKEv2 redirects (RFC 5685). |
|
|
.TP |
.TP |
|
.BR charon.force_eap_only_authentication " [no]" |
|
Violate RFC 5998 and use EAP\-only authentication even if the peer did not send |
|
an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. |
|
|
|
.TP |
.BR charon.fragment_size " [1280]" |
.BR charon.fragment_size " [1280]" |
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when |
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when |
using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280 |
using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280 |
Line 362 other interfaces are ignored.
|
Line 387 other interfaces are ignored.
|
NAT keep alive interval. |
NAT keep alive interval. |
|
|
.TP |
.TP |
|
.BR charon.keep_alive_dpd_margin " [0s]" |
|
Number of seconds the keep alive interval may be exceeded before a DPD is sent |
|
instead of a NAT keep alive (0 to disable). This is only useful if a clock is |
|
used that includes time spent suspended (e.g. CLOCK_BOOTTIME). |
|
|
|
.TP |
.BR charon.leak_detective.detailed " [yes]" |
.BR charon.leak_detective.detailed " [yes]" |
Includes source file names and line numbers in leak detective output. |
Includes source file names and line numbers in leak detective output. |
|
|
Line 479 Enable logging of SQL IP pool leases.
|
Line 510 Enable logging of SQL IP pool leases.
|
Use the enhanced BLISS\-B key generation and signature algorithm. |
Use the enhanced BLISS\-B key generation and signature algorithm. |
|
|
.TP |
.TP |
|
.BR charon.plugins.botan.internal_rng_only " [no]" |
|
If enabled, only Botan's internal RNG will be used throughout the plugin. |
|
Otherwise, and if supported by Botan, rng_t implementations provided by other |
|
loaded plugins will be used as RNG. |
|
|
|
.TP |
.BR charon.plugins.bypass-lan.interfaces_ignore " []" |
.BR charon.plugins.bypass-lan.interfaces_ignore " []" |
A comma\-separated list of network interfaces for which connected subnets should |
A comma\-separated list of network interfaces for which connected subnets should |
be ignored, if |
be ignored, if |
Line 1316 IKE proposal to use in load test.
|
Line 1353 IKE proposal to use in load test.
|
|
|
.TP |
.TP |
.BR charon.plugins.load-tester.request_virtual_ip " [no]" |
.BR charon.plugins.load-tester.request_virtual_ip " [no]" |
Request an INTERNAL_IPV4_ADDR from the server. | Request an INTERNAL_IPV4_ADDR and INTERNAL_IPV6_ADDR from the server. |
|
|
.TP |
.TP |
.BR charon.plugins.load-tester.responder " [127.0.0.1]" |
.BR charon.plugins.load-tester.responder " [127.0.0.1]" |
Line 2032 Prefix each log entry with the connection name and a u
|
Line 2069 Prefix each log entry with the connection name and a u
|
for each IKE_SA. |
for each IKE_SA. |
|
|
.TP |
.TP |
|
.BR charon.syslog.<facility>.log_level " [no]" |
|
Add the log level of each message after the subsystem (e.g. [IKE2]). |
|
|
|
.TP |
.BR charon.syslog.identifier " []" |
.BR charon.syslog.identifier " []" |
Global identifier used for an |
Global identifier used for an |
.RB "" "openlog" "(3)" |
.RB "" "openlog" "(3)" |
Line 2054 might be used as indicator on the number of reserved t
|
Line 2095 might be used as indicator on the number of reserved t
|
List of TLS encryption ciphers. |
List of TLS encryption ciphers. |
|
|
.TP |
.TP |
|
.BR charon.tls.ke_group " []" |
|
List of TLS key exchange groups. |
|
|
|
.TP |
.BR charon.tls.key_exchange " []" |
.BR charon.tls.key_exchange " []" |
List of TLS key exchange methods. |
List of TLS key exchange methods. |
|
|
Line 2062 List of TLS key exchange methods.
|
Line 2107 List of TLS key exchange methods.
|
List of TLS MAC algorithms. |
List of TLS MAC algorithms. |
|
|
.TP |
.TP |
|
.BR charon.tls.send_certreq_authorities " [yes]" |
|
Whether to include CAs in a server's CertificateRequest message. May be disabled |
|
if clients can't handle a long list of CAs. |
|
|
|
.TP |
|
.BR charon.tls.signature " []" |
|
List of TLS signature schemes. |
|
|
|
.TP |
.BR charon.tls.suites " []" |
.BR charon.tls.suites " []" |
List of TLS cipher suites. |
List of TLS cipher suites. |
|
|
.TP |
.TP |
|
.BR charon.tls.version_max " [1.2]" |
|
Maximum TLS version to negotiate. |
|
|
|
.TP |
|
.BR charon.tls.version_min " [1.2]" |
|
Minimum TLS version to negotiate. |
|
|
|
.TP |
.BR charon.tnc.tnc_config " [/etc/tnc_config]" |
.BR charon.tnc.tnc_config " [/etc/tnc_config]" |
TNC IMC/IMV configuration file. |
TNC IMC/IMV configuration file. |
|
|
Line 2145 AIK object handle.
|
Line 2207 AIK object handle.
|
AIK public key file. |
AIK public key file. |
|
|
.TP |
.TP |
|
.BR libimcv.plugins.imc-attestation.hash_algorithm " [sha384]" |
|
Preferred measurement hash algorithm. |
|
|
|
.TP |
.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]" |
.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]" |
Enforce mandatory Diffie\-Hellman groups. |
Enforce mandatory Diffie\-Hellman groups. |
|
|
Line 2181 Dummy measurement value extended into PCR17 if the TBO
|
Line 2247 Dummy measurement value extended into PCR17 if the TBO
|
Whether to send pcr_before and pcr_after info. |
Whether to send pcr_before and pcr_after info. |
|
|
.TP |
.TP |
|
.BR libimcv.plugins.imc-attestation.pcr_padding " [no]" |
|
Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR bank. |
|
|
|
.TP |
.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]" |
.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]" |
Use Quote2 AIK signature instead of Quote signature. |
Use Quote2 AIK signature instead of Quote signature. |
|
|
Line 2370 Path to directory with AIK cacerts.
|
Line 2440 Path to directory with AIK cacerts.
|
Preferred Diffie\-Hellman group. |
Preferred Diffie\-Hellman group. |
|
|
.TP |
.TP |
.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]" | .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha384]" |
Preferred measurement hash algorithm. |
Preferred measurement hash algorithm. |
|
|
.TP |
.TP |