Annotation of embedaddon/strongswan/conf/strongswan.conf.5.main, revision 1.1

.TP
.BR aikgen.load " []"
Plugins to load in the ipsec aikgen tool.

.TP
.BR attest.database " []"
File measurement information database URI. If it contains a password, make sure
to adjust the permissions of the config file accordingly.

.TP
.BR attest.load " []"
Plugins to load in the ipsec attest tool.

.TP
.B charon
.br
Options for the charon IKE daemon.

.RB "" "Note" ":"
Many of the options in this section also apply to
.RB "" "charon\-cmd" ""
and
other
.RB "" "charon" ""
derivatives.  Just use their respective name (e.g.
.RB "" "charon\-cmd" ""
instead of
.RB "" "charon" ")."
For many options defaults can be defined
in the
.RB "" "libstrongswan" ""
section.

.TP
.BR charon.accept_private_algs " [no]"
Deliberately violate the IKE standard's requirement and allow the use of private
algorithm identifiers, even if the peer implementation is unknown.

.TP
.BR charon.accept_unencrypted_mainmode_messages " [no]"
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

Some implementations send the third Main Mode message unencrypted, probably to
find the PSKs for the specified ID for authentication. This is very similar to
Aggressive Mode, and has the same security implications: A passive attacker can
sniff the negotiated Identity, and start brute forcing the PSK using the HASH
payload.

It is recommended to keep this option set to no, unless you know exactly what
the implications are and require compatibility with such devices (for example,
some SonicWall boxes).

.TP
.BR charon.block_threshold " [5]"
Maximum number of half\-open IKE_SAs for a single peer IP.

.TP
.BR charon.cache_crls " [no]"
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
saved under a unique file name derived from the public key of the Certification
Authority (CA) to
.RB "" "/etc/ipsec.d/crls" ""
(stroke) or
.RB "" "/etc/swanctl/x509crl" ""
(vici), respectively.

.TP
.BR charon.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory.

.TP
.BR charon.cisco_unity " [no]"
Send Cisco Unity vendor ID payload (IKEv1 only).

.TP
.BR charon.close_ike_on_child_failure " [no]"
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.

.TP
.BR charon.cookie_threshold " [10]"
Number of half\-open IKE_SAs that activate the cookie mechanism.

.TP
.BR charon.crypto_test.bench " [no]"
Benchmark crypto algorithms and order them by efficiency.

.TP
.BR charon.crypto_test.bench_size " [1024]"
Buffer size used for the crypto benchmark.

.TP
.BR charon.crypto_test.bench_time " [50]"
Time in ms during which crypto algorithm performance is measured.

.TP
.BR charon.crypto_test.on_add " [no]"
Test crypto algorithms during registration (requires test vectors provided by
the
.RI "" "test\-vectors" ""
plugin).

.TP
.BR charon.crypto_test.on_create " [no]"
Test crypto algorithms on each crypto primitive instantiation.

.TP
.BR charon.crypto_test.required " [no]"
Strictly require at least one test vector to enable an algorithm.

.TP
.BR charon.crypto_test.rng_true " [no]"
Whether to test RNG with TRUE quality; requires a lot of entropy.

.TP
.BR charon.delete_rekeyed " [no]"
Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces
the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However,
this might cause problems with implementations that continue to use rekeyed SAs
until they expire.

.TP
.BR charon.delete_rekeyed_delay " [5]"
Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
only). To process delayed packets the inbound part of a CHILD_SA is kept
installed up to the configured number of seconds after it got replaced during a
rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if
no lifetime is set it will be destroyed immediately).

.TP
.BR charon.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.

.TP
.BR charon.dlopen_use_rtld_now " [no]"
Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
symbols immediately.

.TP
.BR charon.dns1 " []"
DNS server assigned to peer via configuration payload (CP).

.TP
.BR charon.dns2 " []"
DNS server assigned to peer via configuration payload (CP).

.TP
.BR charon.dos_protection " [yes]"
Enable Denial of Service protection using cookies and aggressiveness checks.

.TP
.BR charon.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753.

.TP
.B charon.filelog
.br
Section to define file loggers, see LOGGER CONFIGURATION in
.RB "" "strongswan.conf" "(5)."

.TP
.B charon.filelog.<name>
.br
<name> may be the full path to the log file if it only contains characters
permitted in section names. It is ignored if
.RI "" "path" ""
is specified.

.TP
.BR charon.filelog.<name>.<subsystem> " [<default>]"
Loglevel for a specific subsystem.

.TP
.BR charon.filelog.<name>.append " [yes]"
If this option is enabled log entries are appended to the existing file.

.TP
.BR charon.filelog.<name>.default " [1]"
Specifies the default loglevel to be used for subsystems for which no specific
loglevel is defined.

.TP
.BR charon.filelog.<name>.flush_line " [no]"
Enabling this option disables block buffering and enables line buffering.

.TP
.BR charon.filelog.<name>.ike_name " [no]"
Prefix each log entry with the connection name and a unique numerical identifier
for each IKE_SA.

.TP
.BR charon.filelog.<name>.path " []"
Optional path to the log file. Overrides the section name. Must be used if the
path contains characters that aren't allowed in section names.

.TP
.BR charon.filelog.<name>.time_add_ms " [no]"
Adds the milliseconds within the current second after the timestamp (separated
by a dot, so
.RI "" "time_format" ""
should end with %S or %T).

.TP
.BR charon.filelog.<name>.time_format " []"
Prefix each log entry with a timestamp. The option accepts a format string as
passed to
.RB "" "strftime" "(3)."

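.PP
An added example, not taken from the strongSwan sources, of a charon.filelog
section combining the options above. The file names, subsystem selection and
loglevels are assumed values chosen for illustration.

```conf
charon {
    filelog {
        # Main daemon log. The section name is only a label here: the
        # assumed file name contains a '.', taken here to be a character
        # not permitted in section names, so the file is given via path.
        charon-log {
            path = /var/log/charon.log
            # strftime(3) format ending in %T so time_add_ms can append
            # the milliseconds after a dot
            time_format = %b %e %T
            time_add_ms = yes
            # tag every line with connection name and IKE_SA number so
            # interleaved negotiations can be told apart when reviewing
            ike_name = yes
            # start a fresh file on each daemon start and write each
            # line immediately instead of block buffering
            append = no
            flush_line = yes
            # loglevel 1 (audit) for every subsystem not listed below
            default = 1
            # raw kernel interface messages are rarely needed here
            knl = 0
        }
        # Second logger whose section name doubles as the file path
        # (assumed to use only characters allowed in section names).
        /var/log/ike-audit {
            # silence everything, then enable only what this file is for
            default = -1
            # level 2 (control) for IKE state and configuration lookups
            ike = 2
            cfg = 2
            time_format = %Y-%m-%d %T
            ike_name = yes
            # keep history across restarts
            append = yes
        }
    }
}
```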
.TP
.BR charon.flush_auth_cfg " [no]"
If enabled objects used during authentication (certificates, identities etc.)
are released to free memory once an IKE_SA is established. Enabling this might
conflict with plugins that later need access to e.g. the used certificates.

.TP
.BR charon.follow_redirects " [yes]"
Whether to follow IKEv2 redirects (RFC 5685).

.TP
.BR charon.fragment_size " [1280]"
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
(use 0 for address family specific default values, which use a lower value for
IPv4).  If specified this limit is used for both IPv4 and IPv6.

.TP
.BR charon.group " []"
Name of the group the daemon changes to after startup.

.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).

.TP
.BR charon.hash_and_url " [no]"
Enable hash and URL support.

.TP
.BR charon.host_resolver.max_threads " [3]"
Maximum number of concurrent resolver threads (they are terminated if unused).

.TP
.BR charon.host_resolver.min_threads " [0]"
Minimum number of resolver threads to keep around.

.TP
.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
keys, which is discouraged due to security concerns (offline attacks on the
openly transmitted hash of the PSK).

.TP
.BR charon.ignore_acquire_ts " [no]"
If this is disabled the traffic selectors from the kernel's acquire events,
which are derived from the triggering packet, are prepended to the traffic
selectors from the configuration for IKEv2 connections. By enabling this, such
specific traffic selectors will be ignored and only the ones in the config will
be sent. This always happens for IKEv1 connections as the protocol only supports
one set of traffic selectors per CHILD_SA.

.TP
.BR charon.ignore_routing_tables " []"
A space\-separated list of routing tables to be excluded from route lookups.

.TP
.BR charon.ikesa_limit " [0]"
Maximum number of IKE_SAs that can be established at the same time before new
connection attempts are blocked.

.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table.

.TP
.BR charon.ikesa_table_size " [1]"
Size of the IKE_SA hash table.

.TP
.B charon.imcv
.br
Defaults for options in this section can be configured in the
.RI "" "libimcv" ""
section.

.TP
.BR charon.imcv.assessment_result " [yes]"
Whether IMVs send a standard IETF Assessment Result attribute.

.TP
.BR charon.imcv.database " []"
Global IMV policy database URI. If it contains a password, make sure to adjust
the permissions of the config file accordingly.

.TP
.BR charon.imcv.os_info.default_password_enabled " [no]"
Manually set whether a default password is enabled.

.TP
.BR charon.imcv.os_info.name " []"
Manually set the name of the client OS (e.g. Ubuntu).

.TP
.BR charon.imcv.os_info.version " []"
Manually set the version of the client OS (e.g. 12.04 i686).

.TP
.BR charon.imcv.policy_script " [ipsec _imv_policy]"
Script called for each TNC connection to generate IMV policies.

.TP
.BR charon.inactivity_close_ike " [no]"
Whether to close the IKE_SA if its only CHILD_SA was closed due to inactivity.

.TP
.BR charon.init_limit_half_open " [0]"
Limit new connections based on the current number of half\-open IKE_SAs, see
IKE_SA_INIT DROPPING in
.RB "" "strongswan.conf" "(5)."

.TP
.BR charon.init_limit_job_load " [0]"
Limit new connections based on the number of jobs currently queued for
processing (see IKE_SA_INIT DROPPING).

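.PP
An added example, not taken from the strongSwan sources, that gathers the
IKE_SA_INIT dropping options (dos_protection, cookie_threshold,
block_threshold, half_open_timeout, init_limit_half_open, init_limit_job_load,
ikesa_limit) and the two IKEv1 compatibility switches
(accept_unencrypted_mainmode_messages,
i_dont_care_about_security_and_use_aggressive_mode_psk) into one charon
section. The limit values are assumed sizing for a responder gateway; the
compatibility switches are shown at their defaults.

```conf
charon {
    # Half-open IKE_SA handling (see IKE_SA_INIT DROPPING)

    # cookies and aggressiveness checks, the default
    dos_protection = yes
    # once this many IKE_SAs are half-open, initiators must first
    # return a cookie before the responder keeps state for them
    cookie_threshold = 10
    # a single peer IP may have at most this many half-open IKE_SAs
    block_threshold = 5
    # drop an IKE_SA that has not finished connecting after 30 seconds
    half_open_timeout = 30
    # assumed sizing: stop answering new IKE_SA_INIT requests when this
    # many half-open IKE_SAs exist, or when the job queue backs up
    init_limit_half_open = 1000
    init_limit_job_load = 200
    # assumed ceiling for fully established IKE_SAs (0 = no limit)
    ikesa_limit = 5000

    # IKEv1 PSK compatibility switches

    # Both expose the peer identity and a PSK-derived HASH to a passive
    # listener, enabling offline PSK guessing. Leave them at "no" unless
    # a specific legacy peer is known to require one of them.
    accept_unencrypted_mainmode_messages = no
    i_dont_care_about_security_and_use_aggressive_mode_psk = no
}
```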
.TP
.BR charon.initiator_only " [no]"
Causes the charon daemon to ignore IKE initiation requests.

.TP
.BR charon.install_routes " [yes]"
Install routes into a separate routing table for established IPsec tunnels.

.TP
.BR charon.install_virtual_ip " [yes]"
Install virtual IP addresses.

.TP
.BR charon.install_virtual_ip_on " []"
The name of the interface on which virtual IP addresses should be installed. If
not specified the addresses will be installed on the outbound interface.

.TP
.BR charon.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup.

.TP
.BR charon.interfaces_ignore " []"
A comma\-separated list of network interfaces that should be ignored. If
.RB "" "interfaces_use" ""
is specified this option has no effect.

.TP
.BR charon.interfaces_use " []"
A comma\-separated list of network interfaces that should be used by charon. All
other interfaces are ignored.

.TP
.BR charon.keep_alive " [20s]"
NAT keep alive interval.

.TP
.BR charon.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output.

.TP
.BR charon.leak_detective.usage_threshold " [10240]"
Threshold in bytes for leaks to be reported (0 to report all).

.TP
.BR charon.leak_detective.usage_threshold_count " [0]"
Threshold in number of allocations for leaks to be reported (0 to report all).

.TP
.BR charon.load " []"
Plugins to load in the IKE daemon charon.

.TP
.BR charon.load_modular " [no]"
If enabled, the list of plugins to load is determined via the value of the
.RI "" "charon.plugins.<name>.load" ""
options.  In addition to a simple boolean flag that
option may take an integer value indicating the priority of a plugin, which
would influence the order of a plugin in the plugin list (the default is 1). If
two plugins have the same priority their order in the default plugin list is
preserved. Enabled plugins not found in that list are ordered alphabetically
before other plugins with the same priority.

.TP
.BR charon.make_before_break " [no]"
Initiate IKEv2 reauthentication with a make\-before\-break instead of a
break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
during reauthentication by first recreating all new SAs before deleting the old
ones. This behavior can be beneficial to avoid connectivity gaps during
reauthentication, but requires support for overlapping SAs by the peer.
strongSwan can handle such overlapping SAs since version 5.3.0.

.TP
.BR charon.max_ikev1_exchanges " [3]"
Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
track concurrently.

.TP
.BR charon.max_packet " [10000]"
Maximum packet size accepted by charon.

.TP
.BR charon.multiple_authentication " [yes]"
Enable multiple authentication exchanges (RFC 4739).

.TP
.BR charon.nbns1 " []"
WINS server assigned to peer via configuration payload (CP).

.TP
.BR charon.nbns2 " []"
WINS server assigned to peer via configuration payload (CP).

.TP
.BR charon.plugin.ha.buflen " [2048]"
Buffer size for received HA messages. For IKEv1 the public DH factors are also
transmitted so depending on the DH group the HA messages can get quite big (the
default should be fine up to
.RI "" "modp4096" ")."

.TP
.BR charon.plugins.addrblock.strict " [yes]"
If set to yes, a subject certificate without an addrblock extension is rejected
if the issuer certificate has such an addrblock extension. If set to no, subject
certificates issued without the addrblock extension are accepted without any
traffic selector checks and no policy is enforced by the plugin.

.TP
.BR charon.plugins.android_log.loglevel " [1]"
Loglevel for logging to the Android specific logger.

.TP
.B charon.plugins.attr
.br
Section to specify arbitrary attributes that are assigned to a peer via
configuration payload (CP).

.TP
.BR charon.plugins.attr.<attr> " []"
.RB "" "<attr>" ""
can be either
.RI "" "address" ","
.RI "" "netmask" ","
.RI "" "dns" ","
.RI "" "nbns" ","
.RI "" "dhcp" ","
.RI "" "subnet" ","
.RI "" "split\-include" ","
.RI "" "split\-exclude" ""
or the numeric identifier of the attribute
type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation
or an arbitrary value depending on the attribute type.  For some attribute types
multiple values may be specified as a comma\-separated list.

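.PP
An added example, not taken from the strongSwan sources, of a
charon.plugins.attr section that hands name servers and split\-tunnel subnets
to peers via the configuration payload. All addresses and subnets are assumed
values; the attr plugin must be loaded for the section to take effect.

```conf
charon {
    plugins {
        attr {
            # internal resolvers, as a comma-separated list of addresses
            # (charon.dns1/dns2 would be the plugin-less way to send a pair)
            dns = 10.10.0.53, 10.10.0.54
            nbns = 10.10.0.60
            # Cisco Unity split tunnelling: only these subnets are routed
            # through the tunnel by clients honouring the attribute
            split-include = 10.10.0.0/16, 192.168.100.0/24
            # local networks the client keeps reaching directly
            split-exclude = 10.10.5.0/24
            # an IPv6 subnet in CIDR notation for the peer's IPv6 side
            subnet = 2001:db8:10::/48
        }
    }
}
```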
        !           463: .TP
        !           464: .BR charon.plugins.attr-sql.crash_recovery " [yes]"
        !           465: Release all online leases during startup.  Disable this to share the DB between
        !           466: multiple VPN gateways.
        !           467: 
        !           468: .TP
        !           469: .BR charon.plugins.attr-sql.database " []"
        !           470: Database URI for attr\-sql plugin used by charon. If it contains a password, make
        !           471: sure to adjust the permissions of the config file accordingly.
        !           472: 
        !           473: .TP
        !           474: .BR charon.plugins.attr-sql.lease_history " [yes]"
        !           475: Enable logging of SQL IP pool leases.
        !           476: 
        !           477: .TP
        !           478: .BR charon.plugins.bliss.use_bliss_b " [yes]"
        !           479: Use the enhanced BLISS\-B key generation and signature algorithm.
        !           480: 
        !           481: .TP
        !           482: .BR charon.plugins.bypass-lan.interfaces_ignore " []"
        !           483: A comma\-separated list of network interfaces for which connected subnets should
        !           484: be ignored, if
        !           485: .RB "" "interfaces_use" ""
        !           486: is specified this option has no effect.
        !           487: 
        !           488: .TP
        !           489: .BR charon.plugins.bypass-lan.interfaces_use " []"
        !           490: A comma\-separated list of network interfaces for which connected subnets should
        !           491: be considered. All other interfaces are ignored.
        !           492: 
        !           493: .TP
        !           494: .BR charon.plugins.certexpire.csv.cron " []"
        !           495: Cron style string specifying CSV export times.
        !           496: 
        !           497: .TP
        !           498: .BR charon.plugins.certexpire.csv.empty_string " []"
        !           499: String to use in empty intermediate CA fields.
        !           500: 
        !           501: .TP
        !           502: .BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
        !           503: Use a fixed intermediate CA field count.
        !           504: 
        !           505: .TP
        !           506: .BR charon.plugins.certexpire.csv.force " [yes]"
        !           507: Force export of all trustchains we have a private key for.
        !           508: 
        !           509: .TP
        !           510: .BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
        !           511: .RB "" "strftime" "(3)"
        !           512: format string to export expiration dates as.
        !           513: 
        !           514: .TP
        !           515: .BR charon.plugins.certexpire.csv.local " []"
        !           516: .RB "" "strftime" "(3)"
        !           517: format string for the CSV file name to export local certificates
        !           518: to.
        !           519: 
        !           520: .TP
        !           521: .BR charon.plugins.certexpire.csv.remote " []"
        !           522: .RB "" "strftime" "(3)"
        !           523: format string for the CSV file name to export remote
        !           524: certificates to.
        !           525: 
        !           526: .TP
        !           527: .BR charon.plugins.certexpire.csv.separator " [,]"
        !           528: CSV field separator.
        !           529: 
        !           530: .TP
        !           531: .BR charon.plugins.coupling.file " []"
        !           532: File to store coupling list to.
        !           533: 
        !           534: .TP
        !           535: .BR charon.plugins.coupling.hash " [sha1]"
        !           536: Hashing algorithm to fingerprint coupled certificates.
        !           537: 
        !           538: .TP
        !           539: .BR charon.plugins.coupling.max " [1]"
        !           540: Maximum number of coupling entries to create.
        !           541: 
        !           542: .TP
        !           543: .BR charon.plugins.curl.redir " [-1]"
        !           544: Maximum number of redirects followed by the plugin, set to 0 to disable
        !           545: following redirects, set to \-1 for no limit.
        !           546: 
        !           547: .TP
        !           548: .BR charon.plugins.dhcp.force_server_address " [no]"
        !           549: Always use the configured server address. This might be helpful if the DHCP
        !           550: server runs on the same host as strongSwan, and the DHCP daemon does not listen
        !           551: on the loopback interface.  In that case the server cannot be reached via
        !           552: unicast (or even 255.255.255.255) as that would be routed via loopback. Setting
        !           553: this option to yes and configuring the local broadcast address (e.g.
        !           554: 192.168.0.255) as server address might work.
        !           555: 
        !           556: .TP
        !           557: .BR charon.plugins.dhcp.identity_lease " [no]"
        !           558: Derive user\-defined MAC address from hash of IKE identity and send client
        !           559: identity DHCP option.
        !           560: 
        !           561: .TP
        !           562: .BR charon.plugins.dhcp.interface " []"
        !           563: Interface name the plugin uses for address allocation. The default is to bind to
        !           564: any (0.0.0.0) and let the system decide which way to route the packets to the
        !           565: DHCP server.
        !           566: 
        !           567: .TP
        !           568: .BR charon.plugins.dhcp.server " [255.255.255.255]"
        !           569: DHCP server unicast or broadcast IP address.
        !           570: 
        !           571: .TP
        !           572: .BR charon.plugins.dhcp.use_server_port " [no]"
        !           573: Use the DHCP server port (67) as source port, instead of the DHCP client port
        !           574: (68), when a unicast server address is configured and the plugin acts as relay
        !           575: agent.  When replying in this mode the DHCP server will always send packets to
        !           576: the DHCP server port and if no process binds that port an ICMP port unreachable
        !           577: will be sent back, which might be problematic for some DHCP servers.  To avoid
        !           578: that, enabling this option will cause the plugin to bind the DHCP server port to
        !           579: send its requests when acting as relay agent. This is not necessary if a DHCP
        !           580: server is already running on the same host and might even cause conflicts (and
        !           581: since the server port is already bound, ICMPs should not be an issue).
        !           582: 
        !           583: .TP
        !           584: .BR charon.plugins.dnscert.enable " [no]"
        !           585: Enable fetching of CERT RRs via DNS.
        !           586: 
        !           587: .TP
        !           588: .BR charon.plugins.drbg.max_drbg_requests " [4294967294]"
        !           589: Number of pseudo\-random bit requests from the DRBG before an automatic reseeding
        !           590: occurs.
        !           591: 
        !           592: .TP
        !           593: .BR charon.plugins.duplicheck.enable " [yes]"
        !           594: Enable duplicheck plugin (if loaded).
        !           595: 
        !           596: .TP
        !           597: .BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
        !           598: Socket provided by the duplicheck plugin.
        !           599: 
        !           600: .TP
        !           601: .BR charon.plugins.eap-aka.request_identity " [yes]"
        !           602: .TP
        !           603: .BR charon.plugins.eap-aka-3gpp.seq_check " []"
        !           604: Enable to activate sequence check of the AKA SQN values in order to trigger
        !           605: resync cycles.
        !           606: 
        !           607: .TP
        !           608: .BR charon.plugins.eap-aka-3gpp2.seq_check " []"
        !           609: Enable to activate sequence check of the AKA SQN values in order to trigger
        !           610: resync cycles.
        !           611: 
        !           612: .TP
        !           613: .BR charon.plugins.eap-dynamic.prefer_user " [no]"
        !           614: If enabled, the EAP methods proposed in an EAP\-Nak message sent by the peer are
        !           615: preferred over the methods registered locally.
        !           616: 
        !           617: .TP
        !           618: .BR charon.plugins.eap-dynamic.preferred " []"
        !           619: The preferred EAP method(s) to be used.  If it is not given the first registered
        !           620: method will be used initially.  If a comma separated list is given the methods
        !           621: are tried in the given order before trying the rest of the registered methods.
        !           622: 
        !           623: .TP
        !           624: .BR charon.plugins.eap-gtc.backend " [pam]"
        !           625: XAuth backend to be used for credential verification.
        !           626: 
        !           627: .TP
        !           628: .BR charon.plugins.eap-peap.fragment_size " [1024]"
        !           629: Maximum size of an EAP\-PEAP packet.
        !           630: 
        !           631: .TP
        !           632: .BR charon.plugins.eap-peap.include_length " [no]"
        !           633: Include length in non\-fragmented EAP\-PEAP packets.
        !           634: 
        !           635: .TP
        !           636: .BR charon.plugins.eap-peap.max_message_count " [32]"
        !           637: Maximum number of processed EAP\-PEAP packets (0 = no limit).
        !           638: 
        !           639: .TP
        !           640: .BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
        !           641: Phase2 EAP client authentication method.
        !           642: 
        !           643: .TP
        !           644: .BR charon.plugins.eap-peap.phase2_piggyback " [no]"
        !           645: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
        !           646: 
        !           647: .TP
        !           648: .BR charon.plugins.eap-peap.phase2_tnc " [no]"
        !           649: Start phase2 EAP TNC protocol after successful client authentication.
        !           650: 
        !           651: .TP
        !           652: .BR charon.plugins.eap-peap.request_peer_auth " [no]"
        !           653: Request peer authentication based on a client certificate.
        !           654: 
        !           655: .TP
        !           656: .BR charon.plugins.eap-radius.accounting " [no]"
        !           657: Send RADIUS accounting information to RADIUS servers.
        !           658: 
        !           659: .TP
        !           660: .BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
        !           661: Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
        !           662: 
        !           663: .TP
        !           664: .BR charon.plugins.eap-radius.accounting_interval " [0]"
        !           665: Interval in seconds for interim RADIUS accounting updates, if not specified by
        !           666: the RADIUS server in the Access\-Accept message.
        !           667: 
        !           668: .TP
        !           669: .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
        !           670: If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
        !           671: Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
        !           672: 
        !           673: .TP
        !           674: .BR charon.plugins.eap-radius.accounting_send_class " [no]"
        !           675: If enabled, adds the Class attributes received in Access\-Accept message to the
        !           676: RADIUS accounting messages.
        !           677: 
        !           678: .TP
        !           679: .BR charon.plugins.eap-radius.class_group " [no]"
        !           680: Use the
        !           681: .RI "" "class" ""
        !           682: attribute sent in the RADIUS\-Accept message as group membership
        !           683: information that is compared to the groups specified in the
        !           684: .RB "" "rightgroups" ""
        !           685: option in
        !           686: .RB "" "ipsec.conf" "(5)."
        !           687: 
        !           688: 
        !           689: .TP
        !           690: .BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
        !           691: Closes all IKE_SAs if communication with the RADIUS server times out. If it is
        !           692: not set only the current IKE_SA is closed.
        !           693: 
        !           694: .TP
        !           695: .BR charon.plugins.eap-radius.dae.enable " [no]"
        !           696: Enables support for the Dynamic Authorization Extension (RFC 5176).
        !           697: 
        !           698: .TP
        !           699: .BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
        !           700: Address to listen for DAE messages from the RADIUS server.
        !           701: 
        !           702: .TP
        !           703: .BR charon.plugins.eap-radius.dae.port " [3799]"
        !           704: Port to listen for DAE requests.
        !           705: 
        !           706: .TP
        !           707: .BR charon.plugins.eap-radius.dae.secret " []"
        !           708: Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
        !           709: permissions of the config file accordingly.
        !           710: 
        !           711: .TP
        !           712: .BR charon.plugins.eap-radius.eap_start " [no]"
        !           713: Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
        !           714: 
        !           715: .TP
        !           716: .BR charon.plugins.eap-radius.filter_id " [no]"
        !           717: If the RADIUS
        !           718: .RI "" "tunnel_type" ""
        !           719: attribute with value
        !           720: .RB "" "ESP" ""
        !           721: is received, use the
        !           722: .RI "" "filter_id" ""
        !           723: attribute sent in the RADIUS\-Accept message as group membership
        !           724: information that is compared to the groups specified in the
        !           725: .RB "" "rightgroups" ""
        !           726: option in
        !           727: .RB "" "ipsec.conf" "(5)."
        !           728: 
        !           729: 
        !           730: .TP
        !           731: .BR charon.plugins.eap-radius.forward.ike_to_radius " []"
        !           732: RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
        !           733: or attribute number, a colon can be used to specify vendor\-specific attributes,
        !           734: e.g. Reply\-Message, or 11, or 36906:12).
        !           735: 
        !           736: .TP
        !           737: .BR charon.plugins.eap-radius.forward.radius_to_ike " []"
        !           738: Same as
        !           739: .RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
        !           740: but from RADIUS to
        !           741: IKEv2, a strongSwan specific private notify (40969) is used to transmit the
        !           742: attributes.
        !           743: 
        !           744: .TP
        !           745: .BR charon.plugins.eap-radius.id_prefix " []"
        !           746: Prefix to EAP\-Identity, some AAA servers use an IMSI prefix to select the EAP
        !           747: method.
        !           748: 
        !           749: .TP
        !           750: .BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
        !           751: NAS\-Identifier to include in RADIUS messages.
        !           752: 
        !           753: .TP
        !           754: .BR charon.plugins.eap-radius.port " [1812]"
        !           755: Port of RADIUS server (authentication).
        !           756: 
        !           757: .TP
        !           758: .BR charon.plugins.eap-radius.retransmit_base " [1.4]"
        !           759: Base to use for calculating exponential back off.
        !           760: 
        !           761: .TP
        !           762: .BR charon.plugins.eap-radius.retransmit_timeout " [2.0]"
        !           763: Timeout in seconds before sending first retransmit.
        !           764: 
        !           765: .TP
        !           766: .BR charon.plugins.eap-radius.retransmit_tries " [4]"
        !           767: Number of times to retransmit a packet before giving up.
        !           768: 
        !           769: .TP
        !           770: .BR charon.plugins.eap-radius.secret " []"
        !           771: Shared secret between RADIUS and NAS. If set, make sure to adjust the
        !           772: permissions of the config file accordingly.
        !           773: 
        !           774: .TP
        !           775: .BR charon.plugins.eap-radius.server " []"
        !           776: IP/Hostname of RADIUS server.
        !           777: 
        !           778: .TP
        !           779: .B charon.plugins.eap-radius.servers
        !           780: .br
        !           781: Section to specify multiple RADIUS servers. The
        !           782: .RB "" "nas_identifier" ","
        !           783: .RB "" "secret" ","
        !           784: .RB "" "sockets" ""
        !           785: and
        !           786: .RB "" "port" ""
        !           787: (or
        !           788: .RB "" "auth_port" ")"
        !           789: options can be specified for each
        !           790: server. A server's IP/Hostname can be configured using the
        !           791: .RB "" "address" ""
        !           792: option.
        !           793: The
        !           794: .RB "" "acct_port" ""
        !           795: [1813] option can be used to specify the port used for RADIUS
        !           796: accounting. For each RADIUS server a priority can be specified using the
        !           797: .RB "" "preference" ""
        !           798: [0] option. The retransmission time for each server can be set
        !           799: using
        !           800: .RB "" "retransmit_base" ","
        !           801: .RB "" "retransmit_timeout" ""
        !           802: and
        !           803: .RB "" "retransmit_tries" "."
        !           804: 
        !           805: 
        !           806: .TP
        !           807: .BR charon.plugins.eap-radius.sockets " [1]"
        !           808: Number of sockets (ports) to use, increase for high load.
        !           809: 
        !           810: .TP
        !           811: .BR charon.plugins.eap-radius.station_id_with_port " [yes]"
        !           812: Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS
        !           813: attributes.
        !           814: 
        !           815: .TP
        !           816: .B charon.plugins.eap-radius.xauth
        !           817: .br
        !           818: Section to configure multiple XAuth authentication rounds via RADIUS. The
        !           819: subsections define so called authentication profiles with arbitrary names. In
        !           820: each profile section one or more XAuth types can be configured, with an assigned
        !           821: message. For each type a separate XAuth exchange will be initiated and all
        !           822: replies get concatenated into the User\-Password attribute, which then gets
        !           823: verified over RADIUS.
        !           824: 
        !           825: Available XAuth types are
        !           826: .RB "" "password" ","
        !           827: .RB "" "passcode" ","
        !           828: .RB "" "nextpin" ","
        !           829: and
        !           830: .RB "" "answer" "."
        !           831: This type is not relevant to strongSwan or the AAA server, but the
        !           832: client may show a different dialog (along with the configured message).
        !           833: 
        !           834: To use the configured profiles, they have to be configured in the respective
        !           835: connection in
        !           836: .RB "" "ipsec.conf" "(5)"
        !           837: by appending the profile name, separated by a
        !           838: colon, to the
        !           839: .RB "" "xauth\-radius" ""
        !           840: XAuth backend configuration in
        !           841: .RI "" "rightauth" ""
        !           842: or
        !           843: .RI "" "rightauth2" ","
        !           844: for instance,
        !           845: .RI "" "rightauth2=xauth\-radius:profile" "."
        !           846: 
        !           847: 
        !           848: .TP
        !           849: .BR charon.plugins.eap-sim.request_identity " [yes]"
        !           850: .TP
        !           851: .BR charon.plugins.eap-simaka-sql.database " []"
        !           852: .TP
        !           853: .BR charon.plugins.eap-simaka-sql.remove_used " [no]"
        !           854: .TP
        !           855: .BR charon.plugins.eap-tls.fragment_size " [1024]"
        !           856: Maximum size of an EAP\-TLS packet.
        !           857: 
        !           858: .TP
        !           859: .BR charon.plugins.eap-tls.include_length " [yes]"
        !           860: Include length in non\-fragmented EAP\-TLS packets.
        !           861: 
        !           862: .TP
        !           863: .BR charon.plugins.eap-tls.max_message_count " [32]"
        !           864: Maximum number of processed EAP\-TLS packets (0 = no limit).
        !           865: 
        !           866: .TP
        !           867: .BR charon.plugins.eap-tnc.max_message_count " [10]"
        !           868: Maximum number of processed EAP\-TNC packets (0 = no limit).
        !           869: 
        !           870: .TP
        !           871: .BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]"
        !           872: IF\-TNCCS protocol version to be used 
        !           873: .RI "(" "tnccs\-1.1" ","
        !           874: .RI "" "tnccs\-2.0" ","
        !           875: .RI "" "tnccs\-dynamic" ")."
        !           876: 
        !           877: 
        !           878: .TP
        !           879: .BR charon.plugins.eap-ttls.fragment_size " [1024]"
        !           880: Maximum size of an EAP\-TTLS packet.
        !           881: 
        !           882: .TP
        !           883: .BR charon.plugins.eap-ttls.include_length " [yes]"
        !           884: Include length in non\-fragmented EAP\-TTLS packets.
        !           885: 
        !           886: .TP
        !           887: .BR charon.plugins.eap-ttls.max_message_count " [32]"
        !           888: Maximum number of processed EAP\-TTLS packets (0 = no limit).
        !           889: 
        !           890: .TP
        !           891: .BR charon.plugins.eap-ttls.phase2_method " [md5]"
        !           892: Phase2 EAP client authentication method.
        !           893: 
        !           894: .TP
        !           895: .BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
        !           896: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
        !           897: 
        !           898: .TP
        !           899: .BR charon.plugins.eap-ttls.phase2_tnc " [no]"
        !           900: Start phase2 EAP TNC protocol after successful client authentication.
        !           901: 
        !           902: .TP
        !           903: .BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]"
        !           904: Phase2 EAP TNC transport protocol
        !           905: .RI "(" "pt" ""
        !           906: as IETF standard or legacy
        !           907: .RI "" "tnc" ")."
        !           908: 
        !           909: 
        !           910: .TP
        !           911: .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
        !           912: Request peer authentication based on a client certificate.
        !           913: 
        !           914: .TP
        !           915: .BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
        !           916: Socket provided by the error\-notify plugin.
        !           917: 
        !           918: .TP
        !           919: .BR charon.plugins.ext-auth.script " []"
        !           920: Command to pass to the system shell for peer authorization. Authorization is
        !           921: considered successful if the command executes normally with an exit code of
        !           922: zero. For all other exit codes IKE_SA authorization is rejected.
        !           923: 
        !           924: The following environment variables get passed to the script:
        !           925: .RI "" "IKE_UNIQUE_ID" ":"
        !           926: The IKE_SA numerical unique identifier.
        !           927: .RI "" "IKE_NAME" ":"
        !           928: The peer configuration
        !           929: connection name.
        !           930: .RI "" "IKE_LOCAL_HOST" ":"
        !           931: Local IKE IP address.
        !           932: .RI "" "IKE_REMOTE_HOST" ":"
        !           933: Remote IKE IP address.
        !           934: .RI "" "IKE_LOCAL_ID" ":"
        !           935: Local IKE identity.
        !           936: .RI "" "IKE_REMOTE_ID" ":"
        !           937: Remote IKE identity.
        !           938: .RI "" "IKE_REMOTE_EAP_ID" ":"
        !           939: Remote EAP or XAuth identity, if used.
        !           940: 
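An authorization script for this option, as an added example that is not part of strongSwan: it fails closed and matches the connection name plus the remote identity against an allowlist file (the script path, the --authorize argument, the allowlist path and the identities used are assumptions).

```shell
#!/bin/sh
# Added example, not part of strongSwan: an allowlist-based authorization
# script for charon.plugins.ext-auth.script.  charon runs the configured command
# through the system shell with the IKE_* variables listed above in its
# environment; exit status 0 authorizes the IKE_SA, anything else rejects it.
#
# Assumed (hypothetical) deployment:
#   strongswan.conf: charon.plugins.ext-auth.script = /usr/local/libexec/ext-auth.sh --authorize
#   allowlist file:  one "<connection-name> <identity>" pair per line

ALLOWLIST="${EXT_AUTH_ALLOWLIST:-/usr/local/etc/ext-auth.allow}"

# ext_authorize: returns 0 (authorize) or 1 (reject) based on the environment.
# The EAP/XAuth identity, when present, is the authenticated user, so it takes
# precedence over the IKE identity.
ext_authorize() {
    id="${IKE_REMOTE_EAP_ID:-${IKE_REMOTE_ID:-}}"

    # Fail closed: missing inputs or an unreadable allowlist reject the peer.
    [ -n "${IKE_NAME:-}" ] || return 1
    [ -n "$id" ] || return 1
    [ -r "$ALLOWLIST" ] || return 1

    # -F -x: fixed string, whole-line match, so "alice" never matches "alice2"
    # and no metacharacter in an identity is interpreted as a pattern.  Because
    # the whole line is compared, identities containing spaces (e.g. DNs) are
    # matched correctly as well.
    grep -F -x -q -- "$IKE_NAME $id" "$ALLOWLIST"
}

# When invoked by charon (see the assumed strongswan.conf line above), decide
# and exit; when sourced for testing, only define the function.
if [ "${1:-}" = "--authorize" ]; then
    ext_authorize
    exit $?
fi
```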
        !           941: .TP
        !           942: .BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
        !           943: Comma separated list of multicast groups to join locally. The local host
        !           944: receives and forwards packets in the local LAN for joined multicast groups only.
        !           945: Packets matching the list of multicast groups get forwarded to connected
        !           946: clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
        !           947: SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
        !           948: 
        !           949: .TP
        !           950: .BR charon.plugins.forecast.interface " []"
        !           951: Name of the local interface to listen on for broadcast messages to forward. If no
        !           952: interface is configured, the first usable interface is used, which is usually
        !           953: just fine for single\-homed hosts. If your host has multiple interfaces, set this
        !           954: option to the local LAN interface you want to forward broadcasts from/to.
        !           955: 
        !           956: .TP
        !           957: .BR charon.plugins.forecast.reinject " []"
        !           958: Comma separated list of CHILD_SA configuration names for which to perform
        !           959: multi/broadcast reinjection. For clients connecting over such a configuration,
        !           960: any multi/broadcast received over the tunnel gets reinjected to all active
        !           961: tunnels. This makes the broadcasts visible to other peers, and for example
        !           962: allows clients to see each other's shares. If disabled, multi/broadcast messages
        !           963: received over a tunnel are injected to the local network only, but not to other
        !           964: IPsec clients.
        !           965: 
        !           966: .TP
        !           967: .BR charon.plugins.gcrypt.quick_random " [no]"
        !           968: Use faster random numbers in gcrypt; for testing only, produces weak keys!
        !           969: 
        !           970: .TP
        !           971: .BR charon.plugins.ha.autobalance " [0]"
        !           972: Interval in seconds to automatically balance handled segments between nodes. Set
        !           973: to 0 to disable.
        !           974: 
        !           975: .TP
        !           976: .BR charon.plugins.ha.fifo_interface " [yes]"
        !           977: .TP
        !           978: .BR charon.plugins.ha.heartbeat_delay " [1000]"
        !           979: .TP
        !           980: .BR charon.plugins.ha.heartbeat_timeout " [2100]"
        !           981: .TP
        !           982: .BR charon.plugins.ha.local " []"
        !           983: .TP
        !           984: .BR charon.plugins.ha.monitor " [yes]"
        !           985: .TP
        !           986: .BR charon.plugins.ha.pools " []"
        !           987: .TP
        !           988: .BR charon.plugins.ha.remote " []"
        !           989: .TP
        !           990: .BR charon.plugins.ha.resync " [yes]"
        !           991: .TP
        !           992: .BR charon.plugins.ha.secret " []"
        !           993: .TP
        !           994: .BR charon.plugins.ha.segment_count " [1]"
        !           995: .TP
        !           996: .BR charon.plugins.ipseckey.enable " [no]"
        !           997: Enable fetching of IPSECKEY RRs via DNS.
        !           998: 
        !           999: .TP
        !          1000: .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
        !          1001: Allow the remote traffic selector to equal the IKE peer address. The route installed
        !          1002: for such traffic (via TUN device) usually prevents further IKE traffic. The
        !          1003: fwmark options for the
        !          1004: .RI "" "kernel\-netlink" ""
        !          1005: and
        !          1006: .RI "" "socket\-default" ""
        !          1007: plugins can be used
        !          1008: to circumvent that problem.
        !          1009: 
        !          1010: .TP
        !          1011: .BR charon.plugins.kernel-netlink.buflen " [<min(PAGE_SIZE, 8192)>]"
        !          1012: Buffer size for received Netlink messages.
        !          1013: 
        !          1014: .TP
        !          1015: .BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]"
        !          1016: If the maximum Netlink socket receive buffer in bytes set by
        !          1017: .RI "" "receive_buffer_size" ""
        !          1018: exceeds the system\-wide maximum from
        !          1019: /proc/sys/net/core/rmem_max, this option can be used to override the limit.
        !          1020: Enabling this option requires special privileges (CAP_NET_ADMIN).
        !          1021: 
        !          1022: .TP
        !          1023: .BR charon.plugins.kernel-netlink.fwmark " []"
        !          1024: Firewall mark to set on the routing rule that directs traffic to our routing
        !          1025: table. The format is [!]mark[/mask], where the optional exclamation mark inverts
        !          1026: the meaning (i.e. the rule only applies to packets that don't match the mark).
        !          1027: 
        !          1028: .TP
        !          1029: .BR charon.plugins.kernel-netlink.hw_offload_feature_interface " [lo]"
        !          1030: If the kernel supports hardware offloading, the plugin needs to find the feature
        !          1031: flag which represents hardware offloading support for network devices. Using the
        !          1032: loopback device for this purpose is usually fine, since it should always be
        !          1033: present. For rare cases in which the loopback device cannot be used to obtain
        !          1034: the appropriate feature flag, this option can be used to specify an alternative
        !          1035: interface for offload feature detection.
        !          1036: 
        !          1037: .TP
        !          1038: .BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
        !          1039: Whether to ignore errors potentially resulting from a retransmission.
        !          1040: 
        !          1041: .TP
        !          1042: .BR charon.plugins.kernel-netlink.mss " [0]"
        !          1043: MSS to set on installed routes, 0 to disable.
        !          1044: 
        !          1045: .TP
        !          1046: .BR charon.plugins.kernel-netlink.mtu " [0]"
        !          1047: MTU to set on installed routes, 0 to disable.
        !          1048: 
        !          1049: .TP
        !          1050: .BR charon.plugins.kernel-netlink.parallel_route " [no]"
        !          1051: Whether to perform concurrent Netlink ROUTE queries on a single socket. While
        !          1052: parallel queries can improve throughput, they add overhead. On vanilla Linux,
        !          1053: DUMP queries fail with EBUSY and must be retried, further decreasing
        !          1054: performance.
        !          1055: 
        !          1056: .TP
        !          1057: .BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
        !          1058: Whether to perform concurrent Netlink XFRM queries on a single socket.
        !          1059: 
        !          1060: .TP
        !          1061: .BR charon.plugins.kernel-netlink.policy_update " [no]"
        !          1062: Whether to always use XFRM_MSG_UPDPOLICY to install policies.
        !          1063: 
        !          1064: .TP
        !          1065: .BR charon.plugins.kernel-netlink.port_bypass " [no]"
        !          1066: Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
        !          1067: policies are used to exempt IKE traffic from XFRM processing. The default socket
        !          1068: based policies are directly tied to the IKE UDP sockets, port based policies use
        !          1069: global XFRM bypass policies for the used IKE UDP ports.
        !          1070: 
        !          1071: .TP
        !          1072: .BR charon.plugins.kernel-netlink.process_rules " [no]"
        !          1073: Whether to process changes in routing rules to trigger roam events. This is
        !          1074: currently only useful if the kernel based route lookup is used (i.e. if route
        !          1075: installation is disabled or an inverted fwmark match is configured).
        !          1076: 
        !          1077: .TP
        !          1078: .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
        !          1079: Maximum Netlink socket receive buffer in bytes. This value controls how many
        !          1080: bytes of Netlink messages can be received on a Netlink socket. The default value
        !          1081: is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the
        !          1082: system\-wide maximum from /proc/sys/net/core/rmem_max, unless
        !          1083: .RI "" "force_receive_buffer_size" ""
        !          1084: is enabled.
        !          1085: 
        !          1086: .TP
        !          1087: .BR charon.plugins.kernel-netlink.retries " [0]"
        !          1088: Number of Netlink message retransmissions to send on timeout.
        !          1089: 
        !          1090: .TP
        !          1091: .BR charon.plugins.kernel-netlink.roam_events " [yes]"
        !          1092: Whether to trigger roam events when interfaces, addresses or routes change.
        !          1093: 
        !          1094: .TP
        !          1095: .BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]"
        !          1096: Whether to set protocol and ports in the selector installed on transport mode
        !          1097: IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
        !          1098: it also prevents the use of a single IPsec SA by more than one traffic selector.
        !          1099: 
        !          1100: .TP
        !          1101: .B charon.plugins.kernel-netlink.spdh_thresh
        !          1102: .br
        !          1103: XFRM policy hashing threshold configuration for IPv4 and IPv6.
        !          1104: 
        !          1105: The section defines hashing thresholds to configure in the kernel during daemon
        !          1106: startup. Each address family takes a threshold for the local subnet of an IPsec
        !          1107: policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
        !          1108: subnet (dst in out\-policies, src in in\- and forward\-policies).
        !          1109: 
        !          1110: If the subnet has at least as many net bits as the threshold, the first threshold
        !          1111: bits are used to calculate a hash to lookup the policy.
        !          1112: 
        !          1113: Policy hashing thresholds are not supported before Linux 3.18 and might conflict
        !          1114: with socket policies before Linux 4.8.
        !          1115: 
        !          1116: .TP
        !          1117: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
        !          1118: Local subnet XFRM policy hashing threshold for IPv4.
        !          1119: 
        !          1120: .TP
        !          1121: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
        !          1122: Remote subnet XFRM policy hashing threshold for IPv4.
        !          1123: 
        !          1124: .TP
        !          1125: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
        !          1126: Local subnet XFRM policy hashing threshold for IPv6.
        !          1127: 
        !          1128: .TP
        !          1129: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
        !          1130: Remote subnet XFRM policy hashing threshold for IPv6.
        !          1131: 
        !          1132: .TP
        !          1133: .BR charon.plugins.kernel-netlink.timeout " [0]"
        !          1134: Netlink message retransmission timeout, 0 to disable retransmissions.
        !          1135: 
        !          1136: .TP
        !          1137: .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
        !          1138: Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
        !          1139: policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
        !          1140: Indirectly controls the delay between XFRM acquire messages triggered by the
        !          1141: kernel for a trap policy. The same value is used as timeout for SPIs allocated
        !          1142: by the kernel. The default value equals the total retransmission timeout for
        !          1143: IKE messages, see IKEv2 RETRANSMISSION in
        !          1144: .RB "" "strongswan.conf" "(5)."
        !          1145: 
        !          1146: 
        !          1147: .TP
        !          1148: .BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
        !          1149: Size of the receive buffer for the event socket (0 for default size). Because
        !          1150: events are received asynchronously, installing e.g. lots of policies may require
        !          1151: a larger buffer than the default on certain platforms in order to receive all
        !          1152: messages.
        !          1153: 
        !          1154: .TP
        !          1155: .BR charon.plugins.kernel-pfkey.route_via_internal " [no]"
        !          1156: Whether to use the internal or external interface in installed routes. The
        !          1157: internal interface is the one where the IP address contained in the local
        !          1158: traffic selector is located, the external interface is the one over which the
        !          1159: destination address of the IPsec tunnel can be reached. This is not relevant if
        !          1160: virtual IPs are used, for which a TUN device is created that's used in the
        !          1161: routes.
        !          1162: 
        !          1163: .TP
        !          1164: .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
        !          1165: Time in ms to wait until virtual IP addresses appear/disappear before failing.
        !          1166: 
        !          1167: .TP
        !          1168: .BR charon.plugins.led.activity_led " []"
        !          1169: .TP
        !          1170: .BR charon.plugins.led.blink_time " [50]"
        !          1171: .TP
        !          1172: .B charon.plugins.load-tester
        !          1173: .br
        !          1174: Section to configure the load\-tester plugin, see LOAD TESTS in
        !          1175: .RB "" "strongswan.conf" "(5)"
        !          1176: for details.
        !          1177: 
        !          1178: .TP
        !          1179: .B charon.plugins.load-tester.addrs
        !          1180: .br
        !          1181: Section that contains key/value pairs with address pools (in CIDR notation) to
        !          1182: use for a specific network interface e.g. eth0 = 10.10.0.0/16.
        !          1183: 
        !          1184: .TP
        !          1185: .BR charon.plugins.load-tester.addrs_keep " [no]"
        !          1186: Whether to keep dynamic addresses even after the associated SA got terminated.
        !          1187: 
        !          1188: .TP
        !          1189: .BR charon.plugins.load-tester.addrs_prefix " [16]"
        !          1190: Network prefix length to use when installing dynamic addresses. If set to \-1 the
        !          1191: full address is used (i.e. 32 or 128).
        !          1192: 
        !          1193: .TP
        !          1194: .BR charon.plugins.load-tester.ca_dir " []"
        !          1195: Directory to load (intermediate) CA certificates from.
        !          1196: 
        !          1197: .TP
        !          1198: .BR charon.plugins.load-tester.child_rekey " [600]"
        !          1199: Seconds to start CHILD_SA rekeying after setup.
        !          1200: 
        !          1201: .TP
        !          1202: .BR charon.plugins.load-tester.crl " []"
        !          1203: URI to a CRL to include as certificate distribution point in generated
        !          1204: certificates.
        !          1205: 
        !          1206: .TP
        !          1207: .BR charon.plugins.load-tester.delay " [0]"
        !          1208: Delay between initiations for each thread.
        !          1209: 
        !          1210: .TP
        !          1211: .BR charon.plugins.load-tester.delete_after_established " [no]"
        !          1212: Delete an IKE_SA as soon as it has been established.
        !          1213: 
        !          1214: .TP
        !          1215: .BR charon.plugins.load-tester.digest " [sha1]"
        !          1216: Digest algorithm used when issuing certificates.
        !          1217: 
        !          1218: .TP
        !          1219: .BR charon.plugins.load-tester.dpd_delay " [0]"
        !          1220: DPD delay to use in load test.
        !          1221: 
        !          1222: .TP
        !          1223: .BR charon.plugins.load-tester.dynamic_port " [0]"
        !          1224: Base port to be used for requests (each client uses a different port).
        !          1225: 
        !          1226: .TP
        !          1227: .BR charon.plugins.load-tester.eap_password " [default-pwd]"
        !          1228: EAP secret to use in load test.
        !          1229: 
        !          1230: .TP
        !          1231: .BR charon.plugins.load-tester.enable " [no]"
        !          1232: Enable the load testing plugin.
        !          1233: .RB "" "WARNING" ":"
        !          1234: Never enable this plugin on
        !          1235: production systems. It provides preconfigured credentials and allows an attacker
        !          1236: to authenticate as any user.
        !          1237: 
        !          1238: .TP
        !          1239: .BR charon.plugins.load-tester.esp " [aes128-sha1]"
        !          1240: CHILD_SA proposal to use for load tests.
        !          1241: 
        !          1242: .TP
        !          1243: .BR charon.plugins.load-tester.fake_kernel " [no]"
        !          1244: Fake the kernel interface to allow load\-testing against self.
        !          1245: 
        !          1246: .TP
        !          1247: .BR charon.plugins.load-tester.ike_rekey " [0]"
        !          1248: Seconds to start IKE_SA rekeying after setup.
        !          1249: 
        !          1250: .TP
        !          1251: .BR charon.plugins.load-tester.init_limit " [0]"
        !          1252: Global limit of concurrently established SAs during load test.
        !          1253: 
        !          1254: .TP
        !          1255: .BR charon.plugins.load-tester.initiator " [0.0.0.0]"
        !          1256: Address to initiate from.
        !          1257: 
        !          1258: .TP
        !          1259: .BR charon.plugins.load-tester.initiator_auth " [pubkey]"
        !          1260: Authentication method(s) the initiator uses.
        !          1261: 
        !          1262: .TP
        !          1263: .BR charon.plugins.load-tester.initiator_id " []"
        !          1264: Initiator ID used in load test.
        !          1265: 
        !          1266: .TP
        !          1267: .BR charon.plugins.load-tester.initiator_match " []"
        !          1268: Initiator ID to match against as responder.
        !          1269: 
        !          1270: .TP
        !          1271: .BR charon.plugins.load-tester.initiator_tsi " []"
        !          1272: Traffic selector on initiator side, as proposed by initiator.
        !          1273: 
        !          1274: .TP
        !          1275: .BR charon.plugins.load-tester.initiator_tsr " []"
        !          1276: Traffic selector on responder side, as proposed by initiator.
        !          1277: 
        !          1278: .TP
        !          1279: .BR charon.plugins.load-tester.initiators " [0]"
        !          1280: Number of concurrent initiator threads to use in load test.
        !          1281: 
        !          1282: .TP
        !          1283: .BR charon.plugins.load-tester.issuer_cert " []"
        !          1284: Path to the issuer certificate (if not configured a hard\-coded default value is
        !          1285: used).
        !          1286: 
        !          1287: .TP
        !          1288: .BR charon.plugins.load-tester.issuer_key " []"
        !          1289: Path to private key that is used to issue certificates (if not configured a
        !          1290: hard\-coded default value is used).
        !          1291: 
        !          1292: .TP
        !          1293: .BR charon.plugins.load-tester.iterations " [1]"
        !          1294: Number of IKE_SAs to initiate by each initiator in load test.
        !          1295: 
        !          1296: .TP
        !          1297: .BR charon.plugins.load-tester.mode " [tunnel]"
        !          1298: IPsec mode to use, one of
        !          1299: .RI "" "tunnel" ","
        !          1300: .RI "" "transport" ","
        !          1301: or
        !          1302: .RI "" "beet" "."
        !          1303: 
        !          1304: 
        !          1305: .TP
        !          1306: .BR charon.plugins.load-tester.pool " []"
        !          1307: Provide INTERNAL_IPV4_ADDRs from a named pool.
        !          1308: 
        !          1309: .TP
        !          1310: .BR charon.plugins.load-tester.preshared_key " [<default-psk>]"
        !          1311: Preshared key to use in load test.
        !          1312: 
        !          1313: .TP
        !          1314: .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
        !          1315: IKE proposal to use in load test.
        !          1316: 
        !          1317: .TP
        !          1318: .BR charon.plugins.load-tester.request_virtual_ip " [no]"
        !          1319: Request an INTERNAL_IPV4_ADDR from the server.
        !          1320: 
        !          1321: .TP
        !          1322: .BR charon.plugins.load-tester.responder " [127.0.0.1]"
        !          1323: Address to initiate connections to.
        !          1324: 
        !          1325: .TP
        !          1326: .BR charon.plugins.load-tester.responder_auth " [pubkey]"
        !          1327: Authentication method(s) the responder uses.
        !          1328: 
        !          1329: .TP
        !          1330: .BR charon.plugins.load-tester.responder_id " []"
        !          1331: Responder ID used in load test.
        !          1332: 
        !          1333: .TP
        !          1334: .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
        !          1335: Traffic selector on initiator side, as narrowed by responder.
        !          1336: 
        !          1337: .TP
        !          1338: .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
        !          1339: Traffic selector on responder side, as narrowed by responder.
        !          1340: 
        !          1341: .TP
        !          1342: .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
        !          1343: Shutdown the daemon after all IKE_SAs have been established.
        !          1344: 
        !          1345: .TP
        !          1346: .BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
        !          1347: Socket provided by the load\-tester plugin.
        !          1348: 
        !          1349: .TP
        !          1350: .BR charon.plugins.load-tester.version " [0]"
        !          1351: IKE version to use (0 means use IKEv2 as initiator and accept any version as
        !          1352: responder).
        !          1353: 
        !          1354: .TP
        !          1355: .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
        !          1356: Socket provided by the lookip plugin.
        !          1357: 
        !          1358: .TP
        !          1359: .BR charon.plugins.ntru.parameter_set " [optimum]"
        !          1360: The following parameter sets are available:
        !          1361: .RB "" "x9_98_speed" ","
        !          1362: .RB "" "x9_98_bandwidth" ","
        !          1363: .RB "" "x9_98_balance" ""
        !          1364: and
        !          1365: .RB "" "optimum" ","
        !          1366: the last set not being
        !          1367: part of the X9.98 standard but having the best performance.
        !          1368: 
        !          1369: .TP
        !          1370: .BR charon.plugins.openssl.engine_id " [pkcs11]"
        !          1371: ENGINE ID to use in the OpenSSL plugin.
        !          1372: 
        !          1373: .TP
        !          1374: .BR charon.plugins.openssl.fips_mode " [0]"
        !          1375: Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
        !          1376: 
        !          1377: .TP
        !          1378: .BR charon.plugins.osx-attr.append " [yes]"
        !          1379: Whether DNS servers are appended to existing entries, instead of replacing them.
        !          1380: 
        !          1381: .TP
        !          1382: .B charon.plugins.p-cscf.enable
        !          1383: .br
        !          1384: Section to enable requesting P\-CSCF server addresses for individual connections.
        !          1385: 
        !          1386: .TP
        !          1387: .BR charon.plugins.p-cscf.enable.<conn> " [no]"
        !          1388: <conn> is the name of a connection with an ePDG from which to request P\-CSCF
        !          1389: server addresses.  Requests will be sent for addresses of the same families for
        !          1390: which internal IPs are requested.
        !          1391: 
        !          1392: .TP
        !          1393: .B charon.plugins.pkcs11.modules
        !          1394: .br
        !          1395: List of available PKCS#11 modules.
        !          1396: 
        !          1397: .TP
        !          1398: .BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]"
        !          1399: Whether to automatically load certificates from tokens.
        !          1400: 
        !          1401: .TP
        !          1402: .BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]"
        !          1403: Whether OS locking should be enabled for this module.
        !          1404: 
        !          1405: .TP
        !          1406: .BR charon.plugins.pkcs11.modules.<name>.path " []"
        !          1407: Full path to the shared object file of this PKCS#11 module.
        !          1408: 
        !          1409: .TP
        !          1410: .BR charon.plugins.pkcs11.reload_certs " [no]"
        !          1411: Reload certificates from all tokens if charon receives a SIGHUP.
        !          1412: 
        !          1413: .TP
        !          1414: .BR charon.plugins.pkcs11.use_dh " [no]"
        !          1415: Whether the PKCS#11 modules should be used for DH and ECDH (see
        !          1416: .RI "" "use_ecc" ""
        !          1417: option).
        !          1418: 
        !          1419: .TP
        !          1420: .BR charon.plugins.pkcs11.use_ecc " [no]"
        !          1421: Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
        !          1422: operations. ECDSA private keys can be used regardless of this option.
        !          1423: 
        !          1424: .TP
        !          1425: .BR charon.plugins.pkcs11.use_hasher " [no]"
        !          1426: Whether the PKCS#11 modules should be used to hash data.
        !          1427: 
        !          1428: .TP
        !          1429: .BR charon.plugins.pkcs11.use_pubkey " [no]"
        !          1430: Whether the PKCS#11 modules should be used for public key operations, even for
        !          1431: keys not stored on tokens.
        !          1432: 
        !          1433: .TP
        !          1434: .BR charon.plugins.pkcs11.use_rng " [no]"
        !          1435: Whether the PKCS#11 modules should be used as RNG.
        !          1436: 
        !          1437: .TP
        !          1438: .BR charon.plugins.radattr.dir " []"
        !          1439: Directory where RADIUS attributes are stored in client\-ID specific files.
        !          1440: 
        !          1441: .TP
        !          1442: .BR charon.plugins.radattr.message_id " [-1]"
        !          1443: Attributes are added to all IKE_AUTH messages by default (\-1), or only to the
        !          1444: IKE_AUTH message with the given IKEv2 message ID.
        !          1445: 
        !          1446: .TP
        !          1447: .BR charon.plugins.random.random " [${random_device}]"
        !          1448: File to read random bytes from.
        !          1449: 
        !          1450: .TP
        !          1451: .BR charon.plugins.random.strong_equals_true " [no]"
        !          1452: If set to yes, the RNG_STRONG class reads random bytes from the same source as
        !          1453: the RNG_TRUE class.
        !          1454: 
        !          1455: .TP
        !          1456: .BR charon.plugins.random.urandom " [${urandom_device}]"
        !          1457: File to read pseudo random bytes from.
        !          1458: 
        !          1459: .TP
        !          1460: .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
        !          1461: File where to add DNS server entries.
        !          1462: 
        !          1463: .TP
        !          1464: .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
        !          1465: Prefix used for interface names sent to
        !          1466: .RB "" "resolvconf" "(8)."
        !          1467: The nameserver
        !          1468: address is appended to this prefix to make it unique.  The result has to be a
        !          1469: valid interface name according to the rules defined by resolvconf.  Also, it
        !          1470: should have a high priority according to the order defined in
        !          1471: .RB "" "interface\-order" "(5)."
        !          1472: 
        !          1473: 
        !          1474: .TP
        !          1475: .BR charon.plugins.revocation.enable_crl " [yes]"
        !          1476: Whether CRL validation should be enabled.
        !          1477: 
        !          1478: .TP
        !          1479: .BR charon.plugins.revocation.enable_ocsp " [yes]"
        !          1480: Whether OCSP validation should be enabled.
        !          1481: 
        !          1482: .TP
        !          1483: .BR charon.plugins.save-keys.esp " [no]"
        !          1484: Whether to save ESP keys.
        !          1485: 
        !          1486: .TP
        !          1487: .BR charon.plugins.save-keys.ike " [no]"
        !          1488: Whether to save IKE keys.
        !          1489: 
        !          1490: .TP
        !          1491: .BR charon.plugins.save-keys.load " [no]"
        !          1492: Whether to load the plugin.
        !          1493: 
        !          1494: .TP
        !          1495: .BR charon.plugins.save-keys.wireshark_keys " []"
        !          1496: Directory where the keys are stored in the format supported by Wireshark. IKEv1
        !          1497: keys are stored in the
        !          1498: .RI "" "ikev1_decryption_table" ""
        !          1499: file. IKEv2 keys are stored in
        !          1500: the
        !          1501: .RI "" "ikev2_decryption_table" ""
        !          1502: file. Keys for ESP CHILD_SAs are stored in the
        !          1503: .RI "" "esp_sa" ""
        !          1504: file.
        !          1505: 
        !          1506: .TP
        !          1507: .BR charon.plugins.socket-default.fwmark " []"
        !          1508: Firewall mark to set on outbound packets.
        !          1509: 
        !          1510: .TP
        !          1511: .BR charon.plugins.socket-default.set_source " [yes]"
        !          1512: Set source address on outbound packets, if possible.
        !          1513: 
        !          1514: .TP
        !          1515: .BR charon.plugins.socket-default.set_sourceif " [no]"
        !          1516: Force sending interface on outbound packets, if possible. This allows using IPv6
        !          1517: link\-local addresses as tunnel endpoints.
        !          1518: 
        !          1519: .TP
        !          1520: .BR charon.plugins.socket-default.use_ipv4 " [yes]"
        !          1521: Listen on IPv4, if possible.
        !          1522: 
        !          1523: .TP
        !          1524: .BR charon.plugins.socket-default.use_ipv6 " [yes]"
        !          1525: Listen on IPv6, if possible.
        !          1526: 
        !          1527: .TP
        !          1528: .BR charon.plugins.sql.database " []"
        !          1529: Database URI for charon's SQL plugin. If it contains a password, make sure to
        !          1530: adjust the permissions of the config file accordingly.
        !          1531: 
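As an added example (not strongSwan's own code), the following Python parses a strongswan.conf fragment into the dotted option names used throughout this page and audits the settings described above whose descriptions carry a security consequence: the load-tester WARNING, save-keys, revocation, credential-bearing values such as sql.database together with the config file permissions they require, and kernel-netlink.xfrm_acq_expires against the IKE retransmission total it is documented to equal. The charon.retransmit_tries, retransmit_timeout and retransmit_base names and their defaults are taken from the IKEv2 RETRANSMISSION section of strongswan.conf(5), which is referenced but not shown in this excerpt; the sample configuration, its paths and its credentials are constructed.

```python
"""Audit a strongswan.conf fragment for the charon.plugins options documented
above.  Added example, not part of strongSwan; option names and defaults are
taken from the page, the charon.retransmit_* names from the IKEv2
RETRANSMISSION section of strongswan.conf(5)."""
import re
import stat

# Constructed sample configuration in strongswan.conf syntax (nested sections
# in braces, "key = value" lines, '#' comments).  Paths and credentials are
# made up for the example.
SAMPLE_CONF = """
charon {
    retransmit_tries = 5
    retransmit_timeout = 4.0
    retransmit_base = 1.8
    plugins {
        load-tester {
            enable = yes            # never on a production system
        }
        save-keys {
            load = yes
            ike = yes
            esp = no
            wireshark_keys = /tmp/wireshark-keys
        }
        revocation {
            enable_crl = no
        }
        sql {
            database = mysql://ipsec:s3cret@localhost/ipsec
        }
        kernel-netlink {
            xfrm_acq_expires = 60
        }
    }
}
"""

PLUGINS = 'charon.plugins.'
# Values that are secrets by definition, and values that may embed one
# (a password inside a database URI).
SECRET_KEYS = ('tnc-ifmap.username_password', 'tnc-pdp.radius.secret')
URI_KEYS = ('sql.database',)


def parse_conf(text):
    """Flatten strongswan.conf text into {'dotted.key': 'value'}, the key form
    used throughout strongswan.conf(5).  Supports nested sections and '#'
    comments; one-line sections and 'include' statements are not handled."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            stack.append(line[:-1].strip())
        elif line == '}':
            stack.pop()
        else:
            key, _, value = line.partition('=')
            conf['.'.join(stack + [key.strip()])] = value.strip()
    return conf


def retransmission_total(conf):
    """Total IKE retransmission timeout in seconds: the initial send plus each
    retry, i.e. the sum of timeout * base**i for i = 0..tries.  With the
    strongSwan defaults (5 tries, 4.0 s, base 1.8) this is about 165 s, the
    documented default of charon.plugins.kernel-netlink.xfrm_acq_expires."""
    tries = int(conf.get('charon.retransmit_tries', 5))
    timeout = float(conf.get('charon.retransmit_timeout', 4.0))
    base = float(conf.get('charon.retransmit_base', 1.8))
    return sum(timeout * base ** i for i in range(tries + 1))


def audit(conf, conf_mode=0o600):
    """Return findings for a parsed config; conf_mode is the permission bits
    of the config file, passed in so the example runs without touching disk."""
    def get(key, default):
        return conf.get(PLUGINS + key, default)

    findings = []
    if get('load-tester.enable', 'no') == 'yes':
        findings.append('load-tester enabled: preconfigured credentials let '
                        'anyone authenticate as any user')
    if get('save-keys.load', 'no') == 'yes':
        for proto in ('ike', 'esp'):
            if get('save-keys.' + proto, 'no') == 'yes':
                findings.append('save-keys writes %s keys to %s' % (
                    proto.upper(), get('save-keys.wireshark_keys', '(unset)')))
    for opt in ('enable_crl', 'enable_ocsp'):
        if get('revocation.' + opt, 'yes') == 'no':
            findings.append('revocation.%s=no: that revocation check is '
                            'skipped' % opt)
    # A file carrying credentials must not be readable by group or others.
    exposed = conf_mode & (stat.S_IRWXG | stat.S_IRWXO)
    for key in SECRET_KEYS + URI_KEYS:
        value = get(key, '')
        has_secret = bool(value) and (key in SECRET_KEYS or
                                      re.search(r'://[^/@]*:[^/@]+@', value))
        if has_secret and exposed:
            findings.append('%s holds a credential but the config file mode '
                            'is %o' % (key, conf_mode))
    acq = float(get('kernel-netlink.xfrm_acq_expires', 165))
    total = retransmission_total(conf)
    if acq < int(total):
        findings.append('xfrm_acq_expires=%g s is below the IKE retransmission '
                        'total of %.0f s' % (acq, total))
    return findings


if __name__ == '__main__':
    for finding in audit(parse_conf(SAMPLE_CONF), conf_mode=0o644):
        print('-', finding)
```
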
        !          1532: .TP
        !          1533: .BR charon.plugins.sql.loglevel " [-1]"
        !          1534: Loglevel for logging to SQL database.
        !          1535: 
        !          1536: .TP
        !          1537: .BR charon.plugins.stroke.allow_swap " [yes]"
        !          1538: Analyze addresses/hostnames in
        !          1539: .RI "" "left|right" ""
        !          1540: to detect which side is local and
        !          1541: swap configuration options if necessary. If disabled
        !          1542: .RI "" "left" ""
        !          1543: is always
        !          1544: .RI "" "local" "."
        !          1545: 
        !          1546: 
        !          1547: .TP
        !          1548: .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
        !          1549: Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
        !          1550: certificates even if they don't contain a CA basic constraint.
        !          1551: 
        !          1552: .TP
        !          1553: .BR charon.plugins.stroke.max_concurrent " [4]"
        !          1554: Maximum number of stroke messages handled concurrently.
        !          1555: 
        !          1556: .TP
        !          1557: .BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
        !          1558: If enabled, log level changes via the stroke socket are not allowed.
        !          1559: 
        !          1560: .TP
        !          1561: .BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]"
        !          1562: Location of the ipsec.secrets file.
        !          1563: 
        !          1564: .TP
        !          1565: .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
        !          1566: Socket provided by the stroke plugin.
        !          1567: 
        !          1568: .TP
        !          1569: .BR charon.plugins.stroke.timeout " [0]"
        !          1570: Timeout in ms for any stroke command. Use 0 to disable the timeout.
        !          1571: 
        !          1572: .TP
        !          1573: .BR charon.plugins.systime-fix.interval " [0]"
        !          1574: Interval in seconds to check system time for validity. 0 disables the check.
        !          1575: 
        !          1576: .TP
        !          1577: .BR charon.plugins.systime-fix.reauth " [no]"
        !          1578: Whether to use reauth or delete if an invalid cert lifetime is detected.
        !          1579: 
        !          1580: .TP
        !          1581: .BR charon.plugins.systime-fix.threshold " []"
        !          1582: Threshold date where system time is considered valid. Disabled if not specified.
        !          1583: 
        !          1584: .TP
        !          1585: .BR charon.plugins.systime-fix.threshold_format " [%Y]"
        !          1586: .RB "" "strptime" "(3)"
        !          1587: format used to parse threshold option.
        !          1588: 
        !          1589: .TP
        !          1590: .BR charon.plugins.systime-fix.timeout " [0s]"
        !          1591: How long to wait for a valid system time if an interval is configured. 0 to
        !          1592: recheck indefinitely.
        !          1593: 
        !          1594: .TP
        !          1595: .BR charon.plugins.tnc-ifmap.client_cert " []"
        !          1596: Path to X.509 certificate file of IF\-MAP client.
        !          1597: 
        !          1598: .TP
        !          1599: .BR charon.plugins.tnc-ifmap.client_key " []"
        !          1600: Path to private key file of IF\-MAP client.
        !          1601: 
        !          1602: .TP
        !          1603: .BR charon.plugins.tnc-ifmap.device_name " []"
        !          1604: Unique name of strongSwan server as a PEP and/or PDP device.
        !          1605: 
        !          1606: .TP
        !          1607: .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
        !          1608: Interval in seconds between periodic IF\-MAP RenewSession requests.
        !          1609: 
        !          1610: .TP
        !          1611: .BR charon.plugins.tnc-ifmap.server_cert " []"
        !          1612: Path to X.509 certificate file of IF\-MAP server.
        !          1613: 
        !          1614: .TP
        !          1615: .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
        !          1616: URI of the form [https://]servername[:port][/path].
        !          1617: 
        !          1618: .TP
        !          1619: .BR charon.plugins.tnc-ifmap.username_password " []"
        !          1620: Credentials of IF\-MAP client of the form username:password. If set, make sure to
        !          1621: adjust the permissions of the config file accordingly.
        !          1622: 
        !          1623: .TP
        !          1624: .BR charon.plugins.tnc-imc.dlclose " [yes]"
        !          1625: Unload IMC after use.
        !          1626: 
        !          1627: .TP
        !          1628: .BR charon.plugins.tnc-imc.preferred_language " [en]"
        !          1629: Preferred language for TNC recommendations.
        !          1630: 
        !          1631: .TP
        !          1632: .BR charon.plugins.tnc-imv.dlclose " [yes]"
        !          1633: Unload IMV after use.
        !          1634: 
        !          1635: .TP
        !          1636: .BR charon.plugins.tnc-imv.recommendation_policy " [default]"
        !          1637: TNC recommendation policy, one of
        !          1638: .RI "" "default" ","
        !          1639: .RI "" "any" ","
        !          1640: or
        !          1641: .RI "" "all" "."
        !          1642: 
        !          1643: 
        !          1644: .TP
        !          1645: .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
        !          1646: Enable PT\-TLS protocol on the strongSwan PDP.
        !          1647: 
        !          1648: .TP
        !          1649: .BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
        !          1650: PT\-TLS server port the strongSwan PDP is listening on.
        !          1651: 
        !          1652: .TP
        !          1653: .BR charon.plugins.tnc-pdp.radius.enable " [yes]"
        !          1654: Enable RADIUS protocol on the strongSwan PDP.
        !          1655: 
        !          1656: .TP
        !          1657: .BR charon.plugins.tnc-pdp.radius.method " [ttls]"
        !          1658: EAP tunnel method to be used.
        !          1659: 
        !          1660: .TP
        !          1661: .BR charon.plugins.tnc-pdp.radius.port " [1812]"
        !          1662: RADIUS server port the strongSwan PDP is listening on.
        !          1663: 
        !          1664: .TP
        !          1665: .BR charon.plugins.tnc-pdp.radius.secret " []"
        !          1666: Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
        !          1667: the permissions of the config file accordingly.
        !          1668: 
        !          1669: .TP
        !          1670: .BR charon.plugins.tnc-pdp.server " []"
        !          1671: Name of the strongSwan PDP as contained in the AAA certificate.
        !          1672: 
        !          1673: .TP
        !          1674: .BR charon.plugins.tnc-pdp.timeout " []"
        !          1675: Timeout in seconds before closing incomplete connections.
        !          1676: 
        !          1677: .TP
        !          1678: .BR charon.plugins.tnccs-11.max_message_size " [45000]"
        !          1679: Maximum size of a PA\-TNC message (XML & Base64 encoding).
        !          1680: 
        !          1681: .TP
        !          1682: .BR charon.plugins.tnccs-20.max_batch_size " [65522]"
        !          1683: Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
        !          1684: 
        !          1685: .TP
        !          1686: .BR charon.plugins.tnccs-20.max_message_size " [65490]"
        !          1687: Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
        !          1688: 
        !          1689: .TP
        !          1690: .BR charon.plugins.tnccs-20.mutual " [no]"
        !          1691: Enable PB\-TNC mutual protocol.
        !          1692: 
        !          1693: .TP
        !          1694: .BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
        !          1695: Send an unsupported PB\-TNC message type with the NOSKIP flag set.
        !          1696: 
        !          1697: .TP
        !          1698: .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
        !          1699: Send a PB\-TNC batch with a modified PB\-TNC version.
        !          1700: 
        !          1701: .TP
        !          1702: .BR charon.plugins.tpm.fips_186_4 " [no]"
        !          1703: Whether the TPM 2.0 is FIPS\-186\-4 compliant, which forces e.g. the use of the
        !          1704: default salt length instead of the maximum salt length with RSA\-PSS padding.
        !          1705: 
        !          1706: .TP
        !          1707: .BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
        !          1708: Name of TPM 2.0 TCTI library. Valid values:
        !          1709: .RI "" "tabrmd" ","
        !          1710: .RI "" "device" ""
        !          1711: or
        !          1712: .RI "" "mssim" "."
        !          1713: Defaults are
        !          1714: .RI "" "device" ""
        !          1715: if the
        !          1716: .RI "" "/dev/tpmrm0" ""
        !          1717: in\-kernel TPM 2.0 resource manager
        !          1718: device exists, and
        !          1719: .RI "" "tabrmd" ""
        !          1720: otherwise, requiring the D\-Bus based TPM 2.0 access
        !          1721: broker and resource manager to be available.
        !          1722: 
        !          1723: .TP
        !          1724: .BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|<none>]"
        !          1725: Options for the TPM 2.0 TCTI library. Defaults are
        !          1726: .RI "" "/dev/tpmrm0" ""
        !          1727: if the TCTI
        !          1728: library name is
        !          1729: .RI "" "device" ""
        !          1730: and no options otherwise.
        !          1731: 
        !          1732: .TP
        !          1733: .BR charon.plugins.tpm.use_rng " [no]"
        !          1734: Whether the TPM should be used as RNG.
        !          1735: 
        !          1736: .TP
        !          1737: .BR charon.plugins.unbound.dlv_anchors " []"
        !          1738: File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
        !          1739: the same format as
        !          1740: .RI "" "trust_anchors" "."
        !          1741: Only one DLV can be configured, which is
        !          1742: then used as the root trusted DLV, that is, it is a lookaside for the root.
        !          1743: 
        !          1744: .TP
        !          1745: .BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
        !          1746: File to read DNS resolver configuration from.
        !          1747: 
        !          1748: .TP
        !          1749: .BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
        !          1750: File to read DNSSEC trust anchors from (usually root zone KSK). The format of
        !          1751: the file is the standard DNS Zone file format, anchors can be stored as DS or
        !          1752: DNSKEY entries in the file.
        !          1753: 
        !          1754: .TP
        !          1755: .BR charon.plugins.updown.dns_handler " [no]"
        !          1756: Whether the updown script should handle DNS servers assigned via IKEv1 Mode
        !          1757: Config or IKEv2 Config Payloads (if enabled, they can't be handled by other
        !          1758: plugins, like resolve).
        !          1759: 
        !          1760: .TP
        !          1761: .BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
        !          1762: Socket the vici plugin serves clients.
        !          1763: 
        !          1764: .TP
        !          1765: .BR charon.plugins.whitelist.enable " [yes]"
        !          1766: Enable loaded whitelist plugin.
        !          1767: 
        !          1768: .TP
        !          1769: .BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
        !          1770: Socket provided by the whitelist plugin.
        !          1771: 
        !          1772: .TP
        !          1773: .BR charon.plugins.wolfssl.fips_mode " [no]"
        !          1774: Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
        !          1775: 
        !          1776: .TP
        !          1777: .BR charon.plugins.xauth-eap.backend " [radius]"
        !          1778: EAP plugin to be used as backend for XAuth credential verification.
        !          1779: 
        !          1780: .TP
        !          1781: .BR charon.plugins.xauth-pam.pam_service " [login]"
        !          1782: PAM service to be used for authentication.
        !          1783: 
        !          1784: .TP
        !          1785: .BR charon.plugins.xauth-pam.session " [no]"
        !          1786: Open/close a PAM session for each active IKE_SA.
        !          1787: 
        !          1788: .TP
        !          1789: .BR charon.plugins.xauth-pam.trim_email " [yes]"
        !          1790: If an email address is received as an XAuth username, trim it to just the
        !          1791: username part.
        !          1792: 
        !          1793: .TP
        !          1794: .BR charon.port " [500]"
        !          1795: UDP port used locally. If set to 0 a random port will be allocated.
        !          1796: 
        !          1797: .TP
        !          1798: .BR charon.port_nat_t " [4500]"
        !          1799: UDP port used locally in case of NAT\-T. If set to 0 a random port will be
        !          1800: allocated.  Has to be different from
        !          1801: .RB "" "charon.port" ","
        !          1802: otherwise a random port
        !          1803: will be allocated.
        !          1804: 
        !          1805: .TP
        !          1806: .BR charon.prefer_best_path " [no]"
        !          1807: By default, charon keeps SAs on the routing path with addresses it previously
        !          1808: used if that path is still usable. By setting this option to yes, it tries more
        !          1809: aggressively to update SAs with MOBIKE on routing priority changes using the
        !          1810: cheapest path. This adds more noise, but allows SAs to adapt dynamically to
        !          1811: routing priority changes. This option has no effect if MOBIKE is not supported
        !          1812: or disabled.
        !          1813: 
        !          1814: .TP
        !          1815: .BR charon.prefer_configured_proposals " [yes]"
        !          1816: Prefer locally configured proposals for IKE/IPsec over supplied ones as
        !          1817: responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
        !          1818: notifies).
        !          1819: 
        !          1820: .TP
        !          1821: .BR charon.prefer_temporary_addrs " [no]"
        !          1822: By default, permanent IPv6 source addresses are preferred over temporary ones
        !          1823: (RFC 4941), to make connections more stable. Enable this option to reverse this.
        !          1824: 
        !          1825: It also affects which IPv6 addresses are announced as additional addresses if
        !          1826: MOBIKE is used.  If the option is disabled, only permanent addresses are sent,
        !          1827: and only temporary ones if it is enabled.
        !          1828: 
        !          1829: .TP
        !          1830: .BR charon.process_route " [yes]"
        !          1831: Process RTM_NEWROUTE and RTM_DELROUTE events.
        !          1832: 
        !          1833: .TP
        !          1834: .B charon.processor.priority_threads
        !          1835: .br
        !          1836: Section to configure the number of reserved threads per priority class, see JOB
        !          1837: PRIORITY MANAGEMENT in
        !          1838: .RB "" "strongswan.conf" "(5)."
        !          1839: 
        !          1840: 
        !          1841: .TP
        !          1842: .BR charon.rdn_matching " [strict]"
        !          1843: How RDNs in subject DNs of certificates are matched against configured
        !          1844: identities. Possible values are
        !          1845: .RI "" "strict" ""
        !          1846: (the default),
        !          1847: .RI "" "reordered" ","
        !          1848: and
        !          1849: .RI "" "relaxed" "."
        !          1850: With
        !          1851: .RI "" "strict" ""
        !          1852: the number, type and order of all RDNs have to match;
        !          1853: wildcards (*) for the values of RDNs are allowed (that's the case for all three
        !          1854: variants). Using
        !          1855: .RI "" "reordered" ""
        !          1856: also matches DNs if the RDNs appear in a different
        !          1857: order; the number and type still have to match. Finally,
        !          1858: .RI "" "relaxed" ""
        !          1859: also allows
        !          1860: matches of DNs that contain more RDNs than the configured identity (missing RDNs
        !          1861: are treated like a wildcard match).
        !          1862: 
        !          1863: Note that
        !          1864: .RI "" "reordered" ""
        !          1865: and
        !          1866: .RI "" "relaxed" ""
        !          1867: impose a considerable overhead on memory
        !          1868: usage and runtime, in particular, for mismatches, compared to
        !          1869: .RI "" "strict" "."
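The three matching modes as an added example in Python (not strongSwan's own implementation). DNs are handled as ordered lists of (type, value) RDN pairs; parse_dn is a simplified helper for the "T=V, T=V" string form and does not cover escaping or multi-valued RDNs.

```python
"""Added example (not strongSwan code): charon.rdn_matching modes strict,
reordered and relaxed, applied to DNs given as ordered (type, value) RDN lists."""
from typing import FrozenSet, List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a simplified DN string such as 'C=CH, O=strongSwan, CN=*' into RDNs.
    (No escaping or multi-valued RDNs; real X.509 DN parsing is more involved.)"""
    rdns = []
    for part in dn.split(","):
        rdn_type, sep, value = part.strip().partition("=")
        if not rdn_type or not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((rdn_type.strip().upper(), value.strip()))
    return rdns


def _value_matches(configured: str, actual: str) -> bool:
    # A configured value of '*' is a wildcard; allowed in all three modes.
    return configured == "*" or configured == actual


def _match_any_order(identity: List[RDN], subject: List[RDN], allow_extra: bool) -> bool:
    """Assign each configured RDN to a distinct subject RDN of the same type, with
    backtracking so repeated types (e.g. two OU= entries) are handled correctly.
    This search is why reordered/relaxed cost more than strict, especially on
    mismatches, where every possible assignment is tried before giving up."""
    def assign(i: int, used: FrozenSet[int]) -> bool:
        if i == len(identity):
            # relaxed: leftover subject RDNs count as wildcard matches;
            # reordered: every subject RDN must have been consumed.
            return allow_extra or len(used) == len(subject)
        id_type, id_value = identity[i]
        for j, (sub_type, sub_value) in enumerate(subject):
            if j in used or sub_type != id_type or not _value_matches(id_value, sub_value):
                continue
            if assign(i + 1, used | {j}):
                return True
        return False
    return assign(0, frozenset())


def match_strict(identity: List[RDN], subject: List[RDN]) -> bool:
    """strict: number, type and order of all RDNs have to match."""
    return len(identity) == len(subject) and all(
        id_type == sub_type and _value_matches(id_value, sub_value)
        for (id_type, id_value), (sub_type, sub_value) in zip(identity, subject))


def match_reordered(identity: List[RDN], subject: List[RDN]) -> bool:
    """reordered: same number and types, but RDNs may appear in a different order."""
    return len(identity) == len(subject) and _match_any_order(identity, subject, False)


def match_relaxed(identity: List[RDN], subject: List[RDN]) -> bool:
    """relaxed: the subject may also contain RDNs the configured identity lacks."""
    return len(identity) <= len(subject) and _match_any_order(identity, subject, True)


MODES = {"strict": match_strict, "reordered": match_reordered, "relaxed": match_relaxed}


def rdn_match(mode: str, configured_identity: str, cert_subject: str) -> bool:
    """Match a configured identity against a certificate subject DN in one mode."""
    return MODES[mode](parse_dn(configured_identity), parse_dn(cert_subject))


if __name__ == "__main__":
    # Constructed sample identity and subjects for illustration only.
    ident = "C=CH, O=strongSwan, CN=*"
    for subject in ("C=CH, O=strongSwan, CN=moon.strongswan.org",
                    "O=strongSwan, C=CH, CN=moon.strongswan.org",
                    "C=CH, O=strongSwan, OU=Research, CN=moon.strongswan.org"):
        print(subject, {m: rdn_match(m, ident, subject) for m in MODES})
```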
        !          1870: 
        !          1871: 
        !          1872: .TP
        !          1873: .BR charon.receive_delay " [0]"
        !          1874: Delay in ms for receiving packets, to simulate larger RTT.
        !          1875: 
        !          1876: .TP
        !          1877: .BR charon.receive_delay_request " [yes]"
        !          1878: Delay request messages.
        !          1879: 
        !          1880: .TP
        !          1881: .BR charon.receive_delay_response " [yes]"
        !          1882: Delay response messages.
        !          1883: 
        !          1884: .TP
        !          1885: .BR charon.receive_delay_type " [0]"
        !          1886: Specific IKEv2 message type to delay, 0 for any.
        !          1887: 
        !          1888: .TP
        !          1889: .BR charon.replay_window " [32]"
        !          1890: Size of the AH/ESP replay window, in packets.
        !          1891: 
        !          1892: .TP
        !          1893: .BR charon.retransmit_base " [1.8]"
        !          1894: Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
        !          1895: .RB "" "strongswan.conf" "(5)."
        !          1896: 
        !          1897: 
        !          1898: .TP
        !          1899: .BR charon.retransmit_jitter " [0]"
        !          1900: Maximum jitter in percent to apply randomly to calculated retransmission timeout
        !          1901: (0 to disable).
        !          1902: 
        !          1903: .TP
        !          1904: .BR charon.retransmit_limit " [0]"
        !          1905: Upper limit in seconds for calculated retransmission timeout (0 to disable).
        !          1906: 
        !          1907: .TP
        !          1908: .BR charon.retransmit_timeout " [4.0]"
        !          1909: Timeout in seconds before sending first retransmit.
        !          1910: 
        !          1911: .TP
        !          1912: .BR charon.retransmit_tries " [5]"
        !          1913: Number of times to retransmit a packet before giving up.
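The retransmission schedule these five options produce, as an added example in Python (not strongSwan code). The formula for the n\-th retransmit, retransmit_timeout * retransmit_base^(n\-1), is the one given under IKEv2 RETRANSMISSION in strongswan.conf(5); that retransmit_limit is applied before retransmit_jitter and that jitter only ever shortens a timeout are assumptions of this example.

```python
"""Added example (not strongSwan code): the waits that charon.retransmit_* produce.
Formula from IKEv2 RETRANSMISSION in strongswan.conf(5):
    wait before the n-th retransmit = retransmit_timeout * retransmit_base^(n-1)
Assumed here: retransmit_limit caps the wait before jitter is applied, and jitter
randomly shortens the wait by up to retransmit_jitter percent."""
import random
from typing import List, Optional


def retransmit_schedule(retransmit_timeout: float = 4.0, retransmit_base: float = 1.8,
                        retransmit_tries: int = 5, retransmit_limit: float = 0,
                        retransmit_jitter: int = 0,
                        rng: Optional[random.Random] = None) -> List[float]:
    """Return the successive waits in seconds: one before each of the retransmit_tries
    retransmits, plus the final wait after the last retransmit before giving up."""
    if not 0 <= retransmit_jitter <= 100:
        raise ValueError("retransmit_jitter is a percentage")
    if retransmit_tries < 0 or retransmit_timeout <= 0 or retransmit_base <= 0:
        raise ValueError("invalid retransmission parameters")
    rng = rng or random.Random()
    waits = []
    for n in range(retransmit_tries + 1):      # n = 0: wait after the initial send
        timeout = retransmit_timeout * retransmit_base ** n
        if retransmit_limit:                       # 0 disables the upper limit
            timeout = min(timeout, retransmit_limit)
        if retransmit_jitter:                      # 0 disables jitter (assumed semantics)
            timeout -= timeout * rng.uniform(0, retransmit_jitter) / 100.0
        waits.append(timeout)
    return waits


def time_until_give_up(**options) -> float:
    """Total seconds from the first transmission until the exchange is given up."""
    return sum(retransmit_schedule(**options))


if __name__ == "__main__":
    # With the defaults an unanswered request is retransmitted after 4, 7.2, 12.96,
    # 23.3 and 42.0 s and abandoned after a further 75.6 s (about 165 s in total).
    for label, opts in (("defaults", {}),
                        ("retransmit_limit = 30", {"retransmit_limit": 30}),
                        ("retransmit_jitter = 20", {"retransmit_jitter": 20})):
        waits = retransmit_schedule(**opts)
        print("%-24s %s  total %.1fs" % (label, [round(w, 2) for w in waits], sum(waits)))
```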
        !          1914: 
        !          1915: .TP
        !          1916: .BR charon.retry_initiate_interval " [0]"
        !          1917: Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
        !          1918: resolution failed), 0 to disable retries.
        !          1919: 
        !          1920: .TP
        !          1921: .BR charon.reuse_ikesa " [yes]"
        !          1922: Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
        !          1923: 
        !          1924: .TP
        !          1925: .BR charon.routing_table " []"
        !          1926: Numerical routing table to install routes to.
        !          1927: 
        !          1928: .TP
        !          1929: .BR charon.routing_table_prio " []"
        !          1930: Priority of the routing table.
        !          1931: 
        !          1932: .TP
        !          1933: .BR charon.rsa_pss " [no]"
        !          1934: Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
        !          1935: 
        !          1936: .TP
        !          1937: .BR charon.send_delay " [0]"
        !          1938: Delay in ms for sending packets, to simulate larger RTT.
        !          1939: 
        !          1940: .TP
        !          1941: .BR charon.send_delay_request " [yes]"
        !          1942: Delay request messages.
        !          1943: 
        !          1944: .TP
        !          1945: .BR charon.send_delay_response " [yes]"
        !          1946: Delay response messages.
        !          1947: 
        !          1948: .TP
        !          1949: .BR charon.send_delay_type " [0]"
        !          1950: Specific IKEv2 message type to delay, 0 for any.
        !          1951: 
        !          1952: .TP
        !          1953: .BR charon.send_vendor_id " [no]"
        !          1954: Send strongSwan vendor ID payload.
        !          1955: 
        !          1956: .TP
        !          1957: .BR charon.signature_authentication " [yes]"
        !          1958: Whether to enable Signature Authentication as per RFC 7427.
        !          1959: 
        !          1960: .TP
        !          1961: .BR charon.signature_authentication_constraints " [yes]"
        !          1962: If enabled, signature schemes configured in
        !          1963: .RI "" "rightauth" ","
        !          1964: in addition to getting
        !          1965: used as constraints against signature schemes employed in the certificate chain,
        !          1966: are also used as constraints against the signature scheme used by peers during
        !          1967: IKEv2.
        !          1968: 
        !          1969: .TP
        !          1970: .BR charon.spi_label " [0x0000000000000000]"
        !          1971: Value mixed into the local IKE SPIs after applying
        !          1972: .RI "" "spi_mask" "."
        !          1973: 
        !          1974: 
        !          1975: .TP
        !          1976: .BR charon.spi_mask " [0x0000000000000000]"
        !          1977: Mask applied to local IKE SPIs before mixing in
        !          1978: .RI "" "spi_label" ""
        !          1979: (bits set will be
        !          1980: replaced with
        !          1981: .RI "" "spi_label" ")."
        !          1982: 
        !          1983: 
        !          1984: .TP
        !          1985: .BR charon.spi_max " [0xcfffffff]"
        !          1986: The upper limit for SPIs requested from the kernel for IPsec SAs.
        !          1987: 
        !          1988: .TP
        !          1989: .BR charon.spi_min " [0xc0000000]"
        !          1990: The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
        !          1991: set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
        !          1992: 
        !          1993: .TP
        !          1994: .B charon.start-scripts
        !          1995: .br
        !          1996: Section containing a list of scripts (name = path) that are executed when the
        !          1997: daemon is started.
        !          1998: 
        !          1999: .TP
        !          2000: .B charon.stop-scripts
        !          2001: .br
        !          2002: Section containing a list of scripts (name = path) that are executed when the
        !          2003: daemon is terminated.
        !          2004: 
        !          2005: .TP
        !          2006: .B charon.syslog
        !          2007: .br
        !          2008: Section to define syslog loggers, see LOGGER CONFIGURATION in
        !          2009: .RB "" "strongswan.conf" "(5)."
        !          2010: 
        !          2011: 
        !          2012: .TP
        !          2013: .B charon.syslog.<facility>
        !          2014: .br
        !          2015: <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
        !          2016: in
        !          2017: .RB "" "strongswan.conf" "(5)."
        !          2018: 
        !          2019: 
        !          2020: .TP
        !          2021: .BR charon.syslog.<facility>.<subsystem> " [<default>]"
        !          2022: Loglevel for a specific subsystem.
        !          2023: 
        !          2024: .TP
        !          2025: .BR charon.syslog.<facility>.default " [1]"
        !          2026: Specifies the default loglevel to be used for subsystems for which no specific
        !          2027: loglevel is defined.
        !          2028: 
        !          2029: .TP
        !          2030: .BR charon.syslog.<facility>.ike_name " [no]"
        !          2031: Prefix each log entry with the connection name and a unique numerical identifier
        !          2032: for each IKE_SA.
        !          2033: 
        !          2034: .TP
        !          2035: .BR charon.syslog.identifier " []"
        !          2036: Global identifier used for an
        !          2037: .RB "" "openlog" "(3)"
        !          2038: call, prepended to each log message
        !          2039: by syslog.  If not configured,
        !          2040: .RB "" "openlog" "(3)"
        !          2041: is not called, so the value will
        !          2042: depend on system defaults (often the program name).
        !          2043: 
        !          2044: .TP
        !          2045: .BR charon.threads " [16]"
        !          2046: Number of worker threads in charon. Several of these are reserved for long
        !          2047: running tasks in internal modules and plugins. Therefore, make sure you don't
        !          2048: set this value too low. The number of idle worker threads listed in
        !          2049: .RI "" "ipsec statusall" ""
        !          2050: might be used as an indicator of the number of reserved threads.
        !          2051: 
        !          2052: .TP
        !          2053: .BR charon.tls.cipher " []"
        !          2054: List of TLS encryption ciphers.
        !          2055: 
        !          2056: .TP
        !          2057: .BR charon.tls.key_exchange " []"
        !          2058: List of TLS key exchange methods.
        !          2059: 
        !          2060: .TP
        !          2061: .BR charon.tls.mac " []"
        !          2062: List of TLS MAC algorithms.
        !          2063: 
        !          2064: .TP
        !          2065: .BR charon.tls.suites " []"
        !          2066: List of TLS cipher suites.
        !          2067: 
        !          2068: .TP
        !          2069: .BR charon.tnc.tnc_config " [/etc/tnc_config]"
        !          2070: TNC IMC/IMV configuration file.
        !          2071: 
        !          2072: .TP
        !          2073: .BR charon.user " []"
        !          2074: Name of the user the daemon changes to after startup.
        !          2075: 
        !          2076: .TP
        !          2077: .BR charon.x509.enforce_critical " [yes]"
        !          2078: Discard certificates with unsupported or unknown critical extensions.
        !          2079: 
        !          2080: .TP
        !          2081: .BR charon-nm.ca_dir " [<default>]"
        !          2082: Directory from which to load CA certificates if no certificate is configured.
        !          2083: 
        !          2084: .TP
        !          2085: .B charon-systemd.journal
        !          2086: .br
        !          2087: Section to configure native systemd journal logger, very similar to the syslog
        !          2088: logger as described in LOGGER CONFIGURATION in
        !          2089: .RB "" "strongswan.conf" "(5)."
        !          2090: 
        !          2091: 
        !          2092: .TP
        !          2093: .BR charon-systemd.journal.<subsystem> " [<default>]"
        !          2094: Loglevel for a specific subsystem.
        !          2095: 
        !          2096: .TP
        !          2097: .BR charon-systemd.journal.default " [1]"
        !          2098: Specifies the default loglevel to be used for subsystems for which no specific
        !          2099: loglevel is defined.
        !          2100: 
        !          2101: .TP
        !          2102: .BR imv_policy_manager.command_allow " []"
        !          2103: Shell command to be executed with recommendation allow.
        !          2104: 
        !          2105: .TP
        !          2106: .BR imv_policy_manager.command_block " []"
        !          2107: Shell command to be executed with all other recommendations.
        !          2108: 
        !          2109: .TP
        !          2110: .BR imv_policy_manager.database " []"
        !          2111: Database URI for the database that stores the package information. If it
        !          2112: contains a password, make sure to adjust the permissions of the config file
        !          2113: accordingly.
        !          2114: 
        !          2115: .TP
        !          2116: .BR imv_policy_manager.load " [sqlite]"
        !          2117: Plugins to load in IMV policy manager.
        !          2118: 
        !          2119: .TP
        !          2120: .BR libimcv.debug_level " [1]"
        !          2121: Debug level for a stand\-alone
        !          2122: .RI "" "libimcv" ""
        !          2123: library.
        !          2124: 
        !          2125: .TP
        !          2126: .BR libimcv.load " [random nonce gmp pubkey x509]"
        !          2127: Plugins to load in IMC/IMVs with stand\-alone
        !          2128: .RI "" "libimcv" ""
        !          2129: library.
        !          2130: 
        !          2131: .TP
        !          2132: .BR libimcv.plugins.imc-attestation.aik_blob " []"
        !          2133: AIK encrypted private key blob file.
        !          2134: 
        !          2135: .TP
        !          2136: .BR libimcv.plugins.imc-attestation.aik_cert " []"
        !          2137: AIK certificate file.
        !          2138: 
        !          2139: .TP
        !          2140: .BR libimcv.plugins.imc-attestation.aik_handle " []"
        !          2141: AIK object handle.
        !          2142: 
        !          2143: .TP
        !          2144: .BR libimcv.plugins.imc-attestation.aik_pubkey " []"
        !          2145: AIK public key file.
        !          2146: 
        !          2147: .TP
        !          2148: .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
        !          2149: Enforce mandatory Diffie\-Hellman groups.
        !          2150: 
        !          2151: .TP
        !          2152: .BR libimcv.plugins.imc-attestation.nonce_len " [20]"
        !          2153: DH nonce length.
        !          2154: 
        !          2155: .TP
        !          2156: .BR libimcv.plugins.imc-attestation.pcr17_after " []"
        !          2157: PCR17 value after measurement.
        !          2158: 
        !          2159: .TP
        !          2160: .BR libimcv.plugins.imc-attestation.pcr17_before " []"
        !          2161: PCR17 value before measurement.
        !          2162: 
        !          2163: .TP
        !          2164: .BR libimcv.plugins.imc-attestation.pcr17_meas " []"
        !          2165: Dummy measurement value extended into PCR17 if the TBOOT log is not available.
        !          2166: 
        !          2167: .TP
        !          2168: .BR libimcv.plugins.imc-attestation.pcr18_after " []"
        !          2169: PCR18 value after measurement.
        !          2170: 
        !          2171: .TP
        !          2172: .BR libimcv.plugins.imc-attestation.pcr18_before " []"
        !          2173: PCR18 value before measurement.
        !          2174: 
        !          2175: .TP
        !          2176: .BR libimcv.plugins.imc-attestation.pcr18_meas " []"
        !          2177: Dummy measurement value extended into PCR18 if the TBOOT log is not available.
        !          2178: 
        !          2179: .TP
        !          2180: .BR libimcv.plugins.imc-attestation.pcr_info " [no]"
        !          2181: Whether to send pcr_before and pcr_after info.
        !          2182: 
        !          2183: .TP
        !          2184: .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
        !          2185: Use Quote2 AIK signature instead of Quote signature.
        !          2186: 
        !          2187: .TP
        !          2188: .BR libimcv.plugins.imc-attestation.use_version_info " [no]"
        !          2189: Whether Version Info is included in the Quote2 signature.
        !          2190: 
        !          2191: .TP
        !          2192: .BR libimcv.plugins.imc-hcd.push_info " [yes]"
        !          2193: Send quadruple info without being prompted.
        !          2194: 
        !          2195: .TP
        !          2196: .BR libimcv.plugins.imc-hcd.subtypes " []"
        !          2197: Section to define PWG HCD PA subtypes.
        !          2198: 
        !          2199: .TP
        !          2200: .BR libimcv.plugins.imc-hcd.subtypes.<section> " []"
        !          2201: Defines a PWG HCD PA subtype section. Recognized subtype section names are
        !          2202: .RI "" "system" ","
        !          2203: .RI "" "control" ","
        !          2204: .RI "" "marker" ","
        !          2205: .RI "" "finisher" ","
        !          2206: .RI "" "interface" ""
        !          2207: and
        !          2208: .RI "" "scanner" "."
        !          2209: 
        !          2210: 
        !          2211: .TP
        !          2212: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> " []"
        !          2213: Defines a software type section. Recognized software type section names are
        !          2214: .RI "" "firmware" ","
        !          2215: .RI "" "resident_application" ""
        !          2216: and
        !          2217: .RI "" "user_application" "."
        !          2218: 
        !          2219: 
        !          2220: .TP
        !          2221: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> " []"
        !          2222: Defines a software section having an arbitrary name.
        !          2223: 
        !          2224: .TP
        !          2225: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name " []"
        !          2226: Name of the software installed on the hardcopy device.
        !          2227: 
        !          2228: .TP
        !          2229: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches " []"
        !          2230: String describing all patches applied to the given software on this hardcopy
        !          2231: device. The individual patches are separated by a newline character '\\n'.
        !          2232: 
        !          2233: .TP
        !          2234: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version " []"
        !          2235: String describing the version of the given software on this hardcopy device.
        !          2236: 
        !          2237: .TP
        !          2238: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version " []"
        !          2239: Hex\-encoded version string with a length of 16 octets consisting of the fields
        !          2240: major version number (4 octets), minor version number (4 octets), build number
        !          2241: (4 octets), service pack major number (2 octets) and service pack minor number
        !          2242: (2 octets).
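An encoder and parser for this 16\-octet version field, added here as an example (not strongSwan code). The field widths are the ones documented above; big\-endian byte order is an assumption of this example.

```python
"""Added example (not strongSwan code): the hex-encoded 16-octet 'version' value of
an imc-hcd software section.  Widths: major 4, minor 4, build 4, service pack
major 2, service pack minor 2 octets.  Big-endian order is assumed here."""
import struct
from typing import NamedTuple

_LAYOUT = struct.Struct(">IIIHH")    # major, minor, build, sp_major, sp_minor
assert _LAYOUT.size == 16


class HcdVersion(NamedTuple):
    major: int
    minor: int
    build: int
    sp_major: int = 0
    sp_minor: int = 0

    def encode(self) -> str:
        """Return the 32 hex characters that go into the 'version' setting."""
        try:
            return _LAYOUT.pack(*self).hex()
        except struct.error as e:        # a field exceeds its 4- or 2-octet width
            raise ValueError("version field out of range: %s" % e) from None

    @classmethod
    def decode(cls, hex_version: str) -> "HcdVersion":
        """Parse a configured value, rejecting anything that is not exactly 16 octets."""
        try:
            raw = bytes.fromhex(hex_version.strip())
        except ValueError:
            raise ValueError("version is not hex-encoded") from None
        if len(raw) != _LAYOUT.size:
            raise ValueError("version must be 16 octets, got %d" % len(raw))
        return cls(*_LAYOUT.unpack(raw))

    def __str__(self) -> str:
        return "%d.%d.%d SP%d.%d" % self


if __name__ == "__main__":
    v = HcdVersion(3, 14, 2710, 1, 0)    # constructed sample version
    print(v.encode())                    # value for the strongswan.conf 'version' key
    print(HcdVersion.decode(v.encode()))
```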
        !          2243: 
        !          2244: .TP
        !          2245: .BR libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language " [en]"
        !          2246: Variable\-length natural language tag conforming to RFC 5646 that specifies the
        !          2247: language to be used in the health assessment message of a given subtype.
        !          2248: 
        !          2249: .TP
        !          2250: .BR libimcv.plugins.imc-hcd.subtypes.system.certification_state " []"
        !          2251: Hex\-encoded certification state.
        !          2252: 
        !          2253: .TP
        !          2254: .BR libimcv.plugins.imc-hcd.subtypes.system.configuration_state " []"
        !          2255: Hex\-encoded configuration state.
        !          2256: 
        !          2257: .TP
        !          2258: .BR libimcv.plugins.imc-hcd.subtypes.system.machine_type_model " []"
        !          2259: String specifying the machine type and model of the hardcopy device.
        !          2260: 
        !          2261: .TP
        !          2262: .BR libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled " [no]"
        !          2263: Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy
        !          2264: device.
        !          2265: 
        !          2266: .TP
        !          2267: .BR libimcv.plugins.imc-hcd.subtypes.system.time_source " []"
        !          2268: String specifying the hostname of the network time server used by the hardcopy
        !          2269: device.
        !          2270: 
        !          2271: .TP
        !          2272: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled " [no]"
        !          2273: Specifies if users can dynamically download and execute applications on the
        !          2274: hardcopy device.
        !          2275: 
        !          2276: .TP
        !          2277: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled " [no]"
        !          2278: Specifies if user dynamically downloaded applications can persist outside the
        !          2279: boundaries of a single job on the hardcopy device.
        !          2280: 
        !          2281: .TP
        !          2282: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_name " []"
        !          2283: String specifying the manufacturer of the hardcopy device.
        !          2284: 
        !          2285: .TP
        !          2286: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code " []"
        !          2287: Integer specifying the globally unique 24\-bit SMI code assigned to the
        !          2288: manufacturer of the hardcopy device.
        !          2289: 
        !          2290: .TP
        !          2291: .BR libimcv.plugins.imc-os.device_cert " []"
        !          2292: Manually set the path to the client device certificate (e.g.
        !          2293: /etc/pts/aikCert.der).
        !          2294: 
        !          2295: .TP
        !          2296: .BR libimcv.plugins.imc-os.device_handle " []"
        !          2297: Manually set handle to a private key bound to a smartcard or TPM (e.g.
        !          2298: 0x81010004).
        !          2299: 
        !          2300: .TP
        !          2301: .BR libimcv.plugins.imc-os.device_id " []"
        !          2302: Manually set the client device ID in hexadecimal format (e.g.
        !          2303: 1083f03988c9762703b1c1080c2e46f72b99cc31).
        !          2304: 
        !          2305: .TP
        !          2306: .BR libimcv.plugins.imc-os.device_pubkey " []"
        !          2307: Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der).
        !          2308: 
        !          2309: .TP
        !          2310: .BR libimcv.plugins.imc-os.push_info " [yes]"
        !          2311: Send operating system info without being prompted.
        !          2312: 
        !          2313: .TP
        !          2314: .BR libimcv.plugins.imc-scanner.push_info " [yes]"
        !          2315: Send open listening ports without being prompted.
        !          2316: 
        !          2317: .TP
        !          2318: .BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]"
        !          2319: Set the 32\-bit epoch value for event IDs manually if the software collector
        !          2320: database is not available.
        !          2321: 
        !          2322: .TP
        !          2323: .BR libimcv.plugins.imc-swima.subscriptions " [no]"
        !          2324: Accept SW Inventory or SW Events subscriptions.
        !          2325: 
        !          2326: .TP
        !          2327: .BR libimcv.plugins.imc-swima.swid_database " []"
        !          2328: URI to software collector database containing event timestamps, software
        !          2329: creation and deletion events and collected software identifiers. If it contains
        !          2330: a password, make sure to adjust the permissions of the config file accordingly.
        !          2331: 
        !          2332: .TP
        !          2333: .BR libimcv.plugins.imc-swima.swid_directory " [${prefix}/share]"
        !          2334: Directory where SWID tags are located.
        !          2335: 
        !          2336: .TP
        !          2337: .BR libimcv.plugins.imc-swima.swid_full " [no]"
        !          2338: Include file information in the XML\-encoded SWID tags.
        !          2339: 
        !          2340: .TP
        !          2341: .BR libimcv.plugins.imc-swima.swid_pretty " [no]"
        !          2342: Generate XML\-encoded SWID tags with pretty indentation.
        !          2343: 
        !          2344: .TP
        !          2345: .BR libimcv.plugins.imc-test.additional_ids " [0]"
        !          2346: Number of additional IMC IDs.
        !          2347: 
        !          2348: .TP
        !          2349: .BR libimcv.plugins.imc-test.command " [none]"
        !          2350: Command to be sent to the Test IMV.
        !          2351: 
        !          2352: .TP
        !          2353: .BR libimcv.plugins.imc-test.dummy_size " [0]"
        !          2354: Size of dummy attribute to be sent to the Test IMV (0 = disabled).
        !          2355: 
        !          2356: .TP
        !          2357: .BR libimcv.plugins.imc-test.retry " [no]"
        !          2358: Do a handshake retry.
        !          2359: 
        !          2360: .TP
        !          2361: .BR libimcv.plugins.imc-test.retry_command " []"
        !          2362: Command to be sent to the Test IMV in the handshake retry.
        !          2363: 
        !          2364: .TP
        !          2365: .BR libimcv.plugins.imv-attestation.cadir " []"
        !          2366: Path to directory with AIK cacerts.
        !          2367: 
        !          2368: .TP
        !          2369: .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
        !          2370: Preferred Diffie\-Hellman group.
        !          2371: 
        !          2372: .TP
        !          2373: .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
        !          2374: Preferred measurement hash algorithm.
        !          2375: 
        !          2376: .TP
        !          2377: .BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
        !          2378: Enforce mandatory Diffie\-Hellman groups.
        !          2379: 
        !          2380: .TP
        !          2381: .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
        !          2382: Minimum nonce length the IMV requests from the client in the PTS
        !          2382: Diffie\-Hellman nonce negotiation. The default of 0 imposes no minimum.
        !          2383: 
        !          2384: .TP
        !          2385: .BR libimcv.plugins.imv-os.remediation_uri " []"
        !          2386: URI pointing to operating system remediation instructions.
        !          2387: 
        !          2388: .TP
        !          2389: .BR libimcv.plugins.imv-scanner.remediation_uri " []"
        !          2390: URI pointing to scanner remediation instructions.
        !          2391: 
        !          2392: .TP
        !          2393: .BR libimcv.plugins.imv-swima.rest_api.timeout " [120]"
        !          2394: Timeout in seconds of the SWID REST API HTTP POST transaction.
        !          2395: 
        !          2396: .TP
        !          2397: .BR libimcv.plugins.imv-swima.rest_api.uri " []"
        !          2398: HTTP(S) URI of the SWID REST API. Use an https URI unless the path to the
        !          2398: server is otherwise protected, as software inventories are posted over it.
        !          2399: 
        !          2400: .TP
        !          2401: .BR libimcv.plugins.imv-test.rounds " [0]"
        !          2402: Number of IMC\-IMV retry rounds.
        !          2403: 
        !          2404: .TP
        !          2405: .BR libimcv.stderr_quiet " [no]"
        !          2406: Disable output to stderr with a stand\-alone
        !          2407: .RI "" "libimcv" ""
        !          2408: library.
        !          2409: 
        !          2410: .TP
        !          2411: .BR libimcv.swid_gen.command " [/usr/local/bin/swid_generator]"
        !          2412: SWID generator command to be executed.
        !          2413: 
        !          2414: .TP
        !          2415: .BR libimcv.swid_gen.tag_creator.name " [strongSwan Project]"
        !          2416: Name of the tagCreator entity.
        !          2417: 
        !          2418: .TP
        !          2419: .BR libimcv.swid_gen.tag_creator.regid " [strongswan.org]"
        !          2420: regid of the tagCreator entity.
        !          2421: 
        !          2422: .TP
        !          2423: .BR manager.database " []"
        !          2424: Credential database URI for manager. If it contains a password, make sure to
        !          2425: adjust the permissions of the config file accordingly.
        !          2426: 
        !          2427: .TP
        !          2428: .BR manager.debug " [no]"
        !          2429: Enable debugging in manager.
        !          2430: 
        !          2431: .TP
        !          2432: .BR manager.load " []"
        !          2433: Plugins to load in manager.
        !          2434: 
        !          2435: .TP
        !          2436: .BR manager.socket " []"
        !          2437: FastCGI socket of manager, to run it statically.
        !          2438: 
        !          2439: .TP
        !          2440: .BR manager.threads " [10]"
        !          2441: Threads to use for request handling.
        !          2442: 
        !          2443: .TP
        !          2444: .BR manager.timeout " [15m]"
        !          2445: Session timeout for manager.
        !          2446: 
        !          2447: .TP
        !          2448: .BR medsrv.database " []"
        !          2449: Mediation server database URI. If it contains a password, make sure to adjust
        !          2450: the permissions of the config file accordingly.
        !          2451: 
        !          2452: .TP
        !          2453: .BR medsrv.debug " [no]"
        !          2454: Debugging in mediation server web application.
        !          2455: 
        !          2456: .TP
        !          2457: .BR medsrv.dpd " [5m]"
        !          2458: DPD timeout to use in mediation server plugin.
        !          2459: 
        !          2460: .TP
        !          2461: .BR medsrv.load " []"
        !          2462: Plugins to load in mediation server plugin.
        !          2463: 
        !          2464: .TP
        !          2465: .BR medsrv.password_length " [6]"
        !          2466: Minimum password length required for mediation server user accounts.
        !          2467: 
        !          2468: .TP
        !          2469: .BR medsrv.rekey " [20m]"
        !          2470: Rekeying time on mediation connections in mediation server plugin.
        !          2471: 
        !          2472: .TP
        !          2473: .BR medsrv.socket " []"
        !          2474: FastCGI socket on which to run the mediation server web application
        !          2474: statically.
        !          2475: 
        !          2476: .TP
        !          2477: .BR medsrv.threads " [5]"
        !          2478: Number of threads for the mediation service web application.
        !          2479: 
        !          2480: .TP
        !          2481: .BR medsrv.timeout " [15m]"
        !          2482: Session timeout for mediation service.
        !          2483: 
        !          2484: .TP
        !          2485: .BR pki.load " []"
        !          2486: Plugins to load in ipsec pki tool.
        !          2487: 
        !          2488: .TP
        !          2489: .BR pool.database " []"
        !          2490: Database URI for the database that stores IP pools and configuration attributes.
        !          2491: If it contains a password, make sure to adjust the permissions of the
        !          2492: config file accordingly.
        !          2493: 
        !          2494: .TP
        !          2495: .BR pool.load " []"
        !          2496: Plugins to load in ipsec pool tool.
        !          2497: 
        !          2498: .TP
        !          2499: .BR scepclient.load " []"
        !          2500: Plugins to load in ipsec scepclient tool.
        !          2501: 
        !          2502: .TP
        !          2503: .B sec-updater
        !          2504: .br
        !          2505: Options for the sec\-updater tool.
        !          2506: 
        !          2507: .TP
        !          2508: .BR sec-updater.database " []"
        !          2509: Global IMV policy database URI. If it contains a password, make sure to adjust
        !          2510: the permissions of the config file accordingly.
        !          2511: 
        !          2512: .TP
        !          2513: .BR sec-updater.load " []"
        !          2514: Plugins to load in sec\-updater tool.
        !          2515: 
        !          2516: .TP
        !          2517: .BR sec-updater.swid_gen.command " [/usr/local/bin/swid_generator]"
        !          2518: SWID generator command to be executed.
        !          2519: 
        !          2520: .TP
        !          2521: .BR sec-updater.swid_gen.tag_creator.name " [strongSwan Project]"
        !          2522: Name of the tagCreator entity.
        !          2523: 
        !          2524: .TP
        !          2525: .BR sec-updater.swid_gen.tag_creator.regid " [strongswan.org]"
        !          2526: regid of the tagCreator entity.
        !          2527: 
        !          2528: .TP
        !          2529: .BR sec-updater.tmp.deb_file " [/tmp/sec-updater.deb]"
        !          2530: Temporary storage for the downloaded deb package file. Since /tmp is shared
        !          2530: with all local users, consider pointing this to a directory writable only by
        !          2530: the user running sec\-updater.
        !          2531: 
        !          2532: .TP
        !          2533: .BR sec-updater.tmp.tag_file " [/tmp/sec-updater.tag]"
        !          2534: Temporary storage for generated SWID tags. As with tmp.deb_file, prefer a
        !          2534: directory writable only by the user running sec\-updater over the shared /tmp.
        !          2535: 
        !          2536: .TP
        !          2537: .BR sec-updater.tnc_manage_command " [/var/www/tnc/manage.py]"
        !          2538: strongTNC manage.py command used to import SWID tags.
        !          2539: 
        !          2540: .TP
        !          2541: .BR starter.config_file " [${sysconfdir}/ipsec.conf]"
        !          2542: Location of the ipsec.conf file.
        !          2543: 
        !          2544: .TP
        !          2545: .BR starter.load_warning " [yes]"
        !          2546: Set to no to suppress the warning starter prints when charon plugins are
        !          2546: loaded via a manual charon.load option.
        !          2547: 
        !          2548: .TP
        !          2549: .B sw-collector
        !          2550: .br
        !          2551: Options for the sw\-collector tool.
        !          2552: 
        !          2553: .TP
        !          2554: .BR sw-collector.database " []"
        !          2555: URI to software collector database containing event timestamps, software
        !          2556: creation and deletion events and collected software identifiers. If it contains
        !          2557: a password, make sure to adjust the permissions of the config file accordingly.
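
The note repeated for the database options above (libimcv.plugins.imc-swima.swid_database, manager.database, medsrv.database, pool.database, sec-updater.database and sw-collector.database) comes down to one check: a URI of the form mysql://user:password@host/db puts a credential into strongswan.conf, so the file must not be group- or world-readable. The following shell function is an added example, not part of strongSwan; it assumes the user:password@ URI form used by strongSwan's database plugins and the standard ls -l permission string, and it does not follow include directives.

```shell
# Added example (not strongSwan code): flag a strongswan.conf that embeds a
# database password in a URI such as mysql://user:password@host/db while
# being readable by group or others.
# Returns 0 if the file carries no credential-bearing database URI or is
# private to its owner, 1 otherwise.
# Assumption: the "database =" / "swid_database =" keys and the user:password@
# URI form documented for strongSwan's database plugins; files pulled in via
# "include" are not followed.
check_db_uri_perms() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    # A database key (possibly dotted, e.g. pool.database) whose value is a
    # scheme://user:password@... URI.  sqlite:///path has no user part and
    # therefore does not match.
    db_re='^[[:space:]]*([A-Za-z0-9_-]+\.)*(swid_)?database[[:space:]]*=[[:space:]]*[a-z]+://[^/@[:space:]]+:[^/@[:space:]]+@'
    if ! grep -Eq "$db_re" "$f"; then
        return 0
    fi

    # Columns 5-10 of "ls -l" are the group and other permission bits,
    # e.g. "-rw-r--r--" -> "r--r--"; only "------" is acceptable here.
    go_bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "$f: contains a database password but is readable by group/others ($go_bits); chmod 600 it" >&2
        return 1
    fi
    return 0
}
```

Run it as check_db_uri_perms /etc/strongswan.conf (and over every file pulled in via include); a non-zero exit means the file needs chmod 600 (or the credential moved to a file that already has it).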
        !          2558: 
        !          2559: .TP
        !          2560: .BR sw-collector.first_file " [/var/log/bootstrap.log]"
        !          2561: Path pointing to file created when the Linux OS was installed.
        !          2562: 
        !          2563: .TP
        !          2564: .BR sw-collector.first_time " [0000-00-00T00:00:00Z]"
        !          2565: Time in UTC when the Linux OS was installed.
        !          2566: 
        !          2567: .TP
        !          2568: .BR sw-collector.history " []"
        !          2569: Path pointing to apt history.log file.
        !          2570: 
        !          2571: .TP
        !          2572: .BR sw-collector.load " []"
        !          2573: Plugins to load in sw\-collector tool.
        !          2574: 
        !          2575: .TP
        !          2576: .BR sw-collector.rest_api.timeout " [120]"
        !          2577: Timeout in seconds of the REST API HTTP POST transaction.
        !          2578: 
        !          2579: .TP
        !          2580: .BR sw-collector.rest_api.uri " []"
        !          2581: HTTP(S) URI of the central collector's REST API. Use an https URI unless the
        !          2581: path to the collector is otherwise protected.
        !          2582: 
        !          2583: .TP
        !          2584: .BR swanctl.load " []"
        !          2585: Plugins to load in swanctl.
        !          2586: 
        !          2587: .TP
        !          2588: .BR swanctl.socket " [unix://${piddir}/charon.vici]"
        !          2589: VICI socket to connect to by default.
        !          2590: 