Annotation of embedaddon/strongswan/conf/strongswan.conf.5.main, revision 1.1.1.1
1.1 misho 1: .TP
2: .BR aikgen.load " []"
3: Plugins to load in ipsec aikgen tool.
4:
5: .TP
6: .BR attest.database " []"
7: File measurement information database URI. If it contains a password, make sure
8: to adjust the permissions of the config file accordingly.
9:
10: .TP
11: .BR attest.load " []"
12: Plugins to load in ipsec attest tool.
13:
14: .TP
15: .B charon
16: .br
17: Options for the charon IKE daemon.
18:
19: .RB "" "Note" ":"
20: Many of the options in this section also apply to
21: .RB "" "charon\-cmd" ""
22: and
23: other
24: .RB "" "charon" ""
25: derivatives. Just use their respective name (e.g.
26: .RB "" "charon\-cmd" ""
27: instead of
28: .RB "" "charon" ")."
29: For many options defaults can be defined
30: in the
31: .RB "" "libstrongswan" ""
32: section.
33:
34: .TP
35: .BR charon.accept_private_algs " [no]"
36: Deliberately violate the IKE standard's requirement and allow the use of private
37: algorithm identifiers, even if the peer implementation is unknown.
38:
39: .TP
40: .BR charon.accept_unencrypted_mainmode_messages " [no]"
41: Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
42:
43: Some implementations send the third Main Mode message unencrypted, probably to
44: find the PSKs for the specified ID for authentication. This is very similar to
45: Aggressive Mode, and has the same security implications: A passive attacker can
46: sniff the negotiated Identity, and start brute forcing the PSK using the HASH
47: payload.
48:
49: It is recommended to keep this option set to no, unless you know exactly what the
50: implications are and require compatibility with such devices (for example, some
51: SonicWall boxes).
52:
53: .TP
54: .BR charon.block_threshold " [5]"
55: Maximum number of half\-open IKE_SAs for a single peer IP.
56:
57: .TP
58: .BR charon.cache_crls " [no]"
59: Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
60: saved under a unique file name derived from the public key of the Certification
61: Authority (CA) to
62: .RB "" "/etc/ipsec.d/crls" ""
63: (stroke) or
64: .RB "" "/etc/swanctl/x509crl" ""
65: (vici), respectively.
66:
67: .TP
68: .BR charon.cert_cache " [yes]"
69: Whether relations in validated certificate chains should be cached in memory.
70:
71: .TP
72: .BR charon.cisco_unity " [no]"
73: Send Cisco Unity vendor ID payload (IKEv1 only).
74:
75: .TP
76: .BR charon.close_ike_on_child_failure " [no]"
77: Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
78:
79: .TP
80: .BR charon.cookie_threshold " [10]"
81: Number of half\-open IKE_SAs that activate the cookie mechanism.
82:
83: .TP
84: .BR charon.crypto_test.bench " [no]"
85: Benchmark crypto algorithms and order them by efficiency.
86:
87: .TP
88: .BR charon.crypto_test.bench_size " [1024]"
89: Buffer size used for crypto benchmark.
90:
91: .TP
92: .BR charon.crypto_test.bench_time " [50]"
93: Time in ms during which crypto algorithm performance is measured.
94:
95: .TP
96: .BR charon.crypto_test.on_add " [no]"
97: Test crypto algorithms during registration (requires test vectors provided by
98: the
99: .RI "" "test\-vectors" ""
100: plugin).
101:
102: .TP
103: .BR charon.crypto_test.on_create " [no]"
104: Test crypto algorithms on each crypto primitive instantiation.
105:
106: .TP
107: .BR charon.crypto_test.required " [no]"
108: Strictly require at least one test vector to enable an algorithm.
109:
110: .TP
111: .BR charon.crypto_test.rng_true " [no]"
112: Whether to test RNG with TRUE quality; requires a lot of entropy.
113:
114: .TP
115: .BR charon.delete_rekeyed " [no]"
116: Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces
117: the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However,
118: this might cause problems with implementations that continue to use rekeyed SAs
119: until they expire.
120:
121: .TP
122: .BR charon.delete_rekeyed_delay " [5]"
123: Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
124: only). To process delayed packets the inbound part of a CHILD_SA is kept
125: installed up to the configured number of seconds after it got replaced during a
126: rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if
127: no lifetime is set it will be destroyed immediately).
128:
129: .TP
130: .BR charon.dh_exponent_ansi_x9_42 " [yes]"
131: Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
132: strength.
133:
134: .TP
135: .BR charon.dlopen_use_rtld_now " [no]"
136: Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
137: symbols immediately.
138:
139: .TP
140: .BR charon.dns1 " []"
141: DNS server assigned to peer via configuration payload (CP).
142:
143: .TP
144: .BR charon.dns2 " []"
145: DNS server assigned to peer via configuration payload (CP).
146:
147: .TP
148: .BR charon.dos_protection " [yes]"
149: Enable Denial of Service protection using cookies and aggressiveness checks.
150:
151: .TP
152: .BR charon.ecp_x_coordinate_only " [yes]"
153: Compliance with the errata for RFC 4753.
154:
155: .TP
156: .B charon.filelog
157: .br
158: Section to define file loggers, see LOGGER CONFIGURATION in
159: .RB "" "strongswan.conf" "(5)."
160:
161:
162: .TP
163: .B charon.filelog.<name>
164: .br
165: <name> may be the full path to the log file if it only contains characters
166: permitted in section names. Is ignored if
167: .RI "" "path" ""
168: is specified.
169:
170: .TP
171: .BR charon.filelog.<name>.<subsystem> " [<default>]"
172: Loglevel for a specific subsystem.
173:
174: .TP
175: .BR charon.filelog.<name>.append " [yes]"
176: If this option is enabled log entries are appended to the existing file.
177:
178: .TP
179: .BR charon.filelog.<name>.default " [1]"
180: Specifies the default loglevel to be used for subsystems for which no specific
181: loglevel is defined.
182:
183: .TP
184: .BR charon.filelog.<name>.flush_line " [no]"
185: Enabling this option disables block buffering and enables line buffering.
186:
187: .TP
188: .BR charon.filelog.<name>.ike_name " [no]"
189: Prefix each log entry with the connection name and a unique numerical identifier
190: for each IKE_SA.
191:
192: .TP
193: .BR charon.filelog.<name>.path " []"
194: Optional path to the log file. Overrides the section name. Must be used if the
195: path contains characters that aren't allowed in section names.
196:
197: .TP
198: .BR charon.filelog.<name>.time_add_ms " [no]"
199: Adds the milliseconds within the current second after the timestamp (separated
200: by a dot, so
201: .RI "" "time_format" ""
202: should end with %S or %T).
203:
204: .TP
205: .BR charon.filelog.<name>.time_format " []"
206: Prefix each log entry with a timestamp. The option accepts a format string as
207: passed to
208: .RB "" "strftime" "(3)."
209:
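An added example (not taken from this manual page or from the strongSwan project) of a file logger section using the options above; the logger name, path and subsystem levels are constructed values:

```conf
charon {
    filelog {
        # path is given explicitly, so the section name need not be a valid
        # file name (constructed logger name and path)
        main {
            path = /var/log/strongswan/charon.log
            # time_format ends with %T, as time_add_ms requires
            time_format = %b %e %T
            time_add_ms = yes
            # tag every entry with the connection name and IKE_SA number
            ike_name = yes
            append = yes
            # line buffering so entries reach the file promptly (costs I/O)
            flush_line = yes
            # level for every subsystem not listed explicitly
            default = 1
            # more detail for IKE and configuration handling
            ike = 2
            cfg = 2
            # keep encoding/network detail low on production systems
            enc = 0
            net = 0
        }
    }
}
```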
210:
211: .TP
212: .BR charon.flush_auth_cfg " [no]"
213: If enabled objects used during authentication (certificates, identities etc.)
214: are released to free memory once an IKE_SA is established. Enabling this might
215: conflict with plugins that later need access to e.g. the used certificates.
216:
217: .TP
218: .BR charon.follow_redirects " [yes]"
219: Whether to follow IKEv2 redirects (RFC 5685).
220:
221: .TP
222: .BR charon.fragment_size " [1280]"
223: Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
224: using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
225: (use 0 for address family specific default values, which use a lower value for
226: IPv4). If specified this limit is used for both IPv4 and IPv6.
227:
228: .TP
229: .BR charon.group " []"
230: Name of the group the daemon changes to after startup.
231:
232: .TP
233: .BR charon.half_open_timeout " [30]"
234: Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
235:
236: .TP
237: .BR charon.hash_and_url " [no]"
238: Enable hash and URL support.
239:
240: .TP
241: .BR charon.host_resolver.max_threads " [3]"
242: Maximum number of concurrent resolver threads (they are terminated if unused).
243:
244: .TP
245: .BR charon.host_resolver.min_threads " [0]"
246: Minimum number of resolver threads to keep around.
247:
248: .TP
249: .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
250: If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
251: keys, which is discouraged due to security concerns (offline attacks on the
252: openly transmitted hash of the PSK).
253:
254: .TP
255: .BR charon.ignore_acquire_ts " [no]"
256: If this is disabled the traffic selectors from the kernel's acquire events,
257: which are derived from the triggering packet, are prepended to the traffic
258: selectors from the configuration for IKEv2 connections. By enabling this, such
259: specific traffic selectors will be ignored and only the ones in the config will
260: be sent. This always happens for IKEv1 connections as the protocol only supports
261: one set of traffic selectors per CHILD_SA.
262:
263: .TP
264: .BR charon.ignore_routing_tables " []"
265: A space\-separated list of routing tables to be excluded from route lookups.
266:
267: .TP
268: .BR charon.ikesa_limit " [0]"
269: Maximum number of IKE_SAs that can be established at the same time before new
270: connection attempts are blocked.
271:
272: .TP
273: .BR charon.ikesa_table_segments " [1]"
274: Number of exclusively locked segments in the hash table.
275:
276: .TP
277: .BR charon.ikesa_table_size " [1]"
278: Size of the IKE_SA hash table.
279:
280: .TP
281: .B charon.imcv
282: .br
283: Defaults for options in this section can be configured in the
284: .RI "" "libimcv" ""
285: section.
286:
287: .TP
288: .BR charon.imcv.assessment_result " [yes]"
289: Whether IMVs send a standard IETF Assessment Result attribute.
290:
291: .TP
292: .BR charon.imcv.database " []"
293: Global IMV policy database URI. If it contains a password, make sure to adjust
294: the permissions of the config file accordingly.
295:
296: .TP
297: .BR charon.imcv.os_info.default_password_enabled " [no]"
298: Manually set whether a default password is enabled.
299:
300: .TP
301: .BR charon.imcv.os_info.name " []"
302: Manually set the name of the client OS (e.g. Ubuntu).
303:
304: .TP
305: .BR charon.imcv.os_info.version " []"
306: Manually set the version of the client OS (e.g. 12.04 i686).
307:
308: .TP
309: .BR charon.imcv.policy_script " [ipsec _imv_policy]"
310: Script called for each TNC connection to generate IMV policies.
311:
312: .TP
313: .BR charon.inactivity_close_ike " [no]"
314: Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
315:
316: .TP
317: .BR charon.init_limit_half_open " [0]"
318: Limit new connections based on the current number of half open IKE_SAs, see
319: IKE_SA_INIT DROPPING in
320: .RB "" "strongswan.conf" "(5)."
321:
322:
323: .TP
324: .BR charon.init_limit_job_load " [0]"
325: Limit new connections based on the number of jobs currently queued for
326: processing (see IKE_SA_INIT DROPPING).
327:
328: .TP
329: .BR charon.initiator_only " [no]"
330: Causes the charon daemon to ignore IKE initiation requests.
331:
332: .TP
333: .BR charon.install_routes " [yes]"
334: Install routes into a separate routing table for established IPsec tunnels.
335:
336: .TP
337: .BR charon.install_virtual_ip " [yes]"
338: Install virtual IP addresses.
339:
340: .TP
341: .BR charon.install_virtual_ip_on " []"
342: The name of the interface on which virtual IP addresses should be installed. If
343: not specified the addresses will be installed on the outbound interface.
344:
345: .TP
346: .BR charon.integrity_test " [no]"
347: Check daemon, libstrongswan and plugin integrity at startup.
348:
349: .TP
350: .BR charon.interfaces_ignore " []"
351: A comma\-separated list of network interfaces that should be ignored, if
352: .RB "" "interfaces_use" ""
353: is specified this option has no effect.
354:
355: .TP
356: .BR charon.interfaces_use " []"
357: A comma\-separated list of network interfaces that should be used by charon. All
358: other interfaces are ignored.
359:
360: .TP
361: .BR charon.keep_alive " [20s]"
362: NAT keep alive interval.
363:
364: .TP
365: .BR charon.leak_detective.detailed " [yes]"
366: Includes source file names and line numbers in leak detective output.
367:
368: .TP
369: .BR charon.leak_detective.usage_threshold " [10240]"
370: Threshold in bytes for leaks to be reported (0 to report all).
371:
372: .TP
373: .BR charon.leak_detective.usage_threshold_count " [0]"
374: Threshold in number of allocations for leaks to be reported (0 to report all).
375:
376: .TP
377: .BR charon.load " []"
378: Plugins to load in the IKE daemon charon.
379:
380: .TP
381: .BR charon.load_modular " [no]"
382: If enabled, the list of plugins to load is determined via the value of the
383: .RI "" "charon.plugins.<name>.load" ""
384: options. In addition to a simple boolean flag that
385: option may take an integer value indicating the priority of a plugin, which
386: would influence the order of a plugin in the plugin list (the default is 1). If
387: two plugins have the same priority their order in the default plugin list is
388: preserved. Enabled plugins not found in that list are ordered alphabetically
389: before other plugins with the same priority.
390:
391: .TP
392: .BR charon.make_before_break " [no]"
393: Initiate IKEv2 reauthentication with a make\-before\-break instead of a
394: break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
395: during reauthentication by first recreating all new SAs before deleting the old
396: ones. This behavior can be beneficial to avoid connectivity gaps during
397: reauthentication, but requires support for overlapping SAs by the peer.
398: strongSwan can handle such overlapping SAs since version 5.3.0.
399:
400: .TP
401: .BR charon.max_ikev1_exchanges " [3]"
402: Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
403: track concurrently.
404:
405: .TP
406: .BR charon.max_packet " [10000]"
407: Maximum packet size accepted by charon.
408:
409: .TP
410: .BR charon.multiple_authentication " [yes]"
411: Enable multiple authentication exchanges (RFC 4739).
412:
413: .TP
414: .BR charon.nbns1 " []"
415: WINS servers assigned to peer via configuration payload (CP).
416:
417: .TP
418: .BR charon.nbns2 " []"
419: WINS servers assigned to peer via configuration payload (CP).
420:
421: .TP
422: .BR charon.plugin.ha.buflen " [2048]"
423: Buffer size for received HA messages. For IKEv1 the public DH factors are also
424: transmitted so depending on the DH group the HA messages can get quite big (the
425: default should be fine up to
426: .RI "" "modp4096" ")."
427:
428:
429: .TP
430: .BR charon.plugins.addrblock.strict " [yes]"
431: If set to yes, a subject certificate without an addrblock extension is rejected
432: if the issuer certificate has such an addrblock extension. If set to no, subject
433: certificates issued without the addrblock extension are accepted without any
434: traffic selector checks and no policy is enforced by the plugin.
435:
436: .TP
437: .BR charon.plugins.android_log.loglevel " [1]"
438: Loglevel for logging to Android specific logger.
439:
440: .TP
441: .B charon.plugins.attr
442: .br
443: Section to specify arbitrary attributes that are assigned to a peer via
444: configuration payload (CP).
445:
446: .TP
447: .BR charon.plugins.attr.<attr> " []"
448: .RB "" "<attr>" ""
449: can be either
450: .RI "" "address" ","
451: .RI "" "netmask" ","
452: .RI "" "dns" ","
453: .RI "" "nbns" ","
454: .RI "" "dhcp" ","
455: .RI "" "subnet" ","
456: .RI "" "split\-include" ","
457: .RI "" "split\-exclude" ""
458: or the numeric identifier of the attribute
459: type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation
460: or an arbitrary value depending on the attribute type. For some attribute types
461: multiple values may be specified as a comma separated list.
462:
463: .TP
464: .BR charon.plugins.attr-sql.crash_recovery " [yes]"
465: Release all online leases during startup. Disable this to share the DB between
466: multiple VPN gateways.
467:
468: .TP
469: .BR charon.plugins.attr-sql.database " []"
470: Database URI for attr\-sql plugin used by charon. If it contains a password, make
471: sure to adjust the permissions of the config file accordingly.
472:
473: .TP
474: .BR charon.plugins.attr-sql.lease_history " [yes]"
475: Enable logging of SQL IP pool leases.
476:
477: .TP
478: .BR charon.plugins.bliss.use_bliss_b " [yes]"
479: Use the enhanced BLISS\-B key generation and signature algorithm.
480:
481: .TP
482: .BR charon.plugins.bypass-lan.interfaces_ignore " []"
483: A comma\-separated list of network interfaces for which connected subnets should
484: be ignored, if
485: .RB "" "interfaces_use" ""
486: is specified this option has no effect.
487:
488: .TP
489: .BR charon.plugins.bypass-lan.interfaces_use " []"
490: A comma\-separated list of network interfaces for which connected subnets should
491: be considered. All other interfaces are ignored.
492:
493: .TP
494: .BR charon.plugins.certexpire.csv.cron " []"
495: Cron style string specifying CSV export times.
496:
497: .TP
498: .BR charon.plugins.certexpire.csv.empty_string " []"
499: String to use in empty intermediate CA fields.
500:
501: .TP
502: .BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
503: Use a fixed intermediate CA field count.
504:
505: .TP
506: .BR charon.plugins.certexpire.csv.force " [yes]"
507: Force export of all trustchains we have a private key for.
508:
509: .TP
510: .BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
511: .RB "" "strftime" "(3)"
512: format string to export expiration dates as.
513:
514: .TP
515: .BR charon.plugins.certexpire.csv.local " []"
516: .RB "" "strftime" "(3)"
517: format string for the CSV file name to export local certificates
518: to.
519:
520: .TP
521: .BR charon.plugins.certexpire.csv.remote " []"
522: .RB "" "strftime" "(3)"
523: format string for the CSV file name to export remote
524: certificates to.
525:
526: .TP
527: .BR charon.plugins.certexpire.csv.separator " [,]"
528: CSV field separator.
529:
530: .TP
531: .BR charon.plugins.coupling.file " []"
532: File to store coupling list to.
533:
534: .TP
535: .BR charon.plugins.coupling.hash " [sha1]"
536: Hashing algorithm to fingerprint coupled certificates.
537:
538: .TP
539: .BR charon.plugins.coupling.max " [1]"
540: Maximum number of coupling entries to create.
541:
542: .TP
543: .BR charon.plugins.curl.redir " [-1]"
544: Maximum number of redirects followed by the plugin, set to 0 to disable
545: following redirects, set to \-1 for no limit.
546:
547: .TP
548: .BR charon.plugins.dhcp.force_server_address " [no]"
549: Always use the configured server address. This might be helpful if the DHCP
550: server runs on the same host as strongSwan, and the DHCP daemon does not listen
551: on the loopback interface. In that case the server cannot be reached via
552: unicast (or even 255.255.255.255) as that would be routed via loopback. Setting
553: this option to yes and configuring the local broadcast address (e.g.
554: 192.168.0.255) as server address might work.
555:
556: .TP
557: .BR charon.plugins.dhcp.identity_lease " [no]"
558: Derive user\-defined MAC address from hash of IKE identity and send client
559: identity DHCP option.
560:
561: .TP
562: .BR charon.plugins.dhcp.interface " []"
563: Interface name the plugin uses for address allocation. The default is to bind to
564: any (0.0.0.0) and let the system decide which way to route the packets to the
565: DHCP server.
566:
567: .TP
568: .BR charon.plugins.dhcp.server " [255.255.255.255]"
569: DHCP server unicast or broadcast IP address.
570:
571: .TP
572: .BR charon.plugins.dhcp.use_server_port " [no]"
573: Use the DHCP server port (67) as source port, instead of the DHCP client port
574: (68), when a unicast server address is configured and the plugin acts as relay
575: agent. When replying in this mode the DHCP server will always send packets to
576: the DHCP server port and if no process binds that port an ICMP port unreachable
577: will be sent back, which might be problematic for some DHCP servers. To avoid
578: that, enabling this option will cause the plugin to bind the DHCP server port to
579: send its requests when acting as relay agent. This is not necessary if a DHCP
580: server is already running on the same host and might even cause conflicts (and
581: since the server port is already bound, ICMPs should not be an issue).
582:
583: .TP
584: .BR charon.plugins.dnscert.enable " [no]"
585: Enable fetching of CERT RRs via DNS.
586:
587: .TP
588: .BR charon.plugins.drbg.max_drbg_requests " [4294967294]"
589: Number of pseudo\-random bit requests from the DRBG before an automatic reseeding
590: occurs.
591:
592: .TP
593: .BR charon.plugins.duplicheck.enable " [yes]"
594: Enable duplicheck plugin (if loaded).
595:
596: .TP
597: .BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
598: Socket provided by the duplicheck plugin.
599:
600: .TP
601: .BR charon.plugins.eap-aka.request_identity " [yes]"
602: .TP
603: .BR charon.plugins.eap-aka-3gpp.seq_check " []"
604: Enable to activate sequence check of the AKA SQN values in order to trigger
605: resync cycles.
606:
607: .TP
608: .BR charon.plugins.eap-aka-3gpp2.seq_check " []"
609: Enable to activate sequence check of the AKA SQN values in order to trigger
610: resync cycles.
611:
612: .TP
613: .BR charon.plugins.eap-dynamic.prefer_user " [no]"
614: If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are
615: preferred over the methods registered locally.
616:
617: .TP
618: .BR charon.plugins.eap-dynamic.preferred " []"
619: The preferred EAP method(s) to be used. If it is not given the first registered
620: method will be used initially. If a comma separated list is given the methods
621: are tried in the given order before trying the rest of the registered methods.
622:
623: .TP
624: .BR charon.plugins.eap-gtc.backend " [pam]"
625: XAuth backend to be used for credential verification.
626:
627: .TP
628: .BR charon.plugins.eap-peap.fragment_size " [1024]"
629: Maximum size of an EAP\-PEAP packet.
630:
631: .TP
632: .BR charon.plugins.eap-peap.include_length " [no]"
633: Include length in non\-fragmented EAP\-PEAP packets.
634:
635: .TP
636: .BR charon.plugins.eap-peap.max_message_count " [32]"
637: Maximum number of processed EAP\-PEAP packets (0 = no limit).
638:
639: .TP
640: .BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
641: Phase2 EAP client authentication method.
642:
643: .TP
644: .BR charon.plugins.eap-peap.phase2_piggyback " [no]"
645: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
646:
647: .TP
648: .BR charon.plugins.eap-peap.phase2_tnc " [no]"
649: Start phase2 EAP TNC protocol after successful client authentication.
650:
651: .TP
652: .BR charon.plugins.eap-peap.request_peer_auth " [no]"
653: Request peer authentication based on a client certificate.
654:
655: .TP
656: .BR charon.plugins.eap-radius.accounting " [no]"
657: Send RADIUS accounting information to RADIUS servers.
658:
659: .TP
660: .BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
661: Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
662:
663: .TP
664: .BR charon.plugins.eap-radius.accounting_interval " [0]"
665: Interval in seconds for interim RADIUS accounting updates, if not specified by
666: the RADIUS server in the Access\-Accept message.
667:
668: .TP
669: .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
670: If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
671: Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
672:
673: .TP
674: .BR charon.plugins.eap-radius.accounting_send_class " [no]"
675: If enabled, adds the Class attributes received in Access\-Accept message to the
676: RADIUS accounting messages.
677:
678: .TP
679: .BR charon.plugins.eap-radius.class_group " [no]"
680: Use the
681: .RI "" "class" ""
682: attribute sent in the RADIUS\-Accept message as group membership
683: information that is compared to the groups specified in the
684: .RB "" "rightgroups" ""
685: option in
686: .RB "" "ipsec.conf" "(5)."
687:
688:
689: .TP
690: .BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
691: Closes all IKE_SAs if communication with the RADIUS server times out. If it is
692: not set only the current IKE_SA is closed.
693:
694: .TP
695: .BR charon.plugins.eap-radius.dae.enable " [no]"
696: Enables support for the Dynamic Authorization Extension (RFC 5176).
697:
698: .TP
699: .BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
700: Address to listen for DAE messages from the RADIUS server.
701:
702: .TP
703: .BR charon.plugins.eap-radius.dae.port " [3799]"
704: Port to listen for DAE requests.
705:
706: .TP
707: .BR charon.plugins.eap-radius.dae.secret " []"
708: Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
709: permissions of the config file accordingly.
710:
711: .TP
712: .BR charon.plugins.eap-radius.eap_start " [no]"
713: Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
714:
715: .TP
716: .BR charon.plugins.eap-radius.filter_id " [no]"
717: If the RADIUS
718: .RI "" "tunnel_type" ""
719: attribute with value
720: .RB "" "ESP" ""
721: is received, use the
722: .RI "" "filter_id" ""
723: attribute sent in the RADIUS\-Accept message as group membership
724: information that is compared to the groups specified in the
725: .RB "" "rightgroups" ""
726: option in
727: .RB "" "ipsec.conf" "(5)."
728:
729:
730: .TP
731: .BR charon.plugins.eap-radius.forward.ike_to_radius " []"
732: RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
733: or attribute number, a colon can be used to specify vendor\-specific attributes,
734: e.g. Reply\-Message, or 11, or 36906:12).
735:
736: .TP
737: .BR charon.plugins.eap-radius.forward.radius_to_ike " []"
738: Same as
739: .RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
740: but from RADIUS to
741: IKEv2, a strongSwan specific private notify (40969) is used to transmit the
742: attributes.
743:
744: .TP
745: .BR charon.plugins.eap-radius.id_prefix " []"
746: Prefix to EAP\-Identity, some AAA servers use an IMSI prefix to select the EAP
747: method.
748:
749: .TP
750: .BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
751: NAS\-Identifier to include in RADIUS messages.
752:
753: .TP
754: .BR charon.plugins.eap-radius.port " [1812]"
755: Port of RADIUS server (authentication).
756:
757: .TP
758: .BR charon.plugins.eap-radius.retransmit_base " [1.4]"
759: Base to use for calculating exponential backoff.
760:
761: .TP
762: .BR charon.plugins.eap-radius.retransmit_timeout " [2.0]"
763: Timeout in seconds before sending first retransmit.
764:
765: .TP
766: .BR charon.plugins.eap-radius.retransmit_tries " [4]"
767: Number of times to retransmit a packet before giving up.
768:
769: .TP
770: .BR charon.plugins.eap-radius.secret " []"
771: Shared secret between RADIUS and NAS. If set, make sure to adjust the
772: permissions of the config file accordingly.
773:
774: .TP
775: .BR charon.plugins.eap-radius.server " []"
776: IP/Hostname of RADIUS server.
777:
778: .TP
779: .B charon.plugins.eap-radius.servers
780: .br
781: Section to specify multiple RADIUS servers. The
782: .RB "" "nas_identifier" ","
783: .RB "" "secret" ","
784: .RB "" "sockets" ""
785: and
786: .RB "" "port" ""
787: (or
788: .RB "" "auth_port" ")"
789: options can be specified for each
790: server. A server's IP/Hostname can be configured using the
791: .RB "" "address" ""
792: option.
793: The
794: .RB "" "acct_port" ""
795: [1813] option can be used to specify the port used for RADIUS
796: accounting. For each RADIUS server a priority can be specified using the
797: .RB "" "preference" ""
798: [0] option. The retransmission time for each server can be set
799: using
800: .RB "" "retransmit_base" ","
801: .RB "" "retransmit_timeout" ""
802: and
803: .RB "" "retransmit_tries" "."
804:
805:
806: .TP
807: .BR charon.plugins.eap-radius.sockets " [1]"
808: Number of sockets (ports) to use, increase for high load.
809:
810: .TP
811: .BR charon.plugins.eap-radius.station_id_with_port " [yes]"
812: Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS
813: attributes.
814:
815: .TP
816: .B charon.plugins.eap-radius.xauth
817: .br
818: Section to configure multiple XAuth authentication rounds via RADIUS. The
819: subsections define so\-called authentication profiles with arbitrary names. In
820: each profile section one or more XAuth types can be configured, with an assigned
821: message. For each type a separate XAuth exchange will be initiated and all
822: replies get concatenated into the User\-Password attribute, which then gets
823: verified over RADIUS.
824:
825: Available XAuth types are
826: .RB "" "password" ","
827: .RB "" "passcode" ","
828: .RB "" "nextpin" ","
829: and
830: .RB "" "answer" "."
831: The type itself is not relevant to strongSwan or the AAA server, but the
832: client may show a different dialog (along with the configured message).
833:
834: To use the configured profiles, they have to be configured in the respective
835: connection in
836: .RB "" "ipsec.conf" "(5)"
837: by appending the profile name, separated by a
838: colon, to the
839: .RB "" "xauth\-radius" ""
840: XAuth backend configuration in
841: .RI "" "rightauth" ""
842: or
843: .RI "" "rightauth2" ","
844: for instance,
845: .RI "" "rightauth2=xauth\-radius:profile" "."
846:
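An added example (not from this manual page or from the strongSwan project) covering both the eap-radius servers section and the xauth profile section described above; server names, addresses, the profile name and the secret placeholder are constructed, and the assumption that a higher preference value is tried first is not stated by the manual:

```conf
charon {
    plugins {
        eap-radius {
            nas_identifier = vpn-gw.example.org
            accounting = yes
            accounting_close_on_timeout = yes
            servers {
                # secrets in strongswan.conf require restricted file
                # permissions; REPLACE_WITH_SHARED_SECRET is a placeholder
                primary {
                    address = 192.0.2.10
                    secret = REPLACE_WITH_SHARED_SECRET
                    auth_port = 1812
                    acct_port = 1813
                    # assumption: higher preference is tried first
                    preference = 10
                    sockets = 4
                    retransmit_tries = 3
                }
                backup {
                    address = 192.0.2.11
                    secret = REPLACE_WITH_SHARED_SECRET
                    preference = 0
                }
            }
            xauth {
                # profile "otp": two XAuth rounds, each with its own prompt;
                # the replies are concatenated into User-Password and verified
                # by the RADIUS server
                otp {
                    password = Enter your password
                    passcode = Enter the code from your token
                }
            }
        }
    }
}
```

A connection selects the profile in ipsec.conf(5) with rightauth2=xauth\-radius:otp, as the section above describes.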
847:
848: .TP
849: .BR charon.plugins.eap-sim.request_identity " [yes]"
850: .TP
851: .BR charon.plugins.eap-simaka-sql.database " []"
852: .TP
853: .BR charon.plugins.eap-simaka-sql.remove_used " [no]"
854: .TP
855: .BR charon.plugins.eap-tls.fragment_size " [1024]"
856: Maximum size of an EAP\-TLS packet.
857:
858: .TP
859: .BR charon.plugins.eap-tls.include_length " [yes]"
860: Include length in non\-fragmented EAP\-TLS packets.
861:
862: .TP
863: .BR charon.plugins.eap-tls.max_message_count " [32]"
864: Maximum number of processed EAP\-TLS packets (0 = no limit).
865:
866: .TP
867: .BR charon.plugins.eap-tnc.max_message_count " [10]"
868: Maximum number of processed EAP\-TNC packets (0 = no limit).
869:
870: .TP
871: .BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]"
872: IF\-TNCCS protocol version to be used
873: .RI "(" "tnccs\-1.1" ","
874: .RI "" "tnccs\-2.0" ","
875: .RI "" "tnccs\-dynamic" ")."
876:
877:
878: .TP
879: .BR charon.plugins.eap-ttls.fragment_size " [1024]"
880: Maximum size of an EAP\-TTLS packet.
881:
882: .TP
883: .BR charon.plugins.eap-ttls.include_length " [yes]"
884: Include length in non\-fragmented EAP\-TTLS packets.
885:
886: .TP
887: .BR charon.plugins.eap-ttls.max_message_count " [32]"
888: Maximum number of processed EAP\-TTLS packets (0 = no limit).
889:
890: .TP
891: .BR charon.plugins.eap-ttls.phase2_method " [md5]"
892: Phase2 EAP client authentication method.
893:
894: .TP
895: .BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
896: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
897:
898: .TP
899: .BR charon.plugins.eap-ttls.phase2_tnc " [no]"
900: Start phase2 EAP TNC protocol after successful client authentication.
901:
902: .TP
903: .BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]"
904: Phase2 EAP TNC transport protocol
905: .RI "(" "pt" ""
906: as IETF standard or legacy
907: .RI "" "tnc" ")."
908:
909:
910: .TP
911: .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
912: Request peer authentication based on a client certificate.
913:
914: .TP
915: .BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
916: Socket provided by the error\-notify plugin.
917:
918: .TP
919: .BR charon.plugins.ext-auth.script " []"
920: Command to pass to the system shell for peer authorization. Authorization is
921: considered successful if the command executes normally with an exit code of
922: zero. For all other exit codes IKE_SA authorization is rejected.
923:
924: The following environment variables get passed to the script:
925: .RI "" "IKE_UNIQUE_ID" ":"
926: The IKE_SA numerical unique identifier.
927: .RI "" "IKE_NAME" ":"
928: The peer configuration
929: connection name.
930: .RI "" "IKE_LOCAL_HOST" ":"
931: Local IKE IP address.
932: .RI "" "IKE_REMOTE_HOST" ":"
933: Remote IKE IP address.
934: .RI "" "IKE_LOCAL_ID" ":"
935: Local IKE identity.
936: .RI "" "IKE_REMOTE_ID" ":"
937: Remote IKE identity.
938: .RI "" "IKE_REMOTE_EAP_ID" ":"
939: Remote EAP or XAuth identity, if used.
940:
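As an added example, not part of strongSwan or of this manual, the following POSIX shell script is shaped to be used as the command in charon.plugins.ext-auth.script. It authorizes the peer by exact match of its identity against an allowlist, using only the environment variables listed above; the allowlist path, the fallback identities and the script name ike-authz.sh are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not strongSwan code: an authorization script for
# charon.plugins.ext-auth.script. charon exports IKE_UNIQUE_ID, IKE_NAME,
# IKE_LOCAL_HOST, IKE_REMOTE_HOST, IKE_LOCAL_ID, IKE_REMOTE_ID and
# IKE_REMOTE_EAP_ID into the environment and treats exit status 0 as
# "authorized" and any other status as "rejected".
#
# Assumptions (not from the manual): the allowlist file path below and the
# identities in the built-in fallback list are made up for this example.

ALLOWLIST="${IKE_AUTHZ_ALLOWLIST:-/etc/strongswan.d/authorized-ids}"

# Constructed fallback allowlist, one exact identity per line, used only when
# the allowlist file is not readable so that the script runs stand-alone.
default_allowlist() {
    printf '%s\n' 'alice@example.org' 'CN=bob, O=Example' 'carol'
}

# authorize_id IDENTITY: succeed (0) iff IDENTITY equals one allowlist line.
# -F (fixed string) and -x (whole line) stop a peer-chosen identity such as
# ".*" or "ali" from matching as a regex or as a prefix.
authorize_id() {
    id="$1"
    [ -n "$id" ] || return 1
    if [ -r "$ALLOWLIST" ]; then
        grep -Fxq -- "$id" "$ALLOWLIST"
    else
        default_allowlist | grep -Fxq -- "$id"
    fi
}

# ext_auth_main: choose the identity to authorize and return the verdict.
# If the client authenticated with EAP or XAuth, that identity is the one
# bound to the verified credentials, so it takes precedence over the IKE ID.
ext_auth_main() {
    id="${IKE_REMOTE_EAP_ID:-$IKE_REMOTE_ID}"
    if authorize_id "$id"; then
        printf 'ike-authz: allow ike-sa %s conn %s id "%s" from %s\n' \
            "${IKE_UNIQUE_ID:-?}" "${IKE_NAME:-?}" "$id" "${IKE_REMOTE_HOST:-?}" >&2
        return 0
    fi
    printf 'ike-authz: deny ike-sa %s conn %s id "%s" from %s\n' \
        "${IKE_UNIQUE_ID:-?}" "${IKE_NAME:-?}" "$id" "${IKE_REMOTE_HOST:-?}" >&2
    return 1
}

# Run the check only when executed as the script itself (charon hands the
# configured command to the system shell); when sourced, only define functions.
case "$0" in
    */ike-authz.sh|ike-authz.sh) ext_auth_main; exit $? ;;
esac
```

Install the script at a path owned by root and not writable by others, and set charon.plugins.ext-auth.script to that path. Because the identities arrive in environment variables and the command is run by the system shell, every expansion of them must stay quoted as above; an unquoted $IKE_REMOTE_ID on a command line would let a peer-chosen identity be word-split and globbed. The script runs with the daemon's privileges, so keep it small and make the allowlist match exact, not pattern-based.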
941: .TP
942: .BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
943: Comma separated list of multicast groups to join locally. The local host
944: receives and forwards packets in the local LAN for joined multicast groups only.
945: Packets matching the list of multicast groups get forwarded to connected
946: clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
947: SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
948:
949: .TP
950: .BR charon.plugins.forecast.interface " []"
951: Name of the local interface to listen for broadcasts messages to forward. If no
952: interface is configured, the first usable interface is used, which is usually
953: just fine for single\-homed hosts. If your host has multiple interfaces, set this
954: option to the local LAN interface you want to forward broadcasts from/to.
955:
956: .TP
957: .BR charon.plugins.forecast.reinject " []"
958: Comma separated list of CHILD_SA configuration names for which to perform
959: multi/broadcast reinjection. For clients connecting over such a configuration,
960: any multi/broadcast received over the tunnel gets reinjected to all active
961: tunnels. This makes the broadcasts visible to other peers and, for example,
962: allows clients to see each other's shares. If disabled, multi/broadcast messages
963: received over a tunnel are injected into the local network only, but not to other
964: IPsec clients.
965:
966: .TP
967: .BR charon.plugins.gcrypt.quick_random " [no]"
968: Use faster random numbers in gcrypt; for testing only, produces weak keys!
969:
970: .TP
971: .BR charon.plugins.ha.autobalance " [0]"
972: Interval in seconds to automatically balance handled segments between nodes. Set
973: to 0 to disable.
974:
975: .TP
976: .BR charon.plugins.ha.fifo_interface " [yes]"
977: .TP
978: .BR charon.plugins.ha.heartbeat_delay " [1000]"
979: .TP
980: .BR charon.plugins.ha.heartbeat_timeout " [2100]"
981: .TP
982: .BR charon.plugins.ha.local " []"
983: .TP
984: .BR charon.plugins.ha.monitor " [yes]"
985: .TP
986: .BR charon.plugins.ha.pools " []"
987: .TP
988: .BR charon.plugins.ha.remote " []"
989: .TP
990: .BR charon.plugins.ha.resync " [yes]"
991: .TP
992: .BR charon.plugins.ha.secret " []"
993: .TP
994: .BR charon.plugins.ha.segment_count " [1]"
995: .TP
996: .BR charon.plugins.ipseckey.enable " [no]"
997: Enable fetching of IPSECKEY RRs via DNS.
998:
999: .TP
1000: .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
1001: Allow the remote traffic selector to equal the IKE peer address. The route
1002: installed for such traffic (via the TUN device) usually blocks further IKE
1003: traffic to that peer. The fwmark options for the
1004: .RI "" "kernel\-netlink" ""
1005: and
1006: .RI "" "socket\-default" ""
1007: plugins can be used
1008: to work around that problem.
1009:
1010: .TP
1011: .BR charon.plugins.kernel-netlink.buflen " [<min(PAGE_SIZE, 8192)>]"
1012: Buffer size for received Netlink messages.
1013:
1014: .TP
1015: .BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]"
1016: If the maximum Netlink socket receive buffer in bytes set by
1017: .RI "" "receive_buffer_size" ""
1018: exceeds the system\-wide maximum from
1019: /proc/sys/net/core/rmem_max, this option can be used to override the limit.
1020: Enabling this option requires special privileges (CAP_NET_ADMIN).
1021:
1022: .TP
1023: .BR charon.plugins.kernel-netlink.fwmark " []"
1024: Firewall mark to set on the routing rule that directs traffic to our routing
1025: table. The format is [!]mark[/mask], where the optional exclamation mark inverts
1026: the meaning (i.e. the rule only applies to packets that don't match the mark).
1027:
1028: .TP
1029: .BR charon.plugins.kernel-netlink.hw_offload_feature_interface " [lo]"
1030: If the kernel supports hardware offloading, the plugin needs to find the feature
1031: flag which represents hardware offloading support for network devices. Using the
1032: loopback device for this purpose is usually fine, since it should always be
1033: present. For rare cases in which the loopback device cannot be used to obtain
1034: the appropriate feature flag, this option can be used to specify an alternative
1035: interface for offload feature detection.
1036:
1037: .TP
1038: .BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
1039: Whether to ignore errors potentially resulting from a retransmission.
1040:
1041: .TP
1042: .BR charon.plugins.kernel-netlink.mss " [0]"
1043: MSS to set on installed routes, 0 to disable.
1044:
1045: .TP
1046: .BR charon.plugins.kernel-netlink.mtu " [0]"
1047: MTU to set on installed routes, 0 to disable.
1048:
1049: .TP
1050: .BR charon.plugins.kernel-netlink.parallel_route " [no]"
1051: Whether to perform concurrent Netlink ROUTE queries on a single socket. While
1052: parallel queries can improve throughput, they add overhead. On vanilla Linux,
1053: DUMP queries fail with EBUSY and must be retried, further decreasing
1054: performance.
1055:
1056: .TP
1057: .BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
1058: Whether to perform concurrent Netlink XFRM queries on a single socket.
1059:
1060: .TP
1061: .BR charon.plugins.kernel-netlink.policy_update " [no]"
1062: Whether to always use XFRM_MSG_UPDPOLICY to install policies.
1063:
1064: .TP
1065: .BR charon.plugins.kernel-netlink.port_bypass " [no]"
1066: Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
1067: policies are used to exempt IKE traffic from XFRM processing. The default socket
1068: based policies are directly tied to the IKE UDP sockets, port based policies use
1069: global XFRM bypass policies for the used IKE UDP ports.
1070:
1071: .TP
1072: .BR charon.plugins.kernel-netlink.process_rules " [no]"
1073: Whether to process changes in routing rules to trigger roam events. This is
1074: currently only useful if the kernel based route lookup is used (i.e. if route
1075: installation is disabled or an inverted fwmark match is configured).
1076:
1077: .TP
1078: .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
1079: Maximum Netlink socket receive buffer in bytes. This value controls how many
1080: bytes of Netlink messages can be received on a Netlink socket. The default value
1081: is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the
1082: system\-wide maximum from /proc/sys/net/core/rmem_max, unless
1083: .RI "" "force_receive_buffer_size" ""
1084: is enabled.
1085:
1086: .TP
1087: .BR charon.plugins.kernel-netlink.retries " [0]"
1088: Number of Netlink message retransmissions to send on timeout.
1089:
1090: .TP
1091: .BR charon.plugins.kernel-netlink.roam_events " [yes]"
1092: Whether to trigger roam events when interfaces, addresses or routes change.
1093:
1094: .TP
1095: .BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]"
1096: Whether to set protocol and ports in the selector installed on transport mode
1097: IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
1098: it also prevents the use of a single IPsec SA by more than one traffic selector.
1099:
1100: .TP
1101: .B charon.plugins.kernel-netlink.spdh_thresh
1102: .br
1103: XFRM policy hashing threshold configuration for IPv4 and IPv6.
1104:
1105: The section defines hashing thresholds to configure in the kernel during daemon
1106: startup. Each address family takes a threshold for the local subnet of an IPsec
1107: policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
1108: subnet (dst in out\-policies, src in in\- and forward\-policies).
1109:
1110: If the subnet has at least as many network bits as the threshold, the first
1111: threshold bits are used to calculate a hash for the policy lookup.
1112:
1113: Policy hashing thresholds are not supported before Linux 3.18 and might conflict
1114: with socket policies before Linux 4.8.
1115:
1116: .TP
1117: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
1118: Local subnet XFRM policy hashing threshold for IPv4.
1119:
1120: .TP
1121: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
1122: Remote subnet XFRM policy hashing threshold for IPv4.
1123:
1124: .TP
1125: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
1126: Local subnet XFRM policy hashing threshold for IPv6.
1127:
1128: .TP
1129: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
1130: Remote subnet XFRM policy hashing threshold for IPv6.
1131:
1132: .TP
1133: .BR charon.plugins.kernel-netlink.timeout " [0]"
1134: Netlink message retransmission timeout, 0 to disable retransmissions.
1135:
1136: .TP
1137: .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
1138: Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
1139: policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
1140: Indirectly controls the delay between XFRM acquire messages triggered by the
1141: kernel for a trap policy. The same value is used as timeout for SPIs allocated
1142: by the kernel. The default value equals the total retransmission timeout for
1143: IKE messages, see IKEv2 RETRANSMISSION in
1144: .RB "" "strongswan.conf" "(5)."
1145:
1146:
1147: .TP
1148: .BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
1149: Size of the receive buffer for the event socket (0 for default size). Because
1150: events are received asynchronously, installing e.g. lots of policies may require
1151: a larger buffer than the default on certain platforms in order to receive all
1152: messages.
1153:
1154: .TP
1155: .BR charon.plugins.kernel-pfkey.route_via_internal " [no]"
1156: Whether to use the internal or external interface in installed routes. The
1157: internal interface is the one where the IP address contained in the local
1158: traffic selector is located, the external interface is the one over which the
1159: destination address of the IPsec tunnel can be reached. This is not relevant if
1160: virtual IPs are used, for which a TUN device is created that's used in the
1161: routes.
1162:
1163: .TP
1164: .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
1165: Time in ms to wait until virtual IP addresses appear/disappear before failing.
1166:
1167: .TP
1168: .BR charon.plugins.led.activity_led " []"
1169: .TP
1170: .BR charon.plugins.led.blink_time " [50]"
1171: .TP
1172: .B charon.plugins.load-tester
1173: .br
1174: Section to configure the load\-tester plugin, see LOAD TESTS in
1175: .RB "" "strongswan.conf" "(5)"
1176: for details.
1177:
1178: .TP
1179: .B charon.plugins.load-tester.addrs
1180: .br
1181: Section that contains key/value pairs with address pools (in CIDR notation) to
1182: use for a specific network interface, e.g. eth0 = 10.10.0.0/16.
1183:
1184: .TP
1185: .BR charon.plugins.load-tester.addrs_keep " [no]"
1186: Whether to keep dynamic addresses even after the associated SA got terminated.
1187:
1188: .TP
1189: .BR charon.plugins.load-tester.addrs_prefix " [16]"
1190: Network prefix length to use when installing dynamic addresses. If set to \-1,
1191: the full address is used (i.e. 32 or 128).
1192:
1193: .TP
1194: .BR charon.plugins.load-tester.ca_dir " []"
1195: Directory to load (intermediate) CA certificates from.
1196:
1197: .TP
1198: .BR charon.plugins.load-tester.child_rekey " [600]"
1199: Seconds to start CHILD_SA rekeying after setup.
1200:
1201: .TP
1202: .BR charon.plugins.load-tester.crl " []"
1203: URI to a CRL to include as CRL distribution point in generated
1204: certificates.
1205:
1206: .TP
1207: .BR charon.plugins.load-tester.delay " [0]"
1208: Delay between initiations for each thread.
1209:
1210: .TP
1211: .BR charon.plugins.load-tester.delete_after_established " [no]"
1212: Delete an IKE_SA as soon as it has been established.
1213:
1214: .TP
1215: .BR charon.plugins.load-tester.digest " [sha1]"
1216: Digest algorithm used when issuing certificates.
1217:
1218: .TP
1219: .BR charon.plugins.load-tester.dpd_delay " [0]"
1220: DPD delay to use in load test.
1221:
1222: .TP
1223: .BR charon.plugins.load-tester.dynamic_port " [0]"
1224: Base port to be used for requests (each client uses a different port).
1225:
1226: .TP
1227: .BR charon.plugins.load-tester.eap_password " [default-pwd]"
1228: EAP secret to use in load test.
1229:
1230: .TP
1231: .BR charon.plugins.load-tester.enable " [no]"
1232: Enable the load testing plugin.
1233: .RB "" "WARNING" ":"
1234: Never enable this plugin on
1235: production systems. It provides preconfigured credentials and allows an attacker
1236: to authenticate as any user.
1237:
1238: .TP
1239: .BR charon.plugins.load-tester.esp " [aes128-sha1]"
1240: CHILD_SA proposal to use for load tests.
1241:
1242: .TP
1243: .BR charon.plugins.load-tester.fake_kernel " [no]"
1244: Fake the kernel interface to allow load\-testing against self.
1245:
1246: .TP
1247: .BR charon.plugins.load-tester.ike_rekey " [0]"
1248: Seconds to start IKE_SA rekeying after setup.
1249:
1250: .TP
1251: .BR charon.plugins.load-tester.init_limit " [0]"
1252: Global limit of concurrently established SAs during load test.
1253:
1254: .TP
1255: .BR charon.plugins.load-tester.initiator " [0.0.0.0]"
1256: Address to initiate from.
1257:
1258: .TP
1259: .BR charon.plugins.load-tester.initiator_auth " [pubkey]"
1260: Authentication method(s) the initiator uses.
1261:
1262: .TP
1263: .BR charon.plugins.load-tester.initiator_id " []"
1264: Initiator ID used in load test.
1265:
1266: .TP
1267: .BR charon.plugins.load-tester.initiator_match " []"
1268: Initiator ID to match against as responder.
1269:
1270: .TP
1271: .BR charon.plugins.load-tester.initiator_tsi " []"
1272: Traffic selector on initiator side, as proposed by initiator.
1273:
1274: .TP
1275: .BR charon.plugins.load-tester.initiator_tsr " []"
1276: Traffic selector on responder side, as proposed by initiator.
1277:
1278: .TP
1279: .BR charon.plugins.load-tester.initiators " [0]"
1280: Number of concurrent initiator threads to use in load test.
1281:
1282: .TP
1283: .BR charon.plugins.load-tester.issuer_cert " []"
1284: Path to the issuer certificate (if not configured a hard\-coded default value is
1285: used).
1286:
1287: .TP
1288: .BR charon.plugins.load-tester.issuer_key " []"
1289: Path to private key that is used to issue certificates (if not configured a
1290: hard\-coded default value is used).
1291:
1292: .TP
1293: .BR charon.plugins.load-tester.iterations " [1]"
1294: Number of IKE_SAs to initiate by each initiator in load test.
1295:
1296: .TP
1297: .BR charon.plugins.load-tester.mode " [tunnel]"
1298: IPsec mode to use, one of
1299: .RI "" "tunnel" ","
1300: .RI "" "transport" ","
1301: or
1302: .RI "" "beet" "."
1303:
1304:
1305: .TP
1306: .BR charon.plugins.load-tester.pool " []"
1307: Provide INTERNAL_IPV4_ADDRs from a named pool.
1308:
1309: .TP
1310: .BR charon.plugins.load-tester.preshared_key " [<default-psk>]"
1311: Preshared key to use in load test.
1312:
1313: .TP
1314: .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
1315: IKE proposal to use in load test.
1316:
1317: .TP
1318: .BR charon.plugins.load-tester.request_virtual_ip " [no]"
1319: Request an INTERNAL_IPV4_ADDR from the server.
1320:
1321: .TP
1322: .BR charon.plugins.load-tester.responder " [127.0.0.1]"
1323: Address to initiate connections to.
1324:
1325: .TP
1326: .BR charon.plugins.load-tester.responder_auth " [pubkey]"
1327: Authentication method(s) the responder uses.
1328:
1329: .TP
1330: .BR charon.plugins.load-tester.responder_id " []"
1331: Responder ID used in load test.
1332:
1333: .TP
1334: .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
1335: Traffic selector on initiator side, as narrowed by responder.
1336:
1337: .TP
1338: .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
1339: Traffic selector on responder side, as narrowed by responder.
1340:
1341: .TP
1342: .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
1343: Shutdown the daemon after all IKE_SAs have been established.
1344:
1345: .TP
1346: .BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
1347: Socket provided by the load\-tester plugin.
1348:
1349: .TP
1350: .BR charon.plugins.load-tester.version " [0]"
1351: IKE version to use (0 means use IKEv2 as initiator and accept any version as
1352: responder).
1353:
1354: .TP
1355: .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
1356: Socket provided by the lookip plugin.
1357:
1358: .TP
1359: .BR charon.plugins.ntru.parameter_set " [optimum]"
1360: The following parameter sets are available:
1361: .RB "" "x9_98_speed" ","
1362: .RB "" "x9_98_bandwidth" ","
1363: .RB "" "x9_98_balance" ""
1364: and
1365: .RB "" "optimum" ","
1366: the last set not being
1367: part of the X9.98 standard but having the best performance.
1368:
1369: .TP
1370: .BR charon.plugins.openssl.engine_id " [pkcs11]"
1371: ENGINE ID to use in the OpenSSL plugin.
1372:
1373: .TP
1374: .BR charon.plugins.openssl.fips_mode " [0]"
1375: Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
1376:
1377: .TP
1378: .BR charon.plugins.osx-attr.append " [yes]"
1379: Whether DNS servers are appended to existing entries, instead of replacing them.
1380:
1381: .TP
1382: .B charon.plugins.p-cscf.enable
1383: .br
1384: Section to enable requesting P\-CSCF server addresses for individual connections.
1385:
1386: .TP
1387: .BR charon.plugins.p-cscf.enable.<conn> " [no]"
1388: <conn> is the name of a connection with an ePDG from which to request P\-CSCF
1389: server addresses. Requests will be sent for addresses of the same families for
1390: which internal IPs are requested.
1391:
1392: .TP
1393: .B charon.plugins.pkcs11.modules
1394: .br
1395: List of available PKCS#11 modules.
1396:
1397: .TP
1398: .BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]"
1399: Whether to automatically load certificates from tokens.
1400:
1401: .TP
1402: .BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]"
1403: Whether OS locking should be enabled for this module.
1404:
1405: .TP
1406: .BR charon.plugins.pkcs11.modules.<name>.path " []"
1407: Full path to the shared object file of this PKCS#11 module.
1408:
1409: .TP
1410: .BR charon.plugins.pkcs11.reload_certs " [no]"
1411: Reload certificates from all tokens if charon receives a SIGHUP.
1412:
1413: .TP
1414: .BR charon.plugins.pkcs11.use_dh " [no]"
1415: Whether the PKCS#11 modules should be used for DH and ECDH (see
1416: .RI "" "use_ecc" ""
1417: option).
1418:
1419: .TP
1420: .BR charon.plugins.pkcs11.use_ecc " [no]"
1421: Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
1422: operations. ECDSA private keys can be used regardless of this option.
1423:
1424: .TP
1425: .BR charon.plugins.pkcs11.use_hasher " [no]"
1426: Whether the PKCS#11 modules should be used to hash data.
1427:
1428: .TP
1429: .BR charon.plugins.pkcs11.use_pubkey " [no]"
1430: Whether the PKCS#11 modules should be used for public key operations, even for
1431: keys not stored on tokens.
1432:
1433: .TP
1434: .BR charon.plugins.pkcs11.use_rng " [no]"
1435: Whether the PKCS#11 modules should be used as RNG.
1436:
1437: .TP
1438: .BR charon.plugins.radattr.dir " []"
1439: Directory where RADIUS attributes are stored in client\-ID specific files.
1440:
1441: .TP
1442: .BR charon.plugins.radattr.message_id " [-1]"
1443: Attributes are added to all IKE_AUTH messages by default (\-1), or only to the
1444: IKE_AUTH message with the given IKEv2 message ID.
1445:
1446: .TP
1447: .BR charon.plugins.random.random " [${random_device}]"
1448: File to read random bytes from.
1449:
1450: .TP
1451: .BR charon.plugins.random.strong_equals_true " [no]"
1452: If set to yes the RNG_STRONG class reads random bytes from the same source as
1453: the RNG_TRUE class.
1454:
1455: .TP
1456: .BR charon.plugins.random.urandom " [${urandom_device}]"
1457: File to read pseudo random bytes from.
1458:
1459: .TP
1460: .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
1461: File where to add DNS server entries.
1462:
1463: .TP
1464: .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
1465: Prefix used for interface names sent to
1466: .RB "" "resolvconf" "(8)."
1467: The nameserver
1468: address is appended to this prefix to make it unique. The result has to be a
1469: valid interface name according to the rules defined by resolvconf. Also, it
1470: should have a high priority according to the order defined in
1471: .RB "" "interface\-order" "(5)."
1472:
1473:
1474: .TP
1475: .BR charon.plugins.revocation.enable_crl " [yes]"
1476: Whether CRL validation should be enabled.
1477:
1478: .TP
1479: .BR charon.plugins.revocation.enable_ocsp " [yes]"
1480: Whether OCSP validation should be enabled.
1481:
1482: .TP
1483: .BR charon.plugins.save-keys.esp " [no]"
1484: Whether to save ESP keys.
1485:
1486: .TP
1487: .BR charon.plugins.save-keys.ike " [no]"
1488: Whether to save IKE keys.
1489:
1490: .TP
1491: .BR charon.plugins.save-keys.load " [no]"
1492: Whether to load the plugin. Intended for debugging only: the saved files contain the live session keys, so anyone able to read them can decrypt the traffic.
1493:
1494: .TP
1495: .BR charon.plugins.save-keys.wireshark_keys " []"
1496: Directory where the keys are stored in the format supported by Wireshark. IKEv1
1497: keys are stored in the
1498: .RI "" "ikev1_decryption_table" ""
1499: file. IKEv2 keys are stored in
1500: the
1501: .RI "" "ikev2_decryption_table" ""
1502: file. Keys for ESP CHILD_SAs are stored in the
1503: .RI "" "esp_sa" ""
1504: file.
1505:
1506: .TP
1507: .BR charon.plugins.socket-default.fwmark " []"
1508: Firewall mark to set on outbound packets.
1509:
1510: .TP
1511: .BR charon.plugins.socket-default.set_source " [yes]"
1512: Set source address on outbound packets, if possible.
1513:
1514: .TP
1515: .BR charon.plugins.socket-default.set_sourceif " [no]"
1516: Force sending interface on outbound packets, if possible. This allows using IPv6
1517: link\-local addresses as tunnel endpoints.
1518:
1519: .TP
1520: .BR charon.plugins.socket-default.use_ipv4 " [yes]"
1521: Listen on IPv4, if possible.
1522:
1523: .TP
1524: .BR charon.plugins.socket-default.use_ipv6 " [yes]"
1525: Listen on IPv6, if possible.
1526:
1527: .TP
1528: .BR charon.plugins.sql.database " []"
1529: Database URI for charon's SQL plugin. If it contains a password, make sure to
1530: adjust the permissions of the config file accordingly.
1531:
1532: .TP
1533: .BR charon.plugins.sql.loglevel " [-1]"
1534: Loglevel for logging to SQL database.
1535:
1536: .TP
1537: .BR charon.plugins.stroke.allow_swap " [yes]"
1538: Analyze addresses/hostnames in
1539: .RI "" "left|right" ""
1540: to detect which side is local and
1541: swap configuration options if necessary. If disabled
1542: .RI "" "left" ""
1543: is always
1544: .RI "" "local" "."
1545:
1546:
1547: .TP
1548: .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
1549: Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
1550: certificates even if they don't contain a CA basic constraint.
1551:
1552: .TP
1553: .BR charon.plugins.stroke.max_concurrent " [4]"
1554: Maximum number of stroke messages handled concurrently.
1555:
1556: .TP
1557: .BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
1558: If enabled, log level changes via the stroke socket are not allowed.
1559:
1560: .TP
1561: .BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]"
1562: Location of the ipsec.secrets file.
1563:
1564: .TP
1565: .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
1566: Socket provided by the stroke plugin.
1567:
1568: .TP
1569: .BR charon.plugins.stroke.timeout " [0]"
1570: Timeout in ms for any stroke command. Use 0 to disable the timeout.
1571:
1572: .TP
1573: .BR charon.plugins.systime-fix.interval " [0]"
1574: Interval in seconds to check system time for validity. 0 disables the check.
1575:
1576: .TP
1577: .BR charon.plugins.systime-fix.reauth " [no]"
1578: Whether to use reauth or delete if an invalid cert lifetime is detected.
1579:
1580: .TP
1581: .BR charon.plugins.systime-fix.threshold " []"
1582: Threshold date from which the system time is considered valid. Disabled if not specified.
1583:
1584: .TP
1585: .BR charon.plugins.systime-fix.threshold_format " [%Y]"
1586: .RB "" "strptime" "(3)"
1587: format used to parse threshold option.
1588:
1589: .TP
1590: .BR charon.plugins.systime-fix.timeout " [0s]"
1591: How long to wait for a valid system time if an interval is configured. 0 to
1592: recheck indefinitely.
1593:
1594: .TP
1595: .BR charon.plugins.tnc-ifmap.client_cert " []"
1596: Path to X.509 certificate file of IF\-MAP client.
1597:
1598: .TP
1599: .BR charon.plugins.tnc-ifmap.client_key " []"
1600: Path to private key file of IF\-MAP client.
1601:
1602: .TP
1603: .BR charon.plugins.tnc-ifmap.device_name " []"
1604: Unique name of strongSwan server as a PEP and/or PDP device.
1605:
1606: .TP
1607: .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
1608: Interval in seconds between periodic IF\-MAP RenewSession requests.
1609:
1610: .TP
1611: .BR charon.plugins.tnc-ifmap.server_cert " []"
1612: Path to X.509 certificate file of IF\-MAP server.
1613:
1614: .TP
1615: .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
1616: URI of the form [https://]servername[:port][/path].
1617:
1618: .TP
1619: .BR charon.plugins.tnc-ifmap.username_password " []"
1620: Credentials of IF\-MAP client of the form username:password. If set, make sure to
1621: adjust the permissions of the config file accordingly.
1622:
1623: .TP
1624: .BR charon.plugins.tnc-imc.dlclose " [yes]"
1625: Unload IMC after use.
1626:
1627: .TP
1628: .BR charon.plugins.tnc-imc.preferred_language " [en]"
1629: Preferred language for TNC recommendations.
1630:
1631: .TP
1632: .BR charon.plugins.tnc-imv.dlclose " [yes]"
1633: Unload IMV after use.
1634:
1635: .TP
1636: .BR charon.plugins.tnc-imv.recommendation_policy " [default]"
1637: TNC recommendation policy, one of
1638: .RI "" "default" ","
1639: .RI "" "any" ","
1640: or
1641: .RI "" "all" "."
1642:
1643:
1644: .TP
1645: .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
1646: Enable PT\-TLS protocol on the strongSwan PDP.
1647:
1648: .TP
1649: .BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
1650: PT\-TLS server port the strongSwan PDP is listening on.
1651:
1652: .TP
1653: .BR charon.plugins.tnc-pdp.radius.enable " [yes]"
1654: Enable RADIUS protocol on the strongSwan PDP.
1655:
1656: .TP
1657: .BR charon.plugins.tnc-pdp.radius.method " [ttls]"
1658: EAP tunnel method to be used.
1659:
1660: .TP
1661: .BR charon.plugins.tnc-pdp.radius.port " [1812]"
1662: RADIUS server port the strongSwan PDP is listening on.
1663:
1664: .TP
1665: .BR charon.plugins.tnc-pdp.radius.secret " []"
1666: Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
1667: the permissions of the config file accordingly.
1668:
1669: .TP
1670: .BR charon.plugins.tnc-pdp.server " []"
1671: Name of the strongSwan PDP as contained in the AAA certificate.
1672:
1673: .TP
1674: .BR charon.plugins.tnc-pdp.timeout " []"
1675: Timeout in seconds before closing incomplete connections.
1676:
1677: .TP
1678: .BR charon.plugins.tnccs-11.max_message_size " [45000]"
1679: Maximum size of a PA\-TNC message (XML & Base64 encoding).
1680:
1681: .TP
1682: .BR charon.plugins.tnccs-20.max_batch_size " [65522]"
1683: Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
1684:
1685: .TP
1686: .BR charon.plugins.tnccs-20.max_message_size " [65490]"
1687: Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
1688:
1689: .TP
1690: .BR charon.plugins.tnccs-20.mutual " [no]"
1691: Enable PB\-TNC mutual protocol.
1692:
1693: .TP
1694: .BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
1695: Send an unsupported PB\-TNC message type with the NOSKIP flag set.
1696:
1697: .TP
1698: .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
1699: Send a PB\-TNC batch with a modified PB\-TNC version.
1700:
1701: .TP
1702: .BR charon.plugins.tpm.fips_186_4 " [no]"
1703: Whether the TPM 2.0 is FIPS\-186\-4 compliant, which forces e.g. the use of the
1704: default salt length instead of the maximum salt length with RSA\-PSS padding.
1705:
1706: .TP
1707: .BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
1708: Name of TPM 2.0 TCTI library. Valid values:
1709: .RI "" "tabrmd" ","
1710: .RI "" "device" ""
1711: or
1712: .RI "" "mssim" "."
1713: Defaults are
1714: .RI "" "device" ""
1715: if the
1716: .RI "" "/dev/tpmrm0" ""
1717: in\-kernel TPM 2.0 resource manager
1718: device exists, and
1719: .RI "" "tabrmd" ""
1720: otherwise, requiring the d\-bus based TPM 2.0 access
1721: broker and resource manager to be available.
1722:
1723: .TP
1724: .BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|<none>]"
1725: Options for the TPM 2.0 TCTI library. Defaults are
1726: .RI "" "/dev/tpmrm0" ""
1727: if the TCTI
1728: library name is
1729: .RI "" "device" ""
1730: and no options otherwise.
1731:
1732: .TP
1733: .BR charon.plugins.tpm.use_rng " [no]"
1734: Whether the TPM should be used as RNG.
1735:
1736: .TP
1737: .BR charon.plugins.unbound.dlv_anchors " []"
1738: File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
1739: the same format as
1740: .RI "" "trust_anchors" "."
1741: Only one DLV can be configured, which is then used as a root trusted DLV, i.e.
1742: a lookaside for the root. Note that DLV has since been retired (RFC 8749).
1743:
1744: .TP
1745: .BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
1746: File to read DNS resolver configuration from.
1747:
1748: .TP
1749: .BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
1750: File to read DNSSEC trust anchors from (usually root zone KSK). The format of
1751: the file is the standard DNS Zone file format, anchors can be stored as DS or
1752: DNSKEY entries in the file.
1753:
1754: .TP
1755: .BR charon.plugins.updown.dns_handler " [no]"
1756: Whether the updown script should handle DNS servers assigned via IKEv1 Mode
1757: Config or IKEv2 Config Payloads (if enabled, they can't be handled by other
1758: plugins, like resolve).
1759:
1760: .TP
1761: .BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
1762: Socket on which the vici plugin serves clients.
1763:
1764: .TP
1765: .BR charon.plugins.whitelist.enable " [yes]"
1766: Enable loaded whitelist plugin.
1767:
1768: .TP
1769: .BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
1770: Socket provided by the whitelist plugin.
1771:
1772: .TP
1773: .BR charon.plugins.wolfssl.fips_mode " [no]"
1774: Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
1775:
1776: .TP
1777: .BR charon.plugins.xauth-eap.backend " [radius]"
1778: EAP plugin to be used as backend for XAuth credential verification.
1779:
1780: .TP
1781: .BR charon.plugins.xauth-pam.pam_service " [login]"
1782: PAM service to be used for authentication.
1783:
1784: .TP
1785: .BR charon.plugins.xauth-pam.session " [no]"
1786: Open/close a PAM session for each active IKE_SA.
1787:
1788: .TP
1789: .BR charon.plugins.xauth-pam.trim_email " [yes]"
1790: If an email address is received as an XAuth username, trim it to just the
1791: username part.
1792:
1793: .TP
1794: .BR charon.port " [500]"
1795: UDP port used locally. If set to 0 a random port will be allocated.
1796:
1797: .TP
1798: .BR charon.port_nat_t " [4500]"
1799: UDP port used locally in case of NAT\-T. If set to 0 a random port will be
1800: allocated. Has to be different from
1801: .RB "" "charon.port" ","
1802: otherwise a random port
1803: will be allocated.
1804:
1805: .TP
1806: .BR charon.prefer_best_path " [no]"
1807: By default, charon keeps SAs on the routing path with addresses it previously
1808: used if that path is still usable. By setting this option to yes, it tries more
1809: aggressively to update SAs with MOBIKE on routing priority changes using the
1810: cheapest path. This adds more noise, but allows SAs to adapt dynamically to
1811: routing priority changes. This option has no effect if MOBIKE is not supported
1812: or disabled.
1813:
1814: .TP
1815: .BR charon.prefer_configured_proposals " [yes]"
1816: Prefer locally configured proposals for IKE/IPsec over supplied ones as
1817: responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
1818: notifies).
1819:
1820: .TP
1821: .BR charon.prefer_temporary_addrs " [no]"
1822: By default, permanent IPv6 source addresses are preferred over temporary ones
1823: (RFC 4941), to make connections more stable. Enable this option to reverse this.
1824:
1825: It also affects which IPv6 addresses are announced as additional addresses if
1826: MOBIKE is used. If the option is disabled, only permanent addresses are sent,
1827: and only temporary ones if it is enabled.
1828:
1829: .TP
1830: .BR charon.process_route " [yes]"
1831: Process RTM_NEWROUTE and RTM_DELROUTE events.
1832:
1833: .TP
1834: .B charon.processor.priority_threads
1835: .br
1836: Section to configure the number of reserved threads per priority class, see JOB
1837: PRIORITY MANAGEMENT in
1838: .RB "" "strongswan.conf" "(5)."
1839:
1840:
1841: .TP
1842: .BR charon.rdn_matching " [strict]"
1843: How RDNs in subject DNs of certificates are matched against configured
1844: identities. Possible values are
1845: .RI "" "strict" ""
1846: (the default),
1847: .RI "" "reordered" ","
1848: and
1849: .RI "" "relaxed" "."
1850: With
1851: .RI "" "strict" ""
1852: the number, type and order of all RDNs have to match,
1853: wildcards (*) for the values of RDNs are allowed (that's the case for all three
1854: variants). Using
1855: .RI "" "reordered" ""
1856: also matches DNs if the RDNs appear in a different
1857: order; the number and type still have to match. Finally,
1858: .RI "" "relaxed" ""
1859: also allows
1860: matches of DNs that contain more RDNs than the configured identity (missing RDNs
1861: are treated like a wildcard match).
1862:
1863: Note that
1864: .RI "" "reordered" ""
1865: and
1866: .RI "" "relaxed" ""
1867: impose a considerable overhead on memory
1868: usage and runtime, in particular, for mismatches, compared to
1869: .RI "" "strict" "."
1870:
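The three matching modes described above, as an added example that is not strongSwan code: a string-level model in which a DN is the familiar "C=CH, O=strongSwan, CN=peer" form split into (type, value) RDNs (the daemon itself compares DER-encoded names; the DN strings and the helper names are constructed for this example).

```python
"""Added example (not strongSwan code): a string-level model of the three
charon.rdn_matching modes (strict, reordered, relaxed).  A DN is given as
"C=CH, O=strongSwan, CN=peer" and split into (type, value) RDNs."""

WILDCARD = "*"


def parse_dn(dn):
    """Split 'C=CH, O=strongSwan, CN=peer' into [('C', 'CH'), ...]."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        rdn_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append((rdn_type.strip().upper(), value.strip()))
    return rdns


def rdn_equal(configured, subject):
    """Types must match; a configured value of '*' matches any value."""
    return configured[0] == subject[0] and configured[1] in (WILDCARD, subject[1])


def match_unordered(configured, subject):
    """Pair every configured RDN with a distinct subject RDN, ignoring order.
    Exact values are paired first so a wildcard cannot take the RDN an exact
    entry needs; surplus subject RDNs stay unmatched (the caller decides
    whether that is allowed)."""
    remaining = list(subject)
    ordered = sorted(configured, key=lambda rdn: rdn[1] == WILDCARD)
    for rdn in ordered:
        for i, candidate in enumerate(remaining):
            if rdn_equal(rdn, candidate):
                del remaining[i]
                break
        else:
            return False
    return True


def match_strict(configured, subject):
    # number, type and order of all RDNs have to match
    return len(configured) == len(subject) and all(
        rdn_equal(c, s) for c, s in zip(configured, subject))


def match_reordered(configured, subject):
    # number and type have to match, order may differ
    return len(configured) == len(subject) and match_unordered(configured, subject)


def match_relaxed(configured, subject):
    # the subject may carry more RDNs than configured; RDNs missing from the
    # configured identity count as a wildcard match
    return len(configured) <= len(subject) and match_unordered(configured, subject)


MATCHERS = {"strict": match_strict, "reordered": match_reordered,
            "relaxed": match_relaxed}


def rdn_match(mode, configured_dn, subject_dn):
    """Does the certificate subject DN satisfy the configured identity in mode?"""
    return MATCHERS[mode](parse_dn(configured_dn), parse_dn(subject_dn))


if __name__ == "__main__":
    subject = "C=CH, O=strongSwan, CN=peer"           # constructed sample
    for mode, ident in [("strict", "C=CH, O=strongSwan, CN=*"),
                        ("strict", "C=CH, CN=peer, O=strongSwan"),
                        ("reordered", "C=CH, CN=peer, O=strongSwan"),
                        ("relaxed", "C=CH, CN=peer")]:
        print("%-9s %-30s -> %s" % (mode, ident, rdn_match(mode, ident, subject)))
    # relaxed widens what a configured identity accepts: an identity without an
    # O= RDN also matches a certificate for the same CN issued under another O
    print("relaxed   O omitted, other org       ->",
          rdn_match("relaxed", "C=CH, CN=peer", "C=CH, O=Other Org, CN=peer"))
```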
1871:
1872: .TP
1873: .BR charon.receive_delay " [0]"
1874: Delay in ms for receiving packets, to simulate larger RTT.
1875:
1876: .TP
1877: .BR charon.receive_delay_request " [yes]"
1878: Delay request messages.
1879:
1880: .TP
1881: .BR charon.receive_delay_response " [yes]"
1882: Delay response messages.
1883:
1884: .TP
1885: .BR charon.receive_delay_type " [0]"
1886: Specific IKEv2 message type to delay, 0 for any.
1887:
1888: .TP
1889: .BR charon.replay_window " [32]"
1890: Size of the AH/ESP replay window, in packets.
1891:
1892: .TP
1893: .BR charon.retransmit_base " [1.8]"
1894: Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
1895: .RB "" "strongswan.conf" "(5)."
1896:
1897:
1898: .TP
1899: .BR charon.retransmit_jitter " [0]"
1900: Maximum jitter in percent to apply randomly to calculated retransmission timeout
1901: (0 to disable).
1902:
1903: .TP
1904: .BR charon.retransmit_limit " [0]"
1905: Upper limit in seconds for calculated retransmission timeout (0 to disable).
1906:
1907: .TP
1908: .BR charon.retransmit_timeout " [4.0]"
1909: Timeout in seconds before sending first retransmit.
1910:
1911: .TP
1912: .BR charon.retransmit_tries " [5]"
1913: Number of times to retransmit a packet before giving up.
1914:
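The schedule that the charon.retransmit_* options above produce, as an added example that is not strongSwan code: it applies the formula documented in the IKEv2 RETRANSMISSION section of strongswan.conf(5), wait(k) = retransmit_timeout * retransmit_base^k for k = 0 .. retransmit_tries, with retransmit_limit capping each wait. That retransmit_jitter shortens a wait by a random share of up to that many percent is an assumption of this example, as are the helper names.

```python
"""Added example (not strongSwan code): the IKEv2 retransmission schedule that
follows from charon.retransmit_timeout, retransmit_base, retransmit_tries,
retransmit_limit and retransmit_jitter.

    wait(k) = retransmit_timeout * retransmit_base ** k,  k = 0 .. retransmit_tries

wait(k) is the time waited after the k-th transmission (k = 0 is the original
message) before the next retransmit; after the last retransmit the daemon waits
wait(retransmit_tries) and then gives up."""
import random


def retransmit_schedule(timeout=4.0, base=1.8, tries=5, limit=0, jitter=0, rng=None):
    """Return the list of waits in seconds, one per transmission (tries + 1)."""
    rng = rng or random.Random(0)     # seeded so a run is reproducible
    waits = []
    for k in range(tries + 1):
        wait = timeout * base ** k
        if limit:                     # 0 disables the upper limit
            wait = min(wait, float(limit))
        if jitter:                    # 0 disables jitter; assumption: jitter only
            wait -= wait * rng.uniform(0, jitter) / 100.0   # shortens the wait
        waits.append(wait)
    return waits


def time_to_give_up(**options):
    """Seconds from the first send until the daemon abandons the exchange."""
    return sum(retransmit_schedule(**options))


def describe(**options):
    """Human-readable timeline: when each retransmit happens and when charon
    gives up."""
    waits = retransmit_schedule(**options)
    lines = []
    elapsed = 0.0
    for k, wait in enumerate(waits):
        elapsed += wait
        what = "retransmit %d" % (k + 1) if k < len(waits) - 1 else "give up"
        lines.append("t=%7.2fs  %s" % (elapsed, what))
    return lines


if __name__ == "__main__":
    print("defaults (4.0 s, base 1.8, 5 tries): total %.1f s" % time_to_give_up())
    for line in describe():
        print("  " + line)
    # capping each wait at 30 s bounds how long an unreachable peer keeps the
    # exchange pending, at the cost of more messages on a lossy path
    print("with retransmit_limit = 30: total %.1f s" % time_to_give_up(limit=30))
```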
1915: .TP
1916: .BR charon.retry_initiate_interval " [0]"
1917: Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
1918: resolution failed), 0 to disable retries.
1919:
1920: .TP
1921: .BR charon.reuse_ikesa " [yes]"
1922: Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
1923:
1924: .TP
1925: .BR charon.routing_table " []"
1926: Numerical routing table to install routes to.
1927:
1928: .TP
1929: .BR charon.routing_table_prio " []"
1930: Priority of the routing table.
1931:
1932: .TP
1933: .BR charon.rsa_pss " [no]"
1934: Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
1935:
1936: .TP
1937: .BR charon.send_delay " [0]"
1938: Delay in ms for sending packets, to simulate larger RTT.
1939:
1940: .TP
1941: .BR charon.send_delay_request " [yes]"
1942: Delay request messages.
1943:
1944: .TP
1945: .BR charon.send_delay_response " [yes]"
1946: Delay response messages.
1947:
1948: .TP
1949: .BR charon.send_delay_type " [0]"
1950: Specific IKEv2 message type to delay, 0 for any.
1951:
1952: .TP
1953: .BR charon.send_vendor_id " [no]"
1954: Send strongSwan vendor ID payload.
1955:
1956: .TP
1957: .BR charon.signature_authentication " [yes]"
1958: Whether to enable Signature Authentication as per RFC 7427.
1959:
1960: .TP
1961: .BR charon.signature_authentication_constraints " [yes]"
1962: If enabled, signature schemes configured in
1963: .RI "" "rightauth" ","
1964: in addition to getting
1965: used as constraints against signature schemes employed in the certificate chain,
1966: are also used as constraints against the signature scheme used by peers during
1967: IKEv2.
1968:
1969: .TP
1970: .BR charon.spi_label " [0x0000000000000000]"
1971: Value mixed into the local IKE SPIs after applying
1972: .RI "" "spi_mask" "."
1973:
1974:
1975: .TP
1976: .BR charon.spi_mask " [0x0000000000000000]"
1977: Mask applied to local IKE SPIs before mixing in
1978: .RI "" "spi_label" ""
1979: (bits set will be
1980: replaced with
1981: .RI "" "spi_label" ")."
1982:
1983:
1984: .TP
1985: .BR charon.spi_max " [0xcfffffff]"
1986: The upper limit for SPIs requested from the kernel for IPsec SAs.
1987:
1988: .TP
1989: .BR charon.spi_min " [0xc0000000]"
1990: The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
1991: set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
1992:
1993: .TP
1994: .B charon.start-scripts
1995: .br
1996: Section containing a list of scripts (name = path) that are executed when the
1997: daemon is started.
1998:
1999: .TP
2000: .B charon.stop-scripts
2001: .br
2002: Section containing a list of scripts (name = path) that are executed when the
2003: daemon is terminated.
2004:
2005: .TP
2006: .B charon.syslog
2007: .br
2008: Section to define syslog loggers, see LOGGER CONFIGURATION in
2009: .RB "" "strongswan.conf" "(5)."
2010:
2011:
2012: .TP
2013: .B charon.syslog.<facility>
2014: .br
2015: <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
2016: in
2017: .RB "" "strongswan.conf" "(5)."
2018:
2019:
2020: .TP
2021: .BR charon.syslog.<facility>.<subsystem> " [<default>]"
2022: Loglevel for a specific subsystem.
2023:
2024: .TP
2025: .BR charon.syslog.<facility>.default " [1]"
2026: Specifies the default loglevel to be used for subsystems for which no specific
2027: loglevel is defined.
2028:
2029: .TP
2030: .BR charon.syslog.<facility>.ike_name " [no]"
2031: Prefix each log entry with the connection name and a unique numerical identifier
2032: for each IKE_SA.
2033:
2034: .TP
2035: .BR charon.syslog.identifier " []"
2036: Global identifier used for an
2037: .RB "" "openlog" "(3)"
2038: call, prepended to each log message
2039: by syslog. If not configured,
2040: .RB "" "openlog" "(3)"
2041: is not called, so the value will
2042: depend on system defaults (often the program name).
2043:
2044: .TP
2045: .BR charon.threads " [16]"
2046: Number of worker threads in charon. Several of these are reserved for long
2047: running tasks in internal modules and plugins. Therefore, make sure you don't
2048: set this value too low. The number of idle worker threads listed in
2049: .RI "" "ipsec statusall" ""
2050: can be used as an indicator of the number of reserved threads.
2051:
2052: .TP
2053: .BR charon.tls.cipher " []"
2054: List of TLS encryption ciphers.
2055:
2056: .TP
2057: .BR charon.tls.key_exchange " []"
2058: List of TLS key exchange methods.
2059:
2060: .TP
2061: .BR charon.tls.mac " []"
2062: List of TLS MAC algorithms.
2063:
2064: .TP
2065: .BR charon.tls.suites " []"
2066: List of TLS cipher suites.
2067:
2068: .TP
2069: .BR charon.tnc.tnc_config " [/etc/tnc_config]"
2070: TNC IMC/IMV configuration file.
2071:
2072: .TP
2073: .BR charon.user " []"
2074: Name of the user the daemon changes to after startup.
2075:
2076: .TP
2077: .BR charon.x509.enforce_critical " [yes]"
2078: Discard certificates with unsupported or unknown critical extensions.
2079:
2080: .TP
2081: .BR charon-nm.ca_dir " [<default>]"
2082: Directory from which to load CA certificates if no certificate is configured.
2083:
2084: .TP
2085: .B charon-systemd.journal
2086: .br
2087: Section to configure native systemd journal logger, very similar to the syslog
2088: logger as described in LOGGER CONFIGURATION in
2089: .RB "" "strongswan.conf" "(5)."
2090:
2091:
2092: .TP
2093: .BR charon-systemd.journal.<subsystem> " [<default>]"
2094: Loglevel for a specific subsystem.
2095:
2096: .TP
2097: .BR charon-systemd.journal.default " [1]"
2098: Specifies the default loglevel to be used for subsystems for which no specific
2099: loglevel is defined.
2100:
2101: .TP
2102: .BR imv_policy_manager.command_allow " []"
2103: Shell command to be executed with recommendation allow.
2104:
2105: .TP
2106: .BR imv_policy_manager.command_block " []"
2107: Shell command to be executed with all other recommendations.
2108:
2109: .TP
2110: .BR imv_policy_manager.database " []"
2111: Database URI for the database that stores the package information. If it
2112: contains a password, make sure to adjust the permissions of the config file
2113: accordingly.
2114:
2115: .TP
2116: .BR imv_policy_manager.load " [sqlite]"
2117: Plugins to load in IMV policy manager.
2118:
2119: .TP
2120: .BR libimcv.debug_level " [1]"
2121: Debug level for a stand\-alone
2122: .RI "" "libimcv" ""
2123: library.
2124:
2125: .TP
2126: .BR libimcv.load " [random nonce gmp pubkey x509]"
2127: Plugins to load in IMC/IMVs with stand\-alone
2128: .RI "" "libimcv" ""
2129: library.
2130:
2131: .TP
2132: .BR libimcv.plugins.imc-attestation.aik_blob " []"
2133: AIK encrypted private key blob file.
2134:
2135: .TP
2136: .BR libimcv.plugins.imc-attestation.aik_cert " []"
2137: AIK certificate file.
2138:
2139: .TP
2140: .BR libimcv.plugins.imc-attestation.aik_handle " []"
2141: AIK object handle.
2142:
2143: .TP
2144: .BR libimcv.plugins.imc-attestation.aik_pubkey " []"
2145: AIK public key file.
2146:
2147: .TP
2148: .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
2149: Enforce mandatory Diffie\-Hellman groups.
2150:
2151: .TP
2152: .BR libimcv.plugins.imc-attestation.nonce_len " [20]"
2153: DH nonce length.
2154:
2155: .TP
2156: .BR libimcv.plugins.imc-attestation.pcr17_after " []"
2157: PCR17 value after measurement.
2158:
2159: .TP
2160: .BR libimcv.plugins.imc-attestation.pcr17_before " []"
2161: PCR17 value before measurement.
2162:
2163: .TP
2164: .BR libimcv.plugins.imc-attestation.pcr17_meas " []"
2165: Dummy measurement value extended into PCR17 if the TBOOT log is not available.
2166:
2167: .TP
2168: .BR libimcv.plugins.imc-attestation.pcr18_after " []"
2169: PCR18 value after measurement.
2170:
2171: .TP
2172: .BR libimcv.plugins.imc-attestation.pcr18_before " []"
2173: PCR18 value before measurement.
2174:
2175: .TP
2176: .BR libimcv.plugins.imc-attestation.pcr18_meas " []"
2177: Dummy measurement value extended into PCR17 if the TBOOT log is not available.
2178:
2179: .TP
2180: .BR libimcv.plugins.imc-attestation.pcr_info " [no]"
2181: Whether to send pcr_before and pcr_after info.
2182:
2183: .TP
2184: .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
2185: Use Quote2 AIK signature instead of Quote signature.
2186:
2187: .TP
2188: .BR libimcv.plugins.imc-attestation.use_version_info " [no]"
2189: Version Info is included in Quote2 signature.
2190:
2191: .TP
2192: .BR libimcv.plugins.imc-hcd.push_info " [yes]"
2193: Send quadruple info without being prompted.
2194:
2195: .TP
2196: .BR libimcv.plugins.imc-hcd.subtypes " []"
2197: Section to define PWG HCD PA subtypes.
2198:
2199: .TP
2200: .BR libimcv.plugins.imc-hcd.subtypes.<section> " []"
2201: Defines a PWG HCD PA subtype section. Recognized subtype section names are
2202: .RI "" "system" ","
2203: .RI "" "control" ","
2204: .RI "" "marker" ","
2205: .RI "" "finisher" ","
2206: .RI "" "interface" ""
2207: and
2208: .RI "" "scanner" "."
2209:
2210:
2211: .TP
2212: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> " []"
2213: Defines a software type section. Recognized software type section names are
2214: .RI "" "firmware" ","
2215: .RI "" "resident_application" ""
2216: and
2217: .RI "" "user_application" "."
2218:
2219:
2220: .TP
2221: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> " []"
2222: Defines a software section having an arbitrary name.
2223:
2224: .TP
2225: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name " []"
2226: Name of the software installed on the hardcopy device.
2227:
2228: .TP
2229: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches " []"
2230: String describing all patches applied to the given software on this hardcopy
2231: device. The individual patches are separated by a newline character '\\n'.
2232:
2233: .TP
2234: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version " []"
2235: String describing the version of the given software on this hardcopy device.
2236:
2237: .TP
2238: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version " []"
2239: Hex\-encoded version string with a length of 16 octets consisting of the fields
2240: major version number (4 octets), minor version number (4 octets), build number
2241: (4 octets), service pack major number (2 octets) and service pack minor number
2242: (2 octets).
2243:
2244: .TP
2245: .BR libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language " [en]"
2246: Variable-length natural language tag conforming to RFC 5646 that specifies the
2247: language to be used in the health assessment message of a given subtype.
2248:
2249: .TP
2250: .BR libimcv.plugins.imc-hcd.subtypes.system.certification_state " []"
2251: Hex\-encoded certification state.
2252:
2253: .TP
2254: .BR libimcv.plugins.imc-hcd.subtypes.system.configuration_state " []"
2255: Hex\-encoded configuration state.
2256:
2257: .TP
2258: .BR libimcv.plugins.imc-hcd.subtypes.system.machine_type_model " []"
2259: String specifying the machine type and model of the hardcopy device.
2260:
2261: .TP
2262: .BR libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled " [no]"
2263: Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy
2264: device.
2265:
2266: .TP
2267: .BR libimcv.plugins.imc-hcd.subtypes.system.time_source " []"
2268: String specifying the hostname of the network time server used by the hardcopy
2269: device.
2270:
2271: .TP
2272: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled " [no]"
2273: Specifies if users can dynamically download and execute applications on the
2274: hardcopy device.
2275:
2276: .TP
2277: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled " [no]"
2278: Specifies if user dynamically downloaded applications can persist outside the
2279: boundaries of a single job on the hardcopy device.
2280:
2281: .TP
2282: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_name " []"
2283: String specifying the manufacturer of the hardcopy device.
2284:
2285: .TP
2286: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code " []"
2287: Integer specifying the globally unique 24\-bit SMI code assigned to the
2288: manufacturer of the hardcopy device.
2289:
2290: .TP
2291: .BR libimcv.plugins.imc-os.device_cert " []"
2292: Manually set the path to the client device certificate (e.g.
2293: /etc/pts/aikCert.der)
2294:
2295: .TP
2296: .BR libimcv.plugins.imc-os.device_handle " []"
2297: Manually set handle to a private key bound to a smartcard or TPM (e.g.
2298: 0x81010004)
2299:
2300: .TP
2301: .BR libimcv.plugins.imc-os.device_id " []"
2302: Manually set the client device ID in hexadecimal format (e.g.
2303: 1083f03988c9762703b1c1080c2e46f72b99cc31)
2304:
2305: .TP
2306: .BR libimcv.plugins.imc-os.device_pubkey " []"
2307: Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der)
2308:
2309: .TP
2310: .BR libimcv.plugins.imc-os.push_info " [yes]"
2311: Send operating system info without being prompted.
2312:
2313: .TP
2314: .BR libimcv.plugins.imc-scanner.push_info " [yes]"
2315: Send open listening ports without being prompted.
2316:
2317: .TP
2318: .BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]"
2319: Set 32 bit epoch value for event IDs manually if software collector database is
2320: not available.
2321:
2322: .TP
2323: .BR libimcv.plugins.imc-swima.subscriptions " [no]"
2324: Accept SW Inventory or SW Events subscriptions.
2325:
2326: .TP
2327: .BR libimcv.plugins.imc-swima.swid_database " []"
2328: URI to software collector database containing event timestamps, software
2329: creation and deletion events and collected software identifiers. If it contains
2330: a password, make sure to adjust the permissions of the config file accordingly.
2331:
2332: .TP
2333: .BR libimcv.plugins.imc-swima.swid_directory " [${prefix}/share]"
2334: Directory where SWID tags are located.
2335:
2336: .TP
2337: .BR libimcv.plugins.imc-swima.swid_full " [no]"
2338: Include file information in the XML\-encoded SWID tags.
2339:
2340: .TP
2341: .BR libimcv.plugins.imc-swima.swid_pretty " [no]"
2342: Generate XML\-encoded SWID tags with pretty indentation.
2343:
2344: .TP
2345: .BR libimcv.plugins.imc-test.additional_ids " [0]"
2346: Number of additional IMC IDs.
2347:
2348: .TP
2349: .BR libimcv.plugins.imc-test.command " [none]"
2350: Command to be sent to the Test IMV.
2351:
2352: .TP
2353: .BR libimcv.plugins.imc-test.dummy_size " [0]"
2354: Size of dummy attribute to be sent to the Test IMV (0 = disabled).
2355:
2356: .TP
2357: .BR libimcv.plugins.imc-test.retry " [no]"
2358: Do a handshake retry.
2359:
2360: .TP
2361: .BR libimcv.plugins.imc-test.retry_command " []"
2362: Command to be sent to the Test IMV in the handshake retry.
2363:
2364: .TP
2365: .BR libimcv.plugins.imv-attestation.cadir " []"
2366: Path to directory with AIK cacerts.
2367:
2368: .TP
2369: .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
2370: Preferred Diffie\-Hellman group.
2371:
2372: .TP
2373: .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
2374: Preferred measurement hash algorithm.
2375:
2376: .TP
2377: .BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
2378: Enforce mandatory Diffie\-Hellman groups.
2379:
2380: .TP
2381: .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
2382: DH minimum nonce length.
2383:
2384: .TP
2385: .BR libimcv.plugins.imv-os.remediation_uri " []"
2386: URI pointing to operating system remediation instructions.
2387:
2388: .TP
2389: .BR libimcv.plugins.imv-scanner.remediation_uri " []"
2390: URI pointing to scanner remediation instructions.
2391:
2392: .TP
2393: .BR libimcv.plugins.imv-swima.rest_api.timeout " [120]"
2394: Timeout of SWID REST API HTTP POST transaction.
2395:
2396: .TP
2397: .BR libimcv.plugins.imv-swima.rest_api.uri " []"
2398: HTTP URI of the SWID REST API.
2399:
2400: .TP
2401: .BR libimcv.plugins.imv-test.rounds " [0]"
2402: Number of IMC\-IMV retry rounds.
2403:
2404: .TP
2405: .BR libimcv.stderr_quiet " [no]"
2406: Disable output to stderr with a stand\-alone
2407: .RI "" "libimcv" ""
2408: library.
2409:
2410: .TP
2411: .BR libimcv.swid_gen.command " [/usr/local/bin/swid_generator]"
2412: SWID generator command to be executed.
2413:
2414: .TP
2415: .BR libimcv.swid_gen.tag_creator.name " [strongSwan Project]"
2416: Name of the tagCreator entity.
2417:
2418: .TP
2419: .BR libimcv.swid_gen.tag_creator.regid " [strongswan.org]"
2420: regid of the tagCreator entity.
2421:
2422: .TP
2423: .BR manager.database " []"
2424: Credential database URI for manager. If it contains a password, make sure to
2425: adjust the permissions of the config file accordingly.
2426:
2427: .TP
2428: .BR manager.debug " [no]"
2429: Enable debugging in manager.
2430:
2431: .TP
2432: .BR manager.load " []"
2433: Plugins to load in manager.
2434:
2435: .TP
2436: .BR manager.socket " []"
2437: FastCGI socket of manager, to run it statically.
2438:
2439: .TP
2440: .BR manager.threads " [10]"
2441: Threads to use for request handling.
2442:
2443: .TP
2444: .BR manager.timeout " [15m]"
2445: Session timeout for manager.
2446:
2447: .TP
2448: .BR medsrv.database " []"
2449: Mediation server database URI. If it contains a password, make sure to adjust
2450: the permissions of the config file accordingly.
2451:
2452: .TP
2453: .BR medsrv.debug " [no]"
2454: Debugging in mediation server web application.
2455:
2456: .TP
2457: .BR medsrv.dpd " [5m]"
2458: DPD timeout to use in mediation server plugin.
2459:
2460: .TP
2461: .BR medsrv.load " []"
2462: Plugins to load in mediation server plugin.
2463:
2464: .TP
2465: .BR medsrv.password_length " [6]"
2466: Minimum password length required for mediation server user accounts.
2467:
2468: .TP
2469: .BR medsrv.rekey " [20m]"
2470: Rekeying time on mediation connections in mediation server plugin.
2471:
2472: .TP
2473: .BR medsrv.socket " []"
2474: Run Mediation server web application statically on socket.
2475:
2476: .TP
2477: .BR medsrv.threads " [5]"
2478: Number of threads for mediation service web application.
2479:
2480: .TP
2481: .BR medsrv.timeout " [15m]"
2482: Session timeout for mediation service.
2483:
2484: .TP
2485: .BR pki.load " []"
2486: Plugins to load in ipsec pki tool.
2487:
2488: .TP
2489: .BR pool.database " []"
2490: Database URI for the database that stores IP pools and configuration attributes.
2491: If it contains a password, make sure to adjust the permissions of the
2492: config file accordingly.
2493:
2494: .TP
2495: .BR pool.load " []"
2496: Plugins to load in ipsec pool tool.
2497:
2498: .TP
2499: .BR scepclient.load " []"
2500: Plugins to load in ipsec scepclient tool.
2501:
2502: .TP
2503: .B sec-updater
2504: .br
2505: Options for the sec\-updater tool.
2506:
2507: .TP
2508: .BR sec-updater.database " []"
2509: Global IMV policy database URI. If it contains a password, make sure to adjust
2510: the permissions of the config file accordingly.
2511:
2512: .TP
2513: .BR sec-updater.load " []"
2514: Plugins to load in sec\-updater tool.
2515:
2516: .TP
2517: .BR sec-updater.swid_gen.command " [/usr/local/bin/swid_generator]"
2518: SWID generator command to be executed.
2519:
2520: .TP
2521: .BR sec-updater.swid_gen.tag_creator.name " [strongSwan Project]"
2522: Name of the tagCreator entity.
2523:
2524: .TP
2525: .BR sec-updater.swid_gen.tag_creator.regid " [strongswan.org]"
2526: regid of the tagCreator entity.
2527:
2528: .TP
2529: .BR sec-updater.tmp.deb_file " [/tmp/sec-updater.deb]"
2530: Temporary storage for downloaded deb package file.
2531:
2532: .TP
2533: .BR sec-updater.tmp.tag_file " [/tmp/sec-updater.tag]"
2534: Temporary storage for generated SWID tags.
2535:
2536: .TP
2537: .BR sec-updater.tnc_manage_command " [/var/www/tnc/manage.py]"
2538: strongTNC manage.py command used to import SWID tags.
2539:
2540: .TP
2541: .BR starter.config_file " [${sysconfdir}/ipsec.conf]"
2542: Location of the ipsec.conf file.
2543:
2544: .TP
2545: .BR starter.load_warning " [yes]"
2546: Disable charon plugin load option warning.
2547:
2548: .TP
2549: .B sw-collector
2550: .br
2551: Options for the sw\-collector tool.
2552:
2553: .TP
2554: .BR sw-collector.database " []"
2555: URI to software collector database containing event timestamps, software
2556: creation and deletion events and collected software identifiers. If it contains
2557: a password, make sure to adjust the permissions of the config file accordingly.
2558:
2559: .TP
2560: .BR sw-collector.first_file " [/var/log/bootstrap.log]"
2561: Path pointing to file created when the Linux OS was installed.
2562:
2563: .TP
2564: .BR sw-collector.first_time " [0000-00-00T00:00:00Z]"
2565: Time in UTC when the Linux OS was installed.
2566:
2567: .TP
2568: .BR sw-collector.history " []"
2569: Path pointing to apt history.log file.
2570:
2571: .TP
2572: .BR sw-collector.load " []"
2573: Plugins to load in sw\-collector tool.
2574:
2575: .TP
2576: .BR sw-collector.rest_api.timeout " [120]"
2577: Timeout of REST API HTTP POST transaction.
2578:
2579: .TP
2580: .BR sw-collector.rest_api.uri " []"
2581: HTTP URI of the central collector's REST API.
2582:
2583: .TP
2584: .BR swanctl.load " []"
2585: Plugins to load in swanctl.
2586:
2587: .TP
2588: .BR swanctl.socket " [unix://${piddir}/charon.vici]"
2589: VICI socket to connect to by default.
2590: