author | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:30:17 +0200 |
commit | 8404fb0212f9fb77bc53b23004b829b488430700 (patch) | |
tree | 23876c7540d138f58a6a7d90793ccf9004f6afd2 /conf/options/charon.opt | |
parent | 1b7c683a32c62b6e08ad7bf5af39b9f4edd634f3 (diff) | |
Imported Upstream version 5.3.0
Diffstat (limited to 'conf/options/charon.opt')
-rw-r--r-- | conf/options/charon.opt | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
 charon.ignore_routing_tables
  A space-separated list of routing tables to be excluded from route lookups.
 
+charon.ignore_acquire_ts = no
+ Whether to ignore the traffic selectors from the kernel's acquire events for
+ IKEv2 connections (they are not used for IKEv1).
+
+ If this is disabled the traffic selectors from the kernel's acquire events,
+ which are derived from the triggering packet, are prepended to the traffic
+ selectors from the configuration for IKEv2 connection. By enabling this,
+ such specific traffic selectors will be ignored and only the ones in the
+ config will be sent. This always happens for IKEv1 connections as the
+ protocol only supports one set of traffic selectors per CHILD_SA.
+
 charon.ikesa_limit = 0
  Maximum number of IKE_SAs that can be established at the same time before
  new connection attempts are blocked.
@@ -196,6 +207,16 @@ charon.load_modular = no
 charon.max_packet = 10000
  Maximum packet size accepted by charon.
 
+charon.make_before_break = no
+ Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+ Initiate IKEv2 reauthentication with a make-before-break instead of a
+ break-before-make scheme. Make-before-break uses overlapping IKE and
+ CHILD_SA during reauthentication by first recreating all new SAs before
+ deleting the old ones. This behavior can be beneficial to avoid connectivity
+ gaps during reauthentication, but requires support for overlapping SAs by
+ the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
 charon.multiple_authentication = yes
  Enable multiple authentication exchanges (RFC 4739).
 
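Review bot: The long description of `charon.ignore_acquire_ts` has a grammar slip, `for IKEv2 connection` should read `for IKEv2 connections`, and it never says why an operator would flip the default. From the text alone one infers that a responder may narrow the CHILD_SA to the packet-derived selector that is prepended first, which is presumably the reason to enable this; I would add after `config will be sent.` a sentence such as `Enable this if a peer narrows the CHILD_SA to the packet-specific selector and the full configured range is required.`, confirming the narrowing behaviour against the kernel/acquire handling code since this hunk only shows the option text.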
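Review bot: The summary line and the opening sentence of the long description for `charon.make_before_break` say the same thing twice (`Initiate IKEv2 reauthentication with a make-before-break scheme.` followed by `Initiate IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme.`); keep the one-line summary and start the long description at `Make-before-break uses overlapping IKE and CHILD_SA ...`. More useful to an administrator, the text states the scheme `requires support for overlapping SAs by the peer` but not what happens when that support is missing; a closing sentence such as `Leave this disabled unless all peers are known to handle overlapping SAs, otherwise reauthentication may fail or drop traffic.` would make the `no` default self-explanatory. The exact failure mode is inferred from the stated requirement, not shown in this hunk, so word it according to what the reauthentication code actually does.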
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
  Send strongSwan vendor ID payload
 
+charon.signature_authentication = yes
+ Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+ Whether to enable constraints against IKEv2 signature schemes.
+
+ If enabled, signature schemes configured in _rightauth_, in addition to
+ getting used as constraints against signature schemes employed in the
+ certificate chain, are also used as constraints against the signature scheme
+ used by peers during IKEv2.
+
 charon.start-scripts {}
  Section containing a list of scripts (name = path) that are executed when
  the daemon is started. |
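Review bot: `charon.signature_authentication = yes` gets a one-line description that names RFC 7427 but does not tell an administrator what disabling it costs or when that is appropriate. RFC 7427 is the mechanism that lets IKEv2 negotiate the signature hash rather than relying on the fixed RFC 7296 methods, so a follow-up sentence such as `If disabled, only the classic RFC 7296 RSA/ECDSA signature methods are used; disable this only for interoperability with peers that do not support RFC 7427.` would make the security trade-off explicit. Which hash algorithms remain available when disabled comes from the RFC and the signer implementation, not from this hunk, so state that detail only after checking the code. For `charon.signature_authentication_constraints`, it is worth adding that the constraint applies to the IKE AUTH signature itself and not only to the certificate chain, since that is the part an operator is likely to miss.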