diff options
| author | Yves-Alexis Perez <corsac@corsac.net> | 2017-05-30 20:59:31 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-05-30 21:03:44 +0200 |
| commit | 335b7e322c795d86705aab67d2ecf72f1c9c5614 (patch) | |
| tree | c3a2256cd4d3c9242c47da2a47077b12b3b7a1a6 /conf/options | |
| parent | 7f6fc258427831ed2e80f7540c4368cf6ceba385 (diff) | |
| download | vyos-strongswan-335b7e322c795d86705aab67d2ecf72f1c9c5614.tar.gz vyos-strongswan-335b7e322c795d86705aab67d2ecf72f1c9c5614.zip | |
New upstream version 5.5.3
Diffstat (limited to 'conf/options')
| -rw-r--r-- | conf/options/charon.conf | 12 | ||||
| -rw-r--r-- | conf/options/charon.opt | 17 |
2 files changed, 29 insertions, 0 deletions
diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 1b5d52d02..7ccb74939 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -29,6 +29,10 @@ charon { # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). # delete_rekeyed = no + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes @@ -199,6 +203,14 @@ charon { # in strongswan.conf(5). # retransmit_base = 1.8 + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + # Timeout in seconds before sending first retransmit. # retransmit_timeout = 4.0 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 4c4311e81..3593c6a5f 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -75,6 +75,16 @@ charon.delete_rekeyed = no However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +charon.delete_rekeyed_delay = 5 + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). + + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). To process delayed packets the inbound part of a CHILD_SA is kept + installed up to the configured number of seconds after it got replaced + during a rekeying. If set to 0 the CHILD_SA will be kept installed until it + expires (if no lifetime is set it will be destroyed immediately). + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -311,6 +321,13 @@ charon.retransmit_timeout = 4.0 charon.retransmit_tries = 5 Number of times to retransmit a packet before giving up. +charon.retransmit_jitter = 0 + Maximum jitter in percent to apply randomly to calculated retransmission + timeout (0 to disable). + +charon.retransmit_limit = 0 + Upper limit in seconds for calculated retransmission timeout (0 to disable). + charon.retry_initiate_interval = 0 Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries. |