authorYves-Alexis Perez <corsac@debian.org>2014-03-11 20:48:48 +0100
committerYves-Alexis Perez <corsac@debian.org>2014-03-11 20:48:48 +0100
commit15fb7904f4431a6e7c305fd08732458f7f885e7e (patch)
treec93b60ee813af70509f00f34e29ebec311762427 /conf/options
parent5313d2d78ca150515f7f5eb39801c100690b6b29 (diff)
Imported Upstream version 5.1.2
Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/attest.conf11
-rw-r--r--conf/options/attest.opt6
-rw-r--r--conf/options/charon-logging.conf62
-rw-r--r--conf/options/charon-logging.opt57
-rw-r--r--conf/options/charon.conf281
-rw-r--r--conf/options/charon.opt284
-rw-r--r--conf/options/imcv.conf43
-rw-r--r--conf/options/imcv.opt28
-rw-r--r--conf/options/manager.conf23
-rw-r--r--conf/options/manager.opt18
-rw-r--r--conf/options/medsrv.conf32
-rw-r--r--conf/options/medsrv.opt27
-rw-r--r--conf/options/pacman.conf12
-rw-r--r--conf/options/pacman.opt7
-rw-r--r--conf/options/pool.conf12
-rw-r--r--conf/options/pool.opt7
-rw-r--r--conf/options/starter.conf10
-rw-r--r--conf/options/starter.opt5
-rw-r--r--conf/options/tnc.conf11
-rw-r--r--conf/options/tnc.opt2
-rw-r--r--conf/options/tools.conf21
-rw-r--r--conf/options/tools.opt8
22 files changed, 967 insertions, 0 deletions
diff --git a/conf/options/attest.conf b/conf/options/attest.conf
new file mode 100644
index 000000000..1f7f57cb4
--- /dev/null
+++ b/conf/options/attest.conf
@@ -0,0 +1,11 @@
+attest {
+
+ # File measurement information database URI. If it contains a password, make
+ # sure to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec attest tool.
+ # load =
+
+}
+
diff --git a/conf/options/attest.opt b/conf/options/attest.opt
new file mode 100644
index 000000000..20b14f42d
--- /dev/null
+++ b/conf/options/attest.opt
@@ -0,0 +1,6 @@
+attest.database =
+ File measurement information database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+attest.load =
+ Plugins to load in ipsec attest tool.
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
new file mode 100644
index 000000000..c91421dea
--- /dev/null
+++ b/conf/options/charon-logging.conf
@@ -0,0 +1,62 @@
+charon {
+
+ # Section to define file loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ filelog {
+
+ # <filename> is the full path to the log file.
+ # <filename> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # If this option is enabled log entries are appended to the existing
+ # file.
+ # append = yes
+
+ # Default loglevel.
+ # default = 1
+
+ # Enabling this option disables block buffering and enables line
+ # buffering.
+ # flush_line = no
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # Prefix each log entry with a timestamp. The option accepts a
+ # format string as passed to strftime(3).
+ # time_format =
+
+ # }
+
+ }
+
+ # Section to define syslog loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ syslog {
+
+ # Identifier for use with openlog(3).
+ # identifier =
+
+ # <facility> is one of the supported syslog facilities, see LOGGER
+ # CONFIGURATION in strongswan.conf(5).
+ # <facility> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # Default loglevel.
+ # default = 1
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # }
+
+ }
+
+}
+
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
new file mode 100644
index 000000000..b437a9cc3
--- /dev/null
+++ b/conf/options/charon-logging.opt
@@ -0,0 +1,57 @@
+charon.filelog {}
+ Section to define file loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.filelog.<filename> { # }
+ <filename> is the full path to the log file.
+
+charon.filelog.<filename>.default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.filelog.<filename>.<subsystem> = <default>
+ Loglevel for a specific subsystem.
+
+charon.filelog.<filename>.append = yes
+ If this option is enabled log entries are appended to the existing file.
+
+charon.filelog.<filename>.flush_line = no
+ Enabling this option disables block buffering and enables line buffering.
+
+charon.filelog.<filename>.ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
+
+charon.filelog.<filename>.time_format
+ Prefix each log entry with a timestamp. The option accepts a format string
+ as passed to **strftime**(3).
+
+charon.syslog {}
+ Section to define syslog loggers, see LOGGER CONFIGURATION in
+ **strongswan.conf**(5).
+
+charon.syslog.identifier
+ Identifier for use with openlog(3).
+
+ Global identifier used for an **openlog**(3) call, prepended to each log
+ message by syslog. If not configured, **openlog**(3) is not called, so the
+ value will depend on system defaults (often the program name).
+
+charon.syslog.<facility> { # }
+ <facility> is one of the supported syslog facilities, see LOGGER
+ CONFIGURATION in **strongswan.conf**(5).
+
+charon.syslog.<facility>.default = 1
+ Default loglevel.
+
+ Specifies the default loglevel to be used for subsystems for which no
+ specific loglevel is defined.
+
+charon.syslog.<facility>.<subsystem> = <default>
+ Loglevel for a specific subsystem.
+
+charon.syslog.<facility>.ike_name = no
+ Prefix each log entry with the connection name and a unique numerical
+ identifier for each IKE_SA.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
new file mode 100644
index 000000000..5cab2b1c4
--- /dev/null
+++ b/conf/options/charon.conf
@@ -0,0 +1,281 @@
+# Options for the charon IKE daemon.
+charon {
+
+ # Maximum number of half-open IKE_SAs for a single peer IP.
+ # block_threshold = 5
+
+ # Whether relations in validated certificate chains should be cached in
+ # memory.
+ # cert_cache = yes
+
+ # Send Cisco Unity vendor ID payload (IKEv1 only).
+ # cisco_unity = no
+
+ # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+ # close_ike_on_child_failure = no
+
+ # Number of half-open IKE_SAs that activate the cookie mechanism.
+ # cookie_threshold = 10
+
+ # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ # strength.
+ # dh_exponent_ansi_x9_42 = yes
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns1 =
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns2 =
+
+ # Enable Denial of Service protection using cookies and aggressiveness
+ # checks.
+ # dos_protection = yes
+
+ # Compliance with the errata for RFC 4753.
+ # ecp_x_coordinate_only = yes
+
+ # Free objects during authentication (might conflict with plugins).
+ # flush_auth_cfg = no
+
+ # Maximum size (in bytes) of a sent fragment when using the proprietary
+ # IKEv1 fragmentation extension.
+ # fragment_size = 512
+
+ # Name of the group the daemon changes to after startup.
+ # group =
+
+ # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+ # half_open_timeout = 30
+
+ # Enable hash and URL support.
+ # hash_and_url = no
+
+ # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+ # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+ # A space-separated list of routing tables to be excluded from route
+ # lookups.
+ # ignore_routing_tables =
+
+ # Maximum number of IKE_SAs that can be established at the same time before
+ # new connection attempts are blocked.
+ # ikesa_limit = 0
+
+ # Number of exclusively locked segments in the hash table.
+ # ikesa_table_segments = 1
+
+ # Size of the IKE_SA hash table.
+ # ikesa_table_size = 1
+
+ # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+ # inactivity_close_ike = no
+
+ # Limit new connections based on the current number of half open IKE_SAs,
+ # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+ # init_limit_half_open = 0
+
+ # Limit new connections based on the number of queued jobs.
+ # init_limit_job_load = 0
+
+ # Causes charon daemon to ignore IKE initiation requests.
+ # initiator_only = no
+
+ # Install routes into a separate routing table for established IPsec
+ # tunnels.
+ # install_routes = yes
+
+ # Install virtual IP addresses.
+ # install_virtual_ip = yes
+
+ # The name of the interface on which virtual IP addresses should be
+ # installed.
+ # install_virtual_ip_on =
+
+ # Check daemon, libstrongswan and plugin integrity at startup.
+ # integrity_test = no
+
+ # A comma-separated list of network interfaces that should be ignored, if
+ # interfaces_use is specified this option has no effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces that should be used by
+ # charon. All other interfaces are ignored.
+ # interfaces_use =
+
+ # NAT keep alive interval.
+ # keep_alive = 20s
+
+ # Plugins to load in the IKE daemon charon.
+ # load =
+
+ # Determine plugins to load via each plugin's load option.
+ # load_modular = no
+
+ # Maximum packet size accepted by charon.
+ # max_packet = 10000
+
+ # Enable multiple authentication exchanges (RFC 4739).
+ # multiple_authentication = yes
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns1 =
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns2 =
+
+ # UDP port used locally. If set to 0 a random port will be allocated.
+ # port = 500
+
+ # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ # allocated. Has to be different from charon.port, otherwise a random port
+ # will be allocated.
+ # port_nat_t = 4500
+
+ # Process RTM_NEWROUTE and RTM_DELROUTE events.
+ # process_route = yes
+
+ # Delay in ms for receiving packets, to simulate larger RTT.
+ # receive_delay = 0
+
+ # Delay request messages.
+ # receive_delay_request = yes
+
+ # Delay response messages.
+ # receive_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # receive_delay_type = 0
+
+ # Size of the AH/ESP replay window, in packets.
+ # replay_window = 32
+
+ # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ # in strongswan.conf(5).
+ # retransmit_base = 1.8
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 4.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 5
+
+ # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
+ # resolution failed), 0 to disable retries.
+ # retry_initiate_interval = 0
+
+ # Initiate CHILD_SA within existing IKE_SAs.
+ # reuse_ikesa = yes
+
+ # Numerical routing table to install routes to.
+ # routing_table =
+
+ # Priority of the routing table.
+ # routing_table_prio =
+
+ # Delay in ms for sending packets, to simulate larger RTT.
+ # send_delay = 0
+
+ # Delay request messages.
+ # send_delay_request = yes
+
+ # Delay response messages.
+ # send_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # send_delay_type = 0
+
+ # Send strongSwan vendor ID payload
+ # send_vendor_id = no
+
+ # Number of worker threads in charon.
+ # threads = 16
+
+ # Name of the user the daemon changes to after startup.
+ # user =
+
+ crypto_test {
+
+ # Benchmark crypto algorithms and order them by efficiency.
+ # bench = no
+
+ # Buffer size used for crypto benchmark.
+ # bench_size = 1024
+
+ # Number of iterations to test each algorithm.
+ # bench_time = 50
+
+ # Test crypto algorithms during registration (requires test vectors
+ # provided by the test-vectors plugin).
+ # on_add = no
+
+ # Test crypto algorithms on each crypto primitive instantiation.
+ # on_create = no
+
+ # Strictly require at least one test vector to enable an algorithm.
+ # required = no
+
+ # Whether to test RNG with TRUE quality; requires a lot of entropy.
+ # rng_true = no
+
+ }
+
+ host_resolver {
+
+ # Maximum number of concurrent resolver threads (they are terminated if
+ # unused).
+ # max_threads = 3
+
+ # Minimum number of resolver threads to keep around.
+ # min_threads = 0
+
+ }
+
+ leak_detective {
+
+ # Includes source file names and line numbers in leak detective output.
+ # detailed = yes
+
+ # Threshold in bytes for leaks to be reported (0 to report all).
+ # usage_threshold = 10240
+
+ # Threshold in number of allocations for leaks to be reported (0 to
+ # report all).
+ # usage_threshold_count = 0
+
+ }
+
+ processor {
+
+ # Section to configure the number of reserved threads per priority class
+ # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+ priority_threads {
+
+ }
+
+ }
+
+ tls {
+
+ # List of TLS encryption ciphers.
+ # cipher =
+
+ # List of TLS key exchange methods.
+ # key_exchange =
+
+ # List of TLS MAC algorithms.
+ # mac =
+
+ # List of TLS cipher suites.
+ # suites =
+
+ }
+
+ x509 {
+
+ # Discard certificates with unsupported or unknown critical extensions.
+ # enforce_critical = yes
+
+ }
+
+}
+
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
new file mode 100644
index 000000000..c6f4f1e9e
--- /dev/null
+++ b/conf/options/charon.opt
@@ -0,0 +1,284 @@
+charon {}
+ Options for the charon IKE daemon.
+
+ Options for the charon IKE daemon.
+
+ **Note**: Many of the options in this section also apply to **charon-cmd**
+ and other **charon** derivatives. Just use their respective name (e.g.
+ **charon-cmd** instead of **charon**). For many options defaults can be
+ defined in the **libstrongswan** section.
+
+charon.block_threshold = 5
+ Maximum number of half-open IKE_SAs for a single peer IP.
+
+charon.cert_cache = yes
+ Whether relations in validated certificate chains should be cached in
+ memory.
+
+charon.cisco_unity = no
+ Send Cisco Unity vendor ID payload (IKEv1 only).
+
+charon.close_ike_on_child_failure = no
+ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+charon.cookie_threshold = 10
+ Number of half-open IKE_SAs that activate the cookie mechanism.
+
+charon.crypto_test.bench = no
+ Benchmark crypto algorithms and order them by efficiency.
+
+charon.crypto_test.bench_size = 1024
+ Buffer size used for crypto benchmark.
+
+charon.crypto_test.bench_time = 50
+ Number of iterations to test each algorithm.
+
+charon.crypto_test.on_add = no
+ Test crypto algorithms during registration (requires test vectors provided
+ by the _test-vectors_ plugin).
+
+charon.crypto_test.on_create = no
+ Test crypto algorithms on each crypto primitive instantiation.
+
+charon.crypto_test.required = no
+ Strictly require at least one test vector to enable an algorithm.
+
+charon.crypto_test.rng_true = no
+ Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+charon.dh_exponent_ansi_x9_42 = yes
+ Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ strength.
+
+charon.dns1
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dns2
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dos_protection = yes
+ Enable Denial of Service protection using cookies and aggressiveness checks.
+
+charon.ecp_x_coordinate_only = yes
+ Compliance with the errata for RFC 4753.
+
+charon.flush_auth_cfg = no
+ Free objects during authentication (might conflict with plugins).
+
+ If enabled objects used during authentication (certificates, identities
+ etc.) are released to free memory once an IKE_SA is established. Enabling
+ this might conflict with plugins that later need access to e.g. the used
+ certificates.
+
+charon.fragment_size = 512
+ Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+ fragmentation extension.
+
+charon.group
+ Name of the group the daemon changes to after startup.
+
+charon.half_open_timeout = 30
+ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+charon.hash_and_url = no
+ Enable hash and URL support.
+
+charon.host_resolver.max_threads = 3
+ Maximum number of concurrent resolver threads (they are terminated if
+ unused).
+
+charon.host_resolver.min_threads = 0
+ Minimum number of resolver threads to keep around.
+
+charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+
+ If enabled responders are allowed to use IKEv1 Aggressive Mode with
+ pre-shared keys, which is discouraged due to security concerns (offline
+ attacks on the openly transmitted hash of the PSK).
+
+charon.ignore_routing_tables
+ A space-separated list of routing tables to be excluded from route lookups.
+
+charon.ikesa_limit = 0
+ Maximum number of IKE_SAs that can be established at the same time before
+ new connection attempts are blocked.
+
+charon.ikesa_table_segments = 1
+ Number of exclusively locked segments in the hash table.
+
+charon.ikesa_table_size = 1
+ Size of the IKE_SA hash table.
+
+charon.inactivity_close_ike = no
+ Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+charon.init_limit_half_open = 0
+ Limit new connections based on the current number of half open IKE_SAs, see
+ IKE_SA_INIT DROPPING in **strongswan.conf**(5).
+
+charon.init_limit_job_load = 0
+ Limit new connections based on the number of queued jobs.
+
+ Limit new connections based on the number of jobs currently queued for
+ processing (see IKE_SA_INIT DROPPING).
+
+charon.initiator_only = no
+ Causes charon daemon to ignore IKE initiation requests.
+
+charon.install_routes = yes
+ Install routes into a separate routing table for established IPsec tunnels.
+
+charon.install_virtual_ip = yes
+ Install virtual IP addresses.
+
+charon.install_virtual_ip_on
+ The name of the interface on which virtual IP addresses should be installed.
+
+ The name of the interface on which virtual IP addresses should be installed.
+ If not specified the addresses will be installed on the outbound interface.
+
+charon.integrity_test = no
+ Check daemon, libstrongswan and plugin integrity at startup.
+
+charon.interfaces_ignore
+ A comma-separated list of network interfaces that should be ignored, if
+ **interfaces_use** is specified this option has no effect.
+
+charon.interfaces_use
+ A comma-separated list of network interfaces that should be used by charon.
+ All other interfaces are ignored.
+
+charon.keep_alive = 20s
+ NAT keep alive interval.
+
+charon.leak_detective.detailed = yes
+ Includes source file names and line numbers in leak detective output.
+
+charon.leak_detective.usage_threshold = 10240
+ Threshold in bytes for leaks to be reported (0 to report all).
+
+charon.leak_detective.usage_threshold_count = 0
+ Threshold in number of allocations for leaks to be reported (0 to report
+ all).
+
+charon.load
+ Plugins to load in the IKE daemon charon.
+
+charon.load_modular = no
+ Determine plugins to load via each plugin's load option.
+
+ If enabled, the list of plugins to load is determined via the value of the
+ _charon.plugins.<name>.load_ options. In addition to a simple boolean flag
+ that option may take an integer value indicating the priority of a plugin,
+ which would influence the order of a plugin in the plugin list (the default
+ is 1). If two plugins have the same priority their order in the default
+ plugin list is preserved. Enabled plugins not found in that list are ordered
+ alphabetically before other plugins with the same priority.
+
+charon.max_packet = 10000
+ Maximum packet size accepted by charon.
+
+charon.multiple_authentication = yes
+ Enable multiple authentication exchanges (RFC 4739).
+
+charon.nbns1
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.nbns2
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.port = 500
+ UDP port used locally. If set to 0 a random port will be allocated.
+
+charon.port_nat_t = 4500
+ UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ allocated. Has to be different from **charon.port**, otherwise a random
+ port will be allocated.
+
+charon.process_route = yes
+ Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+charon.processor.priority_threads {}
+ Section to configure the number of reserved threads per priority class
+ see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
+
+charon.receive_delay = 0
+ Delay in ms for receiving packets, to simulate larger RTT.
+
+charon.receive_delay_response = yes
+ Delay response messages.
+
+charon.receive_delay_request = yes
+ Delay request messages.
+
+charon.receive_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.replay_window = 32
+ Size of the AH/ESP replay window, in packets.
+
+charon.retransmit_base = 1.8
+ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
+
+charon.retransmit_timeout = 4.0
+ Timeout in seconds before sending first retransmit.
+
+charon.retransmit_tries = 5
+ Number of times to retransmit a packet before giving up.
+
+charon.retry_initiate_interval = 0
+ Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+ failed), 0 to disable retries.
+
+charon.reuse_ikesa = yes
+ Initiate CHILD_SA within existing IKE_SAs.
+
+charon.routing_table
+ Numerical routing table to install routes to.
+
+charon.routing_table_prio
+ Priority of the routing table.
+
+charon.send_delay = 0
+ Delay in ms for sending packets, to simulate larger RTT.
+
+charon.send_delay_response = yes
+ Delay response messages.
+
+charon.send_delay_request = yes
+ Delay request messages.
+
+charon.send_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.send_vendor_id = no
+ Send strongSwan vendor ID payload
+
+charon.threads = 16
+ Number of worker threads in charon.
+
+ Number of worker threads in charon. Several of these are reserved for long
+ running tasks in internal modules and plugins. Therefore, make sure you
+ don't set this value too low. The number of idle worker threads listed in
+ _ipsec statusall_ might be used as indicator on the number of reserved
+ threads.
+
+charon.tls.cipher
+ List of TLS encryption ciphers.
+
+charon.tls.key_exchange
+ List of TLS key exchange methods.
+
+charon.tls.mac
+ List of TLS MAC algorithms.
+
+charon.tls.suites
+ List of TLS cipher suites.
+
+charon.user
+ Name of the user the daemon changes to after startup.
+
+charon.x509.enforce_critical = yes
+ Discard certificates with unsupported or unknown critical extensions.
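Review bot: The description of `charon.processor.priority_threads {}` reads "Section to configure the number of reserved threads per priority class see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5)." and is missing a comma before "see"; `Section to configure the number of reserved threads per priority class, see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).` reads correctly. The same sentence appears verbatim in charon.conf in this commit, so presumably the .conf text is derived from this file and fixing it here fixes both. Separately, `charon.send_vendor_id = no` is the only entry whose one-line description ("Send strongSwan vendor ID payload") lacks a terminal period. Both are wording only; option names and defaults are unaffected.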
diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf
new file mode 100644
index 000000000..92016ef52
--- /dev/null
+++ b/conf/options/imcv.conf
@@ -0,0 +1,43 @@
+charon {
+
+ # Defaults for options in this section can be configured in the libimcv
+ # section.
+ imcv {
+
+ # Whether IMVs send a standard IETF Assessment Result attribute.
+ # assessment_result = yes
+
+ # Global IMV policy database URI. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Script called for each TNC connection to generate IMV policies.
+ # policy_script = ipsec _imv_policy
+
+ os_info {
+
+ # Manually set the name of the client OS (e.g. Ubuntu).
+ # name =
+
+ # Manually set the version of the client OS (e.g. 12.04 i686).
+ # version =
+
+ }
+
+ }
+
+}
+
+libimcv {
+
+ # Debug level for a stand-alone libimcv library.
+ # debug_level = 1
+
+ # Plugins to load in IMC/IMVs with stand-alone libimcv library.
+ # load = random nonce gmp pubkey x509
+
+ # Disable output to stderr with a stand-alone libimcv library.
+ # stderr_quiet = no
+
+}
+
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
new file mode 100644
index 000000000..a249a7b14
--- /dev/null
+++ b/conf/options/imcv.opt
@@ -0,0 +1,28 @@
+charon.imcv {}
+ Defaults for options in this section can be configured in the _libimcv_
+ section.
+
+charon.imcv.assessment_result = yes
+ Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+ Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+ Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+ Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+ Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+ Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+ Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+ # Credential database URI for manager. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Enable debugging in manager.
+ # debug = no
+
+ # Plugins to load in manager.
+ # load =
+
+ # FastCGI socket of manager, to run it statically.
+ # socket =
+
+ # Threads to use for request handling.
+ # threads = 10
+
+ # Session timeout for manager.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@
+manager.database =
+ Credential database URI for manager. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+manager.debug = no
+ Enable debugging in manager.
+
+manager.load =
+ Plugins to load in manager.
+
+manager.socket =
+ FastCGI socket of manager, to run it statically.
+
+manager.threads = 10
+ Threads to use for request handling.
+
+manager.timeout = 15m
+ Session timeout for manager.
diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf
new file mode 100644
index 000000000..b3026ea3f
--- /dev/null
+++ b/conf/options/medsrv.conf
@@ -0,0 +1,32 @@
+medsrv {
+
+ # Mediation server database URI. If it contains a password, make sure to
+ # adjust the permissions of the config file accordingly.
+ # database =
+
+ # Debugging in mediation server web application.
+ # debug = no
+
+ # DPD timeout to use in mediation server plugin.
+ # dpd = 5m
+
+ # Plugins to load in mediation server plugin.
+ # load =
+
+ # Minimum password length required for mediation server user accounts.
+ # password_length = 6
+
+ # Rekeying time on mediation connections in mediation server plugin.
+ # rekey = 20m
+
+ # Run Mediation server web application statically on socket.
+ # socket =
+
+ # Number of thread for mediation service web application.
+ # threads = 5
+
+ # Session timeout for mediation service.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
new file mode 100644
index 000000000..f673b7e03
--- /dev/null
+++ b/conf/options/medsrv.opt
@@ -0,0 +1,27 @@
+medsrv.database =
+ Mediation server database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+medsrv.debug = no
+ Debugging in mediation server web application.
+
+medsrv.dpd = 5m
+ DPD timeout to use in mediation server plugin.
+
+medsrv.load =
+ Plugins to load in mediation server plugin.
+
+medsrv.password_length = 6
+ Minimum password length required for mediation server user accounts.
+
+medsrv.rekey = 20m
+ Rekeying time on mediation connections in mediation server plugin.
+
+medsrv.socket =
+ Run Mediation server web application statically on socket.
+
+medsrv.threads = 5
+ Number of thread for mediation service web application.
+
+medsrv.timeout = 15m
+ Session timeout for mediation service.
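Review bot: `medsrv.threads = 5` is described as "Number of thread for mediation service web application." and should read `Number of threads for mediation service web application.`, consistent with `manager.threads` ("Threads to use for request handling."). The identical sentence is carried into medsrv.conf in this commit, so the fix belongs in this file if the .conf is derived from it.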
diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf
new file mode 100644
index 000000000..730e5435c
--- /dev/null
+++ b/conf/options/pacman.conf
@@ -0,0 +1,12 @@
+pacman {
+
+ # Database URI for the database that stores the package information. If it
+ # contains a password, make sure to adjust the permissions of the config
+ # file accordingly.
+ # database =
+
+ # Plugins to load in package manager.
+ # load =
+
+}
+
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
new file mode 100644
index 000000000..dfb4ba2b1
--- /dev/null
+++ b/conf/options/pacman.opt
@@ -0,0 +1,7 @@
+pacman.database =
+ Database URI for the database that stores the package information. If it
+ contains a password, make sure to adjust the permissions of the config file
+ accordingly.
+
+pacman.load =
+ Plugins to load in package manager.
diff --git a/conf/options/pool.conf b/conf/options/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/conf/options/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+ Database URI for the database that stores IP pools and configuration
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
+
+pool.load =
+ Plugins to load in ipsec pool tool.
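Review bot: `pool.database` is written without the trailing ` =` that its sibling `pool.load =` and every other `*.database =` key in this commit (attest, imcv, manager, medsrv, pacman) carry. charon.opt uses bare keys throughout, so the parser presumably accepts both forms and this is a consistency nit only; `pool.database =` keeps the two entries in this file, and the database keys across the tool configs, uniform.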
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Plugins to load in starter.
+ # load =
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
new file mode 100644
index 000000000..4e6574d58
--- /dev/null
+++ b/conf/options/starter.opt
@@ -0,0 +1,5 @@
+starter.load =
+ Plugins to load in starter.
+
+starter.load_warning = yes
+ Disable charon plugin load option warning.
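Review bot: The description of `starter.load_warning = yes` is ambiguous about polarity: it says "Disable charon plugin load option warning." while the default is `yes`, so a reader cannot tell whether `yes` disables the warning or enables it. Going by the option name, `yes` presumably means the warning is emitted; a wording such as `Whether starter warns about a charon plugin load option (set to no to suppress the warning).` would make that explicit. The same sentence appears in starter.conf in this commit.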
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+ tnc {
+
+ # TNC IMC/IMV configuration file.
+ # tnc_config = /etc/tnc_config
+
+ }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+ TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
@@ -0,0 +1,21 @@
+openac {
+
+ # Plugins to load in ipsec openac tool.
+ # load =
+
+}
+
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
+scepclient {
+
+ # Plugins to load in ipsec scepclient tool.
+ # load =
+
+}
+
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
new file mode 100644
index 000000000..23e6a1c9f
--- /dev/null
+++ b/conf/options/tools.opt
@@ -0,0 +1,8 @@
+openac.load =
+ Plugins to load in ipsec openac tool.
+
+pki.load =
+ Plugins to load in ipsec pki tool.
+
+scepclient.load =
+ Plugins to load in ipsec scepclient tool.