Imported Upstream version 5.1.2

22 files changed, 967 insertions, 0 deletions

diff --git a/conf/options/attest.conf b/conf/options/attest.conf
new file mode 100644
index 000000000..1f7f57cb4
--- /dev/null
+++ b/conf/options/attest.conf
@@ -0,0 +1,11 @@
+attest {
+
+    # File measurement information database URI. If it contains a password, make
+    # sure to adjust the permissions of the config file accordingly.
+    # database =
+
+    # Plugins to load in ipsec attest tool.
+    # load =
+
+}
+
diff --git a/conf/options/attest.opt b/conf/options/attest.opt
new file mode 100644
index 000000000..20b14f42d
--- /dev/null
+++ b/conf/options/attest.opt
@@ -0,0 +1,6 @@
+attest.database =
+	File measurement information database URI. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
+
+attest.load =
+	Plugins to load in ipsec attest tool.
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
new file mode 100644
index 000000000..c91421dea
--- /dev/null
+++ b/conf/options/charon-logging.conf
@@ -0,0 +1,62 @@
+charon {
+
+    # Section to define file loggers, see LOGGER CONFIGURATION in
+    # strongswan.conf(5).
+    filelog {
+
+        # <filename> is the full path to the log file.
+        # <filename> {
+
+            # Loglevel for a specific subsystem.
+            # <subsystem> = <default>
+
+            # If this option is enabled log entries are appended to the existing
+            # file.
+            # append = yes
+
+            # Default loglevel.
+            # default = 1
+
+            # Enabling this option disables block buffering and enables line
+            # buffering.
+            # flush_line = no
+
+            # Prefix each log entry with the connection name and a unique
+            # numerical identifier for each IKE_SA.
+            # ike_name = no
+
+            # Prefix each log entry with a timestamp. The option accepts a
+            # format string as passed to strftime(3).
+            # time_format =
+
+        # }
+
+    }
+
+    # Section to define syslog loggers, see LOGGER CONFIGURATION in
+    # strongswan.conf(5).
+    syslog {
+
+        # Identifier for use with openlog(3).
+        # identifier =
+
+        # <facility> is one of the supported syslog facilities, see LOGGER
+        # CONFIGURATION in strongswan.conf(5).
+        # <facility> {
+
+            # Loglevel for a specific subsystem.
+            # <subsystem> = <default>
+
+            # Default loglevel.
+            # default = 1
+
+            # Prefix each log entry with the connection name and a unique
+            # numerical identifier for each IKE_SA.
+            # ike_name = no
+
+        # }
+
+    }
+
+}
+
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
new file mode 100644
index 000000000..b437a9cc3
--- /dev/null
+++ b/conf/options/charon-logging.opt
@@ -0,0 +1,57 @@
+charon.filelog {}
+	Section to define file loggers, see LOGGER CONFIGURATION in
+	**strongswan.conf**(5).
+
+charon.filelog.<filename> { # }
+	<filename> is the full path to the log file.
+
+charon.filelog.<filename>.default = 1
+	Default loglevel.
+
+	Specifies the default loglevel to be used for subsystems for which no
+	specific loglevel is defined.
+
+charon.filelog.<filename>.<subsystem> = <default>
+	Loglevel for a specific subsystem.
+
+charon.filelog.<filename>.append = yes
+	If this option is enabled log entries are appended to the existing file.
+
+charon.filelog.<filename>.flush_line = no
+	Enabling this option disables block buffering and enables line buffering.
+
+charon.filelog.<filename>.ike_name = no
+	Prefix each log entry with the connection name and a unique numerical
+	identifier for each IKE_SA.
+
+charon.filelog.<filename>.time_format
+	Prefix each log entry with a timestamp. The option accepts a format string
+	as passed to **strftime**(3).
+
+charon.syslog {}
+	Section to define syslog loggers, see LOGGER CONFIGURATION in
+	**strongswan.conf**(5).
+
+charon.syslog.identifier
+	Identifier for use with openlog(3).
+
+	Global identifier used for an **openlog**(3) call, prepended to each log
+	message by syslog.  If not configured, **openlog**(3) is not called, so the
+	value will depend on system defaults (often the program name).
+
+charon.syslog.<facility> { # }
+	<facility> is one of the supported syslog facilities, see LOGGER
+	CONFIGURATION in **strongswan.conf**(5).
+
+charon.syslog.<facility>.default = 1
+	Default loglevel.
+
+	Specifies the default loglevel to be used for subsystems for which no
+	specific loglevel is defined.
+
+charon.syslog.<facility>.<subsystem> = <default>
+	Loglevel for a specific subsystem.
+
+charon.syslog.<facility>.ike_name = no
+	Prefix each log entry with the connection name and a unique numerical
+	identifier for each IKE_SA.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
new file mode 100644
index 000000000..5cab2b1c4
--- /dev/null
+++ b/conf/options/charon.conf
@@ -0,0 +1,281 @@
+# Options for the charon IKE daemon.
+charon {
+
+    # Maximum number of half-open IKE_SAs for a single peer IP.
+    # block_threshold = 5
+
+    # Whether relations in validated certificate chains should be cached in
+    # memory.
+    # cert_cache = yes
+
+    # Send Cisco Unity vendor ID payload (IKEv1 only).
+    # cisco_unity = no
+
+    # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+    # close_ike_on_child_failure = no
+
+    # Number of half-open IKE_SAs that activate the cookie mechanism.
+    # cookie_threshold = 10
+
+    # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+    # strength.
+    # dh_exponent_ansi_x9_42 = yes
+
+    # DNS server assigned to peer via configuration payload (CP).
+    # dns1 =
+
+    # DNS server assigned to peer via configuration payload (CP).
+    # dns2 =
+
+    # Enable Denial of Service protection using cookies and aggressiveness
+    # checks.
+    # dos_protection = yes
+
+    # Compliance with the errata for RFC 4753.
+    # ecp_x_coordinate_only = yes
+
+    # Free objects during authentication (might conflict with plugins).
+    # flush_auth_cfg = no
+
+    # Maximum size (in bytes) of a sent fragment when using the proprietary
+    # IKEv1 fragmentation extension.
+    # fragment_size = 512
+
+    # Name of the group the daemon changes to after startup.
+    # group =
+
+    # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+    # half_open_timeout = 30
+
+    # Enable hash and URL support.
+    # hash_and_url = no
+
+    # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+    # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+    # A space-separated list of routing tables to be excluded from route
+    # lookups.
+    # ignore_routing_tables =
+
+    # Maximum number of IKE_SAs that can be established at the same time before
+    # new connection attempts are blocked.
+    # ikesa_limit = 0
+
+    # Number of exclusively locked segments in the hash table.
+    # ikesa_table_segments = 1
+
+    # Size of the IKE_SA hash table.
+    # ikesa_table_size = 1
+
+    # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+    # inactivity_close_ike = no
+
+    # Limit new connections based on the current number of half open IKE_SAs,
+    # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+    # init_limit_half_open = 0
+
+    # Limit new connections based on the number of queued jobs.
+    # init_limit_job_load = 0
+
+    # Causes charon daemon to ignore IKE initiation requests.
+    # initiator_only = no
+
+    # Install routes into a separate routing table for established IPsec
+    # tunnels.
+    # install_routes = yes
+
+    # Install virtual IP addresses.
+    # install_virtual_ip = yes
+
+    # The name of the interface on which virtual IP addresses should be
+    # installed.
+    # install_virtual_ip_on =
+
+    # Check daemon, libstrongswan and plugin integrity at startup.
+    # integrity_test = no
+
+    # A comma-separated list of network interfaces that should be ignored, if
+    # interfaces_use is specified this option has no effect.
+    # interfaces_ignore =
+
+    # A comma-separated list of network interfaces that should be used by
+    # charon. All other interfaces are ignored.
+    # interfaces_use =
+
+    # NAT keep alive interval.
+    # keep_alive = 20s
+
+    # Plugins to load in the IKE daemon charon.
+    # load =
+
+    # Determine plugins to load via each plugin's load option.
+    # load_modular = no
+
+    # Maximum packet size accepted by charon.
+    # max_packet = 10000
+
+    # Enable multiple authentication exchanges (RFC 4739).
+    # multiple_authentication = yes
+
+    # WINS servers assigned to peer via configuration payload (CP).
+    # nbns1 =
+
+    # WINS servers assigned to peer via configuration payload (CP).
+    # nbns2 =
+
+    # UDP port used locally. If set to 0 a random port will be allocated.
+    # port = 500
+
+    # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+    # allocated.  Has to be different from charon.port, otherwise a random port
+    # will be allocated.
+    # port_nat_t = 4500
+
+    # Process RTM_NEWROUTE and RTM_DELROUTE events.
+    # process_route = yes
+
+    # Delay in ms for receiving packets, to simulate larger RTT.
+    # receive_delay = 0
+
+    # Delay request messages.
+    # receive_delay_request = yes
+
+    # Delay response messages.
+    # receive_delay_response = yes
+
+    # Specific IKEv2 message type to delay, 0 for any.
+    # receive_delay_type = 0
+
+    # Size of the AH/ESP replay window, in packets.
+    # replay_window = 32
+
+    # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+    # in strongswan.conf(5).
+    # retransmit_base = 1.8
+
+    # Timeout in seconds before sending first retransmit.
+    # retransmit_timeout = 4.0
+
+    # Number of times to retransmit a packet before giving up.
+    # retransmit_tries = 5
+
+    # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
+    # resolution failed), 0 to disable retries.
+    # retry_initiate_interval = 0
+
+    # Initiate CHILD_SA within existing IKE_SAs.
+    # reuse_ikesa = yes
+
+    # Numerical routing table to install routes to.
+    # routing_table =
+
+    # Priority of the routing table.
+    # routing_table_prio =
+
+    # Delay in ms for sending packets, to simulate larger RTT.
+    # send_delay = 0
+
+    # Delay request messages.
+    # send_delay_request = yes
+
+    # Delay response messages.
+    # send_delay_response = yes
+
+    # Specific IKEv2 message type to delay, 0 for any.
+    # send_delay_type = 0
+
+    # Send strongSwan vendor ID payload
+    # send_vendor_id = no
+
+    # Number of worker threads in charon.
+    # threads = 16
+
+    # Name of the user the daemon changes to after startup.
+    # user =
+
+    crypto_test {
+
+        # Benchmark crypto algorithms and order them by efficiency.
+        # bench = no
+
+        # Buffer size used for crypto benchmark.
+        # bench_size = 1024
+
+        # Number of iterations to test each algorithm.
+        # bench_time = 50
+
+        # Test crypto algorithms during registration (requires test vectors
+        # provided by the test-vectors plugin).
+        # on_add = no
+
+        # Test crypto algorithms on each crypto primitive instantiation.
+        # on_create = no
+
+        # Strictly require at least one test vector to enable an algorithm.
+        # required = no
+
+        # Whether to test RNG with TRUE quality; requires a lot of entropy.
+        # rng_true = no
+
+    }
+
+    host_resolver {
+
+        # Maximum number of concurrent resolver threads (they are terminated if
+        # unused).
+        # max_threads = 3
+
+        # Minimum number of resolver threads to keep around.
+        # min_threads = 0
+
+    }
+
+    leak_detective {
+
+        # Includes source file names and line numbers in leak detective output.
+        # detailed = yes
+
+        # Threshold in bytes for leaks to be reported (0 to report all).
+        # usage_threshold = 10240
+
+        # Threshold in number of allocations for leaks to be reported (0 to
+        # report all).
+        # usage_threshold_count = 0
+
+    }
+
+    processor {
+
+        # Section to configure the number of reserved threads per priority class
+        # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+        priority_threads {
+
+        }
+
+    }
+
+    tls {
+
+        # List of TLS encryption ciphers.
+        # cipher =
+
+        # List of TLS key exchange methods.
+        # key_exchange =
+
+        # List of TLS MAC algorithms.
+        # mac =
+
+        # List of TLS cipher suites.
+        # suites =
+
+    }
+
+    x509 {
+
+        # Discard certificates with unsupported or unknown critical extensions.
+        # enforce_critical = yes
+
+    }
+
+}
+
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
new file mode 100644
index 000000000..c6f4f1e9e
--- /dev/null
+++ b/conf/options/charon.opt
@@ -0,0 +1,284 @@
+charon {}
+	Options for the charon IKE daemon.
+
+	Options for the charon IKE daemon.
+
+	**Note**: Many of the options in this section also apply to **charon-cmd**
+	and other **charon** derivatives.  Just use their respective name (e.g.
+	**charon-cmd** instead of **charon**). For many options defaults can be
+	defined in the **libstrongswan** section.
+
+charon.block_threshold = 5
+	Maximum number of half-open IKE_SAs for a single peer IP.
+
+charon.cert_cache = yes
+	Whether relations in validated certificate chains should be cached in
+	memory.
+
+charon.cisco_unity = no
+	Send Cisco Unity vendor ID payload (IKEv1 only).
+
+charon.close_ike_on_child_failure = no
+	Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+charon.cookie_threshold = 10
+	Number of half-open IKE_SAs that activate the cookie mechanism.
+
+charon.crypto_test.bench = no
+	Benchmark crypto algorithms and order them by efficiency.
+
+charon.crypto_test.bench_size = 1024
+	Buffer size used for crypto benchmark.
+
+charon.crypto_test.bench_time = 50
+	Number of iterations to test each algorithm.
+
+charon.crypto_test.on_add = no
+	Test crypto algorithms during registration (requires test vectors provided
+	by the _test-vectors_ plugin).
+
+charon.crypto_test.on_create = no
+	Test crypto algorithms on each crypto primitive instantiation.
+
+charon.crypto_test.required = no
+	Strictly require at least one test vector to enable an algorithm.
+
+charon.crypto_test.rng_true = no
+	Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+charon.dh_exponent_ansi_x9_42 = yes
+	Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+	strength.
+
+charon.dns1
+	DNS server assigned to peer via configuration payload (CP).
+
+charon.dns2
+	DNS server assigned to peer via configuration payload (CP).
+
+charon.dos_protection = yes
+	Enable Denial of Service protection using cookies and aggressiveness checks.
+
+charon.ecp_x_coordinate_only = yes
+	Compliance with the errata for RFC 4753.
+
+charon.flush_auth_cfg = no
+	Free objects during authentication (might conflict with plugins).
+
+	If enabled objects used during authentication (certificates, identities
+	etc.) are released to free memory once an IKE_SA is established. Enabling
+	this might conflict with plugins that later need access to e.g. the used
+	certificates.
+
+charon.fragment_size = 512
+	Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+	fragmentation extension.
+
+charon.group
+	Name of the group the daemon changes to after startup.
+
+charon.half_open_timeout = 30
+	Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+charon.hash_and_url = no
+	Enable hash and URL support.
+
+charon.host_resolver.max_threads = 3
+	Maximum number of concurrent resolver threads (they are terminated if
+	unused).
+
+charon.host_resolver.min_threads = 0
+	Minimum number of resolver threads to keep around.
+
+charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
+	Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+
+	If enabled responders are allowed to use IKEv1 Aggressive Mode with
+	pre-shared keys, which is discouraged due to security concerns (offline
+	attacks on the openly transmitted hash of the PSK).
+
+charon.ignore_routing_tables
+	A space-separated list of routing tables to be excluded from route lookups.
+
+charon.ikesa_limit = 0
+	Maximum number of IKE_SAs that can be established at the same time before
+	new connection attempts are blocked.
+
+charon.ikesa_table_segments = 1
+	Number of exclusively locked segments in the hash table.
+
+charon.ikesa_table_size = 1
+	Size of the IKE_SA hash table.
+
+charon.inactivity_close_ike = no
+	Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+charon.init_limit_half_open = 0
+	Limit new connections based on the current number of half open IKE_SAs, see
+	IKE_SA_INIT DROPPING in **strongswan.conf**(5).
+
+charon.init_limit_job_load = 0
+	Limit new connections based on the number of queued jobs.
+
+	Limit new connections based on the number of jobs currently queued for
+	processing (see IKE_SA_INIT DROPPING).
+
+charon.initiator_only = no
+	Causes charon daemon to ignore IKE initiation requests.
+
+charon.install_routes = yes
+	Install routes into a separate routing table for established IPsec tunnels.
+
+charon.install_virtual_ip = yes
+	Install virtual IP addresses.
+
+charon.install_virtual_ip_on
+	The name of the interface on which virtual IP addresses should be installed.
+
+	The name of the interface on which virtual IP addresses should be installed.
+	If not specified the addresses will be installed on the outbound interface.
+
+charon.integrity_test = no
+	Check daemon, libstrongswan and plugin integrity at startup.
+
+charon.interfaces_ignore
+	A comma-separated list of network interfaces that should be ignored, if
+	**interfaces_use** is specified this option has no effect.
+
+charon.interfaces_use
+	A comma-separated list of network interfaces that should be used by charon.
+	All other interfaces are ignored.
+
+charon.keep_alive = 20s
+	NAT keep alive interval.
+
+charon.leak_detective.detailed = yes
+	Includes source file names and line numbers in leak detective output.
+
+charon.leak_detective.usage_threshold = 10240
+	Threshold in bytes for leaks to be reported (0 to report all).
+
+charon.leak_detective.usage_threshold_count = 0
+	Threshold in number of allocations for leaks to be reported (0 to report
+	all).
+
+charon.load
+	Plugins to load in the IKE daemon charon.
+
+charon.load_modular = no
+	Determine plugins to load via each plugin's load option.
+
+	If enabled, the list of plugins to load is determined via the value of the
+	_charon.plugins.<name>.load_ options.  In addition to a simple boolean flag
+	that option may take an integer value indicating the priority of a plugin,
+	which would influence the order of a plugin in the plugin list (the default
+	is 1). If two plugins have the same priority their order in the default
+	plugin list is preserved. Enabled plugins not found in that list are ordered
+	alphabetically before other plugins with the same priority.
+
+charon.max_packet = 10000
+	Maximum packet size accepted by charon.
+
+charon.multiple_authentication = yes
+	Enable multiple authentication exchanges (RFC 4739).
+
+charon.nbns1
+	WINS servers assigned to peer via configuration payload (CP).
+
+charon.nbns2
+	WINS servers assigned to peer via configuration payload (CP).
+
+charon.port = 500
+	UDP port used locally. If set to 0 a random port will be allocated.
+
+charon.port_nat_t = 4500
+	UDP port used locally in case of NAT-T. If set to 0 a random port will be
+	allocated.  Has to be different from **charon.port**, otherwise a random
+	port will be allocated.
+
+charon.process_route = yes
+	Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+charon.processor.priority_threads {}
+	Section to configure the number of reserved threads per priority class
+	see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
+
+charon.receive_delay = 0
+	Delay in ms for receiving packets, to simulate larger RTT.
+
+charon.receive_delay_response = yes
+	Delay response messages.
+
+charon.receive_delay_request = yes
+	Delay request messages.
+
+charon.receive_delay_type = 0
+	Specific IKEv2 message type to delay, 0 for any.
+
+charon.replay_window = 32
+	Size of the AH/ESP replay window, in packets.
+
+charon.retransmit_base = 1.8
+	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+	in **strongswan.conf**(5).
+
+charon.retransmit_timeout = 4.0
+	Timeout in seconds before sending first retransmit.
+
+charon.retransmit_tries = 5
+	Number of times to retransmit a packet before giving up.
+
+charon.retry_initiate_interval = 0
+	Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+	failed), 0 to disable retries.
+
+charon.reuse_ikesa = yes
+	Initiate CHILD_SA within existing IKE_SAs.
+
+charon.routing_table
+	Numerical routing table to install routes to.
+
+charon.routing_table_prio
+	Priority of the routing table.
+
+charon.send_delay = 0
+	Delay in ms for sending packets, to simulate larger RTT.
+
+charon.send_delay_response = yes
+	Delay response messages.
+
+charon.send_delay_request = yes
+	Delay request messages.
+
+charon.send_delay_type = 0
+	Specific IKEv2 message type to delay, 0 for any.
+
+charon.send_vendor_id = no
+	Send strongSwan vendor ID payload
+
+charon.threads = 16
+	Number of worker threads in charon.
+
+	Number of worker threads in charon. Several of these are reserved for long
+	running tasks in internal modules and plugins. Therefore, make sure you
+	don't set this value too low. The number of idle worker threads listed in
+	_ipsec statusall_ might be used as indicator on the number of reserved
+	threads.
+
+charon.tls.cipher
+	List of TLS encryption ciphers.
+
+charon.tls.key_exchange
+	List of TLS key exchange methods.
+
+charon.tls.mac
+	List of TLS MAC algorithms.
+
+charon.tls.suites
+	List of TLS cipher suites.
+
+charon.user
+	Name of the user the daemon changes to after startup.
+
+charon.x509.enforce_critical = yes
+	Discard certificates with unsupported or unknown critical extensions.
diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf
new file mode 100644
index 000000000..92016ef52
--- /dev/null
+++ b/conf/options/imcv.conf
@@ -0,0 +1,43 @@
+charon {
+
+    # Defaults for options in this section can be configured in the libimcv
+    # section.
+    imcv {
+
+        # Whether IMVs send a standard IETF Assessment Result attribute.
+        # assessment_result = yes
+
+        # Global IMV policy database URI. If it contains a password, make sure
+        # to adjust the permissions of the config file accordingly.
+        # database =
+
+        # Script called for each TNC connection to generate IMV policies.
+        # policy_script = ipsec _imv_policy
+
+        os_info {
+
+            # Manually set the name of the client OS (e.g. Ubuntu).
+            # name =
+
+            # Manually set the version of the client OS (e.g. 12.04 i686).
+            # version =
+
+        }
+
+    }
+
+}
+
+libimcv {
+
+    # Debug level for a stand-alone libimcv library.
+    # debug_level = 1
+
+    # Plugins to load in IMC/IMVs with stand-alone libimcv library.
+    # load = random nonce gmp pubkey x509
+
+    # Disable output to stderr with a stand-alone libimcv library.
+    # stderr_quiet = no
+
+}
+
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
new file mode 100644
index 000000000..a249a7b14
--- /dev/null
+++ b/conf/options/imcv.opt
@@ -0,0 +1,28 @@
+charon.imcv {}
+	Defaults for options in this section can be configured in the _libimcv_
+	section.
+
+charon.imcv.assessment_result = yes
+	Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+	Global IMV policy database URI. If it contains a password, make	sure to
+	adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+	Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+	Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+	Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+	Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+	Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+	Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+    # Credential database URI for manager. If it contains a password, make sure
+    # to adjust the permissions of the config file accordingly.
+    # database =
+
+    # Enable debugging in manager.
+    # debug = no
+
+    # Plugins to load in manager.
+    # load =
+
+    # FastCGI socket of manager, to run it statically.
+    # socket =
+
+    # Threads to use for request handling.
+    # threads = 10
+
+    # Session timeout for manager.
+    # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@
+manager.database =
+	Credential database URI for manager. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
+
+manager.debug = no
+	Enable debugging in manager.
+
+manager.load =
+	Plugins to load in manager.
+
+manager.socket =
+	FastCGI socket of manager, to run it statically.
+
+manager.threads = 10
+	Threads to use for request handling.
+
+manager.timeout = 15m
+	Session timeout for manager.
diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf
new file mode 100644
index 000000000..b3026ea3f
--- /dev/null
+++ b/conf/options/medsrv.conf
@@ -0,0 +1,32 @@
+medsrv {
+
+    # Mediation server database URI. If it contains a password, make sure to
+    # adjust the permissions of the config file accordingly.
+    # database =
+
+    # Debugging in mediation server web application.
+    # debug = no
+
+    # DPD timeout to use in mediation server plugin.
+    # dpd = 5m
+
+    # Plugins to load in mediation server plugin.
+    # load =
+
+    # Minimum password length required for mediation server user accounts.
+    # password_length = 6
+
+    # Rekeying time on mediation connections in mediation server plugin.
+    # rekey = 20m
+
+    # Run Mediation server web application statically on socket.
+    # socket =
+
+    # Number of thread for mediation service web application.
+    # threads = 5
+
+    # Session timeout for mediation service.
+    # timeout = 15m
+
+}
+
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
new file mode 100644
index 000000000..f673b7e03
--- /dev/null
+++ b/conf/options/medsrv.opt
@@ -0,0 +1,27 @@
+medsrv.database =
+	Mediation server database URI. If it contains a password, make
+	sure to adjust the permissions of the config file accordingly.
+
+medsrv.debug = no
+	Debugging in mediation server web application.
+
+medsrv.dpd = 5m
+	DPD timeout to use in mediation server plugin.
+
+medsrv.load =
+	Plugins to load in mediation server plugin.
+
+medsrv.password_length = 6
+	Minimum password length required for mediation server user accounts.
+
+medsrv.rekey = 20m
+	Rekeying time on mediation connections in mediation server plugin.
+
+medsrv.socket =
+	Run Mediation server web application statically on socket.
+
+medsrv.threads = 5
+	Number of thread for mediation service web application.
+
+medsrv.timeout = 15m
+	Session timeout for mediation service.
diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf
new file mode 100644
index 000000000..730e5435c
--- /dev/null
+++ b/conf/options/pacman.conf
@@ -0,0 +1,12 @@
+pacman {
+
+    # Database URI for the database that stores the package information. If it
+    # contains a password, make sure to adjust the permissions of the config
+    # file accordingly.
+    # database =
+
+    # Plugins to load in package manager.
+    # load =
+
+}
+
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
new file mode 100644
index 000000000..dfb4ba2b1
--- /dev/null
+++ b/conf/options/pacman.opt
@@ -0,0 +1,7 @@
+pacman.database =
+	Database URI for the database that stores the package information. If it
+	contains a password, make sure to adjust the permissions of the config file
+	accordingly.
+
+pacman.load =
+	Plugins to load in package manager.
diff --git a/conf/options/pool.conf b/conf/options/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/conf/options/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+    # Database URI for the database that stores IP pools and configuration
+    # attributes. If it contains a password, make        sure to adjust the
+    # permissions of the config file accordingly.
+    # database =
+
+    # Plugins to load in ipsec pool tool.
+    # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+	Database URI for the database that stores IP pools and configuration
+	attributes. If it contains a password, make	sure to adjust the permissions
+	of the config file accordingly.
+
+pool.load =
+	Plugins to load in ipsec pool tool.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+    # Plugins to load in starter.
+    # load =
+
+    # Disable charon plugin load option warning.
+    # load_warning = yes
+
+}
+
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
new file mode 100644
index 000000000..4e6574d58
--- /dev/null
+++ b/conf/options/starter.opt
@@ -0,0 +1,5 @@
+starter.load =
+	Plugins to load in starter.
+
+starter.load_warning = yes
+	Disable charon plugin load option warning.
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+    tnc {
+
+        # TNC IMC/IMV configuration file.
+        # tnc_config = /etc/tnc_config
+
+    }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+	TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
@@ -0,0 +1,21 @@
+openac {
+
+    # Plugins to load in ipsec openac tool.
+    # load =
+
+}
+
+pki {
+
+    # Plugins to load in ipsec pki tool.
+    # load =
+
+}
+
+scepclient {
+
+    # Plugins to load in ipsec scepclient tool.
+    # load =
+
+}
+
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
new file mode 100644
index 000000000..23e6a1c9f
--- /dev/null
+++ b/conf/options/tools.opt
@@ -0,0 +1,8 @@
+openac.load =
+	Plugins to load in ipsec openac tool.
+
+pki.load =
+	Plugins to load in ipsec pki tool.
+
+scepclient.load =
+	Plugins to load in ipsec scepclient tool.