authorYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
committerYves-Alexis Perez <corsac@debian.org>2016-03-24 11:59:32 +0100
commit518dd33c94e041db0444c7d1f33da363bb8e3faf (patch)
treee8d1665ffadff7ec40228dda47e81f8f4691cd07 /conf/options
parentf42f239a632306ed082f6fde878977248eea85cf (diff)
Imported Upstream version 5.4.0
Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/charon.conf8
-rw-r--r--conf/options/charon.opt13
2 files changed, 19 insertions, 2 deletions
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index b55d429a7..5ca61a8e8 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -20,6 +20,9 @@ charon {
# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10
+ # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ # delete_rekeyed = no
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
@@ -44,6 +47,9 @@ charon {
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
+ # Whether to follow IKEv2 redirects (RFC 5685).
+ # follow_redirects = yes
+
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
# address family specific default values). If specified this limit is
@@ -188,7 +194,7 @@ charon {
# DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
- # Initiate CHILD_SA within existing IKE_SAs.
+ # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes
# Numerical routing table to install routes to.
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 816f3250c..86279ec83 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -61,6 +61,14 @@ charon.crypto_test.required = no
charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.
+charon.delete_rekeyed = no
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+
+ Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
+ However, this might cause problems with implementations that continue to
+ use rekeyed SAs until they expire.
+
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
@@ -89,6 +97,9 @@ charon.flush_auth_cfg = no
this might conflict with plugins that later need access to e.g. the used
certificates.
+charon.follow_redirects = yes
+ Whether to follow IKEv2 redirects (RFC 5685).
+
charon.fragment_size = 0
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
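Review bot: The new `charon.follow_redirects` entry has only its one-line summary, although it defaults to `yes` and lets the responder change which gateway the initiator ends up talking to. RFC 5685 permits a REDIRECT notify in the IKE_SA_INIT response, which arrives before the peer has been authenticated, so an operator deciding whether to keep the default needs to know what is still verified after a redirect. I would add a long description after a blank line, in the same way `charon.delete_rekeyed` has one in this file. It should say that a redirect may be received before authentication completes and that `no` keeps the initiator on the configured gateway. It should also say that the redirect target is still expected to authenticate against the configured remote identity, which needs confirming against the implementation. The `follow_redirects` hunk in charon.conf carries the same one-line text and looks derived from this file, so it would need regenerating to match.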
@@ -283,7 +294,7 @@ charon.retry_initiate_interval = 0
resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
- Initiate CHILD_SA within existing IKE_SAs.
+ Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
charon.routing_table
Numerical routing table to install routes to.