author | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
commit | 518dd33c94e041db0444c7d1f33da363bb8e3faf (patch) | |
tree | e8d1665ffadff7ec40228dda47e81f8f4691cd07 /conf/options | |
parent | f42f239a632306ed082f6fde878977248eea85cf (diff) | |
Imported Upstream version 5.4.0
Diffstat (limited to 'conf/options')
-rw-r--r-- | conf/options/charon.conf | 8 | ||||
-rw-r--r-- | conf/options/charon.opt | 13 |
2 files changed, 19 insertions, 2 deletions
diff --git a/conf/options/charon.conf b/conf/options/charon.conf index b55d429a7..5ca61a8e8 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -20,6 +20,9 @@ charon { # Number of half-open IKE_SAs that activate the cookie mechanism. # cookie_threshold = 10 + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes @@ -44,6 +47,9 @@ charon { # Free objects during authentication (might conflict with plugins). # flush_auth_cfg = no + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for # address family specific default values). If specified this limit is @@ -188,7 +194,7 @@ charon { # DNS resolution failed), 0 to disable retries. # retry_initiate_interval = 0 - # Initiate CHILD_SA within existing IKE_SAs. + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). # reuse_ikesa = yes # Numerical routing table to install routes to. diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 816f3250c..86279ec83 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt 
@@ -61,6 +61,14 @@ charon.crypto_test.required = no charon.crypto_test.rng_true = no Whether to test RNG with TRUE quality; requires a lot of entropy. +charon.delete_rekeyed = no + Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + + Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings. + However, this might cause problems with implementations that continue to + use rekeyed SAs until they expire. + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -89,6 +97,9 @@ charon.flush_auth_cfg = no this might conflict with plugins that later need access to e.g. the used certificates. +charon.follow_redirects = yes + Whether to follow IKEv2 redirects (RFC 5685). + charon.fragment_size = 0 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for @@ -283,7 +294,7 @@ charon.retry_initiate_interval = 0 resolution failed), 0 to disable retries. charon.reuse_ikesa = yes - Initiate CHILD_SA within existing IKE_SAs. + Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). charon.routing_table Numerical routing table to install routes to. |
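Review bot: `charon.follow_redirects` is added with a default of `yes` but, unlike `charon.delete_rekeyed` in the first hunk of this file, it gets only a one-line summary and no long description, so an operator cannot tell from the option reference what trust decision they inherit. RFC 5685 lets a gateway send a redirect as early as the IKE_SA_INIT exchange, before the peer has been authenticated, so the description should say whether such early redirects are honoured and that the redirect target must still pass the connection's configured peer authentication (both to be confirmed against the implementation). I would add a paragraph after the summary ending with something like `Set to no on clients that must only ever connect to the configured gateway address.` The matching one-line comment in the second charon.conf hunk has the same gap and should be kept in step with whatever is written here.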