Imported Upstream version 5.3.0

2 files changed, 45 insertions, 0 deletions

diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 0bec9bb0a..bd8e29940 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -58,6 +58,10 @@ charon {
     # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
     # i_dont_care_about_security_and_use_aggressive_mode_psk = no
 
+    # Whether to ignore the traffic selectors from the kernel's acquire events
+    # for IKEv2 connections (they are not used for IKEv1).
+    # ignore_acquire_ts = no
+
     # A space-separated list of routing tables to be excluded from route
     # lookups.
     # ignore_routing_tables =
@@ -116,6 +120,9 @@ charon {
     # Determine plugins to load via each plugin's load option.
     # load_modular = no
 
+    # Initiate IKEv2 reauthentication with a make-before-break scheme.
+    # make_before_break = no
+
     # Maximum packet size accepted by charon.
     # max_packet = 10000
 
@@ -197,6 +204,12 @@ charon {
     # Send strongSwan vendor ID payload
     # send_vendor_id = no
 
+    # Whether to enable Signature Authentication as per RFC 7427.
+    # signature_authentication = yes
+
+    # Whether to enable constraints against IKEv2 signature schemes.
+    # signature_authentication_constraints = yes
+
     # Number of worker threads in charon.
     # threads = 16
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
 charon.ignore_routing_tables
 	A space-separated list of routing tables to be excluded from route lookups.
 
+charon.ignore_acquire_ts = no
+	Whether to ignore the traffic selectors from the kernel's acquire events for
+	IKEv2 connections (they are not used for IKEv1).
+
+	If this is disabled the traffic selectors from the kernel's acquire events,
+	which are derived from the triggering packet, are prepended to the traffic
+	selectors from the configuration for IKEv2 connection. By enabling this,
+	such specific traffic selectors will be ignored and only the ones in the
+	config will	be sent. This always happens for IKEv1 connections as the
+	protocol only supports one set of traffic selectors per CHILD_SA.
+
 charon.ikesa_limit = 0
 	Maximum number of IKE_SAs that can be established at the same time before
 	new connection attempts are blocked.
@@ -196,6 +207,16 @@ charon.load_modular = no
 charon.max_packet = 10000
 	Maximum packet size accepted by charon.
 
+charon.make_before_break = no
+	Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+	Initiate IKEv2 reauthentication with a make-before-break instead of a
+	break-before-make scheme. Make-before-break uses overlapping IKE and
+	CHILD_SA during reauthentication by first recreating all new SAs before
+	deleting the old ones. This behavior can be beneficial to avoid connectivity
+	gaps during reauthentication, but requires support for overlapping SAs by
+	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
 charon.multiple_authentication = yes
 	Enable multiple authentication exchanges (RFC 4739).
 
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
 charon.send_vendor_id = no
 	Send strongSwan vendor ID payload
 
+charon.signature_authentication = yes
+	Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+	Whether to enable constraints against IKEv2 signature schemes.
+
+	If enabled, signature schemes configured in _rightauth_, in addition to
+	getting used as constraints against signature schemes employed in the
+	certificate chain, are also used as constraints against the signature scheme
+	used by peers during IKEv2.
+
 charon.start-scripts {}
 	Section containing a list of scripts (name = path) that are executed when
 	the daemon is started.