author | Romain Francoise <rfrancoise@debian.org> | 2014-10-21 19:28:38 +0200 |
committer | Romain Francoise <rfrancoise@debian.org> | 2014-10-21 19:28:38 +0200 |
commit | 2b8de74ff4c334c25e89988c4a401b24b5bcf03d (patch) | |
tree | 10fb49ca94bfd0c8b8a583412281abfc0186836e /conf/plugins | |
parent | 81c63b0eed39432878f78727f60a1e7499645199 (diff) | |
download | vyos-strongswan-2b8de74ff4c334c25e89988c4a401b24b5bcf03d.tar.gz vyos-strongswan-2b8de74ff4c334c25e89988c4a401b24b5bcf03d.zip |
Import upstream release 5.2.1
Diffstat (limited to 'conf/plugins')
-rw-r--r-- | conf/plugins/eap-radius.conf | 6 | ||||
-rw-r--r-- | conf/plugins/eap-radius.opt | 6 | ||||
-rw-r--r-- | conf/plugins/ext-auth.conf | 11 | ||||
-rw-r--r-- | conf/plugins/ext-auth.opt | 15 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.conf | 10 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.opt | 15 | ||||
-rw-r--r-- | conf/plugins/stroke.conf | 3 | ||||
-rw-r--r-- | conf/plugins/stroke.opt | 3 |
8 files changed, 67 insertions, 2 deletions
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 64db67456..b98b195d1 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -7,11 +7,15 @@ eap-radius {
 # updates.
 # accounting_close_on_timeout = yes
+ # Interval for interim RADIUS accounting updates, if not specified by the
+ # RADIUS server in the Access-Accept message.
+ # accounting_interval = 0
+
 # If enabled, accounting is disabled unless an IKE_SA has at least one
 # virtual IP.
 # accounting_requires_vip = no
- # Use class attributes in RADIUS-Accept messages as group membership
+ # Use class attributes in Access-Accept messages as group membership
 # information.
 # class_group = no
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0df6a0d6f..2a6786dd9 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -5,12 +5,16 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes
 Close the IKE_SA if there is a timeout during interim RADIUS accounting
 updates.
+charon.plugins.eap-radius.accounting_interval = 0
+ Interval for interim RADIUS accounting updates, if not specified by the
+ RADIUS server in the Access-Accept message.
+
 charon.plugins.eap-radius.accounting_requires_vip = no
 If enabled, accounting is disabled unless an IKE_SA has at least one
 virtual IP.
 charon.plugins.eap-radius.class_group = no
- Use class attributes in RADIUS-Accept messages as group membership
+ Use class attributes in Access-Accept messages as group membership
 information.
 Use the _class_ attribute sent in the RADIUS-Accept message as group
diff --git a/conf/plugins/ext-auth.conf b/conf/plugins/ext-auth.conf
new file mode 100644
index 000000000..f5aa45f6f
--- /dev/null
+++ b/conf/plugins/ext-auth.conf
@@ -0,0 +1,11 @@
+ext-auth {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Shell script to invoke for peer authorization.
+ # script =
+
+}
+
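Review bot: The added `accounting_interval` comment states neither the unit of the value nor what the default `0` means, so a reader cannot tell whether `accounting_interval = 60` is seconds or minutes. The RADIUS Acct-Interim-Interval attribute that this option is the local fallback for is defined in seconds; if the option follows it, say so: `# Interval in seconds for interim RADIUS accounting updates, if not specified by the` / `# RADIUS server in the Access-Accept message. 0 disables local interim updates.` (confirm the 0 semantics against the plugin before wording it that way). The same description is added in the eap-radius.opt hunk and should be updated there as well.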
diff --git a/conf/plugins/ext-auth.opt b/conf/plugins/ext-auth.opt
new file mode 100644
index 000000000..bf127b9d7
--- /dev/null
+++ b/conf/plugins/ext-auth.opt
@@ -0,0 +1,15 @@
+charon.plugins.ext-auth.script =
+ Shell script to invoke for peer authorization.
+
+ Command to pass to the system shell for peer authorization. Authorization
+ is considered successful if the command executes normally with an exit code
+ of zero. For all other exit codes IKE_SA authorization is rejected.
+
+ The following environment variables get passed to the script:
+ _IKE_UNIQUE_ID_: The IKE_SA numerical unique identifier.
+ _IKE_NAME_: The peer configuration connection name.
+ _IKE_LOCAL_HOST_: Local IKE IP address.
+ _IKE_REMOTE_HOST_: Remote IKE IP address.
+ _IKE_LOCAL_ID_: Local IKE identity.
+ _IKE_REMOTE_ID_: Remote IKE identity.
+ _IKE_REMOTE_EAP_ID_: Remote EAP or XAuth identity, if used.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 670746963..f05f486b1 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -8,10 +8,20 @@ kernel-netlink {
 # priority of this plugin.
 load = yes
+ # MSS to set on installed routes, 0 to disable.
+ # mss = 0
+
+ # MTU to set on installed routes, 0 to disable.
+ # mtu = 0
+
 # Whether to trigger roam events when interfaces, addresses or routes
 # change.
 # roam_events = yes
+ # Whether to set protocol and ports in the selector installed on transport
+ # mode IPsec SAs in the kernel.
+ # set_proto_port_transport_sa = no
+
 # Lifetime of XFRM acquire state in kernel.
 # xfrm_acq_expires = 165
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index a8e421b6e..7d44581a5 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
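Review bot: The `script` description lists `_IKE_REMOTE_ID_` and `_IKE_REMOTE_EAP_ID_` among the environment variables but never says that these values are supplied by the peer and have not been authorized yet when the command runs, which is the one fact a script author needs when the command is handed to the system shell. A sentence after the variable list would make it explicit: `The remote identities are chosen by the peer and are not yet trusted when the script runs; treat them as untrusted data (quote them, never expand them into a command line).` It would also help to state what the plugin does when `load = yes` but `script` is left empty, since the ext-auth.conf hunk ships exactly that combination as the default.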
@@ -7,9 +7,24 @@ charon.plugins.kernel-netlink.fwmark =
 inverts the meaning (i.e. the rule only applies to packets that don't
 match the mark).
+charon.plugins.kernel-netlink.mss = 0
+ MSS to set on installed routes, 0 to disable.
+
+charon.plugins.kernel-netlink.mtu = 0
+ MTU to set on installed routes, 0 to disable.
+
 charon.plugins.kernel-netlink.roam_events = yes
 Whether to trigger roam events when interfaces, addresses or routes
 change.
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel.
+
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+ traffic, it also prevents the use of a single IPsec SA by more than one
+ traffic selector.
+
 charon.plugins.kernel-netlink.xfrm_acq_expires = 165
 Lifetime of XFRM acquire state in kernel.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
index 6dd063053..3d8ee0acc 100644
--- a/conf/plugins/stroke.conf
+++ b/conf/plugins/stroke.conf
@@ -14,6 +14,9 @@ stroke {
 # If enabled log level changes via stroke socket are not allowed.
 # prevent_loglevel_changes = no
+ # Location of the ipsec.secrets file
+ # secrets_file = ${sysconfdir}/ipsec.secrets
+
 # Socket provided by the stroke plugin.
 # socket = unix://${piddir}/charon.ctl
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
index 2cfc2c6fa..4b49b1f04 100644
--- a/conf/plugins/stroke.opt
+++ b/conf/plugins/stroke.opt
@@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4
 charon.plugins.stroke.prevent_loglevel_changes = no
 If enabled log level changes via stroke socket are not allowed.
+charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
+ Location of the ipsec.secrets file
+
 charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
 Socket provided by the stroke plugin. |
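Review bot: The new comment `# Location of the ipsec.secrets file` in the stroke.conf hunk is the only one there without a terminating period; the surrounding `# If enabled log level changes via stroke socket are not allowed.` and `# Socket provided by the stroke plugin.` both end with one, so write `# Location of the ipsec.secrets file.` for consistency. The same sentence is added in the stroke.opt hunk and should get the period there as well, since the .conf text appears to be derived from it.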