Imported Upstream version 5.1.2

1 files changed, 1664 insertions, 0 deletions

diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
new file mode 100644
index 000000000..282b8fa70
--- /dev/null
+++ b/conf/strongswan.conf.5.main
@@ -0,0 +1,1664 @@
+.TP
+.BR attest.database " []"
+File measurement information database URI. If it contains a password, make sure
+to adjust the permissions of the config file accordingly.
+
+.TP
+.BR attest.load " []"
+Plugins to load in ipsec attest tool.
+
+.TP
+.B charon
+.br
+Options for the charon IKE daemon.
+
+.RB "" "Note" ":"
+Many of the options in this section also apply to
+.RB "" "charon\-cmd" ""
+and
+other
+.RB "" "charon" ""
+derivatives.  Just use their respective name (e.g.
+.RB "" "charon\-cmd" ""
+instead of
+.RB "" "charon" ")."
+For many options defaults can be defined
+in the
+.RB "" "libstrongswan" ""
+section.
+
+.TP
+.BR charon.block_threshold " [5]"
+Maximum number of half\-open IKE_SAs for a single peer IP.
+
+.TP
+.BR charon.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory.
+
+.TP
+.BR charon.cisco_unity " [no]"
+Send Cisco Unity vendor ID payload (IKEv1 only).
+
+.TP
+.BR charon.close_ike_on_child_failure " [no]"
+Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+.TP
+.BR charon.cookie_threshold " [10]"
+Number of half\-open IKE_SAs that activate the cookie mechanism.
+
+.TP
+.BR charon.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+strength.
+
+.TP
+.BR charon.dns1 " []"
+DNS server assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.dns2 " []"
+DNS server assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.dos_protection " [yes]"
+Enable Denial of Service protection using cookies and aggressiveness checks.
+
+.TP
+.BR charon.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753.
+
+.TP
+.BR charon.flush_auth_cfg " [no]"
+If enabled objects used during authentication (certificates, identities etc.)
+are released to free memory once an IKE_SA is established. Enabling this might
+conflict with plugins that later need access to e.g. the used certificates.
+
+.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+
+.TP
+.BR charon.group " []"
+Name of the group the daemon changes to after startup.
+
+.TP
+.BR charon.half_open_timeout " [30]"
+Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+.TP
+.BR charon.hash_and_url " [no]"
+Enable hash and URL support.
+
+.TP
+.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
+If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
+keys, which is discouraged due to security concerns (offline attacks on the
+openly transmitted hash of the PSK).
+
+.TP
+.BR charon.ignore_routing_tables " []"
+A space\-separated list of routing tables to be excluded from route lookups.
+
+.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked.
+
+.TP
+.BR charon.ikesa_table_segments " [1]"
+Number of exclusively locked segments in the hash table.
+
+.TP
+.BR charon.ikesa_table_size " [1]"
+Size of the IKE_SA hash table.
+
+.TP
+.BR charon.inactivity_close_ike " [no]"
+Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit new connections based on the current number of half open IKE_SAs, see
+IKE_SA_INIT DROPPING in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit new connections based on the number of jobs currently queued for
+processing (see IKE_SA_INIT DROPPING).
+
+.TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+
+.TP
+.BR charon.install_routes " [yes]"
+Install routes into a separate routing table for established IPsec tunnels.
+
+.TP
+.BR charon.install_virtual_ip " [yes]"
+Install virtual IP addresses.
+
+.TP
+.BR charon.install_virtual_ip_on " []"
+The name of the interface on which virtual IP addresses should be installed. If
+not specified the addresses will be installed on the outbound interface.
+
+.TP
+.BR charon.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup.
+
+.TP
+.BR charon.interfaces_ignore " []"
+A comma\-separated list of network interfaces that should be ignored, if
+.RB "" "interfaces_use" ""
+is specified this option has no effect.
+
+.TP
+.BR charon.interfaces_use " []"
+A comma\-separated list of network interfaces that should be used by charon. All
+other interfaces are ignored.
+
+.TP
+.BR charon.keep_alive " [20s]"
+NAT keep alive interval.
+
+.TP
+.BR charon.load " []"
+Plugins to load in the IKE daemon charon.
+
+.TP
+.BR charon.load_modular " [no]"
+If enabled, the list of plugins to load is determined via the value of the
+.RI "" "charon.plugins.<name>.load" ""
+options.  In addition to a simple boolean flag that
+option may take an integer value indicating the priority of a plugin, which
+would influence the order of a plugin in the plugin list (the default is 1). If
+two plugins have the same priority their order in the default plugin list is
+preserved. Enabled plugins not found in that list are ordered alphabetically
+before other plugins with the same priority.
+
+.TP
+.BR charon.max_packet " [10000]"
+Maximum packet size accepted by charon.
+
+.TP
+.BR charon.multiple_authentication " [yes]"
+Enable multiple authentication exchanges (RFC 4739).
+
+.TP
+.BR charon.nbns1 " []"
+WINS servers assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.nbns2 " []"
+WINS servers assigned to peer via configuration payload (CP).
+
+.TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT\-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.RB "" "charon.port" ","
+otherwise a random port
+will be allocated.
+
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+.TP
+.BR charon.receive_delay " [0]"
+Delay in ms for receiving packets, to simulate larger RTT.
+
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.retransmit_timeout " [4.0]"
+Timeout in seconds before sending first retransmit.
+
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up.
+
+.TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+
+.TP
+.BR charon.reuse_ikesa " [yes]"
+Initiate CHILD_SA within existing IKE_SAs.
+
+.TP
+.BR charon.routing_table " []"
+Numerical routing table to install routes to.
+
+.TP
+.BR charon.routing_table_prio " []"
+Priority of the routing table.
+
+.TP
+.BR charon.send_delay " [0]"
+Delay in ms for sending packets, to simulate larger RTT.
+
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.send_vendor_id " [no]"
+Send strongSwan vendor ID payload
+
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.RI "" "ipsec statusall" ""
+might be used as indicator on the number of reserved threads.
+
+.TP
+.BR charon.user " []"
+Name of the user the daemon changes to after startup.
+
+.TP
+.BR charon.crypto_test.bench " [no]"
+Benchmark crypto algorithms and order them by efficiency.
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+Buffer size used for crypto benchmark.
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+Number of iterations to test each algorithm.
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration (requires test vectors provided by
+the
+.RI "" "test\-vectors" ""
+plugin).
+
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation.
+
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm.
+
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+.TP
+.B charon.filelog
+.br
+Section to define file loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.filelog.<filename>
+.br
+<filename> is the full path to the log file.
+
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.filelog.<filename>.time_format " []"
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.RB "" "strftime" "(3)."
+
+
+.TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused).
+
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around.
+
+.TP
+.B charon.imcv
+.br
+Defaults for options in this section can be configured in the
+.RI "" "libimcv" ""
+section.
+
+.TP
+.BR charon.imcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute.
+
+.TP
+.BR charon.imcv.database " []"
+Global IMV policy database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.imcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies.
+
+.TP
+.BR charon.imcv.os_info.name " []"
+Manually set the name of the client OS (e.g. Ubuntu).
+
+.TP
+.BR charon.imcv.os_info.version " []"
+Manually set the version of the client OS (e.g. 12.04 i686).
+
+.TP
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output.
+
+.TP
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.plugins.android_log.loglevel " [1]"
+Loglevel for logging to Android specific logger.
+
+.TP
+.B charon.plugins.attr
+.br
+Section to specify arbitrary attributes that are assigned to a peer via
+configuration payload (CP).
+
+.TP
+.BR charon.plugins.attr.<attr> " []"
+.RB "" "<attr>" ""
+can be either
+.RI "" "address" ","
+.RI "" "netmask" ","
+.RI "" "dns" ","
+.RI "" "nbns" ","
+.RI "" "dhcp" ","
+.RI "" "subnet" ","
+.RI "" "split\-include" ","
+.RI "" "split\-exclude" ""
+or the numeric identifier of the attribute
+type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation
+or an arbitrary value depending on the attribute type.  For some attribute types
+multiple values may be specified as a comma separated list.
+
+.TP
+.BR charon.plugins.attr-sql.database " []"
+Database URI for attr\-sql plugin used by charon. If it contains a password, make
+sure to adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases.
+
+.TP
+.BR charon.plugins.certexpire.csv.cron " []"
+Cron style string specifying CSV export times.
+
+.TP
+.BR charon.plugins.certexpire.csv.empty_string " []"
+String to use in empty intermediate CA fields.
+
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count.
+
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for.
+
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+.RB "" "strftime" "(3)"
+format string to export expiration dates as.
+
+.TP
+.BR charon.plugins.certexpire.csv.local " []"
+.RB "" "strftime" "(3)"
+format string for the CSV file name to export local certificates
+to.
+
+.TP
+.BR charon.plugins.certexpire.csv.remote " []"
+.RB "" "strftime" "(3)"
+format string for the CSV file name to export remote
+certificates to.
+
+.TP
+.BR charon.plugins.certexpire.csv.separator " [,]"
+CSV field separator.
+
+.TP
+.BR charon.plugins.coupling.file " []"
+File to store coupling list to.
+
+.TP
+.BR charon.plugins.coupling.hash " [sha1]"
+Hashing algorithm to fingerprint coupled certificates.
+
+.TP
+.BR charon.plugins.coupling.max " [1]"
+Maximum number of coupling entries to create.
+
+.TP
+.BR charon.plugins.dhcp.force_server_address " [no]"
+Always use the configured server address. This might be helpful if the DHCP
+server runs on the same host as strongSwan, and the DHCP daemon does not listen
+on the loopback interface.  In that case the server cannot be reached via
+unicast (or even 255.255.255.255) as that would be routed via loopback. Setting
+this option to yes and configuring the local broadcast address (e.g.
+192.168.0.255) as server address might work.
+
+.TP
+.BR charon.plugins.dhcp.identity_lease " [no]"
+Derive user\-defined MAC address from hash of IKE identity.
+
+.TP
+.BR charon.plugins.dhcp.interface " []"
+Interface name the plugin uses for address allocation. The default is to bind to
+any (0.0.0.0) and let the system decide which way to route the packets to the
+DHCP server.
+
+.TP
+.BR charon.plugins.dhcp.server " [255.255.255.255]"
+DHCP server unicast or broadcast IP address.
+
+.TP
+.BR charon.plugins.dnscert.enable " [no]"
+Enable fetching of CERT RRs via DNS.
+
+.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+Enable duplicheck plugin (if loaded).
+
+.TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin.
+
+.TP
+.BR charon.plugins.eap-aka.request_identity " [yes]"
+.TP
+.BR charon.plugins.eap-aka-3ggp2.seq_check " []"
+.TP
+.BR charon.plugins.eap-dynamic.prefer_user " [no]"
+If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are
+preferred over the methods registered locally.
+
+.TP
+.BR charon.plugins.eap-dynamic.preferred " []"
+The preferred EAP method(s) to be used.  If it is not given the first registered
+method will be used initially.  If a comma separated list is given the methods
+are tried in the given order before trying the rest of the registered methods.
+
+.TP
+.BR charon.plugins.eap-gtc.backend " [pam]"
+XAuth backend to be used for credential verification.
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP\-PEAP packet.
+
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non\-fragmented EAP\-PEAP packets.
+
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP\-PEAP packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method.
+
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication.
+
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate.
+
+.TP
+.BR charon.plugins.eap-radius.accounting " [no]"
+Send RADIUS accounting information to RADIUS servers.
+
+.TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
+
+.TP
+.BR charon.plugins.eap-radius.class_group " [no]"
+Use the
+.RI "" "class" ""
+attribute sent in the RADIUS\-Accept message as group membership
+information that is compared to the groups specified in the
+.RB "" "rightgroups" ""
+option in
+.RB "" "ipsec.conf" "(5)."
+
+
+.TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+
+.TP
+.BR charon.plugins.eap-radius.eap_start " [no]"
+Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
+
+.TP
+.BR charon.plugins.eap-radius.filter_id " [no]"
+If the RADIUS
+.RI "" "tunnel_type" ""
+attribute with value
+.RB "" "ESP" ""
+is received, use the
+.RI "" "filter_id" ""
+attribute sent in the RADIUS\-Accept message as group membership
+information that is compared to the groups specified in the
+.RB "" "rightgroups" ""
+option in
+.RB "" "ipsec.conf" "(5)."
+
+
+.TP
+.BR charon.plugins.eap-radius.id_prefix " []"
+Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP
+method.
+
+.TP
+.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
+NAS\-Identifier to include in RADIUS messages.
+
+.TP
+.BR charon.plugins.eap-radius.port " [1812]"
+Port of RADIUS server (authentication).
+
+.TP
+.BR charon.plugins.eap-radius.secret " []"
+Shared secret between RADIUS and NAS. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.eap-radius.server " []"
+IP/Hostname of RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load.
+
+.TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests.
+
+.TP
+.BR charon.plugins.eap-radius.dae.secret " []"
+Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
+or attribute number, a colon can be used to specify vendor\-specific attributes,
+e.g. Reply\-Message, or 11, or 36906:12).
+
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
+Same as
+.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+
+.TP
+.B charon.plugins.eap-radius.servers
+.br
+Section to specify multiple RADIUS servers. The
+.RB "" "nas_identifier" ","
+.RB "" "secret" ","
+.RB "" "sockets" ""
+and
+.RB "" "port" ""
+(or
+.RB "" "auth_port" ")"
+options can be specified for each
+server. A server's IP/Hostname can be configured using the
+.RB "" "address" ""
+option.
+The
+.RB "" "acct_port" ""
+[1813] option can be used to specify the port used for RADIUS
+accounting. For each RADIUS server a priority can be specified using the
+.RB "" "preference" ""
+[0] option.
+
+.TP
+.B charon.plugins.eap-radius.xauth
+.br
+Section to configure multiple XAuth authentication rounds via RADIUS. The
+subsections define so called authentication profiles with arbitrary names. In
+each profile section one or more XAuth types can be configured, with an assigned
+message. For each type a separate XAuth exchange will be initiated and all
+replies get concatenated into the User\-Password attribute, which then gets
+verified over RADIUS.
+
+Available XAuth types are
+.RB "" "password" ","
+.RB "" "passcode" ","
+.RB "" "nextpin" ","
+and
+.RB "" "answer" "."
+This type is not relevant to strongSwan or the AAA server, but the
+client may show a different dialog (along with the configured message).
+
+To use the configured profiles, they have to be configured in the respective
+connection in
+.RB "" "ipsec.conf" "(5)"
+by appending the profile name, separated by a
+colon, to the
+.RB "" "xauth\-radius" ""
+XAauth backend configuration in
+.RI "" "rightauth" ""
+or
+.RI "" "rightauth2" ","
+for instance,
+.RI "" "rightauth2=xauth\-radius:profile" "."
+
+
+.TP
+.BR charon.plugins.eap-sim.request_identity " [yes]"
+.TP
+.BR charon.plugins.eap-simaka-sql.database " []"
+.TP
+.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
+.TP
+.BR charon.plugins.eap-tls.fragment_size " [1024]"
+Maximum size of an EAP\-TLS packet.
+
+.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non\-fragmented EAP\-TLS packets.
+
+.TP
+.BR charon.plugins.eap-tls.max_message_count " [32]"
+Maximum number of processed EAP\-TLS packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-tnc.max_message_count " [10]"
+Maximum number of processed EAP\-TNC packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
+IF\-TNCCS protocol version to be used 
+.RI "(" "tnccs\-1.1" ","
+.RI "" "tnccs\-2.0" ","
+.RI "" "tnccs\-dynamic" ")."
+
+
+.TP
+.BR charon.plugins.eap-ttls.fragment_size " [1024]"
+Maximum size of an EAP\-TTLS packet.
+
+.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non\-fragmented EAP\-TTLS packets.
+
+.TP
+.BR charon.plugins.eap-ttls.max_message_count " [32]"
+Maximum number of processed EAP\-TTLS packets (0 = no limit).
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_method " [md5]"
+Phase2 EAP client authentication method.
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+.TP
+.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication.
+
+.TP
+.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
+Request peer authentication based on a client certificate.
+
+.TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error\-notify plugin.
+
+.TP
+.BR charon.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+
+.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes. Set
+to 0 to disable.
+
+.TP
+.BR charon.plugins.ha.fifo_interface " [yes]"
+.TP
+.BR charon.plugins.ha.heartbeat_delay " [1000]"
+.TP
+.BR charon.plugins.ha.heartbeat_timeout " [2100]"
+.TP
+.BR charon.plugins.ha.local " []"
+.TP
+.BR charon.plugins.ha.monitor " [yes]"
+.TP
+.BR charon.plugins.ha.pools " []"
+.TP
+.BR charon.plugins.ha.remote " []"
+.TP
+.BR charon.plugins.ha.resync " [yes]"
+.TP
+.BR charon.plugins.ha.secret " []"
+.TP
+.BR charon.plugins.ha.segment_count " [1]"
+.TP
+.BR charon.plugins.imc-attestation.aik_blob " []"
+AIK encrypted private key blob file.
+
+.TP
+.BR charon.plugins.imc-attestation.aik_cert " []"
+AIK certificate file.
+
+.TP
+.BR charon.plugins.imc-attestation.aik_key " []"
+AIK public key file.
+
+.TP
+.BR charon.plugins.imc-attestation.nonce_len " [20]"
+DH nonce length.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr17_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_after " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_before " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr18_meas " []"
+Dummy data if the TBOOT log is not retrieved.
+
+.TP
+.BR charon.plugins.imc-attestation.pcr_info " [yes]"
+Whether to send pcr_before and pcr_after info.
+
+.TP
+.BR charon.plugins.imc-attestation.use_quote2 " [yes]"
+Use Quote2 AIK signature instead of Quote signature.
+
+.TP
+.BR charon.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted.
+
+.TP
+.BR charon.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR charon.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR charon.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR charon.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR charon.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR charon.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR charon.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR charon.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR charon.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR charon.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR charon.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR charon.plugins.imv-test.rounds " [0]"
+Number of IMC\-IMV retry rounds.
+
+.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable fetching of IPSECKEY RRs via DNS.
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
+Number of ipsecN devices.
+
+.TP
+.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
+Set MTU of ipsecN device.
+
+.TP
+.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
+Allow that the remote traffic selector equals the IKE peer. The route installed
+for such traffic (via TUN device) usually prevents further IKE traffic. The
+fwmark options for the
+.RI "" "kernel\-netlink" ""
+and
+.RI "" "socket\-default" ""
+plugins can be used
+to circumvent that problem.
+
+.TP
+.BR charon.plugins.kernel-netlink.fwmark " []"
+Firewall mark to set on the routing rule that directs traffic to our routing
+table. The format is [!]mark[/mask], where the optional exclamation mark inverts
+the meaning (i.e. the rule only applies to packets that don't match the mark).
+
+.TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change.
+
+.TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel. The value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+acquire messages sent.
+
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+
+.TP
+.BR charon.plugins.led.activity_led " []"
+.TP
+.BR charon.plugins.led.blink_time " [50]"
+.TP
+.B charon.plugins.load-tester
+.br
+Section to configure the load\-tester plugin, see LOAD TESTS in
+.RB "" "strongswan.conf" "(5)"
+for details.
+
+.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated.
+
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to \-1 the
+full address is used (i.e. 32 or 128).
+
+.TP
+.BR charon.plugins.load-tester.ca_dir " []"
+Directory to load (intermediate) CA certificates from.
+
+.TP
+.BR charon.plugins.load-tester.child_rekey " [600]"
+Seconds to start CHILD_SA rekeying after setup.
+
+.TP
+.BR charon.plugins.load-tester.delay " [0]"
+Delay between initiatons for each thread.
+
+.TP
+.BR charon.plugins.load-tester.delete_after_established " [no]"
+Delete an IKE_SA as soon as it has been established.
+
+.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates.
+
+.TP
+.BR charon.plugins.load-tester.dpd_delay " [0]"
+DPD delay to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.dynamic_port " [0]"
+Base port to be used for requests (each client uses a different port).
+
+.TP
+.BR charon.plugins.load-tester.eap_password " [default-pwd]"
+EAP secret to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.enable " [no]"
+Enable the load testing plugin.
+.RB "" "WARNING" ":"
+Never enable this plugin on
+productive systems. It provides preconfigured credentials and allows an attacker
+to authenticate as any user.
+
+.TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests.
+
+.TP
+.BR charon.plugins.load-tester.fake_kernel " [no]"
+Fake the kernel interface to allow load\-testing against self.
+
+.TP
+.BR charon.plugins.load-tester.ike_rekey " [0]"
+Seconds to start IKE_SA rekeying after setup.
+
+.TP
+.BR charon.plugins.load-tester.init_limit " [0]"
+Global limit of concurrently established SAs during load test.
+
+.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from.
+
+.TP
+.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
+Authentication method(s) the intiator uses.
+
+.TP
+.BR charon.plugins.load-tester.initiator_id " []"
+Initiator ID used in load test.
+
+.TP
+.BR charon.plugins.load-tester.initiator_match " []"
+Initiator ID to match against as responder.
+
+.TP
+.BR charon.plugins.load-tester.initiator_tsi " []"
+Traffic selector on initiator side, as proposed by initiator.
+
+.TP
+.BR charon.plugins.load-tester.initiator_tsr " []"
+Traffic selector on responder side, as proposed by initiator.
+
+.TP
+.BR charon.plugins.load-tester.initiators " [0]"
+Number of concurrent initiator threads to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.issuer_cert " []"
+Path to the issuer certificate (if not configured a hard\-coded default value is
+used).
+
+.TP
+.BR charon.plugins.load-tester.issuer_key " []"
+Path to private key that is used to issue certificates (if not configured a
+hard\-coded default value is used).
+
+.TP
+.BR charon.plugins.load-tester.iterations " [1]"
+Number of IKE_SAs to initiate by each initiator in load test.
+
+.TP
+.BR charon.plugins.load-tester.mode " [tunnel]"
+IPsec mode to use, one of
+.RI "" "tunnel" ","
+.RI "" "transport" ","
+or
+.RI "" "beet" "."
+
+
+.TP
+.BR charon.plugins.load-tester.pool " []"
+Provide INTERNAL_IPV4_ADDRs from a named pool.
+
+.TP
+.BR charon.plugins.load-tester.preshared_key " [<default-psk>]"
+Preshared key to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
+IKE proposal to use in load test.
+
+.TP
+.BR charon.plugins.load-tester.request_virtual_ip " [no]"
+Request an INTERNAL_IPV4_ADDR from the server.
+
+.TP
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
+Address to initiation connections to.
+
+.TP
+.BR charon.plugins.load-tester.responder_auth " [pubkey]"
+Authentication method(s) the responder uses.
+
+.TP
+.BR charon.plugins.load-tester.responder_id " []"
+Responder ID used in load test.
+
+.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder.
+
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder.
+
+.TP
+.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
+Shutdown the daemon after all IKE_SAs have been established.
+
+.TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load\-tester plugin.
+
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder).
+
+.TP
+.B charon.plugins.load-tester.addrs
+.br
+Section that contains key/value pairs with address pools (in CIDR notation) to
+use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+.TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin.
+
+.TP
+.BR charon.plugins.ntru.max_drbg_requests " [4294967294]"
+Number of pseudo\-random bit requests from the DRBG before an automatic reseeding
+occurs.
+
+.TP
+.BR charon.plugins.ntru.parameter_set " [optimum]"
+The following parameter sets are available:
+.RB "" "x9_98_speed" ","
+.RB "" "x9_98_bandwidth" ","
+.RB "" "x9_98_balance" ""
+and
+.RB "" "optimum" ","
+the last set not being
+part of the X9.98 standard but having the best performance.
+
+.TP
+.BR charon.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin.
+
+.TP
+.BR charon.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+
+.TP
+.BR charon.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens.
+
+.TP
+.BR charon.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP.
+
+.TP
+.BR charon.plugins.pkcs11.use_dh " [no]"
+Whether the PKCS#11 modules should be used for DH and ECDH (see
+.RI "" "use_ecc" ""
+option).
+
+.TP
+.BR charon.plugins.pkcs11.use_ecc " [no]"
+Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+operations. ECDSA private keys can be used regardless of this option.
+
+.TP
+.BR charon.plugins.pkcs11.use_hasher " [no]"
+Whether the PKCS#11 modules should be used to hash data.
+
+.TP
+.BR charon.plugins.pkcs11.use_pubkey " [no]"
+Whether the PKCS#11 modules should be used for public key operations, even for
+keys not stored on tokens.
+
+.TP
+.BR charon.plugins.pkcs11.use_rng " [no]"
+Whether the PKCS#11 modules should be used as RNG.
+
+.TP
+.B charon.plugins.pkcs11.modules
+.br
+List of available PKCS#11 modules.
+
+.TP
+.BR charon.plugins.radattr.dir " []"
+Directory where RADIUS attributes are stored in client\-ID specific files.
+
+.TP
+.BR charon.plugins.radattr.message_id " [-1]"
+Attributes are added to all IKE_AUTH messages by default (\-1), or only to the
+IKE_AUTH message with the given IKEv2 message ID.
+
+.TP
+.BR charon.plugins.random.random " [${random_device}]"
+File to read random bytes from.
+
+.TP
+.BR charon.plugins.random.strong_equals_true " [no]"
+If set to yes the RNG_STRONG class reads random bytes from the same source as
+the RNG_TRUE class.
+
+.TP
+.BR charon.plugins.random.urandom " [${urandom_device}]"
+File to read pseudo random bytes from.
+
+.TP
+.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
+File where to add DNS server entries.
+
+.TP
+.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
+Prefix used for interface names sent to
+.RB "" "resolvconf" "(8)."
+The nameserver
+address is appended to this prefix to make it unique.  The result has to be a
+valid interface name according to the rules defined by resolvconf.  Also, it
+should have a high priority according to the order defined in
+.RB "" "interface\-order" "(5)."
+
+
+.TP
+.BR charon.plugins.socket-default.fwmark " []"
+Firewall mark to set on outbound packets.
+
+.TP
+.BR charon.plugins.socket-default.set_source " [yes]"
+Set source address on outbound packets, if possible.
+
+.TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+
+.TP
+.BR charon.plugins.sql.database " []"
+Database URI for charon's SQL plugin. If it contains a password, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.sql.loglevel " [-1]"
+Loglevel for logging to SQL database.
+
+.TP
+.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
+Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+certificates even if they don't contain a CA basic constraint.
+
+.TP
+.BR charon.plugins.stroke.max_concurrent " [4]"
+Maximum number of stroke messages handled concurrently.
+
+.TP
+.BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
+If enabled log level changes via stroke socket are not allowed.
+
+.TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin.
+
+.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout.
+
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check.
+
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+.TP
+.BR charon.plugins.systime-fix.threshold " []"
+Threshold date where system time is considered valid. Disabled if not specified.
+
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+.RB "" "strptime" "(3)"
+format used to parse threshold option.
+
+.TP
+.BR charon.plugins.tnc-ifmap.client_cert " []"
+Path to X.509 certificate file of IF\-MAP client.
+
+.TP
+.BR charon.plugins.tnc-ifmap.client_key " []"
+Path to private key file of IF\-MAP client.
+
+.TP
+.BR charon.plugins.tnc-ifmap.device_name " []"
+Unique name of strongSwan server as a PEP and/or PDP device.
+
+.TP
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF\-MAP RenewSession requests.
+
+.TP
+.BR charon.plugins.tnc-ifmap.server_cert " []"
+Path to X.509 certificate file of IF\-MAP server.
+
+.TP
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path].
+
+.TP
+.BR charon.plugins.tnc-ifmap.username_password " []"
+Credentials of IF\-MAP client of the form username:password. If set, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use.
+
+.TP
+.BR charon.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations.
+
+.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use.
+
+.TP
+.BR charon.plugins.tnc-imv.recommendation_policy " [default]"
+TNC recommendation policy, one of
+.RI "" "default" ","
+.RI "" "any" ","
+or
+.RI "" "all" "."
+
+
+.TP
+.BR charon.plugins.tnc-pdp.server " []"
+Name of the strongSwan PDP as contained in the AAA certificate.
+
+.TP
+.BR charon.plugins.tnc-pdp.timeout " []"
+Timeout in seconds before closing incomplete connections.
+
+.TP
+.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
+Enable PT\-TLS protocol on the strongSwan PDP.
+
+.TP
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT\-TLS server port the strongSwan PDP is listening on.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.enable " [yes]"
+Enable RADIUS protocol on the strongSwan PDP.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
+EAP tunnel method to be used.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
+RADIUS server port the strongSwan PDP is listening on.
+
+.TP
+.BR charon.plugins.tnc-pdp.radius.secret " []"
+Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA\-TNC message (XML & Base64 encoding).
+
+.TP
+.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
+
+.TP
+.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
+
+.TP
+.BR charon.plugins.unbound.dlv_anchors " []"
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as
+.RI "" "trust_anchors" "."
+Only one DLV can be configured, which is
+then used as a root trusted DLV, this means that it is a lookaside for the root.
+
+.TP
+.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from.
+
+.TP
+.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
+
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+Enable loaded whitelist plugin.
+
+.TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin.
+
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification.
+
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication.
+
+.TP
+.BR charon.plugins.xauth-pam.session " [no]"
+Open/close a PAM session for each active IKE_SA.
+
+.TP
+.BR charon.plugins.xauth-pam.trim_email " [yes]"
+If an email address is received as an XAuth username, trim it to just the
+username part.
+
+.TP
+.B charon.processor.priority_threads
+.br
+Section to configure the number of reserved threads per priority class see JOB
+PRIORITY MANAGEMENT in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.syslog
+.br
+Section to define syslog loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog.  If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.B charon.syslog.<facility>
+.br
+<facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
+in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.<facility>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.syslog.<facility>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.syslog.<facility>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.tls.cipher " []"
+List of TLS encryption ciphers.
+
+.TP
+.BR charon.tls.key_exchange " []"
+List of TLS key exchange methods.
+
+.TP
+.BR charon.tls.mac " []"
+List of TLS MAC algorithms.
+
+.TP
+.BR charon.tls.suites " []"
+List of TLS cipher suites.
+
+.TP
+.BR charon.tnc.tnc_config " [/etc/tnc_config]"
+TNC IMC/IMV configuration file.
+
+.TP
+.BR charon.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions.
+
+.TP
+.BR libimcv.debug_level " [1]"
+Debug level for a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs with stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.stderr_quiet " [no]"
+Disable output to stderr with a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR manager.database " []"
+Credential database URI for manager. If it contains a password, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager.
+
+.TP
+.BR manager.load " []"
+Plugins to load in manager.
+
+.TP
+.BR manager.socket " []"
+FastCGI socket of manager, to run it statically.
+
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling.
+
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager.
+
+.TP
+.BR medsrv.database " []"
+Mediation server database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application.
+
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin.
+
+.TP
+.BR medsrv.load " []"
+Plugins to load in mediation server plugin.
+
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts.
+
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin.
+
+.TP
+.BR medsrv.socket " []"
+Run Mediation server web application statically on socket.
+
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application.
+
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service.
+
+.TP
+.BR openac.load " []"
+Plugins to load in ipsec openac tool.
+
+.TP
+.BR pacman.database " []"
+Database URI for the database that stores the package information. If it
+contains a password, make sure to adjust the permissions of the config file
+accordingly.
+
+.TP
+.BR pacman.load " []"
+Plugins to load in package manager.
+
+.TP
+.BR pki.load " []"
+Plugins to load in ipsec pki tool.
+
+.TP
+.BR pool.database " []"
+Database URI for the database that stores IP pools and configuration attributes.
+If it contains a password, make        sure to adjust the permissions of the
+config file accordingly.
+
+.TP
+.BR pool.load " []"
+Plugins to load in ipsec pool tool.
+
+.TP
+.BR scepclient.load " []"
+Plugins to load in ipsec scepclient tool.
+
+.TP
+.BR starter.load " []"
+Plugins to load in starter.
+
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon plugin load option warning.
+