diff options
author | Yves-Alexis Perez <corsac@corsac.net> | 2017-05-30 20:59:31 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-05-30 20:59:31 +0200 |
commit | bba25e2ff6c4a193acb54560ea4417537bd2954e (patch) | |
tree | 9e074fe343f9ab6f5ce1e9c5142d9a6cf180fcda /conf/strongswan.conf.5.main | |
parent | 05ddd767992d68bb38c7f16ece142e8c2e9ae016 (diff) | |
download | vyos-strongswan-bba25e2ff6c4a193acb54560ea4417537bd2954e.tar.gz vyos-strongswan-bba25e2ff6c4a193acb54560ea4417537bd2954e.zip |
New upstream version 5.5.3
Diffstat (limited to 'conf/strongswan.conf.5.main')
-rw-r--r-- | conf/strongswan.conf.5.main | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 72ab3a77a..4df7ce42d 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -114,6 +114,14 @@ this might cause problems with implementations that continue to use rekeyed SAs until they expire. .TP +.BR charon.delete_rekeyed_delay " [5]" +Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 +only). To process delayed packets the inbound part of a CHILD_SA is kept +installed up to the configured number of seconds after it got replaced during a +rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if +no lifetime is set it will be destroyed immediately). + +.TP .BR charon.dh_exponent_ansi_x9_42 " [yes]" Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -432,6 +440,11 @@ or an arbitrary value depending on the attribute type. For some attribute types multiple values may be specified as a comma separated list. .TP +.BR charon.plugins.attr-sql.crash_recovery " [yes]" +Release all online leases during startup. Disable this to share the DB between +multiple VPN gateways. + +.TP .BR charon.plugins.attr-sql.database " []" Database URI for attr\-sql plugin used by charon. If it contains a password, make sure to adjust the permissions of the config file accordingly. @@ -1049,8 +1062,8 @@ Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs allocated -by the kernel. The default value equals the default total retransmission timeout -for IKE messages, see IKEv2 RETRANSMISSION in +by the kernel. The default value equals the total retransmission timeout for +IKE messages, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." @@ -1394,6 +1407,11 @@ Firewall mark to set on outbound packets. Set source address on outbound packets, if possible. .TP +.BR charon.plugins.socket-default.set_sourceif " [no]" +Force sending interface on outbound packets, if possible. This allows using IPv6 +link\-local addresses as tunnel endpoints. + +.TP .BR charon.plugins.socket-default.use_ipv4 " [yes]" Listen on IPv4, if possible. @@ -1698,6 +1716,15 @@ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in .TP +.BR charon.retransmit_jitter " [0]" +Maximum jitter in percent to apply randomly to calculated retransmission timeout +(0 to disable). + +.TP +.BR charon.retransmit_limit " [0]" +Upper limit in seconds for calculated retransmission timeout (0 to disable). + +.TP .BR charon.retransmit_timeout " [4.0]" Timeout in seconds before sending first retransmit. |