Import upstream version 5.1.3

11 files changed, 320 insertions, 304 deletions

diff --git a/conf/Makefile.in b/conf/Makefile.in
index d92593219..e14c44e3e 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -346,7 +346,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/conf/format-options.py b/conf/format-options.py
index 04afed6d6..fc6e6e1fd 100755
--- a/conf/format-options.py
+++ b/conf/format-options.py
@@ -54,6 +54,7 @@ import sys
 import re
 from textwrap import TextWrapper
 from optparse import OptionParser
+from operator import attrgetter
 
 class ConfigOption:
 	"""Representing a configuration option or described section in strongswan.conf"""
@@ -67,9 +68,7 @@ class ConfigOption:
 		self.options = []
 
 	def __cmp__(self, other):
-		if self.section == other.section:
-			return  cmp(self.name, other.name)
-		return 1 if self.section else -1
+		return  cmp(self.name, other.name)
 
 	def add_paragraph(self):
 		"""Adds a new paragraph to the description"""
@@ -246,7 +245,7 @@ class ConfFormatter:
 		self.__print_description(section, indent)
 		print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name)
 		print
-		for o in section.options:
+		for o in sorted(section.options, key=attrgetter('section')):
 			if o.section:
 				self.__print_section(o, indent + 1, section.commented)
 			else:
@@ -258,7 +257,7 @@ class ConfFormatter:
 		"""Print a list of options"""
 		if not options:
 			return
-		for option in options:
+		for option in sorted(options, key=attrgetter('section')):
 			if option.section:
 				self.__print_section(option, 0, False)
 			else:
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
index a3ab099ed..781635ceb 100644
--- a/conf/options/tools.conf
+++ b/conf/options/tools.conf
@@ -1,10 +1,3 @@
-openac {
-
-    # Plugins to load in ipsec openac tool.
-    # load =
-
-}
-
 pki {
 
     # Plugins to load in ipsec pki tool.
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
index 23e6a1c9f..72a49de28 100644
--- a/conf/options/tools.opt
+++ b/conf/options/tools.opt
@@ -1,6 +1,3 @@
-openac.load =
-	Plugins to load in ipsec openac tool.
-
 pki.load =
 	Plugins to load in ipsec pki tool.
 
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
index 53023b81e..64db67456 100644
--- a/conf/plugins/eap-radius.conf
+++ b/conf/plugins/eap-radius.conf
@@ -3,6 +3,10 @@ eap-radius {
     # Send RADIUS accounting information to RADIUS servers.
     # accounting = no
 
+    # Close the IKE_SA if there is a timeout during interim RADIUS accounting
+    # updates.
+    # accounting_close_on_timeout = yes
+
     # If enabled, accounting is disabled unless an IKE_SA has at least one
     # virtual IP.
     # accounting_requires_vip = no
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
index 0edd3458c..0df6a0d6f 100644
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@@ -1,6 +1,10 @@
 charon.plugins.eap-radius.accounting = no
 	Send RADIUS accounting information to RADIUS servers.
 
+charon.plugins.eap-radius.accounting_close_on_timeout = yes
+	Close the IKE_SA if there is a timeout during interim RADIUS accounting
+	updates.
+
 charon.plugins.eap-radius.accounting_requires_vip = no
 	If enabled, accounting is disabled unless an IKE_SA has at least one
 	virtual IP.
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
index ffb1b45a3..2d8deaa8e 100644
--- a/conf/plugins/imc-attestation.conf
+++ b/conf/plugins/imc-attestation.conf
@@ -13,6 +13,9 @@ imc-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH nonce length.
     # nonce_len = 20
 
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9c108053b..aaac4c2c1 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
 charon.plugins.imc-attestation.aik_key =
 	AIK public key file.
 
+charon.plugins.imc-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imc-attestation.nonce_len = 20
 	DH nonce length.
 
@@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes
 	Use Quote2 AIK signature instead of Quote signature.
 
 charon.plugins.imc-attestation.pcr_info = yes
-	Whether to send pcr_before and pcr_after info.
\ No newline at end of file
+	Whether to send pcr_before and pcr_after info.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
index 48ffba839..3a1a7f225 100644
--- a/conf/plugins/imv-attestation.conf
+++ b/conf/plugins/imv-attestation.conf
@@ -35,6 +35,9 @@ imv-attestation {
     # priority of this plugin.
     load = yes
 
+    # Enforce mandatory Diffie-Hellman groups.
+    # mandatory_dh_groups = yes
+
     # DH minimum nonce length.
     # min_nonce_len = 0
 
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index c0ae20488..f266281e6 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -1,6 +1,9 @@
 charon.plugins.imv-attestation.cadir =
 	Path to directory with AIK cacerts.
 
+charon.plugins.imv-attestation.mandatory_dh_groups = yes
+	Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imv-attestation.dh_group = ecp256
 	Preferred Diffie-Hellman group.
 
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 282b8fa70..12fde4903 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -48,6 +48,37 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
 Number of half\-open IKE_SAs that activate the cookie mechanism.
 
 .TP
+.BR charon.crypto_test.bench " [no]"
+Benchmark crypto algorithms and order them by efficiency.
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+Buffer size used for crypto benchmark.
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+Number of iterations to test each algorithm.
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration (requires test vectors provided by
+the
+.RI "" "test\-vectors" ""
+plugin).
+
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation.
+
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm.
+
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+.TP
 .BR charon.dh_exponent_ansi_x9_42 " [yes]"
 Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 strength.
@@ -69,6 +100,47 @@ Enable Denial of Service protection using cookies and aggressiveness checks.
 Compliance with the errata for RFC 4753.
 
 .TP
+.B charon.filelog
+.br
+Section to define file loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.filelog.<filename>
+.br
+<filename> is the full path to the log file.
+
+.TP
+.BR charon.filelog.<filename>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.filelog.<filename>.append " [yes]"
+If this option is enabled log entries are appended to the existing file.
+
+.TP
+.BR charon.filelog.<filename>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.filelog.<filename>.flush_line " [no]"
+Enabling this option disables block buffering and enables line buffering.
+
+.TP
+.BR charon.filelog.<filename>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.filelog.<filename>.time_format " []"
+Prefix each log entry with a timestamp. The option accepts a format string as
+passed to
+.RB "" "strftime" "(3)."
+
+
+.TP
 .BR charon.flush_auth_cfg " [no]"
 If enabled objects used during authentication (certificates, identities etc.)
 are released to free memory once an IKE_SA is established. Enabling this might
@@ -92,6 +164,14 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 Enable hash and URL support.
 
 .TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused).
+
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around.
+
+.TP
 .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
 If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared
 keys, which is discouraged due to security concerns (offline attacks on the
@@ -115,6 +195,34 @@ Number of exclusively locked segments in the hash table.
 Size of the IKE_SA hash table.
 
 .TP
+.B charon.imcv
+.br
+Defaults for options in this section can be configured in the
+.RI "" "libimcv" ""
+section.
+
+.TP
+.BR charon.imcv.assessment_result " [yes]"
+Whether IMVs send a standard IETF Assessment Result attribute.
+
+.TP
+.BR charon.imcv.database " []"
+Global IMV policy database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR charon.imcv.os_info.name " []"
+Manually set the name of the client OS (e.g. Ubuntu).
+
+.TP
+.BR charon.imcv.os_info.version " []"
+Manually set the version of the client OS (e.g. 12.04 i686).
+
+.TP
+.BR charon.imcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies.
+
+.TP
 .BR charon.inactivity_close_ike " [no]"
 Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
 
@@ -167,6 +275,18 @@ other interfaces are ignored.
 NAT keep alive interval.
 
 .TP
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output.
+
+.TP
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all).
+
+.TP
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all).
+
+.TP
 .BR charon.load " []"
 Plugins to load in the IKE daemon charon.
 
@@ -198,225 +318,6 @@ WINS servers assigned to peer via configuration payload (CP).
 WINS servers assigned to peer via configuration payload (CP).
 
 .TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT\-T. If set to 0 a random port will be
-allocated.  Has to be different from
-.RB "" "charon.port" ","
-otherwise a random port
-will be allocated.
-
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events.
-
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT.
-
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.BR charon.retransmit_timeout " [4.0]"
-Timeout in seconds before sending first retransmit.
-
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up.
-
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-
-.TP
-.BR charon.reuse_ikesa " [yes]"
-Initiate CHILD_SA within existing IKE_SAs.
-
-.TP
-.BR charon.routing_table " []"
-Numerical routing table to install routes to.
-
-.TP
-.BR charon.routing_table_prio " []"
-Priority of the routing table.
-
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT.
-
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages.
-
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages.
-
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any.
-
-.TP
-.BR charon.send_vendor_id " [no]"
-Send strongSwan vendor ID payload
-
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon. Several of these are reserved for long
-running tasks in internal modules and plugins. Therefore, make sure you don't
-set this value too low. The number of idle worker threads listed in
-.RI "" "ipsec statusall" ""
-might be used as indicator on the number of reserved threads.
-
-.TP
-.BR charon.user " []"
-Name of the user the daemon changes to after startup.
-
-.TP
-.BR charon.crypto_test.bench " [no]"
-Benchmark crypto algorithms and order them by efficiency.
-
-.TP
-.BR charon.crypto_test.bench_size " [1024]"
-Buffer size used for crypto benchmark.
-
-.TP
-.BR charon.crypto_test.bench_time " [50]"
-Number of iterations to test each algorithm.
-
-.TP
-.BR charon.crypto_test.on_add " [no]"
-Test crypto algorithms during registration (requires test vectors provided by
-the
-.RI "" "test\-vectors" ""
-plugin).
-
-.TP
-.BR charon.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation.
-
-.TP
-.BR charon.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm.
-
-.TP
-.BR charon.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy.
-
-.TP
-.B charon.filelog
-.br
-Section to define file loggers, see LOGGER CONFIGURATION in
-.RB "" "strongswan.conf" "(5)."
-
-
-.TP
-.B charon.filelog.<filename>
-.br
-<filename> is the full path to the log file.
-
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-Loglevel for a specific subsystem.
-
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-
-.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
-Prefix each log entry with the connection name and a unique numerical identifier
-for each IKE_SA.
-
-.TP
-.BR charon.filelog.<filename>.time_format " []"
-Prefix each log entry with a timestamp. The option accepts a format string as
-passed to
-.RB "" "strftime" "(3)."
-
-
-.TP
-.BR charon.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused).
-
-.TP
-.BR charon.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around.
-
-.TP
-.B charon.imcv
-.br
-Defaults for options in this section can be configured in the
-.RI "" "libimcv" ""
-section.
-
-.TP
-.BR charon.imcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute.
-
-.TP
-.BR charon.imcv.database " []"
-Global IMV policy database URI. If it contains a password, make sure to adjust
-the permissions of the config file accordingly.
-
-.TP
-.BR charon.imcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies.
-
-.TP
-.BR charon.imcv.os_info.name " []"
-Manually set the name of the client OS (e.g. Ubuntu).
-
-.TP
-.BR charon.imcv.os_info.version " []"
-Manually set the version of the client OS (e.g. 12.04 i686).
-
-.TP
-.BR charon.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output.
-
-.TP
-.BR charon.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all).
-
-.TP
-.BR charon.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all).
-
-.TP
 .BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger.
 
@@ -588,6 +489,10 @@ Request peer authentication based on a client certificate.
 Send RADIUS accounting information to RADIUS servers.
 
 .TP
+.BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]"
+Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
+
+.TP
 .BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
 If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
 
@@ -608,6 +513,23 @@ Closes all IKE_SAs if communication with the RADIUS server times out. If it is
 not set only the current IKE_SA is closed.
 
 .TP
+.BR charon.plugins.eap-radius.dae.enable " [no]"
+Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+.TP
+.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
+Address to listen for DAE messages from the RADIUS server.
+
+.TP
+.BR charon.plugins.eap-radius.dae.port " [3799]"
+Port to listen for DAE requests.
+
+.TP
+.BR charon.plugins.eap-radius.dae.secret " []"
+Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
+permissions of the config file accordingly.
+
+.TP
 .BR charon.plugins.eap-radius.eap_start " [no]"
 Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation.
 
@@ -627,6 +549,20 @@ option in
 
 
 .TP
+.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
+RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
+or attribute number, a colon can be used to specify vendor\-specific attributes,
+e.g. Reply\-Message, or 11, or 36906:12).
+
+.TP
+.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
+Same as
+.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
+but from RADIUS to
+IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+attributes.
+
+.TP
 .BR charon.plugins.eap-radius.id_prefix " []"
 Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP
 method.
@@ -649,41 +585,6 @@ permissions of the config file accordingly.
 IP/Hostname of RADIUS server.
 
 .TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load.
-
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176).
-
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server.
-
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests.
-
-.TP
-.BR charon.plugins.eap-radius.dae.secret " []"
-Shared secret used to verify/sign DAE messages. If set, make sure to adjust the
-permissions of the config file accordingly.
-
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius " []"
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
-or attribute number, a colon can be used to specify vendor\-specific attributes,
-e.g. Reply\-Message, or 11, or 36906:12).
-
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike " []"
-Same as
-.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" ""
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-
-.TP
 .B charon.plugins.eap-radius.servers
 .br
 Section to specify multiple RADIUS servers. The
@@ -706,6 +607,10 @@ accounting. For each RADIUS server a priority can be specified using the
 [0] option.
 
 .TP
+.BR charon.plugins.eap-radius.sockets " [1]"
+Number of sockets (ports) to use, increase for high load.
+
+.TP
 .B charon.plugins.eap-radius.xauth
 .br
 Section to configure multiple XAuth authentication rounds via RADIUS. The
@@ -842,6 +747,10 @@ AIK certificate file.
 AIK public key file.
 
 .TP
+.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imc-attestation.nonce_len " [20]"
 DH nonce length.
 
@@ -922,6 +831,10 @@ Preferred Diffie\-Hellman group.
 Preferred measurement hash algorithm.
 
 .TP
+.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
 .BR charon.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length.
 
@@ -992,6 +905,12 @@ Section to configure the load\-tester plugin, see LOAD TESTS in
 for details.
 
 .TP
+.B charon.plugins.load-tester.addrs
+.br
+Section that contains key/value pairs with address pools (in CIDR notation) to
+use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+.TP
 .BR charon.plugins.load-tester.addrs_keep " [no]"
 Whether to keep dynamic addresses even after the associated SA got terminated.
 
@@ -1157,12 +1076,6 @@ IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder).
 
 .TP
-.B charon.plugins.load-tester.addrs
-.br
-Section that contains key/value pairs with address pools (in CIDR notation) to
-use for a specific network interface e.g. eth0 = 10.10.0.0/16.
-
-.TP
 .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
 Socket provided by the lookip plugin.
 
@@ -1195,6 +1108,11 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
 Whether to load certificates from tokens.
 
 .TP
+.B charon.plugins.pkcs11.modules
+.br
+List of available PKCS#11 modules.
+
+.TP
 .BR charon.plugins.pkcs11.reload_certs " [no]"
 Reload certificates from all tokens if charon receives a SIGHUP.
 
@@ -1223,11 +1141,6 @@ keys not stored on tokens.
 Whether the PKCS#11 modules should be used as RNG.
 
 .TP
-.B charon.plugins.pkcs11.modules
-.br
-List of available PKCS#11 modules.
-
-.TP
 .BR charon.plugins.radattr.dir " []"
 Directory where RADIUS attributes are stored in client\-ID specific files.
 
@@ -1378,14 +1291,6 @@ or
 
 
 .TP
-.BR charon.plugins.tnc-pdp.server " []"
-Name of the strongSwan PDP as contained in the AAA certificate.
-
-.TP
-.BR charon.plugins.tnc-pdp.timeout " []"
-Timeout in seconds before closing incomplete connections.
-
-.TP
 .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
 Enable PT\-TLS protocol on the strongSwan PDP.
 
@@ -1411,6 +1316,14 @@ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust
 the permissions of the config file accordingly.
 
 .TP
+.BR charon.plugins.tnc-pdp.server " []"
+Name of the strongSwan PDP as contained in the AAA certificate.
+
+.TP
+.BR charon.plugins.tnc-pdp.timeout " []"
+Timeout in seconds before closing incomplete connections.
+
+.TP
 .BR charon.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA\-TNC message (XML & Base64 encoding).
 
@@ -1472,6 +1385,22 @@ If an email address is received as an XAuth username, trim it to just the
 username part.
 
 .TP
+.BR charon.port " [500]"
+UDP port used locally. If set to 0 a random port will be allocated.
+
+.TP
+.BR charon.port_nat_t " [4500]"
+UDP port used locally in case of NAT\-T. If set to 0 a random port will be
+allocated.  Has to be different from
+.RB "" "charon.port" ","
+otherwise a random port
+will be allocated.
+
+.TP
+.BR charon.process_route " [yes]"
+Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+.TP
 .B charon.processor.priority_threads
 .br
 Section to configure the number of reserved threads per priority class see JOB
@@ -1480,6 +1409,77 @@ PRIORITY MANAGEMENT in
 
 
 .TP
+.BR charon.receive_delay " [0]"
+Delay in ms for receiving packets, to simulate larger RTT.
+
+.TP
+.BR charon.receive_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.receive_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.receive_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+
+.TP
+.BR charon.retransmit_base " [1.8]"
+Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.retransmit_timeout " [4.0]"
+Timeout in seconds before sending first retransmit.
+
+.TP
+.BR charon.retransmit_tries " [5]"
+Number of times to retransmit a packet before giving up.
+
+.TP
+.BR charon.retry_initiate_interval " [0]"
+Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+failed), 0 to disable retries.
+
+.TP
+.BR charon.reuse_ikesa " [yes]"
+Initiate CHILD_SA within existing IKE_SAs.
+
+.TP
+.BR charon.routing_table " []"
+Numerical routing table to install routes to.
+
+.TP
+.BR charon.routing_table_prio " []"
+Priority of the routing table.
+
+.TP
+.BR charon.send_delay " [0]"
+Delay in ms for sending packets, to simulate larger RTT.
+
+.TP
+.BR charon.send_delay_request " [yes]"
+Delay request messages.
+
+.TP
+.BR charon.send_delay_response " [yes]"
+Delay response messages.
+
+.TP
+.BR charon.send_delay_type " [0]"
+Specific IKEv2 message type to delay, 0 for any.
+
+.TP
+.BR charon.send_vendor_id " [no]"
+Send strongSwan vendor ID payload
+
+.TP
 .B charon.syslog
 .br
 Section to define syslog loggers, see LOGGER CONFIGURATION in
@@ -1487,16 +1487,6 @@ Section to define syslog loggers, see LOGGER CONFIGURATION in
 
 
 .TP
-.BR charon.syslog.identifier " []"
-Global identifier used for an
-.RB "" "openlog" "(3)"
-call, prepended to each log message
-by syslog.  If not configured,
-.RB "" "openlog" "(3)"
-is not called, so the value will
-depend on system defaults (often the program name).
-
-.TP
 .B charon.syslog.<facility>
 .br
 <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
@@ -1519,6 +1509,24 @@ Prefix each log entry with the connection name and a unique numerical identifier
 for each IKE_SA.
 
 .TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog.  If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.BR charon.threads " [16]"
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.RI "" "ipsec statusall" ""
+might be used as indicator on the number of reserved threads.
+
+.TP
 .BR charon.tls.cipher " []"
 List of TLS encryption ciphers.
 
@@ -1539,6 +1547,10 @@ List of TLS cipher suites.
 TNC IMC/IMV configuration file.
 
 .TP
+.BR charon.user " []"
+Name of the user the daemon changes to after startup.
+
+.TP
 .BR charon.x509.enforce_critical " [yes]"
 Discard certificates with unsupported or unknown critical extensions.
 
@@ -1623,10 +1635,6 @@ Number of thread for mediation service web application.
 Session timeout for mediation service.
 
 .TP
-.BR openac.load " []"
-Plugins to load in ipsec openac tool.
-
-.TP
 .BR pacman.database " []"
 Database URI for the database that stores the package information. If it
 contains a password, make sure to adjust the permissions of the config file