summaryrefslogtreecommitdiff
path: root/conf
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2015-04-11 22:03:59 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-04-11 22:30:17 +0200
commit8404fb0212f9fb77bc53b23004b829b488430700 (patch)
tree23876c7540d138f58a6a7d90793ccf9004f6afd2 /conf
parent1b7c683a32c62b6e08ad7bf5af39b9f4edd634f3 (diff)
downloadvyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.tar.gz
vyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.zip
Imported Upstream version 5.3.0
Diffstat (limited to 'conf')
-rw-r--r--conf/Makefile.am3
-rw-r--r--conf/Makefile.in8
-rw-r--r--conf/options/charon.conf13
-rw-r--r--conf/options/charon.opt32
-rw-r--r--conf/plugins/bliss.conf11
-rw-r--r--conf/plugins/bliss.opt2
-rw-r--r--conf/plugins/forecast.conf17
-rw-r--r--conf/plugins/forecast.opt29
-rw-r--r--conf/plugins/imc-attestation.opt18
-rw-r--r--conf/plugins/imv-attestation.opt18
-rw-r--r--conf/plugins/kernel-netlink.conf21
-rw-r--r--conf/plugins/kernel-netlink.opt32
-rw-r--r--conf/plugins/kernel-pfkey.conf11
-rw-r--r--conf/plugins/kernel-pfkey.opt7
-rw-r--r--conf/plugins/tnccs-20.conf13
-rw-r--r--conf/plugins/tnccs-20.opt9
-rw-r--r--conf/strongswan.conf.5.main125
17 files changed, 345 insertions, 24 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index e5077391a..f10af25a2 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -28,6 +28,7 @@ plugins = \
plugins/android_log.opt \
plugins/attr.opt \
plugins/attr-sql.opt \
+ plugins/bliss.opt \
plugins/certexpire.opt \
plugins/coupling.opt \
plugins/dhcp.opt \
@@ -46,6 +47,7 @@ plugins = \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
plugins/ext-auth.opt \
+ plugins/forecast.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -62,6 +64,7 @@ plugins = \
plugins/led.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
+ plugins/kernel-pfkey.opt \
plugins/kernel-pfroute.opt \
plugins/load-tester.opt \
plugins/lookip.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index d5bb3ffa7..4b391402a 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -180,6 +180,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -240,10 +241,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -317,6 +320,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -405,6 +410,7 @@ plugins = \
plugins/android_log.opt \
plugins/attr.opt \
plugins/attr-sql.opt \
+ plugins/bliss.opt \
plugins/certexpire.opt \
plugins/coupling.opt \
plugins/dhcp.opt \
@@ -423,6 +429,7 @@ plugins = \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
plugins/ext-auth.opt \
+ plugins/forecast.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -439,6 +446,7 @@ plugins = \
plugins/led.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
+ plugins/kernel-pfkey.opt \
plugins/kernel-pfroute.opt \
plugins/load-tester.opt \
plugins/lookip.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 0bec9bb0a..bd8e29940 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -58,6 +58,10 @@ charon {
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
@@ -116,6 +120,9 @@ charon {
# Determine plugins to load via each plugin's load option.
# load_modular = no
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
# Maximum packet size accepted by charon.
# max_packet = 10000
@@ -197,6 +204,12 @@ charon {
# Send strongSwan vendor ID payload
# send_vendor_id = no
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
# Number of worker threads in charon.
# threads = 16
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.
+charon.ignore_acquire_ts = no
+ Whether to ignore the traffic selectors from the kernel's acquire events for
+ IKEv2 connections (they are not used for IKEv1).
+
+ If this is disabled the traffic selectors from the kernel's acquire events,
+ which are derived from the triggering packet, are prepended to the traffic
+ selectors from the configuration for IKEv2 connection. By enabling this,
+ such specific traffic selectors will be ignored and only the ones in the
+ config will be sent. This always happens for IKEv1 connections as the
+ protocol only supports one set of traffic selectors per CHILD_SA.
+
charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.
@@ -196,6 +207,16 @@ charon.load_modular = no
charon.max_packet = 10000
Maximum packet size accepted by charon.
+charon.make_before_break = no
+ Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+ Initiate IKEv2 reauthentication with a make-before-break instead of a
+ break-before-make scheme. Make-before-break uses overlapping IKE and
+ CHILD_SA during reauthentication by first recreating all new SAs before
+ deleting the old ones. This behavior can be beneficial to avoid connectivity
+ gaps during reauthentication, but requires support for overlapping SAs by
+ the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
charon.multiple_authentication = yes
Enable multiple authentication exchanges (RFC 4739).
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
charon.send_vendor_id = no
Send strongSwan vendor ID payload
+charon.signature_authentication = yes
+ Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+ Whether to enable constraints against IKEv2 signature schemes.
+
+ If enabled, signature schemes configured in _rightauth_, in addition to
+ getting used as constraints against signature schemes employed in the
+ certificate chain, are also used as constraints against the signature scheme
+ used by peers during IKEv2.
+
charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.
diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf
new file mode 100644
index 000000000..e35c27dc4
--- /dev/null
+++ b/conf/plugins/bliss.conf
@@ -0,0 +1,11 @@
+bliss {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Use the enhanced BLISS-B key generation and signature algorithm.
+ # use_bliss_b = yes
+
+}
+
diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt
new file mode 100644
index 000000000..0983da026
--- /dev/null
+++ b/conf/plugins/bliss.opt
@@ -0,0 +1,2 @@
+charon.plugins.bliss.use_bliss_b = yes
+ Use the enhanced BLISS-B key generation and signature algorithm.
diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf
new file mode 100644
index 000000000..79edb4bc8
--- /dev/null
+++ b/conf/plugins/forecast.conf
@@ -0,0 +1,17 @@
+forecast {
+
+ # Multicast groups to join locally, allowing forwarding of them.
+ # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+
+ # Local interface to listen for broadcasts to forward.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # CHILD_SA configurations names to perform multi/broadcast reinjection.
+ # reinject =
+
+}
+
diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt
new file mode 100644
index 000000000..444cced63
--- /dev/null
+++ b/conf/plugins/forecast.opt
@@ -0,0 +1,29 @@
+charon.plugins.forecast.interface =
+ Local interface to listen for broadcasts to forward.
+
+ Name of the local interface to listen for broadcasts messages to forward.
+ If no interface is configured, the first usable interface is used, which
+ is usually just fine for single-homed hosts. If your host has multiple
+ interfaces, set this option to the local LAN interface you want to forward
+ broadcasts from/to.
+
+charon.plugins.forecast.reinject =
+ CHILD_SA configurations names to perform multi/broadcast reinjection.
+
+ Comma separated list of CHILD_SA configuration names for which to perform
+ multi/broadcast reinjection. For clients connecting over such a
+ configuration, any multi/broadcast received over the tunnel gets reinjected
+ to all active tunnels. This makes the broadcasts visible to other peers,
+ and for examples allows clients to see others shares. If disabled,
+ multi/broadcast messages received over a tunnel are injected to the local
+ network only, but not to other IPsec clients.
+
+charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+ Multicast groups to join locally, allowing forwarding of them.
+
+ Comma separated list of multicast groups to join locally. The local host
+ receives and forwards packets in the local LAN for joined multicast groups
+ only. Packets matching the list of multicast groups get forwarded to
+ connected clients. The default group includes host multicasts, IGMP, mDNS,
+ LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows
+ clients.
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9b60b9ede..7a40bc962 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes
libimcv.plugins.imc-attestation.pcr_info = no
Whether to send pcr_before and pcr_after info.
+
+libimcv.plugins.imc-attestation.pcr17_before =
+ PCR17 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr17_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr17_after =
+ PCR17 value after measurement.
+
+libimcv.plugins.imc-attestation.pcr18_before =
+ PCR18 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr18_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr18_after =
+ PCR18 value after measurement.
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index 3ad51625d..f55225023 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256
libimcv.plugins.imv-attestation.min_nonce_len = 0
DH minimum nonce length.
-
-libimcv.plugins.imc-attestation.pcr17_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_meas
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_meas
- Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index f05f486b1..723bf0a49 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -4,6 +4,9 @@ kernel-netlink {
# routing table.
# fwmark =
+ # Whether to ignore errors potentially resulting from a retransmission.
+ # ignore_retransmit_errors = no
+
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
@@ -14,6 +17,21 @@ kernel-netlink {
# MTU to set on installed routes, 0 to disable.
# mtu = 0
+ # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ # parallel_route = no
+
+ # Whether to perform concurrent Netlink XFRM queries on a single socket.
+ # parallel_xfrm = no
+
+ # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+ # policy_update = no
+
+ # Whether to use port or socket based IKE XFRM bypass policies.
+ # port_bypass = no
+
+ # Number of Netlink message retransmissions to send on timeout.
+ # retries = 0
+
# Whether to trigger roam events when interfaces, addresses or routes
# change.
# roam_events = yes
@@ -22,6 +40,9 @@ kernel-netlink {
# mode IPsec SAs in the kernel.
# set_proto_port_transport_sa = no
+ # Netlink message retransmission timeout, 0 to disable retransmissions.
+ # timeout = 0
+
# Lifetime of XFRM acquire state in kernel.
# xfrm_acq_expires = 165
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 7d44581a5..800ba20c0 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0
charon.plugins.kernel-netlink.mtu = 0
MTU to set on installed routes, 0 to disable.
+charon.plugins.kernel-netlink.parallel_route = no
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ While parallel queries can improve throughput, it has more overhead. On
+ vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
+ decreasing performance.
+
+charon.plugins.kernel-netlink.parallel_xfrm = no
+ Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+charon.plugins.kernel-netlink.policy_update = no
+ Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+charon.plugins.kernel-netlink.port_bypass = no
+ Whether to use port or socket based IKE XFRM bypass policies.
+
+ Whether to use port or socket based IKE XFRM bypass policies.
+ IKE bypass policies are used to exempt IKE traffic from XFRM processing.
+ The default socket based policies are directly tied to the IKE UDP sockets,
+ port based policies use global XFRM bypass policies for the used IKE UDP
+ ports.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
@@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
traffic, it also prevents the use of a single IPsec SA by more than one
traffic selector.
+charon.plugins.kernel-netlink.retries = 0
+ Number of Netlink message retransmissions to send on timeout.
+
+charon.plugins.kernel-netlink.timeout = 0
+ Netlink message retransmission timeout, 0 to disable retransmissions.
+
+charon.plugins.kernel-netlink.ignore_retransmit_errors = no
+ Whether to ignore errors potentially resulting from a retransmission.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf
new file mode 100644
index 000000000..2d4733e74
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.conf
@@ -0,0 +1,11 @@
+kernel-pfkey {
+
+ # Size of the receive buffer for the event socket (0 for default size).
+ # events_buffer_size = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
new file mode 100644
index 000000000..ec05215d3
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-pfkey.events_buffer_size = 0
+ Size of the receive buffer for the event socket (0 for default size).
+
+ Size of the receive buffer for the event socket (0 for default size).
+ Because events are received asynchronously installing e.g. lots of policies
+ may require a larger buffer than the default on certain platforms in order
+ to receive all messages.
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
index 9a57ee14d..e8c45ae5c 100644
--- a/conf/plugins/tnccs-20.conf
+++ b/conf/plugins/tnccs-20.conf
@@ -10,5 +10,18 @@ tnccs-20 {
# Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
# max_message_size = 65490
+ # Enable PB-TNC mutual protocol.
+ # mutual = no
+
+ tests {
+
+ # Send an unsupported PB-TNC message type with the NOSKIP flag set.
+ # pb_tnc_noskip = no
+
+ # Send a PB-TNC batch with a modified PB-TNC version.
+ # pb_tnc_version = 2
+
+ }
+
}
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
index b15bc3fa1..8d16d1cb2 100644
--- a/conf/plugins/tnccs-20.opt
+++ b/conf/plugins/tnccs-20.opt
@@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522
charon.plugins.tnccs-20.max_message_size = 65490
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+
+charon.plugins.tnccs-20.mutual = no
+ Enable PB-TNC mutual protocol.
+
+charon.plugins.tnccs-20.tests.pb_tnc_noskip = no
+ Send an unsupported PB-TNC message type with the NOSKIP flag set.
+
+charon.plugins.tnccs-20.tests.pb_tnc_version = 2
+ Send a PB-TNC batch with a modified PB-TNC version.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 28f6b12ec..b6db9c914 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -198,6 +198,15 @@ keys, which is discouraged due to security concerns (offline attacks on the
openly transmitted hash of the PSK).
.TP
+.BR charon.ignore_acquire_ts " [no]"
+If this is disabled the traffic selectors from the kernel's acquire events,
+which are derived from the triggering packet, are prepended to the traffic
+selectors from the configuration for IKEv2 connection. By enabling this, such
+specific traffic selectors will be ignored and only the ones in the config will
+be sent. This always happens for IKEv1 connections as the protocol only supports
+one set of traffic selectors per CHILD_SA.
+
+.TP
.BR charon.ignore_routing_tables " []"
A space\-separated list of routing tables to be excluded from route lookups.
@@ -322,6 +331,15 @@ preserved. Enabled plugins not found in that list are ordered alphabetically
before other plugins with the same priority.
.TP
+.BR charon.make_before_break " [no]"
+Initiate IKEv2 reauthentication with a make\-before\-break instead of a
+break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
+during reauthentication by first recreating all new SAs before deleting the old
+ones. This behavior can be beneficial to avoid connectivity gaps during
+reauthentication, but requires support for overlapping SAs by the peer.
+strongSwan can handle such overlapping SAs since version 5.3.0.
+
+.TP
.BR charon.max_packet " [10000]"
Maximum packet size accepted by charon.
@@ -374,6 +392,10 @@ sure to adjust the permissions of the config file accordingly.
Enable logging of SQL IP pool leases.
.TP
+.BR charon.plugins.bliss.use_bliss_b " [yes]"
+Use the enhanced BLISS\-B key generation and signature algorithm.
+
+.TP
.BR charon.plugins.certexpire.csv.cron " []"
Cron style string specifying CSV export times.
@@ -762,6 +784,31 @@ Remote IKE identity.
Remote EAP or XAuth identity, if used.
.TP
+.BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
+Comma separated list of multicast groups to join locally. The local host
+receives and forwards packets in the local LAN for joined multicast groups only.
+Packets matching the list of multicast groups get forwarded to connected
+clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
+SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
+
+.TP
+.BR charon.plugins.forecast.interface " []"
+Name of the local interface to listen for broadcasts messages to forward. If no
+interface is configured, the first usable interface is used, which is usually
+just fine for single\-homed hosts. If your host has multiple interfaces, set this
+option to the local LAN interface you want to forward broadcasts from/to.
+
+.TP
+.BR charon.plugins.forecast.reinject " []"
+Comma separated list of CHILD_SA configuration names for which to perform
+multi/broadcast reinjection. For clients connecting over such a configuration,
+any multi/broadcast received over the tunnel gets reinjected to all active
+tunnels. This makes the broadcasts visible to other peers, and for examples
+allows clients to see others shares. If disabled, multi/broadcast messages
+received over a tunnel are injected to the local network only, but not to other
+IPsec clients.
+
+.TP
.BR charon.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
@@ -812,6 +859,10 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts
the meaning (i.e. the rule only applies to packets that don't match the mark).
.TP
+.BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
+Whether to ignore errors potentially resulting from a retransmission.
+
+.TP
.BR charon.plugins.kernel-netlink.mss " [0]"
MSS to set on installed routes, 0 to disable.
@@ -820,6 +871,32 @@ MSS to set on installed routes, 0 to disable.
MTU to set on installed routes, 0 to disable.
.TP
+.BR charon.plugins.kernel-netlink.parallel_route " [no]"
+Whether to perform concurrent Netlink ROUTE queries on a single socket. While
+parallel queries can improve throughput, it has more overhead. On vanilla Linux,
+DUMP queries fail with EBUSY and must be retried, further decreasing
+performance.
+
+.TP
+.BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
+Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+.TP
+.BR charon.plugins.kernel-netlink.policy_update " [no]"
+Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+.TP
+.BR charon.plugins.kernel-netlink.port_bypass " [no]"
+Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
+policies are used to exempt IKE traffic from XFRM processing. The default socket
+based policies are directly tied to the IKE UDP sockets, port based policies use
+global XFRM bypass policies for the used IKE UDP ports.
+
+.TP
+.BR charon.plugins.kernel-netlink.retries " [0]"
+Number of Netlink message retransmissions to send on timeout.
+
+.TP
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change.
@@ -830,12 +907,23 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
it also prevents the use of a single IPsec SA by more than one traffic selector.
.TP
+.BR charon.plugins.kernel-netlink.timeout " [0]"
+Netlink message retransmission timeout, 0 to disable retransmissions.
+
+.TP
.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
Lifetime of XFRM acquire state in kernel. The value gets written to
/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
acquire messages sent.
.TP
+.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
+Size of the receive buffer for the event socket (0 for default size). Because
+events are received asynchronously installing e.g. lots of policies may require
+a larger buffer than the default on certain platforms in order to receive all
+messages.
+
+.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
@@ -1291,6 +1379,18 @@ Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
.TP
+.BR charon.plugins.tnccs-20.mutual " [no]"
+Enable PB\-TNC mutual protocol.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
+Send an unsupported PB\-TNC message type with the NOSKIP flag set.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
+Send a PB\-TNC batch with a modified PB\-TNC version.
+
+.TP
.BR charon.plugins.unbound.dlv_anchors " []"
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
the same format as
@@ -1444,6 +1544,19 @@ Specific IKEv2 message type to delay, 0 for any.
Send strongSwan vendor ID payload
.TP
+.BR charon.signature_authentication " [yes]"
+Whether to enable Signature Authentication as per RFC 7427.
+
+.TP
+.BR charon.signature_authentication_constraints " [yes]"
+If enabled, signature schemes configured in
+.RI "" "rightauth" ","
+in addition to getting
+used as constraints against signature schemes employed in the certificate chain,
+are also used as constraints against the signature scheme used by peers during
+IKEv2.
+
+.TP
.B charon.start-scripts
.br
Section containing a list of scripts (name = path) that are executed when the
@@ -1581,27 +1694,27 @@ DH nonce length.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value after measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value before measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value after measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value before measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
.TP
.BR libimcv.plugins.imc-attestation.pcr_info " [no]"