author | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:30:17 +0200 |
commit | 8404fb0212f9fb77bc53b23004b829b488430700 (patch) | |
tree | 23876c7540d138f58a6a7d90793ccf9004f6afd2 /conf | |
parent | 1b7c683a32c62b6e08ad7bf5af39b9f4edd634f3 (diff) | |
download | vyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.tar.gz vyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.zip |
Imported Upstream version 5.3.0
Diffstat (limited to 'conf')
-rw-r--r-- | conf/Makefile.am | 3 | ||||
-rw-r--r-- | conf/Makefile.in | 8 | ||||
-rw-r--r-- | conf/options/charon.conf | 13 | ||||
-rw-r--r-- | conf/options/charon.opt | 32 | ||||
-rw-r--r-- | conf/plugins/bliss.conf | 11 | ||||
-rw-r--r-- | conf/plugins/bliss.opt | 2 | ||||
-rw-r--r-- | conf/plugins/forecast.conf | 17 | ||||
-rw-r--r-- | conf/plugins/forecast.opt | 29 | ||||
-rw-r--r-- | conf/plugins/imc-attestation.opt | 18 | ||||
-rw-r--r-- | conf/plugins/imv-attestation.opt | 18 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.conf | 21 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.opt | 32 | ||||
-rw-r--r-- | conf/plugins/kernel-pfkey.conf | 11 | ||||
-rw-r--r-- | conf/plugins/kernel-pfkey.opt | 7 | ||||
-rw-r--r-- | conf/plugins/tnccs-20.conf | 13 | ||||
-rw-r--r-- | conf/plugins/tnccs-20.opt | 9 | ||||
-rw-r--r-- | conf/strongswan.conf.5.main | 125 |
17 files changed, 345 insertions, 24 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am index e5077391a..f10af25a2 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -28,6 +28,7 @@ plugins = \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ + plugins/bliss.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ @@ -46,6 +47,7 @@ plugins = \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ plugins/ext-auth.opt \ + plugins/forecast.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ @@ -62,6 +64,7 @@ plugins = \ plugins/led.opt \ plugins/kernel-libipsec.opt \ plugins/kernel-netlink.opt \ + plugins/kernel-pfkey.opt \ plugins/kernel-pfroute.opt \ plugins/load-tester.opt \ plugins/lookip.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index d5bb3ffa7..4b391402a 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -180,6 +180,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -240,10 +241,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -317,6 +320,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -405,6 +410,7 @@ plugins = \ plugins/android_log.opt \ plugins/attr.opt \ plugins/attr-sql.opt \ + plugins/bliss.opt \ plugins/certexpire.opt \ plugins/coupling.opt \ plugins/dhcp.opt \ 
@@ -423,6 +429,7 @@ plugins = \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ plugins/ext-auth.opt \ + plugins/forecast.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ @@ -439,6 +446,7 @@ plugins = \ plugins/led.opt \ plugins/kernel-libipsec.opt \ plugins/kernel-netlink.opt \ + plugins/kernel-pfkey.opt \ plugins/kernel-pfroute.opt \ plugins/load-tester.opt \ plugins/lookip.opt \ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 0bec9bb0a..bd8e29940 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -58,6 +58,10 @@ charon { # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. # i_dont_care_about_security_and_use_aggressive_mode_psk = no + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + # A space-separated list of routing tables to be excluded from route # lookups. # ignore_routing_tables = @@ -116,6 +120,9 @@ charon { # Determine plugins to load via each plugin's load option. # load_modular = no + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + # Maximum packet size accepted by charon. # max_packet = 10000 @@ -197,6 +204,12 @@ charon { # Send strongSwan vendor ID payload # send_vendor_id = no + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + # Number of worker threads in charon. # threads = 16 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 678aa37bc..bbc50ba37 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt 
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no charon.ignore_routing_tables A space-separated list of routing tables to be excluded from route lookups. +charon.ignore_acquire_ts = no + Whether to ignore the traffic selectors from the kernel's acquire events for + IKEv2 connections (they are not used for IKEv1). + + If this is disabled the traffic selectors from the kernel's acquire events, + which are derived from the triggering packet, are prepended to the traffic + selectors from the configuration for IKEv2 connection. By enabling this, + such specific traffic selectors will be ignored and only the ones in the + config will be sent. This always happens for IKEv1 connections as the + protocol only supports one set of traffic selectors per CHILD_SA. + charon.ikesa_limit = 0 Maximum number of IKE_SAs that can be established at the same time before new connection attempts are blocked. @@ -196,6 +207,16 @@ charon.load_modular = no charon.max_packet = 10000 Maximum packet size accepted by charon. +charon.make_before_break = no + Initiate IKEv2 reauthentication with a make-before-break scheme. + + Initiate IKEv2 reauthentication with a make-before-break instead of a + break-before-make scheme. Make-before-break uses overlapping IKE and + CHILD_SA during reauthentication by first recreating all new SAs before + deleting the old ones. This behavior can be beneficial to avoid connectivity + gaps during reauthentication, but requires support for overlapping SAs by + the peer. strongSwan can handle such overlapping SAs since version 5.3.0. + charon.multiple_authentication = yes Enable multiple authentication exchanges (RFC 4739). 
@@ -277,6 +298,17 @@ charon.send_delay_type = 0 charon.send_vendor_id = no Send strongSwan vendor ID payload +charon.signature_authentication = yes + Whether to enable Signature Authentication as per RFC 7427. + +charon.signature_authentication_constraints = yes + Whether to enable constraints against IKEv2 signature schemes. + + If enabled, signature schemes configured in _rightauth_, in addition to + getting used as constraints against signature schemes employed in the + certificate chain, are also used as constraints against the signature scheme + used by peers during IKEv2. + charon.start-scripts {} Section containing a list of scripts (name = path) that are executed when the daemon is started. diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf new file mode 100644 index 000000000..e35c27dc4 --- /dev/null +++ b/conf/plugins/bliss.conf @@ -0,0 +1,11 @@ +bliss { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Use the enhanced BLISS-B key generation and signature algorithm. + # use_bliss_b = yes + +} + diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt new file mode 100644 index 000000000..0983da026 --- /dev/null +++ b/conf/plugins/bliss.opt @@ -0,0 +1,2 @@ +charon.plugins.bliss.use_bliss_b = yes + Use the enhanced BLISS-B key generation and signature algorithm. diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf new file mode 100644 index 000000000..79edb4bc8 --- /dev/null +++ b/conf/plugins/forecast.conf 
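Review bot: In the charon.opt hunk at @@ -117,6 +117,17 @@ the new `charon.ignore_acquire_ts = no` block is inserted after `charon.ignore_routing_tables`, and at @@ -196,6 +207,16 @@ `charon.make_before_break = no` lands after `charon.max_packet`, so neither follows the alphabetical order the surrounding entries keep; the generated strongswan.conf.5.main hunks already place them the other way round (`ignore_acquire_ts` before `ignore_routing_tables`, `make_before_break` before `max_packet`). Moving each block above its neighbour keeps the .opt source in the same order as the generated output. The `ignore_acquire_ts` long description also reads `selectors from the configuration for IKEv2 connection.`; it should be `selectors from the configuration for IKEv2 connections.`, and the identical sentence is carried into the strongswan.conf.5.main hunk at @@ -198,6 +198,15 @@.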
@@ -0,0 +1,17 @@ +forecast { + + # Multicast groups to join locally, allowing forwarding of them. + # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 + + # Local interface to listen for broadcasts to forward. + # interface = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # CHILD_SA configurations names to perform multi/broadcast reinjection. + # reinject = + +} + diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt new file mode 100644 index 000000000..444cced63 --- /dev/null +++ b/conf/plugins/forecast.opt 
@@ -0,0 +1,29 @@ +charon.plugins.forecast.interface = + Local interface to listen for broadcasts to forward. + + Name of the local interface to listen for broadcasts messages to forward. + If no interface is configured, the first usable interface is used, which + is usually just fine for single-homed hosts. If your host has multiple + interfaces, set this option to the local LAN interface you want to forward + broadcasts from/to. + +charon.plugins.forecast.reinject = + CHILD_SA configurations names to perform multi/broadcast reinjection. + + Comma separated list of CHILD_SA configuration names for which to perform + multi/broadcast reinjection. For clients connecting over such a + configuration, any multi/broadcast received over the tunnel gets reinjected + to all active tunnels. This makes the broadcasts visible to other peers, + and for examples allows clients to see others shares. If disabled, + multi/broadcast messages received over a tunnel are injected to the local + network only, but not to other IPsec clients. + +charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250 + Multicast groups to join locally, allowing forwarding of them. + + Comma separated list of multicast groups to join locally. The local host + receives and forwards packets in the local LAN for joined multicast groups + only. Packets matching the list of multicast groups get forwarded to + connected clients. The default group includes host multicasts, IGMP, mDNS, + LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows + clients. diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt index 9b60b9ede..7a40bc962 100644 --- a/conf/plugins/imc-attestation.opt +++ b/conf/plugins/imc-attestation.opt 
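Review bot: The `charon.plugins.forecast.reinject` description in this hunk ends with `If disabled, multi/broadcast messages received over a tunnel are injected to the local network only`, but the option is a comma-separated list of CHILD_SA configuration names rather than a boolean, so the sentence should describe configurations that are not listed, e.g. `For configurations not listed here, multi/broadcast messages received over a tunnel are injected into the local network only, but not to other IPsec clients.` Two typos in the same hunk: `broadcasts messages` (interface) should be `broadcast messages`, and `for examples allows clients to see others shares` (reinject) should be `for example allows clients to see each other's shares`. The three entries are also ordered interface, reinject, groups, whereas the generated strongswan.conf.5.main hunk at @@ -762,6 +784,31 @@ lists groups, interface, reinject; reordering the .opt alphabetically keeps both consistent. The same wording appears verbatim in that man page hunk, so the fixes should be applied there too unless it is regenerated from the .opt.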
@@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes libimcv.plugins.imc-attestation.pcr_info = no Whether to send pcr_before and pcr_after info. + +libimcv.plugins.imc-attestation.pcr17_before = + PCR17 value before measurement. + +libimcv.plugins.imc-attestation.pcr17_meas = + Dummy measurement value extended into PCR17 if the TBOOT log is not available. + +libimcv.plugins.imc-attestation.pcr17_after = + PCR17 value after measurement. + +libimcv.plugins.imc-attestation.pcr18_before = + PCR18 value before measurement. + +libimcv.plugins.imc-attestation.pcr18_meas = + Dummy measurement value extended into PCR17 if the TBOOT log is not available. + +libimcv.plugins.imc-attestation.pcr18_after = + PCR18 value after measurement. diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt index 3ad51625d..f55225023 100644 --- a/conf/plugins/imv-attestation.opt +++ b/conf/plugins/imv-attestation.opt @@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256 libimcv.plugins.imv-attestation.min_nonce_len = 0 DH minimum nonce length. - -libimcv.plugins.imc-attestation.pcr17_after - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr17_before - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr17_meas - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_after - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_before - Dummy data if the TBOOT log is not retrieved. - -libimcv.plugins.imc-attestation.pcr18_meas - Dummy data if the TBOOT log is not retrieved. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index f05f486b1..723bf0a49 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf 
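Review bot: The new `libimcv.plugins.imc-attestation.pcr18_meas` entry describes its value as `Dummy measurement value extended into PCR17 if the TBOOT log is not available.`, copied from the `pcr17_meas` entry above; it should read `Dummy measurement value extended into PCR18 if the TBOOT log is not available.` The same wrong text is carried into the strongswan.conf.5.main hunk at @@ -1581,27 +1694,27 @@, so both need the correction. The descriptions removed in the imv-attestation.opt hunk (`Dummy data if the TBOOT log is not retrieved.`) made clear that all six pcr17_*/pcr18_* values are operator-supplied substitutes used only when no TBOOT log can be read; the new one-line texts for `pcr17_before`, `pcr17_after`, `pcr18_before` and `pcr18_after` drop that, so consider keeping a short fallback note such as `PCR17 value before measurement, used only if the TBOOT log is not available.` so it stays obvious that these values replace measured data rather than supplement it.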
@@ -4,6 +4,9 @@ kernel-netlink { # routing table. # fwmark = + # Whether to ignore errors potentially resulting from a retransmission. + # ignore_retransmit_errors = no + # Whether to load the plugin. Can also be an integer to increase the # priority of this plugin. load = yes @@ -14,6 +17,21 @@ kernel-netlink { # MTU to set on installed routes, 0 to disable. # mtu = 0 + # Whether to perform concurrent Netlink ROUTE queries on a single socket. + # parallel_route = no + + # Whether to perform concurrent Netlink XFRM queries on a single socket. + # parallel_xfrm = no + + # Whether to always use XFRM_MSG_UPDPOLICY to install policies. + # policy_update = no + + # Whether to use port or socket based IKE XFRM bypass policies. + # port_bypass = no + + # Number of Netlink message retransmissions to send on timeout. + # retries = 0 + # Whether to trigger roam events when interfaces, addresses or routes # change. # roam_events = yes @@ -22,6 +40,9 @@ kernel-netlink { # mode IPsec SAs in the kernel. # set_proto_port_transport_sa = no + # Netlink message retransmission timeout, 0 to disable retransmissions. + # timeout = 0 + # Lifetime of XFRM acquire state in kernel. # xfrm_acq_expires = 165 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 7d44581a5..800ba20c0 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt 
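Review bot: The new `# timeout = 0` comment in the last hunk (@@ -22,6 +40,9 @@) gives no unit, so a reader of `Netlink message retransmission timeout, 0 to disable retransmissions.` cannot tell whether the value is in seconds or milliseconds; the comment should name the unit, e.g. `# Netlink message retransmission timeout in <UNIT>, 0 to disable retransmissions.` with the unit taken from the plugin's implementation. It would also help to state how `retries = 0` (second hunk, @@ -14,6 +17,21 @@) and `timeout = 0` interact, since both are documented as the default and a retransmission only happens when both are non-zero, as far as these descriptions allow one to infer. The same descriptions appear in the kernel-netlink.opt hunk at @@ -25,6 +48,15 @@ and in the strongswan.conf.5.main hunks at @@ -820,6 +871,32 @@ and @@ -830,12 +907,23 @@; as the .conf and man page appear to be generated from the .opt, the wording fix belongs in kernel-netlink.opt.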
@@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0 charon.plugins.kernel-netlink.mtu = 0 MTU to set on installed routes, 0 to disable. +charon.plugins.kernel-netlink.parallel_route = no + Whether to perform concurrent Netlink ROUTE queries on a single socket. + + Whether to perform concurrent Netlink ROUTE queries on a single socket. + While parallel queries can improve throughput, it has more overhead. On + vanilla Linux, DUMP queries fail with EBUSY and must be retried, further + decreasing performance. + +charon.plugins.kernel-netlink.parallel_xfrm = no + Whether to perform concurrent Netlink XFRM queries on a single socket. + +charon.plugins.kernel-netlink.policy_update = no + Whether to always use XFRM_MSG_UPDPOLICY to install policies. + +charon.plugins.kernel-netlink.port_bypass = no + Whether to use port or socket based IKE XFRM bypass policies. + + Whether to use port or socket based IKE XFRM bypass policies. + IKE bypass policies are used to exempt IKE traffic from XFRM processing. + The default socket based policies are directly tied to the IKE UDP sockets, + port based policies use global XFRM bypass policies for the used IKE UDP + ports. + charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. @@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. +charon.plugins.kernel-netlink.retries = 0 + Number of Netlink message retransmissions to send on timeout. + +charon.plugins.kernel-netlink.timeout = 0 + Netlink message retransmission timeout, 0 to disable retransmissions. + +charon.plugins.kernel-netlink.ignore_retransmit_errors = no + Whether to ignore errors potentially resulting from a retransmission. + charon.plugins.kernel-netlink.xfrm_acq_expires = 165 Lifetime of XFRM acquire state in kernel. 
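Review bot: In the second hunk (@@ -25,6 +48,15 @@) the new `charon.plugins.kernel-netlink.retries`, `.timeout` and `.ignore_retransmit_errors` entries are appended after `set_proto_port_transport_sa`, breaking the alphabetical order the rest of the file keeps and that the generated strongswan.conf.5.main hunks use (`ignore_retransmit_errors` before `mss`, `retries` before `roam_events`, `timeout` before `xfrm_acq_expires`). Moving `ignore_retransmit_errors` above the `mss` context line, `retries` directly after the new `port_bypass` block, and `timeout` just before `xfrm_acq_expires` keeps the source and the generated output consistent. The `parallel_route` text `DUMP queries fail with EBUSY and must be retried` is also the only place that explains why the option defaults to `no`; a one-line hint on `parallel_xfrm` saying whether the same caveat applies would save the reader guessing.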
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf new file mode 100644 index 000000000..2d4733e74 --- /dev/null +++ b/conf/plugins/kernel-pfkey.conf @@ -0,0 +1,11 @@ +kernel-pfkey { + + # Size of the receive buffer for the event socket (0 for default size). + # events_buffer_size = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt new file mode 100644 index 000000000..ec05215d3 --- /dev/null +++ b/conf/plugins/kernel-pfkey.opt @@ -0,0 +1,7 @@ +charon.plugins.kernel-pfkey.events_buffer_size = 0 + Size of the receive buffer for the event socket (0 for default size). + + Size of the receive buffer for the event socket (0 for default size). + Because events are received asynchronously installing e.g. lots of policies + may require a larger buffer than the default on certain platforms in order + to receive all messages. diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf index 9a57ee14d..e8c45ae5c 100644 --- a/conf/plugins/tnccs-20.conf +++ b/conf/plugins/tnccs-20.conf @@ -10,5 +10,18 @@ tnccs-20 { # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). # max_message_size = 65490 + # Enable PB-TNC mutual protocol. + # mutual = no + + tests { + + # Send an unsupported PB-TNC message type with the NOSKIP flag set. + # pb_tnc_noskip = no + + # Send a PB-TNC batch with a modified PB-TNC version. + # pb_tnc_version = 2 + + } + } diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt index b15bc3fa1..8d16d1cb2 100644 --- a/conf/plugins/tnccs-20.opt +++ b/conf/plugins/tnccs-20.opt 
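Review bot: The new `tests` subsection in the tnccs-20.conf hunk (`pb_tnc_noskip`, `pb_tnc_version`) makes the plugin send non-conformant PB-TNC batches on purpose, but nothing in the comments marks it as a test-only facility the way the existing `charon.plugins.gcrypt.quick_random` entry in the man page does (`for testing only, produces weak keys!`). A comment above the subsection, e.g. `# Settings in this section intentionally violate PB-TNC and are for testing only; leave them unset in production.`, would make that clear, and the same applies to the tnccs-20.opt hunk at @@ -3,3 +3,12 @@, from which the .conf and the strongswan.conf.5.main text appear to be generated. For `pb_tnc_version = 2`, the description `Send a PB-TNC batch with a modified PB-TNC version.` does not say whether 2 is the normal protocol version (so the default sends unmodified batches) or is already a modification; stating that removes the ambiguity about what the default does.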
@@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522 charon.plugins.tnccs-20.max_message_size = 65490 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). + +charon.plugins.tnccs-20.mutual = no + Enable PB-TNC mutual protocol. + +charon.plugins.tnccs-20.tests.pb_tnc_noskip = no + Send an unsupported PB-TNC message type with the NOSKIP flag set. + +charon.plugins.tnccs-20.tests.pb_tnc_version = 2 + Send a PB-TNC batch with a modified PB-TNC version. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 28f6b12ec..b6db9c914 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -198,6 +198,15 @@ keys, which is discouraged due to security concerns (offline attacks on the openly transmitted hash of the PSK). .TP +.BR charon.ignore_acquire_ts " [no]" +If this is disabled the traffic selectors from the kernel's acquire events, +which are derived from the triggering packet, are prepended to the traffic +selectors from the configuration for IKEv2 connection. By enabling this, such +specific traffic selectors will be ignored and only the ones in the config will +be sent. This always happens for IKEv1 connections as the protocol only supports +one set of traffic selectors per CHILD_SA. + +.TP .BR charon.ignore_routing_tables " []" A space\-separated list of routing tables to be excluded from route lookups. 
@@ -322,6 +331,15 @@ preserved. Enabled plugins not found in that list are ordered alphabetically before other plugins with the same priority. .TP +.BR charon.make_before_break " [no]" +Initiate IKEv2 reauthentication with a make\-before\-break instead of a +break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA +during reauthentication by first recreating all new SAs before deleting the old +ones. This behavior can be beneficial to avoid connectivity gaps during +reauthentication, but requires support for overlapping SAs by the peer. +strongSwan can handle such overlapping SAs since version 5.3.0. + +.TP .BR charon.max_packet " [10000]" Maximum packet size accepted by charon. @@ -374,6 +392,10 @@ sure to adjust the permissions of the config file accordingly. Enable logging of SQL IP pool leases. .TP +.BR charon.plugins.bliss.use_bliss_b " [yes]" +Use the enhanced BLISS\-B key generation and signature algorithm. + +.TP .BR charon.plugins.certexpire.csv.cron " []" Cron style string specifying CSV export times. 
@@ -762,6 +784,31 @@ Remote IKE identity. Remote EAP or XAuth identity, if used. .TP +.BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]" +Comma separated list of multicast groups to join locally. The local host +receives and forwards packets in the local LAN for joined multicast groups only. +Packets matching the list of multicast groups get forwarded to connected +clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and +SSDP/WS\-Discovery, and is usually a good choice for Windows clients. + +.TP +.BR charon.plugins.forecast.interface " []" +Name of the local interface to listen for broadcasts messages to forward. If no +interface is configured, the first usable interface is used, which is usually +just fine for single\-homed hosts. If your host has multiple interfaces, set this +option to the local LAN interface you want to forward broadcasts from/to. + +.TP +.BR charon.plugins.forecast.reinject " []" +Comma separated list of CHILD_SA configuration names for which to perform +multi/broadcast reinjection. For clients connecting over such a configuration, +any multi/broadcast received over the tunnel gets reinjected to all active +tunnels. This makes the broadcasts visible to other peers, and for examples +allows clients to see others shares. If disabled, multi/broadcast messages +received over a tunnel are injected to the local network only, but not to other +IPsec clients. + +.TP .BR charon.plugins.gcrypt.quick_random " [no]" Use faster random numbers in gcrypt; for testing only, produces weak keys! 
@@ -812,6 +859,10 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts the meaning (i.e. the rule only applies to packets that don't match the mark). .TP +.BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]" +Whether to ignore errors potentially resulting from a retransmission. + +.TP .BR charon.plugins.kernel-netlink.mss " [0]" MSS to set on installed routes, 0 to disable. @@ -820,6 +871,32 @@ MSS to set on installed routes, 0 to disable. MTU to set on installed routes, 0 to disable. .TP +.BR charon.plugins.kernel-netlink.parallel_route " [no]" +Whether to perform concurrent Netlink ROUTE queries on a single socket. While +parallel queries can improve throughput, it has more overhead. On vanilla Linux, +DUMP queries fail with EBUSY and must be retried, further decreasing +performance. + +.TP +.BR charon.plugins.kernel-netlink.parallel_xfrm " [no]" +Whether to perform concurrent Netlink XFRM queries on a single socket. + +.TP +.BR charon.plugins.kernel-netlink.policy_update " [no]" +Whether to always use XFRM_MSG_UPDPOLICY to install policies. + +.TP +.BR charon.plugins.kernel-netlink.port_bypass " [no]" +Whether to use port or socket based IKE XFRM bypass policies. IKE bypass +policies are used to exempt IKE traffic from XFRM processing. The default socket +based policies are directly tied to the IKE UDP sockets, port based policies use +global XFRM bypass policies for the used IKE UDP ports. + +.TP +.BR charon.plugins.kernel-netlink.retries " [0]" +Number of Netlink message retransmissions to send on timeout. + +.TP .BR charon.plugins.kernel-netlink.roam_events " [yes]" Whether to trigger roam events when interfaces, addresses or routes change. 
@@ -830,12 +907,23 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector. .TP +.BR charon.plugins.kernel-netlink.timeout " [0]" +Netlink message retransmission timeout, 0 to disable retransmissions. + +.TP .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" Lifetime of XFRM acquire state in kernel. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM acquire messages sent. .TP +.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]" +Size of the receive buffer for the event socket (0 for default size). Because +events are received asynchronously installing e.g. lots of policies may require +a larger buffer than the default on certain platforms in order to receive all +messages. + +.TP .BR charon.plugins.kernel-pfroute.vip_wait " [1000]" Time in ms to wait until virtual IP addresses appear/disappear before failing. @@ -1291,6 +1379,18 @@ Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529). Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497). .TP +.BR charon.plugins.tnccs-20.mutual " [no]" +Enable PB\-TNC mutual protocol. + +.TP +.BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]" +Send an unsupported PB\-TNC message type with the NOSKIP flag set. + +.TP +.BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]" +Send a PB\-TNC batch with a modified PB\-TNC version. + +.TP .BR charon.plugins.unbound.dlv_anchors " []" File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses the same format as 
@@ -1444,6 +1544,19 @@ Specific IKEv2 message type to delay, 0 for any. Send strongSwan vendor ID payload .TP +.BR charon.signature_authentication " [yes]" +Whether to enable Signature Authentication as per RFC 7427. + +.TP +.BR charon.signature_authentication_constraints " [yes]" +If enabled, signature schemes configured in +.RI "" "rightauth" "," +in addition to getting +used as constraints against signature schemes employed in the certificate chain, +are also used as constraints against the signature scheme used by peers during +IKEv2. + +.TP .B charon.start-scripts .br Section containing a list of scripts (name = path) that are executed when the @@ -1581,27 +1694,27 @@ DH nonce length. .TP .BR libimcv.plugins.imc-attestation.pcr17_after " []" -Dummy data if the TBOOT log is not retrieved. +PCR17 value after measurement. .TP .BR libimcv.plugins.imc-attestation.pcr17_before " []" -Dummy data if the TBOOT log is not retrieved. +PCR17 value before measurement. .TP .BR libimcv.plugins.imc-attestation.pcr17_meas " []" -Dummy data if the TBOOT log is not retrieved. +Dummy measurement value extended into PCR17 if the TBOOT log is not available. .TP .BR libimcv.plugins.imc-attestation.pcr18_after " []" -Dummy data if the TBOOT log is not retrieved. +PCR18 value after measurement. .TP .BR libimcv.plugins.imc-attestation.pcr18_before " []" -Dummy data if the TBOOT log is not retrieved. +PCR18 value before measurement. .TP .BR libimcv.plugins.imc-attestation.pcr18_meas " []" -Dummy data if the TBOOT log is not retrieved. +Dummy measurement value extended into PCR17 if the TBOOT log is not available. .TP .BR libimcv.plugins.imc-attestation.pcr_info " [no]" |