summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-02-07 13:27:27 +0100
commit7585facf05d927eb6df3929ce09ed5e60d905437 (patch)
treee4d14b4dc180db20356b6b01ce0112f3a2d7897e /man
parentc1343b3278cdf99533b7902744d15969f9d6fdc1 (diff)
downloadvyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz
vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip
Imported Upstream version 5.0.2
Diffstat (limited to 'man')
-rw-r--r--man/Makefile.in34
-rw-r--r--man/ipsec.conf.555
-rw-r--r--man/ipsec.conf.5.in53
-rw-r--r--man/ipsec.secrets.533
-rw-r--r--man/ipsec.secrets.5.in31
-rw-r--r--man/strongswan.conf.5110
-rw-r--r--man/strongswan.conf.5.in110
7 files changed, 353 insertions, 73 deletions
diff --git a/man/Makefile.in b/man/Makefile.in
index b1c54dcd1..e313a4fff 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,9 +1,9 @@
-# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.3 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
-# Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
man5dir = $(mandir)/man5
am__installdirs = "$(DESTDIR)$(man5dir)"
NROFF = nroff
@@ -99,6 +105,7 @@ CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -126,6 +133,7 @@ LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MYSQLCFLAG = @MYSQLCFLAG@
MYSQLCONFIG = @MYSQLCONFIG@
@@ -153,6 +161,7 @@ RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -165,6 +174,7 @@ abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
@@ -218,7 +228,6 @@ libexecdir = @libexecdir@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-lt_ECHO = @lt_ECHO@
maemo_CFLAGS = @maemo_CFLAGS@
maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
@@ -344,9 +353,7 @@ uninstall-man5:
sed -n '/\.5[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- test -z "$$files" || { \
- echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(man5dir)" && rm -f $$files; }
+ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
tags: TAGS
TAGS:
@@ -414,10 +421,15 @@ install-am: all-am
installcheck: installcheck-am
install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
mostlyclean-generic:
clean-generic:
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 83ebc223c..e24196c2b 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.1rc1" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -369,7 +369,7 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
Defaults to
.BR aes128-sha1,3des-sha1 .
The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
.BR ike " = <cipher suites>"
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
to be used, e.g.
.BR aes128-sha1-modp2048 .
The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
.br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
Defaults to
.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
suites, the strict flag
.RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
.BR cacert " = <path>"
defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
.TP
.BR crluri " = <uri>"
defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index f4d7ed1d6..2766cc4ed 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -369,7 +369,7 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
-.br
+
Defaults to
.BR aes128-sha1,3des-sha1 .
The daemon adds its extensive default proposal to this default
@@ -377,7 +377,7 @@ or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
@@ -403,15 +403,39 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
+.BR fragmentation " = yes | force | " no
+whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
+values are
+.BR yes ,
+.B force
+and
+.B no
+(the default). Fragmented messages sent by a peer are always accepted
+irrespective of the value of this option. If set to
+.BR yes ,
+and the peer supports it, larger IKE messages will be sent in fragments.
+If set to
+.B force
+the initial IKE message will already be fragmented if required.
+.TP
.BR ike " = <cipher suites>"
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
to be used, e.g.
.BR aes128-sha1-modp2048 .
The notation is
-.BR encryption-integrity-dhgroup .
-In IKEv2, multiple algorithms and proposals may be included, such as
-aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.BR encryption-integrity[-prf]-dhgroup .
+If no PRF is given, the algorithms defined for integrity are used for the PRF.
+The prf keywords are the same as the integrity algorithms, but have a
+.B prf
+prefix (such as
+.BR prfsha1 ,
+.B prfsha256
+or
+.BR prfaesxcbc ).
.br
+In IKEv2, multiple algorithms and proposals may be included, such as
+.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
+
Defaults to
.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
The daemon adds its extensive default proposal to this
@@ -419,13 +443,14 @@ default or the configured value. To restrict it to the configured proposal an
exclamation mark
.RB ( ! )
can be added at the end.
-.br
+
.BR Note :
As a responder the daemon accepts the first supported proposal received from
the peer. In order to restrict a responder to only accept specific cipher
suites, the strict flag
.RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
+exclamation mark) can be used, e.g:
+.BR aes256-sha512-modp4096!
.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
@@ -579,6 +604,15 @@ to the distinguished name of the certificate's subject.
The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific certificate to load from a PKCS#11 backend for this
+connection. See ipsec.secrets(5) for details about smartcard definitions.
+.B leftcert
+is required only if selecting the certificate with
+.B leftid
+is not sufficient, for example if multiple certificates use the same subject.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -1012,6 +1046,11 @@ currently can have either the value
.BR cacert " = <path>"
defines a path to the CA certificate either relative to
\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.br
+A value in the form
+.B %smartcard[<slot nr>[@<module>]]:<keyid>
+defines a specific CA certificate to load from a PKCS#11 backend for this CA.
+See ipsec.secrets(5) for details about smartcard definitions.
.TP
.BR crluri " = <uri>"
defines a CRL distribution point (ldap, http, or file URI)
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index c7c092502..127f18f20 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "4.6.2dr3" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index aa1b5c9c1..319d4856b 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -37,13 +37,7 @@ by whitespace. If no ID selectors are specified the line must start with a
colon.
.LP
A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written
-in the familiar dotted quad form or as a domain name to be looked up
-when the file is loaded.
-In many cases it is a bad idea to use domain names because
-the name server may not be running or may be insecure. To denote a
-Fully Qualified Domain Name (as opposed to an IP address denoted by
-its domain name), precede the name with an at sign (\fB@\fP).
+\fB%any\fP or \fB%any6\fP (other kinds may come).
.LP
Matching IDs with selectors is fairly straightforward: they have to be
equal. In the case of a ``Road Warrior'' connection, if an equal
@@ -100,6 +94,9 @@ defines an ECDSA private key
.B EAP
defines EAP credentials
.TP
+.B NTLM
+defines NTLM credentials
+.TP
.B XAUTH
defines XAUTH credentials
.TP
@@ -151,18 +148,22 @@ The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
.br
\fBEAP\fP secrets are IKEv2 only.
.TP
+.B <user id> : NTLM <secret>
+The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
+secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
+cleartext.
+.br
+\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
+.TP
.B [ <servername> ] <username> : XAUTH <password>
The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
\fBXAUTH\fP secrets are IKEv1 only.
.TP
-.B : PIN <smartcard selector> <pin code> | %prompt
-IKEv1 uses the format
-.B "%smartcard[<slot nr>[:<key id>]]"
-to specify the smartcard selector (e.g. %smartcard1:50).
-The IKEv2 daemon supports multiple modules with the format
-.B "%smartcard[<slot nr>[@<module>]]:<keyid>"
-, but always requires a keyid to uniquely select the correct key. Instead of
-specifying the pin code statically,
+.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
+The smartcard selector always requires a keyid to uniquely select the correct
+key. The slot number defines the slot on the token, the module name refers to
+the module name defined in strongswan.conf(5).
+Instead of specifying the pin code statically,
.B %prompt
can be specified, which causes the daemons to ask the user for the pin code.
.LP
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 16b9f245a..8a34a7f93 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "5.0.1" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
@@ -635,9 +643,15 @@ Passphrase protecting the private key
.BR charon.plugins.tnc-ifmap.username
Authentication username of strongSwan MAP client
.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
.BR charon.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
.BR charon.plugins.tnc-pdp.method " [ttls]"
EAP tunnel method to be used
.TP
@@ -696,6 +710,12 @@ strength
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
.TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
.TP
.BR libimcv.plugins.imc-attestation.aik_blob
AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
.BR libimcv.plugins.imv-scanner.tcp_ports
List of TCP ports that can be open or must be closed
.TP
@@ -826,6 +870,9 @@ Do a handshake retry
.BR libimcv.plugins.imc-test.retry_command
Command to be sent to the Test IMV in the handshake retry
.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
.BR libimcv.plugins.imv-test.rounds " [0]"
Number of IMC-IMV retry rounds
.SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
.TP
.BR openac.load
Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
.SS pki section
.TP
.BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
preconfigured credentials and allows an attacker to authenticate as any user.
.SS Options
.TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
.BR charon.plugins.load-tester.child_rekey " [600]"
Seconds to start CHILD_SA rekeying after setup
.TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
.BR charon.plugins.load-tester.delete_after_established " [no]"
Delete an IKE_SA as soon as it has been established
.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
.BR charon.plugins.load-tester.dpd_delay " [0]"
DPD delay to use in load test
.TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
.BR charon.plugins.load-tester.init_limit " [0]"
Global limit of concurrently established SAs during load test
.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
.BR charon.plugins.load-tester.initiators " [0]"
Number of concurrent initiator threads to use in load test
.TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
.BR charon.plugins.load-tester.initiator_id
Initiator ID used in load test
.TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
IKE proposal to use in load test
.TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
Address to initiation connections to
.TP
.BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
.BR charon.plugins.load-tester.responder_id
Responder ID used in load test
.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
.BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server
.TP
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
.SS Configuration details
For public key authentication, the responder uses the
.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 217d7d739..2fafed62d 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2012-05-01" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
+.BR charon.fragment_size " [512]"
+Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+fragmentation extension.
+.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
@@ -178,6 +182,10 @@ openly transmitted hash of the PSK)
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
+.BR charon.ikesa_limit " [0]"
+Maximum number of IKE_SAs that can be established at the same time before new
+connection attempts are blocked
+.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
@@ -635,9 +643,15 @@ Passphrase protecting the private key
.BR charon.plugins.tnc-ifmap.username
Authentication username of strongSwan MAP client
.TP
+.BR charon.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
.BR charon.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
.TP
+.BR charon.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
+.TP
.BR charon.plugins.tnc-pdp.method " [ttls]"
EAP tunnel method to be used
.TP
@@ -696,6 +710,12 @@ strength
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
.TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
.TP
.BR libimcv.plugins.imc-attestation.aik_blob
AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
.BR libimcv.plugins.imv-scanner.tcp_ports
List of TCP ports that can be open or must be closed
.TP
@@ -826,6 +870,9 @@ Do a handshake retry
.BR libimcv.plugins.imc-test.retry_command
Command to be sent to the Test IMV in the handshake retry
.TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
.BR libimcv.plugins.imv-test.rounds " [0]"
Number of IMC-IMV retry rounds
.SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
.TP
.BR openac.load
Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
.SS pki section
.TP
.BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
preconfigured credentials and allows an attacker to authenticate as any user.
.SS Options
.TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
.BR charon.plugins.load-tester.child_rekey " [600]"
Seconds to start CHILD_SA rekeying after setup
.TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
.BR charon.plugins.load-tester.delete_after_established " [no]"
Delete an IKE_SA as soon as it has been established
.TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
.BR charon.plugins.load-tester.dpd_delay " [0]"
DPD delay to use in load test
.TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
.BR charon.plugins.load-tester.init_limit " [0]"
Global limit of concurrently established SAs during load test
.TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
.BR charon.plugins.load-tester.initiators " [0]"
Number of concurrent initiator threads to use in load test
.TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
.BR charon.plugins.load-tester.initiator_id
Initiator ID used in load test
.TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
IKE proposal to use in load test
.TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
Address to initiation connections to
.TP
.BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
.BR charon.plugins.load-tester.responder_id
Responder ID used in load test
.TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
.BR charon.plugins.load-tester.request_virtual_ip " [no]"
Request an INTERNAL_IPV4_ADDR from the server
.TP
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
.SS Configuration details
For public key authentication, the responder uses the
.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq