author | Yves-Alexis Perez <corsac@debian.org> | 2013-11-01 13:32:07 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-11-01 13:32:07 +0100 |
commit | a54780509260a8cb6f0344f531da168b34410dd5 (patch) | |
tree | 477239a312679174252f39f7a80bc8bf33836d9a /man | |
parent | 6e50941f7ce9c6f2d6888412968c7f4ffb495379 (diff) | |
parent | 5313d2d78ca150515f7f5eb39801c100690b6b29 (diff) | |
download | vyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.tar.gz vyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.zip |
Merge tag 'upstream/5.1.1'
Upstream version 5.1.1
Diffstat (limited to 'man')
-rw-r--r-- | man/Makefile.am | 17 | ||||
-rw-r--r-- | man/Makefile.in | 162 | ||||
-rw-r--r-- | man/ipsec.conf.5 | 1280 | ||||
-rw-r--r-- | man/ipsec.conf.5.in | 67 | ||||
-rw-r--r-- | man/ipsec.secrets.5 | 195 | ||||
-rw-r--r-- | man/ipsec.secrets.5.in | 2 | ||||
-rw-r--r-- | man/strongswan.conf.5 | 1665 | ||||
-rw-r--r-- | man/strongswan.conf.5.in | 144 |
8 files changed, 274 insertions, 3258 deletions
diff --git a/man/Makefile.am b/man/Makefile.am index 0becd24c7..266ef7d3a 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -1,13 +1,6 @@ -dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 -EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in -CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 +man_MANS = \ + ipsec.conf.5 \ + ipsec.secrets.5 \ + strongswan.conf.5 -SUFFIXES = .in - -.in: - $(AM_V_GEN) \ - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - -e "s:@DEV_URANDOM@:$(urandom_device):" \ - -e "s:@DEV_RANDOM@:$(random_device):" \ - $(srcdir)/$@.in > $@ +CLEANFILES = $(man_MANS) diff --git a/man/Makefile.in b/man/Makefile.in index 0bc64a6eb..9c970cdcd 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.6 from Makefile.am. +# Makefile.in generated by automake 1.13.3 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software -# Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
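Review bot: The new `man_MANS` list names files that nothing left in this Makefile.am builds, so a reader of this file alone cannot tell where `ipsec.conf.5` and the other pages come from; the Makefile.in hunks show they are now produced by `config.status` from the `*.in` templates, which also covers distributing the templates now that `EXTRA_DIST` is gone. A one-line comment above the list would make that explicit: `# Generated from the *.in templates by configure (AC_CONFIG_FILES); automake distributes the templates.` The removed sed rule substituted `@IPSEC_VERSION@`, `@DEV_URANDOM@` and `@DEV_RANDOM@` itself rather than leaving them to configure, and `config.status` passes any token it does not know through verbatim, so the diffstat entry for the `.in` files presumably reflects a switch to the AC_SUBST names (`@PACKAGE_VERSION@`, `@urandom_device@`, `@random_device@`) — worth confirming in the template hunks, since an unsubstituted token would end up in the installed page. `CLEANFILES = $(man_MANS)` is harmless but redundant once the pages are listed in `CONFIG_CLEAN_FILES`, which `distclean` already removes.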
@@ -15,23 +14,51 @@ @SET_MAKE@ VPATH = @srcdir@ -am__make_dryrun = \ - { \ - am__dry=no; \ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ - echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ - | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ - *) \ - for am__flg in $$MAKEFLAGS; do \ - case $$am__flg in \ - *=*|--*) ;; \ - *n*) am__dry=yes; break;; \ - esac; \ - done;; \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ - test $$am__dry = yes; \ - } + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
@@ -51,14 +78,16 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = man -DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in \ + $(srcdir)/strongswan.conf.5.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ $(top_srcdir)/m4/config/ltsugar.m4 \ $(top_srcdir)/m4/config/ltversion.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ @@ -67,14 +96,20 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_FILES = +CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ +am__v_at_1 = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ @@ -112,7 +147,8 @@ am__uninstall_files_from_dir = { \ man5dir = $(mandir)/man5 am__installdirs = "$(DESTDIR)$(man5dir)" NROFF = nroff -MANS = $(dist_man_MANS) +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ 
@@ -187,6 +223,10 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ @@ -303,6 +343,7 @@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ @@ -310,14 +351,15 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 -EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in -CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 -SUFFIXES = .in +man_MANS = \ + ipsec.conf.5 \ + ipsec.secrets.5 \ + strongswan.conf.5 + +CLEANFILES = $(man_MANS) all: all-am .SUFFIXES: -.SUFFIXES: .in $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ 
@@ -348,16 +390,22 @@ $(top_srcdir)/configure: $(am__configure_deps) $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +ipsec.conf.5: $(top_builddir)/config.status $(srcdir)/ipsec.conf.5.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +ipsec.secrets.5: $(top_builddir)/config.status $(srcdir)/ipsec.secrets.5.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +strongswan.conf.5: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs -install-man5: $(dist_man_MANS) +install-man5: $(man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(dist_man_MANS)'; \ + list2='$(man_MANS)'; \ test -n "$(man5dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ 
@@ -392,32 +440,19 @@ uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) -tags: TAGS -TAGS: +tags TAGS: -ctags: CTAGS -CTAGS: +ctags CTAGS: + +cscope cscopelist: distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -556,25 +591,18 @@ uninstall-man: uninstall-man5 .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ - distclean distclean-generic distclean-libtool distdir dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-man5 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - uninstall uninstall-am uninstall-man uninstall-man5 - - -.in: - $(AM_V_GEN) \ - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - -e "s:@DEV_URANDOM@:$(urandom_device):" \ - -e "s:@DEV_RANDOM@:$(random_device):" \ - $(srcdir)/$@.in > $@ + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man5 install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ + ps ps-am tags-am uninstall uninstall-am uninstall-man \ + uninstall-man5 + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 deleted file mode 100644 index 76bef614f..000000000 --- a/man/ipsec.conf.5 +++ /dev/null 
@@ -1,1280 +0,0 @@ -.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan" -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -The major exception is secrets for authentication; -see -.IR ipsec.secrets (5). -Its contents are not security-sensitive. -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. a connection description) into several actual sections. -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. 
-Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens. -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. -The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -.PP -A section with name -.B %default -specifies defaults for sections of the same type. 
-For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties of a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection. -Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=192.168.0.1 - leftsubnet=10.1.0.0/16 - right=192.168.0.2 - rightsubnet=10.1.0.0/16 - keyingtries=%forever - auto=add -.ft -.fi -.PP -A note on terminology: There are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 -and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA' or 'Child SA'. -strongSwan previously used two separate keying daemons, \fIpluto\fP and -\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but -only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2. 
-.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. -Which participant is considered -.I left -or -.I right -is arbitrary; -for every connection description an attempt is made to figure out whether -the local endpoint should act as the -.I left -or -.I right -endpoint. This is done by matching the IP addresses defined for both endpoints -with the IP addresses assigned to local network interfaces. If a match is found -then the role (left or right) that matches is going to be considered local. -If no match is found during startup, -.I left -is considered local. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked '(required)'. -.SS "CONN PARAMETERS" -Unless otherwise noted, for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP -.BR aaa_identity " = <id>" -defines the identity of the AAA backend used during IKEv2 EAP authentication. -This is required if the EAP client uses a method that verifies the server -identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity. -.TP -.BR aggressive " = yes | " no -whether to use IKEv1 Aggressive or Main Mode (the default). -.TP -.BR also " = <name>" -includes conn section -.BR <name> . 
-.TP -.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig" -how the two security gateways should authenticate each other; -acceptable values are -.B psk -or -.B secret -for pre-shared secrets, -.B pubkey -(the default) for public key signatures as well as the synonyms -.B rsasig -for RSA digital signatures and -.B ecdsasig -for Elliptic Curve DSA signatures. -.B never -can be used if negotiation is never to be attempted or accepted (useful for -shunt-only conns). -Digital signatures are superior in every way to shared secrets. -IKEv1 additionally supports the values -.B xauthpsk -and -.B xauthrsasig -that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode -based on shared secrets or digital RSA signatures, respectively. -This parameter is deprecated, as two peers do not need to agree on an -authentication method in IKEv2. Use the -.B leftauth -parameter instead to define authentication methods. -.TP -.BR auto " = " ignore " | add | route | start" -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.BR add , -.BR route , -.B start -and -.B ignore -(the default). -.B add -loads a connection without starting it. -.B route -loads a connection and installs kernel traps. If traffic is detected between -.B leftsubnet -and -.BR rightsubnet , -a connection is established. -.B start -loads a connection and brings it up immediately. -.B ignore -ignores the connection. This is equal to deleting a connection from the config -file. -Relevant only locally, other end need not agree on it. -.TP -.BR closeaction " = " none " | clear | hold | restart" -defines the action to take if the remote peer unexpectedly closes a CHILD_SA -(see -.B dpdaction -for meaning of values). -A -.B closeaction should not be -used if the peer uses reauthentication or uniquids checking, as these events -might trigger the defined action when not desired. 
-.TP -.BR compress " = yes | " no -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). A value of -.B yes -causes the daemon to propose both compressed and uncompressed, -and prefer compressed. -A value of -.B no -prevents the daemon from proposing or accepting compression. -.TP -.BR dpdaction " = " none " | clear | hold | restart" -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) -are periodically sent in order to check the -liveliness of the IPsec peer. The values -.BR clear , -.BR hold , -and -.B restart -all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted -.RB ( clear ), -put in the hold state -.RB ( hold ) -or restarted -.RB ( restart ). -The default is -.B none -which disables the active sending of DPD messages. -.TP -.BR dpddelay " = " 30s " | <time>" -defines the period time interval with which R_U_THERE messages/INFORMATIONAL -exchanges are sent to the peer. These are only sent if no other traffic is -received. In IKEv2, a value of 0 sends no additional INFORMATIONAL -messages and uses only standard messages (such as those to rekey) to detect -dead peers. -.TP -.BR dpdtimeout " = " 150s " | <time> -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. This only applies to IKEv1, in IKEv2 the default -retransmission timeout applies, as every exchange is used to detect dead peers. -.TP -.BR inactivity " = <time>" -defines the timeout interval, after which a CHILD_SA is closed if it did -not send or receive any traffic. -.TP -.BR eap_identity " = <id>" -defines the identity the client uses to reply to an EAP Identity request. 
-If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value -.B %identity -uses the EAP Identity method to ask the client for an EAP identity. If not -defined, the IKEv2 identity will be used as EAP identity. -.TP -.BR esp " = <cipher suites>" -comma-separated list of ESP encryption/authentication algorithms to be used -for the connection, e.g. -.BR aes128-sha256 . -The notation is -.BR encryption-integrity[-dhgroup][-esnmode] . - -Defaults to -.BR aes128-sha1,3des-sha1 . -The daemon adds its extensive default proposal to this default -or the configured value. To restrict it to the configured proposal an -exclamation mark -.RB ( ! ) -can be added at the end. - -.BR Note : -As a responder the daemon accepts the first supported proposal received from -the peer. In order to restrict a responder to only accept specific cipher -suites, the strict flag -.RB ( ! , -exclamation mark) can be used, e.g: aes256-sha512-modp4096! -.br -If -.B dh-group -is specified, CHILD_SA/Quick Mode setup and rekeying include a separate -Diffie-Hellman exchange. Valid values for -.B esnmode -(IKEv2 only) are -.B esn -and -.BR noesn . -Specifying both negotiates Extended Sequence Number support with the peer, -the default is -.B noesn. -.TP -.BR forceencaps " = yes | " no -force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to surmount restrictive firewalls. In order to force the peer to -encapsulate packets, NAT detection payloads are faked. -.TP -.BR fragmentation " = yes | force | " no -whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable -values are -.BR yes , -.B force -and -.B no -(the default). Fragmented messages sent by a peer are always accepted -irrespective of the value of this option. If set to -.BR yes , -and the peer supports it, larger IKE messages will be sent in fragments. 
-If set to -.B force -the initial IKE message will already be fragmented if required. -.TP -.BR ike " = <cipher suites>" -comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -to be used, e.g. -.BR aes128-sha1-modp2048 . -The notation is -.BR encryption-integrity[-prf]-dhgroup . -If no PRF is given, the algorithms defined for integrity are used for the PRF. -The prf keywords are the same as the integrity algorithms, but have a -.B prf -prefix (such as -.BR prfsha1 , -.B prfsha256 -or -.BR prfaesxcbc ). -.br -In IKEv2, multiple algorithms and proposals may be included, such as -.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 . - -Defaults to -.BR aes128-sha1-modp2048,3des-sha1-modp1536 . -The daemon adds its extensive default proposal to this -default or the configured value. To restrict it to the configured proposal an -exclamation mark -.RB ( ! ) -can be added at the end. - -.BR Note : -As a responder the daemon accepts the first supported proposal received from -the peer. In order to restrict a responder to only accept specific cipher -suites, the strict flag -.RB ( ! , -exclamation mark) can be used, e.g: -.BR aes256-sha512-modp4096! -.TP -.BR ikedscp " = " 000000 " | <DSCP field>" -Differentiated Services Field Codepoint to set on outgoing IKE packets sent -from this connection. The value is a six digit binary encoded string defining -the Codepoint to set, as defined in RFC 2474. -.TP -.BR ikelifetime " = " 3h " | <time>" -how long the keying channel of a connection (ISAKMP or IKE SA) -should last before being renegotiated. Also see EXPIRY/REKEY below. -.TP -.BR installpolicy " = " yes " | no" -decides whether IPsec policies are installed in the kernel by the charon daemon -for a given connection. Allows peaceful cooperation e.g. with -the Mobile IPv6 daemon mip6d who wants to control the kernel policies. -Acceptable values are -.B yes -(the default) and -.BR no . 
-.TP -.BR keyexchange " = " ike " | ikev1 | ikev2" -which key exchange protocol should be used to initiate the connection. -Connections marked with -.B ike -use IKEv2 when initiating, but accept any protocol version when responding. -.TP -.BR keyingtries " = " 3 " | <number> | %forever" -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR 3 ). -The value \fB%forever\fP -means 'never give up'. -Relevant only locally, other end need not agree on it. -.TP -.B keylife -synonym for -.BR lifetime . -.TP -.BR left " = <ip address> | <fqdn> | " %any -(required) -the IP address of the left participant's public-network interface -or one of several magic values. -The value -.B %any -(the default) for the local endpoint signifies an address to be filled in (by -automatic keying) during negotiation. If the local peer initiates the -connection setup the routing table will be queried to determine the correct -local IP address. -In case the local peer is responding to a connection setup then any IP address -that is assigned to a local interface will be accepted. - -The prefix -.B % -in front of a fully-qualified domain name or an IP address will implicitly set -.BR leftallowany =yes. - -If -.B %any -is used for the remote endpoint it literally means any IP address. - -Please note that with the usage of wildcards multiple connection descriptions -might match a given incoming connection attempt. The most specific description -is used in that case. -.TP -.BR leftallowany " = yes | " no -a modifier for -.BR left , -making it behave as -.B %any -although a concrete IP address or domain name has been assigned. -.TP -.BR leftauth " = <auth method>" -Authentication method to use locally (left) or require from the remote (right) -side. 
-Acceptable values are -.B pubkey -for public key authentication (RSA/ECDSA), -.B psk -for pre-shared key authentication, -.B eap -to (require the) use of the Extensible Authentication Protocol in IKEv2, and -.B xauth -for IKEv1 eXtended Authentication. -To require a trustchain public key strength for the remote side, specify the -key type followed by the minimum strength in bits (for example -.BR ecdsa-384 -or -.BR rsa-2048-ecdsa-256 ). -To limit the acceptable set of hashing algorithms for trustchain validation, -append hash algorithms to -.BR pubkey -or a key strength definition (for example -.BR pubkey-sha1-sha256 -or -.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). -For -.BR eap , -an optional EAP method can be appended. Currently defined methods are -.BR eap-aka , -.BR eap-gtc , -.BR eap-md5 , -.BR eap-mschapv2 , -.BR eap-peap , -.BR eap-sim , -.BR eap-tls , -.BR eap-ttls , -.BR eap-dynamic , -and -.BR eap-radius . -Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific -EAP methods are defined in the form -.B eap-type-vendor -.RB "(e.g. " eap-7-12345 ). -For -.B xauth, -an XAuth authentication backend can be specified, such as -.B xauth-generic -or -.BR xauth-eap . -If XAuth is used in -.BR leftauth , -Hybrid authentication is used. For traditional XAuth authentication, define -XAuth in -.BR lefauth2 . -.TP -.BR leftauth2 " = <auth method>" -Same as -.BR leftauth , -but defines an additional authentication exchange. In IKEv1, only XAuth can be -used in the second authentication round. IKEv2 supports multiple complete -authentication rounds using "Multiple Authentication Exchanges" defined -in RFC 4739. This allows, for example, separated authentication -of host and user. -.TP -.BR leftca " = <issuer dn> | %same" -the distinguished name of a certificate authority which is required to -lie in the trust path going from the left participant's certificate up -to the root certification authority. 
-.B %same -means that the value configured for the right participant should be reused. -.TP -.BR leftca2 " = <issuer dn> | %same" -Same as -.BR leftca , -but for the second authentication round (IKEv2 only). -.TP -.BR leftcert " = <path>" -the path to the left participant's X.509 certificate. The file can be encoded -either in PEM or DER format. OpenPGP certificates are supported as well. -Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP -are accepted. By default -.B leftcert -sets -.B leftid -to the distinguished name of the certificate's subject. -The left participant's ID can be overridden by specifying a -.B leftid -value which must be certified by the certificate, though. -.br -A value in the form -.B %smartcard[<slot nr>[@<module>]]:<keyid> -defines a specific certificate to load from a PKCS#11 backend for this -connection. See ipsec.secrets(5) for details about smartcard definitions. -.B leftcert -is required only if selecting the certificate with -.B leftid -is not sufficient, for example if multiple certificates use the same subject. -.br -Multiple certificate paths or PKCS#11 backends can be specified in a comma -separated list. The daemon chooses the certificate based on the received -certificate requests if possible before enforcing the first. -.TP -.BR leftcert2 " = <path>" -Same as -.B leftcert, -but for the second authentication round (IKEv2 only). -.TP -.BR leftcertpolicy " = <OIDs>" -Comma separated list of certificate policy OIDs the peer's certificate must -have. -OIDs are specified using the numerical dotted representation. -.TP -.BR leftdns " = <servers>" -Comma separated list of DNS server addresses to exchange as configuration -attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or -.BR %config4 / %config6 -to request attributes without an address. On the responder, -only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned -to the client. 
-.TP
-.BR leftfirewall " = yes | " no
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script.
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.BR leftgroups " = <group list>"
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter.
-.TP
-.BR leftgroups2 " = <group list>"
-Same as
-.B leftgroups,
-but for the second authentication round defined with
-.B leftauth2.
-.TP
-.BR lefthostaccess " = yes | " no
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR leftid " = <id>"
-how the left participant should be identified for authentication;
-defaults to
-.B left
-or the subject of the certificate configured with
-.BR leftcert .
-Can be an IP address, a fully-qualified domain name, an email address, or
-a keyid. If
-.B leftcert
-is configured the identity has to be confirmed by the certificate.
-
-For IKEv2 and
-.B rightid
-the prefix
-.B %
-in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
-request and will allow it to verify the configured identity against the subject
-and subjectAltNames contained in the responder's certificate (otherwise it is
-only compared with the IDr returned by the responder). The IDr sent by the
-initiator might otherwise prevent the responder from finding a config if it
-has configured a different value for
-.BR leftid .
-.TP
-.BR leftid2 " = <id>"
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication.
-If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens on this port.
-.TP
-.BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port. This option
-is now deprecated, protocol/port information can be defined for each subnet
-directly in
-.BR leftsubnet .
-.TP
-.BR leftsigkey " = <raw public key> | <path to public key>"
-the left participant's public key for public key signature authentication,
-in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
-optional
-.B dns:
-or
-.B ssh:
-prefix in front of 0x or 0s, the public key is expected to be in either
-the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
-respectively.
-Also accepted is the path to a file containing the public key in PEM or DER
-encoding.
-.TP
-.BR leftsendcert " = never | no | " ifasked " | always | yes"
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked " (the default),"
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.BR leftsourceip " = %config4 | %config6 | <ip address>"
-Comma separated list of internal source IPs to use in a tunnel, also known as
-virtual IP. If the value is one of the synonyms
-.BR %config ,
-.BR %cfg ,
-.BR %modeconfig ,
-or
-.BR %modecfg ,
-an address (from the tunnel address family) is requested from the peer. With
-.B %config4
-and
-.B %config6
-an address of the given address family will be requested explicitly.
-If an IP address is configured, it will be requested from the responder,
-which is free to respond with a different address.
-.TP
-.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-Comma separated list of internal source IPs to use in a tunnel for the remote
-peer. If the value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. Configured subnets of the peers may differ, the protocol narrows it to
-the greatest common subnet. In IKEv1, this may lead to problems with other
-implementations, make sure to configure identical subnets in such
-configurations.
IKEv2 supports multiple subnets separated by commas. IKEv1 only
-interprets the first subnet of such a definition, unless the Cisco Unity
-extension plugin is enabled.
-
-The optional part after each subnet enclosed in square brackets specifies a
-protocol/port to restrict the selector for that subnet.
-
-Examples:
-.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
-.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-
-Instead of specifying a subnet,
-.B %dynamic
-can be used to replace it with the IKE address, having the same effect
-as omitting
-.B leftsubnet
-completely. Using
-.B %dynamic
-can be used to define multiple dynamic selectors, each having a potentially
-different protocol/port definition.
-
-.TP
-.BR leftupdown " = <path>"
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-Relevant only locally, other end need not agree on it. Charon uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into the daemon.
-.TP
-.BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires.
-.TP
-.BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires.
-.TP
-.BR lifetime " = " 1h " | <time>"
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
-.TP
-.BR marginbytes " = <number>"
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin.
-.TP
-.BR marginpackets " = <number>"
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin.
-.TP
-.BR margintime " = " 9m " | <time>"
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
-below.
-.TP
-.BR mark " = <value>[/<mask>]"
-sets an XFRM mark in the inbound and outbound
-IPsec SAs and policies. If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mark_in " = <value>[/<mask>]"
-sets an XFRM mark in the inbound IPsec SA and
-policy. If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mark_out " = <value>[/<mask>]"
-sets an XFRM mark in the outbound IPsec SA and
-policy. If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mobike " = " yes " | no"
-enables the IKEv2 MOBIKE protocol defined by RFC 4555.
Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.BR modeconfig " = push | " pull
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Push mode is currently not supported in charon, hence this parameter has no
-effect.
-.TP
-.BR reauth " = " yes " | no"
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.BR rekey " = " yes " | no"
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it. Also see
-.BR reauth .
-.TP
-.BR rekeyfuzz " = " 100% " | <percentage>"
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
-below.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.BR reqid " = <number>"
-sets the reqid for a given connection to a pre-configured fixed value.
-.TP
-.BR tfc " = <value>"
-number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
-is currently supported in IKEv2 and applies to outgoing packets only. The
-special value
-.BR %mtu
-fills up ESP packets with padding to have the size of the MTU.
-.TP
-.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded.
-.TP
-.BR xauth " = " client " | server"
-specifies the role in the XAuth protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-.TP
-.BR xauth_identity " = <id>"
-defines the identity/username the client uses to reply to an XAuth request.
-If not defined, the IKEv1 identity will be used as XAuth identity.
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP
-.BR mediation " = yes | " no
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.BR mediated_by " = <name>"
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.BR me_peerid " = <id>"
-ID as which the peer is known to the mediation server, ie.
which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-These are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
-there is no need to explicitly add them with a CA section, unless you
-want to assign special parameters (like a CRL) to a CA.
-.TP
-.BR also " = <name>"
-includes ca section
-.BR <name> .
-.TP
-.BR auto " = " ignore " | add"
-currently can have either the value
-.B ignore
-(the default) or
-.BR add .
-.TP
-.BR cacert " = <path>"
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.br
-A value in the form
-.B %smartcard[<slot nr>[@<module>]]:<keyid>
-defines a specific CA certificate to load from a PKCS#11 backend for this CA.
-See ipsec.secrets(5) for details about smartcard definitions.
-.TP
-.BR crluri " = <uri>"
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.BR crluri2 " = <uri>"
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.TP
-.BR ocspuri " = <uri>"
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI.
-.TP
-.BR certuribase " = <uri>"
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows one to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS" -At present, the only -.B config -section known to the IPsec software is the one named -.BR setup , -which contains information used when the software is being started. -The currently-accepted -.I parameter -names in a -.B config -.B setup -section are: -.TP -.BR cachecrls " = yes | " no -if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will -be cached in -.I /etc/ipsec.d/crls/ -under a unique file name derived from the certification authority's public key. -.TP -.BR charondebug " = <debug list>" -how much charon debugging output should be logged. -A comma separated list containing type/level-pairs may -be specified, e.g: -.B dmn 3, ike 1, net -1. -Acceptable values for types are -.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, -.B tnc, imc, imv, pts -and the level is one of -.B -1, 0, 1, 2, 3, 4 -(for silent, audit, control, controlmore, raw, private). By default, the level -is set to -.B 1 -for all types. For more flexibility see LOGGER CONFIGURATION in -.IR strongswan.conf (5). -.TP -.BR strictcrlpolicy " = yes | ifuri | " no -defines if a fresh CRL must be available in order for the peer authentication -based on RSA signatures to succeed. -IKEv2 additionally recognizes -.B ifuri -which reverts to -.B yes -if at least one CRL URI is defined and to -.B no -if no URI is known. -.TP -.BR uniqueids " = " yes " | no | never | replace | keep" -whether a particular participant ID should be kept unique, -with any new IKE_SA using an ID deemed to replace all old ones using that ID; -acceptable values are -.B yes -(the default), -.B no -and -.BR never . -Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is -almost invariably intended to replace an old one. The difference between -.B no -and -.B never -is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT -notify if the option is -.B no -but will ignore these notifies if -.B never -is configured. 
-The daemon also accepts the value -.B replace -which is identical to -.B yes -and the value -.B keep -to reject new IKE_SA setups and keep the duplicate established earlier. - -.SH SA EXPIRY/REKEY -The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire -after a specific amount of time. For IPsec SAs this can also happen after a -specified number of transmitted packets or transmitted bytes. The following -settings can be used to configure this: -.TS -l r l r,- - - -,lB s lB s,a r a r. -Setting Default Setting Default -IKE SA IPsec SA -ikelifetime 3h lifebytes - - lifepackets - - lifetime 1h -.TE -.SS Rekeying -IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be -configured using the following settings: -.TS -l r l r,- - - -,lB s lB s,a r a r. -Setting Default Setting Default -IKE and IPsec SA IPsec SA -margintime 9m marginbytes - - marginpackets - -.TE -.SS Randomization -To avoid collisions the specified margins are increased randomly before -subtracting them from the expiration limits (see formula below). This is -controlled by the -.B rekeyfuzz -setting: -.TS -l r,- -,lB s,a r. -Setting Default -IKE and IPsec SA -rekeyfuzz 100% -.TE -.PP -Randomization can be disabled by setting -.BR rekeyfuzz " to " 0% . -.SS Formula -The following formula is used to calculate the rekey time of IPsec SAs: -.PP -.EX - rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) -.EE -.PP -It applies equally to IKE SAs and byte and packet limits for IPsec SAs. -.SS Example -Let's consider the default configuration: -.PP -.EX - lifetime = 1h - margintime = 9m - rekeyfuzz = 100% -.EE -.PP -From the formula above follows that the rekey time lies between: -.PP -.EX - rekeytime_min = 1h - (9m + 9m) = 42m - rekeytime_max = 1h - (9m + 0m) = 51m -.EE -.PP -Thus, the daemon will attempt to rekey the IPsec SA at a random time -between 42 and 51 minutes after establishing the SA. 
Or, in other words,
-between 9 and 18 minutes before the SA expires.
-.SS Notes
-.IP \[bu]
-Since the rekeying of an SA needs some time, the margin values must not be
-too low.
-.IP \[bu]
-The value
-.B margin... + margin... * rekeyfuzz
-must not exceed the original limit. For example, specifying
-.B margintime = 30m
-in the default configuration is a bad idea as there is a chance that the rekey
-time equals zero and, thus, rekeying gets disabled.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 4c64e86ca..92be67000 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -236,10 +236,44 @@ identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
 .BR aggressive " = yes | " no
 whether to use IKEv1 Aggressive or Main Mode (the default).
 .TP
+.BR ah " = <cipher suites>"
+comma-separated list of AH algorithms to be used for the connection, e.g.
+.BR sha1-sha256-modp1024 .
+The notation is
+.BR integrity[-dhgroup] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
+
+There is no default, by default ESP is used.
+The daemon adds its extensive default proposal to the configured value. To
+restrict it to the configured proposal an
+exclamation mark
+.RB ( ! )
+can be added at the end.
+
+If
+.B dh-group
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.
+.TP
 .BR also " = <name>"
 includes conn section
 .BR <name> .
 .TP
+.BR auth " = <value>"
+was used by the
+.B pluto
+IKEv1 daemon to use AH integrity protection for ESP encrypted packets, but is
+not supported in charon. The
+.B ah
+keyword specifies algorithms to use for integrity protection with AH, but
+without encryption. AH+ESP bundles are not supported.
+.TP
 .BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
@@ -368,6 +402,13 @@ for the connection, e.g.
 .BR aes128-sha256 .
 The notation is
 .BR encryption-integrity[-dhgroup][-esnmode] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
 Defaults to
 .BR aes128-sha1,3des-sha1 .
@@ -488,9 +529,8 @@ Relevant only locally, other end need not agree on it.
 synonym for
 .BR lifetime .
 .TP
-.BR left " = <ip address> | <fqdn> | " %any
-(required)
-the IP address of the left participant's public-network interface
+.BR left " = <ip address> | <fqdn> | " %any " | <range> | <subnet> "
+The IP address of the left participant's public-network interface
 or one of several magic values.
 The value
 .B %any
@@ -510,6 +550,14 @@ If
 .B %any
 is used for the remote endpoint it literally means any IP address.
+To limit the connection to a specific range of hosts, a range (
+.BR 10.1.0.0-10.2.255.255
+) or a subnet (
+.BR 10.1.0.0/16
+) can be specified, and multiple addresses, ranges and subnets can be separated
+by commas. While one can freely combine these items, to initiate the connection
+at least one non-range/subnet is required.
+
 Please note that with the usage of wildcards multiple connection descriptions
 might match a given incoming connection attempt. The most specific description
 is used in that case.
@@ -810,6 +858,14 @@ Instead of omitting either value
 can be used to the same effect, e.g.
 .BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+If the protocol is
+.B icmp
+or
+.B ipv6-icmp
+the port is interpreted as ICMP message type if it is less than 256 or as type
+and code if it is greater or equal to 256, with the type in the most significant
+8 bits and the code in the least significant 8 bits.
+
 The port value can alternatively take the value
 .B %opaque
 for RFC 4301 OPAQUE selectors, or a numerical range in the form
@@ -931,8 +987,7 @@ Accepted values are
 and
 .B pull
 (the default).
-Push mode is currently not supported in charon, hence this parameter has no
-effect.
+Push mode is currently not supported with IKEv2.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
deleted file mode 100644
index a4a58f261..000000000
--- a/man/ipsec.secrets.5
+++ /dev/null
@@ -1,195 +0,0 @@ -.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan" -.SH NAME -ipsec.secrets \- secrets for IKE/IPsec authentication -.SH DESCRIPTION -The file \fIipsec.secrets\fP holds a table of secrets. -These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons -pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. -.LP -It is vital that these secrets be protected. The file should be owned -by the super-user, -and its permissions should be set to block all access by others. -.LP -The file is a sequence of entries and include directives. -Here is an example. -.LP -.RS -.nf -# /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" - -: RSA moonKey.pem - -alice@strongswan.org : EAP "x3.dEhgN" - -carol : XAUTH "4iChxLT3" - -dave : XAUTH "ryftzG4A" - -# get secrets from other files -include ipsec.*.secrets -.fi -.RE -.LP -Each entry in the file is a list of optional ID selectors, followed by a secret. -The two parts are separated by a colon (\fB:\fP) that is surrounded -by whitespace. If no ID selectors are specified the line must start with a -colon. -.LP -A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, -\fB%any\fP or \fB%any6\fP (other kinds may come). -.LP -Matching IDs with selectors is fairly straightforward: they have to be -equal. In the case of a ``Road Warrior'' connection, if an equal -match is not found for the Peer's ID, and it is in the form of an IP -address, a selector of \fB%any\fP will match the peer's IP address if IPV4 -and \fB%any6\fP will match a the peer's IP address if IPV6. -Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of -\fB%any\fP. -.LP -In IKEv1 an additional complexity -arises in the case of authentication by preshared secret: the -responder will need to look up the secret before the Peer's ID payload has -been decoded, so the ID used will be the IP address. 
-.LP -To authenticate a connection between two hosts, the entry that most -specifically matches the host and peer IDs is used. An entry with no -selectors will match any host and peer. More specifically, an entry with one -selector will match a host and peer if the selector matches the host's ID (the -peer isn't considered). Still more specifically, an entry with multiple -selectors will match a host and peer if the host ID and peer ID each match one -of the selectors. If the key is for an asymmetric authentication technique -(i.e. a public key system such as RSA), an entry with multiple selectors will -match a host and peer even if only the host ID matches a selector (it is -presumed that the selectors are all identities of the host). -It is acceptable for two entries to be the best match as -long as they agree about the secret or private key. -.LP -Authentication by preshared secret requires that both systems find the -identical secret (the secret is not actually transmitted by the IKE -protocol). If both the host and peer appear in the selector list, the -same entry will be suitable for both systems so verbatim copying -between systems can be used. This naturally extends to larger groups -sharing the same secret. Thus multiple-selector entries are best for PSK -authentication. -.LP -Authentication by public key systems such as RSA requires that each host -have its own private key. A host could reasonably use a different private keys -for different interfaces and for different peers. But it would not -be normal to share entries between systems. Thus thus no-selector and -one-selector forms of entry often make sense for public key authentication. -.LP -The key part of an entry must start with a token indicating the kind of -key. 
The following types of secrets are currently supported: -.TP -.B PSK -defines a pre-shared key -.TP -.B RSA -defines an RSA private key -.TP -.B ECDSA -defines an ECDSA private key -.TP -.B P12 -defines a PKCS#12 container -.TP -.B EAP -defines EAP credentials -.TP -.B NTLM -defines NTLM credentials -.TP -.B XAUTH -defines XAUTH credentials -.TP -.B PIN -defines a smartcard PIN -.LP -Details on each type of secret are given below. -.LP -Whitespace at the end of a line is ignored. At the start of a line or -after whitespace, \fB#\fP and the following text up to the end of the -line is treated as a comment. -.LP -An include directive causes the contents of the named file to be processed -before continuing with the current file. The filename is subject to -``globbing'' as in \fIsh\fP(1), so every file with a matching name -is processed. Includes may be nested to a modest -depth (10, currently). If the filename doesn't start with a \fB/\fP, the -directory containing the current file is prepended to the name. The -include directive is a line that starts with the word \fBinclude\fP, -followed by whitespace, followed by the filename (which must not contain -whitespace). -.SS TYPES OF SECRETS -.TP -.B [ <selectors> ] : PSK <secret> -A preshared \fIsecret\fP is most conveniently represented as a sequence of -characters, which is delimited by double-quote characters (\fB"\fP). -The sequence cannot contain newline or double-quote characters. -.br -Alternatively, preshared secrets can be represented as hexadecimal or Base64 -encoded binary values. A character sequence beginning with -.B 0x -is interpreted as sequence of hexadecimal digits. -Similarly, a character sequence beginning with -.B 0s -is interpreted as Base64 encoded binary data. -.TP -.B : RSA <private key file> [ <passphrase> | %prompt ] -.TQ -.B : ECDSA <private key file> [ <passphrase> | %prompt ] -For the private key file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. 
If the private key file is -encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase -.B %prompt -can be used which then causes the daemon to ask the user for the password -whenever it is required to decrypt the key. -.TP -.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ] -For the PKCS#12 file both absolute paths or paths relative to -\fI/etc/ipsec.d/private\fP are accepted. If the container is -encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase -.B %prompt -can be used which then causes the daemon to ask the user for the password -whenever it is required to decrypt the container. Private keys, client and CA -certificates are extracted from the container. To use such a client certificate -in a connection set leftid to one of the subjects of the certificate. -.TP -.B <user id> : EAP <secret> -The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. -.br -\fBEAP\fP secrets are IKEv2 only. -.TP -.B <user id> : NTLM <secret> -The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the -secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as -cleartext. -.br -\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin. -.TP -.B [ <servername> ] <username> : XAUTH <password> -The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets. -\fBXAUTH\fP secrets are IKEv1 only. -.TP -.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt -The smartcard selector always requires a keyid to uniquely select the correct -key. The slot number defines the slot on the token, the module name refers to -the module name defined in strongswan.conf(5). -Instead of specifying the pin code statically, -.B %prompt -can be specified, which causes the daemon to ask the user for the pin code. -.LP - -.SH FILES -/etc/ipsec.secrets -.SH SEE ALSO -ipsec.conf(5), strongswan.conf(5), ipsec(8) -.br -.SH HISTORY -Originally written for the FreeS/WAN project by D. 
Hugh Redelmeier.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
-.SH BUGS
-If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
-if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index ee20c9670..15e36faff 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
deleted file mode 100644
index fc99c8c47..000000000
--- a/man/strongswan.conf.5
+++ /dev/null
@@ -1,1665 +0,0 @@
-.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan"
-.SH NAME
-strongswan.conf \- strongSwan configuration file
-.SH DESCRIPTION
-While the
-.IR ipsec.conf (5)
-configuration file is well suited to define IPsec related configuration
-parameters, it is not useful for other strongSwan applications to read options
-from this file.
-The file is hard to parse and only
-.I ipsec starter
-is capable of doing so. As the number of components of the strongSwan project
-is continually growing, a more flexible configuration file was needed, one that
-is easy to extend and can be used by all components. With strongSwan 4.2.1
-.IR strongswan.conf (5)
-was introduced which meets these requirements.
-
-.SH SYNTAX
-The format of the strongswan.conf file consists of hierarchical
-.B sections
-and a list of
-.B key/value pairs
-in each section. Each section has a name, followed by C-Style curly brackets
-defining the section body. Each section body contains a set of subsections
-and key/value pairs:
-.PP
-.EX
- settings := (section|keyvalue)*
- section := name { settings }
- keyvalue := key = value\\n
-.EE
-.PP
-Values must be terminated by a newline.
-.PP
-Comments are possible using the \fB#\fP-character, but be careful: The parser
-implementation is currently limited and does not like brackets in comments.
-.PP
-Section names and keys may contain any printable character except:
-.PP
-.EX
- . { } # \\n \\t space
-.EE
-.PP
-An example file in this format might look like this:
-.PP
-.EX
- a = b
- section-one {
- somevalue = asdf
- subsection {
- othervalue = xxx
- }
- # yei, a comment
- yetanother = zz
- }
- section-two {
- x = 12
- }
-.EE
-.PP
-Indentation is optional, you may use tabs or spaces.
-
-.SH INCLUDING FILES
-Using the
-.B include
-statement it is possible to include other files into strongswan.conf, e.g.
-.PP
-.EX
- include /some/path/*.conf
-.EE
-.PP
-If the file name is not an absolute path, it is considered to be relative
-to the directory of the file containing the include statement. The file name
-may include shell wildcards (see
-.IR sh (1)).
-Also, such inclusions can be nested.
-.PP
-Sections loaded from included files
-.I extend
-previously loaded sections; already existing values are
-.IR replaced .
-It is important to note that settings are added relative to the section the
-include statement is in.
-.PP
-As an example, the following three files result in the same final
-config as the one given above:
-.PP
-.EX
- a = b
- section-one {
- somevalue = before include
- include include.conf
- }
- include other.conf
-
-include.conf:
- # settings loaded from this file are added to section-one
- # the following replaces the previous value
- somevalue = asdf
- subsection {
- othervalue = yyy
- }
- yetanother = zz
-
-other.conf:
- # this extends section-one and subsection
- section-one {
- subsection {
- # this replaces the previous value
- othervalue = xxx
- }
- }
- section-two {
- x = 12
- }
-.EE
-
-.SH READING VALUES
-Values are accessed using a dot-separated section list and a key.
-With reference to the example above, accessing
-.B section-one.subsection.othervalue
-will return
-.BR xxx .
-
-.SH DEFINED KEYS
-The following keys are currently defined (using dot notation). The default
-value (if any) is listed in brackets after the key.
-
-.SS attest section
-.TP
-.BR attest.database
-Path to database with file measurement information
-.TP
-.BR attest.load
-Plugins to load in ipsec attest tool
-
-.SS charon section
-.TP
-.BR Note :
-Many of these options also apply to \fBcharon\-cmd\fR and other
-\fBcharon\fR derivatives. Just use their respective name (e.g.
-\fIcharon\-cmd\fR) instead of \fIcharon\fR.
-.TP
-.BR charon.block_threshold " [5]"
-Maximum number of half-open IKE_SAs for a single peer IP
-.TP
-.BR charon.cisco_unity " [no]
-Send Cisco Unity vendor ID payload (IKEv1 only)
-.TP
-.BR charon.close_ike_on_child_failure " [no]"
-Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
-.TP
-.BR charon.cookie_threshold " [10]"
-Number of half-open IKE_SAs that activate the cookie mechanism
-.TP
-.BR charon.dns1
-.TQ
-.BR charon.dns2
-DNS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.dos_protection " [yes]"
-Enable Denial of Service protection using cookies and aggressiveness checks
-.TP
-.BR charon.filelog
-Section to define file loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.flush_auth_cfg " [no]"
-If enabled objects used during authentication (certificates, identities etc.)
-are released to free memory once an IKE_SA is established.
-Enabling this might conflict with plugins that later need access to e.g. the
-used certificates.
-.TP
-.BR charon.fragment_size " [512]"
-Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-fragmentation extension.
-.TP
-.BR charon.group
-Name of the group the daemon changes to after startup
-.TP
-.BR charon.half_open_timeout " [30]"
-Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.hash_and_url " [no]"
-Enable hash and URL support
-.TP
-.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
-If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
-keys, which is discouraged due to security concerns (offline attacks on the
-openly transmitted hash of the PSK)
-.TP
-.BR charon.ignore_routing_tables
-A space-separated list of routing tables to be excluded from route lookups
-.TP
-.BR charon.ikesa_limit " [0]"
-Maximum number of IKE_SAs that can be established at the same time before new
-connection attempts are blocked
-.TP
-.BR charon.ikesa_table_segments " [1]"
-Number of exclusively locked segments in the hash table
-.TP
-.BR charon.ikesa_table_size " [1]"
-Size of the IKE_SA hash table
-.TP
-.BR charon.inactivity_close_ike " [no]"
-Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
-.TP
-.BR charon.init_limit_half_open " [0]"
-Limit new connections based on the current number of half open IKE_SAs (see
-IKE_SA_INIT DROPPING).
-.TP
-.BR charon.init_limit_job_load " [0]"
-Limit new connections based on the number of jobs currently queued for
-processing (see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.initiator_only " [no]"
-Causes charon daemon to ignore IKE initiation requests.
-.TP
-.BR charon.install_routes " [yes]"
-Install routes into a separate routing table for established IPsec tunnels
-.TP
-.BR charon.install_virtual_ip " [yes]"
-Install virtual IP addresses
-.TP
-.BR charon.install_virtual_ip_on
-The name of the interface on which virtual IP addresses should be installed.
-If not specified the addresses will be installed on the outbound interface.
-.TP
-.BR charon.interfaces_ignore
-A comma-separated list of network interfaces that should be ignored, if
-.B charon.interfaces_use
-is specified this option has no effect.
-.TP
-.BR charon.interfaces_use
-A comma-separated list of network interfaces that should be used by charon.
-All other interfaces are ignored.
-.TP
-.BR charon.keep_alive " [20s]"
-NAT keep alive interval
-.TP
-.BR charon.load
-Plugins to load in the IKEv2 daemon charon
-.TP
-.BR charon.max_packet " [10000]"
-Maximum packet size accepted by charon
-.TP
-.BR charon.multiple_authentication " [yes]"
-Enable multiple authentication exchanges (RFC 4739)
-.TP
-.BR charon.nbns1
-.TQ
-.BR charon.nbns2
-WINS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT-T. If set to 0 a random port will be
-allocated. Has to be different from
-.BR charon.port ,
-otherwise a random port will be allocated.
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
-.TP
-.BR charon.retransmit_timeout " [4.0]
-Timeout in seconds before sending first retransmit
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-.TP
-.BR charon.reuse_ikesa " [yes]
-Initiate CHILD_SA within existing IKE_SAs
-.TP
-.BR charon.routing_table
-Numerical routing table to install routes to
-.TP
-.BR charon.routing_table_prio
-Priority of the routing table
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.send_vendor_id " [no]
-Send strongSwan vendor ID payload
-.TP
-.BR charon.syslog
-Section to define syslog loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon
-.TP
-.BR charon.user
-Name of the user the daemon changes to after startup
-.SS charon.plugins subsection
-.TP
-.BR charon.plugins.android_log.loglevel " [1]"
-Loglevel for logging to Android specific logger
-.TP
-.BR charon.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-configuration payload (CP)
-.TP
-.BR charon.plugins.certexpire.csv.cron
-Cron style string specifying CSV export times
-.TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
-.BR charon.plugins.certexpire.csv.force " [yes]"
-Force export of all trustchains we have a private key for
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.local
-strftime(3) format string for the CSV file name to export local certificates to
-.TP
-.BR charon.plugins.certexpire.csv.remote
-strftime(3) format string for the CSV file name to export remote certificates to
-.TP
-.BR charon.plugins.certexpire.csv.separator " [,]"
-CSV field separator
-.TP
-.BR charon.plugins.coupling.file
-File to store coupling list to
-.TP
-.BR charon.plugins.coupling.hash " [sha1]"
-Hashing algorithm to fingerprint coupled certificates
-.TP
-.BR charon.plugins.coupling.max " [1]"
-Maximum number of coupling entries to create
-.TP
-.BR charon.plugins.dhcp.force_server_address " [no]"
-Always use the configured server address. This might be helpful if the DHCP
-server runs on the same host as strongSwan, and the DHCP daemon does not listen
-on the loopback interface. In that case the server cannot be reached via
-unicast (or even 255.255.255.255) as that would be routed via loopback.
-Setting this option to yes and configuring the local broadcast address (e.g.
-192.168.0.255) as server address might work.
-.TP
-.BR charon.plugins.dhcp.identity_lease " [no]"
-Derive user-defined MAC address from hash of IKEv2 identity
-.TP
-.BR charon.plugins.dhcp.server " [255.255.255.255]"
-DHCP server unicast or broadcast IP address
-.TP
-.BR charon.plugins.duplicheck.enable " [yes]"
-Enable duplicheck plugin (if loaded)
-.TP
-.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
-Socket provided by the duplicheck plugin
-.TP
-.BR charon.plugins.eap-aka.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-aka-3ggp2.seq_check
-
-.TP
-.BR charon.plugins.eap-dynamic.preferred
-The preferred EAP method(s) to be used. If it is not given the first
-registered method will be used initially. If a comma separated list is given
-the methods are tried in the given order before trying the rest of the
-registered methods.
-.TP
-.BR charon.plugins.eap-dynamic.prefer_user " [no]"
-If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
-preferred over the methods registered locally.
-.TP
-.BR charon.plugins.eap-gtc.backend " [pam]"
-XAuth backend to be used for credential verification
-.TP
-.BR charon.plugins.eap-peap.fragment_size " [1024]"
-Maximum size of an EAP-PEAP packet
-.TP
-.BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-peap.include_length " [no]"
-Include length in non-fragmented EAP-PEAP packets
-.TP
-.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-peap.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-peap.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.eap-radius.accounting " [no]"
-Send RADIUS accounting information to RADIUS servers.
-.TP
-.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
-If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
-.TP
-.BR charon.plugins.eap-radius.class_group " [no]"
-Use the
-.I class
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
-Closes all IKE_SAs if communication with the RADIUS server times out. If it is
-not set only the current IKE_SA is closed.
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176)
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests
-.TP
-.BR charon.plugins.eap-radius.dae.secret
-Shared secret used to verify/sign DAE messages
-.TP
-.BR charon.plugins.eap-radius.eap_start " [no]"
-Send EAP-Start instead of EAP-Identity to start RADIUS conversation
-.TP
-.BR charon.plugins.eap-radius.filter_id " [no]"
-If the RADIUS
-.I tunnel_type
-attribute with value
-.B ESP
-is received, use the
-.I filter_id
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
-name or attribute number, a colon can be used to specify vendor-specific
-attributes, e.g. Reply-Message, or 11, or 36906:12).
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike
-Same as
-.B charon.plugins.eap-radius.forward.ike_to_radius
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-.TP
-.BR charon.plugins.eap-radius.id_prefix
-Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
-EAP method
-.TP
-.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
-NAS-Identifier to include in RADIUS messages
-.TP
-.BR charon.plugins.eap-radius.port " [1812]"
-Port of RADIUS server (authentication)
-.TP
-.BR charon.plugins.eap-radius.secret
-Shared secret between RADIUS and NAS
-.TP
-.BR charon.plugins.eap-radius.server
-IP/Hostname of RADIUS server
-.TP
-.BR charon.plugins.eap-radius.servers
-Section to specify multiple RADIUS servers. The
-.BR nas_identifier ,
-.BR secret ,
-.B sockets
-and
-.B port
-(or
-.BR auth_port )
-options can be specified for each server. A server's IP/Hostname can be
-configured using the
-.B address
-option. The
-.BR acct_port " [1813]"
-option can be used to specify the port used for RADIUS accounting.
-For each RADIUS server a priority can be specified using the
-.BR preference " [0]"
-option.
-.TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load
-.TP
-.BR charon.plugins.eap-sim.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-simaka-sql.database
-
-.TP
-.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
-
-.TP
-.BR charon.plugins.eap-tls.fragment_size " [1024]"
-Maximum size of an EAP-TLS packet
-.TP
-.BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tls.include_length " [yes]"
-Include length in non-fragmented EAP-TLS packets
-.TP
-.BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
-IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
-.TP
-.BR charon.plugins.eap-ttls.fragment_size " [1024]"
-Maximum size of an EAP-TTLS packet
-.TP
-.BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-ttls.include_length " [yes]"
-Include length in non-fragmented EAP-TTLS packets
-.TP
-.BR charon.plugins.eap-ttls.phase2_method " [md5]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
-Socket provided by the error-notify plugin
-.TP
-.BR charon.plugins.ha.autobalance " [0]"
-Interval in seconds to automatically balance handled segments between nodes.
-Set to 0 to disable.
-.TP
-.BR charon.plugins.ha.fifo_interface " [yes]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_delay " [1000]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_timeout " [2100]"
-
-.TP
-.BR charon.plugins.ha.local
-
-.TP
-.BR charon.plugins.ha.monitor " [yes]"
-
-.TP
-.BR charon.plugins.ha.pools
-
-.TP
-.BR charon.plugins.ha.remote
-
-.TP
-.BR charon.plugins.ha.resync " [yes]"
-
-.TP
-.BR charon.plugins.ha.secret
-
-.TP
-.BR charon.plugins.ha.segment_count " [1]"
-
-.TP
-.BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs via DNS
-.TP
-.BR charon.plugins.led.activity_led
-
-.TP
-.BR charon.plugins.led.blink_time " [50]"
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
-.TP
-.BR charon.plugins.kernel-netlink.roam_events " [yes]"
-Whether to trigger roam events when interfaces, addresses or routes change
-.TP
-.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
-Time in ms to wait until virtual IP addresses appear/disappear before failing.
-.TP
-.BR charon.plugins.load-tester
-Section to configure the load-tester plugin, see LOAD TESTS
-.TP
-.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
-Socket provided by the lookip plugin
-.TP
-.BR charon.plugins.radattr.dir
-Directory where RADIUS attributes are stored in client-ID specific files.
-.TP
-.BR charon.plugins.radattr.message_id " [-1]"
-Attributes are added to all IKE_AUTH messages by default (-1), or only to the
-IKE_AUTH message with the given IKEv2 message ID.
-.TP
-.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
-File where to add DNS server entries
-.TP
-.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
-Prefix used for interface names sent to resolvconf(8). The nameserver address
-is appended to this prefix to make it unique. The result has to be a valid
-interface name according to the rules defined by resolvconf. Also, it should
-have a high priority according to the order defined in interface-order(5).
-.TP
-.BR charon.plugins.socket-default.set_source " [yes]"
-Set source address on outbound packets, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv4 " [yes]"
-Listen on IPv4, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv6 " [yes]"
-Listen on IPv6, if possible.
-.TP
-.BR charon.plugins.sql.database
-Database URI for charons SQL plugin
-.TP
-.BR charon.plugins.sql.loglevel " [-1]"
-Loglevel for logging to SQL database
-.TP
-.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
-Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
-certificates even if they don't contain a CA basic constraint.
-.TP
-.BR charon.plugins.stroke.max_concurrent " [4]"
-Maximum number of stroke messages handled concurrently
-.TP
-.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
-Socket provided by the stroke plugin
-.TP
-.BR charon.plugins.stroke.timeout " [0]"
-Timeout in ms for any stroke command. Use 0 to disable the timeout
-.TP
-.BR charon.plugins.systime-fix.interval " [0]"
-Interval in seconds to check system time for validity. 0 disables the check
-.TP
-.BR charon.plugins.systime-fix.reauth " [no]"
-Whether to use reauth or delete if an invalid cert lifetime is detected
-.TP
-.BR charon.plugins.systime-fix.threshold
-Threshold date where system time is considered valid. Disabled if not specified
-.TP
-.BR charon.plugins.systime-fix.threshold_format " [%Y]"
-strptime(3) format used to parse threshold option
-.TP
-.BR charon.plugins.tnccs-11.max_message_size " [45000]"
-Maximum size of a PA-TNC message (XML & Base64 encoding)
-.TP
-.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
-Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
-.TP
-.BR charon.plugins.tnccs-20.max_message_size " [65490]"
-Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
-.TP
-.BR charon.plugins.tnc-ifmap.client_cert
-Path to X.509 certificate file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.client_key
-Path to private key file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan server as a PEP and/or PDP device
-.TP
-.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
-Interval in seconds between periodic IF-MAP RenewSession requests
-.TP
-.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
-URI of the form [https://]servername[:port][/path]
-.TP
-.BR charon.plugins.tnc-ifmap.server_cert
-Path to X.509 certificate file of IF-MAP server
-.TP
-.BR charon.plugins.tnc-ifmap.username_password
-Credentials of IF-MAP client of the form username:password
-.TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
-Unload IMC after use
-.TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
-Preferred language for TNC recommendations
-.TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
-.TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
-EAP tunnel method to be used
-.TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
-RADIUS server port the strongSwan PDP is listening on
-.TP
-.BR charon.plugins.tnc-pdp.secret
-Shared RADIUS secret between strongSwan PDP and NAS
-.TP
-.BR charon.plugins.tnc-pdp.server
-Name of the strongSwan PDP as contained in the AAA certificate
-.TP
-.BR charon.plugins.tnc-pdp.timeout
-Timeout in seconds before closing incomplete connections
-.TP
-.BR charon.plugins.updown.dns_handler " [no]"
-Whether the updown script should handle DNS serves assigned via IKEv1 Mode
-Config or IKEv2 Config Payloads (if enabled they can't be handled by other
-plugins, like resolve)
-.TP
-.BR charon.plugins.whitelist.enable " [yes]"
-Enable loaded whitelist plugin
-.TP
-.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
-Socket provided by the whitelist plugin
-.TP
-.BR charon.plugins.xauth-eap.backend " [radius]"
-EAP plugin to be used as backend for XAuth credential verification
-.TP
-.BR charon.plugins.xauth-pam.pam_service " [login]"
-PAM service to be used for authentication
-.SS libstrongswan section
-.TP
-.BR libstrongswan.cert_cache " [yes]"
-Whether relations in validated certificate chains should be cached in memory
-.TP
-.BR libstrongswan.crypto_test.bench " [no]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_size " [1024]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_time " [50]"
-
-.TP
-.BR libstrongswan.crypto_test.on_add " [no]"
-Test crypto algorithms during registration
-.TP
-.BR libstrongswan.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation
-.TP
-.BR libstrongswan.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm
-.TP
-.BR libstrongswan.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy
-.TP
-.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
-Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
-strength
-.TP
-.BR libstrongswan.ecp_x_coordinate_only " [yes]"
-Compliance with the errata for RFC 4753
-.TP
-.BR libstrongswan.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused)
-.TP
-.BR libstrongswan.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around
-.TP
-.BR libstrongswan.integrity_test " [no]"
-Check daemon, libstrongswan and plugin integrity at startup
-.TP
-.BR libstrongswan.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output
-.TP
-.BR libstrongswan.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.processor.priority_threads
-Subsection to configure the number of reserved threads per priority class
-see JOB PRIORITY MANAGEMENT
-.TP
-.BR libstrongswan.x509.enforce_critical " [yes]"
-Discard certificates with unsupported or unknown critical extensions
-.SS libstrongswan.plugins subsection
-.TP
-.BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon
-.TP
-.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
-Enable logging of SQL IP pool leases
-.TP
-.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
-Use faster random numbers in gcrypt; for testing only, produces weak keys!
-.TP
-.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
-ENGINE ID to use in the OpenSSL plugin
-.TP
-.BR libstrongswan.plugins.openssl.fips_mode " [0]"
-Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
-.TP
-.BR libstrongswan.plugins.pkcs11.modules
-List of available PKCS#11 modules
-.TP
-.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
-Reload certificates from all tokens if charon receives a SIGHUP
-.TP
-.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
-Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
-.TP
-.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
-Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
-operations. ECDSA private keys can be used regardless of this option
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-Whether the PKCS#11 modules should be used to hash data
-.TP
-.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
-Whether the PKCS#11 modules should be used for public key operations, even for
-keys not stored on tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
-Whether the PKCS#11 modules should be used as RNG
-.TP
-.BR libstrongswan.plugins.random.random " [/dev/random]"
-File to read random bytes from, instead of /dev/random
-.TP
-.BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
-File to read pseudo random bytes from, instead of /dev/urandom
-.TP
-.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
-File to read DNS resolver configuration from
-.TP
-.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
-.SS libtnccs section
-.TP
-.BR libtnccs.tnc_config " [/etc/tnc_config]"
-TNC IMC/IMV configuration directory
-.SS libimcv section
-.TP
-.BR libimcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute
-.TP
-.BR libimcv.database
-Global IMV policy database URI
-.TP
-.BR libimcv.debug_level " [1]"
-Debug level for a stand-alone libimcv library
-.TP
-.BR libimcv.load " [random nonce gmp pubkey x509]"
-Plugins to load in IMC/IMVs
-.TP
-.BR libimcv.os_info.name
-Manually set the name of the client OS (e.g. Ubuntu)
-.TP
-.BR libimcv.os_info.version
-Manually set the version of the client OS (e.g. 12.04 i686)
-.TP
-.BR libimcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies
-.TP
-.BR libimcv.stderr_quiet " [no]"
-isable output to stderr with a stand-alone libimcv library
-.PP
-.SS libimcv plugins section
-.TP
-.BR libimcv.plugins.imc-attestation.aik_blob
-AIK encrypted private key blob file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_cert
-AIK certificate file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_key
-AIK public key file
-.TP
-.BR libimcv.plugins.imv-attestation.nonce_len " [20]"
-DH nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature
-.TP
-.BR libimcv.plugins.imv-attestation.cadir
-Path to directory with AIK cacerts
-.TP
-.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie-Hellman group
-.TP
-.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm
-.TP
-.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.remediation_uri
-URI pointing to attestation remediation instructions
-.TP
-.BR libimcv.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted
-.TP
-.BR libimcv.plugins.imv-os.remediation_uri
-URI pointing to operating system remediation instructions
-.TP
-.BR libimcv.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted
-.TP
-.BR libimcv.plugins.imv-scanner.remediation_uri
-URI pointing to scanner remediation instructions
-.TP
-.BR libimcv.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs
-.TP
-.BR libimcv.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV
-.TP
-.BR libimcv.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled)
-.TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
-.BR libimcv.plugins.imc-test.retry " [no]"
-Do a handshake retry
-.TP
-.BR libimcv.plugins.imc-test.retry_command
-Command to be sent to the Test IMV in the handshake retry
-.TP
-.BR libimcv.plugins.imv-test.rounds " [0]"
-Number of IMC-IMV retry rounds
-.SS manager section
-.TP
-.BR manager.database
-Credential database URI for manager
-.TP
-.BR manager.debug " [no]"
-Enable debugging in manager
-.TP
-.BR manager.load
-Plugins to load in manager
-.TP
-.BR manager.socket
-FastCGI socket of manager, to run it statically
-.TP
-.BR manager.threads " [10]"
-Threads to use for request handling
-.TP
-.BR manager.timeout " [15m]"
-Session timeout for manager
-.SS mediation client section
-.TP
-.BR medcli.database
-Mediation client database URI
-.TP
-.BR medcli.dpd " [5m]"
-DPD timeout to use in mediation client plugin
-.TP
-.BR medcli.rekey " [20m]"
-Rekeying time on mediation connections in mediation client plugin
-.SS mediation server section
-.TP
-.BR medsrv.database
-Mediation server database URI
-.TP
-.BR medsrv.debug " [no]"
-Debugging in mediation server web application
-.TP
-.BR medsrv.dpd " [5m]"
-DPD timeout to use in mediation server plugin
-.TP
-.BR medsrv.load
-Plugins to load in mediation server plugin
-.TP
-.BR medsrv.password_length " [6]"
-Minimum password length required for mediation server user accounts
-.TP
-.BR medsrv.rekey " [20m]"
-Rekeying time on mediation connections in mediation server plugin
-.TP
-.BR medsrv.socket
-Run Mediation server web application statically on socket
-.TP
-.BR medsrv.threads " [5]"
-Number of thread for mediation service web application
-.TP
-.BR medsrv.timeout " [15m]"
-Session timeout for mediation service
-.SS openac section
-.TP
-.BR openac.load
-Plugins to load in ipsec openac tool
-.SS pacman section
-.TP
-.BR pacman.database
-Database URI for the database that stores the package information
-.SS pki section
-.TP
-.BR pki.load
-Plugins to load in ipsec pki tool
-.SS pool section
-.TP
-.BR pool.load
-Plugins to load in ipsec pool tool
-.SS scepclient section
-.TP
-.BR scepclient.load
-Plugins to load in ipsec scepclient tool
-.SS starter section
-.TP
-.BR starter.load
-Plugins to load in starter
-.TP
-.BR starter.load_warning " [yes]"
-Disable charon plugin load option warning
-
-.SH LOGGER CONFIGURATION
-The options described below provide a much more flexible way to configure
-loggers for the IKEv2 daemon charon than using the
-.B charondebug
-option in
-.BR ipsec.conf (5).
-.PP
-.B Please note
-that if any loggers are specified in strongswan.conf,
-.B charondebug
-does not have any effect.
-.PP
-There are currently two types of loggers defined:
-.TP
-.B File loggers
-Log directly to a file and are defined by specifying the full path to the
-file as subsection in the
-.B charon.filelog
-section. To log to the console the two special filenames
-.BR stdout " and " stderr
-can be used.
-.TP
-.B Syslog loggers
-Log into a syslog facility and are defined by specifying the facility to log to
-as the name of a subsection in the
-.B charon.syslog
-section. The following facilities are currently supported:
-.BR daemon " and " auth .
-.PP
-Multiple loggers can be defined for each type with different log verbosity for
-the different subsystems of the daemon.
-.SS Options
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-.TQ
-.BR charon.syslog.<facility>.default
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-.TQ
-.BR charon.syslog.<facility>.<subsystem>
-Specifies the loglevel for the given subsystem.
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-.TP -.BR charon.filelog.<filename>.ike_name " [no]" -.TQ -.BR charon.syslog.<facility>.ike_name -Prefix each log entry with the connection name and a unique numerical -identifier for each IKE_SA. -.TP -.BR charon.filelog.<filename>.time_format -Prefix each log entry with a timestamp. The option accepts a format string as -passed to -.BR strftime (3). -.TP -.BR charon.syslog.identifier -Global identifier used for an -.BR openlog (3) -call, prepended to each log message by syslog. If not configured, -.BR openlog (3) -is not called, so the value will depend on system defaults (often the program -name). - -.SS Subsystems -.TP -.B dmn -Main daemon setup/cleanup/signal handling -.TP -.B mgr -IKE_SA manager, handling synchronization for IKE_SA access -.TP -.B ike -IKE_SA -.TP -.B chd -CHILD_SA -.TP -.B job -Jobs queueing/processing and thread pool management -.TP -.B cfg -Configuration management and plugins -.TP -.B knl -IPsec/Networking kernel interface -.TP -.B net -IKE network communication -.TP -.B asn -Low-level encoding/decoding (ASN.1, X.509 etc.) -.TP -.B enc -Packet encoding/decoding encryption/decryption operations -.TP -.B tls -libtls library messages -.TP -.B esp -libipsec library messages -.TP -.B lib -libstrongwan library messages -.TP -.B tnc -Trusted Network Connect -.TP -.B imc -Integrity Measurement Collector -.TP -.B imv -Integrity Measurement Verifier -.TP -.B pts -Platform Trust Service -.SS Loglevels -.TP -.B -1 -Absolutely silent -.TP -.B 0 -Very basic auditing logs, (e.g. SA up/SA down) -.TP -.B 1 -Generic control flow with errors, a good default to see whats going on -.TP -.B 2 -More detailed debugging control flow -.TP -.B 3 -Including RAW data dumps in Hex -.TP -.B 4 -Also include sensitive material in dumps, e.g. 
keys -.SS Example -.PP -.EX - charon { - filelog { - /var/log/charon.log { - time_format = %b %e %T - append = no - default = 1 - } - stderr { - ike = 2 - knl = 3 - ike_name = yes - } - } - syslog { - # enable logging to LOG_DAEMON, use defaults - daemon { - } - # minimalistic IKE auditing logging to LOG_AUTHPRIV - auth { - default = -1 - ike = 0 - } - } - } -.EE - -.SH JOB PRIORITY MANAGEMENT -Some operations in the IKEv2 daemon charon are currently implemented -synchronously and blocking. Two examples for such operations are communication -with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during -certificate chain verification. Under high load conditions, the thread pool may -run out of available threads, and some more important jobs, such as liveness -checking, may not get executed in time. -.PP -To prevent thread starvation in such situations job priorities were introduced. -The job processor will reserve some threads for higher priority jobs, these -threads are not available for lower priority, locking jobs. -.SS Implementation -Currently 4 priorities have been defined, and they are used in charon as -follows: -.TP -.B CRITICAL -Priority for long-running dispatcher jobs. -.TP -.B HIGH -INFORMATIONAL exchanges, as used by liveness checking (DPD). -.TP -.B MEDIUM -Everything not HIGH/LOW, including IKE_SA_INIT processing. -.TP -.B LOW -IKE_AUTH message processing. RADIUS and CRL fetching block here -.PP -Although IKE_SA_INIT processing is computationally expensive, it is explicitly -assigned to the MEDIUM class. This allows charon to do the DH exchange while -other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more -IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING. -.PP -The thread pool processes jobs strictly by priority, meaning it will consume all -higher priority jobs before looking for ones with lower priority. Further, it -reserves threads for certain priorities. 
A priority class having reserved -.I n -threads will always have -.I n -threads available for this class (either currently processing a job, or waiting -for one). -.SS Configuration -To ensure that there are always enough threads available for higher priority -tasks, threads must be reserved for each priority class. -.TP -.BR libstrongswan.processor.priority_threads.critical " [0]" -Threads reserved for CRITICAL priority class jobs -.TP -.BR libstrongswan.processor.priority_threads.high " [0]" -Threads reserved for HIGH priority class jobs -.TP -.BR libstrongswan.processor.priority_threads.medium " [0]" -Threads reserved for MEDIUM priority class jobs -.TP -.BR libstrongswan.processor.priority_threads.low " [0]" -Threads reserved for LOW priority class jobs -.PP -Let's consider the following configuration: -.PP -.EX - libstrongswan { - processor { - priority_threads { - high = 1 - medium = 4 - } - } - } -.EE -.PP -With this configuration, one thread is reserved for HIGH priority tasks. As -currently only liveness checking and stroke message processing is done with -high priority, one or two threads should be sufficient. -.PP -The MEDIUM class mostly processes non-blocking jobs. Unless your setup is -experiencing many blocks in locks while accessing shared resources, threads for -one or two times the number of CPU cores is fine. -.PP -It is usually not required to reserve threads for CRITICAL jobs. Jobs in this -class rarely return and do not release their thread to the pool. -.PP -The remaining threads are available for LOW priority jobs. Reserving threads -does not make sense (until we have an even lower priority). -.SS Monitoring -To see what the threads are actually doing, invoke -.IR "ipsec statusall" . -Under high load, something like this will show up: -.PP -.EX - worker threads: 2 or 32 idle, 5/1/2/22 working, - job queue: 0/0/1/149, scheduled: 198 -.EE -.PP -From 32 worker threads, -.IP 2 -are currently idle. 
-.IP 5 -are running CRITICAL priority jobs (dispatching from sockets, etc.). -.IP 1 -is currently handling a HIGH priority job. This is actually the thread currently -providing this information via stroke. -.IP 2 -are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA -messages. -.IP 22 -are handling LOW priority jobs, probably waiting for an EAP-RADIUS response -while processing IKE_AUTH messages. -.PP -The job queue load shows how many jobs are queued for each priority, ready for -execution. The single MEDIUM priority job will get executed immediately, as -we have two spare threads reserved for MEDIUM class jobs. - -.SH IKE_SA_INIT DROPPING -If a responder receives more connection requests per seconds than it can handle, -it does not make sense to accept more IKE_SA_INIT messages. And if they are -queued but can't get processed in time, an answer might be sent after the -client has already given up and restarted its connection setup. This -additionally increases the load on the responder. -.PP -To limit the responder load resulting from new connection attempts, the daemon -can drop IKE_SA_INIT messages just after reception. There are two mechanisms to -decide if this should happen, configured with the following options: -.TP -.BR charon.init_limit_half_open " [0]" -Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in -connecting state, but not yet established. -.TP -.BR charon.init_limit_job_load " [0]" -Limit based on the number of jobs currently queued for processing (sum over all -job priorities). -.PP -The second limit includes load from other jobs, such as rekeying. Choosing a -good value is difficult and depends on the hardware and expected load. -.PP -The first limit is simpler to calculate, but includes the load from new -connections only. If your responder is capable of negotiating 100 tunnels/s, you -might set this limit to 1000. 
The daemon will then drop new connection attempts -if generating a response would require more than 10 seconds. If you are -allowing for a maximum response time of more than 30 seconds, consider adjusting -the timeout for connecting IKE_SAs -.RB ( charon.half_open_timeout ). -A responder, by default, deletes an IKE_SA if the initiator does not establish -it within 30 seconds. Under high load, a higher value might be required. - -.SH LOAD TESTS -To do stability testing and performance optimizations, the IKEv2 daemon charon -provides the load-tester plugin. This plugin allows one to setup thousands of -tunnels concurrently against the daemon itself or a remote host. -.PP -.B WARNING: -Never enable the load-testing plugin on productive systems. It provides -preconfigured credentials and allows an attacker to authenticate as any user. -.SS Options -.TP -.BR charon.plugins.load-tester.addrs -Subsection that contains key/value pairs with address pools (in CIDR notation) -to use for a specific network interface e.g. eth0 = 10.10.0.0/16 -.TP -.BR charon.plugins.load-tester.addrs_keep " [no]" -Whether to keep dynamic addresses even after the associated SA got terminated -.TP -.BR charon.plugins.load-tester.addrs_prefix " [16]" -Network prefix length to use when installing dynamic addresses. If set to -1 the -full address is used (i.e. 
32 or 128) -.TP -.BR charon.plugins.load-tester.ca_dir -Directory to load (intermediate) CA certificates from -.TP -.BR charon.plugins.load-tester.child_rekey " [600]" -Seconds to start CHILD_SA rekeying after setup -.TP -.BR charon.plugins.load-tester.delay " [0]" -Delay between initiatons for each thread -.TP -.BR charon.plugins.load-tester.delete_after_established " [no]" -Delete an IKE_SA as soon as it has been established -.TP -.BR charon.plugins.load-tester.digest " [sha1]" -Digest algorithm used when issuing certificates -.TP -.BR charon.plugins.load-tester.dpd_delay " [0]" -DPD delay to use in load test -.TP -.BR charon.plugins.load-tester.dynamic_port " [0]" -Base port to be used for requests (each client uses a different port) -.TP -.BR charon.plugins.load-tester.eap_password " [default-pwd]" -EAP secret to use in load test -.TP -.BR charon.plugins.load-tester.enable " [no]" -Enable the load testing plugin -.TP -.BR charon.plugins.load-tester.esp " [aes128-sha1]" -CHILD_SA proposal to use for load tests -.TP -.BR charon.plugins.load-tester.fake_kernel " [no]" -Fake the kernel interface to allow load-testing against self -.TP -.BR charon.plugins.load-tester.ike_rekey " [0]" -Seconds to start IKE_SA rekeying after setup -.TP -.BR charon.plugins.load-tester.init_limit " [0]" -Global limit of concurrently established SAs during load test -.TP -.BR charon.plugins.load-tester.initiator " [0.0.0.0]" -Address to initiate from -.TP -.BR charon.plugins.load-tester.initiators " [0]" -Number of concurrent initiator threads to use in load test -.TP -.BR charon.plugins.load-tester.initiator_auth " [pubkey]" -Authentication method(s) the intiator uses -.TP -.BR charon.plugins.load-tester.initiator_id -Initiator ID used in load test -.TP -.BR charon.plugins.load-tester.initiator_match -Initiator ID to match against as responder -.TP -.BR charon.plugins.load-tester.initiator_tsi -Traffic selector on initiator side, as proposed by initiator -.TP -.BR 
charon.plugins.load-tester.initiator_tsr -Traffic selector on responder side, as proposed by initiator -.TP -.BR charon.plugins.load-tester.iterations " [1]" -Number of IKE_SAs to initiate by each initiator in load test -.TP -.BR charon.plugins.load-tester.issuer_cert -Path to the issuer certificate (if not configured a hard-coded value is used) -.TP -.BR charon.plugins.load-tester.issuer_key -Path to private key that is used to issue certificates (if not configured a -hard-coded value is used) -.TP -.BR charon.plugins.load-tester.pool -Provide INTERNAL_IPV4_ADDRs from a named pool -.TP -.BR charon.plugins.load-tester.preshared_key " [default-psk]" -Preshared key to use in load test -.TP -.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" -IKE proposal to use in load test -.TP -.BR charon.plugins.load-tester.responder " [127.0.0.1]" -Address to initiation connections to -.TP -.BR charon.plugins.load-tester.responder_auth " [pubkey]" -Authentication method(s) the responder uses -.TP -.BR charon.plugins.load-tester.responder_id -Responder ID used in load test -.TP -.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" -Traffic selector on initiator side, as narrowed by responder -.TP -.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" -Traffic selector on responder side, as narrowed by responder -.TP -.BR charon.plugins.load-tester.request_virtual_ip " [no]" -Request an INTERNAL_IPV4_ADDR from the server -.TP -.BR charon.plugins.load-tester.shutdown_when_complete " [no]" -Shutdown the daemon after all IKE_SAs have been established -.TP -.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" -Socket provided by the load-tester plugin -.TP -.BR charon.plugins.load-tester.version " [0]" -IKE version to use (0 means use IKEv2 as initiator and accept any version as -responder) -.PP -.SS Configuration details -For public key authentication, the responder uses the -.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq -identity. 
For the initiator, each connection attempt uses a different identity -in the form -.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , -where the first number inidicates the client number, the second the -authentication round (if multiple authentication is used). -.PP -For PSK authentication, FQDN identities are used. The server uses -.BR srv.strongswan.org , -the client uses an identity in the form -.BR c1-r1.strongswan.org . -.PP -For EAP authentication, the client uses a NAI in the form -.BR 100000000010001@strongswan.org . -.PP -To configure multiple authentication, concatenate multiple methods using, e.g. -.EX - initiator_auth = pubkey|psk|eap-md5|eap-aka -.EE -.PP -The responder uses a hardcoded certificate based on a 1024-bit RSA key. -This certificate additionally serves as CA certificate. A peer uses the same -private key, but generates client certificates on demand signed by the CA -certificate. Install the Responder/CA certificate on the remote host to -authenticate all clients. -.PP -To speed up testing, the load tester plugin implements a special Diffie-Hellman -implementation called modpnull. By setting -.EX - proposal = aes128-sha1-modpnull -.EE -this wicked fast DH implementation is used. It does not provide any security -at all, but allows one to run tests without DH calculation overhead. -.SS Examples -.PP -In the simplest case, the daemon initiates IKE_SAs against itself using the -loopback interface. This will actually establish double the number of IKE_SAs, -as the daemon is initiator and responder for each IKE_SA at the same time. -Installation of IPsec SAs would fails, as each SA gets installed twice. To -simulate the correct behavior, a fake kernel interface can be enabled which does -not install the IPsec SAs at the kernel level. 
-.PP -A simple loopback configuration might look like this: -.PP -.EX - charon { - # create new IKE_SAs for each CHILD_SA to simulate - # different clients - reuse_ikesa = no - # turn off denial of service protection - dos_protection = no - - plugins { - load-tester { - # enable the plugin - enable = yes - # use 4 threads to initiate connections - # simultaneously - initiators = 4 - # each thread initiates 1000 connections - iterations = 1000 - # delay each initiation in each thread by 20ms - delay = 20 - # enable the fake kernel interface to - # avoid SA conflicts - fake_kernel = yes - } - } - } -.EE -.PP -This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay -value if your box can not handle that much load, or decrease it to put more -load on it. If the daemon starts retransmitting messages your box probably can -not handle all connection attempts. -.PP -The plugin also allows one to test against a remote host. This might help to -test against a real world configuration. 
A connection setup to do stress -testing of a gateway might look like this: -.PP -.EX - charon { - reuse_ikesa = no - threads = 32 - - plugins { - load-tester { - enable = yes - # 10000 connections, ten in parallel - initiators = 10 - iterations = 1000 - # use a delay of 100ms, overall time is: - # iterations * delay = 100s - delay = 100 - # address of the gateway - remote = 1.2.3.4 - # IKE-proposal to use - proposal = aes128-sha1-modp1024 - # use faster PSK authentication instead - # of 1024bit RSA - initiator_auth = psk - responder_auth = psk - # request a virtual IP using configuration - # payloads - request_virtual_ip = yes - # enable CHILD_SA every 60s - child_rekey = 60 - } - } - } -.EE - -.SH IKEv2 RETRANSMISSION -Retransmission timeouts in the IKEv2 daemon charon can be configured globally -using the three keys listed below: -.PP -.RS -.nf -.BR charon.retransmit_base " [1.8]" -.BR charon.retransmit_timeout " [4.0]" -.BR charon.retransmit_tries " [5]" -.fi -.RE -.PP -The following algorithm is used to calculate the timeout: -.PP -.EX - relative timeout = retransmit_timeout * retransmit_base ^ (n-1) -.EE -.PP -Where -.I n -is the current retransmission count. -.PP -Using the default values, packets are retransmitted in: - -.TS -l r r ---- -lB r r. -Retransmission Relative Timeout Absolute Timeout -1 4s 4s -2 7s 11s -3 13s 24s -4 23s 47s -5 42s 89s -giving up 76s 165s -.TE - -.SH FILES -/etc/strongswan.conf - -.SH SEE ALSO -\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) - -.SH HISTORY -Written for the -.UR http://www.strongswan.org -strongSwan project -.UE -by Tobias Brunner, Andreas Steffen and Martin Willi. diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 847d9d520..db63d36f4 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in 
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-10-29" "@PACKAGE_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -319,7 +319,11 @@ Send strongSwan vendor ID payload
 Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
-Number of worker threads in charon
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.I ipsec statusall
+might be used as indicator on the number of reserved threads.
 .TP
 .BR charon.user
 Name of the user the daemon changes to after startup
@@ -379,10 +383,13 @@ Derive user-defined MAC address from hash of IKEv2 identity
 .BR charon.plugins.dhcp.server " [255.255.255.255]"
 DHCP server unicast or broadcast IP address
 .TP
+.BR charon.plugins.dnscert.enable " [no]"
+Enable fetching of CERT RRs via DNS
+.TP
 .BR charon.plugins.duplicheck.enable " [yes]"
 Enable duplicheck plugin (if loaded)
 .TP
-.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+.BR charon.plugins.duplicheck.socket " [unix://@piddir@/charon.dck]"
 Socket provided by the duplicheck plugin
 .TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
@@ -522,6 +529,27 @@ option. .BR charon.plugins.eap-radius.sockets " [1]" Number of sockets (ports) to use, increase for high load .TP +.BR charon.plugins.eap-radius.xauth +Section to configure multiple XAuth authentication rounds via RADIUS. The subsections define so called +authentication profiles with arbitrary names. In each profile section one or more XAuth types can be +configured, with an assigned message. For each type a separate XAuth exchange will be initiated and all +replies get concatenated into the User-Password attribute, which then gets verified over RADIUS. + +Available XAuth types are \fBpassword\fR, \fBpasscode\fR, \fBnextpin\fR, and \fBanswer\fR. This type is +not relevant to strongSwan or the AAA server, but the client may show a different dialog (along with the +configured message). + +To use the configured profiles, they have to be configured in the respective connection in +.IR ipsec.conf (5) +by appending the profile name, separated by a colon, to the +.B xauth-radius +XAauth backend configuration in +.I rightauth +or +.IR rightauth2 , +for instance, +.IR rightauth2=xauth-radius:profile . +.TP .BR charon.plugins.eap-sim.request_identity " [yes]" .TP @@ -567,7 +595,7 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP -.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]" Socket provided by the error-notify plugin .TP .BR charon.plugins.ha.autobalance " [0]" @@ -605,7 +633,7 @@ Set to 0 to disable. .TP .BR charon.plugins.ipseckey.enable " [no]" -Enable the fetching of IPSECKEY RRs via DNS +Enable fetching of IPSECKEY RRs via DNS .TP .BR charon.plugins.led.activity_led 
@@ -619,16 +647,32 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
+Allow that the remote traffic selector equals the IKE peer. The route installed
+for such traffic (via TUN device) usually prevents further IKE traffic. The
+fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can
+be used to circumvent that problem.
+.TP
+.BR charon.plugins.kernel-netlink.fwmark
+Firewall mark to set on the routing rule that directs traffic to our own routing
+table. The format is [!]mark[/mask], where the optional exclamation mark inverts
+the meaning (i.e. the rule only applies to packets that don't match the mark).
+.TP
 .BR charon.plugins.kernel-netlink.roam_events " [yes]"
 Whether to trigger roam events when interfaces, addresses or routes change
 .TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel. The value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+acquire messages sent.
+.TP
 .BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
 Time in ms to wait until virtual IP addresses appear/disappear before failing.
 .TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
-.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
 Socket provided by the lookip plugin
 .TP
 .BR charon.plugins.radattr.dir
@@ -647,6 +691,9 @@ is appended to this prefix to make it unique. The result has to be a valid interface name according to the rules defined by resolvconf. Also, it should have a high priority according to the order defined in interface-order(5). .TP +.BR charon.plugins.socket-default.fwmark +Firewall mark to set on outbound packets. +.TP .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. .TP @@ -669,7 +716,7 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP -.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +.BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]" Socket provided by the stroke plugin .TP .BR charon.plugins.stroke.timeout " [0]" @@ -687,15 +734,6 @@ Threshold date where system time is considered valid. Disabled if not specified .BR charon.plugins.systime-fix.threshold_format " [%Y]" strptime(3) format used to parse threshold option .TP -.BR charon.plugins.tnccs-11.max_message_size " [45000]" -Maximum size of a PA-TNC message (XML & Base64 encoding) -.TP -.BR charon.plugins.tnccs-20.max_batch_size " [65522]" -Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) -.TP -.BR charon.plugins.tnccs-20.max_message_size " [65490]" -Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) -.TP .BR charon.plugins.tnc-ifmap.client_cert Path to X.509 certificate file of IF-MAP client .TP 
@@ -717,22 +755,22 @@ Path to X.509 certificate file of IF-MAP server
 .BR charon.plugins.tnc-ifmap.username_password
 Credentials of IF-MAP client of the form username:password
 .TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
-Unload IMC after use
+.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
+Enable PT-TLS protocol on the strongSwan PDP
 .TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
-Preferred language for TNC recommendations
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT-TLS server port the strongSwan PDP is listening on
 .TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
+.BR charon.plugins.tnc-pdp.radius.enable " [yes]"
+Enable RADIUS protocol on the strongSwan PDP
 .TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
 EAP tunnel method to be used
 .TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
 RADIUS server port the strongSwan PDP is listening on
 .TP
-.BR charon.plugins.tnc-pdp.secret
+.BR charon.plugins.tnc-pdp.radius.secret
 Shared RADIUS secret between strongSwan PDP and NAS
 .TP
 .BR charon.plugins.tnc-pdp.server
@@ -749,7 +787,7 @@ plugins, like resolve)
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin
 .TP
-.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+.BR charon.plugins.whitelist.socket " [unix://@piddir@/charon.wlst]"
 Socket provided by the whitelist plugin
 .TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
@@ -757,6 +795,10 @@ EAP plugin to be used as backend for XAuth credential verification
 .TP
 .BR charon.plugins.xauth-pam.pam_service " [login]"
 PAM service to be used for authentication
+.TP
+.BR charon.plugins.xauth-pam.trim_email " [yes]"
+If an email address is given as an XAuth username, trim it to just the
+username part.
 .SS libstrongswan section
 .TP
 .BR libstrongswan.cert_cache " [yes]"
@@ -857,17 +899,25 @@ keys not stored on tokens
 .BR libstrongswan.plugins.pkcs11.use_rng " [no]"
 Whether the PKCS#11 modules should be used as RNG
 .TP
-.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
-File to read random bytes from, instead of @DEV_RANDOM@
+.BR libstrongswan.plugins.random.random " [@random_device@]"
+File to read random bytes from, instead of @random_device@
 .TP
-.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
-File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
+File to read pseudo random bytes from, instead of @urandom_device@
 .TP
 .BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
 File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR libstrongswan.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
 .SS libtls section
 .TP
 .BR libtls.cipher
@@ -885,6 +935,26 @@ List of TLS cipher suites
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
 TNC IMC/IMV configuration directory
+.PP
+.SS libtnccs plugins section
+.TP
+.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
+.BR libtnccs.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
+.BR libtnccs.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR libtnccs.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
 .SS libimcv section
 .TP
 .BR libimcv.assessment_result " [yes]"
@@ -955,6 +1025,9 @@ Send open listening ports without being prompted
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
+.BR libimcv.plugins.imc-swid.swid_directory " [@prefix@/share]"
+Directory where SWID tags are located
+.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -1048,6 +1121,10 @@ Plugins to load in ipsec pki tool
 .TP
 .BR pool.load
 Plugins to load in ipsec pool tool
+.SS pt-tls-client section
+.TP
+.BR pt-tls-client.load
+Plugins to load in ipsec pt-tls-client tool
 .SS scepclient section
 .TP
 .BR scepclient.load
@@ -1463,6 +1540,9 @@ Path to the issuer certificate (if not configured a hard-coded value is used)
 Path to private key that is used to issue certificates (if not configured a
 hard-coded value is used)
 .TP
+.BR charon.plugins.load-tester.mode " [tunnel]"
+IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR.
+.TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
 .TP
@@ -1493,7 +1573,7 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
-.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]"
 Socket provided by the load-tester plugin
 .TP
 .BR charon.plugins.load-tester.version " [0]" |