authorYves-Alexis Perez <corsac@debian.org>2013-11-01 13:32:07 +0100
committerYves-Alexis Perez <corsac@debian.org>2013-11-01 13:32:07 +0100
commita54780509260a8cb6f0344f531da168b34410dd5 (patch)
tree477239a312679174252f39f7a80bc8bf33836d9a /man
parent6e50941f7ce9c6f2d6888412968c7f4ffb495379 (diff)
parent5313d2d78ca150515f7f5eb39801c100690b6b29 (diff)
downloadvyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.tar.gz
vyos-strongswan-a54780509260a8cb6f0344f531da168b34410dd5.zip
Merge tag 'upstream/5.1.1'
Upstream version 5.1.1
Diffstat (limited to 'man')
-rw-r--r--man/Makefile.am17
-rw-r--r--man/Makefile.in162
-rw-r--r--man/ipsec.conf.51280
-rw-r--r--man/ipsec.conf.5.in67
-rw-r--r--man/ipsec.secrets.5195
-rw-r--r--man/ipsec.secrets.5.in2
-rw-r--r--man/strongswan.conf.51665
-rw-r--r--man/strongswan.conf.5.in144
8 files changed, 274 insertions, 3258 deletions
diff --git a/man/Makefile.am b/man/Makefile.am
index 0becd24c7..266ef7d3a 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -1,13 +1,6 @@
-dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
-EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
-CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
+man_MANS = \
+ ipsec.conf.5 \
+ ipsec.secrets.5 \
+ strongswan.conf.5
-SUFFIXES = .in
-
-.in:
- $(AM_V_GEN) \
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- -e "s:@DEV_URANDOM@:$(urandom_device):" \
- -e "s:@DEV_RANDOM@:$(random_device):" \
- $(srcdir)/$@.in > $@
+CLEANFILES = $(man_MANS)
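Review bot: The new `man_MANS` list depends on the pages being produced by config.status (the `ipsec.conf.5: $(top_builddir)/config.status $(srcdir)/ipsec.conf.5.in` rules in the Makefile.in hunk), but config.status substitutes only the names configure exports and passes any other `@...@` token through unchanged, whereas the dropped sed rule explicitly mapped `@IPSEC_VERSION@`, `@DEV_URANDOM@` and `@DEV_RANDOM@`; the Makefile.in hunk shows configure exporting `urandom_device`, not `DEV_URANDOM`. If the `.in` files (changed in this merge but not shown here) still use the old placeholder names and configure.ac does not substitute them, the installed pages would carry the raw placeholders with no build error, so this is worth confirming against the `.in` hunks and configure.ac. A comment on the list would record the dependency: `# generated by config.status from the .in files; placeholders must be names configure substitutes`. `CLEANFILES = $(man_MANS)` appears to overlap with automake's own handling of these outputs (they also show up in CONFIG_CLEAN_FILES in Makefile.in), which looks harmless but could use a word on why `make clean` should remove them.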
diff --git a/man/Makefile.in b/man/Makefile.in
index 0bc64a6eb..9c970cdcd 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,9 +1,8 @@
-# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# Makefile.in generated by automake 1.13.3 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
-# Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -15,23 +14,51 @@
@SET_MAKE@
VPATH = @srcdir@
-am__make_dryrun = \
- { \
- am__dry=no; \
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
- echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
- | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
- *) \
- for am__flg in $$MAKEFLAGS; do \
- case $$am__flg in \
- *=*|--*) ;; \
- *n*) am__dry=yes; break;; \
- esac; \
- done;; \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
- test $$am__dry = yes; \
- }
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -51,14 +78,16 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = man
-DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
- $(srcdir)/Makefile.in
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(srcdir)/ipsec.conf.5.in $(srcdir)/ipsec.secrets.5.in \
+ $(srcdir)/strongswan.conf.5.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
$(top_srcdir)/m4/config/ltsugar.m4 \
$(top_srcdir)/m4/config/ltversion.m4 \
$(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
$(top_srcdir)/m4/macros/with.m4 \
$(top_srcdir)/m4/macros/enable-disable.m4 \
$(top_srcdir)/m4/macros/add-plugin.m4 \
@@ -67,14 +96,20 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_FILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
+am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
@@ -112,7 +147,8 @@ am__uninstall_files_from_dir = { \
man5dir = $(mandir)/man5
am__installdirs = "$(DESTDIR)$(man5dir)"
NROFF = nroff
-MANS = $(dist_man_MANS)
+MANS = $(man_MANS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -187,6 +223,10 @@ PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
@@ -303,6 +343,7 @@ starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -310,14 +351,15 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-dist_man_MANS = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
-EXTRA_DIST = ipsec.conf.5.in ipsec.secrets.5.in strongswan.conf.5.in
-CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
-SUFFIXES = .in
+man_MANS = \
+ ipsec.conf.5 \
+ ipsec.secrets.5 \
+ strongswan.conf.5
+
+CLEANFILES = $(man_MANS)
all: all-am
.SUFFIXES:
-.SUFFIXES: .in
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
@@ -348,16 +390,22 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
+ipsec.conf.5: $(top_builddir)/config.status $(srcdir)/ipsec.conf.5.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+ipsec.secrets.5: $(top_builddir)/config.status $(srcdir)/ipsec.secrets.5.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+strongswan.conf.5: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
-install-man5: $(dist_man_MANS)
+install-man5: $(man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
- list2='$(dist_man_MANS)'; \
+ list2='$(man_MANS)'; \
test -n "$(man5dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
@@ -392,32 +440,19 @@ uninstall-man5:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man5dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
- l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.5[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
-tags: TAGS
-TAGS:
+tags TAGS:
-ctags: CTAGS
-CTAGS:
+ctags CTAGS:
+
+cscope cscopelist:
distdir: $(DISTFILES)
- @list='$(MANS)'; if test -n "$$list"; then \
- list=`for p in $$list; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
- if test -n "$$list" && \
- grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
- echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
- grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
- echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
- echo " typically \`make maintainer-clean' will remove them" >&2; \
- exit 1; \
- else :; fi; \
- else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -556,25 +591,18 @@ uninstall-man: uninstall-man5
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
- distclean distclean-generic distclean-libtool distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-man5 \
- install-pdf install-pdf-am install-ps install-ps-am \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- uninstall uninstall-am uninstall-man uninstall-man5
-
-
-.in:
- $(AM_V_GEN) \
- sed \
- -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
- -e "s:@DEV_URANDOM@:$(urandom_device):" \
- -e "s:@DEV_RANDOM@:$(random_device):" \
- $(srcdir)/$@.in > $@
+ cscopelist-am ctags-am distclean distclean-generic \
+ distclean-libtool distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-man5 install-pdf install-pdf-am install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am tags-am uninstall uninstall-am uninstall-man \
+ uninstall-man5
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
deleted file mode 100644
index 76bef614f..000000000
--- a/man/ipsec.conf.5
+++ /dev/null
@@ -1,1280 +0,0 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
- left=192.168.0.1
- leftsubnet=10.1.0.0/16
- right=192.168.0.2
- rightsubnet=10.1.0.0/16
- keyingtries=%forever
- auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan previously used two separate keying daemons, \fIpluto\fP and
-\fIcharon\fP. This manual does not discuss \fIpluto\fP options anymore, but
-only \fIcharon\fP that since strongSwan 5.0 supports both IKEv1 and IKEv2.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP
-.BR aaa_identity " = <id>"
-defines the identity of the AAA backend used during IKEv2 EAP authentication.
-This is required if the EAP client uses a method that verifies the server
-identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
-.TP
-.BR aggressive " = yes | " no
-whether to use IKEv1 Aggressive or Main Mode (the default).
-.TP
-.BR also " = <name>"
-includes conn section
-.BR <name> .
-.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
-how the two security gateways should authenticate each other;
-acceptable values are
-.B psk
-or
-.B secret
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-This parameter is deprecated, as two peers do not need to agree on an
-authentication method in IKEv2. Use the
-.B leftauth
-parameter instead to define authentication methods.
-.TP
-.BR auto " = " ignore " | add | route | start"
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.BR rightsubnet ,
-a connection is established.
-.B start
-loads a connection and brings it up immediately.
-.B ignore
-ignores the connection. This is equal to deleting a connection from the config
-file.
-Relevant only locally, other end need not agree on it.
-.TP
-.BR closeaction " = " none " | clear | hold | restart"
-defines the action to take if the remote peer unexpectedly closes a CHILD_SA
-(see
-.B dpdaction
-for meaning of values).
-A
-.B closeaction should not be
-used if the peer uses reauthentication or uniquids checking, as these events
-might trigger the defined action when not desired.
-.TP
-.BR compress " = yes | " no
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes the daemon to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents the daemon from proposing or accepting compression.
-.TP
-.BR dpdaction " = " none " | clear | hold | restart"
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-The default is
-.B none
-which disables the active sending of DPD messages.
-.TP
-.BR dpddelay " = " 30s " | <time>"
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.BR dpdtimeout " = " 150s " | <time>
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.BR inactivity " = <time>"
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic.
-.TP
-.BR eap_identity " = <id>"
-defines the identity the client uses to reply to an EAP Identity request.
-If defined on the EAP server, the defined identity will be used as peer
-identity during EAP authentication. The special value
-.B %identity
-uses the EAP Identity method to ask the client for an EAP identity. If not
-defined, the IKEv2 identity will be used as EAP identity.
-.TP
-.BR esp " = <cipher suites>"
-comma-separated list of ESP encryption/authentication algorithms to be used
-for the connection, e.g.
-.BR aes128-sha256 .
-The notation is
-.BR encryption-integrity[-dhgroup][-esnmode] .
-
-Defaults to
-.BR aes128-sha1,3des-sha1 .
-The daemon adds its extensive default proposal to this default
-or the configured value. To restrict it to the configured proposal an
-exclamation mark
-.RB ( ! )
-can be added at the end.
-
-.BR Note :
-As a responder the daemon accepts the first supported proposal received from
-the peer. In order to restrict a responder to only accept specific cipher
-suites, the strict flag
-.RB ( ! ,
-exclamation mark) can be used, e.g: aes256-sha512-modp4096!
-.br
-If
-.B dh-group
-is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
-Diffie-Hellman exchange. Valid values for
-.B esnmode
-(IKEv2 only) are
-.B esn
-and
-.BR noesn .
-Specifying both negotiates Extended Sequence Number support with the peer,
-the default is
-.B noesn.
-.TP
-.BR forceencaps " = yes | " no
-force UDP encapsulation for ESP packets even if no NAT situation is detected.
-This may help to surmount restrictive firewalls. In order to force the peer to
-encapsulate packets, NAT detection payloads are faked.
-.TP
-.BR fragmentation " = yes | force | " no
-whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
-values are
-.BR yes ,
-.B force
-and
-.B no
-(the default). Fragmented messages sent by a peer are always accepted
-irrespective of the value of this option. If set to
-.BR yes ,
-and the peer supports it, larger IKE messages will be sent in fragments.
-If set to
-.B force
-the initial IKE message will already be fragmented if required.
-.TP
-.BR ike " = <cipher suites>"
-comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
-to be used, e.g.
-.BR aes128-sha1-modp2048 .
-The notation is
-.BR encryption-integrity[-prf]-dhgroup .
-If no PRF is given, the algorithms defined for integrity are used for the PRF.
-The prf keywords are the same as the integrity algorithms, but have a
-.B prf
-prefix (such as
-.BR prfsha1 ,
-.B prfsha256
-or
-.BR prfaesxcbc ).
-.br
-In IKEv2, multiple algorithms and proposals may be included, such as
-.BR aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024 .
-
-Defaults to
-.BR aes128-sha1-modp2048,3des-sha1-modp1536 .
-The daemon adds its extensive default proposal to this
-default or the configured value. To restrict it to the configured proposal an
-exclamation mark
-.RB ( ! )
-can be added at the end.
-
-.BR Note :
-As a responder the daemon accepts the first supported proposal received from
-the peer. In order to restrict a responder to only accept specific cipher
-suites, the strict flag
-.RB ( ! ,
-exclamation mark) can be used, e.g:
-.BR aes256-sha512-modp4096!
-.TP
-.BR ikedscp " = " 000000 " | <DSCP field>"
-Differentiated Services Field Codepoint to set on outgoing IKE packets sent
-from this connection. The value is a six digit binary encoded string defining
-the Codepoint to set, as defined in RFC 2474.
-.TP
-.BR ikelifetime " = " 3h " | <time>"
-how long the keying channel of a connection (ISAKMP or IKE SA)
-should last before being renegotiated. Also see EXPIRY/REKEY below.
-.TP
-.BR installpolicy " = " yes " | no"
-decides whether IPsec policies are installed in the kernel by the charon daemon
-for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.BR keyexchange " = " ike " | ikev1 | ikev2"
-which key exchange protocol should be used to initiate the connection.
-Connections marked with
-.B ike
-use IKEv2 when initiating, but accept any protocol version when responding.
-.TP
-.BR keyingtries " = " 3 " | <number> | %forever"
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR 3 ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.BR left " = <ip address> | <fqdn> | " %any
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-The value
-.B %any
-(the default) for the local endpoint signifies an address to be filled in (by
-automatic keying) during negotiation. If the local peer initiates the
-connection setup the routing table will be queried to determine the correct
-local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-
-The prefix
-.B %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.BR leftallowany =yes.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.BR leftallowany " = yes | " no
-a modifier for
-.BR left ,
-making it behave as
-.B %any
-although a concrete IP address or domain name has been assigned.
-.TP
-.BR leftauth " = <auth method>"
-Authentication method to use locally (left) or require from the remote (right)
-side.
-Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication,
-.B eap
-to (require the) use of the Extensible Authentication Protocol in IKEv2, and
-.B xauth
-for IKEv1 eXtended Authentication.
-To require a trustchain public key strength for the remote side, specify the
-key type followed by the minimum strength in bits (for example
-.BR ecdsa-384
-or
-.BR rsa-2048-ecdsa-256 ).
-To limit the acceptable set of hashing algorithms for trustchain validation,
-append hash algorithms to
-.BR pubkey
-or a key strength definition (for example
-.BR pubkey-sha1-sha256
-or
-.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
-For
-.BR eap ,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.BR eap-mschapv2 ,
-.BR eap-peap ,
-.BR eap-sim ,
-.BR eap-tls ,
-.BR eap-ttls ,
-.BR eap-dynamic ,
-and
-.BR eap-radius .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-For
-.B xauth,
-an XAuth authentication backend can be specified, such as
-.B xauth-generic
-or
-.BR xauth-eap .
-If XAuth is used in
-.BR leftauth ,
-Hybrid authentication is used. For traditional XAuth authentication, define
-XAuth in
-.BR lefauth2 .
-.TP
-.BR leftauth2 " = <auth method>"
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. In IKEv1, only XAuth can be
-used in the second authentication round. IKEv2 supports multiple complete
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC 4739. This allows, for example, separated authentication
-of host and user.
-.TP
-.BR leftca " = <issuer dn> | %same"
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.B %same
-means that the value configured for the right participant should be reused.
-.TP
-.BR leftca2 " = <issuer dn> | %same"
-Same as
-.BR leftca ,
-but for the second authentication round (IKEv2 only).
-.TP
-.BR leftcert " = <path>"
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject.
-The left participant's ID can be overridden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.br
-A value in the form
-.B %smartcard[<slot nr>[@<module>]]:<keyid>
-defines a specific certificate to load from a PKCS#11 backend for this
-connection. See ipsec.secrets(5) for details about smartcard definitions.
-.B leftcert
-is required only if selecting the certificate with
-.B leftid
-is not sufficient, for example if multiple certificates use the same subject.
-.br
-Multiple certificate paths or PKCS#11 backends can be specified in a comma
-separated list. The daemon chooses the certificate based on the received
-certificate requests if possible before enforcing the first.
-.TP
-.BR leftcert2 " = <path>"
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.BR leftcertpolicy " = <OIDs>"
-Comma separated list of certificate policy OIDs the peer's certificate must
-have.
-OIDs are specified using the numerical dotted representation.
-.TP
-.BR leftdns " = <servers>"
-Comma separated list of DNS server addresses to exchange as configuration
-attributes. On the initiator, a server is a fixed IPv4/IPv6 address, or
-.BR %config4 / %config6
-to request attributes without an address. On the responder,
-only fixed IPv4/IPv6 addresses are allowed and define DNS servers assigned
-to the client.
-.TP
-.BR leftfirewall " = yes | " no
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script.
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.BR leftgroups " = <group list>"
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter.
-.TP
-.BR leftgroups2 " = <group list>"
-Same as
-.B leftgroups,
-but for the second authentication round defined with
-.B leftauth2.
-.TP
-.BR lefthostaccess " = yes | " no
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.BR leftid " = <id>"
-how the left participant should be identified for authentication;
-defaults to
-.B left
-or the subject of the certificate configured with
-.BR leftcert .
-Can be an IP address, a fully-qualified domain name, an email address, or
-a keyid. If
-.B leftcert
-is configured the identity has to be confirmed by the certificate.
-
-For IKEv2 and
-.B rightid
-the prefix
-.B %
-in front of the identity prevents the daemon from sending IDr in its IKE_AUTH
-request and will allow it to verify the configured identity against the subject
-and subjectAltNames contained in the responder's certificate (otherwise it is
-only compared with the IDr returned by the responder). The IDr sent by the
-initiator might otherwise prevent the responder from finding a config if it
-has configured a different value for
-.BR leftid .
-.TP
-.BR leftid2 " = <id>"
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.BR leftikeport " = <port>"
-UDP port the left participant uses for IKE communication.
-If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens on this port.
-.TP
-.BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port. This option
-is now deprecated, protocol/port information can be defined for each subnet
-directly in
-.BR leftsubnet .
-.TP
-.BR leftsigkey " = <raw public key> | <path to public key>"
-the left participant's public key for public key signature authentication,
-in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
-optional
-.B dns:
-or
-.B ssh:
-prefix in front of 0x or 0s, the public key is expected to be in either
-the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
-respectively.
-Also accepted is the path to a file containing the public key in PEM or DER
-encoding.
-.TP
-.BR leftsendcert " = never | no | " ifasked " | always | yes"
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked " (the default),"
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.BR leftsourceip " = %config4 | %config6 | <ip address>"
-Comma separated list of internal source IPs to use in a tunnel, also known as
-virtual IP. If the value is one of the synonyms
-.BR %config ,
-.BR %cfg ,
-.BR %modeconfig ,
-or
-.BR %modecfg ,
-an address (from the tunnel address family) is requested from the peer. With
-.B %config4
-and
-.B %config6
-an address of the given address family will be requested explicitly.
-If an IP address is configured, it will be requested from the responder,
-which is free to respond with a different address.
-.TP
-.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
-Comma separated list of internal source IPs to use in a tunnel for the remote
-peer. If the value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. Configured subnets of the peers may differ, the protocol narrows it to
-the greatest common subnet. In IKEv1, this may lead to problems with other
-implementations, make sure to configure identical subnets in such
-configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
-interprets the first subnet of such a definition, unless the Cisco Unity
-extension plugin is enabled.
-
-The optional part after each subnet enclosed in square brackets specifies a
-protocol/port to restrict the selector for that subnet.
-
-Examples:
-.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
-.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-
-Instead of specifying a subnet,
-.B %dynamic
-can be used to replace it with the IKE address, having the same effect
-as omitting
-.B leftsubnet
-completely. Using
-.B %dynamic
-can be used to define multiple dynamic selectors, each having a potentially
-different protocol/port definition.
-
-.TP
-.BR leftupdown " = <path>"
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-Relevant only locally, other end need not agree on it. Charon uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into the daemon.
-.TP
-.BR lifebytes " = <number>"
-the number of bytes transmitted over an IPsec SA before it expires.
-.TP
-.BR lifepackets " = <number>"
-the number of packets transmitted over an IPsec SA before it expires.
-.TP
-.BR lifetime " = " 1h " | <time>"
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer. Also see EXPIRY/REKEY below.
-.TP
-.BR marginbytes " = <number>"
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin.
-.TP
-.BR marginpackets " = <number>"
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin.
-.TP
-.BR margintime " = " 9m " | <time>"
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
-below.
-.TP
-.BR mark " = <value>[/<mask>]"
-sets an XFRM mark in the inbound and outbound
-IPsec SAs and policies. If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mark_in " = <value>[/<mask>]"
-sets an XFRM mark in the inbound IPsec SA and
-policy. If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mark_out " = <value>[/<mask>]"
-sets an XFRM mark in the outbound IPsec SA and
-policy. If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.BR mobike " = " yes " | no"
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.BR modeconfig " = push | " pull
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Push mode is currently not supported in charon, hence this parameter has no
-effect.
-.TP
-.BR reauth " = " yes " | no"
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.BR rekey " = " yes " | no"
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it. Also see
-.BR reauth .
-.TP
-.BR rekeyfuzz " = " 100% " | <percentage>"
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it. Also see EXPIRY/REKEY
-below.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.BR reqid " = <number>"
-sets the reqid for a given connection to a pre-configured fixed value.
-.TP
-.BR tfc " = <value>"
-number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
-is currently supported in IKEv2 and applies to outgoing packets only. The
-special value
-.BR %mtu
-fills up ESP packets with padding to have the size of the MTU.
-.TP
-.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded.
-.TP
-.BR xauth " = " client " | server"
-specifies the role in the XAuth protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-.TP
-.BR xauth_identity " = <id>"
-defines the identity/username the client uses to reply to an XAuth request.
-If not defined, the IKEv1 identity will be used as XAuth identity.
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP
-.BR mediation " = yes | " no
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.BR mediated_by " = <name>"
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.BR me_peerid " = <id>"
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-These are optional sections that can be used to assign special
-parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
-there is no need to explicitly add them with a CA section, unless you
-want to assign special parameters (like a CRL) to a CA.
-.TP
-.BR also " = <name>"
-includes ca section
-.BR <name> .
-.TP
-.BR auto " = " ignore " | add"
-currently can have either the value
-.B ignore
-(the default) or
-.BR add .
-.TP
-.BR cacert " = <path>"
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.br
-A value in the form
-.B %smartcard[<slot nr>[@<module>]]:<keyid>
-defines a specific CA certificate to load from a PKCS#11 backend for this CA.
-See ipsec.secrets(5) for details about smartcard definitions.
-.TP
-.BR crluri " = <uri>"
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.BR crluri2 " = <uri>"
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.TP
-.BR ocspuri " = <uri>"
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.BR ocspuri2 " = <uri>"
-defines an alternative OCSP URI.
-.TP
-.BR certuribase " = <uri>"
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows one to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section are:
-.TP
-.BR cachecrls " = yes | " no
-if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
-be cached in
-.I /etc/ipsec.d/crls/
-under a unique file name derived from the certification authority's public key.
-.TP
-.BR charondebug " = <debug list>"
-how much charon debugging output should be logged.
-A comma separated list containing type/level-pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls,
-.B tnc, imc, imv, pts
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private). By default, the level
-is set to
-.B 1
-for all types. For more flexibility see LOGGER CONFIGURATION in
-.IR strongswan.conf (5).
-.TP
-.BR strictcrlpolicy " = yes | ifuri | " no
-defines if a fresh CRL must be available in order for the peer authentication
-based on RSA signatures to succeed.
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.BR uniqueids " = " yes " | no | never | replace | keep"
-whether a particular participant ID should be kept unique,
-with any new IKE_SA using an ID deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default),
-.B no
-and
-.BR never .
-Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
-almost invariably intended to replace an old one. The difference between
-.B no
-and
-.B never
-is that the daemon will replace old IKE_SAs when receiving an INITIAL_CONTACT
-notify if the option is
-.B no
-but will ignore these notifies if
-.B never
-is configured.
-The daemon also accepts the value
-.B replace
-which is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-
-.SH SA EXPIRY/REKEY
-The IKE SAs and IPsec SAs negotiated by the daemon can be configured to expire
-after a specific amount of time. For IPsec SAs this can also happen after a
-specified number of transmitted packets or transmitted bytes. The following
-settings can be used to configure this:
-.TS
-l r l r,- - - -,lB s lB s,a r a r.
-Setting Default Setting Default
-IKE SA IPsec SA
-ikelifetime 3h lifebytes -
- lifepackets -
- lifetime 1h
-.TE
-.SS Rekeying
-IKE SAs as well as IPsec SAs can be rekeyed before they expire. This can be
-configured using the following settings:
-.TS
-l r l r,- - - -,lB s lB s,a r a r.
-Setting Default Setting Default
-IKE and IPsec SA IPsec SA
-margintime 9m marginbytes -
- marginpackets -
-.TE
-.SS Randomization
-To avoid collisions the specified margins are increased randomly before
-subtracting them from the expiration limits (see formula below). This is
-controlled by the
-.B rekeyfuzz
-setting:
-.TS
-l r,- -,lB s,a r.
-Setting Default
-IKE and IPsec SA
-rekeyfuzz 100%
-.TE
-.PP
-Randomization can be disabled by setting
-.BR rekeyfuzz " to " 0% .
-.SS Formula
-The following formula is used to calculate the rekey time of IPsec SAs:
-.PP
-.EX
- rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
-.EE
-.PP
-It applies equally to IKE SAs and byte and packet limits for IPsec SAs.
-.SS Example
-Let's consider the default configuration:
-.PP
-.EX
- lifetime = 1h
- margintime = 9m
- rekeyfuzz = 100%
-.EE
-.PP
-From the formula above follows that the rekey time lies between:
-.PP
-.EX
- rekeytime_min = 1h - (9m + 9m) = 42m
- rekeytime_max = 1h - (9m + 0m) = 51m
-.EE
-.PP
-Thus, the daemon will attempt to rekey the IPsec SA at a random time
-between 42 and 51 minutes after establishing the SA. Or, in other words,
-between 9 and 18 minutes before the SA expires.
-.SS Notes
-.IP \[bu]
-Since the rekeying of an SA needs some time, the margin values must not be
-too low.
-.IP \[bu]
-The value
-.B margin... + margin... * rekeyfuzz
-must not exceed the original limit. For example, specifying
-.B margintime = 30m
-in the default configuration is a bad idea as there is a chance that the rekey
-time equals zero and, thus, rekeying gets disabled.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-strongswan.conf(5), ipsec.secrets(5), ipsec(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 4c64e86ca..92be67000 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -236,10 +236,44 @@ identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
.BR aggressive " = yes | " no
whether to use IKEv1 Aggressive or Main Mode (the default).
.TP
+.BR ah " = <cipher suites>"
+comma-separated list of AH algorithms to be used for the connection, e.g.
+.BR sha1-sha256-modp1024 .
+The notation is
+.BR integrity[-dhgroup] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
+
+There is no default, by default ESP is used.
+The daemon adds its extensive default proposal to the configured value. To
+restrict it to the configured proposal an
+exclamation mark
+.RB ( ! )
+can be added at the end.
+
+If
+.B dh-group
+is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
+Diffie-Hellman exchange.
+.TP
.BR also " = <name>"
includes conn section
.BR <name> .
.TP
+.BR auth " = <value>"
+was used by the
+.B pluto
+IKEv1 daemon to use AH integrity protection for ESP encrypted packets, but is
+not supported in charon. The
+.B ah
+keyword specifies algorithms to use for integrity protection with AH, but
+without encryption. AH+ESP bundles are not supported.
+.TP
.BR authby " = " pubkey " | rsasig | ecdsasig | psk | secret | never | xauthpsk | xauthrsasig"
how the two security gateways should authenticate each other;
acceptable values are
@@ -368,6 +402,13 @@ for the connection, e.g.
.BR aes128-sha256 .
The notation is
.BR encryption-integrity[-dhgroup][-esnmode] .
+For IKEv2, multiple algorithms (separated by -) of the same type can be included
+in a single proposal. IKEv1 only includes the first algorithm in a proposal.
+Only either the
+.B ah
+or
+.B esp
+keyword may be used, AH+ESP bundles are not supported.
Defaults to
.BR aes128-sha1,3des-sha1 .
@@ -488,9 +529,8 @@ Relevant only locally, other end need not agree on it.
synonym for
.BR lifetime .
.TP
-.BR left " = <ip address> | <fqdn> | " %any
-(required)
-the IP address of the left participant's public-network interface
+.BR left " = <ip address> | <fqdn> | " %any " | <range> | <subnet> "
+The IP address of the left participant's public-network interface
or one of several magic values.
The value
.B %any
@@ -510,6 +550,14 @@ If
.B %any
is used for the remote endpoint it literally means any IP address.
+To limit the connection to a specific range of hosts, a range (
+.BR 10.1.0.0-10.2.255.255
+) or a subnet (
+.BR 10.1.0.0/16
+) can be specified, and multiple addresses, ranges and subnets can be separated
+by commas. While one can freely combine these items, to initiate the connection
+at least one non-range/subnet is required.
+
Please note that with the usage of wildcards multiple connection descriptions
might match a given incoming connection attempt. The most specific description
is used in that case.
@@ -810,6 +858,14 @@ Instead of omitting either value
can be used to the same effect, e.g.
.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+If the protocol is
+.B icmp
+or
+.B ipv6-icmp
+the port is interpreted as ICMP message type if it is less than 256 or as type
+and code if it is greater or equal to 256, with the type in the most significant
+8 bits and the code in the least significant 8 bits.
+
The port value can alternatively take the value
.B %opaque
for RFC 4301 OPAQUE selectors, or a numerical range in the form
@@ -931,8 +987,7 @@ Accepted values are
and
.B pull
(the default).
-Push mode is currently not supported in charon, hence this parameter has no
-effect.
+Push mode is currently not supported with IKEv2.
.TP
.BR reauth " = " yes " | no"
whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
deleted file mode 100644
index a4a58f261..000000000
--- a/man/ipsec.secrets.5
+++ /dev/null
@@ -1,195 +0,0 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan"
-.SH NAME
-ipsec.secrets \- secrets for IKE/IPsec authentication
-.SH DESCRIPTION
-The file \fIipsec.secrets\fP holds a table of secrets.
-These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons
-pluto (IKEv1) and charon (IKEv2) to authenticate other hosts.
-.LP
-It is vital that these secrets be protected. The file should be owned
-by the super-user,
-and its permissions should be set to block all access by others.
-.LP
-The file is a sequence of entries and include directives.
-Here is an example.
-.LP
-.RS
-.nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
-
-: RSA moonKey.pem
-
-alice@strongswan.org : EAP "x3.dEhgN"
-
-carol : XAUTH "4iChxLT3"
-
-dave : XAUTH "ryftzG4A"
-
-# get secrets from other files
-include ipsec.*.secrets
-.fi
-.RE
-.LP
-Each entry in the file is a list of optional ID selectors, followed by a secret.
-The two parts are separated by a colon (\fB:\fP) that is surrounded
-by whitespace. If no ID selectors are specified the line must start with a
-colon.
-.LP
-A selector is an IP address, a Fully Qualified Domain Name, user@FQDN,
-\fB%any\fP or \fB%any6\fP (other kinds may come).
-.LP
-Matching IDs with selectors is fairly straightforward: they have to be
-equal. In the case of a ``Road Warrior'' connection, if an equal
-match is not found for the Peer's ID, and it is in the form of an IP
-address, a selector of \fB%any\fP will match the peer's IP address if IPV4
-and \fB%any6\fP will match a the peer's IP address if IPV6.
-Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of
-\fB%any\fP.
-.LP
-In IKEv1 an additional complexity
-arises in the case of authentication by preshared secret: the
-responder will need to look up the secret before the Peer's ID payload has
-been decoded, so the ID used will be the IP address.
-.LP
-To authenticate a connection between two hosts, the entry that most
-specifically matches the host and peer IDs is used. An entry with no
-selectors will match any host and peer. More specifically, an entry with one
-selector will match a host and peer if the selector matches the host's ID (the
-peer isn't considered). Still more specifically, an entry with multiple
-selectors will match a host and peer if the host ID and peer ID each match one
-of the selectors. If the key is for an asymmetric authentication technique
-(i.e. a public key system such as RSA), an entry with multiple selectors will
-match a host and peer even if only the host ID matches a selector (it is
-presumed that the selectors are all identities of the host).
-It is acceptable for two entries to be the best match as
-long as they agree about the secret or private key.
-.LP
-Authentication by preshared secret requires that both systems find the
-identical secret (the secret is not actually transmitted by the IKE
-protocol). If both the host and peer appear in the selector list, the
-same entry will be suitable for both systems so verbatim copying
-between systems can be used. This naturally extends to larger groups
-sharing the same secret. Thus multiple-selector entries are best for PSK
-authentication.
-.LP
-Authentication by public key systems such as RSA requires that each host
-have its own private key. A host could reasonably use a different private keys
-for different interfaces and for different peers. But it would not
-be normal to share entries between systems. Thus thus no-selector and
-one-selector forms of entry often make sense for public key authentication.
-.LP
-The key part of an entry must start with a token indicating the kind of
-key. The following types of secrets are currently supported:
-.TP
-.B PSK
-defines a pre-shared key
-.TP
-.B RSA
-defines an RSA private key
-.TP
-.B ECDSA
-defines an ECDSA private key
-.TP
-.B P12
-defines a PKCS#12 container
-.TP
-.B EAP
-defines EAP credentials
-.TP
-.B NTLM
-defines NTLM credentials
-.TP
-.B XAUTH
-defines XAUTH credentials
-.TP
-.B PIN
-defines a smartcard PIN
-.LP
-Details on each type of secret are given below.
-.LP
-Whitespace at the end of a line is ignored. At the start of a line or
-after whitespace, \fB#\fP and the following text up to the end of the
-line is treated as a comment.
-.LP
-An include directive causes the contents of the named file to be processed
-before continuing with the current file. The filename is subject to
-``globbing'' as in \fIsh\fP(1), so every file with a matching name
-is processed. Includes may be nested to a modest
-depth (10, currently). If the filename doesn't start with a \fB/\fP, the
-directory containing the current file is prepended to the name. The
-include directive is a line that starts with the word \fBinclude\fP,
-followed by whitespace, followed by the filename (which must not contain
-whitespace).
-.SS TYPES OF SECRETS
-.TP
-.B [ <selectors> ] : PSK <secret>
-A preshared \fIsecret\fP is most conveniently represented as a sequence of
-characters, which is delimited by double-quote characters (\fB"\fP).
-The sequence cannot contain newline or double-quote characters.
-.br
-Alternatively, preshared secrets can be represented as hexadecimal or Base64
-encoded binary values. A character sequence beginning with
-.B 0x
-is interpreted as sequence of hexadecimal digits.
-Similarly, a character sequence beginning with
-.B 0s
-is interpreted as Base64 encoded binary data.
-.TP
-.B : RSA <private key file> [ <passphrase> | %prompt ]
-.TQ
-.B : ECDSA <private key file> [ <passphrase> | %prompt ]
-For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
-encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
-.B %prompt
-can be used which then causes the daemon to ask the user for the password
-whenever it is required to decrypt the key.
-.TP
-.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
-For the PKCS#12 file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the container is
-encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
-.B %prompt
-can be used which then causes the daemon to ask the user for the password
-whenever it is required to decrypt the container. Private keys, client and CA
-certificates are extracted from the container. To use such a client certificate
-in a connection set leftid to one of the subjects of the certificate.
-.TP
-.B <user id> : EAP <secret>
-The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
-.br
-\fBEAP\fP secrets are IKEv2 only.
-.TP
-.B <user id> : NTLM <secret>
-The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets, but the
-secret is stored as NTLM hash, which is MD4(UTF-16LE(secret)), instead of as
-cleartext.
-.br
-\fBNTLM\fP secrets can only be used with the \fBeap-mschapv2\fP plugin.
-.TP
-.B [ <servername> ] <username> : XAUTH <password>
-The format of \fIpassword\fP is the same as that of \fBPSK\fP secrets.
-\fBXAUTH\fP secrets are IKEv1 only.
-.TP
-.B : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
-The smartcard selector always requires a keyid to uniquely select the correct
-key. The slot number defines the slot on the token, the module name refers to
-the module name defined in strongswan.conf(5).
-Instead of specifying the pin code statically,
-.B %prompt
-can be specified, which causes the daemon to ask the user for the pin code.
-.LP
-
-.SH FILES
-/etc/ipsec.secrets
-.SH SEE ALSO
-ipsec.conf(5), strongswan.conf(5), ipsec(8)
-.br
-.SH HISTORY
-Originally written for the FreeS/WAN project by D. Hugh Redelmeier.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner and Andreas Steffen.
-.SH BUGS
-If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP;
-if it is \fB0::0\fP, it will match \fB%any6\fP.
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index ee20c9670..15e36faff 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "@IPSEC_VERSION@" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
deleted file mode 100644
index fc99c8c47..000000000
--- a/man/strongswan.conf.5
+++ /dev/null
@@ -1,1665 +0,0 @@
-.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan"
-.SH NAME
-strongswan.conf \- strongSwan configuration file
-.SH DESCRIPTION
-While the
-.IR ipsec.conf (5)
-configuration file is well suited to define IPsec related configuration
-parameters, it is not useful for other strongSwan applications to read options
-from this file.
-The file is hard to parse and only
-.I ipsec starter
-is capable of doing so. As the number of components of the strongSwan project
-is continually growing, a more flexible configuration file was needed, one that
-is easy to extend and can be used by all components. With strongSwan 4.2.1
-.IR strongswan.conf (5)
-was introduced which meets these requirements.
-
-.SH SYNTAX
-The format of the strongswan.conf file consists of hierarchical
-.B sections
-and a list of
-.B key/value pairs
-in each section. Each section has a name, followed by C-Style curly brackets
-defining the section body. Each section body contains a set of subsections
-and key/value pairs:
-.PP
-.EX
- settings := (section|keyvalue)*
- section := name { settings }
- keyvalue := key = value\\n
-.EE
-.PP
-Values must be terminated by a newline.
-.PP
-Comments are possible using the \fB#\fP-character, but be careful: The parser
-implementation is currently limited and does not like brackets in comments.
-.PP
-Section names and keys may contain any printable character except:
-.PP
-.EX
- . { } # \\n \\t space
-.EE
-.PP
-An example file in this format might look like this:
-.PP
-.EX
- a = b
- section-one {
- somevalue = asdf
- subsection {
- othervalue = xxx
- }
- # yei, a comment
- yetanother = zz
- }
- section-two {
- x = 12
- }
-.EE
-.PP
-Indentation is optional, you may use tabs or spaces.
-
-.SH INCLUDING FILES
-Using the
-.B include
-statement it is possible to include other files into strongswan.conf, e.g.
-.PP
-.EX
- include /some/path/*.conf
-.EE
-.PP
-If the file name is not an absolute path, it is considered to be relative
-to the directory of the file containing the include statement. The file name
-may include shell wildcards (see
-.IR sh (1)).
-Also, such inclusions can be nested.
-.PP
-Sections loaded from included files
-.I extend
-previously loaded sections; already existing values are
-.IR replaced .
-It is important to note that settings are added relative to the section the
-include statement is in.
-.PP
-As an example, the following three files result in the same final
-config as the one given above:
-.PP
-.EX
- a = b
- section-one {
- somevalue = before include
- include include.conf
- }
- include other.conf
-
-include.conf:
- # settings loaded from this file are added to section-one
- # the following replaces the previous value
- somevalue = asdf
- subsection {
- othervalue = yyy
- }
- yetanother = zz
-
-other.conf:
- # this extends section-one and subsection
- section-one {
- subsection {
- # this replaces the previous value
- othervalue = xxx
- }
- }
- section-two {
- x = 12
- }
-.EE
-
-.SH READING VALUES
-Values are accessed using a dot-separated section list and a key.
-With reference to the example above, accessing
-.B section-one.subsection.othervalue
-will return
-.BR xxx .
-
-.SH DEFINED KEYS
-The following keys are currently defined (using dot notation). The default
-value (if any) is listed in brackets after the key.
-
-.SS attest section
-.TP
-.BR attest.database
-Path to database with file measurement information
-.TP
-.BR attest.load
-Plugins to load in ipsec attest tool
-
-.SS charon section
-.TP
-.BR Note :
-Many of these options also apply to \fBcharon\-cmd\fR and other
-\fBcharon\fR derivatives. Just use their respective name (e.g.
-\fIcharon\-cmd\fR) instead of \fIcharon\fR.
-.TP
-.BR charon.block_threshold " [5]"
-Maximum number of half-open IKE_SAs for a single peer IP
-.TP
-.BR charon.cisco_unity " [no]
-Send Cisco Unity vendor ID payload (IKEv1 only)
-.TP
-.BR charon.close_ike_on_child_failure " [no]"
-Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
-.TP
-.BR charon.cookie_threshold " [10]"
-Number of half-open IKE_SAs that activate the cookie mechanism
-.TP
-.BR charon.dns1
-.TQ
-.BR charon.dns2
-DNS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.dos_protection " [yes]"
-Enable Denial of Service protection using cookies and aggressiveness checks
-.TP
-.BR charon.filelog
-Section to define file loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.flush_auth_cfg " [no]"
-If enabled objects used during authentication (certificates, identities etc.)
-are released to free memory once an IKE_SA is established.
-Enabling this might conflict with plugins that later need access to e.g. the
-used certificates.
-.TP
-.BR charon.fragment_size " [512]"
-Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
-fragmentation extension.
-.TP
-.BR charon.group
-Name of the group the daemon changes to after startup
-.TP
-.BR charon.half_open_timeout " [30]"
-Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.hash_and_url " [no]"
-Enable hash and URL support
-.TP
-.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
-If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
-keys, which is discouraged due to security concerns (offline attacks on the
-openly transmitted hash of the PSK)
-.TP
-.BR charon.ignore_routing_tables
-A space-separated list of routing tables to be excluded from route lookups
-.TP
-.BR charon.ikesa_limit " [0]"
-Maximum number of IKE_SAs that can be established at the same time before new
-connection attempts are blocked
-.TP
-.BR charon.ikesa_table_segments " [1]"
-Number of exclusively locked segments in the hash table
-.TP
-.BR charon.ikesa_table_size " [1]"
-Size of the IKE_SA hash table
-.TP
-.BR charon.inactivity_close_ike " [no]"
-Whether to close IKE_SA if the only CHILD_SA closed due to inactivity
-.TP
-.BR charon.init_limit_half_open " [0]"
-Limit new connections based on the current number of half open IKE_SAs (see
-IKE_SA_INIT DROPPING).
-.TP
-.BR charon.init_limit_job_load " [0]"
-Limit new connections based on the number of jobs currently queued for
-processing (see IKE_SA_INIT DROPPING).
-.TP
-.BR charon.initiator_only " [no]"
-Causes charon daemon to ignore IKE initiation requests.
-.TP
-.BR charon.install_routes " [yes]"
-Install routes into a separate routing table for established IPsec tunnels
-.TP
-.BR charon.install_virtual_ip " [yes]"
-Install virtual IP addresses
-.TP
-.BR charon.install_virtual_ip_on
-The name of the interface on which virtual IP addresses should be installed.
-If not specified the addresses will be installed on the outbound interface.
-.TP
-.BR charon.interfaces_ignore
-A comma-separated list of network interfaces that should be ignored, if
-.B charon.interfaces_use
-is specified this option has no effect.
-.TP
-.BR charon.interfaces_use
-A comma-separated list of network interfaces that should be used by charon.
-All other interfaces are ignored.
-.TP
-.BR charon.keep_alive " [20s]"
-NAT keep alive interval
-.TP
-.BR charon.load
-Plugins to load in the IKEv2 daemon charon
-.TP
-.BR charon.max_packet " [10000]"
-Maximum packet size accepted by charon
-.TP
-.BR charon.multiple_authentication " [yes]"
-Enable multiple authentication exchanges (RFC 4739)
-.TP
-.BR charon.nbns1
-.TQ
-.BR charon.nbns2
-WINS servers assigned to peer via configuration payload (CP)
-.TP
-.BR charon.port " [500]"
-UDP port used locally. If set to 0 a random port will be allocated.
-.TP
-.BR charon.port_nat_t " [4500]"
-UDP port used locally in case of NAT-T. If set to 0 a random port will be
-allocated. Has to be different from
-.BR charon.port ,
-otherwise a random port will be allocated.
-.TP
-.BR charon.process_route " [yes]"
-Process RTM_NEWROUTE and RTM_DELROUTE events
-.TP
-.BR charon.receive_delay " [0]"
-Delay in ms for receiving packets, to simulate larger RTT
-.TP
-.BR charon.receive_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.receive_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.receive_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.replay_window " [32]"
-Size of the AH/ESP replay window, in packets.
-.TP
-.BR charon.retransmit_base " [1.8]"
-Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
-.TP
-.BR charon.retransmit_timeout " [4.0]
-Timeout in seconds before sending first retransmit
-.TP
-.BR charon.retransmit_tries " [5]"
-Number of times to retransmit a packet before giving up
-.TP
-.BR charon.retry_initiate_interval " [0]"
-Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
-failed), 0 to disable retries.
-.TP
-.BR charon.reuse_ikesa " [yes]
-Initiate CHILD_SA within existing IKE_SAs
-.TP
-.BR charon.routing_table
-Numerical routing table to install routes to
-.TP
-.BR charon.routing_table_prio
-Priority of the routing table
-.TP
-.BR charon.send_delay " [0]"
-Delay in ms for sending packets, to simulate larger RTT
-.TP
-.BR charon.send_delay_response " [yes]"
-Delay response messages
-.TP
-.BR charon.send_delay_request " [yes]"
-Delay request messages
-.TP
-.BR charon.send_delay_type " [0]"
-Specific IKEv2 message type to delay, 0 for any
-.TP
-.BR charon.send_vendor_id " [no]
-Send strongSwan vendor ID payload
-.TP
-.BR charon.syslog
-Section to define syslog loggers, see LOGGER CONFIGURATION
-.TP
-.BR charon.threads " [16]"
-Number of worker threads in charon
-.TP
-.BR charon.user
-Name of the user the daemon changes to after startup
-.SS charon.plugins subsection
-.TP
-.BR charon.plugins.android_log.loglevel " [1]"
-Loglevel for logging to Android specific logger
-.TP
-.BR charon.plugins.attr
-Section to specify arbitrary attributes that are assigned to a peer via
-configuration payload (CP)
-.TP
-.BR charon.plugins.certexpire.csv.cron
-Cron style string specifying CSV export times
-.TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
-.BR charon.plugins.certexpire.csv.force " [yes]"
-Force export of all trustchains we have a private key for
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.local
-strftime(3) format string for the CSV file name to export local certificates to
-.TP
-.BR charon.plugins.certexpire.csv.remote
-strftime(3) format string for the CSV file name to export remote certificates to
-.TP
-.BR charon.plugins.certexpire.csv.separator " [,]"
-CSV field separator
-.TP
-.BR charon.plugins.coupling.file
-File to store coupling list to
-.TP
-.BR charon.plugins.coupling.hash " [sha1]"
-Hashing algorithm to fingerprint coupled certificates
-.TP
-.BR charon.plugins.coupling.max " [1]"
-Maximum number of coupling entries to create
-.TP
-.BR charon.plugins.dhcp.force_server_address " [no]"
-Always use the configured server address. This might be helpful if the DHCP
-server runs on the same host as strongSwan, and the DHCP daemon does not listen
-on the loopback interface. In that case the server cannot be reached via
-unicast (or even 255.255.255.255) as that would be routed via loopback.
-Setting this option to yes and configuring the local broadcast address (e.g.
-192.168.0.255) as server address might work.
-.TP
-.BR charon.plugins.dhcp.identity_lease " [no]"
-Derive user-defined MAC address from hash of IKEv2 identity
-.TP
-.BR charon.plugins.dhcp.server " [255.255.255.255]"
-DHCP server unicast or broadcast IP address
-.TP
-.BR charon.plugins.duplicheck.enable " [yes]"
-Enable duplicheck plugin (if loaded)
-.TP
-.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
-Socket provided by the duplicheck plugin
-.TP
-.BR charon.plugins.eap-aka.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-aka-3ggp2.seq_check
-
-.TP
-.BR charon.plugins.eap-dynamic.preferred
-The preferred EAP method(s) to be used. If it is not given the first
-registered method will be used initially. If a comma separated list is given
-the methods are tried in the given order before trying the rest of the
-registered methods.
-.TP
-.BR charon.plugins.eap-dynamic.prefer_user " [no]"
-If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are
-preferred over the methods registered locally.
-.TP
-.BR charon.plugins.eap-gtc.backend " [pam]"
-XAuth backend to be used for credential verification
-.TP
-.BR charon.plugins.eap-peap.fragment_size " [1024]"
-Maximum size of an EAP-PEAP packet
-.TP
-.BR charon.plugins.eap-peap.max_message_count " [32]"
-Maximum number of processed EAP-PEAP packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-peap.include_length " [no]"
-Include length in non-fragmented EAP-PEAP packets
-.TP
-.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-peap.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-peap.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.eap-radius.accounting " [no]"
-Send RADIUS accounting information to RADIUS servers.
-.TP
-.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
-If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
-.TP
-.BR charon.plugins.eap-radius.class_group " [no]"
-Use the
-.I class
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
-Closes all IKE_SAs if communication with the RADIUS server times out. If it is
-not set only the current IKE_SA is closed.
-.TP
-.BR charon.plugins.eap-radius.dae.enable " [no]"
-Enables support for the Dynamic Authorization Extension (RFC 5176)
-.TP
-.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
-Address to listen for DAE messages from the RADIUS server
-.TP
-.BR charon.plugins.eap-radius.dae.port " [3799]"
-Port to listen for DAE requests
-.TP
-.BR charon.plugins.eap-radius.dae.secret
-Shared secret used to verify/sign DAE messages
-.TP
-.BR charon.plugins.eap-radius.eap_start " [no]"
-Send EAP-Start instead of EAP-Identity to start RADIUS conversation
-.TP
-.BR charon.plugins.eap-radius.filter_id " [no]"
-If the RADIUS
-.I tunnel_type
-attribute with value
-.B ESP
-is received, use the
-.I filter_id
-attribute sent in the RADIUS-Accept message as group membership information that
-is compared to the groups specified in the
-.B rightgroups
-option in
-.B ipsec.conf (5).
-.TP
-.BR charon.plugins.eap-radius.forward.ike_to_radius
-RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
-name or attribute number, a colon can be used to specify vendor-specific
-attributes, e.g. Reply-Message, or 11, or 36906:12).
-.TP
-.BR charon.plugins.eap-radius.forward.radius_to_ike
-Same as
-.B charon.plugins.eap-radius.forward.ike_to_radius
-but from RADIUS to
-IKEv2, a strongSwan specific private notify (40969) is used to transmit the
-attributes.
-.TP
-.BR charon.plugins.eap-radius.id_prefix
-Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
-EAP method
-.TP
-.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
-NAS-Identifier to include in RADIUS messages
-.TP
-.BR charon.plugins.eap-radius.port " [1812]"
-Port of RADIUS server (authentication)
-.TP
-.BR charon.plugins.eap-radius.secret
-Shared secret between RADIUS and NAS
-.TP
-.BR charon.plugins.eap-radius.server
-IP/Hostname of RADIUS server
-.TP
-.BR charon.plugins.eap-radius.servers
-Section to specify multiple RADIUS servers. The
-.BR nas_identifier ,
-.BR secret ,
-.B sockets
-and
-.B port
-(or
-.BR auth_port )
-options can be specified for each server. A server's IP/Hostname can be
-configured using the
-.B address
-option. The
-.BR acct_port " [1813]"
-option can be used to specify the port used for RADIUS accounting.
-For each RADIUS server a priority can be specified using the
-.BR preference " [0]"
-option.
-.TP
-.BR charon.plugins.eap-radius.sockets " [1]"
-Number of sockets (ports) to use, increase for high load
-.TP
-.BR charon.plugins.eap-sim.request_identity " [yes]"
-
-.TP
-.BR charon.plugins.eap-simaka-sql.database
-
-.TP
-.BR charon.plugins.eap-simaka-sql.remove_used " [no]"
-
-.TP
-.BR charon.plugins.eap-tls.fragment_size " [1024]"
-Maximum size of an EAP-TLS packet
-.TP
-.BR charon.plugins.eap-tls.max_message_count " [32]"
-Maximum number of processed EAP-TLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tls.include_length " [yes]"
-Include length in non-fragmented EAP-TLS packets
-.TP
-.BR charon.plugins.eap-tnc.max_message_count " [10]"
-Maximum number of processed EAP-TNC packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
-IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
-.TP
-.BR charon.plugins.eap-ttls.fragment_size " [1024]"
-Maximum size of an EAP-TTLS packet
-.TP
-.BR charon.plugins.eap-ttls.max_message_count " [32]"
-Maximum number of processed EAP-TTLS packets (0 = no limit)
-.TP
-.BR charon.plugins.eap-ttls.include_length " [yes]"
-Include length in non-fragmented EAP-TTLS packets
-.TP
-.BR charon.plugins.eap-ttls.phase2_method " [md5]"
-Phase2 EAP client authentication method
-.TP
-.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
-Phase2 EAP Identity request piggybacked by server onto TLS Finished message
-.TP
-.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
-Start phase2 EAP TNC protocol after successful client authentication
-.TP
-.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
-Request peer authentication based on a client certificate
-.TP
-.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
-Socket provided by the error-notify plugin
-.TP
-.BR charon.plugins.ha.autobalance " [0]"
-Interval in seconds to automatically balance handled segments between nodes.
-Set to 0 to disable.
-.TP
-.BR charon.plugins.ha.fifo_interface " [yes]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_delay " [1000]"
-
-.TP
-.BR charon.plugins.ha.heartbeat_timeout " [2100]"
-
-.TP
-.BR charon.plugins.ha.local
-
-.TP
-.BR charon.plugins.ha.monitor " [yes]"
-
-.TP
-.BR charon.plugins.ha.pools
-
-.TP
-.BR charon.plugins.ha.remote
-
-.TP
-.BR charon.plugins.ha.resync " [yes]"
-
-.TP
-.BR charon.plugins.ha.secret
-
-.TP
-.BR charon.plugins.ha.segment_count " [1]"
-
-.TP
-.BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs via DNS
-.TP
-.BR charon.plugins.led.activity_led
-
-.TP
-.BR charon.plugins.led.blink_time " [50]"
-
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
-Number of ipsecN devices
-.TP
-.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
-Set MTU of ipsecN device
-.TP
-.BR charon.plugins.kernel-netlink.roam_events " [yes]"
-Whether to trigger roam events when interfaces, addresses or routes change
-.TP
-.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
-Time in ms to wait until virtual IP addresses appear/disappear before failing.
-.TP
-.BR charon.plugins.load-tester
-Section to configure the load-tester plugin, see LOAD TESTS
-.TP
-.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
-Socket provided by the lookip plugin
-.TP
-.BR charon.plugins.radattr.dir
-Directory where RADIUS attributes are stored in client-ID specific files.
-.TP
-.BR charon.plugins.radattr.message_id " [-1]"
-Attributes are added to all IKE_AUTH messages by default (-1), or only to the
-IKE_AUTH message with the given IKEv2 message ID.
-.TP
-.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
-File where to add DNS server entries
-.TP
-.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]"
-Prefix used for interface names sent to resolvconf(8). The nameserver address
-is appended to this prefix to make it unique. The result has to be a valid
-interface name according to the rules defined by resolvconf. Also, it should
-have a high priority according to the order defined in interface-order(5).
-.TP
-.BR charon.plugins.socket-default.set_source " [yes]"
-Set source address on outbound packets, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv4 " [yes]"
-Listen on IPv4, if possible.
-.TP
-.BR charon.plugins.socket-default.use_ipv6 " [yes]"
-Listen on IPv6, if possible.
-.TP
-.BR charon.plugins.sql.database
-Database URI for charons SQL plugin
-.TP
-.BR charon.plugins.sql.loglevel " [-1]"
-Loglevel for logging to SQL database
-.TP
-.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
-Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
-certificates even if they don't contain a CA basic constraint.
-.TP
-.BR charon.plugins.stroke.max_concurrent " [4]"
-Maximum number of stroke messages handled concurrently
-.TP
-.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
-Socket provided by the stroke plugin
-.TP
-.BR charon.plugins.stroke.timeout " [0]"
-Timeout in ms for any stroke command. Use 0 to disable the timeout
-.TP
-.BR charon.plugins.systime-fix.interval " [0]"
-Interval in seconds to check system time for validity. 0 disables the check
-.TP
-.BR charon.plugins.systime-fix.reauth " [no]"
-Whether to use reauth or delete if an invalid cert lifetime is detected
-.TP
-.BR charon.plugins.systime-fix.threshold
-Threshold date where system time is considered valid. Disabled if not specified
-.TP
-.BR charon.plugins.systime-fix.threshold_format " [%Y]"
-strptime(3) format used to parse threshold option
-.TP
-.BR charon.plugins.tnccs-11.max_message_size " [45000]"
-Maximum size of a PA-TNC message (XML & Base64 encoding)
-.TP
-.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
-Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
-.TP
-.BR charon.plugins.tnccs-20.max_message_size " [65490]"
-Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
-.TP
-.BR charon.plugins.tnc-ifmap.client_cert
-Path to X.509 certificate file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.client_key
-Path to private key file of IF-MAP client
-.TP
-.BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan server as a PEP and/or PDP device
-.TP
-.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
-Interval in seconds between periodic IF-MAP RenewSession requests
-.TP
-.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
-URI of the form [https://]servername[:port][/path]
-.TP
-.BR charon.plugins.tnc-ifmap.server_cert
-Path to X.509 certificate file of IF-MAP server
-.TP
-.BR charon.plugins.tnc-ifmap.username_password
-Credentials of IF-MAP client of the form username:password
-.TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
-Unload IMC after use
-.TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
-Preferred language for TNC recommendations
-.TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
-.TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
-EAP tunnel method to be used
-.TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
-RADIUS server port the strongSwan PDP is listening on
-.TP
-.BR charon.plugins.tnc-pdp.secret
-Shared RADIUS secret between strongSwan PDP and NAS
-.TP
-.BR charon.plugins.tnc-pdp.server
-Name of the strongSwan PDP as contained in the AAA certificate
-.TP
-.BR charon.plugins.tnc-pdp.timeout
-Timeout in seconds before closing incomplete connections
-.TP
-.BR charon.plugins.updown.dns_handler " [no]"
-Whether the updown script should handle DNS serves assigned via IKEv1 Mode
-Config or IKEv2 Config Payloads (if enabled they can't be handled by other
-plugins, like resolve)
-.TP
-.BR charon.plugins.whitelist.enable " [yes]"
-Enable loaded whitelist plugin
-.TP
-.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
-Socket provided by the whitelist plugin
-.TP
-.BR charon.plugins.xauth-eap.backend " [radius]"
-EAP plugin to be used as backend for XAuth credential verification
-.TP
-.BR charon.plugins.xauth-pam.pam_service " [login]"
-PAM service to be used for authentication
-.SS libstrongswan section
-.TP
-.BR libstrongswan.cert_cache " [yes]"
-Whether relations in validated certificate chains should be cached in memory
-.TP
-.BR libstrongswan.crypto_test.bench " [no]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_size " [1024]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_time " [50]"
-
-.TP
-.BR libstrongswan.crypto_test.on_add " [no]"
-Test crypto algorithms during registration
-.TP
-.BR libstrongswan.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation
-.TP
-.BR libstrongswan.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm
-.TP
-.BR libstrongswan.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy
-.TP
-.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
-Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
-strength
-.TP
-.BR libstrongswan.ecp_x_coordinate_only " [yes]"
-Compliance with the errata for RFC 4753
-.TP
-.BR libstrongswan.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused)
-.TP
-.BR libstrongswan.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around
-.TP
-.BR libstrongswan.integrity_test " [no]"
-Check daemon, libstrongswan and plugin integrity at startup
-.TP
-.BR libstrongswan.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output
-.TP
-.BR libstrongswan.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.processor.priority_threads
-Subsection to configure the number of reserved threads per priority class
-see JOB PRIORITY MANAGEMENT
-.TP
-.BR libstrongswan.x509.enforce_critical " [yes]"
-Discard certificates with unsupported or unknown critical extensions
-.SS libstrongswan.plugins subsection
-.TP
-.BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon
-.TP
-.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
-Enable logging of SQL IP pool leases
-.TP
-.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
-Use faster random numbers in gcrypt; for testing only, produces weak keys!
-.TP
-.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
-ENGINE ID to use in the OpenSSL plugin
-.TP
-.BR libstrongswan.plugins.openssl.fips_mode " [0]"
-Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
-.TP
-.BR libstrongswan.plugins.pkcs11.modules
-List of available PKCS#11 modules
-.TP
-.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
-Reload certificates from all tokens if charon receives a SIGHUP
-.TP
-.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
-Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
-.TP
-.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
-Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
-operations. ECDSA private keys can be used regardless of this option
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-Whether the PKCS#11 modules should be used to hash data
-.TP
-.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
-Whether the PKCS#11 modules should be used for public key operations, even for
-keys not stored on tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
-Whether the PKCS#11 modules should be used as RNG
-.TP
-.BR libstrongswan.plugins.random.random " [/dev/random]"
-File to read random bytes from, instead of /dev/random
-.TP
-.BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
-File to read pseudo random bytes from, instead of /dev/urandom
-.TP
-.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
-File to read DNS resolver configuration from
-.TP
-.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
-.SS libtnccs section
-.TP
-.BR libtnccs.tnc_config " [/etc/tnc_config]"
-TNC IMC/IMV configuration directory
-.SS libimcv section
-.TP
-.BR libimcv.assessment_result " [yes]"
-Whether IMVs send a standard IETF Assessment Result attribute
-.TP
-.BR libimcv.database
-Global IMV policy database URI
-.TP
-.BR libimcv.debug_level " [1]"
-Debug level for a stand-alone libimcv library
-.TP
-.BR libimcv.load " [random nonce gmp pubkey x509]"
-Plugins to load in IMC/IMVs
-.TP
-.BR libimcv.os_info.name
-Manually set the name of the client OS (e.g. Ubuntu)
-.TP
-.BR libimcv.os_info.version
-Manually set the version of the client OS (e.g. 12.04 i686)
-.TP
-.BR libimcv.policy_script " [ipsec _imv_policy]"
-Script called for each TNC connection to generate IMV policies
-.TP
-.BR libimcv.stderr_quiet " [no]"
-isable output to stderr with a stand-alone libimcv library
-.PP
-.SS libimcv plugins section
-.TP
-.BR libimcv.plugins.imc-attestation.aik_blob
-AIK encrypted private key blob file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_cert
-AIK certificate file
-.TP
-.BR libimcv.plugins.imc-attestation.aik_key
-AIK public key file
-.TP
-.BR libimcv.plugins.imv-attestation.nonce_len " [20]"
-DH nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]"
-Use Quote2 AIK signature instead of Quote signature
-.TP
-.BR libimcv.plugins.imv-attestation.cadir
-Path to directory with AIK cacerts
-.TP
-.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
-Preferred Diffie-Hellman group
-.TP
-.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
-Preferred measurement hash algorithm
-.TP
-.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
-DH minimum nonce length
-.TP
-.BR libimcv.plugins.imv-attestation.remediation_uri
-URI pointing to attestation remediation instructions
-.TP
-.BR libimcv.plugins.imc-os.push_info " [yes]"
-Send operating system info without being prompted
-.TP
-.BR libimcv.plugins.imv-os.remediation_uri
-URI pointing to operating system remediation instructions
-.TP
-.BR libimcv.plugins.imc-scanner.push_info " [yes]"
-Send open listening ports without being prompted
-.TP
-.BR libimcv.plugins.imv-scanner.remediation_uri
-URI pointing to scanner remediation instructions
-.TP
-.BR libimcv.plugins.imc-test.additional_ids " [0]"
-Number of additional IMC IDs
-.TP
-.BR libimcv.plugins.imc-test.command " [none]"
-Command to be sent to the Test IMV
-.TP
-.BR libimcv.plugins.imc-test.dummy_size " [0]"
-Size of dummy attribute to be sent to the Test IMV (0 = disabled)
-.TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
-.BR libimcv.plugins.imc-test.retry " [no]"
-Do a handshake retry
-.TP
-.BR libimcv.plugins.imc-test.retry_command
-Command to be sent to the Test IMV in the handshake retry
-.TP
-.BR libimcv.plugins.imv-test.rounds " [0]"
-Number of IMC-IMV retry rounds
-.SS manager section
-.TP
-.BR manager.database
-Credential database URI for manager
-.TP
-.BR manager.debug " [no]"
-Enable debugging in manager
-.TP
-.BR manager.load
-Plugins to load in manager
-.TP
-.BR manager.socket
-FastCGI socket of manager, to run it statically
-.TP
-.BR manager.threads " [10]"
-Threads to use for request handling
-.TP
-.BR manager.timeout " [15m]"
-Session timeout for manager
-.SS mediation client section
-.TP
-.BR medcli.database
-Mediation client database URI
-.TP
-.BR medcli.dpd " [5m]"
-DPD timeout to use in mediation client plugin
-.TP
-.BR medcli.rekey " [20m]"
-Rekeying time on mediation connections in mediation client plugin
-.SS mediation server section
-.TP
-.BR medsrv.database
-Mediation server database URI
-.TP
-.BR medsrv.debug " [no]"
-Debugging in mediation server web application
-.TP
-.BR medsrv.dpd " [5m]"
-DPD timeout to use in mediation server plugin
-.TP
-.BR medsrv.load
-Plugins to load in mediation server plugin
-.TP
-.BR medsrv.password_length " [6]"
-Minimum password length required for mediation server user accounts
-.TP
-.BR medsrv.rekey " [20m]"
-Rekeying time on mediation connections in mediation server plugin
-.TP
-.BR medsrv.socket
-Run Mediation server web application statically on socket
-.TP
-.BR medsrv.threads " [5]"
-Number of thread for mediation service web application
-.TP
-.BR medsrv.timeout " [15m]"
-Session timeout for mediation service
-.SS openac section
-.TP
-.BR openac.load
-Plugins to load in ipsec openac tool
-.SS pacman section
-.TP
-.BR pacman.database
-Database URI for the database that stores the package information
-.SS pki section
-.TP
-.BR pki.load
-Plugins to load in ipsec pki tool
-.SS pool section
-.TP
-.BR pool.load
-Plugins to load in ipsec pool tool
-.SS scepclient section
-.TP
-.BR scepclient.load
-Plugins to load in ipsec scepclient tool
-.SS starter section
-.TP
-.BR starter.load
-Plugins to load in starter
-.TP
-.BR starter.load_warning " [yes]"
-Disable charon plugin load option warning
-
-.SH LOGGER CONFIGURATION
-The options described below provide a much more flexible way to configure
-loggers for the IKEv2 daemon charon than using the
-.B charondebug
-option in
-.BR ipsec.conf (5).
-.PP
-.B Please note
-that if any loggers are specified in strongswan.conf,
-.B charondebug
-does not have any effect.
-.PP
-There are currently two types of loggers defined:
-.TP
-.B File loggers
-Log directly to a file and are defined by specifying the full path to the
-file as subsection in the
-.B charon.filelog
-section. To log to the console the two special filenames
-.BR stdout " and " stderr
-can be used.
-.TP
-.B Syslog loggers
-Log into a syslog facility and are defined by specifying the facility to log to
-as the name of a subsection in the
-.B charon.syslog
-section. The following facilities are currently supported:
-.BR daemon " and " auth .
-.PP
-Multiple loggers can be defined for each type with different log verbosity for
-the different subsystems of the daemon.
-.SS Options
-.TP
-.BR charon.filelog.<filename>.default " [1]"
-.TQ
-.BR charon.syslog.<facility>.default
-Specifies the default loglevel to be used for subsystems for which no specific
-loglevel is defined.
-.TP
-.BR charon.filelog.<filename>.<subsystem> " [<default>]"
-.TQ
-.BR charon.syslog.<facility>.<subsystem>
-Specifies the loglevel for the given subsystem.
-.TP
-.BR charon.filelog.<filename>.append " [yes]"
-If this option is enabled log entries are appended to the existing file.
-.TP
-.BR charon.filelog.<filename>.flush_line " [no]"
-Enabling this option disables block buffering and enables line buffering.
-.TP
-.BR charon.filelog.<filename>.ike_name " [no]"
-.TQ
-.BR charon.syslog.<facility>.ike_name
-Prefix each log entry with the connection name and a unique numerical
-identifier for each IKE_SA.
-.TP
-.BR charon.filelog.<filename>.time_format
-Prefix each log entry with a timestamp. The option accepts a format string as
-passed to
-.BR strftime (3).
-.TP
-.BR charon.syslog.identifier
-Global identifier used for an
-.BR openlog (3)
-call, prepended to each log message by syslog. If not configured,
-.BR openlog (3)
-is not called, so the value will depend on system defaults (often the program
-name).
-
-.SS Subsystems
-.TP
-.B dmn
-Main daemon setup/cleanup/signal handling
-.TP
-.B mgr
-IKE_SA manager, handling synchronization for IKE_SA access
-.TP
-.B ike
-IKE_SA
-.TP
-.B chd
-CHILD_SA
-.TP
-.B job
-Jobs queueing/processing and thread pool management
-.TP
-.B cfg
-Configuration management and plugins
-.TP
-.B knl
-IPsec/Networking kernel interface
-.TP
-.B net
-IKE network communication
-.TP
-.B asn
-Low-level encoding/decoding (ASN.1, X.509 etc.)
-.TP
-.B enc
-Packet encoding/decoding encryption/decryption operations
-.TP
-.B tls
-libtls library messages
-.TP
-.B esp
-libipsec library messages
-.TP
-.B lib
-libstrongwan library messages
-.TP
-.B tnc
-Trusted Network Connect
-.TP
-.B imc
-Integrity Measurement Collector
-.TP
-.B imv
-Integrity Measurement Verifier
-.TP
-.B pts
-Platform Trust Service
-.SS Loglevels
-.TP
-.B -1
-Absolutely silent
-.TP
-.B 0
-Very basic auditing logs, (e.g. SA up/SA down)
-.TP
-.B 1
-Generic control flow with errors, a good default to see whats going on
-.TP
-.B 2
-More detailed debugging control flow
-.TP
-.B 3
-Including RAW data dumps in Hex
-.TP
-.B 4
-Also include sensitive material in dumps, e.g. keys
-.SS Example
-.PP
-.EX
- charon {
- filelog {
- /var/log/charon.log {
- time_format = %b %e %T
- append = no
- default = 1
- }
- stderr {
- ike = 2
- knl = 3
- ike_name = yes
- }
- }
- syslog {
- # enable logging to LOG_DAEMON, use defaults
- daemon {
- }
- # minimalistic IKE auditing logging to LOG_AUTHPRIV
- auth {
- default = -1
- ike = 0
- }
- }
- }
-.EE
-
-.SH JOB PRIORITY MANAGEMENT
-Some operations in the IKEv2 daemon charon are currently implemented
-synchronously and blocking. Two examples for such operations are communication
-with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
-certificate chain verification. Under high load conditions, the thread pool may
-run out of available threads, and some more important jobs, such as liveness
-checking, may not get executed in time.
-.PP
-To prevent thread starvation in such situations job priorities were introduced.
-The job processor will reserve some threads for higher priority jobs, these
-threads are not available for lower priority, locking jobs.
-.SS Implementation
-Currently 4 priorities have been defined, and they are used in charon as
-follows:
-.TP
-.B CRITICAL
-Priority for long-running dispatcher jobs.
-.TP
-.B HIGH
-INFORMATIONAL exchanges, as used by liveness checking (DPD).
-.TP
-.B MEDIUM
-Everything not HIGH/LOW, including IKE_SA_INIT processing.
-.TP
-.B LOW
-IKE_AUTH message processing. RADIUS and CRL fetching block here
-.PP
-Although IKE_SA_INIT processing is computationally expensive, it is explicitly
-assigned to the MEDIUM class. This allows charon to do the DH exchange while
-other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
-IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
-.PP
-The thread pool processes jobs strictly by priority, meaning it will consume all
-higher priority jobs before looking for ones with lower priority. Further, it
-reserves threads for certain priorities. A priority class having reserved
-.I n
-threads will always have
-.I n
-threads available for this class (either currently processing a job, or waiting
-for one).
-.SS Configuration
-To ensure that there are always enough threads available for higher priority
-tasks, threads must be reserved for each priority class.
-.TP
-.BR libstrongswan.processor.priority_threads.critical " [0]"
-Threads reserved for CRITICAL priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.high " [0]"
-Threads reserved for HIGH priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.medium " [0]"
-Threads reserved for MEDIUM priority class jobs
-.TP
-.BR libstrongswan.processor.priority_threads.low " [0]"
-Threads reserved for LOW priority class jobs
-.PP
-Let's consider the following configuration:
-.PP
-.EX
- libstrongswan {
- processor {
- priority_threads {
- high = 1
- medium = 4
- }
- }
- }
-.EE
-.PP
-With this configuration, one thread is reserved for HIGH priority tasks. As
-currently only liveness checking and stroke message processing is done with
-high priority, one or two threads should be sufficient.
-.PP
-The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
-experiencing many blocks in locks while accessing shared resources, threads for
-one or two times the number of CPU cores is fine.
-.PP
-It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
-class rarely return and do not release their thread to the pool.
-.PP
-The remaining threads are available for LOW priority jobs. Reserving threads
-does not make sense (until we have an even lower priority).
-.SS Monitoring
-To see what the threads are actually doing, invoke
-.IR "ipsec statusall" .
-Under high load, something like this will show up:
-.PP
-.EX
- worker threads: 2 or 32 idle, 5/1/2/22 working,
- job queue: 0/0/1/149, scheduled: 198
-.EE
-.PP
-From 32 worker threads,
-.IP 2
-are currently idle.
-.IP 5
-are running CRITICAL priority jobs (dispatching from sockets, etc.).
-.IP 1
-is currently handling a HIGH priority job. This is actually the thread currently
-providing this information via stroke.
-.IP 2
-are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
-messages.
-.IP 22
-are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
-while processing IKE_AUTH messages.
-.PP
-The job queue load shows how many jobs are queued for each priority, ready for
-execution. The single MEDIUM priority job will get executed immediately, as
-we have two spare threads reserved for MEDIUM class jobs.
-
-.SH IKE_SA_INIT DROPPING
-If a responder receives more connection requests per seconds than it can handle,
-it does not make sense to accept more IKE_SA_INIT messages. And if they are
-queued but can't get processed in time, an answer might be sent after the
-client has already given up and restarted its connection setup. This
-additionally increases the load on the responder.
-.PP
-To limit the responder load resulting from new connection attempts, the daemon
-can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
-decide if this should happen, configured with the following options:
-.TP
-.BR charon.init_limit_half_open " [0]"
-Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
-connecting state, but not yet established.
-.TP
-.BR charon.init_limit_job_load " [0]"
-Limit based on the number of jobs currently queued for processing (sum over all
-job priorities).
-.PP
-The second limit includes load from other jobs, such as rekeying. Choosing a
-good value is difficult and depends on the hardware and expected load.
-.PP
-The first limit is simpler to calculate, but includes the load from new
-connections only. If your responder is capable of negotiating 100 tunnels/s, you
-might set this limit to 1000. The daemon will then drop new connection attempts
-if generating a response would require more than 10 seconds. If you are
-allowing for a maximum response time of more than 30 seconds, consider adjusting
-the timeout for connecting IKE_SAs
-.RB ( charon.half_open_timeout ).
-A responder, by default, deletes an IKE_SA if the initiator does not establish
-it within 30 seconds. Under high load, a higher value might be required.
-
-.SH LOAD TESTS
-To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows one to setup thousands of
-tunnels concurrently against the daemon itself or a remote host.
-.PP
-.B WARNING:
-Never enable the load-testing plugin on productive systems. It provides
-preconfigured credentials and allows an attacker to authenticate as any user.
-.SS Options
-.TP
-.BR charon.plugins.load-tester.addrs
-Subsection that contains key/value pairs with address pools (in CIDR notation)
-to use for a specific network interface e.g. eth0 = 10.10.0.0/16
-.TP
-.BR charon.plugins.load-tester.addrs_keep " [no]"
-Whether to keep dynamic addresses even after the associated SA got terminated
-.TP
-.BR charon.plugins.load-tester.addrs_prefix " [16]"
-Network prefix length to use when installing dynamic addresses. If set to -1 the
-full address is used (i.e. 32 or 128)
-.TP
-.BR charon.plugins.load-tester.ca_dir
-Directory to load (intermediate) CA certificates from
-.TP
-.BR charon.plugins.load-tester.child_rekey " [600]"
-Seconds to start CHILD_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.delay " [0]"
-Delay between initiatons for each thread
-.TP
-.BR charon.plugins.load-tester.delete_after_established " [no]"
-Delete an IKE_SA as soon as it has been established
-.TP
-.BR charon.plugins.load-tester.digest " [sha1]"
-Digest algorithm used when issuing certificates
-.TP
-.BR charon.plugins.load-tester.dpd_delay " [0]"
-DPD delay to use in load test
-.TP
-.BR charon.plugins.load-tester.dynamic_port " [0]"
-Base port to be used for requests (each client uses a different port)
-.TP
-.BR charon.plugins.load-tester.eap_password " [default-pwd]"
-EAP secret to use in load test
-.TP
-.BR charon.plugins.load-tester.enable " [no]"
-Enable the load testing plugin
-.TP
-.BR charon.plugins.load-tester.esp " [aes128-sha1]"
-CHILD_SA proposal to use for load tests
-.TP
-.BR charon.plugins.load-tester.fake_kernel " [no]"
-Fake the kernel interface to allow load-testing against self
-.TP
-.BR charon.plugins.load-tester.ike_rekey " [0]"
-Seconds to start IKE_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.init_limit " [0]"
-Global limit of concurrently established SAs during load test
-.TP
-.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
-Address to initiate from
-.TP
-.BR charon.plugins.load-tester.initiators " [0]"
-Number of concurrent initiator threads to use in load test
-.TP
-.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
-Authentication method(s) the intiator uses
-.TP
-.BR charon.plugins.load-tester.initiator_id
-Initiator ID used in load test
-.TP
-.BR charon.plugins.load-tester.initiator_match
-Initiator ID to match against as responder
-.TP
-.BR charon.plugins.load-tester.initiator_tsi
-Traffic selector on initiator side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.initiator_tsr
-Traffic selector on responder side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initiate by each initiator in load test
-.TP
-.BR charon.plugins.load-tester.issuer_cert
-Path to the issuer certificate (if not configured a hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.issuer_key
-Path to private key that is used to issue certificates (if not configured a
-hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.pool
-Provide INTERNAL_IPV4_ADDRs from a named pool
-.TP
-.BR charon.plugins.load-tester.preshared_key " [default-psk]"
-Preshared key to use in load test
-.TP
-.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
-IKE proposal to use in load test
-.TP
-.BR charon.plugins.load-tester.responder " [127.0.0.1]"
-Address to initiation connections to
-.TP
-.BR charon.plugins.load-tester.responder_auth " [pubkey]"
-Authentication method(s) the responder uses
-.TP
-.BR charon.plugins.load-tester.responder_id
-Responder ID used in load test
-.TP
-.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
-Traffic selector on initiator side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
-Traffic selector on responder side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.request_virtual_ip " [no]"
-Request an INTERNAL_IPV4_ADDR from the server
-.TP
-.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
-Shutdown the daemon after all IKE_SAs have been established
-.TP
-.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
-Socket provided by the load-tester plugin
-.TP
-.BR charon.plugins.load-tester.version " [0]"
-IKE version to use (0 means use IKEv2 as initiator and accept any version as
-responder)
-.PP
-.SS Configuration details
-For public key authentication, the responder uses the
-.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
-identity. For the initiator, each connection attempt uses a different identity
-in the form
-.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
-where the first number inidicates the client number, the second the
-authentication round (if multiple authentication is used).
-.PP
-For PSK authentication, FQDN identities are used. The server uses
-.BR srv.strongswan.org ,
-the client uses an identity in the form
-.BR c1-r1.strongswan.org .
-.PP
-For EAP authentication, the client uses a NAI in the form
-.BR 100000000010001@strongswan.org .
-.PP
-To configure multiple authentication, concatenate multiple methods using, e.g.
-.EX
- initiator_auth = pubkey|psk|eap-md5|eap-aka
-.EE
-.PP
-The responder uses a hardcoded certificate based on a 1024-bit RSA key.
-This certificate additionally serves as CA certificate. A peer uses the same
-private key, but generates client certificates on demand signed by the CA
-certificate. Install the Responder/CA certificate on the remote host to
-authenticate all clients.
-.PP
-To speed up testing, the load tester plugin implements a special Diffie-Hellman
-implementation called modpnull. By setting
-.EX
- proposal = aes128-sha1-modpnull
-.EE
-this wicked fast DH implementation is used. It does not provide any security
-at all, but allows one to run tests without DH calculation overhead.
-.SS Examples
-.PP
-In the simplest case, the daemon initiates IKE_SAs against itself using the
-loopback interface. This will actually establish double the number of IKE_SAs,
-as the daemon is initiator and responder for each IKE_SA at the same time.
-Installation of IPsec SAs would fails, as each SA gets installed twice. To
-simulate the correct behavior, a fake kernel interface can be enabled which does
-not install the IPsec SAs at the kernel level.
-.PP
-A simple loopback configuration might look like this:
-.PP
-.EX
- charon {
- # create new IKE_SAs for each CHILD_SA to simulate
- # different clients
- reuse_ikesa = no
- # turn off denial of service protection
- dos_protection = no
-
- plugins {
- load-tester {
- # enable the plugin
- enable = yes
- # use 4 threads to initiate connections
- # simultaneously
- initiators = 4
- # each thread initiates 1000 connections
- iterations = 1000
- # delay each initiation in each thread by 20ms
- delay = 20
- # enable the fake kernel interface to
- # avoid SA conflicts
- fake_kernel = yes
- }
- }
- }
-.EE
-.PP
-This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
-value if your box can not handle that much load, or decrease it to put more
-load on it. If the daemon starts retransmitting messages your box probably can
-not handle all connection attempts.
-.PP
-The plugin also allows one to test against a remote host. This might help to
-test against a real world configuration. A connection setup to do stress
-testing of a gateway might look like this:
-.PP
-.EX
- charon {
- reuse_ikesa = no
- threads = 32
-
- plugins {
- load-tester {
- enable = yes
- # 10000 connections, ten in parallel
- initiators = 10
- iterations = 1000
- # use a delay of 100ms, overall time is:
- # iterations * delay = 100s
- delay = 100
- # address of the gateway
- remote = 1.2.3.4
- # IKE-proposal to use
- proposal = aes128-sha1-modp1024
- # use faster PSK authentication instead
- # of 1024bit RSA
- initiator_auth = psk
- responder_auth = psk
- # request a virtual IP using configuration
- # payloads
- request_virtual_ip = yes
- # enable CHILD_SA every 60s
- child_rekey = 60
- }
- }
- }
-.EE
-
-.SH IKEv2 RETRANSMISSION
-Retransmission timeouts in the IKEv2 daemon charon can be configured globally
-using the three keys listed below:
-.PP
-.RS
-.nf
-.BR charon.retransmit_base " [1.8]"
-.BR charon.retransmit_timeout " [4.0]"
-.BR charon.retransmit_tries " [5]"
-.fi
-.RE
-.PP
-The following algorithm is used to calculate the timeout:
-.PP
-.EX
- relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
-.EE
-.PP
-Where
-.I n
-is the current retransmission count.
-.PP
-Using the default values, packets are retransmitted in:
-
-.TS
-l r r
----
-lB r r.
-Retransmission Relative Timeout Absolute Timeout
-1 4s 4s
-2 7s 11s
-3 13s 24s
-4 23s 47s
-5 42s 89s
-giving up 76s 165s
-.TE
-
-.SH FILES
-/etc/strongswan.conf
-
-.SH SEE ALSO
-\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
-
-.SH HISTORY
-Written for the
-.UR http://www.strongswan.org
-strongSwan project
-.UE
-by Tobias Brunner, Andreas Steffen and Martin Willi.
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 847d9d520..db63d36f4 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-10-29" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -319,7 +319,11 @@ Send strongSwan vendor ID payload
Section to define syslog loggers, see LOGGER CONFIGURATION
.TP
.BR charon.threads " [16]"
-Number of worker threads in charon
+Number of worker threads in charon. Several of these are reserved for long
+running tasks in internal modules and plugins. Therefore, make sure you don't
+set this value too low. The number of idle worker threads listed in
+.I ipsec statusall
+might be used as indicator on the number of reserved threads.
.TP
.BR charon.user
Name of the user the daemon changes to after startup
@@ -379,10 +383,13 @@ Derive user-defined MAC address from hash of IKEv2 identity
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
+.BR charon.plugins.dnscert.enable " [no]"
+Enable fetching of CERT RRs via DNS
+.TP
.BR charon.plugins.duplicheck.enable " [yes]"
Enable duplicheck plugin (if loaded)
.TP
-.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+.BR charon.plugins.duplicheck.socket " [unix://@piddir@/charon.dck]"
Socket provided by the duplicheck plugin
.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
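Review bot: The new `charon.plugins.dnscert.enable` entry says only `Enable fetching of CERT RRs via DNS`, which does not tell the reader whether unvalidated answers are ever used to authenticate a peer. If the plugin accepts only DNSSEC-validated responses (as the sibling ipseckey option and the unbound `trust_anchors` setting suggest), that should be stated here, e.g. `Enable fetching of CERT RRs via DNS; only DNSSEC-validated answers are used (see libstrongswan.plugins.unbound.trust_anchors)`. If it is not the case, the entry should say so explicitly, since the trust decision then rests entirely on unauthenticated DNS.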
@@ -522,6 +529,27 @@ option.
.BR charon.plugins.eap-radius.sockets " [1]"
Number of sockets (ports) to use, increase for high load
.TP
+.BR charon.plugins.eap-radius.xauth
+Section to configure multiple XAuth authentication rounds via RADIUS. The subsections define so called
+authentication profiles with arbitrary names. In each profile section one or more XAuth types can be
+configured, with an assigned message. For each type a separate XAuth exchange will be initiated and all
+replies get concatenated into the User-Password attribute, which then gets verified over RADIUS.
+
+Available XAuth types are \fBpassword\fR, \fBpasscode\fR, \fBnextpin\fR, and \fBanswer\fR. This type is
+not relevant to strongSwan or the AAA server, but the client may show a different dialog (along with the
+configured message).
+
+To use the configured profiles, they have to be configured in the respective connection in
+.IR ipsec.conf (5)
+by appending the profile name, separated by a colon, to the
+.B xauth-radius
+XAauth backend configuration in
+.I rightauth
+or
+.IR rightauth2 ,
+for instance,
+.IR rightauth2=xauth-radius:profile .
+.TP
.BR charon.plugins.eap-sim.request_identity " [yes]"
.TP
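Review bot: The new `charon.plugins.eap-radius.xauth` text contains the typo `XAauth backend configuration in` (should be `XAuth backend configuration in`), and `so called authentication profiles` should be `so-called authentication profiles`. The first four description lines also run well past the roughly 80-column wrap used everywhere else in this file; re-wrapping them keeps the troff source consistent and readable in diffs. Since the replies are described as being concatenated into a single User-Password attribute, it would help administrators to state the order in which the answers are concatenated (presumably the order of the types within the profile section), as the AAA side has to reproduce it.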
@@ -567,7 +595,7 @@ Start phase2 EAP TNC protocol after successful client authentication
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
-.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
Socket provided by the error-notify plugin
.TP
.BR charon.plugins.ha.autobalance " [0]"
@@ -605,7 +633,7 @@ Set to 0 to disable.
.TP
.BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs via DNS
+Enable fetching of IPSECKEY RRs via DNS
.TP
.BR charon.plugins.led.activity_led
@@ -619,16 +647,32 @@ Number of ipsecN devices
.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
Set MTU of ipsecN device
.TP
+.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
+Allow that the remote traffic selector equals the IKE peer. The route installed
+for such traffic (via TUN device) usually prevents further IKE traffic. The
+fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can
+be used to circumvent that problem.
+.TP
+.BR charon.plugins.kernel-netlink.fwmark
+Firewall mark to set on the routing rule that directs traffic to our own routing
+table. The format is [!]mark[/mask], where the optional exclamation mark inverts
+the meaning (i.e. the rule only applies to packets that don't match the mark).
+.TP
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change
.TP
+.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
+Lifetime of XFRM acquire state in kernel. The value gets written to
+/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+acquire messages sent.
+.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
.TP
.BR charon.plugins.load-tester
Section to configure the load-tester plugin, see LOAD TESTS
.TP
-.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
Socket provided by the lookip plugin
.TP
.BR charon.plugins.radattr.dir
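Review bot: The `charon.plugins.kernel-netlink.xfrm_acq_expires` entry says the value is written to `/proc/sys/net/core/xfrm_acq_expires`, which is a host-wide sysctl, but does not say that this changes the setting for every XFRM user on the machine, not just charon; a sentence such as `This is a system-wide kernel setting and also affects other XFRM users on the host.` would make the side effect explicit. The new `charon.plugins.kernel-netlink.fwmark` entry gives a format but no default; if an unset value means no mark-based routing rule is installed (which seems to be the intent), the entry should say so in the usual `" [default]"` form or in the text.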
@@ -647,6 +691,9 @@ is appended to this prefix to make it unique. The result has to be a valid
interface name according to the rules defined by resolvconf. Also, it should
have a high priority according to the order defined in interface-order(5).
.TP
+.BR charon.plugins.socket-default.fwmark
+Firewall mark to set on outbound packets.
+.TP
.BR charon.plugins.socket-default.set_source " [yes]"
Set source address on outbound packets, if possible.
.TP
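Review bot: `charon.plugins.socket-default.fwmark` is documented with a single sentence, `Firewall mark to set on outbound packets.`, while the companion `charon.plugins.kernel-netlink.fwmark` added in the same commit spells out the `[!]mark[/mask]` format. The `allow_peer_ts` entry refers to both fwmark options together, so a reader will expect them to take the same syntax; if they do, add `(same format as charon.plugins.kernel-netlink.fwmark)`, and if the socket option takes a plain mark only, say that instead so the two are not confused.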
@@ -669,7 +716,7 @@ certificates even if they don't contain a CA basic constraint.
.BR charon.plugins.stroke.max_concurrent " [4]"
Maximum number of stroke messages handled concurrently
.TP
-.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+.BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]"
Socket provided by the stroke plugin
.TP
.BR charon.plugins.stroke.timeout " [0]"
@@ -687,15 +734,6 @@ Threshold date where system time is considered valid. Disabled if not specified
.BR charon.plugins.systime-fix.threshold_format " [%Y]"
strptime(3) format used to parse threshold option
.TP
-.BR charon.plugins.tnccs-11.max_message_size " [45000]"
-Maximum size of a PA-TNC message (XML & Base64 encoding)
-.TP
-.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
-Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
-.TP
-.BR charon.plugins.tnccs-20.max_message_size " [65490]"
-Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
-.TP
.BR charon.plugins.tnc-ifmap.client_cert
Path to X.509 certificate file of IF-MAP client
.TP
@@ -717,22 +755,22 @@ Path to X.509 certificate file of IF-MAP server
.BR charon.plugins.tnc-ifmap.username_password
Credentials of IF-MAP client of the form username:password
.TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
-Unload IMC after use
+.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]"
+Enable PT-TLS protocol on the strongSwan PDP
.TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
-Preferred language for TNC recommendations
+.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
+PT-TLS server port the strongSwan PDP is listening on
.TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
+.BR charon.plugins.tnc-pdp.radius.enable " [yes]"
+Enable RADIUS protocol on the strongSwan PDP
.TP
-.BR charon.plugins.tnc-pdp.method " [ttls]"
+.BR charon.plugins.tnc-pdp.radius.method " [ttls]"
EAP tunnel method to be used
.TP
-.BR charon.plugins.tnc-pdp.port " [1812]"
+.BR charon.plugins.tnc-pdp.radius.port " [1812]"
RADIUS server port the strongSwan PDP is listening on
.TP
-.BR charon.plugins.tnc-pdp.secret
+.BR charon.plugins.tnc-pdp.radius.secret
Shared RADIUS secret between strongSwan PDP and NAS
.TP
.BR charon.plugins.tnc-pdp.server
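Review bot: The rename of `charon.plugins.tnc-pdp.method`, `.port` and `.secret` to `charon.plugins.tnc-pdp.radius.*` is not mentioned anywhere in the text, so an existing strongswan.conf keeps a `tnc-pdp.secret` value that is presumably no longer read. Because `tnc-pdp.radius.enable` defaults to `yes`, an upgraded PDP would then start its RADIUS listener without the operator's configured shared secret; what the plugin does in that case (refuse to start, or run with no secret) should be stated, and a short `(formerly charon.plugins.tnc-pdp.secret)` on each renamed entry would help administrators catch it. Likewise for `pt_tls.enable` and `radius.enable`, it is worth saying that both listeners are opened whenever the plugin is loaded, so that operators know to disable the one they do not use.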
@@ -749,7 +787,7 @@ plugins, like resolve)
.BR charon.plugins.whitelist.enable " [yes]"
Enable loaded whitelist plugin
.TP
-.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+.BR charon.plugins.whitelist.socket " [unix://@piddir@/charon.wlst]"
Socket provided by the whitelist plugin
.TP
.BR charon.plugins.xauth-eap.backend " [radius]"
@@ -757,6 +795,10 @@ EAP plugin to be used as backend for XAuth credential verification
.TP
.BR charon.plugins.xauth-pam.pam_service " [login]"
PAM service to be used for authentication
+.TP
+.BR charon.plugins.xauth-pam.trim_email " [yes]"
+If an email address is given as an XAuth username, trim it to just the
+username part.
.SS libstrongswan section
.TP
.BR libstrongswan.cert_cache " [yes]"
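Review bot: The new `charon.plugins.xauth-pam.trim_email` entry should make explicit that the domain part of the address is dropped without being checked, since with the default `yes` any `user@a.example` and `user@b.example` end up as the same PAM account. Suggested wording: `If an email address is given as an XAuth username, trim it to just the username part. The domain part is discarded and not verified, so all addresses with the same local part map to the same PAM user.` Operators whose PAM service distinguishes realms will want to set this to `no`, and the entry should say so.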
@@ -857,17 +899,25 @@ keys not stored on tokens
.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
Whether the PKCS#11 modules should be used as RNG
.TP
-.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
-File to read random bytes from, instead of @DEV_RANDOM@
+.BR libstrongswan.plugins.random.random " [@random_device@]"
+File to read random bytes from, instead of @random_device@
.TP
-.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
-File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
+File to read pseudo random bytes from, instead of @urandom_device@
.TP
.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
File to read DNS resolver configuration from
.TP
.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK)
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR libstrongswan.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
.SS libtls section
.TP
.BR libtls.cipher
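Review bot: The new `dlv_anchors` text describes the configured key as `a root trusted DLV`, i.e. a trust root on a par with `trust_anchors`, but does not say that the file therefore needs the same protection against tampering as the root trust anchors; one sentence to that effect belongs here. DNSSEC Lookaside Validation is a legacy mechanism (the public ISC DLV registry has since been retired), so the entry should also present it as a fallback only for zones with no chain of trust from the root. Two comma splices should be fixed while here: `(usually root zone KSK). The format of the file is the standard DNS Zone file format, anchors can be stored as DS or DNSKEY entries in the file.` → `... Zone file format; anchors can be stored ...`, and `which is then used as a root trusted DLV, this means that it is a lookaside for the root.` → `which is then used as a root trusted DLV; this means that it is a lookaside for the root.`.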
@@ -885,6 +935,26 @@ List of TLS cipher suites
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
TNC IMC/IMV configuration directory
+.PP
+.SS libtnccs plugins section
+.TP
+.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]"
+Maximum size of a PA-TNC message (XML & Base64 encoding)
+.TP
+.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]"
+Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
+.TP
+.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]"
+Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
+.TP
+.BR libtnccs.plugins.tnc-imc.dlclose " [yes]"
+Unload IMC after use
+.TP
+.BR libtnccs.plugins.tnc-imc.preferred_language " [en]"
+Preferred language for TNC recommendations
+.TP
+.BR libtnccs.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
.SS libimcv section
.TP
.BR libimcv.assessment_result " [yes]"
@@ -955,6 +1025,9 @@ Send open listening ports without being prompted
.BR libimcv.plugins.imv-scanner.remediation_uri
URI pointing to scanner remediation instructions
.TP
+.BR libimcv.plugins.imc-swid.swid_directory " [@prefix@/share]"
+Directory where SWID tags are located
+.TP
.BR libimcv.plugins.imc-test.additional_ids " [0]"
Number of additional IMC IDs
.TP
@@ -1048,6 +1121,10 @@ Plugins to load in ipsec pki tool
.TP
.BR pool.load
Plugins to load in ipsec pool tool
+.SS pt-tls-client section
+.TP
+.BR pt-tls-client.load
+Plugins to load in ipsec pt-tls-client tool
.SS scepclient section
.TP
.BR scepclient.load
@@ -1463,6 +1540,9 @@ Path to the issuer certificate (if not configured a hard-coded value is used)
Path to private key that is used to issue certificates (if not configured a
hard-coded value is used)
.TP
+.BR charon.plugins.load-tester.mode " [tunnel]"
+IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR.
+.TP
.BR charon.plugins.load-tester.pool
Provide INTERNAL_IPV4_ADDRs from a named pool
.TP
@@ -1493,7 +1573,7 @@ Request an INTERNAL_IPV4_ADDR from the server
.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
Shutdown the daemon after all IKE_SAs have been established
.TP
-.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]"
Socket provided by the load-tester plugin
.TP
.BR charon.plugins.load-tester.version " [0]"