Merge tag 'upstream/5.1.0'

Upstream version 5.1.0
author: Yves-Alexis Perez <corsac@debian.org> 2013-08-25 15:37:27 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2013-08-25 15:37:27 +0200
commit: c7307e752d8f47c68f834e22ee2ce0a14a70e695 (patch)
tree: fbb442a20ab54aad511b46a070e65b8d09c22791 /man
parent: f74c6d77c3efb529e7403eeef0613c061eb895b3 (diff)
parent: 6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 (diff)
download: vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.tar.gz
vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.zip
8 files changed, 334 insertions, 162 deletions
diff --git a/man/Makefile.am b/man/Makefile.am
index ea04303bd..0becd24c7 100644
--- a/man/Makefile.am
+++ b/man/Makefile.am
@@ -5,9 +5,9 @@ CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5
 SUFFIXES = .in
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@DEV_URANDOM@:$(urandom_device):" \
 	-e "s:@DEV_RANDOM@:$(random_device):" \
 	$(srcdir)/$@.in > $@
-
diff --git a/man/Makefile.in b/man/Makefile.in
index 50b7144a1..0bc64a6eb 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -62,13 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 	$(top_srcdir)/m4/macros/with.m4 \
 	$(top_srcdir)/m4/macros/enable-disable.m4 \
 	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.in
+	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
 SOURCES =
 DIST_SOURCES =
 am__can_run_installinfo = \
@@ -111,6 +117,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
@@ -123,6 +130,8 @@ CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CHECK_CFLAGS = @CHECK_CFLAGS@
 CHECK_LIBS = @CHECK_LIBS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
 CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CYGPATH_W = @CYGPATH_W@
@@ -138,6 +147,7 @@ ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+GENHTML = @GENHTML@
 GPERF = @GPERF@
 GPRBUILD = @GPRBUILD@
 GREP = @GREP@
@@ -146,6 +156,7 @@ INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
 LD = @LD@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
@@ -192,6 +203,7 @@ SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
@@ -220,6 +232,7 @@ charon_natt_port = @charon_natt_port@
 charon_plugins = @charon_plugins@
 charon_udp_port = @charon_udp_port@
 clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -556,6 +569,7 @@ uninstall-man: uninstall-man5
 
 
 .in:
+	$(AM_V_GEN) \
 	sed \
 	-e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
 	-e "s:@DEV_URANDOM@:$(urandom_device):" \
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index 981b53dba..76bef614f 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.4" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan"
 .SH NAME
 ipsec.conf \- IPsec configuration and connections
 .SH DESCRIPTION
@@ -300,8 +300,7 @@ for meaning of values).
 A
 .B closeaction should not be
 used if the peer uses reauthentication or uniquids checking, as these events
-might trigger the defined action when not desired. Currently not supported with
-IKEv1.
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that
 listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.BR leftprotoport=/53 .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.B leftprotoport=udp/%any
-or
-.BR leftprotoport=%any/53 .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-.TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in RFC 2537
-format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
-the path to a file containing the public key in PEM or DER encoding.
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
+encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
 extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index e778ab773..4c64e86ca 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -300,8 +300,7 @@ for meaning of values).
 A
 .B closeaction should not be
 used if the peer uses reauthentication or uniquids checking, as these events
-might trigger the defined action when not desired. Currently not supported with
-IKEv1.
+might trigger the defined action when not desired.
 .TP
 .BR compress " = yes | " no
 whether IPComp compression of content is proposed on the connection
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that
 listens on this port.
 .TP
 .BR leftprotoport " = <protocol>/<port>"
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
+restrict the traffic selector to a single protocol and/or port. This option
+is now deprecated, protocol/port information can be defined for each subnet
+directly in
+.BR leftsubnet .
+.TP
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
+.B dns:
 or
-.BR leftprotoport=/53 .
-Instead of omitting either value
-.B %any
-can be used to the same effect, e.g.
-.B leftprotoport=udp/%any
-or
-.BR leftprotoport=%any/53 .
-
-The port value can alternatively take the value
-.B %opaque
-for RFC 4301 OPAQUE selectors, or a numerical range in the form
-.BR 1024-65535 .
-None of the kernel backends currently supports opaque or port ranges and uses
-.B %any
-for policy installation instead.
-.TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in RFC 2537
-format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is
-the path to a file containing the public key in PEM or DER encoding.
+.B ssh:
+prefix in front of 0x or 0s, the public key is expected to be in either
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
+Also accepted is the path to a file containing the public key in PEM or DER
+encoding.
 .TP
 .BR leftsendcert " = never | no | " ifasked " | always | yes"
 Accepted values are
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as
 or the use of an external IP address pool using %\fIpoolname\fR,
 where \fIpoolname\fR is the name of the IP address pool used for the lookup.
 .TP
-.BR leftsubnet " = <ip subnet>"
+.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]"
 private subnet behind the left participant, expressed as
 \fInetwork\fB/\fInetmask\fR;
 if omitted, essentially assumed to be \fIleft\fB/32\fR,
@@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
 extension plugin is enabled.
+
+The optional part after each subnet enclosed in square brackets specifies a
+protocol/port to restrict the selector for that subnet.
+
+Examples:
+.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or"
+.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] .
+Instead of omitting either value
+.B %any
+can be used to the same effect, e.g.
+.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
+
+Instead of specifying a subnet,
+.B %dynamic
+can be used to replace it with the IKE address, having the same effect
+as omitting
+.B leftsubnet
+completely. Using
+.B %dynamic
+can be used to define multiple dynamic selectors, each having a potentially
+different protocol/port definition.
+
 .TP
 .BR leftupdown " = <path>"
 what ``updown'' script to run to adjust routing and/or firewalling
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 9b3d19190..a4a58f261 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.4" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan"
 .SH NAME
 ipsec.secrets \- secrets for IKE/IPsec authentication
 .SH DESCRIPTION
@@ -91,6 +91,9 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to
 the module name defined in strongswan.conf(5).
 Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
index 319d4856b..ee20c9670 100644
--- a/man/ipsec.secrets.5.in
+++ b/man/ipsec.secrets.5.in
@@ -91,6 +91,9 @@ defines an RSA private key
 .B ECDSA
 defines an ECDSA private key
 .TP
+.B P12
+defines a PKCS#12 container
+.TP
 .B EAP
 defines EAP credentials
 .TP
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with
 .B 0s
 is interpreted as Base64 encoded binary data.
 .TP
-.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ]
+.B : RSA <private key file> [ <passphrase> | %prompt ]
 .TQ
-.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ]
+.B : ECDSA <private key file> [ <passphrase> | %prompt ]
 For the private key file both absolute paths or paths relative to
 \fI/etc/ipsec.d/private\fP are accepted. If the private key file is
 encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
 .B %prompt
-can be used which then causes the daemons to ask the user for the password
+can be used which then causes the daemon to ask the user for the password
 whenever it is required to decrypt the key.
 .TP
+.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+For the PKCS#12 file both absolute paths or paths relative to
+\fI/etc/ipsec.d/private\fP are accepted. If the container is
+encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+.B %prompt
+can be used which then causes the daemon to ask the user for the password
+whenever it is required to decrypt the container. Private keys, client and CA
+certificates are extracted from the container. To use such a client certificate
+in a connection set leftid to one of the subjects of the certificate.
+.TP
 .B <user id> : EAP <secret>
 The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets.
 .br
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to
 the module name defined in strongswan.conf(5).
 Instead of specifying the pin code statically,
 .B %prompt
-can be specified, which causes the daemons to ask the user for the pin code.
+can be specified, which causes the daemon to ask the user for the pin code.
 .LP
 
 .SH FILES
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 3c820dbf9..fc99c8c47 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,8 +133,14 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
@@ -168,6 +174,9 @@ used certificates.
 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
 fragmentation extension.
 .TP
+.BR charon.group
+Name of the group the daemon changes to after startup
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -323,6 +335,18 @@ configuration payload (CP)
 .BR charon.plugins.certexpire.csv.cron
 Cron style string specifying CSV export times
 .TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
 .BR charon.plugins.certexpire.csv.local
 strftime(3) format string for the CSV file name to export local certificates to
 .TP
@@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to
 .BR charon.plugins.certexpire.csv.separator " [,]"
 CSV field separator
 .TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
 .BR charon.plugins.coupling.file
 File to store coupling list to
 .TP
@@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address
 .BR charon.plugins.duplicheck.enable " [yes]"
 Enable duplicheck plugin (if loaded)
 .TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -410,6 +428,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
 .BR charon.plugins.ha.autobalance " [0]"
 Interval in seconds to automatically balance handled segments between nodes.
 Set to 0 to disable.
@@ -581,7 +605,7 @@ Set to 0 to disable.
 
 .TP
 .BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs from the DNS
+Enable the fetching of IPSECKEY RRs via DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -595,9 +619,18 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
 .BR charon.plugins.radattr.dir
 Directory where RADIUS attributes are stored in client-ID specific files.
 .TP
@@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5).
 .BR charon.plugins.socket-default.set_source " [yes]"
 Set source address on outbound packets, if possible.
 .TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
 .BR charon.plugins.stroke.timeout " [0]"
 Timeout in ms for any stroke command. Use 0 to disable the timeout
 .TP
@@ -707,6 +749,9 @@ plugins, like resolve)
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin
 .TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
 EAP plugin to be used as backend for XAuth credential verification
 .TP
@@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output
 .BR libstrongswan.leak_detective.usage_threshold " [10240]"
 Threshold in bytes for leaks to be reported (0 to report all)
 .TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -820,6 +868,19 @@ File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
 File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory
 .BR libimcv.assessment_result " [yes]"
 Whether IMVs send a standard IETF Assessment Result attribute
 .TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
-.BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
 .TP
 .BR libimcv.os_info.name
 Manually set the name of the client OS (e.g. Ubuntu)
 .TP
 .BR libimcv.os_info.version
 Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
+.BR libimcv.stderr_quiet " [no]"
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
@@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions
 .BR libimcv.plugins.imc-os.push_info " [yes]"
 Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-os.database
-Database URI for the database that stores operating system information
-.TP
 .BR libimcv.plugins.imv-os.remediation_uri
 URI pointing to operating system remediation instructions
 .TP
 .BR libimcv.plugins.imc-scanner.push_info " [yes]"
 Send open listening ports without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
-.TP
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
-.TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
-.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -908,30 +964,17 @@ Command to be sent to the Test IMV
 .BR libimcv.plugins.imc-test.dummy_size " [0]"
 Size of dummy attribute to be sent to the Test IMV (0 = disabled)
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
 .BR charon.plugins.load-tester.version " [0]"
 IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1608,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 44fe330e8..847d9d520 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
 .SH NAME
 strongswan.conf \- strongSwan configuration file
 .SH DESCRIPTION
@@ -133,8 +133,14 @@ Path to database with file measurement information
 .TP
 .BR attest.load
 Plugins to load in ipsec attest tool
+
 .SS charon section
 .TP
+.BR Note :
+Many of these options also apply to \fBcharon\-cmd\fR and other
+\fBcharon\fR derivatives. Just use their respective name (e.g.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+.TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
@@ -168,6 +174,9 @@ used certificates.
 Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
 fragmentation extension.
 .TP
+.BR charon.group
+Name of the group the daemon changes to after startup
+.TP
 .BR charon.half_open_timeout " [30]"
 Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .TP
@@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION
 .TP
 .BR charon.threads " [16]"
 Number of worker threads in charon
+.TP
+.BR charon.user
+Name of the user the daemon changes to after startup
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -323,6 +335,18 @@ configuration payload (CP)
 .BR charon.plugins.certexpire.csv.cron
 Cron style string specifying CSV export times
 .TP
+.BR charon.plugins.certexpire.csv.empty_string
+String to use in empty intermediate CA fields
+.TP
+.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
+Use a fixed intermediate CA field count
+.TP
+.BR charon.plugins.certexpire.csv.force " [yes]"
+Force export of all trustchains we have a private key for
+.TP
+.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
+strftime(3) format string to export expiration dates as
+.TP
 .BR charon.plugins.certexpire.csv.local
 strftime(3) format string for the CSV file name to export local certificates to
 .TP
@@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to
 .BR charon.plugins.certexpire.csv.separator " [,]"
 CSV field separator
 .TP
-.BR charon.plugins.certexpire.csv.empty_string
-String to use in empty intermediate CA fields
-.TP
-.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
-strftime(3) format string to export expiration dates as
-.TP
-.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
-Use a fixed intermediate CA field count
-.TP
 .BR charon.plugins.coupling.file
 File to store coupling list to
 .TP
@@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address
 .BR charon.plugins.duplicheck.enable " [yes]"
 Enable duplicheck plugin (if loaded)
 .TP
+.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]"
+Socket provided by the duplicheck plugin
+.TP
 .BR charon.plugins.eap-aka.request_identity " [yes]"
 
 .TP
@@ -410,6 +428,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.eap-radius.accounting " [no]"
 Send RADIUS accounting information to RADIUS servers.
 .TP
+.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
+If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
+.TP
 .BR charon.plugins.eap-radius.class_group " [no]"
 Use the
 .I class
@@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication
 .BR charon.plugins.eap-ttls.request_peer_auth " [no]"
 Request peer authentication based on a client certificate
 .TP
+.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]"
+Socket provided by the error-notify plugin
+.TP
 .BR charon.plugins.ha.autobalance " [0]"
 Interval in seconds to automatically balance handled segments between nodes.
 Set to 0 to disable.
@@ -581,7 +605,7 @@ Set to 0 to disable.
 
 .TP
 .BR charon.plugins.ipseckey.enable " [no]"
-Enable the fetching of IPSECKEY RRs from the DNS
+Enable the fetching of IPSECKEY RRs via DNS
 .TP
 .BR charon.plugins.led.activity_led
 
@@ -595,9 +619,18 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-netlink.roam_events " [yes]"
+Whether to trigger roam events when interfaces, addresses or routes change
+.TP
+.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
+Time in ms to wait until virtual IP addresses appear/disappear before failing.
+.TP
 .BR charon.plugins.load-tester
 Section to configure the load-tester plugin, see LOAD TESTS
 .TP
+.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]"
+Socket provided by the lookip plugin
+.TP
 .BR charon.plugins.radattr.dir
 Directory where RADIUS attributes are stored in client-ID specific files.
 .TP
@@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5).
 .BR charon.plugins.socket-default.set_source " [yes]"
 Set source address on outbound packets, if possible.
 .TP
+.BR charon.plugins.socket-default.use_ipv4 " [yes]"
+Listen on IPv4, if possible.
+.TP
+.BR charon.plugins.socket-default.use_ipv6 " [yes]"
+Listen on IPv6, if possible.
+.TP
 .BR charon.plugins.sql.database
 Database URI for charons SQL plugin
 .TP
@@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]"
+Socket provided by the stroke plugin
+.TP
 .BR charon.plugins.stroke.timeout " [0]"
 Timeout in ms for any stroke command. Use 0 to disable the timeout
 .TP
@@ -707,6 +749,9 @@ plugins, like resolve)
 .BR charon.plugins.whitelist.enable " [yes]"
 Enable loaded whitelist plugin
 .TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin
+.TP
 .BR charon.plugins.xauth-eap.backend " [radius]"
 EAP plugin to be used as backend for XAuth credential verification
 .TP
@@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output
 .BR libstrongswan.leak_detective.usage_threshold " [10240]"
 Threshold in bytes for leaks to be reported (0 to report all)
 .TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -820,6 +868,19 @@ File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
 File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory
 .BR libimcv.assessment_result " [yes]"
 Whether IMVs send a standard IETF Assessment Result attribute
 .TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
-.BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
 .TP
 .BR libimcv.os_info.name
 Manually set the name of the client OS (e.g. Ubuntu)
 .TP
 .BR libimcv.os_info.version
 Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
+.BR libimcv.stderr_quiet " [no]"
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
@@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions
 .BR libimcv.plugins.imc-os.push_info " [yes]"
 Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-os.database
-Database URI for the database that stores operating system information
-.TP
 .BR libimcv.plugins.imv-os.remediation_uri
 URI pointing to operating system remediation instructions
 .TP
 .BR libimcv.plugins.imc-scanner.push_info " [yes]"
 Send open listening ports without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
-.TP
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
-.TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
-.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -908,30 +964,17 @@ Command to be sent to the Test IMV
 .BR libimcv.plugins.imc-test.dummy_size " [0]"
 Size of dummy attribute to be sent to the Test IMV (0 = disabled)
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
 .BR charon.plugins.load-tester.version " [0]"
 IKE version to use (0 means use IKEv2 as initiator and accept any version as
 responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1608,7 +1655,8 @@ giving up	76s	165s
 /etc/strongswan.conf
 
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org
author	Yves-Alexis Perez <corsac@debian.org>	2013-08-25 15:37:27 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2013-08-25 15:37:27 +0200
commit	c7307e752d8f47c68f834e22ee2ce0a14a70e695 (patch)
tree	fbb442a20ab54aad511b46a070e65b8d09c22791 /man
parent	f74c6d77c3efb529e7403eeef0613c061eb895b3 (diff)
parent	6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 (diff)
download	vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.tar.gz vyos-strongswan-c7307e752d8f47c68f834e22ee2ce0a14a70e695.zip