path: root/src/swanctl/swanctl.conf
authorYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
committerYves-Alexis Perez <corsac@corsac.net>2017-04-01 16:26:44 +0200
commit05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch)
tree302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /src/swanctl/swanctl.conf
parent25663e04c3ab01ef8dc9f906608282319cfea2db (diff)
New upstream version 5.5.2
Diffstat (limited to 'src/swanctl/swanctl.conf')
-rw-r--r--src/swanctl/swanctl.conf123
1 files changed, 119 insertions, 4 deletions
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index eb46005e1..789b128fd 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -31,6 +31,10 @@
# Set the Mode Config mode to use.
# pull = yes
+ # Differentiated Services Field Codepoint to set on outgoing IKE packets
+ # (six binary digits).
+ # dscp = 000000
+
# Enforce UDP encapsulation by faking NAT-D payloads.
# encap = no
@@ -73,6 +77,15 @@
# Comma separated list of named IP pools.
# pools =
+ # Whether this connection is a mediation connection.
+ # mediation = no
+
+ # The name of the connection to mediate this connection through.
+ # mediated_by =
+
+ # Identity under which the peer is registered at the mediation server.
+ # mediation_peer =
+
# Section for a local authentication round.
# local<suffix> {
@@ -85,6 +98,9 @@
# authentication.
# certs =
+ # Section for a certificate candidate to use for authentication.
+ # cert<suffix> =
+
# Comma separated list of raw public key candidates to use for
# authentication.
# pubkeys =
@@ -106,6 +122,22 @@
# Client XAuth username used in the XAuth exchange.
# xauth_id = id
+ # cert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
# }
# Section for a remote authentication round.
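Review bot: The new `cert<suffix>` subsection lists `file`, `handle`, `slot` and `module` without saying how they combine, so a reader cannot tell whether `file` and `handle` are mutually exclusive ways of naming one certificate or whether `slot`/`module` mean anything when `file` is set. I would add one line at the top of the subsection, e.g. `# Either file or handle selects the certificate; slot and module only apply to handle.` That wording is my inference from the option names and should be confirmed against the credential loader before it goes in. The enclosing `local<suffix>` section starts before this hunk.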
@@ -122,13 +154,22 @@
# Authorization group memberships to require.
# groups =
+ # Certificate policy OIDs the peer's certificate must have.
+ # cert_policy =
+
# Comma separated list of certificate to accept for authentication.
# certs =
+ # Section for a certificate to accept for authentication.
+ # cert<suffix> =
+
# Comma separated list of CA certificates to accept for
# authentication.
# cacerts =
+ # Section for a CA certificate to accept for authentication.
+ # cacert<suffix> =
+
# Comma separated list of raw public keys to accept for
# authentication.
# pubkeys =
@@ -140,6 +181,39 @@
# or eap[-method]).
# auth = pubkey
+ # cert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ # cacert<suffix> {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA
+ # certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
# }
# children {
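Review bot: In the new `cacert<suffix>` subsection the `file` comment reads `Absolute path to the certificate to load.` while its sibling `handle` comment correctly says `CA certificate on a token`; since this subsection only ever loads trust anchors, the mismatch invites confusing it with the `cert<suffix>` subsection directly above. I would change it to `# Absolute path to the CA certificate to load.` so the two comments agree. The enclosing `remote<suffix>` section starts before this hunk.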
@@ -194,8 +268,8 @@
# Hostaccess variable to pass to updown script.
# hostaccess = yes
- # IPsec Mode to establish (tunnel, transport, beet, pass or
- # drop).
+ # IPsec Mode to establish (tunnel, transport, transport_proxy,
+ # beet, pass or drop).
# mode = tunnel
# Whether to install IPsec policies or not.
@@ -270,6 +344,17 @@
# }
+ # NTLM secret section for a specific secret.
+ # ntlm<suffix> {
+
+ # Value of the NTLM secret.
+ # secret =
+
+ # Identity the NTLM secret belongs to.
+ # id<suffix> =
+
+ # }
+
# IKE preshared secret section for a specific secret.
# ike<suffix> {
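Review bot: The `secret =` comment under the new `ntlm<suffix>` section says only "Value of the NTLM secret" and does not state what form the value takes — a plaintext password or a pre-computed NT hash, and in which encoding — which is exactly what an operator must know to provision it, and getting it wrong fails silently as an authentication mismatch. I would document the accepted form here, along the lines of `# Value of the NTLM secret (plaintext password or NT hash; see swanctl.conf(5) for accepted encodings).` I cannot tell from this hunk which forms the parser accepts, so the exact wording needs checking against the implementation. The enclosing section (presumably `secrets`) starts before this hunk.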
@@ -340,6 +425,24 @@
# }
+ # Definition for a private key that's stored on a token/smartcard.
+ # token<suffix> {
+
+ # Hex-encoded CKA_ID of the private key on the token.
+ # handle =
+
+ # Optional slot number to access the token.
+ # slot =
+
+ # Optional PKCS#11 module name to access the token.
+ # module =
+
+ # Optional PIN required to access the key on the token. If none is
+ # provided the user is prompted during an interactive --load-creds call.
+ # pin =
+
+ # }
+
# }
# Section defining named pools.
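Review bot: The `pin =` option added to `token<suffix>` lets a smartcard PIN sit in plaintext in swanctl.conf, and the comment only says it is optional and otherwise prompted for; the caveat a deployer needs is that anyone able to read this file can then use the key on the token, which removes much of the benefit of keeping the key on hardware. I would extend the comment with `# Storing the PIN here exposes it to anyone who can read this file; prefer the interactive prompt, and keep this file readable by root only.` The enclosing section (presumably `secrets`) starts before this hunk.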
@@ -367,10 +470,22 @@
# CA certificate belonging to the certification authority.
# cacert =
- # Comma-separated list of CRL distribution points
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # Comma-separated list of CRL distribution points.
# crl_uris =
- # Comma-separated list of OCSP URIs
+ # Comma-separated list of OCSP URIs.
# ocsp_uris =
# Defines the base URI for the Hash and URL feature supported by IKEv2.