Diffstat (limited to 'conf/options/charon.opt')
-rw-r--r-- | conf/options/charon.opt | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 4c4311e81..3593c6a5f 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -75,6 +75,16 @@ charon.delete_rekeyed = no However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +charon.delete_rekeyed_delay = 5 + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). + + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). To process delayed packets the inbound part of a CHILD_SA is kept + installed up to the configured number of seconds after it got replaced + during a rekeying. If set to 0 the CHILD_SA will be kept installed until it + expires (if no lifetime is set it will be destroyed immediately). + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -311,6 +321,13 @@ charon.retransmit_timeout = 4.0 charon.retransmit_tries = 5 Number of times to retransmit a packet before giving up. +charon.retransmit_jitter = 0 + Maximum jitter in percent to apply randomly to calculated retransmission + timeout (0 to disable). + +charon.retransmit_limit = 0 + Upper limit in seconds for calculated retransmission timeout (0 to disable). + charon.retry_initiate_interval = 0 Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries. |
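Review bot: In the `charon.delete_rekeyed_delay` entry, the meaning of 0 appears only in the last sentence of the long description, and it is the reverse of what the name suggests: 0 keeps the replaced inbound CHILD_SA installed until it expires instead of deleting it at once. An operator who sets 0 to tighten the configuration would leave the old inbound keys accepted for the rest of the SA lifetime. The short description should carry this, for example `Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 only), 0 to keep them until they expire.` It would also help to contrast the option with the IKEv1-only `charon.delete_rekeyed` directly above, since the two names differ only by a suffix.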
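Review bot: The new `charon.retransmit_jitter` and `charon.retransmit_limit` entries do not say how they combine with `charon.retransmit_timeout` and `charon.retransmit_tries` just above them, and the jitter entry gives neither an accepted range nor a direction. From the text alone a reader cannot tell whether the jitter lengthens or shortens the calculated timeout, or whether the limit is applied before or after it. Both options presumably change how long an unresponsive peer is retried before the IKE_SA is given up, so each entry deserves a long description stating the order of application and the effect on the total give-up time. The summary could at least read `Maximum jitter in percent (state the accepted range) to apply randomly to calculated retransmission timeout (0 to disable).`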