Diffstat (limited to 'conf/options/charon.opt')
-rw-r--r--conf/options/charon.opt284
1 files changed, 284 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
new file mode 100644
index 000000000..c6f4f1e9e
--- /dev/null
+++ b/conf/options/charon.opt
@@ -0,0 +1,284 @@
+charon {}
+ Options for the charon IKE daemon.
+
+ Options for the charon IKE daemon.
+
+ **Note**: Many of the options in this section also apply to **charon-cmd**
+ and other **charon** derivatives. Just use their respective name (e.g.
+ **charon-cmd** instead of **charon**). For many options defaults can be
+ defined in the **libstrongswan** section.
+
+charon.block_threshold = 5
+ Maximum number of half-open IKE_SAs for a single peer IP.
+
+charon.cert_cache = yes
+ Whether relations in validated certificate chains should be cached in
+ memory.
+
+charon.cisco_unity = no
+ Send Cisco Unity vendor ID payload (IKEv1 only).
+
+charon.close_ike_on_child_failure = no
+ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+
+charon.cookie_threshold = 10
+ Number of half-open IKE_SAs that activate the cookie mechanism.
+
+charon.crypto_test.bench = no
+ Benchmark crypto algorithms and order them by efficiency.
+
+charon.crypto_test.bench_size = 1024
+ Buffer size used for crypto benchmark.
+
+charon.crypto_test.bench_time = 50
+ Number of iterations to test each algorithm.
+
+charon.crypto_test.on_add = no
+ Test crypto algorithms during registration (requires test vectors provided
+ by the _test-vectors_ plugin).
+
+charon.crypto_test.on_create = no
+ Test crypto algorithms on each crypto primitive instantiation.
+
+charon.crypto_test.required = no
+ Strictly require at least one test vector to enable an algorithm.
+
+charon.crypto_test.rng_true = no
+ Whether to test RNG with TRUE quality; requires a lot of entropy.
+
+charon.dh_exponent_ansi_x9_42 = yes
+ Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ strength.
+
+charon.dns1
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dns2
+ DNS server assigned to peer via configuration payload (CP).
+
+charon.dos_protection = yes
+ Enable Denial of Service protection using cookies and aggressiveness checks.
+
+charon.ecp_x_coordinate_only = yes
+ Compliance with the errata for RFC 4753.
+
+charon.flush_auth_cfg = no
+ Free objects during authentication (might conflict with plugins).
+
+ If enabled objects used during authentication (certificates, identities
+ etc.) are released to free memory once an IKE_SA is established. Enabling
+ this might conflict with plugins that later need access to e.g. the used
+ certificates.
+
+charon.fragment_size = 512
+ Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
+ fragmentation extension.
+
+charon.group
+ Name of the group the daemon changes to after startup.
+
+charon.half_open_timeout = 30
+ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+
+charon.hash_and_url = no
+ Enable hash and URL support.
+
+charon.host_resolver.max_threads = 3
+ Maximum number of concurrent resolver threads (they are terminated if
+ unused).
+
+charon.host_resolver.min_threads = 0
+ Minimum number of resolver threads to keep around.
+
+charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+
+ If enabled responders are allowed to use IKEv1 Aggressive Mode with
+ pre-shared keys, which is discouraged due to security concerns (offline
+ attacks on the openly transmitted hash of the PSK).
+
+charon.ignore_routing_tables
+ A space-separated list of routing tables to be excluded from route lookups.
+
+charon.ikesa_limit = 0
+ Maximum number of IKE_SAs that can be established at the same time before
+ new connection attempts are blocked.
+
+charon.ikesa_table_segments = 1
+ Number of exclusively locked segments in the hash table.
+
+charon.ikesa_table_size = 1
+ Size of the IKE_SA hash table.
+
+charon.inactivity_close_ike = no
+ Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+
+charon.init_limit_half_open = 0
+ Limit new connections based on the current number of half open IKE_SAs, see
+ IKE_SA_INIT DROPPING in **strongswan.conf**(5).
+
+charon.init_limit_job_load = 0
+ Limit new connections based on the number of queued jobs.
+
+ Limit new connections based on the number of jobs currently queued for
+ processing (see IKE_SA_INIT DROPPING).
+
+charon.initiator_only = no
+ Causes charon daemon to ignore IKE initiation requests.
+
+charon.install_routes = yes
+ Install routes into a separate routing table for established IPsec tunnels.
+
+charon.install_virtual_ip = yes
+ Install virtual IP addresses.
+
+charon.install_virtual_ip_on
+ The name of the interface on which virtual IP addresses should be installed.
+
+ The name of the interface on which virtual IP addresses should be installed.
+ If not specified the addresses will be installed on the outbound interface.
+
+charon.integrity_test = no
+ Check daemon, libstrongswan and plugin integrity at startup.
+
+charon.interfaces_ignore
+ A comma-separated list of network interfaces that should be ignored, if
+ **interfaces_use** is specified this option has no effect.
+
+charon.interfaces_use
+ A comma-separated list of network interfaces that should be used by charon.
+ All other interfaces are ignored.
+
+charon.keep_alive = 20s
+ NAT keep alive interval.
+
+charon.leak_detective.detailed = yes
+ Includes source file names and line numbers in leak detective output.
+
+charon.leak_detective.usage_threshold = 10240
+ Threshold in bytes for leaks to be reported (0 to report all).
+
+charon.leak_detective.usage_threshold_count = 0
+ Threshold in number of allocations for leaks to be reported (0 to report
+ all).
+
+charon.load
+ Plugins to load in the IKE daemon charon.
+
+charon.load_modular = no
+ Determine plugins to load via each plugin's load option.
+
+ If enabled, the list of plugins to load is determined via the value of the
+ _charon.plugins.<name>.load_ options. In addition to a simple boolean flag
+ that option may take an integer value indicating the priority of a plugin,
+ which would influence the order of a plugin in the plugin list (the default
+ is 1). If two plugins have the same priority their order in the default
+ plugin list is preserved. Enabled plugins not found in that list are ordered
+ alphabetically before other plugins with the same priority.
+
+charon.max_packet = 10000
+ Maximum packet size accepted by charon.
+
+charon.multiple_authentication = yes
+ Enable multiple authentication exchanges (RFC 4739).
+
+charon.nbns1
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.nbns2
+ WINS servers assigned to peer via configuration payload (CP).
+
+charon.port = 500
+ UDP port used locally. If set to 0 a random port will be allocated.
+
+charon.port_nat_t = 4500
+ UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ allocated. Has to be different from **charon.port**, otherwise a random
+ port will be allocated.
+
+charon.process_route = yes
+ Process RTM_NEWROUTE and RTM_DELROUTE events.
+
+charon.processor.priority_threads {}
+ Section to configure the number of reserved threads per priority class
+ see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
+
+charon.receive_delay = 0
+ Delay in ms for receiving packets, to simulate larger RTT.
+
+charon.receive_delay_response = yes
+ Delay response messages.
+
+charon.receive_delay_request = yes
+ Delay request messages.
+
+charon.receive_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.replay_window = 32
+ Size of the AH/ESP replay window, in packets.
+
+charon.retransmit_base = 1.8
+ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ in **strongswan.conf**(5).
+
+charon.retransmit_timeout = 4.0
+ Timeout in seconds before sending first retransmit.
+
+charon.retransmit_tries = 5
+ Number of times to retransmit a packet before giving up.
+
+charon.retry_initiate_interval = 0
+ Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
+ failed), 0 to disable retries.
+
+charon.reuse_ikesa = yes
+ Initiate CHILD_SA within existing IKE_SAs.
+
+charon.routing_table
+ Numerical routing table to install routes to.
+
+charon.routing_table_prio
+ Priority of the routing table.
+
+charon.send_delay = 0
+ Delay in ms for sending packets, to simulate larger RTT.
+
+charon.send_delay_response = yes
+ Delay response messages.
+
+charon.send_delay_request = yes
+ Delay request messages.
+
+charon.send_delay_type = 0
+ Specific IKEv2 message type to delay, 0 for any.
+
+charon.send_vendor_id = no
+ Send strongSwan vendor ID payload
+
+charon.threads = 16
+ Number of worker threads in charon.
+
+ Number of worker threads in charon. Several of these are reserved for long
+ running tasks in internal modules and plugins. Therefore, make sure you
+ don't set this value too low. The number of idle worker threads listed in
+ _ipsec statusall_ might be used as indicator on the number of reserved
+ threads.
+
+charon.tls.cipher
+ List of TLS encryption ciphers.
+
+charon.tls.key_exchange
+ List of TLS key exchange methods.
+
+charon.tls.mac
+ List of TLS MAC algorithms.
+
+charon.tls.suites
+ List of TLS cipher suites.
+
+charon.user
+ Name of the user the daemon changes to after startup.
+
+charon.x509.enforce_critical = yes
+ Discard certificates with unsupported or unknown critical extensions.
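Review bot: The description of `charon.dh_exponent_ansi_x9_42` (`Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength.`) does not say which of the two sizes the boolean selects, so a reader cannot tell what flipping the default to no changes; given the option name I would reword it to `If enabled, use the ANSI X9.42 DH exponent size; otherwise use the optimum exponent size matched to the cryptographic strength of the group.` Similarly, `charon.block_threshold` and `charon.cookie_threshold` are documented as standalone limits, while the `charon.dos_protection` entry states that it is what enables the cookie and aggressiveness checks. If those thresholds are only consulted when dos_protection is enabled (the wording suggests so, but this should be confirmed against the daemon code), each of their descriptions should say so, e.g. `Only effective if dos_protection is enabled.`, otherwise an operator who disables dos_protection may believe the per-peer half-open limit still applies.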