Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/aikpub2.conf7
-rw-r--r--conf/options/aikpub2.opt2
-rw-r--r--conf/options/charon.conf9
-rw-r--r--conf/options/charon.opt20
4 files changed, 29 insertions, 9 deletions
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
deleted file mode 100644
index fd48f2c7a..000000000
--- a/conf/options/aikpub2.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-aikpub2 {
-
- # Plugins to load in aikpub2 tool.
- # load =
-
-}
-
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
deleted file mode 100644
index 6a755d211..000000000
--- a/conf/options/aikpub2.opt
+++ /dev/null
@@ -1,2 +0,0 @@
-aikpub2.load =
- Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index f72041e6a..1b5d52d02 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -164,6 +164,9 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # Wether to prefer updating SAs to the path with the best route.
+ # prefer_best_path = no
+
# Prefer locally configured proposals for IKE/IPsec over supplied ones as
# responder (disabling this can avoid keying retries due to
# INVALID_KE_PAYLOAD notifies).
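Review bot: The new comment line for prefer_best_path misspells "Whether" as "Wether"; the same typo is carried into the option description in conf/options/charon.opt in this commit. Since the .conf comment and the .opt summary are meant to stay in sync, both should read `# Whether to prefer updating SAs to the path with the best route.`. The enclosing charon section starts and ends outside this hunk.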
@@ -236,6 +239,12 @@ charon {
# Whether to enable constraints against IKEv2 signature schemes.
# signature_authentication_constraints = yes
+ # The upper limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_max = 0xcfffffff
+
+ # The lower limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_min = 0xc0000000
+
# Number of worker threads in charon.
# threads = 16
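Review bot: The spi_min/spi_max comments give no hint that the two values form a range, so an operator editing the template can set spi_min above spi_max without any cue that the pair is invalid; the .opt text in this commit documents the IANA-reserved lower bound for spi_min but the .conf comment does not. A one-line addition on each would help, e.g. `# Must be >= spi_min and defines the top of the kernel SPI range.` under spi_max and `# Should not be below 0x00000100, SPIs 1..255 are reserved by IANA.` under spi_min. Note also that the .conf lists spi_max before spi_min (alphabetical) while the .opt hunk lists spi_min first; either order is fine, but the two files should agree.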
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c57..4c4311e81 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.
+charon.prefer_best_path = no
+ Wether to prefer updating SAs to the path with the best route.
+
+ By default, charon keeps SAs on the routing path with addresses it
+ previously used if that path is still usable. By setting this option to
+ yes, it tries more aggressively to update SAs with MOBIKE on routing
+ priority changes using the cheapest path. This adds more noise, but allows
+ to dynamically adapt SAs to routing priority changes. This option has no
+ effect if MOBIKE is not supported or disabled.
+
charon.prefer_configured_proposals = yes
Prefer locally configured proposals for IKE/IPsec over supplied ones as
responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
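Review bot: "This adds more noise" in the prefer_best_path description leaves the operator guessing what the cost of enabling the option is; from the preceding sentence it appears to mean additional MOBIKE update exchanges on routing changes, but that is an inference and should be stated explicitly by the author. A wording such as `This causes additional MOBIKE update exchanges, but allows SAs to dynamically adapt to routing priority changes.` would make the trade-off concrete. "Wether" on the summary line is the same typo as in conf/options/charon.conf and should be fixed together with it.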
@@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes
certificate chain, are also used as constraints against the signature scheme
used by peers during IKEv2.
+charon.spi_min = 0xc0000000
+ The lower limit for SPIs requested from the kernel for IPsec SAs.
+
+ The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
+ be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
+ by IANA.
+
+charon.spi_max = 0xcfffffff
+ The upper limit for SPIs requested from the kernel for IPsec SAs.
+
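Review bot: The spi_min description repeats its own summary line verbatim as the first sentence of the long description, which is redundant in the generated documentation; the long text should begin directly with the constraint, `Should not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.`. The spi_max entry documents no constraint at all, although the two values only make sense as a range; a sentence such as `Must not be lower than **charon.spi_min**.` would match the style used for port_nat_t above. The ordering here (spi_min before spi_max) differs from the .conf template in this commit, which lists spi_max first.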
charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.