Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/aikpub2.conf7
-rw-r--r--conf/options/aikpub2.opt2
-rw-r--r--conf/options/charon-nm.conf8
-rw-r--r--conf/options/charon-nm.opt3
-rw-r--r--conf/options/charon.conf15
-rw-r--r--conf/options/charon.opt15
6 files changed, 42 insertions, 8 deletions
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
new file mode 100644
index 000000000..fd48f2c7a
--- /dev/null
+++ b/conf/options/aikpub2.conf
@@ -0,0 +1,7 @@
+aikpub2 {
+
+ # Plugins to load in aikpub2 tool.
+ # load =
+
+}
+
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
new file mode 100644
index 000000000..6a755d211
--- /dev/null
+++ b/conf/options/aikpub2.opt
@@ -0,0 +1,2 @@
+aikpub2.load =
+ Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon-nm.conf b/conf/options/charon-nm.conf
new file mode 100644
index 000000000..85d64480d
--- /dev/null
+++ b/conf/options/charon-nm.conf
@@ -0,0 +1,8 @@
+charon-nm {
+
+ # Directory from which to load CA certificates if no certificate is
+ # configured.
+ # ca_dir = <default>
+
+}
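Review bot: The new `ca_dir` entry documents its default only as `<default>`, so an operator reading charon-nm.conf cannot tell which directory is scanned when no certificate is configured, and for a setting that decides which CAs are trusted that is worth spelling out. If the placeholder is substituted at build time from a configured path, say so in the comment, e.g. `# ca_dir = <default>` preceded by `# (default: the CA certificate directory configured at build time, e.g. <ca-dir-placeholder>)`; if it is not substituted, state the literal path. The same wording would then carry over to the charon-nm.opt entry at line 56.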
+
diff --git a/conf/options/charon-nm.opt b/conf/options/charon-nm.opt
new file mode 100644
index 000000000..6372934bd
--- /dev/null
+++ b/conf/options/charon-nm.opt
@@ -0,0 +1,3 @@
+charon-nm.ca_dir = <default>
+ Directory from which to load CA certificates if no certificate is
+ configured.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 78411250e..f72041e6a 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -7,6 +7,12 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
+ # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ # be saved under a unique file name derived from the public key of the
+ # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes
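Review bot: "Certicate" in the first line of the new `cache_crls` comment is a typo for "Certificate"; the same misspelling is in the matching charon.opt entry at line 97, and since the .conf text appears to be generated from the .opt text both should be fixed at the source: `# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should`. It may also help operators to note that enabling this writes into /etc/ipsec.d/crls or /etc/swanctl/x509crl, so those directories presumably need to be writable by the user/group the daemon runs as after startup (see the `group` option further down in this file); confirm against the CRL fetching code before adding that sentence.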
@@ -51,10 +57,11 @@ charon {
# follow_redirects = yes
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- # address family specific default values). If specified this limit is
- # used for both IPv4 and IPv6.
- # fragment_size = 0
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
# Name of the group the daemon changes to after startup.
# group =
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 3970012d2..6e0b37c57 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -30,6 +30,12 @@ charon.cert_cache = yes
Whether relations in validated certificate chains should be cached in
memory.
+charon.cache_crls = no
+ Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ be saved under a unique file name derived from the public key of the
+ Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+ **/etc/swanctl/x509crl** (vici), respectively.
+
charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).
@@ -100,11 +106,12 @@ charon.flush_auth_cfg = no
charon.follow_redirects = yes
Whether to follow IKEv2 redirects (RFC 5685).
-charon.fragment_size = 0
+charon.fragment_size = 1280
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- address family specific default values). If specified this limit is used
- for both IPv4 and IPv6.
+ when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ to 1280 (use 0 for address family specific default values, which uses a
+ lower value for IPv4). If specified this limit is used for both IPv4 and
+ IPv6.
charon.group
Name of the group the daemon changes to after startup.