Diffstat (limited to 'conf/options')
-rw-r--r--conf/options/charon.conf13
-rw-r--r--conf/options/charon.opt32
2 files changed, 45 insertions, 0 deletions
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 0bec9bb0a..bd8e29940 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -58,6 +58,10 @@ charon {
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
@@ -116,6 +120,9 @@ charon {
# Determine plugins to load via each plugin's load option.
# load_modular = no
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
# Maximum packet size accepted by charon.
# max_packet = 10000
@@ -197,6 +204,12 @@ charon {
# Send strongSwan vendor ID payload
# send_vendor_id = no
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
# Number of worker threads in charon.
# threads = 16
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.
+charon.ignore_acquire_ts = no
+ Whether to ignore the traffic selectors from the kernel's acquire events for
+ IKEv2 connections (they are not used for IKEv1).
+
+ If this is disabled the traffic selectors from the kernel's acquire events,
+ which are derived from the triggering packet, are prepended to the traffic
+ selectors from the configuration for IKEv2 connection. By enabling this,
+ such specific traffic selectors will be ignored and only the ones in the
+ config will be sent. This always happens for IKEv1 connections as the
+ protocol only supports one set of traffic selectors per CHILD_SA.
+
charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.
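Review bot: The long description of `charon.ignore_acquire_ts` has a number-agreement slip on the line `selectors from the configuration for IKEv2 connection. By enabling this,`, which should read `selectors from the configuration for IKEv2 connections. By enabling this,` to match the plural used in the summary line and in the charon.conf hunk. The opening sentence `If this is disabled the traffic selectors ...` would also read more clearly as `If this option is disabled, the traffic selectors ...`. Everything else in the paragraph is consistent with the one-line summary above it.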
@@ -196,6 +207,16 @@ charon.load_modular = no
charon.max_packet = 10000
Maximum packet size accepted by charon.
+charon.make_before_break = no
+ Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+ Initiate IKEv2 reauthentication with a make-before-break instead of a
+ break-before-make scheme. Make-before-break uses overlapping IKE and
+ CHILD_SA during reauthentication by first recreating all new SAs before
+ deleting the old ones. This behavior can be beneficial to avoid connectivity
+ gaps during reauthentication, but requires support for overlapping SAs by
+ the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
charon.multiple_authentication = yes
Enable multiple authentication exchanges (RFC 4739).
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
charon.send_vendor_id = no
Send strongSwan vendor ID payload
+charon.signature_authentication = yes
+ Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+ Whether to enable constraints against IKEv2 signature schemes.
+
+ If enabled, signature schemes configured in _rightauth_, in addition to
+ getting used as constraints against signature schemes employed in the
+ certificate chain, are also used as constraints against the signature scheme
+ used by peers during IKEv2.
+
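Review bot: The description of `charon.signature_authentication_constraints` does not say how it relates to `charon.signature_authentication` directly above it, even though the constraints are described as applying to "the signature scheme used by peers during IKEv2", which reads as depending on RFC 7427 signature authentication being enabled. If that dependency holds, a sentence such as `This option has no effect if signature_authentication is disabled.` after the first paragraph would tell an administrator which of the two switches actually governs the check; if it does not hold, stating that the constraints are enforced regardless would be equally useful. The same one-line summaries are repeated in the charon.conf hunk for the 197/204 range, so whichever clarification is chosen should be reflected there as well.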
charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.