Diffstat (limited to 'conf/plugins')
120 files changed, 1967 insertions, 0 deletions
diff --git a/conf/plugins/android_log.conf b/conf/plugins/android_log.conf
new file mode 100644
index 000000000..4d87eed85
--- /dev/null
+++ b/conf/plugins/android_log.conf
@@ -0,0 +1,11 @@
+android_log {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to Android specific logger.
+ # loglevel = 1
+
+}
+
diff --git a/conf/plugins/android_log.opt b/conf/plugins/android_log.opt
new file mode 100644
index 000000000..801b8bf19
--- /dev/null
+++ b/conf/plugins/android_log.opt
@@ -0,0 +1,2 @@
+charon.plugins.android_log.loglevel = 1
+ Loglevel for logging to Android specific logger.
diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf
new file mode 100644
index 000000000..24d4e809d
--- /dev/null
+++ b/conf/plugins/attr-sql.conf
@@ -0,0 +1,16 @@
+attr-sql {
+
+ # Database URI for attr-sql plugin used by charon. If it contains a
+ # password, make sure to adjust the permissions of the config file
+ # accordingly.
+ # database =
+
+ # Enable logging of SQL IP pool leases.
+ # lease_history = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
new file mode 100644
index 000000000..abd749e3e
--- /dev/null
+++ b/conf/plugins/attr-sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.attr-sql.database
+ Database URI for attr-sql plugin used by charon. If it contains a password,
+ make sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.attr-sql.lease_history = yes
+ Enable logging of SQL IP pool leases.
diff --git a/conf/plugins/attr.conf b/conf/plugins/attr.conf
new file mode 100644
index 000000000..7a3645b79
--- /dev/null
+++ b/conf/plugins/attr.conf
@@ -0,0 +1,14 @@
+# Section to specify arbitrary attributes that are assigned to a peer via
+# configuration payload (CP).
+attr {
+
+ # <attr> is an attribute name or an integer, values can be an IP address,
+ # subnet or arbitrary value.
+ # <attr> =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/attr.opt b/conf/plugins/attr.opt
new file mode 100644
index 000000000..f3c187c7b
--- /dev/null
+++ b/conf/plugins/attr.opt
@@ -0,0 +1,14 @@
+charon.plugins.attr {}
+ Section to specify arbitrary attributes that are assigned to a peer via
+ configuration payload (CP).
+
+charon.plugins.attr.<attr>
+ <attr> is an attribute name or an integer, values can be an IP address,
+ subnet or arbitrary value.
+
+ **<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
+ _subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
+ attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
+ CIDR notation or an arbitrary value depending on the attribute type. For
+ some attribute types multiple values may be specified as a comma separated
+ list.
diff --git a/conf/plugins/certexpire.conf b/conf/plugins/certexpire.conf
new file mode 100644
index 000000000..543848c15
--- /dev/null
+++ b/conf/plugins/certexpire.conf
@@ -0,0 +1,38 @@
+certexpire {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ csv {
+
+ # Cron style string specifying CSV export times.
+ # cron =
+
+ # String to use in empty intermediate CA fields.
+ # empty_string =
+
+ # Use a fixed intermediate CA field count.
+ # fixed_fields = yes
+
+ # Force export of all trustchains we have a private key for.
+ # force = yes
+
+ # strftime(3) format string to export expiration dates as.
+ # format = %d:%m:%Y
+
+ # strftime(3) format string for the CSV file name to export local
+ # certificates to.
+ # local =
+
+ # strftime(3) format string for the CSV file name to export remote
+ # certificates to.
+ # remote =
+
+ # CSV field separator.
+ # separator = ,
+
+ }
+
+}
+
diff --git a/conf/plugins/certexpire.opt b/conf/plugins/certexpire.opt
new file mode 100644
index 000000000..7c165383a
--- /dev/null
+++ b/conf/plugins/certexpire.opt
@@ -0,0 +1,25 @@
+charon.plugins.certexpire.csv.cron
+ Cron style string specifying CSV export times.
+
+charon.plugins.certexpire.csv.empty_string =
+ String to use in empty intermediate CA fields.
+
+charon.plugins.certexpire.csv.fixed_fields = yes
+ Use a fixed intermediate CA field count.
+
+charon.plugins.certexpire.csv.force = yes
+ Force export of all trustchains we have a private key for.
+
+charon.plugins.certexpire.csv.format = %d:%m:%Y
+ **strftime**(3) format string to export expiration dates as.
+
+charon.plugins.certexpire.csv.local
+ **strftime**(3) format string for the CSV file name to export local
+ certificates to.
+
+charon.plugins.certexpire.csv.remote
+ **strftime**(3) format string for the CSV file name to export remote
+ certificates to.
+
+charon.plugins.certexpire.csv.separator = ,
+ CSV field separator.
diff --git a/conf/plugins/coupling.conf b/conf/plugins/coupling.conf
new file mode 100644
index 000000000..a5c3d7868
--- /dev/null
+++ b/conf/plugins/coupling.conf
@@ -0,0 +1,17 @@
+coupling {
+
+ # File to store coupling list to.
+ # file =
+
+ # Hashing algorithm to fingerprint coupled certificates.
+ # hash = sha1
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of coupling entries to create.
+ # max = 1
+
+}
+
diff --git a/conf/plugins/coupling.opt b/conf/plugins/coupling.opt
new file mode 100644
index 000000000..179579d47
--- /dev/null
+++ b/conf/plugins/coupling.opt
@@ -0,0 +1,8 @@
+charon.plugins.coupling.file
+ File to store coupling list to.
+
+charon.plugins.coupling.hash = sha1
+ Hashing algorithm to fingerprint coupled certificates.
+
+charon.plugins.coupling.max = 1
+ Maximum number of coupling entries to create.
diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf
new file mode 100644
index 000000000..b0e8c84c8
--- /dev/null
+++ b/conf/plugins/dhcp.conf
@@ -0,0 +1,20 @@
+dhcp {
+
+ # Always use the configured server address.
+ # force_server_address = no
+
+ # Derive user-defined MAC address from hash of IKE identity.
+ # identity_lease = no
+
+ # Interface name the plugin uses for address allocation.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DHCP server unicast or broadcast IP address.
+ # server = 255.255.255.255
+
+}
+
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
new file mode 100644
index 000000000..9c7b86091
--- /dev/null
+++ b/conf/plugins/dhcp.opt
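Review bot: `charon.plugins.coupling.hash = sha1` in coupling.opt is documented only as "Hashing algorithm to fingerprint coupled certificates" and does not say which algorithms are accepted, so an operator cannot tell from the generated coupling.conf whether a stronger choice such as sha256 (the value imv-attestation.opt uses for its own hash_algorithm default elsewhere in this diff) is available. Because the fingerprint is presumably what a certificate is later matched against in the coupling file, a SHA-1 default is worth an explicit remark rather than silence. I would extend the description to `Hashing algorithm to fingerprint coupled certificates. Any hash algorithm registered with the daemon may be named (e.g. sha256); sha1 is the default.` with the "any registered algorithm" part confirmed by the plugin author before it is committed.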
@@ -0,0 +1,22 @@
+charon.plugins.dhcp.force_server_address = no
+ Always use the configured server address.
+
+ Always use the configured server address. This might be helpful if the DHCP
+ server runs on the same host as strongSwan, and the DHCP daemon does not
+ listen on the loopback interface. In that case the server cannot be reached
+ via unicast (or even 255.255.255.255) as that would be routed via loopback.
+ Setting this option to yes and configuring the local broadcast address (e.g.
+ 192.168.0.255) as server address might work.
+
+charon.plugins.dhcp.identity_lease = no
+ Derive user-defined MAC address from hash of IKE identity.
+
+charon.plugins.dhcp.server = 255.255.255.255
+ DHCP server unicast or broadcast IP address.
+
+charon.plugins.dhcp.interface
+ Interface name the plugin uses for address allocation.
+
+ Interface name the plugin uses for address allocation. The default is to
+ bind to any (0.0.0.0) and let the system decide which way to route the
+ packets to the DHCP server.
diff --git a/conf/plugins/dnscert.conf b/conf/plugins/dnscert.conf
new file mode 100644
index 000000000..c29b6ed43
--- /dev/null
+++ b/conf/plugins/dnscert.conf
@@ -0,0 +1,11 @@
+dnscert {
+
+ # Enable fetching of CERT RRs via DNS.
+ # enable = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/dnscert.opt b/conf/plugins/dnscert.opt
new file mode 100644
index 000000000..fd5a8d819
--- /dev/null
+++ b/conf/plugins/dnscert.opt
@@ -0,0 +1,2 @@
+charon.plugins.dnscert.enable = no
+ Enable fetching of CERT RRs via DNS.
diff --git a/conf/plugins/duplicheck.conf b/conf/plugins/duplicheck.conf
new file mode 100644
index 000000000..212fe404d
--- /dev/null
+++ b/conf/plugins/duplicheck.conf
@@ -0,0 +1,14 @@
+duplicheck {
+
+ # Enable duplicheck plugin (if loaded).
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the duplicheck plugin.
+ # socket = unix://${piddir}/charon.dck
+
+}
+
diff --git a/conf/plugins/duplicheck.opt b/conf/plugins/duplicheck.opt
new file mode 100644
index 000000000..ff54fe3a8
--- /dev/null
+++ b/conf/plugins/duplicheck.opt
@@ -0,0 +1,5 @@
+charon.plugins.duplicheck.enable = yes
+ Enable duplicheck plugin (if loaded).
+
+charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
+ Socket provided by the duplicheck plugin.
diff --git a/conf/plugins/eap-aka-3ggp2.conf b/conf/plugins/eap-aka-3ggp2.conf
new file mode 100644
index 000000000..c52c99609
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.conf
@@ -0,0 +1,10 @@
+eap-aka-3ggp2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # seq_check =
+
+}
+
diff --git a/conf/plugins/eap-aka-3ggp2.opt b/conf/plugins/eap-aka-3ggp2.opt
new file mode 100644
index 000000000..9e2a42b3f
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka-3ggp2.seq_check =
diff --git a/conf/plugins/eap-aka.conf b/conf/plugins/eap-aka.conf
new file mode 100644
index 000000000..278f1d677
--- /dev/null
+++ b/conf/plugins/eap-aka.conf
@@ -0,0 +1,10 @@
+eap-aka {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # request_identity = yes
+
+}
+
diff --git a/conf/plugins/eap-aka.opt b/conf/plugins/eap-aka.opt
new file mode 100644
index 000000000..e8d166db9
--- /dev/null
+++ b/conf/plugins/eap-aka.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka.request_identity = yes
diff --git a/conf/plugins/eap-dynamic.conf b/conf/plugins/eap-dynamic.conf
new file mode 100644
index 000000000..7b738b1b2
--- /dev/null
+++ b/conf/plugins/eap-dynamic.conf
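Review bot: `charon.plugins.eap-aka-3ggp2.seq_check =` in eap-aka-3ggp2.opt carries neither a default nor a description, so the generated eap-aka-3ggp2.conf shows a bare `# seq_check =` with no hint of what the option controls or what happens when it is left unset. The same gap exists in eap-aka.opt and eap-sim.opt (`request_identity = yes`), in eap-simaka-sql.opt (`database`, `remove_used`) and in every ha.opt entry except `autobalance`. Each of these needs at least the one-line summary the other .opt files carry, in the same indented form; for eap-simaka-sql.database that is presumably the attr-sql wording, `Database URI for the eap-simaka-sql plugin. If it contains a password, make sure to adjust the permissions of the config file accordingly.`, while the meaning of seq_check and remove_used has to come from the plugin authors rather than be guessed here.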
@@ -0,0 +1,14 @@
+eap-dynamic {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Prefer peer's proposed EAP methods.
+ # prefer_user = no
+
+ # The preferred EAP method(s) to be used.
+ # preferred =
+
+}
+
diff --git a/conf/plugins/eap-dynamic.opt b/conf/plugins/eap-dynamic.opt
new file mode 100644
index 000000000..2d50a0aab
--- /dev/null
+++ b/conf/plugins/eap-dynamic.opt
@@ -0,0 +1,13 @@
+charon.plugins.eap-dynamic.preferred =
+ The preferred EAP method(s) to be used.
+
+ The preferred EAP method(s) to be used. If it is not given the first
+ registered method will be used initially. If a comma separated list is
+ given the methods are tried in the given order before trying the rest of
+ the registered methods.
+
+charon.plugins.eap-dynamic.prefer_user = no
+ Prefer peer's proposed EAP methods.
+
+ If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
+ are preferred over the methods registered locally.
diff --git a/conf/plugins/eap-gtc.conf b/conf/plugins/eap-gtc.conf
new file mode 100644
index 000000000..4760f3fc8
--- /dev/null
+++ b/conf/plugins/eap-gtc.conf
@@ -0,0 +1,11 @@
+eap-gtc {
+
+ # XAuth backend to be used for credential verification.
+ # backend = pam
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/eap-gtc.opt b/conf/plugins/eap-gtc.opt
new file mode 100644
index 000000000..3fe8b7d68
--- /dev/null
+++ b/conf/plugins/eap-gtc.opt
@@ -0,0 +1,2 @@
+charon.plugins.eap-gtc.backend = pam
+ XAuth backend to be used for credential verification.
diff --git a/conf/plugins/eap-peap.conf b/conf/plugins/eap-peap.conf
new file mode 100644
index 000000000..600e16426
--- /dev/null
+++ b/conf/plugins/eap-peap.conf
@@ -0,0 +1,30 @@
+eap-peap {
+
+ # Maximum size of an EAP-PEAP packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-PEAP packets.
+ # include_length = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-PEAP packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = mschapv2
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt
new file mode 100644
index 000000000..6fe88606d
--- /dev/null
+++ b/conf/plugins/eap-peap.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-peap.fragment_size = 1024
+ Maximum size of an EAP-PEAP packet.
+
+charon.plugins.eap-peap.max_message_count = 32
+ Maximum number of processed EAP-PEAP packets (0 = no limit).
+
+charon.plugins.eap-peap.include_length = no
+ Include length in non-fragmented EAP-PEAP packets.
+
+charon.plugins.eap-peap.phase2_method = mschapv2
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-peap.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-peap.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-peap.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf
new file mode 100644
index 000000000..53023b81e
--- /dev/null
+++ b/conf/plugins/eap-radius.conf
@@ -0,0 +1,86 @@
+eap-radius {
+
+ # Send RADIUS accounting information to RADIUS servers.
+ # accounting = no
+
+ # If enabled, accounting is disabled unless an IKE_SA has at least one
+ # virtual IP.
+ # accounting_requires_vip = no
+
+ # Use class attributes in RADIUS-Accept messages as group membership
+ # information.
+ # class_group = no
+
+ # Closes all IKE_SAs if communication with the RADIUS server times out. If
+ # it is not set only the current IKE_SA is closed.
+ # close_all_on_timeout = no
+
+ # Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+ # eap_start = no
+
+ # Use filter_id attribute as group membership information.
+ # filter_id = no
+
+ # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ # EAP method.
+ # id_prefix =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # NAS-Identifier to include in RADIUS messages.
+ # nas_identifier = strongSwan
+
+ # Port of RADIUS server (authentication).
+ # port = 1812
+
+ # Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ # permissions of the config file accordingly.
+ # secret =
+
+ # IP/Hostname of RADIUS server.
+ # server =
+
+ # Number of sockets (ports) to use, increase for high load.
+ # sockets = 1
+
+ dae {
+
+ # Enables support for the Dynamic Authorization Extension (RFC 5176).
+ # enable = no
+
+ # Address to listen for DAE messages from the RADIUS server.
+ # listen = 0.0.0.0
+
+ # Port to listen for DAE requests.
+ # port = 3799
+
+ # Shared secret used to verify/sign DAE messages. If set, make sure to
+ # adjust the permissions of the config file accordingly.
+ # secret =
+
+ }
+
+ forward {
+
+ # RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+ # ike_to_radius =
+
+ # Same as ike_to_radius but from RADIUS to IKEv2.
+ # radius_to_ike =
+
+ }
+
+ # Section to specify multiple RADIUS servers.
+ servers {
+
+ }
+
+ # Section to configure multiple XAuth authentication rounds via RADIUS.
+ xauth {
+
+ }
+
+}
+
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
new file mode 100644
index 000000000..0edd3458c
--- /dev/null
+++ b/conf/plugins/eap-radius.opt
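Review bot: `# listen = 0.0.0.0` in the dae subsection of eap-radius.conf is described only as "Address to listen for DAE messages from the RADIUS server", which does not tell an operator that the default appears to accept DAE traffic on every interface once `dae.enable` is switched to yes, nor that `dae.secret` (described a few lines below as the key that verifies/signs those messages) is what stands between that listener and anyone who can reach port 3799. I would make the description carry both facts: `Address to listen for DAE messages from the RADIUS server. The default binds all interfaces; restrict it to the address the RADIUS server reaches and always configure dae.secret when enabling DAE.` The same wording belongs on charon.plugins.eap-radius.dae.listen in eap-radius.opt, since that file is where the .conf text is generated from.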
@@ -0,0 +1,105 @@
+charon.plugins.eap-radius.accounting = no
+ Send RADIUS accounting information to RADIUS servers.
+
+charon.plugins.eap-radius.accounting_requires_vip = no
+ If enabled, accounting is disabled unless an IKE_SA has at least one
+ virtual IP.
+
+charon.plugins.eap-radius.class_group = no
+ Use class attributes in RADIUS-Accept messages as group membership
+ information.
+
+ Use the _class_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.close_all_on_timeout = no
+ Closes all IKE_SAs if communication with the RADIUS server times out. If it
+ is not set only the current IKE_SA is closed.
+
+charon.plugins.eap-radius.dae.enable = no
+ Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+charon.plugins.eap-radius.dae.listen = 0.0.0.0
+ Address to listen for DAE messages from the RADIUS server.
+
+charon.plugins.eap-radius.dae.port = 3799
+ Port to listen for DAE requests.
+
+charon.plugins.eap-radius.dae.secret
+ Shared secret used to verify/sign DAE messages. If set, make sure to adjust
+ the permissions of the config file accordingly.
+
+charon.plugins.eap-radius.eap_start = no
+ Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+
+charon.plugins.eap-radius.filter_id = no
+ Use filter_id attribute as group membership information.
+
+ If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
+ the _filter_id_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.forward.ike_to_radius
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+ name or attribute number, a colon can be used to specify vendor-specific
+ attributes, e.g. Reply-Message, or 11, or 36906:12).
+
+charon.plugins.eap-radius.forward.radius_to_ike =
+ Same as ike_to_radius but from RADIUS to IKEv2.
+
+ Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
+ IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+ attributes.
+
+charon.plugins.eap-radius.id_prefix
+ Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ EAP method.
+
+charon.plugins.eap-radius.nas_identifier = strongSwan
+ NAS-Identifier to include in RADIUS messages.
+
+charon.plugins.eap-radius.port = 1812
+ Port of RADIUS server (authentication).
+
+charon.plugins.eap-radius.secret =
+ Shared secret between RADIUS and NAS. If set, make sure to adjust the
+ permissions of the config file accordingly.
+
+charon.plugins.eap-radius.server =
+ IP/Hostname of RADIUS server.
+
+charon.plugins.eap-radius.servers {}
+ Section to specify multiple RADIUS servers.
+
+ Section to specify multiple RADIUS servers. The **nas_identifier**,
+ **secret**, **sockets** and **port** (or **auth_port**) options can be
+ specified for each server. A server's IP/Hostname can be configured using
+ the **address** option. The **acct_port** [1813] option can be used to
+ specify the port used for RADIUS accounting. For each RADIUS server a
+ priority can be specified using the **preference** [0] option.
+
+charon.plugins.eap-radius.sockets = 1
+ Number of sockets (ports) to use, increase for high load.
+
+charon.plugins.eap-radius.xauth {}
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+ The subsections define so called authentication profiles with arbitrary
+ names. In each profile section one or more XAuth types can be configured,
+ with an assigned message. For each type a separate XAuth exchange will be
+ initiated and all replies get concatenated into the User-Password attribute,
+ which then gets verified over RADIUS.
+
+ Available XAuth types are **password**, **passcode**, **nextpin**, and
+ **answer**. This type is not relevant to strongSwan or the AAA server, but
+ the client may show a different dialog (along with the configured message).
+
+ To use the configured profiles, they have to be configured in the respective
+ connection in **ipsec.conf**(5) by appending the profile name, separated by
+ a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
+ or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
diff --git a/conf/plugins/eap-sim.conf b/conf/plugins/eap-sim.conf
new file mode 100644
index 000000000..96ec2e02c
--- /dev/null
+++ b/conf/plugins/eap-sim.conf
@@ -0,0 +1,10 @@
+eap-sim {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # request_identity = yes
+
+}
+
diff --git a/conf/plugins/eap-sim.opt b/conf/plugins/eap-sim.opt
new file mode 100644
index 000000000..052454c0e
--- /dev/null
+++ b/conf/plugins/eap-sim.opt
@@ -0,0 +1 @@
+charon.plugins.eap-sim.request_identity = yes
diff --git a/conf/plugins/eap-simaka-sql.conf b/conf/plugins/eap-simaka-sql.conf
new file mode 100644
index 000000000..1574a5a85
--- /dev/null
+++ b/conf/plugins/eap-simaka-sql.conf
@@ -0,0 +1,12 @@
+eap-simaka-sql {
+
+ # database =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # remove_used = no
+
+}
+
diff --git a/conf/plugins/eap-simaka-sql.opt b/conf/plugins/eap-simaka-sql.opt
new file mode 100644
index 000000000..6b87a7e94
--- /dev/null
+++ b/conf/plugins/eap-simaka-sql.opt
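Review bot: Options with an empty default are written two different ways in eap-radius.opt: `charon.plugins.eap-radius.secret =`, `charon.plugins.eap-radius.server =` and `forward.radius_to_ike =` carry a trailing `=`, while `dae.secret`, `id_prefix` and `forward.ike_to_radius` have none, even though the generated eap-radius.conf renders all six identically as `# key =`. The same mix shows up across files in this diff (attr-sql.opt `database` bare, certexpire.opt `csv.empty_string =`, dhcp.opt `interface` bare, ha.opt `local =`). Settling on one form, presumably the bare key for "no default" and `key =` only where the empty string is a deliberate default, would make the .opt files checkable mechanically and would let the generated comments distinguish the two cases.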
@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no
diff --git a/conf/plugins/eap-tls.conf b/conf/plugins/eap-tls.conf
new file mode 100644
index 000000000..e3ce7ded7
--- /dev/null
+++ b/conf/plugins/eap-tls.conf
@@ -0,0 +1,17 @@
+eap-tls {
+
+ # Maximum size of an EAP-TLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TLS packets (0 = no limit).
+ # max_message_count = 32
+
+}
+
diff --git a/conf/plugins/eap-tls.opt b/conf/plugins/eap-tls.opt
new file mode 100644
index 000000000..e7b96523a
--- /dev/null
+++ b/conf/plugins/eap-tls.opt
@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+ Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+ Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+ Include length in non-fragmented EAP-TLS packets.
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
new file mode 100644
index 000000000..aca72f1ed
--- /dev/null
+++ b/conf/plugins/eap-tnc.conf
@@ -0,0 +1,15 @@
+eap-tnc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TNC packets (0 = no limit).
+ # max_message_count = 10
+
+ # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
+ # tnccs-dynamic).
+ # protocol = tnccs-1.1
+
+}
+
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
new file mode 100644
index 000000000..8e060ceda
--- /dev/null
+++ b/conf/plugins/eap-tnc.opt
@@ -0,0 +1,6 @@
+charon.plugins.eap-tnc.max_message_count = 10
+ Maximum number of processed EAP-TNC packets (0 = no limit).
+
+charon.plugins.eap-tnc.protocol = tnccs-1.1
+ IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
+ _tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf
new file mode 100644
index 000000000..5229625e0
--- /dev/null
+++ b/conf/plugins/eap-ttls.conf
@@ -0,0 +1,30 @@
+eap-ttls {
+
+ # Maximum size of an EAP-TTLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TTLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TTLS packets (0 = no limit).
+ # max_message_count = 32
+
+ # Phase2 EAP client authentication method.
+ # phase2_method = md5
+
+ # Phase2 EAP Identity request piggybacked by server onto TLS Finished
+ # message.
+ # phase2_piggyback = no
+
+ # Start phase2 EAP TNC protocol after successful client authentication.
+ # phase2_tnc = no
+
+ # Request peer authentication based on a client certificate.
+ # request_peer_auth = no
+
+}
+
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
new file mode 100644
index 000000000..21a6cb674
--- /dev/null
+++ b/conf/plugins/eap-ttls.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-ttls.fragment_size = 1024
+ Maximum size of an EAP-TTLS packet.
+
+charon.plugins.eap-ttls.max_message_count = 32
+ Maximum number of processed EAP-TTLS packets (0 = no limit).
+
+charon.plugins.eap-ttls.include_length = yes
+ Include length in non-fragmented EAP-TTLS packets.
+
+charon.plugins.eap-ttls.phase2_method = md5
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-ttls.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-ttls.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-ttls.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/error-notify.conf b/conf/plugins/error-notify.conf
new file mode 100644
index 000000000..5915a0971
--- /dev/null
+++ b/conf/plugins/error-notify.conf
@@ -0,0 +1,11 @@
+error-notify {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the error-notify plugin.
+ # socket = unix://${piddir}/charon.enfy
+
+}
+
diff --git a/conf/plugins/error-notify.opt b/conf/plugins/error-notify.opt
new file mode 100644
index 000000000..44ea0551e
--- /dev/null
+++ b/conf/plugins/error-notify.opt
@@ -0,0 +1,2 @@
+charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy
+ Socket provided by the error-notify plugin.
diff --git a/conf/plugins/gcrypt.conf b/conf/plugins/gcrypt.conf
new file mode 100644
index 000000000..fce2c7a6e
--- /dev/null
+++ b/conf/plugins/gcrypt.conf
@@ -0,0 +1,11 @@
+gcrypt {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Use faster random numbers in gcrypt; for testing only, produces weak keys!
+ # quick_random = no
+
+}
+
diff --git a/conf/plugins/gcrypt.opt b/conf/plugins/gcrypt.opt
new file mode 100644
index 000000000..c6b0505d7
--- /dev/null
+++ b/conf/plugins/gcrypt.opt
@@ -0,0 +1,2 @@
+charon.plugins.gcrypt.quick_random = no
+ Use faster random numbers in gcrypt; for testing only, produces weak keys!
diff --git a/conf/plugins/ha.conf b/conf/plugins/ha.conf
new file mode 100644
index 000000000..e8b2fa48d
--- /dev/null
+++ b/conf/plugins/ha.conf
@@ -0,0 +1,32 @@
+ha {
+
+ # Interval in seconds to automatically balance handled segments between
+ # nodes. Set to 0 to disable.
+ # autobalance = 0
+
+ # fifo_interface = yes
+
+ # heartbeat_delay = 1000
+
+ # heartbeat_timeout = 2100
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # local =
+
+ # monitor = yes
+
+ # pools =
+
+ # remote =
+
+ # resync = yes
+
+ # secret =
+
+ # segment_count = 1
+
+}
+
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt
new file mode 100644
index 000000000..77d5b7888
--- /dev/null
+++ b/conf/plugins/ha.opt
@@ -0,0 +1,23 @@
+charon.plugins.ha.autobalance = 0
+ Interval in seconds to automatically balance handled segments between nodes.
+ Set to 0 to disable.
+
+charon.plugins.ha.fifo_interface = yes
+
+charon.plugins.ha.heartbeat_delay = 1000
+
+charon.plugins.ha.heartbeat_timeout = 2100
+
+charon.plugins.ha.local =
+
+charon.plugins.ha.monitor = yes
+
+charon.plugins.ha.pools =
+
+charon.plugins.ha.remote =
+
+charon.plugins.ha.resync = yes
+
+charon.plugins.ha.secret =
+
+charon.plugins.ha.segment_count = 1
diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf
new file mode 100644
index 000000000..ffb1b45a3
--- /dev/null
+++ b/conf/plugins/imc-attestation.conf
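Review bot: `charon.plugins.ha.secret =` in ha.opt is the one `secret` option in this diff with no description, so the generated ha.conf prints a bare `# secret =` without saying what the value protects and without the "adjust the permissions of the config file" reminder that eap-radius.secret and eap-radius.dae.secret both carry. Presumably it is the key shared between the HA nodes named by `local` and `remote` (also undocumented), in which case the entry should read, mirroring the eap-radius wording, `Shared secret used by the HA nodes to authenticate each other's messages. If set, make sure to adjust the permissions of the config file accordingly.` — the first sentence is my inference and needs confirmation from the plugin author. Whatever the exact semantics, the permissions note should not be dropped for this secret only.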
@@ -0,0 +1,26 @@
+imc-attestation {
+
+ # AIK encrypted private key blob file.
+ # aik_blob =
+
+ # AIK certificate file.
+ # aik_cert =
+
+ # AIK public key file.
+ # aik_key =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # DH nonce length.
+ # nonce_len = 20
+
+ # Whether to send pcr_before and pcr_after info.
+ # pcr_info = yes
+
+ # Use Quote2 AIK signature instead of Quote signature.
+ # use_quote2 = yes
+
+}
+
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
new file mode 100644
index 000000000..9c108053b
--- /dev/null
+++ b/conf/plugins/imc-attestation.opt
@@ -0,0 +1,17 @@
+charon.plugins.imc-attestation.aik_blob =
+ AIK encrypted private key blob file.
+
+charon.plugins.imc-attestation.aik_cert =
+ AIK certificate file.
+
+charon.plugins.imc-attestation.aik_key =
+ AIK public key file.
+
+charon.plugins.imc-attestation.nonce_len = 20
+ DH nonce length.
+
+charon.plugins.imc-attestation.use_quote2 = yes
+ Use Quote2 AIK signature instead of Quote signature.
+
+charon.plugins.imc-attestation.pcr_info = yes
+ Whether to send pcr_before and pcr_after info.
\ No newline at end of file
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
new file mode 100644
index 000000000..1d245d3f3
--- /dev/null
+++ b/conf/plugins/imc-os.conf
@@ -0,0 +1,11 @@
+imc-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send operating system info without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
new file mode 100644
index 000000000..2a6333f93
--- /dev/null
+++ b/conf/plugins/imc-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-os.push_info = yes
+ Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
new file mode 100644
index 000000000..7f2f53106
--- /dev/null
+++ b/conf/plugins/imc-scanner.conf
@@ -0,0 +1,11 @@
+imc-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send open listening ports without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
new file mode 100644
index 000000000..84e6dfa2f
--- /dev/null
+++ b/conf/plugins/imc-scanner.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-scanner.push_info = yes
+ Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
new file mode 100644
index 000000000..8b3317163
--- /dev/null
+++ b/conf/plugins/imc-swid.conf
@@ -0,0 +1,11 @@
+imc-swid {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Directory where SWID tags are located.
+ # swid_directory = ${prefix}/share
+
+}
+
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
new file mode 100644
index 000000000..67f7c79c4
--- /dev/null
+++ b/conf/plugins/imc-swid.opt
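Review bot: imc-attestation.opt is the only file in this diff that ends without a newline (`\ No newline at end of file` follows the pcr_info description), while every other .opt file here terminates its last line. Besides the diff noise the next edit to that file will produce, a generator that concatenates or appends to these files line-wise may glue the following entry onto `Whether to send pcr_before and pcr_after info.`; adding the final newline removes both problems.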
@@ -0,0 +1,2 @@ +charon.plugins.imc-swid.swid_directory = ${prefix}/share + Directory where SWID tags are located. diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf new file mode 100644 index 000000000..0d66e3d0c --- /dev/null +++ b/conf/plugins/imc-test.conf @@ -0,0 +1,23 @@ +imc-test { + + # Number of additional IMC IDs. + # additional_ids = 0 + + # Command to be sent to the Test IMV. + # command = none + + # Size of dummy attribute to be sent to the Test IMV (0 = disabled). + # dummy_size = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Do a handshake retry. + # retry = no + + # Command to be sent to the Test IMV in the handshake retry. + # retry_command = + +} + diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt new file mode 100644 index 000000000..c3169b5af --- /dev/null +++ b/conf/plugins/imc-test.opt @@ -0,0 +1,14 @@ +charon.plugins.imc-test.additional_ids = 0 + Number of additional IMC IDs. + +charon.plugins.imc-test.command = none + Command to be sent to the Test IMV. + +charon.plugins.imc-test.dummy_size = 0 + Size of dummy attribute to be sent to the Test IMV (0 = disabled). + +charon.plugins.imc-test.retry = no + Do a handshake retry. + +charon.plugins.imc-test.retry_command = + Command to be sent to the Test IMV in the handshake retry. diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf new file mode 100644 index 000000000..48ffba839 --- /dev/null +++ b/conf/plugins/imv-attestation.conf 
@@ -0,0 +1,42 @@ +imc-attestation { + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_meas = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_meas = + +} + +imv-attestation { + + # Path to directory with AIK cacerts. + # cadir = + + # Preferred Diffie-Hellman group. + # dh_group = ecp256 + + # Preferred measurement hash algorithm. + # hash_algorithm = sha256 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DH minimum nonce length. + # min_nonce_len = 0 + +} + diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt new file mode 100644 index 000000000..c0ae20488 --- /dev/null +++ b/conf/plugins/imv-attestation.opt @@ -0,0 +1,29 @@ +charon.plugins.imv-attestation.cadir = + Path to directory with AIK cacerts. + +charon.plugins.imv-attestation.dh_group = ecp256 + Preferred Diffie-Hellman group. + +charon.plugins.imv-attestation.hash_algorithm = sha256 + Preferred measurement hash algorithm. + +charon.plugins.imv-attestation.min_nonce_len = 0 + DH minimum nonce length. + +charon.plugins.imc-attestation.pcr17_after + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr17_before + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr17_meas + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_after + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_before + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_meas + Dummy data if the TBOOT log is not retrieved. 
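Review bot: imv-attestation.conf defines an `imc-attestation { }` section (the six pcr17/pcr18 `Dummy data` keys) alongside `imv-attestation { }`, so the `imc-attestation` section now exists in two files of this commit (imc-attestation.conf at the start of this chunk defines it too); the pcr keys belong in imc-attestation.opt/.conf, or imv-attestation.opt should say why they are kept with the verifier. The six identical one-liners `Dummy data if the TBOOT log is not retrieved.` also leave the expected value format unstated — presumably a PCR digest, but the encoding should be confirmed and written down. `min_nonce_len = 0` is described only as `DH minimum nonce length`; since this is the verifier's freshness check on quotes, state explicitly what 0 means, e.g. `DH minimum nonce length in bytes; 0 accepts any length (confirm).`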
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf
new file mode 100644
index 000000000..8f0da3760
--- /dev/null
+++ b/conf/plugins/imv-os.conf
@@ -0,0 +1,11 @@
+imv-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to operating system remediation instructions.
+ # remediation_uri =
+
+}
+
diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt
new file mode 100644
index 000000000..eab926201
--- /dev/null
+++ b/conf/plugins/imv-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-os.remediation_uri =
+ URI pointing to operating system remediation instructions.
diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf
new file mode 100644
index 000000000..25719d0ef
--- /dev/null
+++ b/conf/plugins/imv-scanner.conf
@@ -0,0 +1,11 @@
+imv-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # URI pointing to scanner remediation instructions.
+ # remediation_uri =
+
+}
+
diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt
new file mode 100644
index 000000000..7af87493b
--- /dev/null
+++ b/conf/plugins/imv-scanner.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-scanner.remediation_uri =
+ URI pointing to scanner remediation instructions.
diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf
new file mode 100644
index 000000000..9bd248792
--- /dev/null
+++ b/conf/plugins/imv-test.conf
@@ -0,0 +1,11 @@
+imv-test {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Number of IMC-IMV retry rounds.
+ # rounds = 0
+
+}
+
diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt
new file mode 100644
index 000000000..2cbddc8f6
--- /dev/null
+++ b/conf/plugins/imv-test.opt
@@ -0,0 +1,2 @@
+charon.plugins.imv-test.rounds = 0
+ Number of IMC-IMV retry rounds.
diff --git a/conf/plugins/ipseckey.conf b/conf/plugins/ipseckey.conf
new file mode 100644
index 000000000..f2e5e5877
--- /dev/null
+++ b/conf/plugins/ipseckey.conf
@@ -0,0 +1,11 @@
+ipseckey {
+
+ # Enable fetching of IPSECKEY RRs via DNS.
+ # enable = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/ipseckey.opt b/conf/plugins/ipseckey.opt
new file mode 100644
index 000000000..d4cff26dd
--- /dev/null
+++ b/conf/plugins/ipseckey.opt
@@ -0,0 +1,2 @@
+charon.plugins.ipseckey.enable = no
+ Enable fetching of IPSECKEY RRs via DNS.
diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf
new file mode 100644
index 000000000..10ca30839
--- /dev/null
+++ b/conf/plugins/kernel-klips.conf
@@ -0,0 +1,14 @@
+kernel-klips {
+
+ # Number of ipsecN devices.
+ # ipsec_dev_count = 4
+
+ # Set MTU of ipsecN device.
+ # ipsec_dev_mtu = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
new file mode 100644
index 000000000..ad9806e71
--- /dev/null
+++ b/conf/plugins/kernel-klips.opt
@@ -0,0 +1,5 @@
+charon.plugins.kernel-klips.ipsec_dev_count = 4
+ Number of ipsecN devices.
+
+charon.plugins.kernel-klips.ipsec_dev_mtu = 0
+ Set MTU of ipsecN device.
diff --git a/conf/plugins/kernel-libipsec.conf b/conf/plugins/kernel-libipsec.conf
new file mode 100644
index 000000000..3411be2ff
--- /dev/null
+++ b/conf/plugins/kernel-libipsec.conf
@@ -0,0 +1,11 @@
+kernel-libipsec {
+
+ # Allow that the remote traffic selector equals the IKE peer.
+ # allow_peer_ts = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-libipsec.opt b/conf/plugins/kernel-libipsec.opt
new file mode 100644
index 000000000..e76db63d9
--- /dev/null
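Review bot: `charon.plugins.ipseckey.enable = no` in ipseckey.opt is described only as `Enable fetching of IPSECKEY RRs via DNS.`, but the records fetched are public keys used to authenticate peers, so the description should say what trust is placed in the DNS answer. Presumably the plugin depends on a DNSSEC-validating resolver — unvalidated DNS answers would let anyone who can spoof a response supply the peer key — and an operator reading only this line could enable it with a plain resolver. A second paragraph such as `The IPSECKEY records must be DNSSEC-validated by the resolver in use (confirm which resolver plugin is required); with an unvalidating resolver the fetched keys are not trustworthy.` would make the precondition visible in both the .opt and the generated ipseckey.conf in the same hunk.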
+++ b/conf/plugins/kernel-libipsec.opt @@ -0,0 +1,7 @@ +charon.plugins.kernel-libipsec.allow_peer_ts = no + Allow that the remote traffic selector equals the IKE peer. + + Allow that the remote traffic selector equals the IKE peer. The route + installed for such traffic (via TUN device) usually prevents further IKE + traffic. The fwmark options for the _kernel-netlink_ and _socket-default_ + plugins can be used to circumvent that problem. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf new file mode 100644 index 000000000..670746963 --- /dev/null +++ b/conf/plugins/kernel-netlink.conf @@ -0,0 +1,19 @@ +kernel-netlink { + + # Firewall mark to set on the routing rule that directs traffic to our + # routing table. + # fwmark = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to trigger roam events when interfaces, addresses or routes + # change. + # roam_events = yes + + # Lifetime of XFRM acquire state in kernel. + # xfrm_acq_expires = 165 + +} + diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt new file mode 100644 index 000000000..a8e421b6e --- /dev/null +++ b/conf/plugins/kernel-netlink.opt 
@@ -0,0 +1,18 @@ +charon.plugins.kernel-netlink.fwmark = + Firewall mark to set on the routing rule that directs traffic to our routing + table. + + Firewall mark to set on the routing rule that directs traffic to our routing + table. The format is [!]mark[/mask], where the optional exclamation mark + inverts the meaning (i.e. the rule only applies to packets that don't match + the mark). + +charon.plugins.kernel-netlink.roam_events = yes + Whether to trigger roam events when interfaces, addresses or routes change. + +charon.plugins.kernel-netlink.xfrm_acq_expires = 165 + Lifetime of XFRM acquire state in kernel. + + Lifetime of XFRM acquire state in kernel. The value gets written to + /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM + acquire messages sent. diff --git a/conf/plugins/kernel-pfroute.conf b/conf/plugins/kernel-pfroute.conf new file mode 100644 index 000000000..9aa4dcac0 --- /dev/null +++ b/conf/plugins/kernel-pfroute.conf @@ -0,0 +1,12 @@ +kernel-pfroute { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Time in ms to wait until virtual IP addresses appear/disappear before + # failing. + # vip_wait = 1000 + +} + diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt new file mode 100644 index 000000000..8b9bb9169 --- /dev/null +++ b/conf/plugins/kernel-pfroute.opt @@ -0,0 +1,3 @@ +charon.plugins.kernel-pfroute.vip_wait = 1000 + Time in ms to wait until virtual IP addresses appear/disappear before + failing. diff --git a/conf/plugins/led.conf b/conf/plugins/led.conf new file mode 100644 index 000000000..0f34adb07 --- /dev/null +++ b/conf/plugins/led.conf @@ -0,0 +1,12 @@ +led { + + # activity_led = + + # blink_time = 50 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + 
diff --git a/conf/plugins/led.opt b/conf/plugins/led.opt
new file mode 100644
index 000000000..9e2f1ac61
--- /dev/null
+++ b/conf/plugins/led.opt
@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
new file mode 100644
index 000000000..e69c029d6
--- /dev/null
+++ b/conf/plugins/load-tester.conf
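Review bot: `charon.plugins.led.activity_led =` and `charon.plugins.led.blink_time = 50` in led.opt carry no description at all, and led.conf in the previous hunk accordingly emits the bare `# activity_led =` and `# blink_time = 50` lines without a comment, unlike every other key added in this set. Add a one-line description to each: what `activity_led` names (presumably a LED device name under the kernel's LED class — confirm) and the unit of `blink_time` (it looks like milliseconds, which should be confirmed before writing it down). Without them the generated .conf is the only file most operators see, and it is silent.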
@@ -0,0 +1,138 @@ +# Section to configure the load-tester plugin, see LOAD TESTS in +# strongswan.conf(5) for details. +load-tester { + + # Whether to keep dynamic addresses even after the associated SA got + # terminated. + # addrs_keep = no + + # Network prefix length to use when installing dynamic addresses. If set to + # -1 the full address is used (i.e. 32 or 128). + # addrs_prefix = 16 + + # Directory to load (intermediate) CA certificates from. + # ca_dir = + + # Seconds to start CHILD_SA rekeying after setup. + # child_rekey = 600 + + # Delay between initiatons for each thread. + # delay = 0 + + # Delete an IKE_SA as soon as it has been established. + # delete_after_established = no + + # Digest algorithm used when issuing certificates. + # digest = sha1 + + # DPD delay to use in load test. + # dpd_delay = 0 + + # Base port to be used for requests (each client uses a different port). + # dynamic_port = 0 + + # EAP secret to use in load test. + # eap_password = default-pwd + + # Enable the load testing plugin. WARNING: Never enable this plugin on + # productive systems. It provides preconfigured credentials and allows an + # attacker to authenticate as any user. + # enable = no + + # CHILD_SA proposal to use for load tests. + # esp = aes128-sha1 + + # Fake the kernel interface to allow load-testing against self. + # fake_kernel = no + + # Seconds to start IKE_SA rekeying after setup. + # ike_rekey = 0 + + # Global limit of concurrently established SAs during load test. + # init_limit = 0 + + # Address to initiate from. + # initiator = 0.0.0.0 + + # Authentication method(s) the intiator uses. + # initiator_auth = pubkey + + # Initiator ID used in load test. + # initiator_id = + + # Initiator ID to match against as responder. + # initiator_match = + + # Traffic selector on initiator side, as proposed by initiator. + # initiator_tsi = + + # Traffic selector on responder side, as proposed by initiator. 
+ # initiator_tsr = + + # Number of concurrent initiator threads to use in load test. + # initiators = 0 + + # Path to the issuer certificate (if not configured a hard-coded default + # value is used). + # issuer_cert = + + # Path to private key that is used to issue certificates (if not configured + # a hard-coded default value is used). + # issuer_key = + + # Number of IKE_SAs to initiate by each initiator in load test. + # iterations = 1 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # IPsec mode to use, one of tunnel, transport, or beet. + # mode = tunnel + + # Provide INTERNAL_IPV4_ADDRs from a named pool. + # pool = + + # Preshared key to use in load test. + # preshared_key = <default-psk> + + # IKE proposal to use in load test. + # proposal = aes128-sha1-modp768 + + # Request an INTERNAL_IPV4_ADDR from the server. + # request_virtual_ip = no + + # Address to initiation connections to. + # responder = 127.0.0.1 + + # Authentication method(s) the responder uses. + # responder_auth = pubkey + + # Responder ID used in load test. + # responder_id = + + # Traffic selector on initiator side, as narrowed by responder. + # responder_tsi = initiator_tsi + + # Traffic selector on responder side, as narrowed by responder. + # responder_tsr = initiator_tsr + + # Shutdown the daemon after all IKE_SAs have been established. + # shutdown_when_complete = no + + # Socket provided by the load-tester plugin. + # socket = unix://${piddir}/charon.ldt + + # IKE version to use (0 means use IKEv2 as initiator and accept any version + # as responder). + # version = 0 + + # Section that contains key/value pairs with address pools (in CIDR + # notation) to use for a specific network interface e.g. eth0 = + # 10.10.0.0/16. + addrs { + + } + +} + diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt new file mode 100644 index 000000000..7afe32618 --- /dev/null +++ b/conf/plugins/load-tester.opt 
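Review bot: the `WARNING: Never enable this plugin on productive systems` sits only on `enable = no`, while the settings that make the plugin dangerous — `preshared_key = <default-psk>`, `eap_password = default-pwd` and the `hard-coded default value` for `issuer_key`/`issuer_cert` — are documented as ordinary defaults; a short pointer on each, e.g. `Only used while enable = yes; see the warning there.`, keeps an operator from copying one of them into a real configuration. Three typos are shared with load-tester.opt in the next hunk: `Delay between initiatons for each thread.` → `initiations`, `Authentication method(s) the intiator uses.` → `initiator`, and `Address to initiation connections to.` → `Address to initiate connections to.`. If the .conf is generated from the .opt, as the identical wording suggests, fix the .opt first so the two do not drift.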
@@ -0,0 +1,128 @@ +charon.plugins.load-tester {} + Section to configure the load-tester plugin, see LOAD TESTS in + **strongswan.conf**(5) for details. + +charon.plugins.load-tester.addrs {} + Section that contains key/value pairs with address pools (in CIDR notation) + to use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +charon.plugins.load-tester.addrs_keep = no + Whether to keep dynamic addresses even after the associated SA got + terminated. + +charon.plugins.load-tester.addrs_prefix = 16 + Network prefix length to use when installing dynamic addresses. + If set to -1 the full address is used (i.e. 32 or 128). + +charon.plugins.load-tester.ca_dir = + Directory to load (intermediate) CA certificates from. + +charon.plugins.load-tester.child_rekey = 600 + Seconds to start CHILD_SA rekeying after setup. + +charon.plugins.load-tester.delay = 0 + Delay between initiatons for each thread. + +charon.plugins.load-tester.delete_after_established = no + Delete an IKE_SA as soon as it has been established. + +charon.plugins.load-tester.digest = sha1 + Digest algorithm used when issuing certificates. + +charon.plugins.load-tester.dpd_delay = 0 + DPD delay to use in load test. + +charon.plugins.load-tester.dynamic_port = 0 + Base port to be used for requests (each client uses a different port). + +charon.plugins.load-tester.eap_password = default-pwd + EAP secret to use in load test. + +charon.plugins.load-tester.enable = no + Enable the load testing plugin. **WARNING**: Never enable this plugin on + productive systems. It provides preconfigured credentials and allows an + attacker to authenticate as any user. + +charon.plugins.load-tester.esp = aes128-sha1 + CHILD_SA proposal to use for load tests. + +charon.plugins.load-tester.fake_kernel = no + Fake the kernel interface to allow load-testing against self. + +charon.plugins.load-tester.ike_rekey = 0 + Seconds to start IKE_SA rekeying after setup. 
+ +charon.plugins.load-tester.init_limit = 0 + Global limit of concurrently established SAs during load test. + +charon.plugins.load-tester.initiator = 0.0.0.0 + Address to initiate from. + +charon.plugins.load-tester.initiators = 0 + Number of concurrent initiator threads to use in load test. + +charon.plugins.load-tester.initiator_auth = pubkey + Authentication method(s) the intiator uses. + +charon.plugins.load-tester.initiator_id = + Initiator ID used in load test. + +charon.plugins.load-tester.initiator_match = + Initiator ID to match against as responder. + +charon.plugins.load-tester.initiator_tsi = + Traffic selector on initiator side, as proposed by initiator. + +charon.plugins.load-tester.initiator_tsr = + Traffic selector on responder side, as proposed by initiator. + +charon.plugins.load-tester.iterations = 1 + Number of IKE_SAs to initiate by each initiator in load test. + +charon.plugins.load-tester.issuer_cert = + Path to the issuer certificate (if not configured a hard-coded default value + is used). + +charon.plugins.load-tester.issuer_key = + Path to private key that is used to issue certificates (if not configured a + hard-coded default value is used). + +charon.plugins.load-tester.mode = tunnel + IPsec mode to use, one of _tunnel_, _transport_, or _beet_. + +charon.plugins.load-tester.pool = + Provide INTERNAL_IPV4_ADDRs from a named pool. + +charon.plugins.load-tester.preshared_key = <default-psk> + Preshared key to use in load test. + +charon.plugins.load-tester.proposal = aes128-sha1-modp768 + IKE proposal to use in load test. + +charon.plugins.load-tester.responder = 127.0.0.1 + Address to initiation connections to. + +charon.plugins.load-tester.responder_auth = pubkey + Authentication method(s) the responder uses. + +charon.plugins.load-tester.responder_id = + Responder ID used in load test. + +charon.plugins.load-tester.responder_tsi = initiator_tsi + Traffic selector on initiator side, as narrowed by responder. 
+ +charon.plugins.load-tester.responder_tsr = initiator_tsr + Traffic selector on responder side, as narrowed by responder. + +charon.plugins.load-tester.request_virtual_ip = no + Request an INTERNAL_IPV4_ADDR from the server. + +charon.plugins.load-tester.shutdown_when_complete = no + Shutdown the daemon after all IKE_SAs have been established. + +charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt + Socket provided by the load-tester plugin. + +charon.plugins.load-tester.version = 0 + IKE version to use (0 means use IKEv2 as initiator and accept any version as + responder). diff --git a/conf/plugins/lookip.conf b/conf/plugins/lookip.conf new file mode 100644 index 000000000..53958221f --- /dev/null +++ b/conf/plugins/lookip.conf @@ -0,0 +1,11 @@ +lookip { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the lookip plugin. + # socket = unix://${piddir}/charon.lkp + +} + diff --git a/conf/plugins/lookip.opt b/conf/plugins/lookip.opt new file mode 100644 index 000000000..443eb34bb --- /dev/null +++ b/conf/plugins/lookip.opt @@ -0,0 +1,2 @@ +charon.plugins.lookip.socket = unix://${piddir}/charon.lkp + Socket provided by the lookip plugin. diff --git a/conf/plugins/ntru.conf b/conf/plugins/ntru.conf new file mode 100644 index 000000000..6487b3653 --- /dev/null +++ b/conf/plugins/ntru.conf @@ -0,0 +1,17 @@ +ntru { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Number of pseudo-random bit requests from the DRBG before an automatic + # reseeding occurs. + # max_drbg_requests = 4294967294 + + # The following parameter sets are available: x9_98_speed, x9_98_bandwidth, + # x9_98_balance and optimum, the last set not being part of the X9.98 + # standard but having the best performance. + # parameter_set = optimum + +} + 
diff --git a/conf/plugins/ntru.opt b/conf/plugins/ntru.opt new file mode 100644 index 000000000..8e1bebd87 --- /dev/null +++ b/conf/plugins/ntru.opt @@ -0,0 +1,8 @@ +charon.plugins.ntru.max_drbg_requests = 4294967294 + Number of pseudo-random bit requests from the DRBG before an automatic + reseeding occurs. + +charon.plugins.ntru.parameter_set = optimum + The following parameter sets are available: **x9_98_speed**, + **x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not + being part of the X9.98 standard but having the best performance. diff --git a/conf/plugins/openssl.conf b/conf/plugins/openssl.conf new file mode 100644 index 000000000..08ed7592b --- /dev/null +++ b/conf/plugins/openssl.conf @@ -0,0 +1,14 @@ +openssl { + + # ENGINE ID to use in the OpenSSL plugin. + # engine_id = pkcs11 + + # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). + # fips_mode = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt new file mode 100644 index 000000000..55d8dcaa1 --- /dev/null +++ b/conf/plugins/openssl.opt @@ -0,0 +1,5 @@ +charon.plugins.openssl.engine_id = pkcs11 + ENGINE ID to use in the OpenSSL plugin. + +charon.plugins.openssl.fips_mode = 0 + Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf new file mode 100644 index 000000000..35248c2ce --- /dev/null +++ b/conf/plugins/pkcs11.conf 
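Review bot: `charon.plugins.openssl.fips_mode = 0` lists the three accepted values but not what happens when the requested mode cannot be entered, e.g. on an OpenSSL build without a FIPS module — whether the plugin refuses to load or silently continues without FIPS matters to anyone relying on the setting for compliance and should be stated once confirmed. `engine_id = pkcs11` likewise does not say whether the engine is loaded unconditionally at plugin start or only when a key is requested from it; a reader cannot tell from either openssl.opt or the generated openssl.conf in the same hunk.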
@@ -0,0 +1,37 @@ +pkcs11 { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to load certificates from tokens. + # load_certs = yes + + # Reload certificates from all tokens if charon receives a SIGHUP. + # reload_certs = no + + # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc + # option). + # use_dh = no + + # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key + # operations. ECDSA private keys can be used regardless of this option. + # use_ecc = no + + # Whether the PKCS#11 modules should be used to hash data. + # use_hasher = no + + # Whether the PKCS#11 modules should be used for public key operations, even + # for keys not stored on tokens. + # use_pubkey = no + + # Whether the PKCS#11 modules should be used as RNG. + # use_rng = no + + # List of available PKCS#11 modules. + modules { + + } + +} + diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt new file mode 100644 index 000000000..f5a202844 --- /dev/null +++ b/conf/plugins/pkcs11.opt 
@@ -0,0 +1,26 @@ +charon.plugins.pkcs11.modules {} + List of available PKCS#11 modules. + +charon.plugins.pkcs11.load_certs = yes + Whether to load certificates from tokens. + +charon.plugins.pkcs11.reload_certs = no + Reload certificates from all tokens if charon receives a SIGHUP. + +charon.plugins.pkcs11.use_dh = no + Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_ + option). + +charon.plugins.pkcs11.use_ecc = no + Whether the PKCS#11 modules should be used for ECDH and ECDSA public key + operations. ECDSA private keys can be used regardless of this option. + +charon.plugins.pkcs11.use_hasher = no + Whether the PKCS#11 modules should be used to hash data. + +charon.plugins.pkcs11.use_pubkey = no + Whether the PKCS#11 modules should be used for public key operations, even + for keys not stored on tokens. + +charon.plugins.pkcs11.use_rng = no + Whether the PKCS#11 modules should be used as RNG. diff --git a/conf/plugins/radattr.conf b/conf/plugins/radattr.conf new file mode 100644 index 000000000..6b085987d --- /dev/null +++ b/conf/plugins/radattr.conf @@ -0,0 +1,15 @@ +radattr { + + # Directory where RADIUS attributes are stored in client-ID specific files. + # dir = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Add attributes to all IKE_AUTH messages (-1) or only to the one with the + # given message ID. + # message_id = -1 + +} + diff --git a/conf/plugins/radattr.opt b/conf/plugins/radattr.opt new file mode 100644 index 000000000..dcc1bf2f7 --- /dev/null +++ b/conf/plugins/radattr.opt 
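Review bot: `charon.plugins.pkcs11.modules {}` is described only as `List of available PKCS#11 modules.`, and neither pkcs11.opt nor the empty `modules { }` block in pkcs11.conf (previous hunk) shows what a module entry looks like, so a reader cannot tell which keys a module subsection takes. Add at least a `charon.plugins.pkcs11.modules.<name>.path =` entry with the path to the module's shared library (confirm the exact key names against the plugin) so the generated conf carries an example, the way load-tester.opt illustrates its `addrs` section with `eth0 = 10.10.0.0/16`. It would also help to say next to `reload_certs = no` that, with the default, certificates read from tokens at startup are never refreshed until restart, if that is what the option implies.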
@@ -0,0 +1,9 @@ +charon.plugins.radattr.dir = + Directory where RADIUS attributes are stored in client-ID specific files. + +charon.plugins.radattr.message_id = -1 + Add attributes to all IKE_AUTH messages (-1) or only to the one with the + given message ID. + + Attributes are added to all IKE_AUTH messages by default (-1), or only to + the IKE_AUTH message with the given IKEv2 message ID. diff --git a/conf/plugins/random.conf b/conf/plugins/random.conf new file mode 100644 index 000000000..e0af75fd7 --- /dev/null +++ b/conf/plugins/random.conf @@ -0,0 +1,18 @@ +random { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # File to read random bytes from. + # random = ${random_device} + + # If set to yes the RNG_STRONG class reads random bytes from the same source + # as the RNG_TRUE class. + # strong_equals_true = no + + # File to read pseudo random bytes from. + # urandom = ${urandom_device} + +} + diff --git a/conf/plugins/random.opt b/conf/plugins/random.opt new file mode 100644 index 000000000..1cbde288b --- /dev/null +++ b/conf/plugins/random.opt @@ -0,0 +1,9 @@ +charon.plugins.random.random = ${random_device} + File to read random bytes from. + +charon.plugins.random.urandom = ${urandom_device} + File to read pseudo random bytes from. + +charon.plugins.random.strong_equals_true = no + If set to yes the RNG_STRONG class reads random bytes from the same source + as the RNG_TRUE class. diff --git a/conf/plugins/resolve.conf b/conf/plugins/resolve.conf new file mode 100644 index 000000000..5d9ca72de --- /dev/null +++ b/conf/plugins/resolve.conf @@ -0,0 +1,18 @@ +resolve { + + # File where to add DNS server entries. + # file = /etc/resolv.conf + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + resolvconf { + + # Prefix used for interface names sent to resolvconf(8). + # iface_prefix = lo.inet.ipsec. + + } + +} + 
diff --git a/conf/plugins/resolve.opt b/conf/plugins/resolve.opt new file mode 100644 index 000000000..ce65eff9e --- /dev/null +++ b/conf/plugins/resolve.opt @@ -0,0 +1,11 @@ +charon.plugins.resolve.file = /etc/resolv.conf + File where to add DNS server entries. + +charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec. + Prefix used for interface names sent to resolvconf(8). + + Prefix used for interface names sent to **resolvconf**(8). The nameserver + address is appended to this prefix to make it unique. The result has to be + a valid interface name according to the rules defined by resolvconf. Also, + it should have a high priority according to the order defined in + **interface-order**(5). diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf new file mode 100644 index 000000000..6d4b73dd5 --- /dev/null +++ b/conf/plugins/socket-default.conf @@ -0,0 +1,20 @@ +socket-default { + + # Firewall mark to set on outbound packets. + # fwmark = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Set source address on outbound packets, if possible. + # set_source = yes + + # Listen on IPv4, if possible. + # use_ipv4 = yes + + # Listen on IPv6, if possible. + # use_ipv6 = yes + +} + diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt new file mode 100644 index 000000000..483a0f03d --- /dev/null +++ b/conf/plugins/socket-default.opt @@ -0,0 +1,11 @@ +charon.plugins.socket-default.fwmark = + Firewall mark to set on outbound packets. + +charon.plugins.socket-default.set_source = yes + Set source address on outbound packets, if possible. + +charon.plugins.socket-default.use_ipv4 = yes + Listen on IPv4, if possible. + +charon.plugins.socket-default.use_ipv6 = yes + Listen on IPv6, if possible. diff --git a/conf/plugins/sql.conf b/conf/plugins/sql.conf new file mode 100644 index 000000000..094231b9c --- /dev/null +++ b/conf/plugins/sql.conf 
@@ -0,0 +1,15 @@ +sql { + + # Database URI for charon's SQL plugin. If it contains a password, make sure + # to adjust the permissions of the config file accordingly. + # database = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Loglevel for logging to SQL database. + # loglevel = -1 + +} + diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt new file mode 100644 index 000000000..f573bba7e --- /dev/null +++ b/conf/plugins/sql.opt @@ -0,0 +1,6 @@ +charon.plugins.sql.database = + Database URI for charon's SQL plugin. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + +charon.plugins.sql.loglevel = -1 + Loglevel for logging to SQL database. diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf new file mode 100644 index 000000000..6dd063053 --- /dev/null +++ b/conf/plugins/stroke.conf @@ -0,0 +1,24 @@ +stroke { + + # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA + # certificates even if they don't contain a CA basic constraint. + # ignore_missing_ca_basic_constraint = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum number of stroke messages handled concurrently. + # max_concurrent = 4 + + # If enabled log level changes via stroke socket are not allowed. + # prevent_loglevel_changes = no + + # Socket provided by the stroke plugin. + # socket = unix://${piddir}/charon.ctl + + # Timeout in ms for any stroke command. Use 0 to disable the timeout. + # timeout = 0 + +} + diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt new file mode 100644 index 000000000..2cfc2c6fa --- /dev/null +++ b/conf/plugins/stroke.opt 
@@ -0,0 +1,15 @@ +charon.plugins.stroke.ignore_missing_ca_basic_constraint = no + Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA + certificates even if they don't contain a CA basic constraint. + +charon.plugins.stroke.max_concurrent = 4 + Maximum number of stroke messages handled concurrently. + +charon.plugins.stroke.prevent_loglevel_changes = no + If enabled log level changes via stroke socket are not allowed. + +charon.plugins.stroke.socket = unix://${piddir}/charon.ctl + Socket provided by the stroke plugin. + +charon.plugins.stroke.timeout = 0 + Timeout in ms for any stroke command. Use 0 to disable the timeout. diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf new file mode 100644 index 000000000..f5cd4cd5d --- /dev/null +++ b/conf/plugins/systime-fix.conf @@ -0,0 +1,22 @@ +systime-fix { + + # Interval in seconds to check system time for validity. 0 disables the + # check. + # interval = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to use reauth or delete if an invalid cert lifetime is detected. + # reauth = no + + # Threshold date where system time is considered valid. Disabled if not + # specified. + # threshold = + + # strptime(3) format used to parse threshold option. + # threshold_format = %Y + +} + diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt new file mode 100644 index 000000000..7abd03627 --- /dev/null +++ b/conf/plugins/systime-fix.opt 
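Review bot: `If enabled log level changes via stroke socket are not allowed.` reads ambiguously without punctuation; `If enabled, log level changes via the stroke socket are not allowed.` is what is meant, in both stroke.opt here and stroke.conf in the previous hunk. `ignore_missing_ca_basic_constraint = no` states what the option does but not its consequence: with `yes`, any certificate in ipsec.d/cacerts or an ipsec.conf ca section acts as a trust anchor even though it was never issued as a CA, which weakens path validation, so a trailing sentence such as `Enabling this weakens certificate validation; use it only for legacy CA certificates that cannot be reissued.` would warn the operator before they flip it.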
@@ -0,0 +1,12 @@
+charon.plugins.systime-fix.interval = 0
+ Interval in seconds to check system time for validity. 0 disables the check.
+
+charon.plugins.systime-fix.reauth = no
+ Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+charon.plugins.systime-fix.threshold =
+ Threshold date where system time is considered valid. Disabled if not
+ specified.
+
+charon.plugins.systime-fix.threshold_format = %Y
+ **strptime**(3) format used to parse threshold option.
diff --git a/conf/plugins/tnc-ifmap.conf b/conf/plugins/tnc-ifmap.conf
new file mode 100644
index 000000000..02f7c881f
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.conf
@@ -0,0 +1,30 @@
+tnc-ifmap {
+
+ # Path to X.509 certificate file of IF-MAP client.
+ # client_cert =
+
+ # Path to private key file of IF-MAP client.
+ # client_key =
+
+ # Unique name of strongSwan server as a PEP and/or PDP device.
+ # device_name =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Interval in seconds between periodic IF-MAP RenewSession requests.
+ # renew_session_interval = 150
+
+ # Path to X.509 certificate file of IF-MAP server.
+ # server_cert =
+
+ # URI of the form [https://]servername[:port][/path].
+ # server_uri = https://localhost:8444/imap
+
+ # Credentials of IF-MAP client of the form username:password. If set, make
+ # sure to adjust the permissions of the config file accordingly.
+ # username_password =
+
+}
+
diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt
new file mode 100644
index 000000000..155c30697
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.opt
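Review bot: The comment on `server_cert` in tnc-ifmap.conf does not say what happens when the option is left empty, which is its default, even though the credentials in `username_password` are presumably presented to that same server. A reader cannot tell whether the IF-MAP server's TLS certificate is then checked against the system trust store or not checked at all, and the comment should state which, e.g. `# Path to X.509 certificate file of IF-MAP server. If unset, <state how the server is verified>.` with the real behaviour filled in. Likewise the default `server_uri = https://localhost:8444/imap` next to the optional scheme in `[https://]servername[:port][/path]` leaves open whether a plain-http URI is accepted; one sentence on that would close the gap. The same descriptions recur in tnc-ifmap.opt on the following line and should be kept in step.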
@@ -0,0 +1,21 @@
+charon.plugins.tnc-ifmap.client_cert =
+ Path to X.509 certificate file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.client_key =
+ Path to private key file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.device_name =
+ Unique name of strongSwan server as a PEP and/or PDP device.
+
+charon.plugins.tnc-ifmap.renew_session_interval = 150
+ Interval in seconds between periodic IF-MAP RenewSession requests.
+
+charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
+ URI of the form [https://]servername[:port][/path].
+
+charon.plugins.tnc-ifmap.server_cert =
+ Path to X.509 certificate file of IF-MAP server.
+
+charon.plugins.tnc-ifmap.username_password =
+ Credentials of IF-MAP client of the form username:password. If set, make
+ sure to adjust the permissions of the config file accordingly.
diff --git a/conf/plugins/tnc-imc.conf b/conf/plugins/tnc-imc.conf
new file mode 100644
index 000000000..f517abcaf
--- /dev/null
+++ b/conf/plugins/tnc-imc.conf
@@ -0,0 +1,14 @@
+tnc-imc {
+
+ # Unload IMC after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Preferred language for TNC recommendations.
+ # preferred_language = en
+
+}
+
diff --git a/conf/plugins/tnc-imc.opt b/conf/plugins/tnc-imc.opt
new file mode 100644
index 000000000..7c9af2a30
--- /dev/null
+++ b/conf/plugins/tnc-imc.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imc.dlclose = yes
+ Unload IMC after use.
+
+charon.plugins.tnc-imc.preferred_language = en
+ Preferred language for TNC recommendations.
diff --git a/conf/plugins/tnc-imv.conf b/conf/plugins/tnc-imv.conf
new file mode 100644
index 000000000..799421983
--- /dev/null
+++ b/conf/plugins/tnc-imv.conf
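Review bot: In tnc-ifmap.opt the `charon.plugins.tnc-ifmap.server_uri` entry is placed before `charon.plugins.tnc-ifmap.server_cert`, which breaks the alphabetical key order that tnc-ifmap.conf and the other .opt files in this series (stroke.opt, systime-fix.opt, tnc-pdp.opt) keep. Swapping the two entries keeps the .conf and .opt files in step, which matters because the .conf comments are evidently generated from the .opt text. unbound.opt further down has the same problem with `resolv_conf`, `trust_anchors`, `dlv_anchors` in non-alphabetical order while unbound.conf lists them alphabetically.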
@@ -0,0 +1,14 @@
+tnc-imv {
+
+ # Unload IMV after use.
+ # dlclose = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # TNC recommendation policy, one of default, any, or all.
+ # recommendation_policy = default
+
+}
+
diff --git a/conf/plugins/tnc-imv.opt b/conf/plugins/tnc-imv.opt
new file mode 100644
index 000000000..788753ce7
--- /dev/null
+++ b/conf/plugins/tnc-imv.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnc-imv.dlclose = yes
+ Unload IMV after use.
+
+charon.plugins.tnc-imv.recommendation_policy = default
+ TNC recommendation policy, one of _default_, _any_, or _all_.
diff --git a/conf/plugins/tnc-pdp.conf b/conf/plugins/tnc-pdp.conf
new file mode 100644
index 000000000..d9e926c9e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.conf
@@ -0,0 +1,41 @@
+tnc-pdp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Name of the strongSwan PDP as contained in the AAA certificate.
+ # server =
+
+ # Timeout in seconds before closing incomplete connections.
+ # timeout =
+
+ pt_tls {
+
+ # Enable PT-TLS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # PT-TLS server port the strongSwan PDP is listening on.
+ # port = 271
+
+ }
+
+ radius {
+
+ # Enable RADIUS protocol on the strongSwan PDP.
+ # enable = yes
+
+ # EAP tunnel method to be used.
+ # method = ttls
+
+ # RADIUS server port the strongSwan PDP is listening on.
+ # port = 1812
+
+ # Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure
+ # to adjust the permissions of the config file accordingly.
+ # secret =
+
+ }
+
+}
+
diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt
new file mode 100644
index 000000000..22b00db5e
--- /dev/null
+++ b/conf/plugins/tnc-pdp.opt
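Review bot: `timeout =` in tnc-pdp.conf ships without a value and its comment, "Timeout in seconds before closing incomplete connections.", does not say what an empty setting means, so an operator cannot tell whether half-open PT-TLS or RADIUS connections are ever closed when the option is left alone. The comment should name the effective default or state that the timeout is off when unset, e.g. `# Timeout in seconds before closing incomplete connections (default: <value>).` with the real value filled in. `server =` has the same gap: nothing says whether the PDP refuses to start or derives a name from the certificate when it is empty. Both descriptions are repeated in tnc-pdp.opt on the following line and should change together.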
@@ -0,0 +1,24 @@
+charon.plugins.tnc-pdp.pt_tls.enable = yes
+ Enable PT-TLS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.pt_tls.port = 271
+ PT-TLS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.enable = yes
+ Enable RADIUS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.radius.method = ttls
+ EAP tunnel method to be used.
+
+charon.plugins.tnc-pdp.radius.port = 1812
+ RADIUS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.secret =
+ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.plugins.tnc-pdp.server =
+ Name of the strongSwan PDP as contained in the AAA certificate.
+
+charon.plugins.tnc-pdp.timeout =
+ Timeout in seconds before closing incomplete connections.
diff --git a/conf/plugins/tnccs-11.conf b/conf/plugins/tnccs-11.conf
new file mode 100644
index 000000000..9b99786b2
--- /dev/null
+++ b/conf/plugins/tnccs-11.conf
@@ -0,0 +1,11 @@
+tnccs-11 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PA-TNC message (XML & Base64 encoding).
+ # max_message_size = 45000
+
+}
+
diff --git a/conf/plugins/tnccs-11.opt b/conf/plugins/tnccs-11.opt
new file mode 100644
index 000000000..eb313fe06
--- /dev/null
+++ b/conf/plugins/tnccs-11.opt
@@ -0,0 +1,2 @@
+charon.plugins.tnccs-11.max_message_size = 45000
+ Maximum size of a PA-TNC message (XML & Base64 encoding).
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
new file mode 100644
index 000000000..9a57ee14d
--- /dev/null
+++ b/conf/plugins/tnccs-20.conf
@@ -0,0 +1,14 @@
+tnccs-20 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+ # max_batch_size = 65522
+
+ # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+ # max_message_size = 65490
+
+}
+
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
new file mode 100644
index 000000000..b15bc3fa1
--- /dev/null
+++ b/conf/plugins/tnccs-20.opt
@@ -0,0 +1,5 @@
+charon.plugins.tnccs-20.max_batch_size = 65522
+ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
+
+charon.plugins.tnccs-20.max_message_size = 65490
+ Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
diff --git a/conf/plugins/unbound.conf b/conf/plugins/unbound.conf
new file mode 100644
index 000000000..8d3003118
--- /dev/null
+++ b/conf/plugins/unbound.conf
@@ -0,0 +1,17 @@
+unbound {
+
+ # File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+ # dlv_anchors =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read DNS resolver configuration from.
+ # resolv_conf = /etc/resolv.conf
+
+ # File to read DNSSEC trust anchors from (usually root zone KSK).
+ # trust_anchors = /etc/ipsec.d/dnssec.keys
+
+}
+
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
new file mode 100644
index 000000000..f8ca9ca12
--- /dev/null
+++ b/conf/plugins/unbound.opt
@@ -0,0 +1,17 @@
+charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ File to read DNS resolver configuration from.
+
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+ File to read DNSSEC trust anchors from (usually root zone KSK).
+
+ File to read DNSSEC trust anchors from (usually root zone KSK). The format
+ of the file is the standard DNS Zone file format, anchors can be stored as
+ DS or DNSKEY entries in the file.
+
+charon.plugins.unbound.dlv_anchors =
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
+ uses the same format as _trust_anchors_. Only one DLV can be configured,
+ which is then used as a root trusted DLV, this means that it is a lookaside
+ for the root.
diff --git a/conf/plugins/updown.conf b/conf/plugins/updown.conf
new file mode 100644
index 000000000..8bcd330a8
--- /dev/null
+++ b/conf/plugins/updown.conf
@@ -0,0 +1,12 @@
+updown {
+
+ # Whether the updown script should handle assigned DNS servers (if enabled
+ # they can't be handled by other plugins, like resolve).
+ # dns_handler = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/updown.opt b/conf/plugins/updown.opt
new file mode 100644
index 000000000..d8bcc82ab
--- /dev/null
+++ b/conf/plugins/updown.opt
@@ -0,0 +1,7 @@
+charon.plugins.updown.dns_handler = no
+ Whether the updown script should handle assigned DNS servers (if enabled
+ they can't be handled by other plugins, like resolve).
+
+ Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+ plugins, like resolve)
diff --git a/conf/plugins/whitelist.conf b/conf/plugins/whitelist.conf
new file mode 100644
index 000000000..c68358bf2
--- /dev/null
+++ b/conf/plugins/whitelist.conf
@@ -0,0 +1,14 @@
+whitelist {
+
+ # Enable loaded whitelist plugin.
+ # enable = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Socket provided by the whitelist plugin.
+ # socket = unix://${piddir}/charon.wlst
+
+}
+
diff --git a/conf/plugins/whitelist.opt b/conf/plugins/whitelist.opt
new file mode 100644
index 000000000..023f7e235
--- /dev/null
+++ b/conf/plugins/whitelist.opt
@@ -0,0 +1,6 @@
+charon.plugins.whitelist.enable = yes
+ Enable loaded whitelist plugin.
+
+charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
+ Socket provided by the whitelist plugin.
+
diff --git a/conf/plugins/xauth-eap.conf b/conf/plugins/xauth-eap.conf
new file mode 100644
index 000000000..25ea2aa36
--- /dev/null
+++ b/conf/plugins/xauth-eap.conf
@@ -0,0 +1,11 @@
+xauth-eap {
+
+ # EAP plugin to be used as backend for XAuth credential verification.
+ # backend = radius
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/xauth-eap.opt b/conf/plugins/xauth-eap.opt
new file mode 100644
index 000000000..1663f935c
--- /dev/null
+++ b/conf/plugins/xauth-eap.opt
@@ -0,0 +1,2 @@
+charon.plugins.xauth-eap.backend = radius
+ EAP plugin to be used as backend for XAuth credential verification.
diff --git a/conf/plugins/xauth-pam.conf b/conf/plugins/xauth-pam.conf
new file mode 100644
index 000000000..aeba19195
--- /dev/null
+++ b/conf/plugins/xauth-pam.conf
@@ -0,0 +1,18 @@
+xauth-pam {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # PAM service to be used for authentication.
+ # pam_service = login
+
+ # Open/close a PAM session for each active IKE_SA.
+ # session = no
+
+ # If an email address is received as an XAuth username, trim it to just the
+ # username part.
+ # trim_email = yes
+
+}
+
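Review bot: The `trim_email` comment in xauth-pam.conf describes the mechanics but not the consequence: with the default `yes`, the domain part of an XAuth username is discarded before PAM sees it, so two users whose names differ only in the domain (constructed example: alice@a.example and alice@b.example) are presented to PAM as the same account `alice`. Deployments that rely on the domain to keep users apart need to know to set it to `no`, and a second sentence makes that visible, e.g. `# Note that the domain part is dropped, so users differing only in domain map to the same PAM account.` The same description is repeated in xauth-pam.opt on the following line and should be updated together.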
diff --git a/conf/plugins/xauth-pam.opt b/conf/plugins/xauth-pam.opt
new file mode 100644
index 000000000..637dea6a6
--- /dev/null
+++ b/conf/plugins/xauth-pam.opt
@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+ PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+ Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+ If an email address is received as an XAuth username, trim it to just the
+ username part. |