Diffstat (limited to 'conf/strongswan.conf.5.main')
-rw-r--r-- | conf/strongswan.conf.5.main | 332 |
1 files changed, 207 insertions, 125 deletions
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 12fde4903..d93c208ae 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -1,4 +1,8 @@ .TP +.BR aikgen.load " []" +Plugins to load in ipsec aikgen tool. + +.TP .BR attest.database " []" File measurement information database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly. @@ -28,6 +32,20 @@ in the section. .TP +.BR charon.accept_unencrypted_mainmode_messages " [no]" +Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + +Some implementations send the third Main Mode message unencrypted, probably to +find the PSKs for the specified ID for authentication. This is very similar to +Aggressive Mode, and has the same security implications: A passive attacker can +sniff the negotiated Identity, and start brute forcing the PSK using the HASH +payload. + +It is recommended to keep this option to no, unless you know exactly what the +implications are and require compatibility to such devices (for example, some +SonicWall boxes). + +.TP .BR charon.block_threshold " [5]" Maximum number of half\-open IKE_SAs for a single peer IP. @@ -666,7 +684,7 @@ Maximum number of processed EAP\-TLS packets (0 = no limit). Maximum number of processed EAP\-TNC packets (0 = no limit). .TP -.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" +.BR charon.plugins.eap-tnc.protocol " [tnccs-2.0]" IF\-TNCCS protocol version to be used .RI "(" "tnccs\-1.1" "," .RI "" "tnccs\-2.0" "," @@ -698,6 +716,14 @@ Phase2 EAP Identity request piggybacked by server onto TLS Finished message. Start phase2 EAP TNC protocol after successful client authentication. .TP +.BR charon.plugins.eap-ttls.phase2_tnc_method " [pt]" +Phase2 EAP TNC transport protocol +.RI "(" "pt" "" +as IETF standard or legacy +.RI "" "tnc" ")" + + +.TP .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate. 
@@ -735,134 +761,10 @@ to 0 to disable. .TP .BR charon.plugins.ha.segment_count " [1]" .TP -.BR charon.plugins.imc-attestation.aik_blob " []" -AIK encrypted private key blob file. - -.TP -.BR charon.plugins.imc-attestation.aik_cert " []" -AIK certificate file. - -.TP -.BR charon.plugins.imc-attestation.aik_key " []" -AIK public key file. - -.TP -.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]" -Enforce mandatory Diffie\-Hellman groups. - -.TP -.BR charon.plugins.imc-attestation.nonce_len " [20]" -DH nonce length. - -.TP -.BR charon.plugins.imc-attestation.pcr17_after " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr17_before " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr17_meas " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr18_after " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr18_before " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr18_meas " []" -Dummy data if the TBOOT log is not retrieved. - -.TP -.BR charon.plugins.imc-attestation.pcr_info " [yes]" -Whether to send pcr_before and pcr_after info. - -.TP -.BR charon.plugins.imc-attestation.use_quote2 " [yes]" -Use Quote2 AIK signature instead of Quote signature. - -.TP -.BR charon.plugins.imc-os.push_info " [yes]" -Send operating system info without being prompted. - -.TP -.BR charon.plugins.imc-scanner.push_info " [yes]" -Send open listening ports without being prompted. - -.TP -.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]" -Directory where SWID tags are located. - -.TP -.BR charon.plugins.imc-test.additional_ids " [0]" -Number of additional IMC IDs. - -.TP -.BR charon.plugins.imc-test.command " [none]" -Command to be sent to the Test IMV. 
- -.TP -.BR charon.plugins.imc-test.dummy_size " [0]" -Size of dummy attribute to be sent to the Test IMV (0 = disabled). - -.TP -.BR charon.plugins.imc-test.retry " [no]" -Do a handshake retry. - -.TP -.BR charon.plugins.imc-test.retry_command " []" -Command to be sent to the Test IMV in the handshake retry. - -.TP -.BR charon.plugins.imv-attestation.cadir " []" -Path to directory with AIK cacerts. - -.TP -.BR charon.plugins.imv-attestation.dh_group " [ecp256]" -Preferred Diffie\-Hellman group. - -.TP -.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]" -Preferred measurement hash algorithm. - -.TP -.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]" -Enforce mandatory Diffie\-Hellman groups. - -.TP -.BR charon.plugins.imv-attestation.min_nonce_len " [0]" -DH minimum nonce length. - -.TP -.BR charon.plugins.imv-os.remediation_uri " []" -URI pointing to operating system remediation instructions. - -.TP -.BR charon.plugins.imv-scanner.remediation_uri " []" -URI pointing to scanner remediation instructions. - -.TP -.BR charon.plugins.imv-test.rounds " [0]" -Number of IMC\-IMV retry rounds. - -.TP .BR charon.plugins.ipseckey.enable " [no]" Enable fetching of IPSECKEY RRs via DNS. .TP -.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" -Number of ipsecN devices. - -.TP -.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" -Set MTU of ipsecN device. - -.TP .BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]" Allow that the remote traffic selector equals the IKE peer. The route installed for such traffic (via TUN device) usually prevents further IKE traffic. The @@ -928,6 +830,11 @@ Directory to load (intermediate) CA certificates from. Seconds to start CHILD_SA rekeying after setup. .TP +.BR charon.plugins.load-tester.crl " []" +URI to a CRL to include as certificate distribution point in generated +certificates. + +.TP .BR charon.plugins.load-tester.delay " [0]" Delay between initiatons for each thread. 
@@ -1360,6 +1267,10 @@ Config or IKEv2 Config Payloads (if enabled they can't be handled by other plugins, like resolve) .TP +.BR charon.plugins.vici.socket " [unix://${piddir}/charon.vici]" +Socket the vici plugin serves clients. + +.TP .BR charon.plugins.whitelist.enable " [yes]" Enable loaded whitelist plugin. @@ -1397,6 +1308,11 @@ otherwise a random port will be allocated. .TP +.BR charon.prefer_temporary_addrs " [no]" +By default public IPv6 addresses are preferred over temporary ones (RFC 4941), +to make connections more stable. Enable this option to reverse this. + +.TP .BR charon.process_route " [yes]" Process RTM_NEWROUTE and RTM_DELROUTE events. @@ -1480,6 +1396,18 @@ Specific IKEv2 message type to delay, 0 for any. Send strongSwan vendor ID payload .TP +.B charon.start-scripts +.br +Section containing a list of scripts (name = path) that are executed when the +daemon is started. + +.TP +.B charon.stop-scripts +.br +Section containing a list of scripts (name = path) that are executed when the +daemon is terminated. + +.TP .B charon.syslog .br Section to define syslog loggers, see LOGGER CONFIGURATION in 
@@ -1567,6 +1495,156 @@ Plugins to load in IMC/IMVs with stand\-alone library. .TP +.BR libimcv.plugins.imc-attestation.aik_blob " []" +AIK encrypted private key blob file. + +.TP +.BR libimcv.plugins.imc-attestation.aik_cert " []" +AIK certificate file. + +.TP +.BR libimcv.plugins.imc-attestation.aik_pubkey " []" +AIK public key file. + +.TP +.BR libimcv.plugins.imc-attestation.mandatory_dh_groups " [yes]" +Enforce mandatory Diffie\-Hellman groups. + +.TP +.BR libimcv.plugins.imc-attestation.nonce_len " [20]" +DH nonce length. + +.TP +.BR libimcv.plugins.imc-attestation.pcr17_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr17_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr17_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr18_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr18_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr18_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR libimcv.plugins.imc-attestation.pcr_info " [no]" +Whether to send pcr_before and pcr_after info. + +.TP +.BR libimcv.plugins.imc-attestation.use_quote2 " [yes]" +Use Quote2 AIK signature instead of Quote signature. + +.TP +.BR libimcv.plugins.imc-os.device_cert " []" +Manually set the path to the client device certificate (e.g. +/etc/pts/aikCert.der) + +.TP +.BR libimcv.plugins.imc-os.device_id " []" +Manually set the client device ID in hexadecimal format (e.g. +1083f03988c9762703b1c1080c2e46f72b99cc31) + +.TP +.BR libimcv.plugins.imc-os.device_pubkey " []" +Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der) + +.TP +.BR libimcv.plugins.imc-os.push_info " [yes]" +Send operating system info without being prompted. 
+
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]"
+Directory where SWID tags are located.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_full " [FALSE]"
+Include file information in the XML\-encoded SWID tags.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_generator " [/usr/local/bin/swid_generator]"
+SWID generator command to be executed.
+
+.TP
+.BR libimcv.plugins.imc-swid.swid_pretty " [FALSE]"
+Generate XML\-encoded SWID tags with pretty indentation.
+
+.TP
+.BR libimcv.plugins.imc-test.additional_ids " [0]"
+Number of additional IMC IDs.
+
+.TP
+.BR libimcv.plugins.imc-test.command " [none]"
+Command to be sent to the Test IMV.
+
+.TP
+.BR libimcv.plugins.imc-test.dummy_size " [0]"
+Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+.TP
+.BR libimcv.plugins.imc-test.retry " [no]"
+Do a handshake retry.
+
+.TP
+.BR libimcv.plugins.imc-test.retry_command " []"
+Command to be sent to the Test IMV in the handshake retry.
+
+.TP
+.BR libimcv.plugins.imv-attestation.cadir " []"
+Path to directory with AIK cacerts.
+
+.TP
+.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
+Preferred Diffie\-Hellman group.
+
+.TP
+.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
+Preferred measurement hash algorithm.
+
+.TP
+.BR libimcv.plugins.imv-attestation.mandatory_dh_groups " [yes]"
+Enforce mandatory Diffie\-Hellman groups.
+
+.TP
+.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
+DH minimum nonce length.
+
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri " []"
+URI pointing to operating system remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-scanner.remediation_uri " []"
+URI pointing to scanner remediation instructions.
+
+.TP
+.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]"
+Timeout of SWID REST API HTTP POST transaction.
+ +.TP +.BR libimcv.plugins.imv-swid.rest_api_uri " []" +HTTP URI of the SWID REST API. + +.TP +.BR libimcv.plugins.imv-test.rounds " [0]" +Number of IMC\-IMV retry rounds. + +.TP .BR libimcv.stderr_quiet " [no]" Disable output to stderr with a stand\-alone .RI "" "libimcv" "" @@ -1670,3 +1748,7 @@ Plugins to load in starter. .BR starter.load_warning " [yes]" Disable charon plugin load option warning. +.TP +.BR swanctl.load " []" +Plugins to load in swanctl. + |