Diffstat (limited to 'conf/strongswan.conf.5.main')
 conf/strongswan.conf.5.main | 47
 1 file changed, 45 insertions, 2 deletions
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index b54f3e492..977403e91 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -51,7 +51,7 @@ Maximum number of half\-open IKE_SAs for a single peer IP. .TP .BR charon.cache_crls " [no]" -Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be +Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to .RB "" "/etc/ipsec.d/crls" "" @@ -406,6 +406,14 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP +.BR charon.plugin.ha.buflen " [2048]" +Buffer size for received HA messages. For IKEv1 the public DH factors are also +transmitted so depending on the DH group the HA messages can get quite big (the +default should be fine up to +.RI "" "modp4096" ")." + + +.TP .BR charon.plugins.addrblock.strict " [yes]" If set to yes, a subject certificate without an addrblock extension is rejected if the issuer certificate has such an addrblock extension. If set to no, subject @@ -973,7 +981,7 @@ If the maximum Netlink socket receive buffer in bytes set by .RI "" "receive_buffer_size" "" exceeds the system\-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. -Enabling this option requires special priviliges (CAP_NET_ADMIN). +Enabling this option requires special privileges (CAP_NET_ADMIN). .TP .BR charon.plugins.kernel-netlink.fwmark " []" 
@@ -1016,6 +1024,12 @@ based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. .TP +.BR charon.plugins.kernel-netlink.process_rules " [no]" +Whether to process changes in routing rules to trigger roam events. This is +currently only useful if the kernel based route lookup is used (i.e. if route +installation is disabled or an inverted fwmark match is configured). + +.TP .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]" Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default value @@ -1417,6 +1431,30 @@ Whether CRL validation should be enabled. Whether OCSP validation should be enabled. .TP +.BR charon.plugins.save-keys.esp " [no]" +Whether to save ESP keys. + +.TP +.BR charon.plugins.save-keys.ike " [no]" +Whether to save IKE keys. + +.TP +.BR charon.plugins.save-keys.load " [no]" +Whether to load the plugin. + +.TP +.BR charon.plugins.save-keys.wireshark_keys " []" +Directory where the keys are stored in the format supported by Wireshark. IKEv1 +keys are stored in the +.RI "" "ikev1_decryption_table" "" +file. IKEv2 keys are stored in +the +.RI "" "ikev2_decryption_table" "" +file. Keys for ESP CHILD_SAs are stored in the +.RI "" "esp_sa" "" +file. + +.TP .BR charon.plugins.socket-default.fwmark " []" Firewall mark to set on outbound packets. @@ -2121,6 +2159,11 @@ Manually set the path to the client device certificate (e.g. /etc/pts/aikCert.der) .TP +.BR libimcv.plugins.imc-os.device_handle " []" +Manually set handle to a private key bound to a smartcard or TPM (e.g. +0x81010004) + +.TP .BR libimcv.plugins.imc-os.device_id " []" Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) |
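Review bot: the key added in the second hunk is spelled `charon.plugin.ha.buflen`, while every other plugin option in this file, including the `charon.plugins.addrblock.strict` entry that directly follows it, uses the `charon.plugins.` prefix; if the daemon reads `charon.plugins.ha.buflen`, the man page documents a name that is never consulted, and fixing it also means moving the entry to its alphabetical place among the other `charon.plugins.` entries rather than ahead of `addrblock`. The same hunk leaves two blank lines before the next `.TP` where the rest of the file uses one. Since the text says the 2048 default is only known to be fine up to modp4096, it should also state what happens to an HA message that exceeds `buflen`, so administrators using larger DH groups know the value has to be raised.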
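Review bot: the `charon.plugins.kernel-netlink.process_rules` text in the fourth hunk refers to "kernel based route lookup", "route installation is disabled" and "an inverted fwmark match" without naming the options those conditions depend on; the neighbouring `charon.plugins.kernel-netlink.fwmark` entry is where the inverted match is configured, so referencing it (and the option that disables route installation) with `.RI` the way the rest of the file does would make clear when changing the `[no]` default has any effect.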
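Review bot: the `save-keys` entries in the fifth hunk never say that enabling `esp` or `ike` writes live IKE and ESP session keys in cleartext to the `wireshark_keys` directory, nor what the plugin does when `wireshark_keys` is left at its empty default. A sentence such as "Anyone with read access to this directory can decrypt the corresponding traffic; intended for debugging only" next to `charon.plugins.save-keys.load`, plus a note that the directory should be restricted to the daemon user and the files removed after capture, would stop readers from leaving `load = yes` on a production gateway. Keeping `load` at `[no]` by default is the right choice and worth stating explicitly.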
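Review bot: in the last hunk, `libimcv.plugins.imc-os.device_handle` says "smartcard or TPM" but the only example, `0x81010004`, fits a TPM 2.0 persistent object handle; the entry should say what identifier format is expected in the smartcard case or restrict the wording to TPM, and note how the handle relates to the client device certificate path documented in the preceding entry so the two are not configured inconsistently.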