Diffstat (limited to 'conf/strongswan.conf.5.main')
-rw-r--r-- | conf/strongswan.conf.5.main | 582 |
1 files changed, 295 insertions, 287 deletions
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 282b8fa70..12fde4903 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -48,6 +48,37 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. Number of half\-open IKE_SAs that activate the cookie mechanism. .TP +.BR charon.crypto_test.bench " [no]" +Benchmark crypto algorithms and order them by efficiency. + +.TP +.BR charon.crypto_test.bench_size " [1024]" +Buffer size used for crypto benchmark. + +.TP +.BR charon.crypto_test.bench_time " [50]" +Number of iterations to test each algorithm. + +.TP +.BR charon.crypto_test.on_add " [no]" +Test crypto algorithms during registration (requires test vectors provided by +the +.RI "" "test\-vectors" "" +plugin). + +.TP +.BR charon.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation. + +.TP +.BR charon.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm. + +.TP +.BR charon.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy. + +.TP .BR charon.dh_exponent_ansi_x9_42 " [yes]" Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. 
@@ -69,6 +100,47 @@ Enable Denial of Service protection using cookies and aggressiveness checks. Compliance with the errata for RFC 4753. .TP +.B charon.filelog +.br +Section to define file loggers, see LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.B charon.filelog.<filename> +.br +<filename> is the full path to the log file. + +.TP +.BR charon.filelog.<filename>.<subsystem> " [<default>]" +Loglevel for a specific subsystem. + +.TP +.BR charon.filelog.<filename>.append " [yes]" +If this option is enabled log entries are appended to the existing file. + +.TP +.BR charon.filelog.<filename>.default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. + +.TP +.BR charon.filelog.<filename>.flush_line " [no]" +Enabling this option disables block buffering and enables line buffering. + +.TP +.BR charon.filelog.<filename>.ike_name " [no]" +Prefix each log entry with the connection name and a unique numerical identifier +for each IKE_SA. + +.TP +.BR charon.filelog.<filename>.time_format " []" +Prefix each log entry with a timestamp. The option accepts a format string as +passed to +.RB "" "strftime" "(3)." + + +.TP .BR charon.flush_auth_cfg " [no]" If enabled objects used during authentication (certificates, identities etc.) are released to free memory once an IKE_SA is established. Enabling this might @@ -92,6 +164,14 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). Enable hash and URL support. .TP +.BR charon.host_resolver.max_threads " [3]" +Maximum number of concurrent resolver threads (they are terminated if unused). + +.TP +.BR charon.host_resolver.min_threads " [0]" +Minimum number of resolver threads to keep around. + +.TP .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared keys, which is discouraged due to security concerns (offline attacks on the 
@@ -115,6 +195,34 @@ Number of exclusively locked segments in the hash table. Size of the IKE_SA hash table. .TP +.B charon.imcv +.br +Defaults for options in this section can be configured in the +.RI "" "libimcv" "" +section. + +.TP +.BR charon.imcv.assessment_result " [yes]" +Whether IMVs send a standard IETF Assessment Result attribute. + +.TP +.BR charon.imcv.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.imcv.os_info.name " []" +Manually set the name of the client OS (e.g. Ubuntu). + +.TP +.BR charon.imcv.os_info.version " []" +Manually set the version of the client OS (e.g. 12.04 i686). + +.TP +.BR charon.imcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies. + +.TP .BR charon.inactivity_close_ike " [no]" Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. @@ -167,6 +275,18 @@ other interfaces are ignored. NAT keep alive interval. .TP +.BR charon.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output. + +.TP +.BR charon.leak_detective.usage_threshold " [10240]" +Threshold in bytes for leaks to be reported (0 to report all). + +.TP +.BR charon.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all). + +.TP .BR charon.load " []" Plugins to load in the IKE daemon charon. 
@@ -198,225 +318,6 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP -.BR charon.port " [500]" -UDP port used locally. If set to 0 a random port will be allocated. - -.TP -.BR charon.port_nat_t " [4500]" -UDP port used locally in case of NAT\-T. If set to 0 a random port will be -allocated. Has to be different from -.RB "" "charon.port" "," -otherwise a random port -will be allocated. - -.TP -.BR charon.process_route " [yes]" -Process RTM_NEWROUTE and RTM_DELROUTE events. - -.TP -.BR charon.receive_delay " [0]" -Delay in ms for receiving packets, to simulate larger RTT. - -.TP -.BR charon.receive_delay_request " [yes]" -Delay request messages. - -.TP -.BR charon.receive_delay_response " [yes]" -Delay response messages. - -.TP -.BR charon.receive_delay_type " [0]" -Specific IKEv2 message type to delay, 0 for any. - -.TP -.BR charon.replay_window " [32]" -Size of the AH/ESP replay window, in packets. - -.TP -.BR charon.retransmit_base " [1.8]" -Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in -.RB "" "strongswan.conf" "(5)." - - -.TP -.BR charon.retransmit_timeout " [4.0]" -Timeout in seconds before sending first retransmit. - -.TP -.BR charon.retransmit_tries " [5]" -Number of times to retransmit a packet before giving up. - -.TP -.BR charon.retry_initiate_interval " [0]" -Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution -failed), 0 to disable retries. - -.TP -.BR charon.reuse_ikesa " [yes]" -Initiate CHILD_SA within existing IKE_SAs. - -.TP -.BR charon.routing_table " []" -Numerical routing table to install routes to. - -.TP -.BR charon.routing_table_prio " []" -Priority of the routing table. - -.TP -.BR charon.send_delay " [0]" -Delay in ms for sending packets, to simulate larger RTT. - -.TP -.BR charon.send_delay_request " [yes]" -Delay request messages. - -.TP -.BR charon.send_delay_response " [yes]" -Delay response messages. 
- -.TP -.BR charon.send_delay_type " [0]" -Specific IKEv2 message type to delay, 0 for any. - -.TP -.BR charon.send_vendor_id " [no]" -Send strongSwan vendor ID payload - -.TP -.BR charon.threads " [16]" -Number of worker threads in charon. Several of these are reserved for long -running tasks in internal modules and plugins. Therefore, make sure you don't -set this value too low. The number of idle worker threads listed in -.RI "" "ipsec statusall" "" -might be used as indicator on the number of reserved threads. - -.TP -.BR charon.user " []" -Name of the user the daemon changes to after startup. - -.TP -.BR charon.crypto_test.bench " [no]" -Benchmark crypto algorithms and order them by efficiency. - -.TP -.BR charon.crypto_test.bench_size " [1024]" -Buffer size used for crypto benchmark. - -.TP -.BR charon.crypto_test.bench_time " [50]" -Number of iterations to test each algorithm. - -.TP -.BR charon.crypto_test.on_add " [no]" -Test crypto algorithms during registration (requires test vectors provided by -the -.RI "" "test\-vectors" "" -plugin). - -.TP -.BR charon.crypto_test.on_create " [no]" -Test crypto algorithms on each crypto primitive instantiation. - -.TP -.BR charon.crypto_test.required " [no]" -Strictly require at least one test vector to enable an algorithm. - -.TP -.BR charon.crypto_test.rng_true " [no]" -Whether to test RNG with TRUE quality; requires a lot of entropy. - -.TP -.B charon.filelog -.br -Section to define file loggers, see LOGGER CONFIGURATION in -.RB "" "strongswan.conf" "(5)." - - -.TP -.B charon.filelog.<filename> -.br -<filename> is the full path to the log file. - -.TP -.BR charon.filelog.<filename>.<subsystem> " [<default>]" -Loglevel for a specific subsystem. - -.TP -.BR charon.filelog.<filename>.append " [yes]" -If this option is enabled log entries are appended to the existing file. 
- -.TP -.BR charon.filelog.<filename>.default " [1]" -Specifies the default loglevel to be used for subsystems for which no specific -loglevel is defined. - -.TP -.BR charon.filelog.<filename>.flush_line " [no]" -Enabling this option disables block buffering and enables line buffering. - -.TP -.BR charon.filelog.<filename>.ike_name " [no]" -Prefix each log entry with the connection name and a unique numerical identifier -for each IKE_SA. - -.TP -.BR charon.filelog.<filename>.time_format " []" -Prefix each log entry with a timestamp. The option accepts a format string as -passed to -.RB "" "strftime" "(3)." - - -.TP -.BR charon.host_resolver.max_threads " [3]" -Maximum number of concurrent resolver threads (they are terminated if unused). - -.TP -.BR charon.host_resolver.min_threads " [0]" -Minimum number of resolver threads to keep around. - -.TP -.B charon.imcv -.br -Defaults for options in this section can be configured in the -.RI "" "libimcv" "" -section. - -.TP -.BR charon.imcv.assessment_result " [yes]" -Whether IMVs send a standard IETF Assessment Result attribute. - -.TP -.BR charon.imcv.database " []" -Global IMV policy database URI. If it contains a password, make sure to adjust -the permissions of the config file accordingly. - -.TP -.BR charon.imcv.policy_script " [ipsec _imv_policy]" -Script called for each TNC connection to generate IMV policies. - -.TP -.BR charon.imcv.os_info.name " []" -Manually set the name of the client OS (e.g. Ubuntu). - -.TP -.BR charon.imcv.os_info.version " []" -Manually set the version of the client OS (e.g. 12.04 i686). - -.TP -.BR charon.leak_detective.detailed " [yes]" -Includes source file names and line numbers in leak detective output. - -.TP -.BR charon.leak_detective.usage_threshold " [10240]" -Threshold in bytes for leaks to be reported (0 to report all). - -.TP -.BR charon.leak_detective.usage_threshold_count " [0]" -Threshold in number of allocations for leaks to be reported (0 to report all). 
- -.TP .BR charon.plugins.android_log.loglevel " [1]" Loglevel for logging to Android specific logger. @@ -588,6 +489,10 @@ Request peer authentication based on a client certificate. Send RADIUS accounting information to RADIUS servers. .TP +.BR charon.plugins.eap-radius.accounting_close_on_timeout " [yes]" +Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. + +.TP .BR charon.plugins.eap-radius.accounting_requires_vip " [no]" If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. @@ -608,6 +513,23 @@ Closes all IKE_SAs if communication with the RADIUS server times out. If it is not set only the current IKE_SA is closed. .TP +.BR charon.plugins.eap-radius.dae.enable " [no]" +Enables support for the Dynamic Authorization Extension (RFC 5176). + +.TP +.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" +Address to listen for DAE messages from the RADIUS server. + +.TP +.BR charon.plugins.eap-radius.dae.port " [3799]" +Port to listen for DAE requests. + +.TP +.BR charon.plugins.eap-radius.dae.secret " []" +Shared secret used to verify/sign DAE messages. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP .BR charon.plugins.eap-radius.eap_start " [no]" Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation. 
@@ -627,6 +549,20 @@ option in .TP +.BR charon.plugins.eap-radius.forward.ike_to_radius " []" +RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name +or attribute number, a colon can be used to specify vendor\-specific attributes, +e.g. Reply\-Message, or 11, or 36906:12). + +.TP +.BR charon.plugins.eap-radius.forward.radius_to_ike " []" +Same as +.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" +but from RADIUS to +IKEv2, a strongSwan specific private notify (40969) is used to transmit the +attributes. + +.TP .BR charon.plugins.eap-radius.id_prefix " []" Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP method. 
@@ -649,41 +585,6 @@ permissions of the config file accordingly. IP/Hostname of RADIUS server. .TP -.BR charon.plugins.eap-radius.sockets " [1]" -Number of sockets (ports) to use, increase for high load. - -.TP -.BR charon.plugins.eap-radius.dae.enable " [no]" -Enables support for the Dynamic Authorization Extension (RFC 5176). - -.TP -.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" -Address to listen for DAE messages from the RADIUS server. - -.TP -.BR charon.plugins.eap-radius.dae.port " [3799]" -Port to listen for DAE requests. - -.TP -.BR charon.plugins.eap-radius.dae.secret " []" -Shared secret used to verify/sign DAE messages. If set, make sure to adjust the -permissions of the config file accordingly. - -.TP -.BR charon.plugins.eap-radius.forward.ike_to_radius " []" -RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name -or attribute number, a colon can be used to specify vendor\-specific attributes, -e.g. Reply\-Message, or 11, or 36906:12). - -.TP -.BR charon.plugins.eap-radius.forward.radius_to_ike " []" -Same as -.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" -but from RADIUS to -IKEv2, a strongSwan specific private notify (40969) is used to transmit the -attributes. - -.TP .B charon.plugins.eap-radius.servers .br Section to specify multiple RADIUS servers. The @@ -706,6 +607,10 @@ accounting. For each RADIUS server a priority can be specified using the [0] option. .TP +.BR charon.plugins.eap-radius.sockets " [1]" +Number of sockets (ports) to use, increase for high load. + +.TP .B charon.plugins.eap-radius.xauth .br Section to configure multiple XAuth authentication rounds via RADIUS. The @@ -842,6 +747,10 @@ AIK certificate file. AIK public key file. .TP +.BR charon.plugins.imc-attestation.mandatory_dh_groups " [yes]" +Enforce mandatory Diffie\-Hellman groups. + +.TP .BR charon.plugins.imc-attestation.nonce_len " [20]" DH nonce length. 
@@ -922,6 +831,10 @@ Preferred Diffie\-Hellman group. Preferred measurement hash algorithm. .TP +.BR charon.plugins.imv-attestation.mandatory_dh_groups " [yes]" +Enforce mandatory Diffie\-Hellman groups. + +.TP .BR charon.plugins.imv-attestation.min_nonce_len " [0]" DH minimum nonce length. @@ -992,6 +905,12 @@ Section to configure the load\-tester plugin, see LOAD TESTS in for details. .TP +.B charon.plugins.load-tester.addrs +.br +Section that contains key/value pairs with address pools (in CIDR notation) to +use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +.TP .BR charon.plugins.load-tester.addrs_keep " [no]" Whether to keep dynamic addresses even after the associated SA got terminated. @@ -1157,12 +1076,6 @@ IKE version to use (0 means use IKEv2 as initiator and accept any version as responder). .TP -.B charon.plugins.load-tester.addrs -.br -Section that contains key/value pairs with address pools (in CIDR notation) to -use for a specific network interface e.g. eth0 = 10.10.0.0/16. - -.TP .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" Socket provided by the lookip plugin. @@ -1195,6 +1108,11 @@ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). Whether to load certificates from tokens. .TP +.B charon.plugins.pkcs11.modules +.br +List of available PKCS#11 modules. + +.TP .BR charon.plugins.pkcs11.reload_certs " [no]" Reload certificates from all tokens if charon receives a SIGHUP. @@ -1223,11 +1141,6 @@ keys not stored on tokens. Whether the PKCS#11 modules should be used as RNG. .TP -.B charon.plugins.pkcs11.modules -.br -List of available PKCS#11 modules. - -.TP .BR charon.plugins.radattr.dir " []" Directory where RADIUS attributes are stored in client\-ID specific files. 
@@ -1378,14 +1291,6 @@ or .TP -.BR charon.plugins.tnc-pdp.server " []" -Name of the strongSwan PDP as contained in the AAA certificate. - -.TP -.BR charon.plugins.tnc-pdp.timeout " []" -Timeout in seconds before closing incomplete connections. - -.TP .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]" Enable PT\-TLS protocol on the strongSwan PDP. @@ -1411,6 +1316,14 @@ Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust the permissions of the config file accordingly. .TP +.BR charon.plugins.tnc-pdp.server " []" +Name of the strongSwan PDP as contained in the AAA certificate. + +.TP +.BR charon.plugins.tnc-pdp.timeout " []" +Timeout in seconds before closing incomplete connections. + +.TP .BR charon.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA\-TNC message (XML & Base64 encoding). @@ -1472,6 +1385,22 @@ If an email address is received as an XAuth username, trim it to just the username part. .TP +.BR charon.port " [500]" +UDP port used locally. If set to 0 a random port will be allocated. + +.TP +.BR charon.port_nat_t " [4500]" +UDP port used locally in case of NAT\-T. If set to 0 a random port will be +allocated. Has to be different from +.RB "" "charon.port" "," +otherwise a random port +will be allocated. + +.TP +.BR charon.process_route " [yes]" +Process RTM_NEWROUTE and RTM_DELROUTE events. + +.TP .B charon.processor.priority_threads .br Section to configure the number of reserved threads per priority class see JOB 
@@ -1480,6 +1409,77 @@ PRIORITY MANAGEMENT in .TP +.BR charon.receive_delay " [0]" +Delay in ms for receiving packets, to simulate larger RTT. + +.TP +.BR charon.receive_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.receive_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.receive_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.replay_window " [32]" +Size of the AH/ESP replay window, in packets. + +.TP +.BR charon.retransmit_base " [1.8]" +Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.retransmit_timeout " [4.0]" +Timeout in seconds before sending first retransmit. + +.TP +.BR charon.retransmit_tries " [5]" +Number of times to retransmit a packet before giving up. + +.TP +.BR charon.retry_initiate_interval " [0]" +Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution +failed), 0 to disable retries. + +.TP +.BR charon.reuse_ikesa " [yes]" +Initiate CHILD_SA within existing IKE_SAs. + +.TP +.BR charon.routing_table " []" +Numerical routing table to install routes to. + +.TP +.BR charon.routing_table_prio " []" +Priority of the routing table. + +.TP +.BR charon.send_delay " [0]" +Delay in ms for sending packets, to simulate larger RTT. + +.TP +.BR charon.send_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.send_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.send_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.send_vendor_id " [no]" +Send strongSwan vendor ID payload + +.TP .B charon.syslog .br Section to define syslog loggers, see LOGGER CONFIGURATION in 
@@ -1487,16 +1487,6 @@ Section to define syslog loggers, see LOGGER CONFIGURATION in .TP -.BR charon.syslog.identifier " []" -Global identifier used for an -.RB "" "openlog" "(3)" -call, prepended to each log message -by syslog. If not configured, -.RB "" "openlog" "(3)" -is not called, so the value will -depend on system defaults (often the program name). - -.TP .B charon.syslog.<facility> .br <facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION @@ -1519,6 +1509,24 @@ Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. .TP +.BR charon.syslog.identifier " []" +Global identifier used for an +.RB "" "openlog" "(3)" +call, prepended to each log message +by syslog. If not configured, +.RB "" "openlog" "(3)" +is not called, so the value will +depend on system defaults (often the program name). + +.TP +.BR charon.threads " [16]" +Number of worker threads in charon. Several of these are reserved for long +running tasks in internal modules and plugins. Therefore, make sure you don't +set this value too low. The number of idle worker threads listed in +.RI "" "ipsec statusall" "" +might be used as indicator on the number of reserved threads. + +.TP .BR charon.tls.cipher " []" List of TLS encryption ciphers. @@ -1539,6 +1547,10 @@ List of TLS cipher suites. TNC IMC/IMV configuration file. .TP +.BR charon.user " []" +Name of the user the daemon changes to after startup. + +.TP .BR charon.x509.enforce_critical " [yes]" Discard certificates with unsupported or unknown critical extensions. @@ -1623,10 +1635,6 @@ Number of thread for mediation service web application. Session timeout for mediation service. .TP -.BR openac.load " []" -Plugins to load in ipsec openac tool. - -.TP .BR pacman.database " []" Database URI for the database that stores the package information. If it contains a password, make sure to adjust the permissions of the config file |
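Review bot: in the first hunk (@@ -48,6 +48,37 @@), only charon.crypto_test.on_add mentions that the tests need vectors from the test-vectors plugin; charon.crypto_test.on_create and charon.crypto_test.required do not, and read together the entries imply that with required at its default of no an algorithm for which no vector exists is still enabled even when on_add or on_create is set. That interplay should be spelled out in the on_create and required descriptions, since an operator who turns on on_add expecting a self-test gate would otherwise miss that the gate only closes with required = yes.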
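Review bot: the 225-line removal in hunk @@ -198,225 +318,6 @@ is a pure move, and it is worth recording that in the commit message so the patch is not read as dropping options: all 48 entries deleted there (the seven charon.crypto_test.*, eight charon.filelog*, two charon.host_resolver.*, six charon.imcv*, three charon.leak_detective.* and the 22 entries from charon.port through charon.user) reappear unchanged at their alphabetical positions in the hunks at @@ -48, @@ -69, @@ -92, @@ -115, @@ -167, @@ -1472, @@ -1480, @@ -1519 and @@ -1539. With that move accounted for, the only substantive changes in the patch are the four added entries (accounting_close_on_timeout and the two mandatory_dh_groups) and the one removed entry (openac.load), which matches the 295/287 diffstat.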
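Review bot: in the hunk adding the charon.plugins.eap-radius.dae.* entries (@@ -608,6 +513,23 @@), dae.listen defaults to 0.0.0.0 while dae.secret defaults to empty, and the text does not say what the plugin does with a Disconnect or CoA request when no secret is configured. Because DAE lets the RADIUS side tear down or re-authorize IKE_SAs, the dae.secret description should state explicitly whether requests are rejected when the secret is unset, and the dae.listen entry should recommend binding to the address the RADIUS server actually sends from rather than all interfaces.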
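Review bot: the two new mandatory_dh_groups entries (imc-attestation in hunk @@ -842,6 +747,10 @@ and imv-attestation in hunk @@ -922,6 +831,10 @@) say only "Enforce mandatory Diffie-Hellman groups." and name neither the groups that are mandatory nor what happens when the peer does not offer one. Since the default is yes and this gates the attestation exchange, both descriptions should list the group set being enforced and state whether a peer proposing only other groups is refused, the same way the entries around them give concrete values for nonce_len and min_nonce_len.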
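Review bot: in hunk @@ -1480,6 +1409,77 @@ the charon.send_vendor_id description "Send strongSwan vendor ID payload" is the one entry in the moved block without a terminating period; it was already missing in the removed copy at @@ -198, so if this .5.main file is generated from the per-option conf sources the fix belongs in the source entry, not in the generated output.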
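Review bot: the removal of openac.load in the last hunk (@@ -1623,10 +1635,6 @@) is the only entry in the patch that disappears without reappearing elsewhere, so the commit should say whether the ipsec openac tool itself has been dropped; if the tool still reads openac.load from strongswan.conf, deleting only its man page entry leaves a live option undocumented.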