Diffstat (limited to 'conf')
151 files changed, 6593 insertions, 0 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
new file mode 100644
index 000000000..61a0add4d
--- /dev/null
+++ b/conf/Makefile.am
@@ -0,0 +1,163 @@
+# make this relative to the location of strongswan.conf
+strongswanconfdir = `dirname $(strongswan_conf)`
+strongswanddir = $(strongswanconfdir)/strongswan.d
+charonconfdir = $(strongswanddir)/charon
+# copy these files also to /usr/share
+templatesdir = $(pkgdatadir)/templates/config
+optionstemplatedir = $(templatesdir)/strongswan.d
+pluginstemplatedir = $(templatesdir)/plugins
+
+options = \
+ options/attest.opt \
+ options/charon.opt \
+ options/charon-logging.opt \
+ options/imcv.opt \
+ options/manager.opt \
+ options/medsrv.opt \
+ options/pacman.opt \
+ options/pool.opt \
+ options/starter.opt \
+ options/tnc.opt \
+ options/tools.opt
+
+plugins = \
+ plugins/android_log.opt \
+ plugins/attr.opt \
+ plugins/attr-sql.opt \
+ plugins/certexpire.opt \
+ plugins/coupling.opt \
+ plugins/dhcp.opt \
+ plugins/dnscert.opt \
+ plugins/duplicheck.opt \
+ plugins/eap-aka.opt \
+ plugins/eap-aka-3ggp2.opt \
+ plugins/eap-dynamic.opt \
+ plugins/eap-gtc.opt \
+ plugins/eap-peap.opt \
+ plugins/eap-radius.opt \
+ plugins/eap-sim.opt \
+ plugins/eap-simaka-sql.opt \
+ plugins/eap-tls.opt \
+ plugins/eap-tnc.opt \
+ plugins/eap-ttls.opt \
+ plugins/error-notify.opt \
+ plugins/gcrypt.opt \
+ plugins/ha.opt \
+ plugins/imc-attestation.opt \
+ plugins/imc-os.opt \
+ plugins/imc-scanner.opt \
+ plugins/imc-swid.opt \
+ plugins/imc-test.opt \
+ plugins/imv-attestation.opt \
+ plugins/imv-os.opt \
+ plugins/imv-scanner.opt \
+ plugins/imv-test.opt \
+ plugins/ipseckey.opt \
+ plugins/led.opt \
+ plugins/kernel-klips.opt \
+ plugins/kernel-libipsec.opt \
+ plugins/kernel-netlink.opt \
+ plugins/kernel-pfroute.opt \
+ plugins/load-tester.opt \
+ plugins/lookip.opt \
+ plugins/ntru.opt \
+ plugins/openssl.opt \
+ plugins/pkcs11.opt \
+ plugins/radattr.opt \
+ plugins/random.opt \
+ plugins/resolve.opt \
+ plugins/socket-default.opt \
+ plugins/sql.opt \
+ plugins/stroke.opt \
+ plugins/systime-fix.opt \
+ plugins/tnc-ifmap.opt \
+ plugins/tnc-imc.opt \
+ plugins/tnc-imv.opt \
+ plugins/tnc-pdp.opt \
+ plugins/tnccs-11.opt \
+ plugins/tnccs-20.opt \
+ plugins/unbound.opt \
+ plugins/updown.opt \
+ plugins/whitelist.opt \
+ plugins/xauth-eap.opt \
+ plugins/xauth-pam.opt
+
+alloptions = $(options) $(plugins)
+
+confsnippets = $(alloptions:opt=conf)
+
+# we only install snippets for enabled plugins
+plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp)
+plugins_install_src = $(charon_plugins:%=plugins/%.conf)
+# only install snippets for enabled components
+# has to be defined via autoconf as we can't do it with automake conditionals
+options_install_src = $(strongswan_options:%=options/%.conf)
+
+templates_DATA = strongswan.conf
+optionstemplate_DATA = $(options_install_src)
+pluginstemplate_DATA = $(plugins_install_src)
+man_MANS = \
+ strongswan.conf.5
+
+BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets)
+EXTRA_DIST = format-options.py strongswan.conf default.opt \
+ default.conf strongswan.conf.5.main $(alloptions) $(confsnippets)
+
+CLEANFILES=$(man_MANS)
+
+.opt.conf:
+ $(AM_V_GEN) \
+ case "$<" in \
+ *plugins/*) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \
+ $(srcdir)/default.opt | cat - $< | \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \
+ ;; \
+ *) \
+ $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \
+ ;; \
+ esac
+
+# we need another implicit rule to generate files from the generic template only
+# if the rules above did not catch it. this requires an intermediate step that
+# generates a copy of the generic config template.
+$(plugins_install_tmp):
+ @mkdir -p $(builddir)/plugins
+ @cp $(srcdir)/default.conf $(builddir)/$@
+
+.tmp.conf:
+ $(AM_V_GEN) \
+ sed \
+ -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \
+ $(builddir)/$< > $(builddir)/$@
+
+strongswan.conf.5.main: $(alloptions)
+ $(AM_V_GEN) \
+ cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@
+
+strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail
+ $(AM_V_GEN) \
+ cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@
+
+clean-local:
+ rm -f plugins/*.conf plugins/*.tmp
+
+maintainer-clean-local:
+ cd $(srcdir) && \
+ rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp
+
+install-data-local: $(plugins_install_src)
+ test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)"
+ test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)"
+ test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)"
+ test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true
+ for f in $(options_install_src); do \
+ name=`basename $$f`; \
+ test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \
+ done
+ for f in $(plugins_install_src); do \
+ name=`basename $$f`; \
+ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \
+ test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \
+ done
diff --git a/conf/Makefile.in b/conf/Makefile.in
new file mode 100644
index 000000000..d92593219
--- /dev/null
+++ b/conf/Makefile.in
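Review bot: The four file-install commands at the end of `install-data-local` all end in `|| true`, so a failed `$(INSTALL)` (unwritable `$(DESTDIR)`, a `plugins/<name>.conf` that was never generated) leaves `make install` exiting 0 with default config snippets silently missing, and presumably charon then runs with whatever happens to be in `strongswan.d/`; the three directory-creation lines above are not masked this way, so the asymmetry reads as accidental rather than a deliberate best-effort. Drop the `|| true` on those four lines, or if install failures are meant to be tolerated say so in a comment, e.g. `# best-effort: never overwrite an admin-edited config, and tolerate read-only sysconfdir`. The `strongswan.conf` line is also the only one with unquoted paths — `$(DESTDIR)$(strongswanconfdir)/strongswan.conf` should be double-quoted like the surrounding lines, since `strongswanconfdir` is the output of a backtick `dirname`. Separately, `.opt.conf` redirects straight into `$(srcdir)/$@`, so if `format-options.py` fails the truncated snippet is left newer than its `.opt` and is shipped by the next `make install`; writing to `$@.tmp` and `mv`-ing on success (or adding `.DELETE_ON_ERROR:`) would avoid installing a partial default.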
@@ -0,0 +1,873 @@ +# Makefile.in generated by automake 1.13.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = 
$(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = conf +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(srcdir)/strongswan.conf.5.head.in \ + $(srcdir)/strongswan.conf.5.tail.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = strongswan.conf.5.head strongswan.conf.5.tail +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +LTCOMPILE = 
$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man5dir = $(mandir)/man5 +am__installdirs = "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(optionstemplatedir)" \ + "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)" +NROFF = nroff +MANS = $(man_MANS) +DATA = $(optionstemplate_DATA) $(pluginstemplate_DATA) \ + $(templates_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ 
+PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ 
+h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ 
+top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ + +# make this relative to the location of strongswan.conf +strongswanconfdir = `dirname $(strongswan_conf)` +strongswanddir = $(strongswanconfdir)/strongswan.d +charonconfdir = $(strongswanddir)/charon +# copy these files also to /usr/share +templatesdir = $(pkgdatadir)/templates/config +optionstemplatedir = $(templatesdir)/strongswan.d +pluginstemplatedir = $(templatesdir)/plugins +options = \ + options/attest.opt \ + options/charon.opt \ + options/charon-logging.opt \ + options/imcv.opt \ + options/manager.opt \ + options/medsrv.opt \ + options/pacman.opt \ + options/pool.opt \ + options/starter.opt \ + options/tnc.opt \ + options/tools.opt + +plugins = \ + plugins/android_log.opt \ + plugins/attr.opt \ + plugins/attr-sql.opt \ + plugins/certexpire.opt \ + plugins/coupling.opt \ + plugins/dhcp.opt \ + plugins/dnscert.opt \ + plugins/duplicheck.opt \ + plugins/eap-aka.opt \ + plugins/eap-aka-3ggp2.opt \ + plugins/eap-dynamic.opt \ + plugins/eap-gtc.opt \ + plugins/eap-peap.opt \ + plugins/eap-radius.opt \ + plugins/eap-sim.opt \ + plugins/eap-simaka-sql.opt \ + plugins/eap-tls.opt \ + plugins/eap-tnc.opt \ + plugins/eap-ttls.opt \ + plugins/error-notify.opt \ + plugins/gcrypt.opt \ + plugins/ha.opt \ + plugins/imc-attestation.opt \ + plugins/imc-os.opt \ + plugins/imc-scanner.opt \ + plugins/imc-swid.opt \ + plugins/imc-test.opt \ + plugins/imv-attestation.opt \ + plugins/imv-os.opt \ + plugins/imv-scanner.opt \ + plugins/imv-test.opt \ + plugins/ipseckey.opt \ + plugins/led.opt \ + plugins/kernel-klips.opt \ + plugins/kernel-libipsec.opt \ + plugins/kernel-netlink.opt \ + plugins/kernel-pfroute.opt \ + plugins/load-tester.opt \ + plugins/lookip.opt \ + plugins/ntru.opt \ + plugins/openssl.opt \ + plugins/pkcs11.opt \ + plugins/radattr.opt \ + plugins/random.opt \ + plugins/resolve.opt \ + plugins/socket-default.opt \ + plugins/sql.opt \ + 
plugins/stroke.opt \ + plugins/systime-fix.opt \ + plugins/tnc-ifmap.opt \ + plugins/tnc-imc.opt \ + plugins/tnc-imv.opt \ + plugins/tnc-pdp.opt \ + plugins/tnccs-11.opt \ + plugins/tnccs-20.opt \ + plugins/unbound.opt \ + plugins/updown.opt \ + plugins/whitelist.opt \ + plugins/xauth-eap.opt \ + plugins/xauth-pam.opt + +alloptions = $(options) $(plugins) +confsnippets = $(alloptions:opt=conf) + +# we only install snippets for enabled plugins +plugins_install_tmp = $(charon_plugins:%=plugins/%.tmp) +plugins_install_src = $(charon_plugins:%=plugins/%.conf) +# only install snippets for enabled components +# has to be defined via autoconf as we can't do it with automake conditionals +options_install_src = $(strongswan_options:%=options/%.conf) +templates_DATA = strongswan.conf +optionstemplate_DATA = $(options_install_src) +pluginstemplate_DATA = $(plugins_install_src) +man_MANS = \ + strongswan.conf.5 + +BUILT_SOURCES = default.conf strongswan.conf.5.main $(confsnippets) +EXTRA_DIST = format-options.py strongswan.conf default.opt \ + default.conf strongswan.conf.5.main $(alloptions) $(confsnippets) + +CLEANFILES = $(man_MANS) +all: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) all-am + +.SUFFIXES: +.SUFFIXES: .conf .opt .tmp +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu conf/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu conf/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +strongswan.conf.5.head: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.head.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ +strongswan.conf.5.tail: $(top_builddir)/config.status $(srcdir)/strongswan.conf.5.tail.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + 
for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-optionstemplateDATA: $(optionstemplate_DATA) + @$(NORMAL_INSTALL) + @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(optionstemplatedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(optionstemplatedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(optionstemplatedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(optionstemplatedir)" || exit $$?; \ + done + +uninstall-optionstemplateDATA: + @$(NORMAL_UNINSTALL) + @list='$(optionstemplate_DATA)'; test -n "$(optionstemplatedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(optionstemplatedir)'; $(am__uninstall_files_from_dir) +install-pluginstemplateDATA: $(pluginstemplate_DATA) + @$(NORMAL_INSTALL) + @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pluginstemplatedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pluginstemplatedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read 
files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pluginstemplatedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pluginstemplatedir)" || exit $$?; \ + done + +uninstall-pluginstemplateDATA: + @$(NORMAL_UNINSTALL) + @list='$(pluginstemplate_DATA)'; test -n "$(pluginstemplatedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pluginstemplatedir)'; $(am__uninstall_files_from_dir) +install-templatesDATA: $(templates_DATA) + @$(NORMAL_INSTALL) + @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(templatesdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(templatesdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(templatesdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(templatesdir)" || exit $$?; \ + done + +uninstall-templatesDATA: + @$(NORMAL_UNINSTALL) + @list='$(templates_DATA)'; test -n "$(templatesdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(templatesdir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d 
"$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am +all-am: Makefile $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(optionstemplatedir)" "$(DESTDIR)$(pluginstemplatedir)" "$(DESTDIR)$(templatesdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) +clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-data-local install-man \ + install-optionstemplateDATA install-pluginstemplateDATA \ + install-templatesDATA + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man5 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic \ + maintainer-clean-local + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-optionstemplateDATA \ + uninstall-pluginstemplateDATA uninstall-templatesDATA + +uninstall-man: uninstall-man5 + +.MAKE: all check install install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + clean-local cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-data-local install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man5 \ + install-optionstemplateDATA install-pdf install-pdf-am \ + install-pluginstemplateDATA install-ps install-ps-am \ + install-strip install-templatesDATA installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic maintainer-clean-local mostlyclean \ + mostlyclean-generic 
mostlyclean-libtool pdf pdf-am ps ps-am \ + tags-am uninstall uninstall-am uninstall-man uninstall-man5 \ + uninstall-optionstemplateDATA uninstall-pluginstemplateDATA \ + uninstall-templatesDATA + + +.opt.conf: + $(AM_V_GEN) \ + case "$<" in \ + *plugins/*) \ + sed \ + -e "s:\@PLUGIN_NAME\@:`basename $< .opt`:" \ + $(srcdir)/default.opt | cat - $< | \ + $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins > $(srcdir)/$@ \ + ;; \ + *) \ + $(PYTHON) $(srcdir)/format-options.py -f conf -r charon.plugins $< > $(srcdir)/$@ \ + ;; \ + esac + +# we need another implicit rule to generate files from the generic template only +# if the rules above did not catch it. this requires an intermediate step that +# generates a copy of the generic config template. +$(plugins_install_tmp): + @mkdir -p $(builddir)/plugins + @cp $(srcdir)/default.conf $(builddir)/$@ + +.tmp.conf: + $(AM_V_GEN) \ + sed \ + -e "s:\@PLUGIN_NAME\@:`basename $< .tmp`:" \ + $(builddir)/$< > $(builddir)/$@ + +strongswan.conf.5.main: $(alloptions) + $(AM_V_GEN) \ + cd $(srcdir) && $(PYTHON) format-options.py -f man $(alloptions) > $@ + +strongswan.conf.5: strongswan.conf.5.head strongswan.conf.5.main strongswan.conf.5.tail + $(AM_V_GEN) \ + cat strongswan.conf.5.head $(srcdir)/strongswan.conf.5.main strongswan.conf.5.tail > $@ + +clean-local: + rm -f plugins/*.conf plugins/*.tmp + +maintainer-clean-local: + cd $(srcdir) && \ + rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp + +install-data-local: $(plugins_install_src) + test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" + test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" + test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" + test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true + for f in $(options_install_src); do \ + 
name=`basename $$f`; \ + test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \ + done + for f in $(plugins_install_src); do \ + name=`basename $$f`; \ + if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \ + test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \ + done + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/conf/default.conf b/conf/default.conf new file mode 100644 index 000000000..41d2e1f85 --- /dev/null +++ b/conf/default.conf @@ -0,0 +1,8 @@ +@PLUGIN_NAME@ { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/default.opt b/conf/default.opt new file mode 100644 index 000000000..8c833642d --- /dev/null +++ b/conf/default.opt @@ -0,0 +1,3 @@ +charon.plugins.@PLUGIN_NAME@.load := yes + Whether to load the plugin. Can also be an integer to increase the priority + of this plugin. diff --git a/conf/format-options.py b/conf/format-options.py new file mode 100755 index 000000000..04afed6d6 --- /dev/null +++ b/conf/format-options.py 
@@ -0,0 +1,337 @@ +#!/usr/bin/env python +# +# Copyright (C) 2014 Tobias Brunner +# Hochschule fuer Technik Rapperswil +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +""" +Parses strongswan.conf option descriptions and produces configuration file +and man page snippets. + +The format for description files is as follows: + +full.option.name [[:]= default] + Short description intended as comment in config snippet + + Long description for use in the man page, with + simple formatting: _italic_, **bold** + + Second paragraph of the long description + +The descriptions must be indented by tabs or spaces but are both optional. +If only a short description is given it is used for both intended usages. +Line breaks within a paragraph of the long description or the short description +are not preserved. But multiple paragraphs will be separated in the man page. +Any formatting in the short description is removed when producing config +snippets. + +Options for which a value is assigned with := are not commented out in the +produced configuration file snippet. This allows to override a default value, +that e.g. has to be preserved for legacy reasons, in the generated default +config. 
+ +To describe sections the following format can be used: + +full.section.name {[#]} + Short description of this section + + Long description as above + +If a # is added between the curly braces the section header will be commented +out in the configuration file snippet, which is useful for example sections. +""" + +import sys +import re +from textwrap import TextWrapper +from optparse import OptionParser + +class ConfigOption: + """Representing a configuration option or described section in strongswan.conf""" + def __init__(self, name, default = None, section = False, commented = False): + self.name = name.split('.')[-1] + self.fullname = name + self.default = default + self.section = section + self.commented = commented + self.desc = [] + self.options = [] + + def __cmp__(self, other): + if self.section == other.section: + return cmp(self.name, other.name) + return 1 if self.section else -1 + + def add_paragraph(self): + """Adds a new paragraph to the description""" + if len(self.desc) and len(self.desc[-1]): + self.desc.append("") + + def add(self, line): + """Adds a line to the last paragraph""" + if not len(self.desc): + self.desc.append(line) + elif not len(self.desc[-1]): + self.desc[-1] = line + else: + self.desc[-1] += ' ' + line + + def adopt(self, other): + """Adopts settings from other, which should be more recently parsed""" + self.default = other.default + self.commented = other.commented + self.desc = other.desc + +class Parser: + """Parses one or more files of configuration options""" + def __init__(self): + self.options = [] + + def parse(self, file): + """Parses the given file and adds all options to the internal store""" + self.__current = None + for line in file: + self.__parse_line(line) + if self.__current: + self.__add_option(self.__current) + + def __parse_line(self, line): + """Parses a single line""" + if re.match(r'^\s*#', line): + return + # option definition + m = re.match(r'^(?P<name>\S+)\s*((?P<assign>:)?=\s*(?P<default>.+)?)?\s*$', 
line) + if m: + if self.__current: + self.__add_option(self.__current) + self.__current = ConfigOption(m.group('name'), m.group('default'), + commented = not m.group('assign')) + return + # section definition + m = re.match(r'^(?P<name>\S+)\s*\{\s*(?P<comment>#)?\s*\}\s*$', line) + if m: + if self.__current: + self.__add_option(self.__current) + self.__current = ConfigOption(m.group('name'), section = True, + commented = m.group('comment')) + return + # paragraph separator + m = re.match(r'^\s*$', line) + if m and self.__current: + self.__current.add_paragraph() + # description line + m = re.match(r'^\s+(?P<text>.+?)\s*$', line) + if m and self.__current: + self.__current.add(m.group('text')) + + def __add_option(self, option): + """Adds the given option to the abstract storage""" + option.desc = [desc for desc in option.desc if len(desc)] + parts = option.fullname.split('.') + parent = self.__get_option(parts[:-1], True) + if not parent: + parent = self + found = next((x for x in parent.options if x.name == option.name + and x.section == option.section), None) + if found: + found.adopt(option) + else: + parent.options.append(option) + parent.options.sort() + + def __get_option(self, parts, create = False): + """Searches/Creates the option (section) based on a list of section names""" + option = None + options = self.options + fullname = "" + for name in parts: + fullname += '.' 
+ name if len(fullname) else name + option = next((x for x in options if x.name == name and x.section), None) + if not option: + if not create: + break + option = ConfigOption(fullname, section = True) + options.append(option) + options.sort() + options = option.options + return option + + def get_option(self, name): + """Retrieves the option with the given name""" + return self.__get_option(name.split('.')) + +class TagReplacer: + """Replaces formatting tags in text""" + def __init__(self): + self.__matcher_b = self.__create_matcher('**') + self.__matcher_i = self.__create_matcher('_') + self.__replacer = None + + def __create_matcher(self, tag): + tag = re.escape(tag) + return re.compile(r''' + (^|\s|(?P<brack>[(\[])) # prefix with optional opening bracket + (?P<tag>''' + tag + r''') # start tag + (?P<text>\w|\S.*?\S) # text + ''' + tag + r''' # end tag + (?P<punct>([.,!:)\]]|\(\d+\))*) # punctuation + (?=$|\s) # suffix (don't consume it so that subsequent tags can match) + ''', flags = re.DOTALL | re.VERBOSE) + + def _create_replacer(self): + def replacer(m): + punct = m.group('punct') + if not punct: + punct = '' + return '{0}{1}{2}'.format(m.group(1), m.group('text'), punct) + return replacer + + def replace(self, text): + if not self.__replacer: + self.__replacer = self._create_replacer() + text = re.sub(self.__matcher_b, self.__replacer, text) + return re.sub(self.__matcher_i, self.__replacer, text) + +class GroffTagReplacer(TagReplacer): + def _create_replacer(self): + def replacer(m): + nl = '\n' if m.group(1) else '' + format = 'I' if m.group('tag') == '_' else 'B' + brack = m.group('brack') + if not brack: + brack = '' + punct = m.group('punct') + if not punct: + punct = '' + text = re.sub(r'[\r\n\t]', ' ', m.group('text')) + return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct) + return replacer + +class ConfFormatter: + """Formats options to a strongswan.conf snippet""" + def __init__(self): + self.__indent = ' ' + self.__wrapper 
= TextWrapper(width = 80, replace_whitespace = True, + break_long_words = False, break_on_hyphens = False) + self.__tags = TagReplacer() + + def __print_description(self, opt, indent): + if len(opt.desc): + self.__wrapper.initial_indent = '{0}# '.format(self.__indent * indent) + self.__wrapper.subsequent_indent = self.__wrapper.initial_indent + print format(self.__wrapper.fill(self.__tags.replace(opt.desc[0]))) + + def __print_option(self, opt, indent, commented): + """Print a single option with description and default value""" + comment = "# " if commented or opt.commented else "" + self.__print_description(opt, indent) + if opt.default: + print '{0}{1}{2} = {3}'.format(self.__indent * indent, comment, opt.name, opt.default) + else: + print '{0}{1}{2} ='.format(self.__indent * indent, comment, opt.name) + print + + def __print_section(self, section, indent, commented): + """Print a section with all options""" + comment = "# " if commented or section.commented else "" + self.__print_description(section, indent) + print '{0}{1}{2} {{'.format(self.__indent * indent, comment, section.name) + print + for o in section.options: + if o.section: + self.__print_section(o, indent + 1, section.commented) + else: + self.__print_option(o, indent + 1, section.commented) + print '{0}{1}}}'.format(self.__indent * indent, comment) + print + + def format(self, options): + """Print a list of options""" + if not options: + return + for option in options: + if option.section: + self.__print_section(option, 0, False) + else: + self.__print_option(option, 0, False) + +class ManFormatter: + """Formats a list of options into a groff snippet""" + def __init__(self): + self.__wrapper = TextWrapper(width = 80, replace_whitespace = False, + break_long_words = False, break_on_hyphens = False) + self.__tags = GroffTagReplacer() + + def __groffize(self, text): + """Encode text as groff text""" + text = self.__tags.replace(text) + text = re.sub(r'(?<!\\)-', r'\\-', text) + # remove any leading 
whitespace + return re.sub(r'^\s+', '', text, flags = re.MULTILINE) + + def __format_option(self, option): + """Print a single option""" + if option.section and not len(option.desc): + return + if option.section: + print '.TP\n.B {0}\n.br'.format(option.fullname) + else: + print '.TP' + default = option.default if option.default else '' + print '.BR {0} " [{1}]"'.format(option.fullname, default) + for para in option.desc if len(option.desc) < 2 else option.desc[1:]: + print self.__groffize(self.__wrapper.fill(para)) + print '' + + def format(self, options): + """Print a list of options""" + if not options: + return + for option in options: + if option.section: + self.__format_option(option) + self.format(option.options) + else: + self.__format_option(option) + +options = OptionParser(usage = "Usage: %prog [options] file1 file2\n\n" + "If no filenames are provided the input is read from stdin.") +options.add_option("-f", "--format", dest="format", type="choice", choices=["conf", "man"], + help="output format: conf, man [default: %default]", default="conf") +options.add_option("-r", "--root", dest="root", metavar="NAME", + help="root section of which options are printed, " + "if not found everything is printed") +(opts, args) = options.parse_args() + +parser = Parser() +if len(args): + for filename in args: + try: + with open(filename, 'r') as file: + parser.parse(file) + except IOError as e: + sys.stderr.write("Unable to open '{0}': {1}\n".format(filename, e.strerror)) +else: + parser.parse(sys.stdin) + +options = parser.options +if (opts.root): + root = parser.get_option(opts.root) + if root: + options = root.options + +if opts.format == "conf": + formatter = ConfFormatter() +elif opts.format == "man": + formatter = ManFormatter() + +formatter.format(options) diff --git a/conf/options/attest.conf b/conf/options/attest.conf new file mode 100644 index 000000000..1f7f57cb4 --- /dev/null +++ b/conf/options/attest.conf 
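Review bot: An input file that cannot be opened is reported on stderr in the `except IOError as e:` branch of the main script, but the script then continues and exits 0, so the Makefile rules that redirect its stdout into the generated snippet or `strongswan.conf.5.main` would produce an incomplete file that afterwards looks up to date. Add `sys.exit(1)` after the `sys.stderr.write(...)` call (or remember the failure and exit non-zero once all files have been processed) so a missing or unreadable .opt file fails the build instead of silently dropping options from the documentation and default config. Separately, the script is Python 2 only (`print` statements, `__cmp__`/`cmp`, `%default` optparse) while the shebang is the generic `#!/usr/bin/env python`; a comment next to the shebang saying that `$(PYTHON)` must be a Python 2 interpreter would save the next person a confusing syntax error.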
@@ -0,0 +1,11 @@ +attest { + + # File measurement information database URI. If it contains a password, make + # sure to adjust the permissions of the config file accordingly. + # database = + + # Plugins to load in ipsec attest tool. + # load = + +} + diff --git a/conf/options/attest.opt b/conf/options/attest.opt new file mode 100644 index 000000000..20b14f42d --- /dev/null +++ b/conf/options/attest.opt @@ -0,0 +1,6 @@ +attest.database = + File measurement information database URI. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + +attest.load = + Plugins to load in ipsec attest tool. diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf new file mode 100644 index 000000000..c91421dea --- /dev/null +++ b/conf/options/charon-logging.conf 
@@ -0,0 +1,62 @@ +charon { + + # Section to define file loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + filelog { + + # <filename> is the full path to the log file. + # <filename> { + + # Loglevel for a specific subsystem. + # <subsystem> = <default> + + # If this option is enabled log entries are appended to the existing + # file. + # append = yes + + # Default loglevel. + # default = 1 + + # Enabling this option disables block buffering and enables line + # buffering. + # flush_line = no + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # Prefix each log entry with a timestamp. The option accepts a + # format string as passed to strftime(3). + # time_format = + + # } + + } + + # Section to define syslog loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + syslog { + + # Identifier for use with openlog(3). + # identifier = + + # <facility> is one of the supported syslog facilities, see LOGGER + # CONFIGURATION in strongswan.conf(5). + # <facility> { + + # Loglevel for a specific subsystem. + # <subsystem> = <default> + + # Default loglevel. + # default = 1 + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # } + + } + +} + diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt new file mode 100644 index 000000000..b437a9cc3 --- /dev/null +++ b/conf/options/charon-logging.opt 
@@ -0,0 +1,57 @@ +charon.filelog {} + Section to define file loggers, see LOGGER CONFIGURATION in + **strongswan.conf**(5). + +charon.filelog.<filename> { # } + <filename> is the full path to the log file. + +charon.filelog.<filename>.default = 1 + Default loglevel. + + Specifies the default loglevel to be used for subsystems for which no + specific loglevel is defined. + +charon.filelog.<filename>.<subsystem> = <default> + Loglevel for a specific subsystem. + +charon.filelog.<filename>.append = yes + If this option is enabled log entries are appended to the existing file. + +charon.filelog.<filename>.flush_line = no + Enabling this option disables block buffering and enables line buffering. + +charon.filelog.<filename>.ike_name = no + Prefix each log entry with the connection name and a unique numerical + identifier for each IKE_SA. + +charon.filelog.<filename>.time_format + Prefix each log entry with a timestamp. The option accepts a format string + as passed to **strftime**(3). + +charon.syslog {} + Section to define syslog loggers, see LOGGER CONFIGURATION in + **strongswan.conf**(5). + +charon.syslog.identifier + Identifier for use with openlog(3). + + Global identifier used for an **openlog**(3) call, prepended to each log + message by syslog. If not configured, **openlog**(3) is not called, so the + value will depend on system defaults (often the program name). + +charon.syslog.<facility> { # } + <facility> is one of the supported syslog facilities, see LOGGER + CONFIGURATION in **strongswan.conf**(5). + +charon.syslog.<facility>.default = 1 + Default loglevel. + + Specifies the default loglevel to be used for subsystems for which no + specific loglevel is defined. + +charon.syslog.<facility>.<subsystem> = <default> + Loglevel for a specific subsystem. + +charon.syslog.<facility>.ike_name = no + Prefix each log entry with the connection name and a unique numerical + identifier for each IKE_SA. 
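Review bot: The `default = 1` and `<subsystem> = <default>` entries for both `charon.filelog.<filename>` and `charon.syslog.<facility>` describe the value only as a "loglevel" and never state which values are accepted or what level 1 covers, so neither the generated snippet nor the man page tells an operator which direction to turn the knob. A long-description paragraph on `charon.filelog.<filename>.default` (and its syslog twin) naming the accepted range and pointing to LOGGER CONFIGURATION in **strongswan.conf**(5) would make the man page self-contained; if the highest levels write material that should not end up in a world-readable log file, that warning belongs in the same paragraph. The `time_format` entry would also benefit from saying what is logged when it is left unset.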
diff --git a/conf/options/charon.conf b/conf/options/charon.conf new file mode 100644 index 000000000..5cab2b1c4 --- /dev/null +++ b/conf/options/charon.conf 
@@ -0,0 +1,281 @@ +# Options for the charon IKE daemon. +charon { + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Maximum size (in bytes) of a sent fragment when using the proprietary + # IKEv1 fragmentation extension. + # fragment_size = 512 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. 
+ # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + # install_routes = yes + + # Install virtual IP addresses. + # install_virtual_ip = yes + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. 
Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS + # resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs. + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Number of iterations to test each algorithm. 
+ # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/conf/options/charon.opt b/conf/options/charon.opt new file mode 100644 index 000000000..c6f4f1e9e --- /dev/null +++ b/conf/options/charon.opt 
@@ -0,0 +1,284 @@ +charon {} + Options for the charon IKE daemon. + + Options for the charon IKE daemon. + + **Note**: Many of the options in this section also apply to **charon-cmd** + and other **charon** derivatives. Just use their respective name (e.g. + **charon-cmd** instead of **charon**). For many options defaults can be + defined in the **libstrongswan** section. + +charon.block_threshold = 5 + Maximum number of half-open IKE_SAs for a single peer IP. + +charon.cert_cache = yes + Whether relations in validated certificate chains should be cached in + memory. + +charon.cisco_unity = no + Send Cisco Unity vendor ID payload (IKEv1 only). + +charon.close_ike_on_child_failure = no + Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + +charon.cookie_threshold = 10 + Number of half-open IKE_SAs that activate the cookie mechanism. + +charon.crypto_test.bench = no + Benchmark crypto algorithms and order them by efficiency. + +charon.crypto_test.bench_size = 1024 + Buffer size used for crypto benchmark. + +charon.crypto_test.bench_time = 50 + Number of iterations to test each algorithm. + +charon.crypto_test.on_add = no + Test crypto algorithms during registration (requires test vectors provided + by the _test-vectors_ plugin). + +charon.crypto_test.on_create = no + Test crypto algorithms on each crypto primitive instantiation. + +charon.crypto_test.required = no + Strictly require at least one test vector to enable an algorithm. + +charon.crypto_test.rng_true = no + Whether to test RNG with TRUE quality; requires a lot of entropy. + +charon.dh_exponent_ansi_x9_42 = yes + Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + strength. + +charon.dns1 + DNS server assigned to peer via configuration payload (CP). + +charon.dns2 + DNS server assigned to peer via configuration payload (CP). + +charon.dos_protection = yes + Enable Denial of Service protection using cookies and aggressiveness checks. 
+ +charon.ecp_x_coordinate_only = yes + Compliance with the errata for RFC 4753. + +charon.flush_auth_cfg = no + Free objects during authentication (might conflict with plugins). + + If enabled objects used during authentication (certificates, identities + etc.) are released to free memory once an IKE_SA is established. Enabling + this might conflict with plugins that later need access to e.g. the used + certificates. + +charon.fragment_size = 512 + Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 + fragmentation extension. + +charon.group + Name of the group the daemon changes to after startup. + +charon.half_open_timeout = 30 + Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + +charon.hash_and_url = no + Enable hash and URL support. + +charon.host_resolver.max_threads = 3 + Maximum number of concurrent resolver threads (they are terminated if + unused). + +charon.host_resolver.min_threads = 0 + Minimum number of resolver threads to keep around. + +charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no + Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + + If enabled responders are allowed to use IKEv1 Aggressive Mode with + pre-shared keys, which is discouraged due to security concerns (offline + attacks on the openly transmitted hash of the PSK). + +charon.ignore_routing_tables + A space-separated list of routing tables to be excluded from route lookups. + +charon.ikesa_limit = 0 + Maximum number of IKE_SAs that can be established at the same time before + new connection attempts are blocked. + +charon.ikesa_table_segments = 1 + Number of exclusively locked segments in the hash table. + +charon.ikesa_table_size = 1 + Size of the IKE_SA hash table. + +charon.inactivity_close_ike = no + Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. 
+ +charon.init_limit_half_open = 0 + Limit new connections based on the current number of half open IKE_SAs, see + IKE_SA_INIT DROPPING in **strongswan.conf**(5). + +charon.init_limit_job_load = 0 + Limit new connections based on the number of queued jobs. + + Limit new connections based on the number of jobs currently queued for + processing (see IKE_SA_INIT DROPPING). + +charon.initiator_only = no + Causes charon daemon to ignore IKE initiation requests. + +charon.install_routes = yes + Install routes into a separate routing table for established IPsec tunnels. + +charon.install_virtual_ip = yes + Install virtual IP addresses. + +charon.install_virtual_ip_on + The name of the interface on which virtual IP addresses should be installed. + + The name of the interface on which virtual IP addresses should be installed. + If not specified the addresses will be installed on the outbound interface. + +charon.integrity_test = no + Check daemon, libstrongswan and plugin integrity at startup. + +charon.interfaces_ignore + A comma-separated list of network interfaces that should be ignored, if + **interfaces_use** is specified this option has no effect. + +charon.interfaces_use + A comma-separated list of network interfaces that should be used by charon. + All other interfaces are ignored. + +charon.keep_alive = 20s + NAT keep alive interval. + +charon.leak_detective.detailed = yes + Includes source file names and line numbers in leak detective output. + +charon.leak_detective.usage_threshold = 10240 + Threshold in bytes for leaks to be reported (0 to report all). + +charon.leak_detective.usage_threshold_count = 0 + Threshold in number of allocations for leaks to be reported (0 to report + all). + +charon.load + Plugins to load in the IKE daemon charon. + +charon.load_modular = no + Determine plugins to load via each plugin's load option. + + If enabled, the list of plugins to load is determined via the value of the + _charon.plugins.<name>.load_ options. 
In addition to a simple boolean flag + that option may take an integer value indicating the priority of a plugin, + which would influence the order of a plugin in the plugin list (the default + is 1). If two plugins have the same priority their order in the default + plugin list is preserved. Enabled plugins not found in that list are ordered + alphabetically before other plugins with the same priority. + +charon.max_packet = 10000 + Maximum packet size accepted by charon. + +charon.multiple_authentication = yes + Enable multiple authentication exchanges (RFC 4739). + +charon.nbns1 + WINS servers assigned to peer via configuration payload (CP). + +charon.nbns2 + WINS servers assigned to peer via configuration payload (CP). + +charon.port = 500 + UDP port used locally. If set to 0 a random port will be allocated. + +charon.port_nat_t = 4500 + UDP port used locally in case of NAT-T. If set to 0 a random port will be + allocated. Has to be different from **charon.port**, otherwise a random + port will be allocated. + +charon.process_route = yes + Process RTM_NEWROUTE and RTM_DELROUTE events. + +charon.processor.priority_threads {} + Section to configure the number of reserved threads per priority class + see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5). + +charon.receive_delay = 0 + Delay in ms for receiving packets, to simulate larger RTT. + +charon.receive_delay_response = yes + Delay response messages. + +charon.receive_delay_request = yes + Delay request messages. + +charon.receive_delay_type = 0 + Specific IKEv2 message type to delay, 0 for any. + +charon.replay_window = 32 + Size of the AH/ESP replay window, in packets. + +charon.retransmit_base = 1.8 + Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + in **strongswan.conf**(5). + +charon.retransmit_timeout = 4.0 + Timeout in seconds before sending first retransmit. + +charon.retransmit_tries = 5 + Number of times to retransmit a packet before giving up. 
+ +charon.retry_initiate_interval = 0 + Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution + failed), 0 to disable retries. + +charon.reuse_ikesa = yes + Initiate CHILD_SA within existing IKE_SAs. + +charon.routing_table + Numerical routing table to install routes to. + +charon.routing_table_prio + Priority of the routing table. + +charon.send_delay = 0 + Delay in ms for sending packets, to simulate larger RTT. + +charon.send_delay_response = yes + Delay response messages. + +charon.send_delay_request = yes + Delay request messages. + +charon.send_delay_type = 0 + Specific IKEv2 message type to delay, 0 for any. + +charon.send_vendor_id = no + Send strongSwan vendor ID payload + +charon.threads = 16 + Number of worker threads in charon. + + Number of worker threads in charon. Several of these are reserved for long + running tasks in internal modules and plugins. Therefore, make sure you + don't set this value too low. The number of idle worker threads listed in + _ipsec statusall_ might be used as indicator on the number of reserved + threads. + +charon.tls.cipher + List of TLS encryption ciphers. + +charon.tls.key_exchange + List of TLS key exchange methods. + +charon.tls.mac + List of TLS MAC algorithms. + +charon.tls.suites + List of TLS cipher suites. + +charon.user + Name of the user the daemon changes to after startup. + +charon.x509.enforce_critical = yes + Discard certificates with unsupported or unknown critical extensions. diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf new file mode 100644 index 000000000..92016ef52 --- /dev/null +++ b/conf/options/imcv.conf 
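Review bot: `charon.ecp_x_coordinate_only = yes` is documented only as "Compliance with the errata for RFC 4753", which names a reference but does not say what each value selects or why an operator would change it; since the errata concerns how the ECP Diffie-Hellman shared secret is formed, the description should say which form `yes` and `no` produce and that both peers have to agree for the exchange to succeed (confirm the exact behaviour against the code before wording it). `charon.send_vendor_id = no` is also missing the trailing period every other short description carries, so the comment emitted into the generated `charon.conf` ends without punctuation: `Send strongSwan vendor ID payload.`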
@@ -0,0 +1,43 @@ +charon { + + # Defaults for options in this section can be configured in the libimcv + # section. + imcv { + + # Whether IMVs send a standard IETF Assessment Result attribute. + # assessment_result = yes + + # Global IMV policy database URI. If it contains a password, make sure + # to adjust the permissions of the config file accordingly. + # database = + + # Script called for each TNC connection to generate IMV policies. + # policy_script = ipsec _imv_policy + + os_info { + + # Manually set the name of the client OS (e.g. Ubuntu). + # name = + + # Manually set the version of the client OS (e.g. 12.04 i686). + # version = + + } + + } + +} + +libimcv { + + # Debug level for a stand-alone libimcv library. + # debug_level = 1 + + # Plugins to load in IMC/IMVs with stand-alone libimcv library. + # load = random nonce gmp pubkey x509 + + # Disable output to stderr with a stand-alone libimcv library. + # stderr_quiet = no + +} + diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt new file mode 100644 index 000000000..a249a7b14 --- /dev/null +++ b/conf/options/imcv.opt 
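Review bot: The `policy_script = ipsec _imv_policy` default names a command rather than an absolute path, and the comment does not say how or with what privileges the script is executed; presumably the daemon spawns it for every TNC connection, so the lookup path and the script file's ownership are part of the trust boundary. Consider extending the comment to `# Script called for each TNC connection to generate IMV policies. It runs with the daemon's privileges; point it at an absolute path that only the administrator can write.` The same one-line description is repeated in conf/options/imcv.opt and should say the same there.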
@@ -0,0 +1,28 @@
+charon.imcv {}
+ Defaults for options in this section can be configured in the _libimcv_
+ section.
+
+charon.imcv.assessment_result = yes
+ Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+ Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+ Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+ Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+ Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+ Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+ Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+ # Credential database URI for manager. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Enable debugging in manager.
+ # debug = no
+
+ # Plugins to load in manager.
+ # load =
+
+ # FastCGI socket of manager, to run it statically.
+ # socket =
+
+ # Threads to use for request handling.
+ # threads = 10
+
+ # Session timeout for manager.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@ +manager.database = + Credential database URI for manager. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + +manager.debug = no + Enable debugging in manager. + +manager.load = + Plugins to load in manager. + +manager.socket = + FastCGI socket of manager, to run it statically. + +manager.threads = 10 + Threads to use for request handling. + +manager.timeout = 15m + Session timeout for manager. diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf new file mode 100644 index 000000000..b3026ea3f --- /dev/null +++ b/conf/options/medsrv.conf @@ -0,0 +1,32 @@ +medsrv { + + # Mediation server database URI. If it contains a password, make sure to + # adjust the permissions of the config file accordingly. + # database = + + # Debugging in mediation server web application. + # debug = no + + # DPD timeout to use in mediation server plugin. + # dpd = 5m + + # Plugins to load in mediation server plugin. + # load = + + # Minimum password length required for mediation server user accounts. + # password_length = 6 + + # Rekeying time on mediation connections in mediation server plugin. + # rekey = 20m + + # Run Mediation server web application statically on socket. + # socket = + + # Number of thread for mediation service web application. + # threads = 5 + + # Session timeout for mediation service. + # timeout = 15m + +} + diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt new file mode 100644 index 000000000..f673b7e03 --- /dev/null +++ b/conf/options/medsrv.opt 
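Review bot: `password_length = 6` in medsrv.conf is documented only as the minimum for mediation server user accounts, and nothing in the comment tells an operator that six characters is a low floor for accounts on a web application or that the value is meant to be raised. Suggest `# Minimum password length required for mediation server user accounts (raise this for production deployments).` The same sentence is repeated in conf/options/medsrv.opt and should carry the same hint.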
@@ -0,0 +1,27 @@ +medsrv.database = + Mediation server database URI. If it contains a password, make + sure to adjust the permissions of the config file accordingly. + +medsrv.debug = no + Debugging in mediation server web application. + +medsrv.dpd = 5m + DPD timeout to use in mediation server plugin. + +medsrv.load = + Plugins to load in mediation server plugin. + +medsrv.password_length = 6 + Minimum password length required for mediation server user accounts. + +medsrv.rekey = 20m + Rekeying time on mediation connections in mediation server plugin. + +medsrv.socket = + Run Mediation server web application statically on socket. + +medsrv.threads = 5 + Number of thread for mediation service web application. + +medsrv.timeout = 15m + Session timeout for mediation service. diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf new file mode 100644 index 000000000..730e5435c --- /dev/null +++ b/conf/options/pacman.conf @@ -0,0 +1,12 @@ +pacman { + + # Database URI for the database that stores the package information. If it + # contains a password, make sure to adjust the permissions of the config + # file accordingly. + # database = + + # Plugins to load in package manager. + # load = + +} + diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt new file mode 100644 index 000000000..dfb4ba2b1 --- /dev/null +++ b/conf/options/pacman.opt @@ -0,0 +1,7 @@ +pacman.database = + Database URI for the database that stores the package information. If it + contains a password, make sure to adjust the permissions of the config file + accordingly. + +pacman.load = + Plugins to load in package manager. diff --git a/conf/options/pool.conf b/conf/options/pool.conf new file mode 100644 index 000000000..297c0f8cf --- /dev/null +++ b/conf/options/pool.conf 
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+ Database URI for the database that stores IP pools and configuration
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
+
+pool.load =
+ Plugins to load in ipsec pool tool.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Plugins to load in starter.
+ # load =
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+ tnc {
+
+ # TNC IMC/IMV configuration file.
+ # tnc_config = /etc/tnc_config
+
+ }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+ TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
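Review bot: `pool.database` in pool.opt is written without a trailing ` =`, while pool.conf shows the same option as `# database =` and the sibling `pacman.database =` carries the `=`; if the .opt format uses the bare key to mean "no default" and `key =` to mean "empty default", the two files disagree about one option. The same mismatch appears for `charon.plugins.attr-sql.database` (attr-sql.conf has `# database =`), `charon.plugins.coupling.file` (coupling.conf has `# file =`), `charon.plugins.certexpire.csv.cron` (`# cron =`), and in eap-radius.opt `charon.plugins.eap-radius.dae.secret` and `charon.plugins.eap-radius.id_prefix` against `# secret =` and `# id_prefix =` in eap-radius.conf. Whichever form is canonical, the tool that renders these into strongswan.conf(5) presumably treats them differently, so the entries should be aligned, e.g. `pool.database =`.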
@@ -0,0 +1,21 @@ +openac { + + # Plugins to load in ipsec openac tool. + # load = + +} + +pki { + + # Plugins to load in ipsec pki tool. + # load = + +} + +scepclient { + + # Plugins to load in ipsec scepclient tool. + # load = + +} + diff --git a/conf/options/tools.opt b/conf/options/tools.opt new file mode 100644 index 000000000..23e6a1c9f --- /dev/null +++ b/conf/options/tools.opt @@ -0,0 +1,8 @@ +openac.load = + Plugins to load in ipsec openac tool. + +pki.load = + Plugins to load in ipsec pki tool. + +scepclient.load = + Plugins to load in ipsec scepclient tool. diff --git a/conf/plugins/android_log.conf b/conf/plugins/android_log.conf new file mode 100644 index 000000000..4d87eed85 --- /dev/null +++ b/conf/plugins/android_log.conf @@ -0,0 +1,11 @@ +android_log { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Loglevel for logging to Android specific logger. + # loglevel = 1 + +} + diff --git a/conf/plugins/android_log.opt b/conf/plugins/android_log.opt new file mode 100644 index 000000000..801b8bf19 --- /dev/null +++ b/conf/plugins/android_log.opt @@ -0,0 +1,2 @@ +charon.plugins.android_log.loglevel = 1 + Loglevel for logging to Android specific logger. diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf new file mode 100644 index 000000000..24d4e809d --- /dev/null +++ b/conf/plugins/attr-sql.conf @@ -0,0 +1,16 @@ +attr-sql { + + # Database URI for attr-sql plugin used by charon. If it contains a + # password, make sure to adjust the permissions of the config file + # accordingly. + # database = + + # Enable logging of SQL IP pool leases. + # lease_history = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt new file mode 100644 index 000000000..abd749e3e --- /dev/null +++ b/conf/plugins/attr-sql.opt 
@@ -0,0 +1,6 @@ +charon.plugins.attr-sql.database + Database URI for attr-sql plugin used by charon. If it contains a password, + make sure to adjust the permissions of the config file accordingly. + +charon.plugins.attr-sql.lease_history = yes + Enable logging of SQL IP pool leases. diff --git a/conf/plugins/attr.conf b/conf/plugins/attr.conf new file mode 100644 index 000000000..7a3645b79 --- /dev/null +++ b/conf/plugins/attr.conf @@ -0,0 +1,14 @@ +# Section to specify arbitrary attributes that are assigned to a peer via +# configuration payload (CP). +attr { + + # <attr> is an attribute name or an integer, values can be an IP address, + # subnet or arbitrary value. + # <attr> = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/attr.opt b/conf/plugins/attr.opt new file mode 100644 index 000000000..f3c187c7b --- /dev/null +++ b/conf/plugins/attr.opt @@ -0,0 +1,14 @@ +charon.plugins.attr {} + Section to specify arbitrary attributes that are assigned to a peer via + configuration payload (CP). + +charon.plugins.attr.<attr> + <attr> is an attribute name or an integer, values can be an IP address, + subnet or arbitrary value. + + **<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_, + _subnet_, _split-include_, _split-exclude_ or the numeric identifier of the + attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in + CIDR notation or an arbitrary value depending on the attribute type. For + some attribute types multiple values may be specified as a comma separated + list. diff --git a/conf/plugins/certexpire.conf b/conf/plugins/certexpire.conf new file mode 100644 index 000000000..543848c15 --- /dev/null +++ b/conf/plugins/certexpire.conf 
@@ -0,0 +1,38 @@ +certexpire { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + csv { + + # Cron style string specifying CSV export times. + # cron = + + # String to use in empty intermediate CA fields. + # empty_string = + + # Use a fixed intermediate CA field count. + # fixed_fields = yes + + # Force export of all trustchains we have a private key for. + # force = yes + + # strftime(3) format string to export expiration dates as. + # format = %d:%m:%Y + + # strftime(3) format string for the CSV file name to export local + # certificates to. + # local = + + # strftime(3) format string for the CSV file name to export remote + # certificates to. + # remote = + + # CSV field separator. + # separator = , + + } + +} + diff --git a/conf/plugins/certexpire.opt b/conf/plugins/certexpire.opt new file mode 100644 index 000000000..7c165383a --- /dev/null +++ b/conf/plugins/certexpire.opt @@ -0,0 +1,25 @@ +charon.plugins.certexpire.csv.cron + Cron style string specifying CSV export times. + +charon.plugins.certexpire.csv.empty_string = + String to use in empty intermediate CA fields. + +charon.plugins.certexpire.csv.fixed_fields = yes + Use a fixed intermediate CA field count. + +charon.plugins.certexpire.csv.force = yes + Force export of all trustchains we have a private key for. + +charon.plugins.certexpire.csv.format = %d:%m:%Y + **strftime**(3) format string to export expiration dates as. + +charon.plugins.certexpire.csv.local + **strftime**(3) format string for the CSV file name to export local + certificates to. + +charon.plugins.certexpire.csv.remote + **strftime**(3) format string for the CSV file name to export remote + certificates to. + +charon.plugins.certexpire.csv.separator = , + CSV field separator. diff --git a/conf/plugins/coupling.conf b/conf/plugins/coupling.conf new file mode 100644 index 000000000..a5c3d7868 --- /dev/null +++ b/conf/plugins/coupling.conf 
@@ -0,0 +1,17 @@ +coupling { + + # File to store coupling list to. + # file = + + # Hashing algorithm to fingerprint coupled certificates. + # hash = sha1 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum number of coupling entries to create. + # max = 1 + +} + diff --git a/conf/plugins/coupling.opt b/conf/plugins/coupling.opt new file mode 100644 index 000000000..179579d47 --- /dev/null +++ b/conf/plugins/coupling.opt @@ -0,0 +1,8 @@ +charon.plugins.coupling.file + File to store coupling list to. + +charon.plugins.coupling.hash = sha1 + Hashing algorithm to fingerprint coupled certificates. + +charon.plugins.coupling.max = 1 + Maximum number of coupling entries to create. diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf new file mode 100644 index 000000000..b0e8c84c8 --- /dev/null +++ b/conf/plugins/dhcp.conf @@ -0,0 +1,20 @@ +dhcp { + + # Always use the configured server address. + # force_server_address = no + + # Derive user-defined MAC address from hash of IKE identity. + # identity_lease = no + + # Interface name the plugin uses for address allocation. + # interface = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DHCP server unicast or broadcast IP address. + # server = 255.255.255.255 + +} + diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt new file mode 100644 index 000000000..9c7b86091 --- /dev/null +++ b/conf/plugins/dhcp.opt 
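Review bot: `hash = sha1` in coupling.opt is the digest used to fingerprint coupled certificates, and the description gives no guidance on choosing it even though later connections are presumably matched against the stored fingerprints, so collision resistance matters more here than speed. If the plugin accepts other hasher names, the description could read `Hashing algorithm to fingerprint coupled certificates; a SHA-2 algorithm such as sha256 is preferable for new deployments.` Changing the default itself would not match fingerprints already written to the coupling file, so a documentation note is the safer first step; the same comment is in coupling.conf.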
@@ -0,0 +1,22 @@ +charon.plugins.dhcp.force_server_address = no + Always use the configured server address. + + Always use the configured server address. This might be helpful if the DHCP + server runs on the same host as strongSwan, and the DHCP daemon does not + listen on the loopback interface. In that case the server cannot be reached + via unicast (or even 255.255.255.255) as that would be routed via loopback. + Setting this option to yes and configuring the local broadcast address (e.g. + 192.168.0.255) as server address might work. + +charon.plugins.dhcp.identity_lease = no + Derive user-defined MAC address from hash of IKE identity. + +charon.plugins.dhcp.server = 255.255.255.255 + DHCP server unicast or broadcast IP address. + +charon.plugins.dhcp.interface + Interface name the plugin uses for address allocation. + + Interface name the plugin uses for address allocation. The default is to + bind to any (0.0.0.0) and let the system decide which way to route the + packets to the DHCP server. diff --git a/conf/plugins/dnscert.conf b/conf/plugins/dnscert.conf new file mode 100644 index 000000000..c29b6ed43 --- /dev/null +++ b/conf/plugins/dnscert.conf @@ -0,0 +1,11 @@ +dnscert { + + # Enable fetching of CERT RRs via DNS. + # enable = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/dnscert.opt b/conf/plugins/dnscert.opt new file mode 100644 index 000000000..fd5a8d819 --- /dev/null +++ b/conf/plugins/dnscert.opt @@ -0,0 +1,2 @@ +charon.plugins.dnscert.enable = no + Enable fetching of CERT RRs via DNS. diff --git a/conf/plugins/duplicheck.conf b/conf/plugins/duplicheck.conf new file mode 100644 index 000000000..212fe404d --- /dev/null +++ b/conf/plugins/duplicheck.conf 
@@ -0,0 +1,14 @@ +duplicheck { + + # Enable duplicheck plugin (if loaded). + # enable = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the duplicheck plugin. + # socket = unix://${piddir}/charon.dck + +} + diff --git a/conf/plugins/duplicheck.opt b/conf/plugins/duplicheck.opt new file mode 100644 index 000000000..ff54fe3a8 --- /dev/null +++ b/conf/plugins/duplicheck.opt @@ -0,0 +1,5 @@ +charon.plugins.duplicheck.enable = yes + Enable duplicheck plugin (if loaded). + +charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck + Socket provided by the duplicheck plugin. diff --git a/conf/plugins/eap-aka-3ggp2.conf b/conf/plugins/eap-aka-3ggp2.conf new file mode 100644 index 000000000..c52c99609 --- /dev/null +++ b/conf/plugins/eap-aka-3ggp2.conf @@ -0,0 +1,10 @@ +eap-aka-3ggp2 { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # seq_check = + +} + diff --git a/conf/plugins/eap-aka-3ggp2.opt b/conf/plugins/eap-aka-3ggp2.opt new file mode 100644 index 000000000..9e2a42b3f --- /dev/null +++ b/conf/plugins/eap-aka-3ggp2.opt @@ -0,0 +1 @@ +charon.plugins.eap-aka-3ggp2.seq_check = diff --git a/conf/plugins/eap-aka.conf b/conf/plugins/eap-aka.conf new file mode 100644 index 000000000..278f1d677 --- /dev/null +++ b/conf/plugins/eap-aka.conf @@ -0,0 +1,10 @@ +eap-aka { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # request_identity = yes + +} + diff --git a/conf/plugins/eap-aka.opt b/conf/plugins/eap-aka.opt new file mode 100644 index 000000000..e8d166db9 --- /dev/null +++ b/conf/plugins/eap-aka.opt @@ -0,0 +1 @@ +charon.plugins.eap-aka.request_identity = yes diff --git a/conf/plugins/eap-dynamic.conf b/conf/plugins/eap-dynamic.conf new file mode 100644 index 000000000..7b738b1b2 --- /dev/null +++ b/conf/plugins/eap-dynamic.conf 
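Review bot: The new section and files are spelled `eap-aka-3ggp2`, but the standard this EAP-AKA variant implements is 3GPP2, so the plugin is presumably registered as eap-aka-3gpp2; if so, a `charon.plugins.eap-aka-3ggp2` section is never read and the `load = yes` in this file has no effect. The entry `plugins/eap-aka-3ggp2.opt` in conf/Makefile.am carries the same spelling and would need the same correction. Separately, `seq_check =` here, `request_identity = yes` in eap-aka.conf/.opt and eap-sim.conf/.opt, and `database`/`remove_used` in eap-simaka-sql.conf/.opt are the only options in this series that have no description at all; each should get a one-line comment in the style of the other entries.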
@@ -0,0 +1,14 @@ +eap-dynamic { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Prefer peer's proposed EAP methods. + # prefer_user = no + + # The preferred EAP method(s) to be used. + # preferred = + +} + diff --git a/conf/plugins/eap-dynamic.opt b/conf/plugins/eap-dynamic.opt new file mode 100644 index 000000000..2d50a0aab --- /dev/null +++ b/conf/plugins/eap-dynamic.opt @@ -0,0 +1,13 @@ +charon.plugins.eap-dynamic.preferred = + The preferred EAP method(s) to be used. + + The preferred EAP method(s) to be used. If it is not given the first + registered method will be used initially. If a comma separated list is + given the methods are tried in the given order before trying the rest of + the registered methods. + +charon.plugins.eap-dynamic.prefer_user = no + Prefer peer's proposed EAP methods. + + If enabled the EAP methods proposed in an EAP-Nak message sent by the peer + are preferred over the methods registered locally. diff --git a/conf/plugins/eap-gtc.conf b/conf/plugins/eap-gtc.conf new file mode 100644 index 000000000..4760f3fc8 --- /dev/null +++ b/conf/plugins/eap-gtc.conf @@ -0,0 +1,11 @@ +eap-gtc { + + # XAuth backend to be used for credential verification. + # backend = pam + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/eap-gtc.opt b/conf/plugins/eap-gtc.opt new file mode 100644 index 000000000..3fe8b7d68 --- /dev/null +++ b/conf/plugins/eap-gtc.opt @@ -0,0 +1,2 @@ +charon.plugins.eap-gtc.backend = pam + XAuth backend to be used for credential verification. diff --git a/conf/plugins/eap-peap.conf b/conf/plugins/eap-peap.conf new file mode 100644 index 000000000..600e16426 --- /dev/null +++ b/conf/plugins/eap-peap.conf 
@@ -0,0 +1,30 @@ +eap-peap { + + # Maximum size of an EAP-PEAP packet. + # fragment_size = 1024 + + # Include length in non-fragmented EAP-PEAP packets. + # include_length = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum number of processed EAP-PEAP packets (0 = no limit). + # max_message_count = 32 + + # Phase2 EAP client authentication method. + # phase2_method = mschapv2 + + # Phase2 EAP Identity request piggybacked by server onto TLS Finished + # message. + # phase2_piggyback = no + + # Start phase2 EAP TNC protocol after successful client authentication. + # phase2_tnc = no + + # Request peer authentication based on a client certificate. + # request_peer_auth = no + +} + diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt new file mode 100644 index 000000000..6fe88606d --- /dev/null +++ b/conf/plugins/eap-peap.opt @@ -0,0 +1,20 @@ +charon.plugins.eap-peap.fragment_size = 1024 + Maximum size of an EAP-PEAP packet. + +charon.plugins.eap-peap.max_message_count = 32 + Maximum number of processed EAP-PEAP packets (0 = no limit). + +charon.plugins.eap-peap.include_length = no + Include length in non-fragmented EAP-PEAP packets. + +charon.plugins.eap-peap.phase2_method = mschapv2 + Phase2 EAP client authentication method. + +charon.plugins.eap-peap.phase2_piggyback = no + Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +charon.plugins.eap-peap.phase2_tnc = no + Start phase2 EAP TNC protocol after successful client authentication. + +charon.plugins.eap-peap.request_peer_auth = no + Request peer authentication based on a client certificate. diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf new file mode 100644 index 000000000..53023b81e --- /dev/null +++ b/conf/plugins/eap-radius.conf 
@@ -0,0 +1,86 @@ +eap-radius { + + # Send RADIUS accounting information to RADIUS servers. + # accounting = no + + # If enabled, accounting is disabled unless an IKE_SA has at least one + # virtual IP. + # accounting_requires_vip = no + + # Use class attributes in RADIUS-Accept messages as group membership + # information. + # class_group = no + + # Closes all IKE_SAs if communication with the RADIUS server times out. If + # it is not set only the current IKE_SA is closed. + # close_all_on_timeout = no + + # Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + # eap_start = no + + # Use filter_id attribute as group membership information. + # filter_id = no + + # Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + # EAP method. + # id_prefix = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # NAS-Identifier to include in RADIUS messages. + # nas_identifier = strongSwan + + # Port of RADIUS server (authentication). + # port = 1812 + + # Shared secret between RADIUS and NAS. If set, make sure to adjust the + # permissions of the config file accordingly. + # secret = + + # IP/Hostname of RADIUS server. + # server = + + # Number of sockets (ports) to use, increase for high load. + # sockets = 1 + + dae { + + # Enables support for the Dynamic Authorization Extension (RFC 5176). + # enable = no + + # Address to listen for DAE messages from the RADIUS server. + # listen = 0.0.0.0 + + # Port to listen for DAE requests. + # port = 3799 + + # Shared secret used to verify/sign DAE messages. If set, make sure to + # adjust the permissions of the config file accordingly. + # secret = + + } + + forward { + + # RADIUS attributes to be forwarded from IKEv2 to RADIUS. + # ike_to_radius = + + # Same as ike_to_radius but from RADIUS to IKEv2. + # radius_to_ike = + + } + + # Section to specify multiple RADIUS servers. 
+ servers { + + } + + # Section to configure multiple XAuth authentication rounds via RADIUS. + xauth { + + } + +} + diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt new file mode 100644 index 000000000..0edd3458c --- /dev/null +++ b/conf/plugins/eap-radius.opt 
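Review bot: `dae.listen = 0.0.0.0` binds the Dynamic Authorization Extension socket to all interfaces by default, and the `dae.secret` comment only says "If set"; since RFC 5176 messages on that socket can disconnect or re-authorize live IKE_SAs, the socket's reachability and the shared secret are the whole access control. Suggest `# Address to listen for DAE messages from the RADIUS server; restrict this to the address the RADIUS server reaches rather than all interfaces.` and, for the secret, `# Shared secret used to verify/sign DAE messages. Set it whenever DAE is enabled; make sure to adjust the permissions of the config file accordingly.` Presumably the plugin drops DAE messages it cannot verify, but that is not stated here and is worth spelling out. The same descriptions are repeated in conf/plugins/eap-radius.opt.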
@@ -0,0 +1,105 @@ +charon.plugins.eap-radius.accounting = no + Send RADIUS accounting information to RADIUS servers. + +charon.plugins.eap-radius.accounting_requires_vip = no + If enabled, accounting is disabled unless an IKE_SA has at least one + virtual IP. + +charon.plugins.eap-radius.class_group = no + Use class attributes in RADIUS-Accept messages as group membership + information. + + Use the _class_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.close_all_on_timeout = no + Closes all IKE_SAs if communication with the RADIUS server times out. If it + is not set only the current IKE_SA is closed. + +charon.plugins.eap-radius.dae.enable = no + Enables support for the Dynamic Authorization Extension (RFC 5176). + +charon.plugins.eap-radius.dae.listen = 0.0.0.0 + Address to listen for DAE messages from the RADIUS server. + +charon.plugins.eap-radius.dae.port = 3799 + Port to listen for DAE requests. + +charon.plugins.eap-radius.dae.secret + Shared secret used to verify/sign DAE messages. If set, make sure to adjust + the permissions of the config file accordingly. + +charon.plugins.eap-radius.eap_start = no + Send EAP-Start instead of EAP-Identity to start RADIUS conversation. + +charon.plugins.eap-radius.filter_id = no + Use filter_id attribute as group membership information. + + If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use + the _filter_id_ attribute sent in the RADIUS-Accept message as group + membership information that is compared to the groups specified in the + **rightgroups** option in **ipsec.conf**(5). + +charon.plugins.eap-radius.forward.ike_to_radius + RADIUS attributes to be forwarded from IKEv2 to RADIUS. 
+ + RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by + name or attribute number, a colon can be used to specify vendor-specific + attributes, e.g. Reply-Message, or 11, or 36906:12). + +charon.plugins.eap-radius.forward.radius_to_ike = + Same as ike_to_radius but from RADIUS to IKEv2. + + Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to + IKEv2, a strongSwan specific private notify (40969) is used to transmit the + attributes. + +charon.plugins.eap-radius.id_prefix + Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the + EAP method. + +charon.plugins.eap-radius.nas_identifier = strongSwan + NAS-Identifier to include in RADIUS messages. + +charon.plugins.eap-radius.port = 1812 + Port of RADIUS server (authentication). + +charon.plugins.eap-radius.secret = + Shared secret between RADIUS and NAS. If set, make sure to adjust the + permissions of the config file accordingly. + +charon.plugins.eap-radius.server = + IP/Hostname of RADIUS server. + +charon.plugins.eap-radius.servers {} + Section to specify multiple RADIUS servers. + + Section to specify multiple RADIUS servers. The **nas_identifier**, + **secret**, **sockets** and **port** (or **auth_port**) options can be + specified for each server. A server's IP/Hostname can be configured using + the **address** option. The **acct_port** [1813] option can be used to + specify the port used for RADIUS accounting. For each RADIUS server a + priority can be specified using the **preference** [0] option. + +charon.plugins.eap-radius.sockets = 1 + Number of sockets (ports) to use, increase for high load. + +charon.plugins.eap-radius.xauth {} + Section to configure multiple XAuth authentication rounds via RADIUS. + + Section to configure multiple XAuth authentication rounds via RADIUS. + The subsections define so called authentication profiles with arbitrary + names. 
In each profile section one or more XAuth types can be configured, + with an assigned message. For each type a separate XAuth exchange will be + initiated and all replies get concatenated into the User-Password attribute, + which then gets verified over RADIUS. + + Available XAuth types are **password**, **passcode**, **nextpin**, and + **answer**. This type is not relevant to strongSwan or the AAA server, but + the client may show a different dialog (along with the configured message). + + To use the configured profiles, they have to be configured in the respective + connection in **ipsec.conf**(5) by appending the profile name, separated by + a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_ + or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_. diff --git a/conf/plugins/eap-sim.conf b/conf/plugins/eap-sim.conf new file mode 100644 index 000000000..96ec2e02c --- /dev/null +++ b/conf/plugins/eap-sim.conf @@ -0,0 +1,10 @@ +eap-sim { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # request_identity = yes + +} + diff --git a/conf/plugins/eap-sim.opt b/conf/plugins/eap-sim.opt new file mode 100644 index 000000000..052454c0e --- /dev/null +++ b/conf/plugins/eap-sim.opt @@ -0,0 +1 @@ +charon.plugins.eap-sim.request_identity = yes diff --git a/conf/plugins/eap-simaka-sql.conf b/conf/plugins/eap-simaka-sql.conf new file mode 100644 index 000000000..1574a5a85 --- /dev/null +++ b/conf/plugins/eap-simaka-sql.conf @@ -0,0 +1,12 @@ +eap-simaka-sql { + + # database = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # remove_used = no + +} + diff --git a/conf/plugins/eap-simaka-sql.opt b/conf/plugins/eap-simaka-sql.opt new file mode 100644 index 000000000..6b87a7e94 --- /dev/null +++ b/conf/plugins/eap-simaka-sql.opt 
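Review bot: Two wording slips in the new eap-radius.opt descriptions: `a IMSI prefix` under charon.plugins.eap-radius.id_prefix should read `an IMSI prefix`, and `XAauth backend configuration` in the charon.plugins.eap-radius.xauth paragraph should read `XAuth backend configuration`. The first one is mirrored in the `# id_prefix =` comment of eap-radius.conf and should be fixed in both places.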
@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no
diff --git a/conf/plugins/eap-tls.conf b/conf/plugins/eap-tls.conf
new file mode 100644
index 000000000..e3ce7ded7
--- /dev/null
+++ b/conf/plugins/eap-tls.conf
@@ -0,0 +1,17 @@
+eap-tls {
+
+ # Maximum size of an EAP-TLS packet.
+ # fragment_size = 1024
+
+ # Include length in non-fragmented EAP-TLS packets.
+ # include_length = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TLS packets (0 = no limit).
+ # max_message_count = 32
+
+}
+
diff --git a/conf/plugins/eap-tls.opt b/conf/plugins/eap-tls.opt
new file mode 100644
index 000000000..e7b96523a
--- /dev/null
+++ b/conf/plugins/eap-tls.opt
@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+ Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+ Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+ Include length in non-fragmented EAP-TLS packets.
diff --git a/conf/plugins/eap-tnc.conf b/conf/plugins/eap-tnc.conf
new file mode 100644
index 000000000..aca72f1ed
--- /dev/null
+++ b/conf/plugins/eap-tnc.conf
@@ -0,0 +1,15 @@
+eap-tnc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of processed EAP-TNC packets (0 = no limit).
+ # max_message_count = 10
+
+ # IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
+ # tnccs-dynamic).
+ # protocol = tnccs-1.1
+
+}
+
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
new file mode 100644
index 000000000..8e060ceda
--- /dev/null
+++ b/conf/plugins/eap-tnc.opt
@@ -0,0 +1,6 @@ +charon.plugins.eap-tnc.max_message_count = 10 + Maximum number of processed EAP-TNC packets (0 = no limit). + +charon.plugins.eap-tnc.protocol = tnccs-1.1 + IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_, + _tnccs-dynamic_). diff --git a/conf/plugins/eap-ttls.conf b/conf/plugins/eap-ttls.conf new file mode 100644 index 000000000..5229625e0 --- /dev/null +++ b/conf/plugins/eap-ttls.conf @@ -0,0 +1,30 @@ +eap-ttls { + + # Maximum size of an EAP-TTLS packet. + # fragment_size = 1024 + + # Include length in non-fragmented EAP-TTLS packets. + # include_length = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum number of processed EAP-TTLS packets (0 = no limit). + # max_message_count = 32 + + # Phase2 EAP client authentication method. + # phase2_method = md5 + + # Phase2 EAP Identity request piggybacked by server onto TLS Finished + # message. + # phase2_piggyback = no + + # Start phase2 EAP TNC protocol after successful client authentication. + # phase2_tnc = no + + # Request peer authentication based on a client certificate. + # request_peer_auth = no + +} + diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt new file mode 100644 index 000000000..21a6cb674 --- /dev/null +++ b/conf/plugins/eap-ttls.opt 
@@ -0,0 +1,20 @@ +charon.plugins.eap-ttls.fragment_size = 1024 + Maximum size of an EAP-TTLS packet. + +charon.plugins.eap-ttls.max_message_count = 32 + Maximum number of processed EAP-TTLS packets (0 = no limit). + +charon.plugins.eap-ttls.include_length = yes + Include length in non-fragmented EAP-TTLS packets. + +charon.plugins.eap-ttls.phase2_method = md5 + Phase2 EAP client authentication method. + +charon.plugins.eap-ttls.phase2_piggyback = no + Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +charon.plugins.eap-ttls.phase2_tnc = no + Start phase2 EAP TNC protocol after successful client authentication. + +charon.plugins.eap-ttls.request_peer_auth = no + Request peer authentication based on a client certificate. diff --git a/conf/plugins/error-notify.conf b/conf/plugins/error-notify.conf new file mode 100644 index 000000000..5915a0971 --- /dev/null +++ b/conf/plugins/error-notify.conf @@ -0,0 +1,11 @@ +error-notify { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the error-notify plugin. + # socket = unix://${piddir}/charon.enfy + +} + diff --git a/conf/plugins/error-notify.opt b/conf/plugins/error-notify.opt new file mode 100644 index 000000000..44ea0551e --- /dev/null +++ b/conf/plugins/error-notify.opt @@ -0,0 +1,2 @@ +charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy + Socket provided by the error-notify plugin. diff --git a/conf/plugins/gcrypt.conf b/conf/plugins/gcrypt.conf new file mode 100644 index 000000000..fce2c7a6e --- /dev/null +++ b/conf/plugins/gcrypt.conf @@ -0,0 +1,11 @@ +gcrypt { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Use faster random numbers in gcrypt; for testing only, produces weak keys! + # quick_random = no + +} + 
diff --git a/conf/plugins/gcrypt.opt b/conf/plugins/gcrypt.opt new file mode 100644 index 000000000..c6b0505d7 --- /dev/null +++ b/conf/plugins/gcrypt.opt @@ -0,0 +1,2 @@ +charon.plugins.gcrypt.quick_random = no + Use faster random numbers in gcrypt; for testing only, produces weak keys! diff --git a/conf/plugins/ha.conf b/conf/plugins/ha.conf new file mode 100644 index 000000000..e8b2fa48d --- /dev/null +++ b/conf/plugins/ha.conf @@ -0,0 +1,32 @@ +ha { + + # Interval in seconds to automatically balance handled segments between + # nodes. Set to 0 to disable. + # autobalance = 0 + + # fifo_interface = yes + + # heartbeat_delay = 1000 + + # heartbeat_timeout = 2100 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # local = + + # monitor = yes + + # pools = + + # remote = + + # resync = yes + + # secret = + + # segment_count = 1 + +} + diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt new file mode 100644 index 000000000..77d5b7888 --- /dev/null +++ b/conf/plugins/ha.opt @@ -0,0 +1,23 @@ +charon.plugins.ha.autobalance = 0 + Interval in seconds to automatically balance handled segments between nodes. + Set to 0 to disable. + +charon.plugins.ha.fifo_interface = yes + +charon.plugins.ha.heartbeat_delay = 1000 + +charon.plugins.ha.heartbeat_timeout = 2100 + +charon.plugins.ha.local = + +charon.plugins.ha.monitor = yes + +charon.plugins.ha.pools = + +charon.plugins.ha.remote = + +charon.plugins.ha.resync = yes + +charon.plugins.ha.secret = + +charon.plugins.ha.segment_count = 1 diff --git a/conf/plugins/imc-attestation.conf b/conf/plugins/imc-attestation.conf new file mode 100644 index 000000000..ffb1b45a3 --- /dev/null +++ b/conf/plugins/imc-attestation.conf 
@@ -0,0 +1,26 @@ +imc-attestation { + + # AIK encrypted private key blob file. + # aik_blob = + + # AIK certificate file. + # aik_cert = + + # AIK public key file. + # aik_key = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DH nonce length. + # nonce_len = 20 + + # Whether to send pcr_before and pcr_after info. + # pcr_info = yes + + # Use Quote2 AIK signature instead of Quote signature. + # use_quote2 = yes + +} + diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt new file mode 100644 index 000000000..9c108053b --- /dev/null +++ b/conf/plugins/imc-attestation.opt @@ -0,0 +1,17 @@ +charon.plugins.imc-attestation.aik_blob = + AIK encrypted private key blob file. + +charon.plugins.imc-attestation.aik_cert = + AIK certificate file. + +charon.plugins.imc-attestation.aik_key = + AIK public key file. + +charon.plugins.imc-attestation.nonce_len = 20 + DH nonce length. + +charon.plugins.imc-attestation.use_quote2 = yes + Use Quote2 AIK signature instead of Quote signature. + +charon.plugins.imc-attestation.pcr_info = yes + Whether to send pcr_before and pcr_after info.
\ No newline at end of file
diff --git a/conf/plugins/imc-os.conf b/conf/plugins/imc-os.conf
new file mode 100644
index 000000000..1d245d3f3
--- /dev/null
+++ b/conf/plugins/imc-os.conf
@@ -0,0 +1,11 @@
+imc-os {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send operating system info without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
new file mode 100644
index 000000000..2a6333f93
--- /dev/null
+++ b/conf/plugins/imc-os.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-os.push_info = yes
+ Send operating system info without being prompted.
diff --git a/conf/plugins/imc-scanner.conf b/conf/plugins/imc-scanner.conf
new file mode 100644
index 000000000..7f2f53106
--- /dev/null
+++ b/conf/plugins/imc-scanner.conf
@@ -0,0 +1,11 @@
+imc-scanner {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Send open listening ports without being prompted.
+ # push_info = yes
+
+}
+
diff --git a/conf/plugins/imc-scanner.opt b/conf/plugins/imc-scanner.opt
new file mode 100644
index 000000000..84e6dfa2f
--- /dev/null
+++ b/conf/plugins/imc-scanner.opt
@@ -0,0 +1,2 @@
+charon.plugins.imc-scanner.push_info = yes
+ Send open listening ports without being prompted.
diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf
new file mode 100644
index 000000000..8b3317163
--- /dev/null
+++ b/conf/plugins/imc-swid.conf
@@ -0,0 +1,11 @@
+imc-swid {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Directory where SWID tags are located.
+ # swid_directory = ${prefix}/share
+
+}
+
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt
new file mode 100644
index 000000000..67f7c79c4
--- /dev/null
+++ b/conf/plugins/imc-swid.opt
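Review bot: imc-attestation.opt is the only file in this series that ends without a trailing newline (the `\ No newline at end of file` marker above), whereas every other .opt file ends with one; if the .conf files are produced by parsing these .opt files, a missing final newline is the kind of detail that can fold the last description line into whatever the generator emits next. Adding a newline after `Whether to send pcr_before and pcr_after info.` keeps it consistent with its siblings. The key order in that file (`use_quote2` before `pcr_info`) also differs from the alphabetical order the generated imc-attestation.conf uses, which is harmless but worth aligning while touching the file.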
@@ -0,0 +1,2 @@
+charon.plugins.imc-swid.swid_directory = ${prefix}/share
+ Directory where SWID tags are located.
diff --git a/conf/plugins/imc-test.conf b/conf/plugins/imc-test.conf
new file mode 100644
index 000000000..0d66e3d0c
--- /dev/null
+++ b/conf/plugins/imc-test.conf
@@ -0,0 +1,23 @@
+imc-test {
+
+ # Number of additional IMC IDs.
+ # additional_ids = 0
+
+ # Command to be sent to the Test IMV.
+ # command = none
+
+ # Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+ # dummy_size = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Do a handshake retry.
+ # retry = no
+
+ # Command to be sent to the Test IMV in the handshake retry.
+ # retry_command =
+
+}
+
diff --git a/conf/plugins/imc-test.opt b/conf/plugins/imc-test.opt
new file mode 100644
index 000000000..c3169b5af
--- /dev/null
+++ b/conf/plugins/imc-test.opt
@@ -0,0 +1,14 @@
+charon.plugins.imc-test.additional_ids = 0
+ Number of additional IMC IDs.
+
+charon.plugins.imc-test.command = none
+ Command to be sent to the Test IMV.
+
+charon.plugins.imc-test.dummy_size = 0
+ Size of dummy attribute to be sent to the Test IMV (0 = disabled).
+
+charon.plugins.imc-test.retry = no
+ Do a handshake retry.
+
+charon.plugins.imc-test.retry_command =
+ Command to be sent to the Test IMV in the handshake retry.
diff --git a/conf/plugins/imv-attestation.conf b/conf/plugins/imv-attestation.conf
new file mode 100644
index 000000000..48ffba839
--- /dev/null
+++ b/conf/plugins/imv-attestation.conf
@@ -0,0 +1,42 @@ +imc-attestation { + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr17_meas = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_after = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_before = + + # Dummy data if the TBOOT log is not retrieved. + # pcr18_meas = + +} + +imv-attestation { + + # Path to directory with AIK cacerts. + # cadir = + + # Preferred Diffie-Hellman group. + # dh_group = ecp256 + + # Preferred measurement hash algorithm. + # hash_algorithm = sha256 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # DH minimum nonce length. + # min_nonce_len = 0 + +} + diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt new file mode 100644 index 000000000..c0ae20488 --- /dev/null +++ b/conf/plugins/imv-attestation.opt @@ -0,0 +1,29 @@ +charon.plugins.imv-attestation.cadir = + Path to directory with AIK cacerts. + +charon.plugins.imv-attestation.dh_group = ecp256 + Preferred Diffie-Hellman group. + +charon.plugins.imv-attestation.hash_algorithm = sha256 + Preferred measurement hash algorithm. + +charon.plugins.imv-attestation.min_nonce_len = 0 + DH minimum nonce length. + +charon.plugins.imc-attestation.pcr17_after + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr17_before + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr17_meas + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_after + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_before + Dummy data if the TBOOT log is not retrieved. + +charon.plugins.imc-attestation.pcr18_meas + Dummy data if the TBOOT log is not retrieved. 
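Review bot: The six `charon.plugins.imc-attestation.pcr17_*` / `pcr18_*` entries at the end of imv-attestation.opt are written without the ` =` that every other key in this series carries (`charon.plugins.imc-attestation.pcr17_after` where the file's own `charon.plugins.imv-attestation.cadir =` shows the expected form), so whether they are recognised as options depends on how leniently the .opt parser treats a bare key. They also describe `imc-attestation` settings yet live in imv-attestation.opt, which appears to be why the generated imv-attestation.conf at the start of this line opens with an `imc-attestation { ... }` section ahead of its own `imv-attestation` section. Moving those six entries to imc-attestation.opt, with ` =` appended to each, would place the dummy-PCR settings in the file an operator looks in and would leave imv-attestation.conf holding only its own section.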
diff --git a/conf/plugins/imv-os.conf b/conf/plugins/imv-os.conf new file mode 100644 index 000000000..8f0da3760 --- /dev/null +++ b/conf/plugins/imv-os.conf @@ -0,0 +1,11 @@ +imv-os { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # URI pointing to operating system remediation instructions. + # remediation_uri = + +} + diff --git a/conf/plugins/imv-os.opt b/conf/plugins/imv-os.opt new file mode 100644 index 000000000..eab926201 --- /dev/null +++ b/conf/plugins/imv-os.opt @@ -0,0 +1,2 @@ +charon.plugins.imv-os.remediation_uri = + URI pointing to operating system remediation instructions. diff --git a/conf/plugins/imv-scanner.conf b/conf/plugins/imv-scanner.conf new file mode 100644 index 000000000..25719d0ef --- /dev/null +++ b/conf/plugins/imv-scanner.conf @@ -0,0 +1,11 @@ +imv-scanner { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # URI pointing to scanner remediation instructions. + # remediation_uri = + +} + diff --git a/conf/plugins/imv-scanner.opt b/conf/plugins/imv-scanner.opt new file mode 100644 index 000000000..7af87493b --- /dev/null +++ b/conf/plugins/imv-scanner.opt @@ -0,0 +1,2 @@ +charon.plugins.imv-scanner.remediation_uri = + URI pointing to scanner remediation instructions. diff --git a/conf/plugins/imv-test.conf b/conf/plugins/imv-test.conf new file mode 100644 index 000000000..9bd248792 --- /dev/null +++ b/conf/plugins/imv-test.conf @@ -0,0 +1,11 @@ +imv-test { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Number of IMC-IMV retry rounds. + # rounds = 0 + +} + diff --git a/conf/plugins/imv-test.opt b/conf/plugins/imv-test.opt new file mode 100644 index 000000000..2cbddc8f6 --- /dev/null +++ b/conf/plugins/imv-test.opt @@ -0,0 +1,2 @@ +charon.plugins.imv-test.rounds = 0 + Number of IMC-IMV retry rounds. 
diff --git a/conf/plugins/ipseckey.conf b/conf/plugins/ipseckey.conf new file mode 100644 index 000000000..f2e5e5877 --- /dev/null +++ b/conf/plugins/ipseckey.conf @@ -0,0 +1,11 @@ +ipseckey { + + # Enable fetching of IPSECKEY RRs via DNS. + # enable = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/ipseckey.opt b/conf/plugins/ipseckey.opt new file mode 100644 index 000000000..d4cff26dd --- /dev/null +++ b/conf/plugins/ipseckey.opt @@ -0,0 +1,2 @@ +charon.plugins.ipseckey.enable = no + Enable fetching of IPSECKEY RRs via DNS. diff --git a/conf/plugins/kernel-klips.conf b/conf/plugins/kernel-klips.conf new file mode 100644 index 000000000..10ca30839 --- /dev/null +++ b/conf/plugins/kernel-klips.conf @@ -0,0 +1,14 @@ +kernel-klips { + + # Number of ipsecN devices. + # ipsec_dev_count = 4 + + # Set MTU of ipsecN device. + # ipsec_dev_mtu = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt new file mode 100644 index 000000000..ad9806e71 --- /dev/null +++ b/conf/plugins/kernel-klips.opt @@ -0,0 +1,5 @@ +charon.plugins.kernel-klips.ipsec_dev_count = 4 + Number of ipsecN devices. + +charon.plugins.kernel-klips.ipsec_dev_mtu = 0 + Set MTU of ipsecN device. diff --git a/conf/plugins/kernel-libipsec.conf b/conf/plugins/kernel-libipsec.conf new file mode 100644 index 000000000..3411be2ff --- /dev/null +++ b/conf/plugins/kernel-libipsec.conf @@ -0,0 +1,11 @@ +kernel-libipsec { + + # Allow that the remote traffic selector equals the IKE peer. + # allow_peer_ts = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/kernel-libipsec.opt b/conf/plugins/kernel-libipsec.opt new file mode 100644 index 000000000..e76db63d9 --- /dev/null 
+++ b/conf/plugins/kernel-libipsec.opt @@ -0,0 +1,7 @@ +charon.plugins.kernel-libipsec.allow_peer_ts = no + Allow that the remote traffic selector equals the IKE peer. + + Allow that the remote traffic selector equals the IKE peer. The route + installed for such traffic (via TUN device) usually prevents further IKE + traffic. The fwmark options for the _kernel-netlink_ and _socket-default_ + plugins can be used to circumvent that problem. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf new file mode 100644 index 000000000..670746963 --- /dev/null +++ b/conf/plugins/kernel-netlink.conf @@ -0,0 +1,19 @@ +kernel-netlink { + + # Firewall mark to set on the routing rule that directs traffic to our + # routing table. + # fwmark = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to trigger roam events when interfaces, addresses or routes + # change. + # roam_events = yes + + # Lifetime of XFRM acquire state in kernel. + # xfrm_acq_expires = 165 + +} + diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt new file mode 100644 index 000000000..a8e421b6e --- /dev/null +++ b/conf/plugins/kernel-netlink.opt 
@@ -0,0 +1,18 @@ +charon.plugins.kernel-netlink.fwmark = + Firewall mark to set on the routing rule that directs traffic to our routing + table. + + Firewall mark to set on the routing rule that directs traffic to our routing + table. The format is [!]mark[/mask], where the optional exclamation mark + inverts the meaning (i.e. the rule only applies to packets that don't match + the mark). + +charon.plugins.kernel-netlink.roam_events = yes + Whether to trigger roam events when interfaces, addresses or routes change. + +charon.plugins.kernel-netlink.xfrm_acq_expires = 165 + Lifetime of XFRM acquire state in kernel. + + Lifetime of XFRM acquire state in kernel. The value gets written to + /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM + acquire messages sent. diff --git a/conf/plugins/kernel-pfroute.conf b/conf/plugins/kernel-pfroute.conf new file mode 100644 index 000000000..9aa4dcac0 --- /dev/null +++ b/conf/plugins/kernel-pfroute.conf @@ -0,0 +1,12 @@ +kernel-pfroute { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Time in ms to wait until virtual IP addresses appear/disappear before + # failing. + # vip_wait = 1000 + +} + diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt new file mode 100644 index 000000000..8b9bb9169 --- /dev/null +++ b/conf/plugins/kernel-pfroute.opt @@ -0,0 +1,3 @@ +charon.plugins.kernel-pfroute.vip_wait = 1000 + Time in ms to wait until virtual IP addresses appear/disappear before + failing. diff --git a/conf/plugins/led.conf b/conf/plugins/led.conf new file mode 100644 index 000000000..0f34adb07 --- /dev/null +++ b/conf/plugins/led.conf @@ -0,0 +1,12 @@ +led { + + # activity_led = + + # blink_time = 50 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + 
diff --git a/conf/plugins/led.opt b/conf/plugins/led.opt
new file mode 100644
index 000000000..9e2f1ac61
--- /dev/null
+++ b/conf/plugins/led.opt
@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50
diff --git a/conf/plugins/load-tester.conf b/conf/plugins/load-tester.conf
new file mode 100644
index 000000000..e69c029d6
--- /dev/null
+++ b/conf/plugins/load-tester.conf
@@ -0,0 +1,138 @@ +# Section to configure the load-tester plugin, see LOAD TESTS in +# strongswan.conf(5) for details. +load-tester { + + # Whether to keep dynamic addresses even after the associated SA got + # terminated. + # addrs_keep = no + + # Network prefix length to use when installing dynamic addresses. If set to + # -1 the full address is used (i.e. 32 or 128). + # addrs_prefix = 16 + + # Directory to load (intermediate) CA certificates from. + # ca_dir = + + # Seconds to start CHILD_SA rekeying after setup. + # child_rekey = 600 + + # Delay between initiatons for each thread. + # delay = 0 + + # Delete an IKE_SA as soon as it has been established. + # delete_after_established = no + + # Digest algorithm used when issuing certificates. + # digest = sha1 + + # DPD delay to use in load test. + # dpd_delay = 0 + + # Base port to be used for requests (each client uses a different port). + # dynamic_port = 0 + + # EAP secret to use in load test. + # eap_password = default-pwd + + # Enable the load testing plugin. WARNING: Never enable this plugin on + # productive systems. It provides preconfigured credentials and allows an + # attacker to authenticate as any user. + # enable = no + + # CHILD_SA proposal to use for load tests. + # esp = aes128-sha1 + + # Fake the kernel interface to allow load-testing against self. + # fake_kernel = no + + # Seconds to start IKE_SA rekeying after setup. + # ike_rekey = 0 + + # Global limit of concurrently established SAs during load test. + # init_limit = 0 + + # Address to initiate from. + # initiator = 0.0.0.0 + + # Authentication method(s) the intiator uses. + # initiator_auth = pubkey + + # Initiator ID used in load test. + # initiator_id = + + # Initiator ID to match against as responder. + # initiator_match = + + # Traffic selector on initiator side, as proposed by initiator. + # initiator_tsi = + + # Traffic selector on responder side, as proposed by initiator. 
+ # initiator_tsr = + + # Number of concurrent initiator threads to use in load test. + # initiators = 0 + + # Path to the issuer certificate (if not configured a hard-coded default + # value is used). + # issuer_cert = + + # Path to private key that is used to issue certificates (if not configured + # a hard-coded default value is used). + # issuer_key = + + # Number of IKE_SAs to initiate by each initiator in load test. + # iterations = 1 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # IPsec mode to use, one of tunnel, transport, or beet. + # mode = tunnel + + # Provide INTERNAL_IPV4_ADDRs from a named pool. + # pool = + + # Preshared key to use in load test. + # preshared_key = <default-psk> + + # IKE proposal to use in load test. + # proposal = aes128-sha1-modp768 + + # Request an INTERNAL_IPV4_ADDR from the server. + # request_virtual_ip = no + + # Address to initiation connections to. + # responder = 127.0.0.1 + + # Authentication method(s) the responder uses. + # responder_auth = pubkey + + # Responder ID used in load test. + # responder_id = + + # Traffic selector on initiator side, as narrowed by responder. + # responder_tsi = initiator_tsi + + # Traffic selector on responder side, as narrowed by responder. + # responder_tsr = initiator_tsr + + # Shutdown the daemon after all IKE_SAs have been established. + # shutdown_when_complete = no + + # Socket provided by the load-tester plugin. + # socket = unix://${piddir}/charon.ldt + + # IKE version to use (0 means use IKEv2 as initiator and accept any version + # as responder). + # version = 0 + + # Section that contains key/value pairs with address pools (in CIDR + # notation) to use for a specific network interface e.g. eth0 = + # 10.10.0.0/16. + addrs { + + } + +} + diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt new file mode 100644 index 000000000..7afe32618 --- /dev/null +++ b/conf/plugins/load-tester.opt 
@@ -0,0 +1,128 @@ +charon.plugins.load-tester {} + Section to configure the load-tester plugin, see LOAD TESTS in + **strongswan.conf**(5) for details. + +charon.plugins.load-tester.addrs {} + Section that contains key/value pairs with address pools (in CIDR notation) + to use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +charon.plugins.load-tester.addrs_keep = no + Whether to keep dynamic addresses even after the associated SA got + terminated. + +charon.plugins.load-tester.addrs_prefix = 16 + Network prefix length to use when installing dynamic addresses. + If set to -1 the full address is used (i.e. 32 or 128). + +charon.plugins.load-tester.ca_dir = + Directory to load (intermediate) CA certificates from. + +charon.plugins.load-tester.child_rekey = 600 + Seconds to start CHILD_SA rekeying after setup. + +charon.plugins.load-tester.delay = 0 + Delay between initiatons for each thread. + +charon.plugins.load-tester.delete_after_established = no + Delete an IKE_SA as soon as it has been established. + +charon.plugins.load-tester.digest = sha1 + Digest algorithm used when issuing certificates. + +charon.plugins.load-tester.dpd_delay = 0 + DPD delay to use in load test. + +charon.plugins.load-tester.dynamic_port = 0 + Base port to be used for requests (each client uses a different port). + +charon.plugins.load-tester.eap_password = default-pwd + EAP secret to use in load test. + +charon.plugins.load-tester.enable = no + Enable the load testing plugin. **WARNING**: Never enable this plugin on + productive systems. It provides preconfigured credentials and allows an + attacker to authenticate as any user. + +charon.plugins.load-tester.esp = aes128-sha1 + CHILD_SA proposal to use for load tests. + +charon.plugins.load-tester.fake_kernel = no + Fake the kernel interface to allow load-testing against self. + +charon.plugins.load-tester.ike_rekey = 0 + Seconds to start IKE_SA rekeying after setup. 
+ +charon.plugins.load-tester.init_limit = 0 + Global limit of concurrently established SAs during load test. + +charon.plugins.load-tester.initiator = 0.0.0.0 + Address to initiate from. + +charon.plugins.load-tester.initiators = 0 + Number of concurrent initiator threads to use in load test. + +charon.plugins.load-tester.initiator_auth = pubkey + Authentication method(s) the intiator uses. + +charon.plugins.load-tester.initiator_id = + Initiator ID used in load test. + +charon.plugins.load-tester.initiator_match = + Initiator ID to match against as responder. + +charon.plugins.load-tester.initiator_tsi = + Traffic selector on initiator side, as proposed by initiator. + +charon.plugins.load-tester.initiator_tsr = + Traffic selector on responder side, as proposed by initiator. + +charon.plugins.load-tester.iterations = 1 + Number of IKE_SAs to initiate by each initiator in load test. + +charon.plugins.load-tester.issuer_cert = + Path to the issuer certificate (if not configured a hard-coded default value + is used). + +charon.plugins.load-tester.issuer_key = + Path to private key that is used to issue certificates (if not configured a + hard-coded default value is used). + +charon.plugins.load-tester.mode = tunnel + IPsec mode to use, one of _tunnel_, _transport_, or _beet_. + +charon.plugins.load-tester.pool = + Provide INTERNAL_IPV4_ADDRs from a named pool. + +charon.plugins.load-tester.preshared_key = <default-psk> + Preshared key to use in load test. + +charon.plugins.load-tester.proposal = aes128-sha1-modp768 + IKE proposal to use in load test. + +charon.plugins.load-tester.responder = 127.0.0.1 + Address to initiation connections to. + +charon.plugins.load-tester.responder_auth = pubkey + Authentication method(s) the responder uses. + +charon.plugins.load-tester.responder_id = + Responder ID used in load test. + +charon.plugins.load-tester.responder_tsi = initiator_tsi + Traffic selector on initiator side, as narrowed by responder. 
+ +charon.plugins.load-tester.responder_tsr = initiator_tsr + Traffic selector on responder side, as narrowed by responder. + +charon.plugins.load-tester.request_virtual_ip = no + Request an INTERNAL_IPV4_ADDR from the server. + +charon.plugins.load-tester.shutdown_when_complete = no + Shutdown the daemon after all IKE_SAs have been established. + +charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt + Socket provided by the load-tester plugin. + +charon.plugins.load-tester.version = 0 + IKE version to use (0 means use IKEv2 as initiator and accept any version as + responder). diff --git a/conf/plugins/lookip.conf b/conf/plugins/lookip.conf new file mode 100644 index 000000000..53958221f --- /dev/null +++ b/conf/plugins/lookip.conf @@ -0,0 +1,11 @@ +lookip { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the lookip plugin. + # socket = unix://${piddir}/charon.lkp + +} + diff --git a/conf/plugins/lookip.opt b/conf/plugins/lookip.opt new file mode 100644 index 000000000..443eb34bb --- /dev/null +++ b/conf/plugins/lookip.opt @@ -0,0 +1,2 @@ +charon.plugins.lookip.socket = unix://${piddir}/charon.lkp + Socket provided by the lookip plugin. diff --git a/conf/plugins/ntru.conf b/conf/plugins/ntru.conf new file mode 100644 index 000000000..6487b3653 --- /dev/null +++ b/conf/plugins/ntru.conf @@ -0,0 +1,17 @@ +ntru { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Number of pseudo-random bit requests from the DRBG before an automatic + # reseeding occurs. + # max_drbg_requests = 4294967294 + + # The following parameter sets are available: x9_98_speed, x9_98_bandwidth, + # x9_98_balance and optimum, the last set not being part of the X9.98 + # standard but having the best performance. + # parameter_set = optimum + +} + 
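Review bot: Three descriptions in load-tester.opt carry typos that are repeated verbatim in the load-tester.conf hunk just above: `Delay between initiatons for each thread.` should read `Delay between initiations for each thread.`, `Authentication method(s) the intiator uses.` should read `Authentication method(s) the initiator uses.`, and `Address to initiation connections to.` should read `Address to initiate connections to.`. Since the .conf text mirrors the .opt text line for line, fixing the .opt file looks sufficient provided the .conf files are regenerated from it. Separately, `eap_password = default-pwd` and `preshared_key = <default-psk>` are the preconfigured credentials the `enable` entry's warning refers to, so a short cross-reference on each, such as ` Part of the preconfigured credentials mentioned in the **WARNING** under _enable_.`, would help an operator who reads those keys in isolation.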
diff --git a/conf/plugins/ntru.opt b/conf/plugins/ntru.opt new file mode 100644 index 000000000..8e1bebd87 --- /dev/null +++ b/conf/plugins/ntru.opt @@ -0,0 +1,8 @@ +charon.plugins.ntru.max_drbg_requests = 4294967294 + Number of pseudo-random bit requests from the DRBG before an automatic + reseeding occurs. + +charon.plugins.ntru.parameter_set = optimum + The following parameter sets are available: **x9_98_speed**, + **x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not + being part of the X9.98 standard but having the best performance. diff --git a/conf/plugins/openssl.conf b/conf/plugins/openssl.conf new file mode 100644 index 000000000..08ed7592b --- /dev/null +++ b/conf/plugins/openssl.conf @@ -0,0 +1,14 @@ +openssl { + + # ENGINE ID to use in the OpenSSL plugin. + # engine_id = pkcs11 + + # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). + # fips_mode = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt new file mode 100644 index 000000000..55d8dcaa1 --- /dev/null +++ b/conf/plugins/openssl.opt @@ -0,0 +1,5 @@ +charon.plugins.openssl.engine_id = pkcs11 + ENGINE ID to use in the OpenSSL plugin. + +charon.plugins.openssl.fips_mode = 0 + Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf new file mode 100644 index 000000000..35248c2ce --- /dev/null +++ b/conf/plugins/pkcs11.conf 
@@ -0,0 +1,37 @@ +pkcs11 { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to load certificates from tokens. + # load_certs = yes + + # Reload certificates from all tokens if charon receives a SIGHUP. + # reload_certs = no + + # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc + # option). + # use_dh = no + + # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key + # operations. ECDSA private keys can be used regardless of this option. + # use_ecc = no + + # Whether the PKCS#11 modules should be used to hash data. + # use_hasher = no + + # Whether the PKCS#11 modules should be used for public key operations, even + # for keys not stored on tokens. + # use_pubkey = no + + # Whether the PKCS#11 modules should be used as RNG. + # use_rng = no + + # List of available PKCS#11 modules. + modules { + + } + +} + diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt new file mode 100644 index 000000000..f5a202844 --- /dev/null +++ b/conf/plugins/pkcs11.opt 
@@ -0,0 +1,26 @@ +charon.plugins.pkcs11.modules {} + List of available PKCS#11 modules. + +charon.plugins.pkcs11.load_certs = yes + Whether to load certificates from tokens. + +charon.plugins.pkcs11.reload_certs = no + Reload certificates from all tokens if charon receives a SIGHUP. + +charon.plugins.pkcs11.use_dh = no + Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_ + option). + +charon.plugins.pkcs11.use_ecc = no + Whether the PKCS#11 modules should be used for ECDH and ECDSA public key + operations. ECDSA private keys can be used regardless of this option. + +charon.plugins.pkcs11.use_hasher = no + Whether the PKCS#11 modules should be used to hash data. + +charon.plugins.pkcs11.use_pubkey = no + Whether the PKCS#11 modules should be used for public key operations, even + for keys not stored on tokens. + +charon.plugins.pkcs11.use_rng = no + Whether the PKCS#11 modules should be used as RNG. diff --git a/conf/plugins/radattr.conf b/conf/plugins/radattr.conf new file mode 100644 index 000000000..6b085987d --- /dev/null +++ b/conf/plugins/radattr.conf @@ -0,0 +1,15 @@ +radattr { + + # Directory where RADIUS attributes are stored in client-ID specific files. + # dir = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Add attributes to all IKE_AUTH messages (-1) or only to the one with the + # given message ID. + # message_id = -1 + +} + diff --git a/conf/plugins/radattr.opt b/conf/plugins/radattr.opt new file mode 100644 index 000000000..dcc1bf2f7 --- /dev/null +++ b/conf/plugins/radattr.opt 
@@ -0,0 +1,9 @@ +charon.plugins.radattr.dir = + Directory where RADIUS attributes are stored in client-ID specific files. + +charon.plugins.radattr.message_id = -1 + Add attributes to all IKE_AUTH messages (-1) or only to the one with the + given message ID. + + Attributes are added to all IKE_AUTH messages by default (-1), or only to + the IKE_AUTH message with the given IKEv2 message ID. diff --git a/conf/plugins/random.conf b/conf/plugins/random.conf new file mode 100644 index 000000000..e0af75fd7 --- /dev/null +++ b/conf/plugins/random.conf @@ -0,0 +1,18 @@ +random { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # File to read random bytes from. + # random = ${random_device} + + # If set to yes the RNG_STRONG class reads random bytes from the same source + # as the RNG_TRUE class. + # strong_equals_true = no + + # File to read pseudo random bytes from. + # urandom = ${urandom_device} + +} + diff --git a/conf/plugins/random.opt b/conf/plugins/random.opt new file mode 100644 index 000000000..1cbde288b --- /dev/null +++ b/conf/plugins/random.opt @@ -0,0 +1,9 @@ +charon.plugins.random.random = ${random_device} + File to read random bytes from. + +charon.plugins.random.urandom = ${urandom_device} + File to read pseudo random bytes from. + +charon.plugins.random.strong_equals_true = no + If set to yes the RNG_STRONG class reads random bytes from the same source + as the RNG_TRUE class. diff --git a/conf/plugins/resolve.conf b/conf/plugins/resolve.conf new file mode 100644 index 000000000..5d9ca72de --- /dev/null +++ b/conf/plugins/resolve.conf @@ -0,0 +1,18 @@ +resolve { + + # File where to add DNS server entries. + # file = /etc/resolv.conf + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + resolvconf { + + # Prefix used for interface names sent to resolvconf(8). + # iface_prefix = lo.inet.ipsec. + + } + +} + 
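Review bot: `charon.plugins.radattr.dir` says attributes are kept in "client-ID specific files" but not how a peer's identity is turned into a file name, and that identity is supplied by the remote peer. If the identity string were used verbatim as a path component, a value containing a path separator or `..` would select a file outside `dir`; I cannot tell from this hunk how the plugin actually resolves the file, so the option text should spell it out once confirmed against the plugin, e.g. `Files are matched by name against the peer identity; identities containing path separators do not match any file.`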
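Review bot: The `file = /etc/resolv.conf` comment in the resolve section gives no hint that the entries written there are DNS servers assigned by the remote peer through configuration payloads, which is the fact an operator needs before enabling a plugin that edits the system resolver. I would add a caveat above the option: `# DNS servers assigned by the remote peer via config payloads are written here and apply system-wide; only enable this for peers trusted to set your resolver.` The assignment-by-peer part is stated elsewhere in this commit's option text; the system-wide effect follows from the file being the resolver configuration.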
diff --git a/conf/plugins/resolve.opt b/conf/plugins/resolve.opt new file mode 100644 index 000000000..ce65eff9e --- /dev/null +++ b/conf/plugins/resolve.opt @@ -0,0 +1,11 @@ +charon.plugins.resolve.file = /etc/resolv.conf + File where to add DNS server entries. + +charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec. + Prefix used for interface names sent to resolvconf(8). + + Prefix used for interface names sent to **resolvconf**(8). The nameserver + address is appended to this prefix to make it unique. The result has to be + a valid interface name according to the rules defined by resolvconf. Also, + it should have a high priority according to the order defined in + **interface-order**(5). diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf new file mode 100644 index 000000000..6d4b73dd5 --- /dev/null +++ b/conf/plugins/socket-default.conf @@ -0,0 +1,20 @@ +socket-default { + + # Firewall mark to set on outbound packets. + # fwmark = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Set source address on outbound packets, if possible. + # set_source = yes + + # Listen on IPv4, if possible. + # use_ipv4 = yes + + # Listen on IPv6, if possible. + # use_ipv6 = yes + +} + diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt new file mode 100644 index 000000000..483a0f03d --- /dev/null +++ b/conf/plugins/socket-default.opt @@ -0,0 +1,11 @@ +charon.plugins.socket-default.fwmark = + Firewall mark to set on outbound packets. + +charon.plugins.socket-default.set_source = yes + Set source address on outbound packets, if possible. + +charon.plugins.socket-default.use_ipv4 = yes + Listen on IPv4, if possible. + +charon.plugins.socket-default.use_ipv6 = yes + Listen on IPv6, if possible. diff --git a/conf/plugins/sql.conf b/conf/plugins/sql.conf new file mode 100644 index 000000000..094231b9c --- /dev/null +++ b/conf/plugins/sql.conf 
@@ -0,0 +1,15 @@
+sql {
+
+ # Database URI for charon's SQL plugin. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Loglevel for logging to SQL database.
+ # loglevel = -1
+
+}
+
diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt
new file mode 100644
index 000000000..f573bba7e
--- /dev/null
+++ b/conf/plugins/sql.opt
@@ -0,0 +1,6 @@
+charon.plugins.sql.database =
+ Database URI for charon's SQL plugin. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+charon.plugins.sql.loglevel = -1
+ Loglevel for logging to SQL database.
diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf
new file mode 100644
index 000000000..6dd063053
--- /dev/null
+++ b/conf/plugins/stroke.conf
@@ -0,0 +1,24 @@
+stroke {
+
+ # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ # certificates even if they don't contain a CA basic constraint.
+ # ignore_missing_ca_basic_constraint = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of stroke messages handled concurrently.
+ # max_concurrent = 4
+
+ # If enabled log level changes via stroke socket are not allowed.
+ # prevent_loglevel_changes = no
+
+ # Socket provided by the stroke plugin.
+ # socket = unix://${piddir}/charon.ctl
+
+ # Timeout in ms for any stroke command. Use 0 to disable the timeout.
+ # timeout = 0
+
+}
+
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
new file mode 100644
index 000000000..2cfc2c6fa
--- /dev/null
+++ b/conf/plugins/stroke.opt
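Review bot: The `ignore_missing_ca_basic_constraint` comment in the stroke section describes the mechanism but not its consequence: once enabled, every certificate placed in ipsec.d/cacerts or an ipsec.conf ca section becomes a trust anchor even when it is an end-entity certificate, which is precisely what the basicConstraints check exists to prevent. I would add a line to that comment: `# WARNING: enabling this turns any certificate in those locations into a trust anchor; keep it off unless every file there is under your control.` The `timeout = 0` default further down could also note that with the timeout disabled a stalled command keeps one of the `max_concurrent` slots until it finishes, if that is how the two settings interact — I cannot confirm that from this hunk.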
@@ -0,0 +1,15 @@ +charon.plugins.stroke.ignore_missing_ca_basic_constraint = no + Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA + certificates even if they don't contain a CA basic constraint. + +charon.plugins.stroke.max_concurrent = 4 + Maximum number of stroke messages handled concurrently. + +charon.plugins.stroke.prevent_loglevel_changes = no + If enabled log level changes via stroke socket are not allowed. + +charon.plugins.stroke.socket = unix://${piddir}/charon.ctl + Socket provided by the stroke plugin. + +charon.plugins.stroke.timeout = 0 + Timeout in ms for any stroke command. Use 0 to disable the timeout. diff --git a/conf/plugins/systime-fix.conf b/conf/plugins/systime-fix.conf new file mode 100644 index 000000000..f5cd4cd5d --- /dev/null +++ b/conf/plugins/systime-fix.conf @@ -0,0 +1,22 @@ +systime-fix { + + # Interval in seconds to check system time for validity. 0 disables the + # check. + # interval = 0 + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Whether to use reauth or delete if an invalid cert lifetime is detected. + # reauth = no + + # Threshold date where system time is considered valid. Disabled if not + # specified. + # threshold = + + # strptime(3) format used to parse threshold option. + # threshold_format = %Y + +} + diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt new file mode 100644 index 000000000..7abd03627 --- /dev/null +++ b/conf/plugins/systime-fix.opt 
@@ -0,0 +1,12 @@ +charon.plugins.systime-fix.interval = 0 + Interval in seconds to check system time for validity. 0 disables the check. + +charon.plugins.systime-fix.reauth = no + Whether to use reauth or delete if an invalid cert lifetime is detected. + +charon.plugins.systime-fix.threshold = + Threshold date where system time is considered valid. Disabled if not + specified. + +charon.plugins.systime-fix.threshold_format = %Y + **strptime**(3) format used to parse threshold option. diff --git a/conf/plugins/tnc-ifmap.conf b/conf/plugins/tnc-ifmap.conf new file mode 100644 index 000000000..02f7c881f --- /dev/null +++ b/conf/plugins/tnc-ifmap.conf @@ -0,0 +1,30 @@ +tnc-ifmap { + + # Path to X.509 certificate file of IF-MAP client. + # client_cert = + + # Path to private key file of IF-MAP client. + # client_key = + + # Unique name of strongSwan server as a PEP and/or PDP device. + # device_name = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Interval in seconds between periodic IF-MAP RenewSession requests. + # renew_session_interval = 150 + + # Path to X.509 certificate file of IF-MAP server. + # server_cert = + + # URI of the form [https://]servername[:port][/path]. + # server_uri = https://localhost:8444/imap + + # Credentials of IF-MAP client of the form username:password. If set, make + # sure to adjust the permissions of the config file accordingly. + # username_password = + +} + diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt new file mode 100644 index 000000000..155c30697 --- /dev/null +++ b/conf/plugins/tnc-ifmap.opt 
@@ -0,0 +1,21 @@ +charon.plugins.tnc-ifmap.client_cert = + Path to X.509 certificate file of IF-MAP client. + +charon.plugins.tnc-ifmap.client_key = + Path to private key file of IF-MAP client. + +charon.plugins.tnc-ifmap.device_name = + Unique name of strongSwan server as a PEP and/or PDP device. + +charon.plugins.tnc-ifmap.renew_session_interval = 150 + Interval in seconds between periodic IF-MAP RenewSession requests. + +charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap + URI of the form [https://]servername[:port][/path]. + +charon.plugins.tnc-ifmap.server_cert = + Path to X.509 certificate file of IF-MAP server. + +charon.plugins.tnc-ifmap.username_password = + Credentials of IF-MAP client of the form username:password. If set, make + sure to adjust the permissions of the config file accordingly. diff --git a/conf/plugins/tnc-imc.conf b/conf/plugins/tnc-imc.conf new file mode 100644 index 000000000..f517abcaf --- /dev/null +++ b/conf/plugins/tnc-imc.conf @@ -0,0 +1,14 @@ +tnc-imc { + + # Unload IMC after use. + # dlclose = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Preferred language for TNC recommendations. + # preferred_language = en + +} + diff --git a/conf/plugins/tnc-imc.opt b/conf/plugins/tnc-imc.opt new file mode 100644 index 000000000..7c9af2a30 --- /dev/null +++ b/conf/plugins/tnc-imc.opt @@ -0,0 +1,5 @@ +charon.plugins.tnc-imc.dlclose = yes + Unload IMC after use. + +charon.plugins.tnc-imc.preferred_language = en + Preferred language for TNC recommendations. diff --git a/conf/plugins/tnc-imv.conf b/conf/plugins/tnc-imv.conf new file mode 100644 index 000000000..799421983 --- /dev/null +++ b/conf/plugins/tnc-imv.conf 
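Review bot: `charon.plugins.tnc-ifmap.server_cert` has an empty default and its text does not say what happens when no server certificate is configured — whether the IF-MAP server's TLS certificate is then checked against the configured CA certificates or not checked at all. Because `username_password` is sent over that TLS session, the answer decides whether the credential can be captured by a spoofed server, so the option text should state it, e.g. `If not set, the server certificate is verified against the configured CA certificates.` — or the opposite, whichever the plugin does; this hunk does not show it. The `server_uri` line, with its optional `[https://]` scheme, should likewise say whether a plain `http://` URI is accepted.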
@@ -0,0 +1,14 @@ +tnc-imv { + + # Unload IMV after use. + # dlclose = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # TNC recommendation policy, one of default, any, or all. + # recommendation_policy = default + +} + diff --git a/conf/plugins/tnc-imv.opt b/conf/plugins/tnc-imv.opt new file mode 100644 index 000000000..788753ce7 --- /dev/null +++ b/conf/plugins/tnc-imv.opt @@ -0,0 +1,5 @@ +charon.plugins.tnc-imv.dlclose = yes + Unload IMV after use. + +charon.plugins.tnc-imv.recommendation_policy = default + TNC recommendation policy, one of _default_, _any_, or _all_. diff --git a/conf/plugins/tnc-pdp.conf b/conf/plugins/tnc-pdp.conf new file mode 100644 index 000000000..d9e926c9e --- /dev/null +++ b/conf/plugins/tnc-pdp.conf @@ -0,0 +1,41 @@ +tnc-pdp { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Name of the strongSwan PDP as contained in the AAA certificate. + # server = + + # Timeout in seconds before closing incomplete connections. + # timeout = + + pt_tls { + + # Enable PT-TLS protocol on the strongSwan PDP. + # enable = yes + + # PT-TLS server port the strongSwan PDP is listening on. + # port = 271 + + } + + radius { + + # Enable RADIUS protocol on the strongSwan PDP. + # enable = yes + + # EAP tunnel method to be used. + # method = ttls + + # RADIUS server port the strongSwan PDP is listening on. + # port = 1812 + + # Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure + # to adjust the permissions of the config file accordingly. + # secret = + + } + +} + diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt new file mode 100644 index 000000000..22b00db5e --- /dev/null +++ b/conf/plugins/tnc-pdp.opt 
@@ -0,0 +1,24 @@ +charon.plugins.tnc-pdp.pt_tls.enable = yes + Enable PT-TLS protocol on the strongSwan PDP. + +charon.plugins.tnc-pdp.pt_tls.port = 271 + PT-TLS server port the strongSwan PDP is listening on. + +charon.plugins.tnc-pdp.radius.enable = yes + Enable RADIUS protocol on the strongSwan PDP. + +charon.plugins.tnc-pdp.radius.method = ttls + EAP tunnel method to be used. + +charon.plugins.tnc-pdp.radius.port = 1812 + RADIUS server port the strongSwan PDP is listening on. + +charon.plugins.tnc-pdp.radius.secret = + Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to + adjust the permissions of the config file accordingly. + +charon.plugins.tnc-pdp.server = + Name of the strongSwan PDP as contained in the AAA certificate. + +charon.plugins.tnc-pdp.timeout = + Timeout in seconds before closing incomplete connections. diff --git a/conf/plugins/tnccs-11.conf b/conf/plugins/tnccs-11.conf new file mode 100644 index 000000000..9b99786b2 --- /dev/null +++ b/conf/plugins/tnccs-11.conf @@ -0,0 +1,11 @@ +tnccs-11 { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum size of a PA-TNC message (XML & Base64 encoding). + # max_message_size = 45000 + +} + diff --git a/conf/plugins/tnccs-11.opt b/conf/plugins/tnccs-11.opt new file mode 100644 index 000000000..eb313fe06 --- /dev/null +++ b/conf/plugins/tnccs-11.opt @@ -0,0 +1,2 @@ +charon.plugins.tnccs-11.max_message_size = 45000 + Maximum size of a PA-TNC message (XML & Base64 encoding). diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf new file mode 100644 index 000000000..9a57ee14d --- /dev/null +++ b/conf/plugins/tnccs-20.conf 
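Review bot: `charon.plugins.tnc-pdp.timeout` is described as "Timeout in seconds before closing incomplete connections" but carries no default, so a reader cannot tell whether an unconfigured PDP ever closes half-finished PT-TLS or RADIUS sessions or holds them until the peer gives up. The other keys in this hunk put the effective default on the key line (e.g. `charon.plugins.tnc-pdp.pt_tls.port = 271`); this one should do the same, or end with `If not set, incomplete connections are never closed.` if that is the behaviour. I cannot determine the actual default from this hunk.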
@@ -0,0 +1,14 @@ +tnccs-20 { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529). + # max_batch_size = 65522 + + # Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). + # max_message_size = 65490 + +} + diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt new file mode 100644 index 000000000..b15bc3fa1 --- /dev/null +++ b/conf/plugins/tnccs-20.opt @@ -0,0 +1,5 @@ +charon.plugins.tnccs-20.max_batch_size = 65522 + Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529). + +charon.plugins.tnccs-20.max_message_size = 65490 + Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). diff --git a/conf/plugins/unbound.conf b/conf/plugins/unbound.conf new file mode 100644 index 000000000..8d3003118 --- /dev/null +++ b/conf/plugins/unbound.conf @@ -0,0 +1,17 @@ +unbound { + + # File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. + # dlv_anchors = + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # File to read DNS resolver configuration from. + # resolv_conf = /etc/resolv.conf + + # File to read DNSSEC trust anchors from (usually root zone KSK). + # trust_anchors = /etc/ipsec.d/dnssec.keys + +} + diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt new file mode 100644 index 000000000..f8ca9ca12 --- /dev/null +++ b/conf/plugins/unbound.opt 
@@ -0,0 +1,17 @@ +charon.plugins.unbound.resolv_conf = /etc/resolv.conf + File to read DNS resolver configuration from. + +charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys + File to read DNSSEC trust anchors from (usually root zone KSK). + + File to read DNSSEC trust anchors from (usually root zone KSK). The format + of the file is the standard DNS Zone file format, anchors can be stored as + DS or DNSKEY entries in the file. + +charon.plugins.unbound.dlv_anchors = + File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. + + File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It + uses the same format as _trust_anchors_. Only one DLV can be configured, + which is then used as a root trusted DLV, this means that it is a lookaside + for the root. diff --git a/conf/plugins/updown.conf b/conf/plugins/updown.conf new file mode 100644 index 000000000..8bcd330a8 --- /dev/null +++ b/conf/plugins/updown.conf @@ -0,0 +1,12 @@ +updown { + + # Whether the updown script should handle assigned DNS servers (if enabled + # they can't be handled by other plugins, like resolve). + # dns_handler = no + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/updown.opt b/conf/plugins/updown.opt new file mode 100644 index 000000000..d8bcc82ab --- /dev/null +++ b/conf/plugins/updown.opt @@ -0,0 +1,7 @@ +charon.plugins.updown.dns_handler = no + Whether the updown script should handle assigned DNS servers (if enabled + they can't be handled by other plugins, like resolve). + + Whether the updown script should handle DNS servers assigned via IKEv1 Mode + Config or IKEv2 Config Payloads (if enabled they can't be handled by other + plugins, like resolve) diff --git a/conf/plugins/whitelist.conf b/conf/plugins/whitelist.conf new file mode 100644 index 000000000..c68358bf2 --- /dev/null +++ b/conf/plugins/whitelist.conf 
@@ -0,0 +1,14 @@ +whitelist { + + # Enable loaded whitelist plugin. + # enable = yes + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Socket provided by the whitelist plugin. + # socket = unix://${piddir}/charon.wlst + +} + diff --git a/conf/plugins/whitelist.opt b/conf/plugins/whitelist.opt new file mode 100644 index 000000000..023f7e235 --- /dev/null +++ b/conf/plugins/whitelist.opt @@ -0,0 +1,6 @@ +charon.plugins.whitelist.enable = yes + Enable loaded whitelist plugin. + +charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst + Socket provided by the whitelist plugin. + diff --git a/conf/plugins/xauth-eap.conf b/conf/plugins/xauth-eap.conf new file mode 100644 index 000000000..25ea2aa36 --- /dev/null +++ b/conf/plugins/xauth-eap.conf @@ -0,0 +1,11 @@ +xauth-eap { + + # EAP plugin to be used as backend for XAuth credential verification. + # backend = radius + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/conf/plugins/xauth-eap.opt b/conf/plugins/xauth-eap.opt new file mode 100644 index 000000000..1663f935c --- /dev/null +++ b/conf/plugins/xauth-eap.opt @@ -0,0 +1,2 @@ +charon.plugins.xauth-eap.backend = radius + EAP plugin to be used as backend for XAuth credential verification. diff --git a/conf/plugins/xauth-pam.conf b/conf/plugins/xauth-pam.conf new file mode 100644 index 000000000..aeba19195 --- /dev/null +++ b/conf/plugins/xauth-pam.conf @@ -0,0 +1,18 @@ +xauth-pam { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # PAM service to be used for authentication. + # pam_service = login + + # Open/close a PAM session for each active IKE_SA. + # session = no + + # If an email address is received as an XAuth username, trim it to just the + # username part. + # trim_email = yes + +} + 
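Review bot: The `trim_email = yes` comment in the xauth-pam section should say what the trimming does to identity: with it on, `alice@example.org` and `alice@attacker.test` both authenticate as the PAM user `alice`, so the domain part of an XAuth username carries no weight in the PAM check. I would extend the comment with `# The domain part is discarded, so different e-mail identities sharing a local part map to the same PAM account.` That follows directly from the documented behaviour; whether the domain is checked anywhere else is not visible in this hunk.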
diff --git a/conf/plugins/xauth-pam.opt b/conf/plugins/xauth-pam.opt
new file mode 100644
index 000000000..637dea6a6
--- /dev/null
+++ b/conf/plugins/xauth-pam.opt
@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+ PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+ Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+ If an email address is received as an XAuth username, trim it to just the
+ username part.
diff --git a/conf/strongswan.conf b/conf/strongswan.conf
new file mode 100644
index 000000000..d90672861
--- /dev/null
+++ b/conf/strongswan.conf
@@ -0,0 +1,14 @@
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+}
+
+include strongswan.d/*.conf
diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in
new file mode 100644
index 000000000..23454e758
--- /dev/null
+++ b/conf/strongswan.conf.5.head.in
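Review bot: The two `include` lines in strongswan.conf load every `*.conf` under `strongswan.d/` and `strongswan.d/charon/`, resolved relative to this file, so anyone who can create a file in those directories can set arbitrary daemon options — with `load_modular = yes` that includes which plugins get loaded. The header comment tells users to make changes in the included files but not that those directories must stay writable by root only; I would add `# Only root should be able to write to strongswan.d/: every *.conf placed there is parsed with full effect.` Whether the installed directory permissions already enforce this is outside this hunk.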
@@ -0,0 +1,127 @@ +.TH STRONGSWAN.CONF 5 "" "@PACKAGE_VERSION@" "strongSwan" +.SH NAME +strongswan.conf \- strongSwan configuration file +.SH DESCRIPTION +While the +.IR ipsec.conf (5) +configuration file is well suited to define IPsec related configuration +parameters, it is not useful for other strongSwan applications to read options +from this file. +The file is hard to parse and only +.I ipsec starter +is capable of doing so. As the number of components of the strongSwan project +is continually growing, a more flexible configuration file was needed, one that +is easy to extend and can be used by all components. With strongSwan 4.2.1 +.IR strongswan.conf (5) +was introduced which meets these requirements. + +.SH SYNTAX +The format of the strongswan.conf file consists of hierarchical +.B sections +and a list of +.B key/value pairs +in each section. Each section has a name, followed by C-Style curly brackets +defining the section body. Each section body contains a set of subsections +and key/value pairs: +.PP +.EX + settings := (section|keyvalue)* + section := name { settings } + keyvalue := key = value\\n +.EE +.PP +Values must be terminated by a newline. +.PP +Comments are possible using the \fB#\fP-character, but be careful: The parser +implementation is currently limited and does not like brackets in comments. +.PP +Section names and keys may contain any printable character except: +.PP +.EX + . { } # \\n \\t space +.EE +.PP +An example file in this format might look like this: +.PP +.EX + a = b + section-one { + somevalue = asdf + subsection { + othervalue = xxx + } + # yei, a comment + yetanother = zz + } + section-two { + x = 12 + } +.EE +.PP +Indentation is optional, you may use tabs or spaces. + +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. 
+.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + +.SH READING VALUES +Values are accessed using a dot-separated section list and a key. +With reference to the example above, accessing +.B section-one.subsection.othervalue +will return +.BR xxx . + +.SH DEFINED KEYS +The following keys are currently defined (using dot notation). The default +value (if any) is listed in brackets after the key. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main new file mode 100644 index 000000000..282b8fa70 --- /dev/null +++ b/conf/strongswan.conf.5.main 
@@ -0,0 +1,1664 @@ +.TP +.BR attest.database " []" +File measurement information database URI. If it contains a password, make sure +to adjust the permissions of the config file accordingly. + +.TP +.BR attest.load " []" +Plugins to load in ipsec attest tool. + +.TP +.B charon +.br +Options for the charon IKE daemon. + +.RB "" "Note" ":" +Many of the options in this section also apply to +.RB "" "charon\-cmd" "" +and +other +.RB "" "charon" "" +derivatives. Just use their respective name (e.g. +.RB "" "charon\-cmd" "" +instead of +.RB "" "charon" ")." +For many options defaults can be defined +in the +.RB "" "libstrongswan" "" +section. + +.TP +.BR charon.block_threshold " [5]" +Maximum number of half\-open IKE_SAs for a single peer IP. + +.TP +.BR charon.cert_cache " [yes]" +Whether relations in validated certificate chains should be cached in memory. + +.TP +.BR charon.cisco_unity " [no]" +Send Cisco Unity vendor ID payload (IKEv1 only). + +.TP +.BR charon.close_ike_on_child_failure " [no]" +Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + +.TP +.BR charon.cookie_threshold " [10]" +Number of half\-open IKE_SAs that activate the cookie mechanism. + +.TP +.BR charon.dh_exponent_ansi_x9_42 " [yes]" +Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic +strength. + +.TP +.BR charon.dns1 " []" +DNS server assigned to peer via configuration payload (CP). + +.TP +.BR charon.dns2 " []" +DNS server assigned to peer via configuration payload (CP). + +.TP +.BR charon.dos_protection " [yes]" +Enable Denial of Service protection using cookies and aggressiveness checks. + +.TP +.BR charon.ecp_x_coordinate_only " [yes]" +Compliance with the errata for RFC 4753. + +.TP +.BR charon.flush_auth_cfg " [no]" +If enabled objects used during authentication (certificates, identities etc.) +are released to free memory once an IKE_SA is established. Enabling this might +conflict with plugins that later need access to e.g. the used certificates. 
+ +.TP +.BR charon.fragment_size " [512]" +Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 +fragmentation extension. + +.TP +.BR charon.group " []" +Name of the group the daemon changes to after startup. + +.TP +.BR charon.half_open_timeout " [30]" +Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + +.TP +.BR charon.hash_and_url " [no]" +Enable hash and URL support. + +.TP +.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" +If enabled responders are allowed to use IKEv1 Aggressive Mode with pre\-shared +keys, which is discouraged due to security concerns (offline attacks on the +openly transmitted hash of the PSK). + +.TP +.BR charon.ignore_routing_tables " []" +A space\-separated list of routing tables to be excluded from route lookups. + +.TP +.BR charon.ikesa_limit " [0]" +Maximum number of IKE_SAs that can be established at the same time before new +connection attempts are blocked. + +.TP +.BR charon.ikesa_table_segments " [1]" +Number of exclusively locked segments in the hash table. + +.TP +.BR charon.ikesa_table_size " [1]" +Size of the IKE_SA hash table. + +.TP +.BR charon.inactivity_close_ike " [no]" +Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + +.TP +.BR charon.init_limit_half_open " [0]" +Limit new connections based on the current number of half open IKE_SAs, see +IKE_SA_INIT DROPPING in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.init_limit_job_load " [0]" +Limit new connections based on the number of jobs currently queued for +processing (see IKE_SA_INIT DROPPING). + +.TP +.BR charon.initiator_only " [no]" +Causes charon daemon to ignore IKE initiation requests. + +.TP +.BR charon.install_routes " [yes]" +Install routes into a separate routing table for established IPsec tunnels. + +.TP +.BR charon.install_virtual_ip " [yes]" +Install virtual IP addresses. 
+ +.TP +.BR charon.install_virtual_ip_on " []" +The name of the interface on which virtual IP addresses should be installed. If +not specified the addresses will be installed on the outbound interface. + +.TP +.BR charon.integrity_test " [no]" +Check daemon, libstrongswan and plugin integrity at startup. + +.TP +.BR charon.interfaces_ignore " []" +A comma\-separated list of network interfaces that should be ignored, if +.RB "" "interfaces_use" "" +is specified this option has no effect. + +.TP +.BR charon.interfaces_use " []" +A comma\-separated list of network interfaces that should be used by charon. All +other interfaces are ignored. + +.TP +.BR charon.keep_alive " [20s]" +NAT keep alive interval. + +.TP +.BR charon.load " []" +Plugins to load in the IKE daemon charon. + +.TP +.BR charon.load_modular " [no]" +If enabled, the list of plugins to load is determined via the value of the +.RI "" "charon.plugins.<name>.load" "" +options. In addition to a simple boolean flag that +option may take an integer value indicating the priority of a plugin, which +would influence the order of a plugin in the plugin list (the default is 1). If +two plugins have the same priority their order in the default plugin list is +preserved. Enabled plugins not found in that list are ordered alphabetically +before other plugins with the same priority. + +.TP +.BR charon.max_packet " [10000]" +Maximum packet size accepted by charon. + +.TP +.BR charon.multiple_authentication " [yes]" +Enable multiple authentication exchanges (RFC 4739). + +.TP +.BR charon.nbns1 " []" +WINS servers assigned to peer via configuration payload (CP). + +.TP +.BR charon.nbns2 " []" +WINS servers assigned to peer via configuration payload (CP). + +.TP +.BR charon.port " [500]" +UDP port used locally. If set to 0 a random port will be allocated. + +.TP +.BR charon.port_nat_t " [4500]" +UDP port used locally in case of NAT\-T. If set to 0 a random port will be +allocated. 
Has to be different from +.RB "" "charon.port" "," +otherwise a random port +will be allocated. + +.TP +.BR charon.process_route " [yes]" +Process RTM_NEWROUTE and RTM_DELROUTE events. + +.TP +.BR charon.receive_delay " [0]" +Delay in ms for receiving packets, to simulate larger RTT. + +.TP +.BR charon.receive_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.receive_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.receive_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.replay_window " [32]" +Size of the AH/ESP replay window, in packets. + +.TP +.BR charon.retransmit_base " [1.8]" +Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon.retransmit_timeout " [4.0]" +Timeout in seconds before sending first retransmit. + +.TP +.BR charon.retransmit_tries " [5]" +Number of times to retransmit a packet before giving up. + +.TP +.BR charon.retry_initiate_interval " [0]" +Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution +failed), 0 to disable retries. + +.TP +.BR charon.reuse_ikesa " [yes]" +Initiate CHILD_SA within existing IKE_SAs. + +.TP +.BR charon.routing_table " []" +Numerical routing table to install routes to. + +.TP +.BR charon.routing_table_prio " []" +Priority of the routing table. + +.TP +.BR charon.send_delay " [0]" +Delay in ms for sending packets, to simulate larger RTT. + +.TP +.BR charon.send_delay_request " [yes]" +Delay request messages. + +.TP +.BR charon.send_delay_response " [yes]" +Delay response messages. + +.TP +.BR charon.send_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any. + +.TP +.BR charon.send_vendor_id " [no]" +Send strongSwan vendor ID payload + +.TP +.BR charon.threads " [16]" +Number of worker threads in charon. Several of these are reserved for long +running tasks in internal modules and plugins. 
Therefore, make sure you don't +set this value too low. The number of idle worker threads listed in +.RI "" "ipsec statusall" "" +might be used as indicator on the number of reserved threads. + +.TP +.BR charon.user " []" +Name of the user the daemon changes to after startup. + +.TP +.BR charon.crypto_test.bench " [no]" +Benchmark crypto algorithms and order them by efficiency. + +.TP +.BR charon.crypto_test.bench_size " [1024]" +Buffer size used for crypto benchmark. + +.TP +.BR charon.crypto_test.bench_time " [50]" +Number of iterations to test each algorithm. + +.TP +.BR charon.crypto_test.on_add " [no]" +Test crypto algorithms during registration (requires test vectors provided by +the +.RI "" "test\-vectors" "" +plugin). + +.TP +.BR charon.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation. + +.TP +.BR charon.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm. + +.TP +.BR charon.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy. + +.TP +.B charon.filelog +.br +Section to define file loggers, see LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.B charon.filelog.<filename> +.br +<filename> is the full path to the log file. + +.TP +.BR charon.filelog.<filename>.<subsystem> " [<default>]" +Loglevel for a specific subsystem. + +.TP +.BR charon.filelog.<filename>.append " [yes]" +If this option is enabled log entries are appended to the existing file. + +.TP +.BR charon.filelog.<filename>.default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. + +.TP +.BR charon.filelog.<filename>.flush_line " [no]" +Enabling this option disables block buffering and enables line buffering. + +.TP +.BR charon.filelog.<filename>.ike_name " [no]" +Prefix each log entry with the connection name and a unique numerical identifier +for each IKE_SA. 
+ +.TP +.BR charon.filelog.<filename>.time_format " []" +Prefix each log entry with a timestamp. The option accepts a format string as +passed to +.RB "" "strftime" "(3)." + + +.TP +.BR charon.host_resolver.max_threads " [3]" +Maximum number of concurrent resolver threads (they are terminated if unused). + +.TP +.BR charon.host_resolver.min_threads " [0]" +Minimum number of resolver threads to keep around. + +.TP +.B charon.imcv +.br +Defaults for options in this section can be configured in the +.RI "" "libimcv" "" +section. + +.TP +.BR charon.imcv.assessment_result " [yes]" +Whether IMVs send a standard IETF Assessment Result attribute. + +.TP +.BR charon.imcv.database " []" +Global IMV policy database URI. If it contains a password, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.imcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies. + +.TP +.BR charon.imcv.os_info.name " []" +Manually set the name of the client OS (e.g. Ubuntu). + +.TP +.BR charon.imcv.os_info.version " []" +Manually set the version of the client OS (e.g. 12.04 i686). + +.TP +.BR charon.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output. + +.TP +.BR charon.leak_detective.usage_threshold " [10240]" +Threshold in bytes for leaks to be reported (0 to report all). + +.TP +.BR charon.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all). + +.TP +.BR charon.plugins.android_log.loglevel " [1]" +Loglevel for logging to Android specific logger. + +.TP +.B charon.plugins.attr +.br +Section to specify arbitrary attributes that are assigned to a peer via +configuration payload (CP). 
+ +.TP +.BR charon.plugins.attr.<attr> " []" +.RB "" "<attr>" "" +can be either +.RI "" "address" "," +.RI "" "netmask" "," +.RI "" "dns" "," +.RI "" "nbns" "," +.RI "" "dhcp" "," +.RI "" "subnet" "," +.RI "" "split\-include" "," +.RI "" "split\-exclude" "" +or the numeric identifier of the attribute +type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation +or an arbitrary value depending on the attribute type. For some attribute types +multiple values may be specified as a comma separated list. + +.TP +.BR charon.plugins.attr-sql.database " []" +Database URI for attr\-sql plugin used by charon. If it contains a password, make +sure to adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.attr-sql.lease_history " [yes]" +Enable logging of SQL IP pool leases. + +.TP +.BR charon.plugins.certexpire.csv.cron " []" +Cron style string specifying CSV export times. + +.TP +.BR charon.plugins.certexpire.csv.empty_string " []" +String to use in empty intermediate CA fields. + +.TP +.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" +Use a fixed intermediate CA field count. + +.TP +.BR charon.plugins.certexpire.csv.force " [yes]" +Force export of all trustchains we have a private key for. + +.TP +.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" +.RB "" "strftime" "(3)" +format string to export expiration dates as. + +.TP +.BR charon.plugins.certexpire.csv.local " []" +.RB "" "strftime" "(3)" +format string for the CSV file name to export local certificates +to. + +.TP +.BR charon.plugins.certexpire.csv.remote " []" +.RB "" "strftime" "(3)" +format string for the CSV file name to export remote +certificates to. + +.TP +.BR charon.plugins.certexpire.csv.separator " [,]" +CSV field separator. + +.TP +.BR charon.plugins.coupling.file " []" +File to store coupling list to. + +.TP +.BR charon.plugins.coupling.hash " [sha1]" +Hashing algorithm to fingerprint coupled certificates. 
+ +.TP +.BR charon.plugins.coupling.max " [1]" +Maximum number of coupling entries to create. + +.TP +.BR charon.plugins.dhcp.force_server_address " [no]" +Always use the configured server address. This might be helpful if the DHCP +server runs on the same host as strongSwan, and the DHCP daemon does not listen +on the loopback interface. In that case the server cannot be reached via +unicast (or even 255.255.255.255) as that would be routed via loopback. Setting +this option to yes and configuring the local broadcast address (e.g. +192.168.0.255) as server address might work. + +.TP +.BR charon.plugins.dhcp.identity_lease " [no]" +Derive user\-defined MAC address from hash of IKE identity. + +.TP +.BR charon.plugins.dhcp.interface " []" +Interface name the plugin uses for address allocation. The default is to bind to +any (0.0.0.0) and let the system decide which way to route the packets to the +DHCP server. + +.TP +.BR charon.plugins.dhcp.server " [255.255.255.255]" +DHCP server unicast or broadcast IP address. + +.TP +.BR charon.plugins.dnscert.enable " [no]" +Enable fetching of CERT RRs via DNS. + +.TP +.BR charon.plugins.duplicheck.enable " [yes]" +Enable duplicheck plugin (if loaded). + +.TP +.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" +Socket provided by the duplicheck plugin. + +.TP +.BR charon.plugins.eap-aka.request_identity " [yes]" +.TP +.BR charon.plugins.eap-aka-3ggp2.seq_check " []" +.TP +.BR charon.plugins.eap-dynamic.prefer_user " [no]" +If enabled the EAP methods proposed in an EAP\-Nak message sent by the peer are +preferred over the methods registered locally. + +.TP +.BR charon.plugins.eap-dynamic.preferred " []" +The preferred EAP method(s) to be used. If it is not given the first registered +method will be used initially. If a comma separated list is given the methods +are tried in the given order before trying the rest of the registered methods. 
+ +.TP +.BR charon.plugins.eap-gtc.backend " [pam]" +XAuth backend to be used for credential verification. + +.TP +.BR charon.plugins.eap-peap.fragment_size " [1024]" +Maximum size of an EAP\-PEAP packet. + +.TP +.BR charon.plugins.eap-peap.include_length " [no]" +Include length in non\-fragmented EAP\-PEAP packets. + +.TP +.BR charon.plugins.eap-peap.max_message_count " [32]" +Maximum number of processed EAP\-PEAP packets (0 = no limit). + +.TP +.BR charon.plugins.eap-peap.phase2_method " [mschapv2]" +Phase2 EAP client authentication method. + +.TP +.BR charon.plugins.eap-peap.phase2_piggyback " [no]" +Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +.TP +.BR charon.plugins.eap-peap.phase2_tnc " [no]" +Start phase2 EAP TNC protocol after successful client authentication. + +.TP +.BR charon.plugins.eap-peap.request_peer_auth " [no]" +Request peer authentication based on a client certificate. + +.TP +.BR charon.plugins.eap-radius.accounting " [no]" +Send RADIUS accounting information to RADIUS servers. + +.TP +.BR charon.plugins.eap-radius.accounting_requires_vip " [no]" +If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. + +.TP +.BR charon.plugins.eap-radius.class_group " [no]" +Use the +.RI "" "class" "" +attribute sent in the RADIUS\-Accept message as group membership +information that is compared to the groups specified in the +.RB "" "rightgroups" "" +option in +.RB "" "ipsec.conf" "(5)." + + +.TP +.BR charon.plugins.eap-radius.close_all_on_timeout " [no]" +Closes all IKE_SAs if communication with the RADIUS server times out. If it is +not set only the current IKE_SA is closed. + +.TP +.BR charon.plugins.eap-radius.eap_start " [no]" +Send EAP\-Start instead of EAP\-Identity to start RADIUS conversation. 
+ +.TP +.BR charon.plugins.eap-radius.filter_id " [no]" +If the RADIUS +.RI "" "tunnel_type" "" +attribute with value +.RB "" "ESP" "" +is received, use the +.RI "" "filter_id" "" +attribute sent in the RADIUS\-Accept message as group membership +information that is compared to the groups specified in the +.RB "" "rightgroups" "" +option in +.RB "" "ipsec.conf" "(5)." + + +.TP +.BR charon.plugins.eap-radius.id_prefix " []" +Prefix to EAP\-Identity, some AAA servers use a IMSI prefix to select the EAP +method. + +.TP +.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]" +NAS\-Identifier to include in RADIUS messages. + +.TP +.BR charon.plugins.eap-radius.port " [1812]" +Port of RADIUS server (authentication). + +.TP +.BR charon.plugins.eap-radius.secret " []" +Shared secret between RADIUS and NAS. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP +.BR charon.plugins.eap-radius.server " []" +IP/Hostname of RADIUS server. + +.TP +.BR charon.plugins.eap-radius.sockets " [1]" +Number of sockets (ports) to use, increase for high load. + +.TP +.BR charon.plugins.eap-radius.dae.enable " [no]" +Enables support for the Dynamic Authorization Extension (RFC 5176). + +.TP +.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" +Address to listen for DAE messages from the RADIUS server. + +.TP +.BR charon.plugins.eap-radius.dae.port " [3799]" +Port to listen for DAE requests. + +.TP +.BR charon.plugins.eap-radius.dae.secret " []" +Shared secret used to verify/sign DAE messages. If set, make sure to adjust the +permissions of the config file accordingly. + +.TP +.BR charon.plugins.eap-radius.forward.ike_to_radius " []" +RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name +or attribute number, a colon can be used to specify vendor\-specific attributes, +e.g. Reply\-Message, or 11, or 36906:12). 
+ +.TP +.BR charon.plugins.eap-radius.forward.radius_to_ike " []" +Same as +.RI "" "charon.plugins.eap\-radius.forward.ike_to_radius" "" +but from RADIUS to +IKEv2, a strongSwan specific private notify (40969) is used to transmit the +attributes. + +.TP +.B charon.plugins.eap-radius.servers +.br +Section to specify multiple RADIUS servers. The +.RB "" "nas_identifier" "," +.RB "" "secret" "," +.RB "" "sockets" "" +and +.RB "" "port" "" +(or +.RB "" "auth_port" ")" +options can be specified for each +server. A server's IP/Hostname can be configured using the +.RB "" "address" "" +option. +The +.RB "" "acct_port" "" +[1813] option can be used to specify the port used for RADIUS +accounting. For each RADIUS server a priority can be specified using the +.RB "" "preference" "" +[0] option. + +.TP +.B charon.plugins.eap-radius.xauth +.br +Section to configure multiple XAuth authentication rounds via RADIUS. The +subsections define so called authentication profiles with arbitrary names. In +each profile section one or more XAuth types can be configured, with an assigned +message. For each type a separate XAuth exchange will be initiated and all +replies get concatenated into the User\-Password attribute, which then gets +verified over RADIUS. + +Available XAuth types are +.RB "" "password" "," +.RB "" "passcode" "," +.RB "" "nextpin" "," +and +.RB "" "answer" "." +This type is not relevant to strongSwan or the AAA server, but the +client may show a different dialog (along with the configured message). + +To use the configured profiles, they have to be configured in the respective +connection in +.RB "" "ipsec.conf" "(5)" +by appending the profile name, separated by a +colon, to the +.RB "" "xauth\-radius" "" +XAauth backend configuration in +.RI "" "rightauth" "" +or +.RI "" "rightauth2" "," +for instance, +.RI "" "rightauth2=xauth\-radius:profile" "." 
+ + +.TP +.BR charon.plugins.eap-sim.request_identity " [yes]" +.TP +.BR charon.plugins.eap-simaka-sql.database " []" +.TP +.BR charon.plugins.eap-simaka-sql.remove_used " [no]" +.TP +.BR charon.plugins.eap-tls.fragment_size " [1024]" +Maximum size of an EAP\-TLS packet. + +.TP +.BR charon.plugins.eap-tls.include_length " [yes]" +Include length in non\-fragmented EAP\-TLS packets. + +.TP +.BR charon.plugins.eap-tls.max_message_count " [32]" +Maximum number of processed EAP\-TLS packets (0 = no limit). + +.TP +.BR charon.plugins.eap-tnc.max_message_count " [10]" +Maximum number of processed EAP\-TNC packets (0 = no limit). + +.TP +.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" +IF\-TNCCS protocol version to be used +.RI "(" "tnccs\-1.1" "," +.RI "" "tnccs\-2.0" "," +.RI "" "tnccs\-dynamic" ")." + + +.TP +.BR charon.plugins.eap-ttls.fragment_size " [1024]" +Maximum size of an EAP\-TTLS packet. + +.TP +.BR charon.plugins.eap-ttls.include_length " [yes]" +Include length in non\-fragmented EAP\-TTLS packets. + +.TP +.BR charon.plugins.eap-ttls.max_message_count " [32]" +Maximum number of processed EAP\-TTLS packets (0 = no limit). + +.TP +.BR charon.plugins.eap-ttls.phase2_method " [md5]" +Phase2 EAP client authentication method. + +.TP +.BR charon.plugins.eap-ttls.phase2_piggyback " [no]" +Phase2 EAP Identity request piggybacked by server onto TLS Finished message. + +.TP +.BR charon.plugins.eap-ttls.phase2_tnc " [no]" +Start phase2 EAP TNC protocol after successful client authentication. + +.TP +.BR charon.plugins.eap-ttls.request_peer_auth " [no]" +Request peer authentication based on a client certificate. + +.TP +.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +Socket provided by the error\-notify plugin. + +.TP +.BR charon.plugins.gcrypt.quick_random " [no]" +Use faster random numbers in gcrypt; for testing only, produces weak keys! 
+ +.TP +.BR charon.plugins.ha.autobalance " [0]" +Interval in seconds to automatically balance handled segments between nodes. Set +to 0 to disable. + +.TP +.BR charon.plugins.ha.fifo_interface " [yes]" +.TP +.BR charon.plugins.ha.heartbeat_delay " [1000]" +.TP +.BR charon.plugins.ha.heartbeat_timeout " [2100]" +.TP +.BR charon.plugins.ha.local " []" +.TP +.BR charon.plugins.ha.monitor " [yes]" +.TP +.BR charon.plugins.ha.pools " []" +.TP +.BR charon.plugins.ha.remote " []" +.TP +.BR charon.plugins.ha.resync " [yes]" +.TP +.BR charon.plugins.ha.secret " []" +.TP +.BR charon.plugins.ha.segment_count " [1]" +.TP +.BR charon.plugins.imc-attestation.aik_blob " []" +AIK encrypted private key blob file. + +.TP +.BR charon.plugins.imc-attestation.aik_cert " []" +AIK certificate file. + +.TP +.BR charon.plugins.imc-attestation.aik_key " []" +AIK public key file. + +.TP +.BR charon.plugins.imc-attestation.nonce_len " [20]" +DH nonce length. + +.TP +.BR charon.plugins.imc-attestation.pcr17_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr17_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr17_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_after " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_before " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr18_meas " []" +Dummy data if the TBOOT log is not retrieved. + +.TP +.BR charon.plugins.imc-attestation.pcr_info " [yes]" +Whether to send pcr_before and pcr_after info. + +.TP +.BR charon.plugins.imc-attestation.use_quote2 " [yes]" +Use Quote2 AIK signature instead of Quote signature. + +.TP +.BR charon.plugins.imc-os.push_info " [yes]" +Send operating system info without being prompted. 
+ +.TP +.BR charon.plugins.imc-scanner.push_info " [yes]" +Send open listening ports without being prompted. + +.TP +.BR charon.plugins.imc-swid.swid_directory " [${prefix}/share]" +Directory where SWID tags are located. + +.TP +.BR charon.plugins.imc-test.additional_ids " [0]" +Number of additional IMC IDs. + +.TP +.BR charon.plugins.imc-test.command " [none]" +Command to be sent to the Test IMV. + +.TP +.BR charon.plugins.imc-test.dummy_size " [0]" +Size of dummy attribute to be sent to the Test IMV (0 = disabled). + +.TP +.BR charon.plugins.imc-test.retry " [no]" +Do a handshake retry. + +.TP +.BR charon.plugins.imc-test.retry_command " []" +Command to be sent to the Test IMV in the handshake retry. + +.TP +.BR charon.plugins.imv-attestation.cadir " []" +Path to directory with AIK cacerts. + +.TP +.BR charon.plugins.imv-attestation.dh_group " [ecp256]" +Preferred Diffie\-Hellman group. + +.TP +.BR charon.plugins.imv-attestation.hash_algorithm " [sha256]" +Preferred measurement hash algorithm. + +.TP +.BR charon.plugins.imv-attestation.min_nonce_len " [0]" +DH minimum nonce length. + +.TP +.BR charon.plugins.imv-os.remediation_uri " []" +URI pointing to operating system remediation instructions. + +.TP +.BR charon.plugins.imv-scanner.remediation_uri " []" +URI pointing to scanner remediation instructions. + +.TP +.BR charon.plugins.imv-test.rounds " [0]" +Number of IMC\-IMV retry rounds. + +.TP +.BR charon.plugins.ipseckey.enable " [no]" +Enable fetching of IPSECKEY RRs via DNS. + +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" +Number of ipsecN devices. + +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" +Set MTU of ipsecN device. + +.TP +.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]" +Allow that the remote traffic selector equals the IKE peer. The route installed +for such traffic (via TUN device) usually prevents further IKE traffic. 
The +fwmark options for the +.RI "" "kernel\-netlink" "" +and +.RI "" "socket\-default" "" +plugins can be used +to circumvent that problem. + +.TP +.BR charon.plugins.kernel-netlink.fwmark " []" +Firewall mark to set on the routing rule that directs traffic to our routing +table. The format is [!]mark[/mask], where the optional exclamation mark inverts +the meaning (i.e. the rule only applies to packets that don't match the mark). + +.TP +.BR charon.plugins.kernel-netlink.roam_events " [yes]" +Whether to trigger roam events when interfaces, addresses or routes change. + +.TP +.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" +Lifetime of XFRM acquire state in kernel. The value gets written to +/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM +acquire messages sent. + +.TP +.BR charon.plugins.kernel-pfroute.vip_wait " [1000]" +Time in ms to wait until virtual IP addresses appear/disappear before failing. + +.TP +.BR charon.plugins.led.activity_led " []" +.TP +.BR charon.plugins.led.blink_time " [50]" +.TP +.B charon.plugins.load-tester +.br +Section to configure the load\-tester plugin, see LOAD TESTS in +.RB "" "strongswan.conf" "(5)" +for details. + +.TP +.BR charon.plugins.load-tester.addrs_keep " [no]" +Whether to keep dynamic addresses even after the associated SA got terminated. + +.TP +.BR charon.plugins.load-tester.addrs_prefix " [16]" +Network prefix length to use when installing dynamic addresses. If set to \-1 the +full address is used (i.e. 32 or 128). + +.TP +.BR charon.plugins.load-tester.ca_dir " []" +Directory to load (intermediate) CA certificates from. + +.TP +.BR charon.plugins.load-tester.child_rekey " [600]" +Seconds to start CHILD_SA rekeying after setup. + +.TP +.BR charon.plugins.load-tester.delay " [0]" +Delay between initiatons for each thread. + +.TP +.BR charon.plugins.load-tester.delete_after_established " [no]" +Delete an IKE_SA as soon as it has been established. 
+ +.TP +.BR charon.plugins.load-tester.digest " [sha1]" +Digest algorithm used when issuing certificates. + +.TP +.BR charon.plugins.load-tester.dpd_delay " [0]" +DPD delay to use in load test. + +.TP +.BR charon.plugins.load-tester.dynamic_port " [0]" +Base port to be used for requests (each client uses a different port). + +.TP +.BR charon.plugins.load-tester.eap_password " [default-pwd]" +EAP secret to use in load test. + +.TP +.BR charon.plugins.load-tester.enable " [no]" +Enable the load testing plugin. +.RB "" "WARNING" ":" +Never enable this plugin on +productive systems. It provides preconfigured credentials and allows an attacker +to authenticate as any user. + +.TP +.BR charon.plugins.load-tester.esp " [aes128-sha1]" +CHILD_SA proposal to use for load tests. + +.TP +.BR charon.plugins.load-tester.fake_kernel " [no]" +Fake the kernel interface to allow load\-testing against self. + +.TP +.BR charon.plugins.load-tester.ike_rekey " [0]" +Seconds to start IKE_SA rekeying after setup. + +.TP +.BR charon.plugins.load-tester.init_limit " [0]" +Global limit of concurrently established SAs during load test. + +.TP +.BR charon.plugins.load-tester.initiator " [0.0.0.0]" +Address to initiate from. + +.TP +.BR charon.plugins.load-tester.initiator_auth " [pubkey]" +Authentication method(s) the intiator uses. + +.TP +.BR charon.plugins.load-tester.initiator_id " []" +Initiator ID used in load test. + +.TP +.BR charon.plugins.load-tester.initiator_match " []" +Initiator ID to match against as responder. + +.TP +.BR charon.plugins.load-tester.initiator_tsi " []" +Traffic selector on initiator side, as proposed by initiator. + +.TP +.BR charon.plugins.load-tester.initiator_tsr " []" +Traffic selector on responder side, as proposed by initiator. + +.TP +.BR charon.plugins.load-tester.initiators " [0]" +Number of concurrent initiator threads to use in load test. 
+ +.TP +.BR charon.plugins.load-tester.issuer_cert " []" +Path to the issuer certificate (if not configured a hard\-coded default value is +used). + +.TP +.BR charon.plugins.load-tester.issuer_key " []" +Path to private key that is used to issue certificates (if not configured a +hard\-coded default value is used). + +.TP +.BR charon.plugins.load-tester.iterations " [1]" +Number of IKE_SAs to initiate by each initiator in load test. + +.TP +.BR charon.plugins.load-tester.mode " [tunnel]" +IPsec mode to use, one of +.RI "" "tunnel" "," +.RI "" "transport" "," +or +.RI "" "beet" "." + + +.TP +.BR charon.plugins.load-tester.pool " []" +Provide INTERNAL_IPV4_ADDRs from a named pool. + +.TP +.BR charon.plugins.load-tester.preshared_key " [<default-psk>]" +Preshared key to use in load test. + +.TP +.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" +IKE proposal to use in load test. + +.TP +.BR charon.plugins.load-tester.request_virtual_ip " [no]" +Request an INTERNAL_IPV4_ADDR from the server. + +.TP +.BR charon.plugins.load-tester.responder " [127.0.0.1]" +Address to initiation connections to. + +.TP +.BR charon.plugins.load-tester.responder_auth " [pubkey]" +Authentication method(s) the responder uses. + +.TP +.BR charon.plugins.load-tester.responder_id " []" +Responder ID used in load test. + +.TP +.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" +Traffic selector on initiator side, as narrowed by responder. + +.TP +.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" +Traffic selector on responder side, as narrowed by responder. + +.TP +.BR charon.plugins.load-tester.shutdown_when_complete " [no]" +Shutdown the daemon after all IKE_SAs have been established. + +.TP +.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" +Socket provided by the load\-tester plugin. + +.TP +.BR charon.plugins.load-tester.version " [0]" +IKE version to use (0 means use IKEv2 as initiator and accept any version as +responder). 
+ +.TP +.B charon.plugins.load-tester.addrs +.br +Section that contains key/value pairs with address pools (in CIDR notation) to +use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +.TP +.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" +Socket provided by the lookip plugin. + +.TP +.BR charon.plugins.ntru.max_drbg_requests " [4294967294]" +Number of pseudo\-random bit requests from the DRBG before an automatic reseeding +occurs. + +.TP +.BR charon.plugins.ntru.parameter_set " [optimum]" +The following parameter sets are available: +.RB "" "x9_98_speed" "," +.RB "" "x9_98_bandwidth" "," +.RB "" "x9_98_balance" "" +and +.RB "" "optimum" "," +the last set not being +part of the X9.98 standard but having the best performance. + +.TP +.BR charon.plugins.openssl.engine_id " [pkcs11]" +ENGINE ID to use in the OpenSSL plugin. + +.TP +.BR charon.plugins.openssl.fips_mode " [0]" +Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2). + +.TP +.BR charon.plugins.pkcs11.load_certs " [yes]" +Whether to load certificates from tokens. + +.TP +.BR charon.plugins.pkcs11.reload_certs " [no]" +Reload certificates from all tokens if charon receives a SIGHUP. + +.TP +.BR charon.plugins.pkcs11.use_dh " [no]" +Whether the PKCS#11 modules should be used for DH and ECDH (see +.RI "" "use_ecc" "" +option). + +.TP +.BR charon.plugins.pkcs11.use_ecc " [no]" +Whether the PKCS#11 modules should be used for ECDH and ECDSA public key +operations. ECDSA private keys can be used regardless of this option. + +.TP +.BR charon.plugins.pkcs11.use_hasher " [no]" +Whether the PKCS#11 modules should be used to hash data. + +.TP +.BR charon.plugins.pkcs11.use_pubkey " [no]" +Whether the PKCS#11 modules should be used for public key operations, even for +keys not stored on tokens. + +.TP +.BR charon.plugins.pkcs11.use_rng " [no]" +Whether the PKCS#11 modules should be used as RNG. + +.TP +.B charon.plugins.pkcs11.modules +.br +List of available PKCS#11 modules. 
+ +.TP +.BR charon.plugins.radattr.dir " []" +Directory where RADIUS attributes are stored in client\-ID specific files. + +.TP +.BR charon.plugins.radattr.message_id " [-1]" +Attributes are added to all IKE_AUTH messages by default (\-1), or only to the +IKE_AUTH message with the given IKEv2 message ID. + +.TP +.BR charon.plugins.random.random " [${random_device}]" +File to read random bytes from. + +.TP +.BR charon.plugins.random.strong_equals_true " [no]" +If set to yes the RNG_STRONG class reads random bytes from the same source as +the RNG_TRUE class. + +.TP +.BR charon.plugins.random.urandom " [${urandom_device}]" +File to read pseudo random bytes from. + +.TP +.BR charon.plugins.resolve.file " [/etc/resolv.conf]" +File where to add DNS server entries. + +.TP +.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" +Prefix used for interface names sent to +.RB "" "resolvconf" "(8)." +The nameserver +address is appended to this prefix to make it unique. The result has to be a +valid interface name according to the rules defined by resolvconf. Also, it +should have a high priority according to the order defined in +.RB "" "interface\-order" "(5)." + + +.TP +.BR charon.plugins.socket-default.fwmark " []" +Firewall mark to set on outbound packets. + +.TP +.BR charon.plugins.socket-default.set_source " [yes]" +Set source address on outbound packets, if possible. + +.TP +.BR charon.plugins.socket-default.use_ipv4 " [yes]" +Listen on IPv4, if possible. + +.TP +.BR charon.plugins.socket-default.use_ipv6 " [yes]" +Listen on IPv6, if possible. + +.TP +.BR charon.plugins.sql.database " []" +Database URI for charon's SQL plugin. If it contains a password, make sure to +adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.sql.loglevel " [-1]" +Loglevel for logging to SQL database. 
+ +.TP +.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" +Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA +certificates even if they don't contain a CA basic constraint. + +.TP +.BR charon.plugins.stroke.max_concurrent " [4]" +Maximum number of stroke messages handled concurrently. + +.TP +.BR charon.plugins.stroke.prevent_loglevel_changes " [no]" +If enabled log level changes via stroke socket are not allowed. + +.TP +.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +Socket provided by the stroke plugin. + +.TP +.BR charon.plugins.stroke.timeout " [0]" +Timeout in ms for any stroke command. Use 0 to disable the timeout. + +.TP +.BR charon.plugins.systime-fix.interval " [0]" +Interval in seconds to check system time for validity. 0 disables the check. + +.TP +.BR charon.plugins.systime-fix.reauth " [no]" +Whether to use reauth or delete if an invalid cert lifetime is detected. + +.TP +.BR charon.plugins.systime-fix.threshold " []" +Threshold date where system time is considered valid. Disabled if not specified. + +.TP +.BR charon.plugins.systime-fix.threshold_format " [%Y]" +.RB "" "strptime" "(3)" +format used to parse threshold option. + +.TP +.BR charon.plugins.tnc-ifmap.client_cert " []" +Path to X.509 certificate file of IF\-MAP client. + +.TP +.BR charon.plugins.tnc-ifmap.client_key " []" +Path to private key file of IF\-MAP client. + +.TP +.BR charon.plugins.tnc-ifmap.device_name " []" +Unique name of strongSwan server as a PEP and/or PDP device. + +.TP +.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" +Interval in seconds between periodic IF\-MAP RenewSession requests. + +.TP +.BR charon.plugins.tnc-ifmap.server_cert " []" +Path to X.509 certificate file of IF\-MAP server. + +.TP +.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" +URI of the form [https://]servername[:port][/path]. 
+ +.TP +.BR charon.plugins.tnc-ifmap.username_password " []" +Credentials of IF\-MAP client of the form username:password. If set, make sure to +adjust the permissions of the config file accordingly. + +.TP +.BR charon.plugins.tnc-imc.dlclose " [yes]" +Unload IMC after use. + +.TP +.BR charon.plugins.tnc-imc.preferred_language " [en]" +Preferred language for TNC recommendations. + +.TP +.BR charon.plugins.tnc-imv.dlclose " [yes]" +Unload IMV after use. + +.TP +.BR charon.plugins.tnc-imv.recommendation_policy " [default]" +TNC recommendation policy, one of +.RI "" "default" "," +.RI "" "any" "," +or +.RI "" "all" "." + + +.TP +.BR charon.plugins.tnc-pdp.server " []" +Name of the strongSwan PDP as contained in the AAA certificate. + +.TP +.BR charon.plugins.tnc-pdp.timeout " []" +Timeout in seconds before closing incomplete connections. + +.TP +.BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]" +Enable PT\-TLS protocol on the strongSwan PDP. + +.TP +.BR charon.plugins.tnc-pdp.pt_tls.port " [271]" +PT\-TLS server port the strongSwan PDP is listening on. + +.TP +.BR charon.plugins.tnc-pdp.radius.enable " [yes]" +Enable RADIUS protocol on the strongSwan PDP. + +.TP +.BR charon.plugins.tnc-pdp.radius.method " [ttls]" +EAP tunnel method to be used. + +.TP +.BR charon.plugins.tnc-pdp.radius.port " [1812]" +RADIUS server port the strongSwan PDP is listening on. + +.TP +.BR charon.plugins.tnc-pdp.radius.secret " []" +Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust +the permissions of the config file accordingly. + +.TP +.BR charon.plugins.tnccs-11.max_message_size " [45000]" +Maximum size of a PA\-TNC message (XML & Base64 encoding). + +.TP +.BR charon.plugins.tnccs-20.max_batch_size " [65522]" +Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529). + +.TP +.BR charon.plugins.tnccs-20.max_message_size " [65490]" +Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497). 
+
+.TP
+.BR charon.plugins.unbound.dlv_anchors " []"
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as
+.RI "" "trust_anchors" "."
+Only one DLV can be configured, which is
+then used as a root trusted DLV, this means that it is a lookaside for the root.
+
+.TP
+.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from.
+
+.TP
+.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+
+.TP
+.BR charon.plugins.updown.dns_handler " [no]"
+Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+plugins, like resolve)
+
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+Enable loaded whitelist plugin.
+
+.TP
+.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]"
+Socket provided by the whitelist plugin.
+
+.TP
+.BR charon.plugins.xauth-eap.backend " [radius]"
+EAP plugin to be used as backend for XAuth credential verification.
+
+.TP
+.BR charon.plugins.xauth-pam.pam_service " [login]"
+PAM service to be used for authentication.
+
+.TP
+.BR charon.plugins.xauth-pam.session " [no]"
+Open/close a PAM session for each active IKE_SA.
+
+.TP
+.BR charon.plugins.xauth-pam.trim_email " [yes]"
+If an email address is received as an XAuth username, trim it to just the
+username part.
+
+.TP
+.B charon.processor.priority_threads
+.br
+Section to configure the number of reserved threads per priority class see JOB
+PRIORITY MANAGEMENT in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.B charon.syslog
+.br
+Section to define syslog loggers, see LOGGER CONFIGURATION in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.identifier " []"
+Global identifier used for an
+.RB "" "openlog" "(3)"
+call, prepended to each log message
+by syslog. If not configured,
+.RB "" "openlog" "(3)"
+is not called, so the value will
+depend on system defaults (often the program name).
+
+.TP
+.B charon.syslog.<facility>
+.br
+<facility> is one of the supported syslog facilities, see LOGGER CONFIGURATION
+in
+.RB "" "strongswan.conf" "(5)."
+
+
+.TP
+.BR charon.syslog.<facility>.<subsystem> " [<default>]"
+Loglevel for a specific subsystem.
+
+.TP
+.BR charon.syslog.<facility>.default " [1]"
+Specifies the default loglevel to be used for subsystems for which no specific
+loglevel is defined.
+
+.TP
+.BR charon.syslog.<facility>.ike_name " [no]"
+Prefix each log entry with the connection name and a unique numerical identifier
+for each IKE_SA.
+
+.TP
+.BR charon.tls.cipher " []"
+List of TLS encryption ciphers.
+
+.TP
+.BR charon.tls.key_exchange " []"
+List of TLS key exchange methods.
+
+.TP
+.BR charon.tls.mac " []"
+List of TLS MAC algorithms.
+
+.TP
+.BR charon.tls.suites " []"
+List of TLS cipher suites.
+
+.TP
+.BR charon.tnc.tnc_config " [/etc/tnc_config]"
+TNC IMC/IMV configuration file.
+
+.TP
+.BR charon.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions.
+
+.TP
+.BR libimcv.debug_level " [1]"
+Debug level for a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs with stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR libimcv.stderr_quiet " [no]"
+Disable output to stderr with a stand\-alone
+.RI "" "libimcv" ""
+library.
+
+.TP
+.BR manager.database " []"
+Credential database URI for manager. If it contains a password, make sure to
+adjust the permissions of the config file accordingly.
+
+.TP
+.BR manager.debug " [no]"
+Enable debugging in manager.
+
+.TP
+.BR manager.load " []"
+Plugins to load in manager.
+
+.TP
+.BR manager.socket " []"
+FastCGI socket of manager, to run it statically.
+
+.TP
+.BR manager.threads " [10]"
+Threads to use for request handling.
+
+.TP
+.BR manager.timeout " [15m]"
+Session timeout for manager.
+
+.TP
+.BR medsrv.database " []"
+Mediation server database URI. If it contains a password, make sure to adjust
+the permissions of the config file accordingly.
+
+.TP
+.BR medsrv.debug " [no]"
+Debugging in mediation server web application.
+
+.TP
+.BR medsrv.dpd " [5m]"
+DPD timeout to use in mediation server plugin.
+
+.TP
+.BR medsrv.load " []"
+Plugins to load in mediation server plugin.
+
+.TP
+.BR medsrv.password_length " [6]"
+Minimum password length required for mediation server user accounts.
+
+.TP
+.BR medsrv.rekey " [20m]"
+Rekeying time on mediation connections in mediation server plugin.
+
+.TP
+.BR medsrv.socket " []"
+Run Mediation server web application statically on socket.
+
+.TP
+.BR medsrv.threads " [5]"
+Number of thread for mediation service web application.
+
+.TP
+.BR medsrv.timeout " [15m]"
+Session timeout for mediation service.
+
+.TP
+.BR openac.load " []"
+Plugins to load in ipsec openac tool.
+
+.TP
+.BR pacman.database " []"
+Database URI for the database that stores the package information. If it
+contains a password, make sure to adjust the permissions of the config file
+accordingly.
+
+.TP
+.BR pacman.load " []"
+Plugins to load in package manager.
+
+.TP
+.BR pki.load " []"
+Plugins to load in ipsec pki tool.
+
+.TP
+.BR pool.database " []"
+Database URI for the database that stores IP pools and configuration attributes.
+If it contains a password, make sure to adjust the permissions of the
+config file accordingly.
+
+.TP
+.BR pool.load " []"
+Plugins to load in ipsec pool tool.
+
+.TP
+.BR scepclient.load " []"
+Plugins to load in ipsec scepclient tool.
+
+.TP
+.BR starter.load " []"
+Plugins to load in starter.
+
+.TP
+.BR starter.load_warning " [yes]"
+Disable charon plugin load option warning.
+
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
new file mode 100644
index 000000000..72aa7f856
--- /dev/null
+++ b/conf/strongswan.conf.5.tail.in
@@ -0,0 +1,470 @@
+.SH LOGGER CONFIGURATION
+Options in
+.BR strongswan.conf (5)
+provide a much more flexible way to configure loggers for the IKE daemon charon
+than using the
+.B charondebug
+option in
+.BR ipsec.conf (5).
+.PP
+.BR Note :
+If any loggers are specified in strongswan.conf,
+.B charondebug
+does not have any effect.
+.PP
+There are currently two types of loggers:
+.TP
+.B File loggers
+Log directly to a file and are defined by specifying the full path to the
+file as subsection in the
+.B charon.filelog
+section. To log to the console the two special filenames
+.BR stdout " and " stderr
+can be used.
+.TP
+.B Syslog loggers
+Log into a syslog facility and are defined by specifying the facility to log to
+as the name of a subsection in the
+.B charon.syslog
+section. The following facilities are currently supported:
+.BR daemon " and " auth .
+.PP
+Multiple loggers can be defined for each type with different log verbosity for
+the different subsystems of the daemon.
+
+.SS Subsystems
+.TP
+.B dmn
+Main daemon setup/cleanup/signal handling
+.TP
+.B mgr
+IKE_SA manager, handling synchronization for IKE_SA access
+.TP
+.B ike
+IKE_SA
+.TP
+.B chd
+CHILD_SA
+.TP
+.B job
+Jobs queueing/processing and thread pool management
+.TP
+.B cfg
+Configuration management and plugins
+.TP
+.B knl
+IPsec/Networking kernel interface
+.TP
+.B net
+IKE network communication
+.TP
+.B asn
+Low-level encoding/decoding (ASN.1, X.509 etc.)
+.TP
+.B enc
+Packet encoding/decoding encryption/decryption operations
+.TP
+.B tls
+libtls library messages
+.TP
+.B esp
+libipsec library messages
+.TP
+.B lib
+libstrongwan library messages
+.TP
+.B tnc
+Trusted Network Connect
+.TP
+.B imc
+Integrity Measurement Collector
+.TP
+.B imv
+Integrity Measurement Verifier
+.TP
+.B pts
+Platform Trust Service
+.SS Loglevels
+.TP
+.B -1
+Absolutely silent
+.TP
+.B 0
+Very basic auditing logs, (e.g. 
SA up/SA down)
+.TP
+.B 1
+Generic control flow with errors, a good default to see whats going on
+.TP
+.B 2
+More detailed debugging control flow
+.TP
+.B 3
+Including RAW data dumps in Hex
+.TP
+.B 4
+Also include sensitive material in dumps, e.g. keys
+.SS Example
+.PP
+.EX
+ charon {
+ filelog {
+ /var/log/charon.log {
+ time_format = %b %e %T
+ append = no
+ default = 1
+ }
+ stderr {
+ ike = 2
+ knl = 3
+ ike_name = yes
+ }
+ }
+ syslog {
+ # enable logging to LOG_DAEMON, use defaults
+ daemon {
+ }
+ # minimalistic IKE auditing logging to LOG_AUTHPRIV
+ auth {
+ default = -1
+ ike = 0
+ }
+ }
+ }
+.EE
+
+.SH JOB PRIORITY MANAGEMENT
+Some operations in the IKEv2 daemon charon are currently implemented
+synchronously and blocking. Two examples for such operations are communication
+with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
+certificate chain verification. Under high load conditions, the thread pool may
+run out of available threads, and some more important jobs, such as liveness
+checking, may not get executed in time.
+.PP
+To prevent thread starvation in such situations job priorities were introduced.
+The job processor will reserve some threads for higher priority jobs, these
+threads are not available for lower priority, locking jobs.
+.SS Implementation
+Currently 4 priorities have been defined, and they are used in charon as
+follows:
+.TP
+.B CRITICAL
+Priority for long-running dispatcher jobs.
+.TP
+.B HIGH
+INFORMATIONAL exchanges, as used by liveness checking (DPD).
+.TP
+.B MEDIUM
+Everything not HIGH/LOW, including IKE_SA_INIT processing.
+.TP
+.B LOW
+IKE_AUTH message processing. RADIUS and CRL fetching block here
+.PP
+Although IKE_SA_INIT processing is computationally expensive, it is explicitly
+assigned to the MEDIUM class. This allows charon to do the DH exchange while
+other threads are blocked in IKE_AUTH. 
To prevent the daemon from accepting more
+IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
+.PP
+The thread pool processes jobs strictly by priority, meaning it will consume all
+higher priority jobs before looking for ones with lower priority. Further, it
+reserves threads for certain priorities. A priority class having reserved
+.I n
+threads will always have
+.I n
+threads available for this class (either currently processing a job, or waiting
+for one).
+.SS Configuration
+To ensure that there are always enough threads available for higher priority
+tasks, threads must be reserved for each priority class.
+.TP
+.BR charon.processor.priority_threads.critical " [0]"
+Threads reserved for CRITICAL priority class jobs
+.TP
+.BR charon.processor.priority_threads.high " [0]"
+Threads reserved for HIGH priority class jobs
+.TP
+.BR charon.processor.priority_threads.medium " [0]"
+Threads reserved for MEDIUM priority class jobs
+.TP
+.BR charon.processor.priority_threads.low " [0]"
+Threads reserved for LOW priority class jobs
+.PP
+Let's consider the following configuration:
+.PP
+.EX
+ charon {
+ processor {
+ priority_threads {
+ high = 1
+ medium = 4
+ }
+ }
+ }
+.EE
+.PP
+With this configuration, one thread is reserved for HIGH priority tasks. As
+currently only liveness checking and stroke message processing is done with
+high priority, one or two threads should be sufficient.
+.PP
+The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
+experiencing many blocks in locks while accessing shared resources, threads for
+one or two times the number of CPU cores is fine.
+.PP
+It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
+class rarely return and do not release their thread to the pool.
+.PP
+The remaining threads are available for LOW priority jobs. Reserving threads
+does not make sense (until we have an even lower priority). 
+.SS Monitoring
+To see what the threads are actually doing, invoke
+.IR "ipsec statusall" .
+Under high load, something like this will show up:
+.PP
+.EX
+ worker threads: 2 or 32 idle, 5/1/2/22 working,
+ job queue: 0/0/1/149, scheduled: 198
+.EE
+.PP
+From 32 worker threads,
+.IP 2
+are currently idle.
+.IP 5
+are running CRITICAL priority jobs (dispatching from sockets, etc.).
+.IP 1
+is currently handling a HIGH priority job. This is actually the thread currently
+providing this information via stroke.
+.IP 2
+are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
+messages.
+.IP 22
+are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
+while processing IKE_AUTH messages.
+.PP
+The job queue load shows how many jobs are queued for each priority, ready for
+execution. The single MEDIUM priority job will get executed immediately, as
+we have two spare threads reserved for MEDIUM class jobs.
+
+.SH IKE_SA_INIT DROPPING
+If a responder receives more connection requests per seconds than it can handle,
+it does not make sense to accept more IKE_SA_INIT messages. And if they are
+queued but can't get processed in time, an answer might be sent after the
+client has already given up and restarted its connection setup. This
+additionally increases the load on the responder.
+.PP
+To limit the responder load resulting from new connection attempts, the daemon
+can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
+decide if this should happen, configured with the following options:
+.TP
+.BR charon.init_limit_half_open " [0]"
+Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
+connecting state, but not yet established.
+.TP
+.BR charon.init_limit_job_load " [0]"
+Limit based on the number of jobs currently queued for processing (sum over all
+job priorities).
+.PP
+The second limit includes load from other jobs, such as rekeying. 
Choosing a
+good value is difficult and depends on the hardware and expected load.
+.PP
+The first limit is simpler to calculate, but includes the load from new
+connections only. If your responder is capable of negotiating 100 tunnels/s, you
+might set this limit to 1000. The daemon will then drop new connection attempts
+if generating a response would require more than 10 seconds. If you are
+allowing for a maximum response time of more than 30 seconds, consider adjusting
+the timeout for connecting IKE_SAs
+.RB ( charon.half_open_timeout ).
+A responder, by default, deletes an IKE_SA if the initiator does not establish
+it within 30 seconds. Under high load, a higher value might be required.
+
+.SH LOAD TESTS
+To do stability testing and performance optimizations, the IKE daemon charon
+provides the \fIload-tester\fR plugin. This plugin allows one to setup thousands
+of tunnels concurrently against the daemon itself or a remote host.
+.PP
+.B WARNING:
+Never enable the load-testing plugin on productive systems. It provides
+preconfigured credentials and allows an attacker to authenticate as any user.
+.PP
+.SS Configuration details
+For public key authentication, the responder uses the
+.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
+identity. For the initiator, each connection attempt uses a different identity
+in the form
+.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
+where the first number inidicates the client number, the second the
+authentication round (if multiple authentication rounds are used).
+.PP
+For PSK authentication, FQDN identities are used. The server uses
+.BR srv.strongswan.org ,
+the client uses an identity in the form
+.BR c1-r1.strongswan.org .
+.PP
+For EAP authentication, the client uses a NAI in the form
+.BR 100000000010001@strongswan.org .
+.PP
+To configure multiple authentication rounds, concatenate multiple methods using,
+e.g. 
+.EX
+ initiator_auth = pubkey|psk|eap-md5|eap-aka
+.EE
+.PP
+The responder uses a hardcoded certificate based on a 1024-bit RSA key.
+This certificate additionally serves as CA certificate. A peer uses the same
+private key, but generates client certificates on demand signed by the CA
+certificate. Install the Responder/CA certificate on the remote host to
+authenticate all clients.
+.PP
+To speed up testing, the load tester plugin implements a special Diffie-Hellman
+implementation called \fImodpnull\fR. By setting
+.EX
+ proposal = aes128-sha1-modpnull
+.EE
+this wicked fast DH implementation is used. It does not provide any security
+at all, but allows one to run tests without DH calculation overhead.
+.SS Examples
+.PP
+In the simplest case, the daemon initiates IKE_SAs against itself using the
+loopback interface. This will actually establish double the number of IKE_SAs,
+as the daemon is initiator and responder for each IKE_SA at the same time.
+Installation of IPsec SAs would fail, as each SA gets installed twice. To
+simulate the correct behavior, a fake kernel interface can be enabled which does
+not install the IPsec SAs at the kernel level.
+.PP
+A simple loopback configuration might look like this:
+.PP
+.EX
+ charon {
+ # create new IKE_SAs for each CHILD_SA to simulate
+ # different clients
+ reuse_ikesa = no
+ # turn off denial of service protection
+ dos_protection = no
+
+ plugins {
+ load-tester {
+ # enable the plugin
+ enable = yes
+ # use 4 threads to initiate connections
+ # simultaneously
+ initiators = 4
+ # each thread initiates 1000 connections
+ iterations = 1000
+ # delay each initiation in each thread by 20ms
+ delay = 20
+ # enable the fake kernel interface to
+ # avoid SA conflicts
+ fake_kernel = yes
+ }
+ }
+ }
+.EE
+.PP
+This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
+value if your box can not handle that much load, or decrease it to put more
+load on it. 
If the daemon starts retransmitting messages your box probably can
+not handle all connection attempts.
+.PP
+The plugin also allows one to test against a remote host. This might help to
+test against a real world configuration. A connection setup to do stress
+testing of a gateway might look like this:
+.PP
+.EX
+ charon {
+ reuse_ikesa = no
+ threads = 32
+
+ plugins {
+ load-tester {
+ enable = yes
+ # 10000 connections, ten in parallel
+ initiators = 10
+ iterations = 1000
+ # use a delay of 100ms, overall time is:
+ # iterations * delay = 100s
+ delay = 100
+ # address of the gateway
+ remote = 1.2.3.4
+ # IKE-proposal to use
+ proposal = aes128-sha1-modp1024
+ # use faster PSK authentication instead
+ # of 1024bit RSA
+ initiator_auth = psk
+ responder_auth = psk
+ # request a virtual IP using configuration
+ # payloads
+ request_virtual_ip = yes
+ # enable CHILD_SA every 60s
+ child_rekey = 60
+ }
+ }
+ }
+.EE
+
+.SH IKEv2 RETRANSMISSION
+Retransmission timeouts in the IKEv2 daemon charon can be configured globally
+using the three keys listed below:
+.PP
+.RS
+.nf
+.BR charon.retransmit_base " [1.8]"
+.BR charon.retransmit_timeout " [4.0]"
+.BR charon.retransmit_tries " [5]"
+.fi
+.RE
+.PP
+The following algorithm is used to calculate the timeout:
+.PP
+.EX
+ relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
+.EE
+.PP
+Where
+.I n
+is the current retransmission count.
+.PP
+Using the default values, packets are retransmitted in:
+
+.TS
+l r r
+---
+lB r r.
+Retransmission Relative Timeout Absolute Timeout
+1 4s 4s
+2 7s 11s
+3 13s 24s
+4 23s 47s
+5 42s 89s
+giving up 76s 165s
+.TE
+.
+.SH VARIABLES
+.
+The variables used above are configured as follows:
+
+.nf
+.na
+${piddir} @piddir@
+${prefix} @prefix@
+${random_device} @random_device@
+${urandom_device} @urandom_device@
+.ad
+.fi
+.
+.SH FILES
+.
+.nf
+.na
+/etc/strongswan.conf configuration file
+/etc/strongswan.d/ directory containing included config snippets
+/etc/strongswan.d/charon/ plugin specific config snippets
+.ad
+.fi
+.
+.SH SEE ALSO
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
+.SH HISTORY
+Written for the
+.UR http://www.strongswan.org
+strongSwan project
+.UE
+by Tobias Brunner, Andreas Steffen and Martin Willi. |