Diffstat (limited to 'conf')
-rw-r--r-- | conf/Makefile.am | 1 | ||||
-rw-r--r-- | conf/Makefile.in | 1 | ||||
-rw-r--r-- | conf/options/charon.conf | 6 | ||||
-rw-r--r-- | conf/options/charon.opt | 2 | ||||
-rw-r--r-- | conf/plugins/ha.opt | 7 | ||||
-rw-r--r-- | conf/plugins/imc-os.opt | 4 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.conf | 3 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.opt | 9 | ||||
-rw-r--r-- | conf/plugins/save-keys.conf | 16 | ||||
-rw-r--r-- | conf/plugins/save-keys.opt | 16 | ||||
-rw-r--r-- | conf/strongswan.conf.5.main | 47 |
11 files changed, 105 insertions, 7 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 38181db2c..eb662c2e0 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -87,6 +87,7 @@ plugins = \
 	plugins/random.opt \
 	plugins/resolve.opt \
 	plugins/revocation.opt \
+	plugins/save-keys.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index c2cb213f7..e83d3b98f 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -493,6 +493,7 @@ plugins = \
 	plugins/random.opt \
 	plugins/resolve.opt \
 	plugins/revocation.opt \
+	plugins/save-keys.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index cef9fe36c..93dff172d 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -7,9 +7,9 @@ charon {
 	# Maximum number of half-open IKE_SAs for a single peer IP.
 	# block_threshold = 5
 
-	# Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
-	# be saved under a unique file name derived from the public key of the
-	# Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+	# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
+	# should be saved under a unique file name derived from the public key of
+	# the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
 	# /etc/swanctl/x509crl (vici), respectively.
 	# cache_crls = no
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 161ebb724..fcde5f0b5 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -31,7 +31,7 @@ charon.cert_cache = yes
 	memory.
 
 charon.cache_crls = no
-	Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
 	be saved under a unique file name derived from the public key of the
 	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
 	**/etc/swanctl/x509crl** (vici), respectively.
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt index 77d5b7888..c821a880b 100644 --- a/conf/plugins/ha.opt +++ b/conf/plugins/ha.opt @@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0 Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. +charon.plugin.ha.buflen = 2048 + Buffer size for received HA messages. + + Buffer size for received HA messages. For IKEv1 the public DH factors are + also transmitted so depending on the DH group the HA messages can get quite + big (the default should be fine up to _modp4096_). + charon.plugins.ha.fifo_interface = yes charon.plugins.ha.heartbeat_delay = 1000 diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt index 4f559f2b9..6c1da5e89 100644 --- a/conf/plugins/imc-os.opt +++ b/conf/plugins/imc-os.opt @@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id = Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) +libimcv.plugins.imc-os.device_handle = + Manually set handle to a private key bound to a smartcard or TPM + (e.g. 0x81010004) + libimcv.plugins.imc-os.device_pubkey = Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der) diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 22d94ee38..9827b2282 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -35,6 +35,9 @@ kernel-netlink { # Whether to use port or socket based IKE XFRM bypass policies. # port_bypass = no + # Whether to process changes in routing rules to trigger roam events. + # process_rules = no + # Maximum Netlink socket receive buffer in bytes. # receive_buffer_size = 0 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 3d9c4a7a9..0e368ca1e 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt 
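Review bot: The new key in ha.opt is spelled `charon.plugin.ha.buflen` while every other key in the hunk uses the `charon.plugins.ha.` prefix, so the option is documented under a path that presumably is not the one the plugin reads; the line should be `charon.plugins.ha.buflen = 2048`. The generated entry in conf/strongswan.conf.5.main repeats the same misspelt path, and the diffstat lists no conf/plugins/ha.conf change even though a new ha option is added, which looks like the conf generator filed the key outside the ha plugin section — worth re-checking once the prefix is fixed.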
@@ -7,7 +7,7 @@ charon.plugins.kernel-netlink.force_receive_buffer_size = no If the maximum Netlink socket receive buffer in bytes set by _receive_buffer_size_ exceeds the system-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. - Enabling this option requires special priviliges (CAP_NET_ADMIN). + Enabling this option requires special privileges (CAP_NET_ADMIN). charon.plugins.kernel-netlink.fwmark = Firewall mark to set on the routing rule that directs traffic to our routing @@ -47,6 +47,13 @@ charon.plugins.kernel-netlink.port_bypass = no port based policies use global XFRM bypass policies for the used IKE UDP ports. +charon.plugins.kernel-netlink.process_rules = no + Whether to process changes in routing rules to trigger roam events. + + Whether to process changes in routing rules to trigger roam events. This is + currently only useful if the kernel based route lookup is used (i.e. if + route installation is disabled or an inverted fwmark match is configured). + charon.plugins.kernel-netlink.receive_buffer_size = 0 Maximum Netlink socket receive buffer in bytes. diff --git a/conf/plugins/save-keys.conf b/conf/plugins/save-keys.conf new file mode 100644 index 000000000..c38cdcf69 --- /dev/null +++ b/conf/plugins/save-keys.conf @@ -0,0 +1,16 @@ +save-keys { + + # Whether to save ESP keys. + # esp = no + + # Whether to save IKE keys. + # ike = no + + # Whether to load the plugin. + load = no + + # Directory where the keys are stored in the format supported by Wireshark + # wireshark_keys = + +} + diff --git a/conf/plugins/save-keys.opt b/conf/plugins/save-keys.opt new file mode 100644 index 000000000..22a766a6f --- /dev/null +++ b/conf/plugins/save-keys.opt 
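Review bot: The comment above `# wireshark_keys =` in the new save-keys.conf says only where the files go; nothing in save-keys.conf, save-keys.opt or the matching strongswan.conf.5.main entries states that these files hold the live IKE and ESP session keys, which let anyone able to read that directory decrypt the recorded traffic. I would extend it to `# Directory where the keys are stored in the format supported by Wireshark.` followed by `# The files contain the live session keys: keep the directory readable by the daemon only and enable this plugin for debugging purposes only.` The same sentence belongs in the long description of `charon.plugins.save-keys.wireshark_keys` in save-keys.opt, from which the man page text is generated, so the three places stay in sync.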
@@ -0,0 +1,16 @@ +charon.plugins.save-keys.load := no + Whether to load the plugin. + +charon.plugins.save-keys.esp = no + Whether to save ESP keys. + +charon.plugins.save-keys.ike = no + Whether to save IKE keys. + +charon.plugins.save-keys.wireshark_keys + Directory where the keys are stored in the format supported by Wireshark + + Directory where the keys are stored in the format supported by Wireshark. + IKEv1 keys are stored in the _ikev1_decryption_table_ file. + IKEv2 keys are stored in the _ikev2_decryption_table_ file. + Keys for ESP CHILD_SAs are stored in the _esp_sa_ file. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index b54f3e492..977403e91 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -51,7 +51,7 @@ Maximum number of half\-open IKE_SAs for a single peer IP. .TP .BR charon.cache_crls " [no]" -Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be +Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to .RB "" "/etc/ipsec.d/crls" "" @@ -406,6 +406,14 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP +.BR charon.plugin.ha.buflen " [2048]" +Buffer size for received HA messages. For IKEv1 the public DH factors are also +transmitted so depending on the DH group the HA messages can get quite big (the +default should be fine up to +.RI "" "modp4096" ")." + + +.TP .BR charon.plugins.addrblock.strict " [yes]" If set to yes, a subject certificate without an addrblock extension is rejected if the issuer certificate has such an addrblock extension. If set to no, subject 
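Review bot: `charon.plugins.save-keys.wireshark_keys` is the only key in the new save-keys.opt written without a delimiter; the other empty-default keys on this page, `charon.plugins.kernel-netlink.fwmark =` and `libimcv.plugins.imc-os.device_handle =`, carry a trailing `=`. The generated man page entry still shows `" []"`, so the generator apparently tolerates the omission, but for consistency with the rest of the .opt files the line should read `charon.plugins.save-keys.wireshark_keys =`.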
@@ -973,7 +981,7 @@ If the maximum Netlink socket receive buffer in bytes set by .RI "" "receive_buffer_size" "" exceeds the system\-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. -Enabling this option requires special priviliges (CAP_NET_ADMIN). +Enabling this option requires special privileges (CAP_NET_ADMIN). .TP .BR charon.plugins.kernel-netlink.fwmark " []" @@ -1016,6 +1024,12 @@ based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. .TP +.BR charon.plugins.kernel-netlink.process_rules " [no]" +Whether to process changes in routing rules to trigger roam events. This is +currently only useful if the kernel based route lookup is used (i.e. if route +installation is disabled or an inverted fwmark match is configured). + +.TP .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]" Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default value @@ -1417,6 +1431,30 @@ Whether CRL validation should be enabled. Whether OCSP validation should be enabled. .TP +.BR charon.plugins.save-keys.esp " [no]" +Whether to save ESP keys. + +.TP +.BR charon.plugins.save-keys.ike " [no]" +Whether to save IKE keys. + +.TP +.BR charon.plugins.save-keys.load " [no]" +Whether to load the plugin. + +.TP +.BR charon.plugins.save-keys.wireshark_keys " []" +Directory where the keys are stored in the format supported by Wireshark. IKEv1 +keys are stored in the +.RI "" "ikev1_decryption_table" "" +file. IKEv2 keys are stored in +the +.RI "" "ikev2_decryption_table" "" +file. Keys for ESP CHILD_SAs are stored in the +.RI "" "esp_sa" "" +file. + +.TP .BR charon.plugins.socket-default.fwmark " []" Firewall mark to set on outbound packets. 
@@ -2121,6 +2159,11 @@ Manually set the path to the client device certificate (e.g. /etc/pts/aikCert.der) .TP +.BR libimcv.plugins.imc-os.device_handle " []" +Manually set handle to a private key bound to a smartcard or TPM (e.g. +0x81010004) + +.TP .BR libimcv.plugins.imc-os.device_id " []" Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) |