Diffstat (limited to 'conf')
-rw-r--r-- | conf/Makefile.am | 2 | ||||
-rw-r--r-- | conf/Makefile.in | 13 | ||||
-rw-r--r-- | conf/options/charon-logging.conf | 11 | ||||
-rw-r--r-- | conf/options/charon-logging.opt | 23 | ||||
-rw-r--r-- | conf/options/charon.conf | 2 | ||||
-rw-r--r-- | conf/options/charon.opt | 2 | ||||
-rw-r--r-- | conf/plugins/dhcp.conf | 4 | ||||
-rw-r--r-- | conf/plugins/dhcp.opt | 15 | ||||
-rw-r--r-- | conf/plugins/eap-radius.conf | 4 | ||||
-rw-r--r-- | conf/plugins/eap-radius.opt | 4 | ||||
-rw-r--r-- | conf/plugins/imc-swid.conf | 8 | ||||
-rw-r--r-- | conf/plugins/imc-swid.opt | 8 | ||||
-rw-r--r-- | conf/plugins/imc-swima.opt | 3 | ||||
-rw-r--r-- | conf/plugins/imv-swid.conf | 8 | ||||
-rw-r--r-- | conf/plugins/imv-swid.opt | 5 | ||||
-rw-r--r-- | conf/plugins/tpm.conf | 14 | ||||
-rw-r--r-- | conf/plugins/tpm.opt | 10 | ||||
-rw-r--r-- | conf/strongswan.conf.5.head.in | 70 | ||||
-rw-r--r-- | conf/strongswan.conf.5.main | 95 | ||||
-rw-r--r-- | conf/strongswan.conf.5.tail.in | 16 |
20 files changed, 227 insertions, 90 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index eb662c2e0..d7917664b 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -61,13 +61,11 @@ plugins = \
 plugins/imc-hcd.opt \
 plugins/imc-os.opt \
 plugins/imc-scanner.opt \
- plugins/imc-swid.opt \
 plugins/imc-swima.opt \
 plugins/imc-test.opt \
 plugins/imv-attestation.opt \
 plugins/imv-os.opt \
 plugins/imv-scanner.opt \
- plugins/imv-swid.opt \
 plugins/imv-swima.opt \
 plugins/imv-test.opt \
 plugins/ipseckey.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e83d3b98f..ae4640068 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -265,7 +265,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
 PY_TEST = @PY_TEST@
 RANLIB = @RANLIB@
 RTLIB = @RTLIB@
-RUBY = @RUBY@
 RUBYGEMDIR = @RUBYGEMDIR@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
@@ -291,6 +290,8 @@ am__tar = @am__tar@
 am__untar = @am__untar@
 attest_plugins = @attest_plugins@
 bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
 build = @build@
 build_alias = @build_alias@
 build_cpu = @build_cpu@
@@ -311,8 +312,6 @@ dvidir = @dvidir@
 exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -367,8 +366,6 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
 runstatedir = @runstatedir@
 s_plugins = @s_plugins@
 sbindir = @sbindir@
@@ -397,8 +394,12 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 tss2_CFLAGS = @tss2_CFLAGS@
 tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
 tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
 tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
 tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
 tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
 urandom_device = @urandom_device@
@@ -467,13 +468,11 @@ plugins = \
 plugins/imc-hcd.opt \
 plugins/imc-os.opt \
 plugins/imc-scanner.opt \
- plugins/imc-swid.opt \
 plugins/imc-swima.opt \
 plugins/imc-test.opt \
 plugins/imv-attestation.opt \
 plugins/imv-os.opt \
 plugins/imv-scanner.opt \
- plugins/imv-swid.opt \
 plugins/imv-swima.opt \
 plugins/imv-test.opt \
 plugins/ipseckey.opt \
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
index 454405985..ed3c027dc 100644
--- a/conf/options/charon-logging.conf
+++ b/conf/options/charon-logging.conf
@@ -4,8 +4,10 @@ charon {
 # strongswan.conf(5).
 filelog {
- # <filename> is the full path to the log file.
- # <filename> {
+ # <name> may be the full path to the log file if it only contains
+ # characters permitted in section names. Is ignored if path is
+ # specified.
+ # <name> {
 # Loglevel for a specific subsystem.
 # <subsystem> = <default>
@@ -25,6 +27,11 @@ charon {
 # numerical identifier for each IKE_SA.
 # ike_name = no
+ # Optional path to the log file. Overrides the section name. Must be
+ # used if the path contains characters that aren't allowed in
+ # section names.
+ # path =
+
 # Adds the milliseconds within the current second after the
 # timestamp (separated by a dot, so time_format should end with %S
 # or %T).
diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt
index 2bbb5dce4..e850c4487 100644
--- a/conf/options/charon-logging.opt
+++ b/conf/options/charon-logging.opt
@@ -2,33 +2,38 @@ charon.filelog {} Section to define file loggers, see LOGGER CONFIGURATION in **strongswan.conf**(5). -charon.filelog.<filename> { # } - <filename> is the full path to the log file. +charon.filelog.<name> { # } + <name> may be the full path to the log file if it only contains + characters permitted in section names. Is ignored if _path_ is specified. -charon.filelog.<filename>.default = 1 +charon.filelog.<name>.path = + Optional path to the log file. Overrides the section name. Must be used + if the path contains characters that aren't allowed in section names. + +charon.filelog.<name>.default = 1 Default loglevel. Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. -charon.filelog.<filename>.<subsystem> = <default> +charon.filelog.<name>.<subsystem> = <default> Loglevel for a specific subsystem. -charon.filelog.<filename>.append = yes +charon.filelog.<name>.append = yes If this option is enabled log entries are appended to the existing file. -charon.filelog.<filename>.flush_line = no +charon.filelog.<name>.flush_line = no Enabling this option disables block buffering and enables line buffering. -charon.filelog.<filename>.ike_name = no +charon.filelog.<name>.ike_name = no Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. -charon.filelog.<filename>.time_format +charon.filelog.<name>.time_format Prefix each log entry with a timestamp. The option accepts a format string as passed to **strftime**(3). -charon.filelog.<filename>.time_add_ms = no +charon.filelog.<name>.time_add_ms = no Adds the milliseconds within the current second after the timestamp (separated by a dot, so _time_format_ should end with %S or %T). diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 93dff172d..857ddde9b 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf 
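Review bot: The new `<name>` description says the section name may itself be the log path if it only contains characters permitted in section names, but the character list this same commit puts into strongswan.conf.5.head.in excludes the dot, so any file name with an extension such as .log cannot serve as section name and needs `path`; stating that directly, e.g. `(a dot is not permitted, so most file names require path)`, would spare operators a parse failure on the most common case. The man-page tail still says the special filenames stdout and stderr may be used to log to the console, yet neither the `<name>` nor the `path` description says whether those names are also honoured when given via `path` rather than as section name; if they are, one sentence here would settle it. The same wording is repeated in charon-logging.conf and strongswan.conf.5.main.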
@@ -274,7 +274,7 @@ charon { # Buffer size used for crypto benchmark. # bench_size = 1024 - # Number of iterations to test each algorithm. + # Time in ms during which crypto algorithm performance is measured. # bench_time = 50 # Test crypto algorithms during registration (requires test vectors diff --git a/conf/options/charon.opt b/conf/options/charon.opt index fcde5f0b5..8fb64bc25 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -52,7 +52,7 @@ charon.crypto_test.bench_size = 1024 Buffer size used for crypto benchmark. charon.crypto_test.bench_time = 50 - Number of iterations to test each algorithm. + Time in ms during which crypto algorithm performance is measured. charon.crypto_test.on_add = no Test crypto algorithms during registration (requires test vectors provided diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf index 88bbe36e3..c880cfa59 100644 --- a/conf/plugins/dhcp.conf +++ b/conf/plugins/dhcp.conf @@ -17,5 +17,9 @@ dhcp { # DHCP server unicast or broadcast IP address. # server = 255.255.255.255 + # Use the DHCP server port (67) as source port when a unicast server address + # is configured. + # use_server_port = no + } diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt index 6b337bc34..7c6d31c87 100644 --- a/conf/plugins/dhcp.opt +++ b/conf/plugins/dhcp.opt 
@@ -15,6 +15,21 @@ charon.plugins.dhcp.identity_lease = no charon.plugins.dhcp.server = 255.255.255.255 DHCP server unicast or broadcast IP address. +charon.plugins.dhcp.use_server_port = no + Use the DHCP server port (67) as source port when a unicast server address + is configured. + + Use the DHCP server port (67) as source port, instead of the DHCP client + port (68), when a unicast server address is configured and the plugin acts + as relay agent. When replying in this mode the DHCP server will always send + packets to the DHCP server port and if no process binds that port an ICMP + port unreachables will be sent back, which might be problematic for some + DHCP servers. To avoid that, enabling this option will cause the plugin to + bind the DHCP server port to send its requests when acting as relay agent. + This is not necessary if a DHCP server is already running on the same host + and might even cause conflicts (and since the server port is already bound, + ICMPs should not be an issue). + charon.plugins.dhcp.interface Interface name the plugin uses for address allocation. diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf index 5a486114e..24f2eaacd 100644 --- a/conf/plugins/eap-radius.conf +++ b/conf/plugins/eap-radius.conf @@ -66,6 +66,10 @@ eap-radius { # Number of sockets (ports) to use, increase for high load. # sockets = 1 + # Whether to include the UDP port in the Called- and Calling-Station-Id + # RADIUS attributes. + # station_id_with_port = yes + dae { # Enables support for the Dynamic Authorization Extension (RFC 5176). diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index f18a74c49..192996c73 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt 
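Review bot: The long description of `use_server_port` has a grammar slip in `if no process binds that port an ICMP port unreachables will be sent back`; it should read `if no process binds that port, an ICMP port unreachable message will be sent back`. The identical sentence appears in the strongswan.conf.5.main hunk for this option, so if the man page is generated from this file, as the matching text suggests, fixing it here covers both places. While at it, `which might be problematic for some DHCP servers` could say what the problem is (the server treating the unreachable as a failed delivery), if that is the observed behaviour the option was added for.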
@@ -108,6 +108,10 @@ charon.plugins.eap-radius.servers {} charon.plugins.eap-radius.sockets = 1 Number of sockets (ports) to use, increase for high load. +charon.plugins.eap-radius.station_id_with_port = yes + Whether to include the UDP port in the Called- and Calling-Station-Id + RADIUS attributes. + charon.plugins.eap-radius.xauth {} Section to configure multiple XAuth authentication rounds via RADIUS. diff --git a/conf/plugins/imc-swid.conf b/conf/plugins/imc-swid.conf deleted file mode 100644 index 4893703ad..000000000 --- a/conf/plugins/imc-swid.conf +++ /dev/null @@ -1,8 +0,0 @@ -imc-swid { - - # Whether to load the plugin. Can also be an integer to increase the - # priority of this plugin. - load = yes - -} - diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt deleted file mode 100644 index e622aa683..000000000 --- a/conf/plugins/imc-swid.opt +++ /dev/null @@ -1,8 +0,0 @@ -libimcv.plugins.imc-swid.swid_directory = ${prefix}/share - Directory where SWID tags are located. - -libimcv.plugins.imc-swid.swid_pretty = no - Generate XML-encoded SWID tags with pretty indentation. - -libimcv.plugins.imc-swid.swid_full = no - Include file information in the XML-encoded SWID tags. diff --git a/conf/plugins/imc-swima.opt b/conf/plugins/imc-swima.opt index 099a3c80f..daa4ecadd 100644 --- a/conf/plugins/imc-swima.opt +++ b/conf/plugins/imc-swima.opt @@ -19,3 +19,6 @@ libimcv.plugins.imc-swima.swid_pretty = no libimcv.plugins.imc-swima.swid_full = no Include file information in the XML-encoded SWID tags. + +libimcv.plugins.imc-swima.subscriptions = no + Accept SW Inventory or SW Events subscriptions. diff --git a/conf/plugins/imv-swid.conf b/conf/plugins/imv-swid.conf deleted file mode 100644 index bfd49bd1c..000000000 --- a/conf/plugins/imv-swid.conf +++ /dev/null @@ -1,8 +0,0 @@ -imv-swid { - - # Whether to load the plugin. Can also be an integer to increase the - # priority of this plugin. - load = yes - -} - 
diff --git a/conf/plugins/imv-swid.opt b/conf/plugins/imv-swid.opt deleted file mode 100644 index d451c78ce..000000000 --- a/conf/plugins/imv-swid.opt +++ /dev/null @@ -1,5 +0,0 @@ -libimcv.plugins.imv-swid.rest_api_uri = - HTTP URI of the SWID REST API. - -libimcv.plugins.imv-swid.rest_api_timeout = 120 - Timeout of SWID REST API HTTP POST transaction. diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf index 222bb7b0a..1be961e89 100644 --- a/conf/plugins/tpm.conf +++ b/conf/plugins/tpm.conf @@ -7,5 +7,19 @@ tpm { # Whether the TPM should be used as RNG. # use_rng = no + tcti { + + # Name of TPM 2.0 TCTI library. Valid values: tabrmd, device or mssim. + # Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0 resource + # manager device exists, and tabrmd otherwise, requiring the d-bus based + # TPM 2.0 access broker and resource manager to be available. + # name = device|tabrmd + + # Options for the TPM 2.0 TCTI library. Defaults are /dev/tpmrm0 if the + # TCTI library name is device and no options otherwise. + # opts = /dev/tpmrm0|<none> + + } + } diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt index cd666dde8..df7adb098 100644 --- a/conf/plugins/tpm.opt +++ b/conf/plugins/tpm.opt @@ -1,2 +1,12 @@ charon.plugins.tpm.use_rng = no Whether the TPM should be used as RNG. + +charon.plugins.tpm.tcti.name = device|tabrmd + Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_. + Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager + device exists, and _tabrmd_ otherwise, requiring the d-bus based TPM 2.0 + access broker and resource manager to be available. + +charon.plugins.tpm.tcti.opts = /dev/tpmrm0|<none> + Options for the TPM 2.0 TCTI library. Defaults are _/dev/tpmrm0_ if the + TCTI library name is _device_ and no options otherwise. diff --git a/conf/strongswan.conf.5.head.in b/conf/strongswan.conf.5.head.in index 23454e758..9337c19e2 100644 --- a/conf/strongswan.conf.5.head.in 
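Review bot: The `tcti.name` entry lists `mssim` as a valid value without saying what it is; as far as I know that is the tpm2-tss TCTI that talks to a software TPM simulator over a socket, so a clause such as `mssim connects to a TPM 2.0 simulator and is intended for testing only` would keep operators from copying it into a production template where keys are expected to be hardware-backed. The `tcti.opts` default text only covers the device case; saying what applies for tabrmd and mssim when no options are given (presumably the library's own built-in defaults) would make the `<none>` placeholder less ambiguous. The `name` default also depends on whether /dev/tpmrm0 exists, and the text does not say when that check is made (at plugin load, I assume); a short clause would avoid surprises when the resource manager device appears after charon has started. The tpm.conf hunk on the same line carries the same text.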
+++ b/conf/strongswan.conf.5.head.in @@ -32,13 +32,12 @@ and key/value pairs: .PP Values must be terminated by a newline. .PP -Comments are possible using the \fB#\fP-character, but be careful: The parser -implementation is currently limited and does not like brackets in comments. +Comments are possible using the \fB#\fP-character. .PP Section names and keys may contain any printable character except: .PP .EX - . { } # \\n \\t space + . , : { } = " # \\n \\t space .EE .PP An example file in this format might look like this: 
@@ -60,6 +59,71 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. + +.SH REFERENCING OTHER SECTIONS +It is possible to inherit settings and sections from another section. This +feature is mainly useful in swanctl.conf (which uses the same file format). +The syntax is as follows: +.PP +.EX + section := name : references { settings } + references := absname[, absname]* + absname := name[.name]* +.EE +.PP +All key/value pairs and all subsections of the referenced sections will be +inherited by the section that references them via their absolute name. Values +may be overridden in the section or any of its sub-sections (use an empty +assignment to clear a value so its default value, if any, will apply). It is +currently not possible to limit the inclusion level or clear/remove inherited +sub-sections. + +If the order is important (e.g. for auth rounds in a connection, if \fIround\fR +is not used), it should be noted that inherited settings/sections will follow +those defined in the current section (if multiple sections are referenced, their +settings are enumerated left to right). + +References are evaluated dynamically at runtime, so referring to sections later +in the config file or included via other files is no problem. + +Here is an example of how this might look like: +.PP +.EX + conn-defaults { + # default settings for all conns (e.g. a cert, or IP pools) + } + eap-defaults { + # defaults if eap is used (e.g. a remote auth round) + } + child-defaults { + # defaults for child configs (e.g. 
traffic selectors) + } + connections { + conn-a : conn-defaults, eap-defaults { + # set/override stuff specific to this connection + children { + child-a : child-defaults { + # set/override stuff specific to this child + } + } + } + conn-b : conn-defaults { + # set/override stuff specific to this connection + children { + child-b : child-defaults { + # set/override stuff specific to this child + } + } + } + conn-c : connections.conn-a { + # everything is inherited, including everything conn-a + # already inherits from the sections it and its + # sub-section reference + } + } +.EE +.PP + .SH INCLUDING FILES Using the .B include diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index f83211805..486ee5af9 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -85,7 +85,7 @@ Buffer size used for crypto benchmark. .TP .BR charon.crypto_test.bench_time " [50]" -Number of iterations to test each algorithm. +Time in ms during which crypto algorithm performance is measured. .TP .BR charon.crypto_test.on_add " [no]" 
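Review bot: The new REFERENCING OTHER SECTIONS text says references are evaluated dynamically at runtime and shows a section (conn-c) inheriting through another section's references, but it does not say what happens when references form a cycle (a referencing b referencing a) or when a referenced section does not exist; whether the parser rejects, ignores or keeps following such a reference is exactly what someone writing swanctl.conf by hand needs to know, so one sentence with the actual behaviour filled in, e.g. `Circular references and references to undefined sections are <rejected|ignored>.`, would help. The sentence `Here is an example of how this might look like:` should read `Here is an example of how this might look:`. The parser change this section describes is outside this diff, so I cannot confirm the behaviour from the page.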
@@ -155,41 +155,49 @@ Section to define file loggers, see LOGGER CONFIGURATION in .TP -.B charon.filelog.<filename> +.B charon.filelog.<name> .br -<filename> is the full path to the log file. +<name> may be the full path to the log file if it only contains characters +permitted in section names. Is ignored if +.RI "" "path" "" +is specified. .TP -.BR charon.filelog.<filename>.<subsystem> " [<default>]" +.BR charon.filelog.<name>.<subsystem> " [<default>]" Loglevel for a specific subsystem. .TP -.BR charon.filelog.<filename>.append " [yes]" +.BR charon.filelog.<name>.append " [yes]" If this option is enabled log entries are appended to the existing file. .TP -.BR charon.filelog.<filename>.default " [1]" +.BR charon.filelog.<name>.default " [1]" Specifies the default loglevel to be used for subsystems for which no specific loglevel is defined. .TP -.BR charon.filelog.<filename>.flush_line " [no]" +.BR charon.filelog.<name>.flush_line " [no]" Enabling this option disables block buffering and enables line buffering. .TP -.BR charon.filelog.<filename>.ike_name " [no]" +.BR charon.filelog.<name>.ike_name " [no]" Prefix each log entry with the connection name and a unique numerical identifier for each IKE_SA. .TP -.BR charon.filelog.<filename>.time_add_ms " [no]" +.BR charon.filelog.<name>.path " []" +Optional path to the log file. Overrides the section name. Must be used if the +path contains characters that aren't allowed in section names. + +.TP +.BR charon.filelog.<name>.time_add_ms " [no]" Adds the milliseconds within the current second after the timestamp (separated by a dot, so .RI "" "time_format" "" should end with %S or %T). .TP -.BR charon.filelog.<filename>.time_format " []" +.BR charon.filelog.<name>.time_format " []" Prefix each log entry with a timestamp. The option accepts a format string as passed to .RB "" "strftime" "(3)." 
@@ -556,6 +564,18 @@ DHCP server. DHCP server unicast or broadcast IP address. .TP +.BR charon.plugins.dhcp.use_server_port " [no]" +Use the DHCP server port (67) as source port, instead of the DHCP client port +(68), when a unicast server address is configured and the plugin acts as relay +agent. When replying in this mode the DHCP server will always send packets to +the DHCP server port and if no process binds that port an ICMP port unreachables +will be sent back, which might be problematic for some DHCP servers. To avoid +that, enabling this option will cause the plugin to bind the DHCP server port to +send its requests when acting as relay agent. This is not necessary if a DHCP +server is already running on the same host and might even cause conflicts (and +since the server port is already bound, ICMPs should not be an issue). + +.TP .BR charon.plugins.dnscert.enable " [no]" Enable fetching of CERT RRs via DNS. @@ -778,6 +798,11 @@ and Number of sockets (ports) to use, increase for high load. .TP +.BR charon.plugins.eap-radius.station_id_with_port " [yes]" +Whether to include the UDP port in the Called\- and Calling\-Station\-Id RADIUS +attributes. + +.TP .B charon.plugins.eap-radius.xauth .br Section to configure multiple XAuth authentication rounds via RADIUS. The 
@@ -1660,6 +1685,32 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set. Send a PB\-TNC batch with a modified PB\-TNC version. .TP +.BR charon.plugins.tpm.tcti.name " [device|tabrmd]" +Name of TPM 2.0 TCTI library. Valid values: +.RI "" "tabrmd" "," +.RI "" "device" "" +or +.RI "" "mssim" "." +Defaults are +.RI "" "device" "" +if the +.RI "" "/dev/tpmrm0" "" +in\-kernel TPM 2.0 resource manager +device exists, and +.RI "" "tabrmd" "" +otherwise, requiring the d\-bus based TPM 2.0 access +broker and resource manager to be available. + +.TP +.BR charon.plugins.tpm.tcti.opts " [/dev/tpmrm0|<none>]" +Options for the TPM 2.0 TCTI library. Defaults are +.RI "" "/dev/tpmrm0" "" +if the TCTI +library name is +.RI "" "device" "" +and no options otherwise. + +.TP .BR charon.plugins.tpm.use_rng " [no]" Whether the TPM should be used as RNG. @@ -2191,23 +2242,15 @@ Send operating system info without being prompted. Send open listening ports without being prompted. .TP -.BR libimcv.plugins.imc-swid.swid_directory " [${prefix}/share]" -Directory where SWID tags are located. - -.TP -.BR libimcv.plugins.imc-swid.swid_full " [no]" -Include file information in the XML\-encoded SWID tags. - -.TP -.BR libimcv.plugins.imc-swid.swid_pretty " [no]" -Generate XML\-encoded SWID tags with pretty indentation. - -.TP .BR libimcv.plugins.imc-swima.eid_epoch " [0x11223344]" Set 32 bit epoch value for event IDs manually if software collector database is not available. .TP +.BR libimcv.plugins.imc-swima.subscriptions " [no]" +Accept SW Inventory or SW Events subscriptions. + +.TP .BR libimcv.plugins.imc-swima.swid_database " []" URI to software collector database containing event timestamps, software creation and deletion events and collected software identifiers. If it contains 
@@ -2274,14 +2317,6 @@ URI pointing to operating system remediation instructions. URI pointing to scanner remediation instructions. .TP -.BR libimcv.plugins.imv-swid.rest_api_timeout " [120]" -Timeout of SWID REST API HTTP POST transaction. - -.TP -.BR libimcv.plugins.imv-swid.rest_api_uri " []" -HTTP URI of the SWID REST API. - -.TP .BR libimcv.plugins.imv-swima.rest_api.timeout " [120]" Timeout of SWID REST API HTTP POST transaction. diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in index a93fe020a..4dd177ca0 100644 --- a/conf/strongswan.conf.5.tail.in +++ b/conf/strongswan.conf.5.tail.in @@ -15,12 +15,15 @@ does not have any effect. There are currently two types of loggers: .TP .B File loggers -Log directly to a file and are defined by specifying the full path to the -file as subsection in the +Log directly to a file and are defined by specifying an arbitrarily named +subsection in the .B charon.filelog -section. To log to the console the two special filenames +section. The full path to the file is configured in the \fIpath\fR setting of +that subsection, however, if it only contains characters permitted in section +names, the setting may also be omitted and the path specified as name of the +subsection. To log to the console the two special filenames .BR stdout " and " stderr -can be used. +may be used. .TP .B Syslog loggers Log into a syslog facility and are defined by specifying the facility to log to @@ -108,7 +111,8 @@ Also include sensitive material in dumps, e.g. keys .EX charon { filelog { - /var/log/charon.log { + charon { + path = /var/log/charon.log time_format = %b %e %T append = no default = 1 
@@ -290,7 +294,7 @@ For public key authentication, the responder uses the identity. For the initiator, each connection attempt uses a different identity in the form .BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , -where the first number inidicates the client number, the second the +where the first number indicates the client number, the second the authentication round (if multiple authentication rounds are used). .PP For PSK authentication, FQDN identities are used. The server uses |