Diffstat (limited to 'conf')
-rw-r--r-- | conf/Makefile.am | 8 | ||||
-rw-r--r-- | conf/Makefile.in | 16 | ||||
-rw-r--r-- | conf/options/charon-systemd.conf | 16 | ||||
-rw-r--r-- | conf/options/charon-systemd.opt | 13 | ||||
-rw-r--r-- | conf/options/charon.conf | 8 | ||||
-rw-r--r-- | conf/options/charon.opt | 8 | ||||
-rw-r--r-- | conf/options/starter.conf | 3 | ||||
-rw-r--r-- | conf/options/starter.opt | 3 | ||||
-rw-r--r-- | conf/plugins/eap-radius.conf | 6 | ||||
-rw-r--r-- | conf/plugins/eap-radius.opt | 6 | ||||
-rw-r--r-- | conf/plugins/ext-auth.conf | 11 | ||||
-rw-r--r-- | conf/plugins/ext-auth.opt | 15 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.conf | 10 | ||||
-rw-r--r-- | conf/plugins/kernel-netlink.opt | 15 | ||||
-rw-r--r-- | conf/plugins/stroke.conf | 3 | ||||
-rw-r--r-- | conf/plugins/stroke.opt | 3 | ||||
-rw-r--r-- | conf/strongswan.conf.5.main | 75 |
17 files changed, 202 insertions, 17 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am index 373be1631..e5077391a 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -12,6 +12,7 @@ options = \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ + options/charon-systemd.opt \ options/imcv.opt \ options/manager.opt \ options/medsrv.opt \ @@ -44,6 +45,7 @@ plugins = \ plugins/eap-tnc.opt \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ + plugins/ext-auth.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ @@ -152,9 +154,9 @@ maintainer-clean-local: rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp install-data-local: $(plugins_install_src) - test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" - test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" - test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" + test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true + test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true + test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true for f in $(options_install_src); do \ name=`basename $$f`; \ diff --git a/conf/Makefile.in b/conf/Makefile.in index a0ad980ca..d5bb3ffa7 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -186,6 +186,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GEM = @GEM@ GENHTML = @GENHTML@ GPERF = @GPERF@ GPRBUILD = @GPRBUILD@ @@ -246,6 +247,7 @@ PYTHON_VERSION = @PYTHON_VERSION@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ RUBYINCLUDE = @RUBYINCLUDE@ RUBYLIB = @RUBYLIB@ SED = @SED@ 
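Review bot: The `|| true` appended to the three `$(INSTALL) -d` lines of install-data-local makes a failed directory creation (permission denied, a path component that is a regular file) invisible, so the problem only shows up later as an opaque copy error inside the `for f in $(options_install_src)` loop, or not at all where that copy is itself guarded by `|| true`. If the suffix only exists to tolerate an already-present directory, the preceding `test -e` already covers that case and the suffix can go; if a specific failure really has to be tolerated, name it in a comment above the rule, `# directory creation is best-effort because <reason>`, and use `test -d` so that a pre-existing non-directory is still reported. The install-data-local recipe continues past the end of this hunk. The same three lines appear again in the conf/Makefile.in hunk, which looks generated from this file; fixing Makefile.am and regenerating avoids keeping the two copies in sync by hand.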
@@ -311,6 +313,8 @@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -358,6 +362,10 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ target_alias = @target_alias@ @@ -381,6 +389,7 @@ options = \ options/attest.opt \ options/charon.opt \ options/charon-logging.opt \ + options/charon-systemd.opt \ options/imcv.opt \ options/manager.opt \ options/medsrv.opt \ @@ -413,6 +422,7 @@ plugins = \ plugins/eap-tnc.opt \ plugins/eap-ttls.opt \ plugins/error-notify.opt \ + plugins/ext-auth.opt \ plugins/gcrypt.opt \ plugins/ha.opt \ plugins/imc-attestation.opt \ 
@@ -839,9 +849,9 @@ maintainer-clean-local: rm -f $(confsnippets) default.conf plugins/*.conf plugins/*.tmp install-data-local: $(plugins_install_src) - test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" - test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" - test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" + test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true + test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true + test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true test -e "$(DESTDIR)$(strongswanconfdir)/strongswan.conf" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswanconfdir)/strongswan.conf || true for f in $(options_install_src); do \ name=`basename $$f`; \ diff --git a/conf/options/charon-systemd.conf b/conf/options/charon-systemd.conf new file mode 100644 index 000000000..630488ad8 --- /dev/null +++ b/conf/options/charon-systemd.conf @@ -0,0 +1,16 @@ +charon-systemd { + + # Section to configure native systemd journal logger, very similar to the + # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5). + journal { + + # Loglevel for a specific subsystem. + # <subsystem> = <default> + + # Default loglevel. + # default = 1 + + } + +} + diff --git a/conf/options/charon-systemd.opt b/conf/options/charon-systemd.opt new file mode 100644 index 000000000..3482f449f --- /dev/null +++ b/conf/options/charon-systemd.opt 
@@ -0,0 +1,13 @@ +charon-systemd.journal {} + Section to configure native systemd journal logger, very similar to the + syslog logger as described in LOGGER CONFIGURATION in + **strongswan.conf**(5). + +charon-systemd.journal.default = 1 + Default loglevel. + + Specifies the default loglevel to be used for subsystems for which no + specific loglevel is defined. + +charon-systemd.journal.<subsystem> = <default> + Loglevel for a specific subsystem. diff --git a/conf/options/charon.conf b/conf/options/charon.conf index ec3a39a40..0bec9bb0a 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -40,9 +40,11 @@ charon { # Free objects during authentication (might conflict with plugins). # flush_auth_cfg = no - # Maximum size (in bytes) of a sent fragment when using the proprietary - # IKEv1 fragmentation extension. - # fragment_size = 512 + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for + # address family specific default values). If specified this limit is + # used for both IPv4 and IPv6. + # fragment_size = 0 # Name of the group the daemon changes to after startup. # group = diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 1eb1b8877..678aa37bc 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -85,9 +85,11 @@ charon.flush_auth_cfg = no this might conflict with plugins that later need access to e.g. the used certificates. -charon.fragment_size = 512 - Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 - fragmentation extension. +charon.fragment_size = 0 + Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for + address family specific default values). If specified this limit is used + for both IPv4 and IPv6. charon.group Name of the group the daemon changes to after startup. 
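Review bot: The new text for `charon.fragment_size` in charon.opt says that 0 selects "address family specific default values" but never states what those values are or where they are defined, so an operator reading this entry cannot tell what fragment size a default installation produces for IPv4 or for IPv6. Spell them out in the detailed paragraph, for example `(0 for address family specific default values, i.e. <ipv4-default> bytes for IPv4 and <ipv6-default> bytes for IPv6)`, or name the place they are derived from. The same sentence is repeated in the charon.conf hunk on this line and in the strongswan.conf.5.main hunk below, so the three should be changed together.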
diff --git a/conf/options/starter.conf b/conf/options/starter.conf index 8465f7e53..447397b0d 100644 --- a/conf/options/starter.conf +++ b/conf/options/starter.conf @@ -1,5 +1,8 @@ starter { + # Location of the ipsec.conf file + # config_file = ${sysconfdir}/ipsec.conf + # Plugins to load in starter. # load = diff --git a/conf/options/starter.opt b/conf/options/starter.opt index 4e6574d58..54689e976 100644 --- a/conf/options/starter.opt +++ b/conf/options/starter.opt @@ -1,3 +1,6 @@ +starter.config_file = ${sysconfdir}/ipsec.conf + Location of the ipsec.conf file + starter.load = Plugins to load in starter. diff --git a/conf/plugins/eap-radius.conf b/conf/plugins/eap-radius.conf index 64db67456..b98b195d1 100644 --- a/conf/plugins/eap-radius.conf +++ b/conf/plugins/eap-radius.conf @@ -7,11 +7,15 @@ eap-radius { # updates. # accounting_close_on_timeout = yes + # Interval for interim RADIUS accounting updates, if not specified by the + # RADIUS server in the Access-Accept message. + # accounting_interval = 0 + # If enabled, accounting is disabled unless an IKE_SA has at least one # virtual IP. # accounting_requires_vip = no - # Use class attributes in RADIUS-Accept messages as group membership + # Use class attributes in Access-Accept messages as group membership # information. # class_group = no diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt index 0df6a0d6f..2a6786dd9 100644 --- a/conf/plugins/eap-radius.opt +++ b/conf/plugins/eap-radius.opt 
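Review bot: The new `accounting_interval` comment in eap-radius.conf gives neither the unit of the interval nor the meaning of the default 0, so a reader cannot tell whether `0` disables interim updates or selects some built-in period. State both, e.g. `# Interval (in <unit>) for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message (0 means <behaviour when unset>).`; I am assuming from the neighbouring options that 0 is a "not configured" marker, which this hunk does not show. The identical wording is used in the eap-radius.opt hunk and in the strongswan.conf.5.main hunk.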
@@ -5,12 +5,16 @@ charon.plugins.eap-radius.accounting_close_on_timeout = yes Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. +charon.plugins.eap-radius.accounting_interval = 0 + Interval for interim RADIUS accounting updates, if not specified by the + RADIUS server in the Access-Accept message. + charon.plugins.eap-radius.accounting_requires_vip = no If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. charon.plugins.eap-radius.class_group = no - Use class attributes in RADIUS-Accept messages as group membership + Use class attributes in Access-Accept messages as group membership information. Use the _class_ attribute sent in the RADIUS-Accept message as group diff --git a/conf/plugins/ext-auth.conf b/conf/plugins/ext-auth.conf new file mode 100644 index 000000000..f5aa45f6f --- /dev/null +++ b/conf/plugins/ext-auth.conf @@ -0,0 +1,11 @@ +ext-auth { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + + # Shell script to invoke for peer authorization. + # script = + +} + diff --git a/conf/plugins/ext-auth.opt b/conf/plugins/ext-auth.opt new file mode 100644 index 000000000..bf127b9d7 --- /dev/null +++ b/conf/plugins/ext-auth.opt 
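Review bot: The summary line of `charon.plugins.eap-radius.class_group` is changed from "RADIUS-Accept" to "Access-Accept", but the detailed paragraph two lines further down, visible as context here, still begins `Use the _class_ attribute sent in the RADIUS-Accept message as group`, so the entry now uses both names for the same message. Change that line to `Use the _class_ attribute sent in the Access-Accept message as group` so the summary, the detail and the new `accounting_interval` text all use the RFC name. The rest of that paragraph lies outside the hunk and may mention the old name again.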
@@ -0,0 +1,15 @@ +charon.plugins.ext-auth.script = + Shell script to invoke for peer authorization. + + Command to pass to the system shell for peer authorization. Authorization + is considered successful if the command executes normally with an exit code + of zero. For all other exit codes IKE_SA authorization is rejected. + + The following environment variables get passed to the script: + _IKE_UNIQUE_ID_: The IKE_SA numerical unique identifier. + _IKE_NAME_: The peer configuration connection name. + _IKE_LOCAL_HOST_: Local IKE IP address. + _IKE_REMOTE_HOST_: Remote IKE IP address. + _IKE_LOCAL_ID_: Local IKE identity. + _IKE_REMOTE_ID_: Remote IKE identity. + _IKE_REMOTE_EAP_ID_: Remote EAP or XAuth identity, if used. diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 670746963..f05f486b1 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -8,10 +8,20 @@ kernel-netlink { # priority of this plugin. load = yes + # MSS to set on installed routes, 0 to disable. + # mss = 0 + + # MTU to set on installed routes, 0 to disable. + # mtu = 0 + # Whether to trigger roam events when interfaces, addresses or routes # change. # roam_events = yes + # Whether to set protocol and ports in the selector installed on transport + # mode IPsec SAs in the kernel. + # set_proto_port_transport_sa = no + # Lifetime of XFRM acquire state in kernel. # xfrm_acq_expires = 165 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index a8e421b6e..7d44581a5 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt 
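Review bot: The variable list for `charon.plugins.ext-auth.script` in ext-auth.opt tells the script author what the shell receives but not that `IKE_REMOTE_ID` and `IKE_REMOTE_EAP_ID` are identities asserted by the remote peer, which makes them untrusted input to a command line; a script that expands them unquoted or feeds them to `eval` turns an authentication hook into a code-execution path. Add a sentence after the list such as `The IKE_REMOTE_* values originate from the peer and must be treated as untrusted: quote them and validate them in the script, never expand them unquoted or pass them to eval.` Neither this hunk nor the ext-auth.conf hunk says what the plugin does when `script` is left empty while `load = yes` (authorize, reject, or log), and that belongs next to `script =` in both files. The strongswan.conf.5.main hunk repeats the same list and should carry the same caveat.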
@@ -7,9 +7,24 @@ charon.plugins.kernel-netlink.fwmark = inverts the meaning (i.e. the rule only applies to packets that don't match the mark). +charon.plugins.kernel-netlink.mss = 0 + MSS to set on installed routes, 0 to disable. + +charon.plugins.kernel-netlink.mtu = 0 + MTU to set on installed routes, 0 to disable. + charon.plugins.kernel-netlink.roam_events = yes Whether to trigger roam events when interfaces, addresses or routes change. +charon.plugins.kernel-netlink.set_proto_port_transport_sa = no + Whether to set protocol and ports in the selector installed on transport + mode IPsec SAs in the kernel. + + Whether to set protocol and ports in the selector installed on transport + mode IPsec SAs in the kernel. While doing so enforces policies for inbound + traffic, it also prevents the use of a single IPsec SA by more than one + traffic selector. + charon.plugins.kernel-netlink.xfrm_acq_expires = 165 Lifetime of XFRM acquire state in kernel. diff --git a/conf/plugins/stroke.conf b/conf/plugins/stroke.conf index 6dd063053..3d8ee0acc 100644 --- a/conf/plugins/stroke.conf +++ b/conf/plugins/stroke.conf @@ -14,6 +14,9 @@ stroke { # If enabled log level changes via stroke socket are not allowed. # prevent_loglevel_changes = no + # Location of the ipsec.secrets file + # secrets_file = ${sysconfdir}/ipsec.secrets + # Socket provided by the stroke plugin. # socket = unix://${piddir}/charon.ctl diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt index 2cfc2c6fa..4b49b1f04 100644 --- a/conf/plugins/stroke.opt +++ b/conf/plugins/stroke.opt @@ -8,6 +8,9 @@ charon.plugins.stroke.max_concurrent = 4 charon.plugins.stroke.prevent_loglevel_changes = no If enabled log level changes via stroke socket are not allowed. +charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets + Location of the ipsec.secrets file + charon.plugins.stroke.socket = unix://${piddir}/charon.ctl Socket provided by the stroke plugin. 
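Review bot: The new `mss` and `mtu` entries in kernel-netlink.opt state "0 to disable" but not the unit of a non-zero value, presumably bytes, nor whether the value replaces or caps what the kernel would otherwise use on the route. `MSS (in bytes) to set on installed routes, 0 to disable.` and the matching line for `mtu` would settle the first point; the second needs a sentence in a detailed paragraph, as `set_proto_port_transport_sa` already has. The same one-liners appear in the kernel-netlink.conf hunk above and in the strongswan.conf.5.main hunk, so all three need the same edit.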
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index d93c208ae..28f6b12ec 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -165,9 +165,11 @@ are released to free memory once an IKE_SA is established. Enabling this might conflict with plugins that later need access to e.g. the used certificates. .TP -.BR charon.fragment_size " [512]" -Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 -fragmentation extension. +.BR charon.fragment_size " [0]" +Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when +using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for address +family specific default values). If specified this limit is used for both +IPv4 and IPv6. .TP .BR charon.group " []" @@ -511,6 +513,11 @@ Send RADIUS accounting information to RADIUS servers. Close the IKE_SA if there is a timeout during interim RADIUS accounting updates. .TP +.BR charon.plugins.eap-radius.accounting_interval " [0]" +Interval for interim RADIUS accounting updates, if not specified by the RADIUS +server in the Access\-Accept message. + +.TP .BR charon.plugins.eap-radius.accounting_requires_vip " [no]" If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP. 
@@ -732,6 +739,29 @@ Request peer authentication based on a client certificate. Socket provided by the error\-notify plugin. .TP +.BR charon.plugins.ext-auth.script " []" +Command to pass to the system shell for peer authorization. Authorization is +considered successful if the command executes normally with an exit code of +zero. For all other exit codes IKE_SA authorization is rejected. + +The following environment variables get passed to the script: +.RI "" "IKE_UNIQUE_ID" ":" +The IKE_SA numerical unique identifier. +.RI "" "IKE_NAME" ":" +The peer configuration +connection name. +.RI "" "IKE_LOCAL_HOST" ":" +Local IKE IP address. +.RI "" "IKE_REMOTE_HOST" ":" +Remote IKE IP address. +.RI "" "IKE_LOCAL_ID" ":" +Local IKE identity. +.RI "" "IKE_REMOTE_ID" ":" +Remote IKE identity. +.RI "" "IKE_REMOTE_EAP_ID" ":" +Remote EAP or XAuth identity, if used. + +.TP .BR charon.plugins.gcrypt.quick_random " [no]" Use faster random numbers in gcrypt; for testing only, produces weak keys! 
@@ -782,10 +812,24 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts the meaning (i.e. the rule only applies to packets that don't match the mark). .TP +.BR charon.plugins.kernel-netlink.mss " [0]" +MSS to set on installed routes, 0 to disable. + +.TP +.BR charon.plugins.kernel-netlink.mtu " [0]" +MTU to set on installed routes, 0 to disable. + +.TP .BR charon.plugins.kernel-netlink.roam_events " [yes]" Whether to trigger roam events when interfaces, addresses or routes change. .TP +.BR charon.plugins.kernel-netlink.set_proto_port_transport_sa " [no]" +Whether to set protocol and ports in the selector installed on transport mode +IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, +it also prevents the use of a single IPsec SA by more than one traffic selector. + +.TP .BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" Lifetime of XFRM acquire state in kernel. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM @@ -1123,6 +1167,10 @@ Maximum number of stroke messages handled concurrently. If enabled log level changes via stroke socket are not allowed. .TP +.BR charon.plugins.stroke.secrets_file " [${sysconfdir}/ipsec.secrets]" +Location of the ipsec.secrets file + +.TP .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" Socket provided by the stroke plugin. 
@@ -1483,6 +1531,23 @@ Name of the user the daemon changes to after startup. Discard certificates with unsupported or unknown critical extensions. .TP +.B charon-systemd.journal +.br +Section to configure native systemd journal logger, very similar to the syslog +logger as described in LOGGER CONFIGURATION in +.RB "" "strongswan.conf" "(5)." + + +.TP +.BR charon-systemd.journal.<subsystem> " [<default>]" +Loglevel for a specific subsystem. + +.TP +.BR charon-systemd.journal.default " [1]" +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. + +.TP .BR libimcv.debug_level " [1]" Debug level for a stand\-alone .RI "" "libimcv" "" @@ -1741,6 +1806,10 @@ Plugins to load in ipsec pool tool. Plugins to load in ipsec scepclient tool. .TP +.BR starter.config_file " [${sysconfdir}/ipsec.conf]" +Location of the ipsec.conf file + +.TP .BR starter.load " []" Plugins to load in starter. |