Diffstat (limited to 'man/strongswan.conf.5.in')
-rw-r--r-- man/strongswan.conf.5.in 347
1 files changed, 342 insertions, 5 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 2d7475225..05493ec75 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2010-09-09" "@IPSEC_VERSION@" "strongSwan" +.TH STRONGSWAN.CONF 5 "2011-07-26" "@IPSEC_VERSION@" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -126,6 +126,13 @@ will return The following keys are currently defined (using dot notation). The default value (if any) is listed in brackets after the key. +.SS attest section +.TP +.BR attest.database +Path to database with file measurement information +.TP +.BR attest.load +Plugins to load in ipsec attest tool .SS charon section .TP .BR charon.block_threshold " [5]" @@ -151,6 +158,9 @@ Section to define file loggers, see LOGGER CONFIGURATION .BR charon.flush_auth_cfg " [no]" .TP +.BR charon.half_open_timeout " [30]" +Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). +.TP .BR charon.hash_and_url " [no]" Enable hash and URL support .TP @@ -166,6 +176,14 @@ Size of the IKE_SA hash table .BR charon.inactivity_close_ike " [no]" Whether to close IKE_SA if the only CHILD_SA closed due to inactivity .TP +.BR charon.init_limit_half_open " [0]" +Limit new connections based on the current number of half open IKE_SAs (see +IKE_SA_INIT DROPPING). +.TP +.BR charon.init_limit_job_load " [0]" +Limit new connections based on the number of jobs currently queued for +processing (see IKE_SA_INIT DROPPING). +.TP .BR charon.install_routes " [yes]" Install routes into a separate routing table for established IPsec tunnels .TP @@ -295,6 +313,9 @@ Start phase2 EAP TNC protocol after successful client authentication Request peer authentication based on a client certificate .TP +.BR charon.plugins.eap-radius.accounting " [no]" +Send RADIUS accounting information to RADIUS servers. +.TP .BR charon.plugins.eap-radius.class_group " [no]" Use the .I class 
@@ -449,20 +470,57 @@ Section to configure the load-tester plugin, see LOAD TESTS .BR charon.plugins.resolve.file " [/etc/resolv.conf]" File where to add DNS server entries .TP +.BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" +Prefix used for interface names sent to resolvconf(8). The nameserver address +is appended to this prefix to make it unique. The result has to be a valid +interface name according to the rules defined by resolvconf. Also, it should +have a high priority according to the order defined in interface-order(5). +.TP .BR charon.plugins.sql.database Database URI for charons SQL plugin .TP .BR charon.plugins.sql.loglevel " [-1]" Loglevel for logging to SQL database .TP +.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" +Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA +certificates even if they don't contain a CA basic constraint. +.TP +.BR charon.plugins.stroke.max_concurrent " [4]" +Maximum number of stroke messages handled concurrently +.TP +.BR charon.plugins.tnc-ifmap.device_name +Unique name of strongSwan as a PEP and/or PDP device +.TP +.BR charon.plugins.tnc-ifmap.key_file +Concatenated client certificate and private key +.TP +.BR charon.plugins.tnc-ifmap.password +Authentication password of strongSwan MAP client +.TP +.BR charon.plugins.tnc-ifmap.server_cert +Certificate of MAP server +.TP +.BR charon.plugins.tnc-ifmap.ssl_passphrase +Passphrase protecting the private key +.TP +.BR charon.plugins.tnc-ifmap.username +Authentication username of strongSwan MAP client +.TP .BR charon.plugins.tnc-imc.preferred_language " [en]" Preferred language for TNC recommendations .TP -.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]" -TNC IMC configuration directory +.BR charon.plugins.tnc-pdp.method " [ttls]" +EAP tunnel method to be used .TP -.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]" -TNC IMV configuration directory +.BR charon.plugins.tnc-pdp.port " [1812]" +RADIUS 
server port the strongSwan PDP is listening on +.TP +.BR charon.plugins.tnc-pdp.secret +Shared RADIUS secret between strongSwan PDP and NAS +.TP +.BR charon.plugins.tnc-pdp.server +name of the strongSwan PDP as contained in the AAA certificate .TP .BR charon.plugins.whitelist.enable " [yes]" enable loaded whitelist plugin @@ -502,6 +560,10 @@ Check daemon, libstrongswan and plugin integrity at startup .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output .TP +.BR libstrongswan.processor.priority_threads +Subsection to configure the number of reserved threads per priority class +see JOB PRIORITY MANAGEMENT +.TP .BR libstrongswan.x509.enforce_critical " [yes]" Discard certificates with unsupported or unknown critical extensions .SS libstrongswan.plugins subsection 
@@ -519,8 +581,96 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules +List of available PKCS#11 modules +.TP +.BR libstrongswan.plugins.pkcs11.use_dh " [no]" +Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option) +.TP +.BR libstrongswan.plugins.pkcs11.use_ecc " [no]" +Whether the PKCS#11 modules should be used for ECDH and ECDSA public key +operations. ECDSA private keys can be used regardless of this option .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" +Whether the PKCS#11 modules should be used to hash data +.TP +.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]" +Whether the PKCS#11 modules should be used for public key operations, even for +keys not stored on tokens +.TP +.BR libstrongswan.plugins.pkcs11.use_rng " [no]" +Whether the PKCS#11 modules should be used as RNG +.SS libtnccs section +.TP +.BR libtnccs.tnc_config " [/etc/tnc_config]" +TNC IMC/IMV configuration directory +.SS libimcv section +.TP +.BR libimcv.debug_level " [1]" +Debug level for a stand-alone libimcv library +.TP +.BR libimcv.stderr_quiet " [no]" +Disable output to stderr with a stand-alone libimcv library +.SS libimcv plugins section +.TP +.BR libimcv.plugins.imc-attestation.platform_info +Information on operating system and hardware platform +.TP +.BR libimcv.plugins.imc-attestation.aik_blob +AIK encrypted private key blob file +.TP +.BR libimcv.plugins.imc-attestation.aik_cert +AIK certificate file +.TP +.BR libimcv.plugins.imc-attestation.aik_key +AIK public key file +.TP +.BR libimcv.plugins.imv-attestation.nonce_len " [20]" +DH nonce length +.TP +.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]" +Use Quote2 AIK signature instead of Quote signature +.TP +.BR libimcv.plugins.imv-attestation.cadir +Path to directory with AIK cacerts +.TP +.BR libimcv.plugins.imv-attestation.database +Path to database with file measurement information 
+.TP +.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]" +Preferred Diffie-Hellman group +.TP +.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]" +Preferred measurement hash algorithm +.TP +.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]" +DH minimum nonce length +.TP +.BR libimcv.plugins.imv-attestation.platform_info +Information on operating system and hardware platform +.TP +.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]" +By default all ports must be closed (yes) or can be open (no) +.TP +.BR libimcv.plugins.imv-scanner.tcp_ports +List of TCP ports that can be open or must be closed +.TP +.BR libimcv.plugins.imv-scanner.udp_ports +List of UDP ports that can be open or must be closed +.TP +.BR libimcv.plugins.imc-test.additional_ids " [0]" +Number of additional IMC IDs +.TP +.BR libimcv.plugins.imc-test.command " [none]" +Command to be sent to the Test IMV +.TP +.BR libimcv.plugins.imc-test.retry " [no]" +Do a handshake retry +.TP +.BR libimcv.plugins.imc-test.retry_command +Command to be sent to the Test IMV in the handshake retry +.TP +.BR libimcv.plugins.imv-test.rounds " [0]" +Number of IMC-IMV retry rounds .SS libtls section .TP .BR libtls.cipher @@ -637,6 +787,9 @@ Plugins to load in ipsec pool tool Plugins to load in ipsec scepclient tool .SS starter section .TP +.BR starter.load +Plugins to load in starter +.TP .BR starter.load_warning " [yes]" Disable charon/pluto plugin load option warning @@ -700,6 +853,14 @@ identifier for each IKE_SA. Prefix each log entry with a timestamp. The option accepts a format string as passed to .BR strftime (3). +.TP +.BR charon.syslog.identifier +Global identifier used for an +.BR openlog (3) +call, prepended to each log message by syslog. If not configured, +.BR openlog (3) +is not called, so the value will depend on system defaults (often the program +name). .SS Subsystems .TP 
@@ -727,6 +888,9 @@ IPsec/Networking kernel interface .B net IKE network communication .TP +.B asn +Low-level encoding/decoding (ASN.1, X.509 etc.) +.TP .B enc Packet encoding/decoding encryption/decryption operations .TP @@ -735,6 +899,18 @@ libtls library messages .TP .B lib libstrongwan library messages +.TP +.B tnc +Trusted Network Connect +.TP +.B imc +Integrity Measurement Collector +.TP +.B imv +Integrity Measurement Verifier +.TP +.B pts +Platform Trust Service .SS Loglevels .TP .B -1 
@@ -783,6 +959,149 @@ Also include sensitive material in dumps, e.g. keys } .EE +.SH JOB PRIORITY MANAGEMENT +Some operations in the IKEv2 daemon charon are currently implemented +synchronously and blocking. Two examples for such operations are communication +with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during +certificate chain verification. Under high load conditions, the thread pool may +run out of available threads, and some more important jobs, such as liveness +checking, may not get executed in time. +.PP +To prevent thread starvation in such situations job priorities were introduced. +The job processor will reserve some threads for higher priority jobs, these +threads are not available for lower priority, locking jobs. +.SS Implementation +Currently 4 priorities have been defined, and they are used in charon as +follows: +.TP +.B CRITICAL +Priority for long-running dispatcher jobs. +.TP +.B HIGH +INFORMATIONAL exchanges, as used by liveness checking (DPD). +.TP +.B MEDIUM +Everything not HIGH/LOW, including IKE_SA_INIT processing. +.TP +.B LOW +IKE_AUTH message processing. RADIUS and CRL fetching block here +.PP +Although IKE_SA_INIT processing is computationally expensive, it is explicitly +assigned to the MEDIUM class. This allows charon to do the DH exchange while +other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more +IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING. +.PP +The thread pool processes jobs strictly by priority, meaning it will consume all +higher priority jobs before looking for ones with lower priority. Further, it +reserves threads for certain priorities. A priority class having reserved +.I n +threads will always have +.I n +threads available for this class (either currently processing a job, or waiting +for one). +.SS Configuration +To ensure that there are always enough threads available for higher priority +tasks, threads must be reserved for each priority class. 
+.TP +.BR libstrongswan.processor.priority_threads.critical " [0]" +Threads reserved for CRITICAL priority class jobs +.TP +.BR libstrongswan.processor.priority_threads.high " [0]" +Threads reserved for HIGH priority class jobs +.TP +.BR libstrongswan.processor.priority_threads.medium " [0]" +Threads reserved for MEDIUM priority class jobs +.TP +.BR libstrongswan.processor.priority_threads.low " [0]" +Threads reserved for LOW priority class jobs +.PP +Let's consider the following configuration: +.PP +.EX + libstrongswan { + processor { + priority_threads { + high = 1 + medium = 4 + } + } + } +.EE +.PP +With this configuration, one thread is reserved for HIGH priority tasks. As +currently only liveness checking and stroke message processing is done with +high priority, one or two threads should be sufficient. +.PP +The MEDIUM class mostly processes non-blocking jobs. Unless your setup is +experiencing many blocks in locks while accessing shared resources, threads for +one or two times the number of CPU cores is fine. +.PP +It is usually not required to reserve threads for CRITICAL jobs. Jobs in this +class rarely return and do not release their thread to the pool. +.PP +The remaining threads are available for LOW priority jobs. Reserving threads +does not make sense (until we have an even lower priority). +.SS Monitoring +To see what the threads are actually doing, invoke +.IR "ipsec statusall" . +Under high load, something like this will show up: +.PP +.EX + worker threads: 2 or 32 idle, 5/1/2/22 working, + job queue: 0/0/1/149, scheduled: 198 +.EE +.PP +From 32 worker threads, +.IP 2 +are currently idle. +.IP 5 +are running CRITICAL priority jobs (dispatching from sockets, etc.). +.IP 1 +is currently handling a HIGH priority job. This is actually the thread currently +providing this information via stroke. +.IP 2 +are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA +messages. 
+.IP 22 +are handling LOW priority jobs, probably waiting for an EAP-RADIUS response +while processing IKE_AUTH messages. +.PP +The job queue load shows how many jobs are queued for each priority, ready for +execution. The single MEDIUM priority job will get executed immediately, as +we have two spare threads reserved for MEDIUM class jobs. + +.SH IKE_SA_INIT DROPPING +If a responder receives more connection requests per seconds than it can handle, +it does not make sense to accept more IKE_SA_INIT messages. And if they are +queued but can't get processed in time, an answer might be sent after the +client has already given up and restarted its connection setup. This +additionally increases the load on the responder. +.PP +To limit the responder load resulting from new connection attempts, the daemon +can drop IKE_SA_INIT messages just after reception. There are two mechanisms to +decide if this should happen, configured with the following options: +.TP +.BR charon.init_limit_half_open " [0]" +Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in +connecting state, but not yet established. +.TP +.BR charon.init_limit_job_load " [0]" +Limit based on the number of jobs currently queued for processing (sum over all +job priorities). +.PP +The second limit includes load from other jobs, such as rekeying. Choosing a +good value is difficult and depends on the hardware and expected load. +.PP +The first limit is simpler to calculate, but includes the load from new +connections only. If your responder is capable of negotiating 100 tunnels/s, you +might set this limit to 1000. The daemon will then drop new connection attempts +if generating a response would require more than 10 seconds. If you are +allowing for a maximum response time of more than 30 seconds, consider adjusting +the timeout for connecting IKE_SAs +.RB ( charon.half_open_timeout ). +A responder, by default, deletes an IKE_SA if the initiator does not establish +it within 30 seconds. 
Under high load, a higher value might be required. + .SH LOAD TESTS To do stability testing and performance optimizations, the IKEv2 daemon charon provides the load-tester plugin. This plugin allows to setup thousands of @@ -802,9 +1121,15 @@ Delay between initiatons for each thread .BR charon.plugins.load-tester.delete_after_established " [no]" Delete an IKE_SA as soon as it has been established .TP +.BR charon.plugins.load-tester.dpd_delay " [0]" +DPD delay to use in load test +.TP .BR charon.plugins.load-tester.dynamic_port " [0]" Base port to be used for requests (each client uses a different port) .TP +.BR charon.plugins.load-tester.eap_password " [default-pwd]" +EAP secret to use in load test +.TP .BR charon.plugins.load-tester.enable " [no]" Enable the load testing plugin .TP @@ -814,18 +1139,27 @@ Fake the kernel interface to allow load-testing against self .BR charon.plugins.load-tester.ike_rekey " [0]" Seconds to start IKE_SA rekeying after setup .TP +.BR charon.plugins.load-tester.init_limit " [0]" +Global limit of concurrently established SAs during load test +.TP .BR charon.plugins.load-tester.initiators " [0]" Number of concurrent initiator threads to use in load test .TP .BR charon.plugins.load-tester.initiator_auth " [pubkey]" Authentication method(s) the intiator uses .TP +.BR charon.plugins.load-tester.initiator_id +Initiator ID used in load test +.TP .BR charon.plugins.load-tester.iterations " [1]" Number of IKE_SAs to initate by each initiator in load test .TP .BR charon.plugins.load-tester.pool Provide INTERNAL_IPV4_ADDRs from a named pool .TP +.BR charon.plugins.load-tester.preshared_key " [default-psk]" +Preshared key to use in load test +.TP .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" IKE proposal to use in load test .TP 
@@ -835,6 +1169,9 @@ Address to initiation connections to .BR charon.plugins.load-tester.responder_auth " [pubkey]" Authentication method(s) the responder uses .TP +.BR charon.plugins.load-tester.responder_id +Responder ID used in load test +.TP .BR charon.plugins.load-tester.request_virtual_ip " [no]" Request an INTERNAL_IPV4_ADDR from the server .TP |
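Review bot: in the new attest section, `attest.database` is described as "Path to database with file measurement information", and a later hunk adds `libimcv.plugins.imv-attestation.database` with the identical wording; a reader cannot tell whether the ipsec attest tool and the attestation IMV are meant to point at the same database, so add a one-line cross-reference in each description. The existing `charon.plugins.sql.database` entry says "Database URI", so if this key takes the same URI syntax, say "Database URI" rather than "Path" for consistency.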
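Review bot: the descriptions of `charon.init_limit_half_open` [0] and `charon.init_limit_job_load` [0] never say what the default of 0 means. The IKE_SA_INIT DROPPING section only tells the reader to set a value such as 1000 to start dropping; if 0 means the limit is disabled, state that in both descriptions (e.g. "(0 disables the limit)") so an administrator does not misread the default as "drop every request".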
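Review bot: `charon.plugins.stroke.ignore_missing_ca_basic_constraint` relaxes certificate path validation (a certificate that lacks the CA basic constraint is not supposed to act as an issuer), but the description reads like a neutral convenience switch; add a sentence that enabling it weakens the CA check and is only meant for legacy CA certificates that cannot be reissued. Second, this hunk removes `charon.plugins.tnc-imc.tnc_config` and `charon.plugins.tnc-imv.tnc_config` (both defaulting to /etc/tnc_config) while a later hunk introduces `libtnccs.tnc_config` in their place; existing strongswan.conf files that set the old keys will silently fall back to the default, so the new key's description should say that it replaces the two old ones. Minor: "name of the strongSwan PDP as contained in the AAA certificate" should start with a capital like the surrounding descriptions, and `tnc-ifmap.password` and `tnc-ifmap.ssl_passphrase` are secrets kept in strongswan.conf, which is worth a pointer to keeping that file's permissions restrictive.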
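Review bot: the description of `libstrongswan.processor.priority_threads` runs two clauses together ("... per priority class see JOB PRIORITY MANAGEMENT"); put a comma before "see", matching the existing "Section to define file loggers, see LOGGER CONFIGURATION" and "Section to configure the load-tester plugin, see LOAD TESTS" entries.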
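Review bot: `libimcv.plugins.imv-attestation.nonce_len` [20] and `min_nonce_len` [0] are described only as "DH nonce length" and "DH minimum nonce length"; it is not clear which side each applies to (the IMV's own nonce versus the shortest nonce it will accept from the IMC) nor whether 0 means no minimum is enforced, and since the nonce feeds the DH-based attestation exchange a verifier administrator needs that to choose a sensible floor. Please spell out both. Also, the other sections in this file list keys alphabetically, but this one goes imc-attestation, imv-attestation, imv-scanner, imc-test, imv-test; move imc-test before imv-attestation. The heading `.SS libimcv plugins section` does not match the existing `.SS libstrongswan.plugins subsection` naming, and the `imv-scanner.closed_port_policy` text "By default all ports must be closed (yes) or can be open (no)" would read better as a statement about ports not listed in `tcp_ports`/`udp_ports`, if that is the semantics.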
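Review bot: the context line "libstrongwan library messages" (description of the `lib` subsystem) is missing an "s" in libstrongswan; since this hunk edits the lines right after it, fix the typo here. The four new subsystem names (tnc, imc, imv, pts) read fine.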
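Review bot: the Implementation list assigns only "INFORMATIONAL exchanges, as used by liveness checking (DPD)" to HIGH, but the Configuration paragraph says "only liveness checking and stroke message processing is done with high priority" and the Monitoring walk-through attributes the single HIGH thread to stroke; add stroke message processing to the HIGH entry so the three places agree (the related knob added elsewhere in this patch is `charon.plugins.stroke.max_concurrent` [4]). The sample `ipsec statusall` output reads "worker threads: 2 or 32 idle" while the explanation says "From 32 worker threads, 2 are currently idle", so "or" should be "of". Smaller fixes: "per seconds" in the IKE_SA_INIT DROPPING intro should be "per second"; "RADIUS and CRL fetching block here" lacks its full stop; "in such situations job priorities were introduced" needs a comma after "situations"; and the bare "+" blank line before `.SH IKE_SA_INIT DROPPING` should be a `.PP` or dropped, since the rest of the file uses `.PP` for spacing.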
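Review bot: `charon.plugins.load-tester.eap_password` [default-pwd] and `preshared_key` [default-psk] ship fixed, well-known defaults; the descriptions should make clear that these are test-only credentials used by the load-tester plugin, which is disabled by default (`enable` [no]), so nobody mistakes them for production settings. `load-tester.init_limit` ("Global limit of concurrently established SAs during load test") shares its name with the new `charon.init_limit_*` dropping options but means something different; a short cross-reference would avoid confusion. While touching this block, the context lines carry three typos that can go in the same commit: "initiatons", "intiator" and "initate".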