Diffstat (limited to 'man/strongswan.conf.5')
-rw-r--r-- | man/strongswan.conf.5 | 110 |
1 files changed, 102 insertions, 8 deletions
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 16b9f245a..8a34a7f93 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2012-05-01" "5.0.1" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -164,6 +164,10 @@ are released to free memory once an IKE_SA is established. Enabling this might conflict with plugins that later need access to e.g. the used certificates. .TP +.BR charon.fragment_size " [512]" +Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 +fragmentation extension. +.TP .BR charon.half_open_timeout " [30]" Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). .TP @@ -178,6 +182,10 @@ openly transmitted hash of the PSK) .BR charon.ignore_routing_tables A space-separated list of routing tables to be excluded from route lookups .TP +.BR charon.ikesa_limit " [0]" +Maximum number of IKE_SAs that can be established at the same time before new +connection attempts are blocked +.TP .BR charon.ikesa_table_segments " [1]" Number of exclusively locked segments in the hash table .TP @@ -635,9 +643,15 @@ Passphrase protecting the private key .BR charon.plugins.tnc-ifmap.username Authentication username of strongSwan MAP client .TP +.BR charon.plugins.tnc-imc.dlclose " [yes]" +Unload IMC after use +.TP .BR charon.plugins.tnc-imc.preferred_language " [en]" Preferred language for TNC recommendations .TP +.BR charon.plugins.tnc-imv.dlclose " [yes]" +Unload IMV after use +.TP .BR charon.plugins.tnc-pdp.method " [ttls]" EAP tunnel method to be used .TP 
@@ -696,6 +710,12 @@ strength
 .BR libstrongswan.ecp_x_coordinate_only " [yes]"
 Compliance with the errata for RFC 4753
 .TP
+.BR libstrongswan.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR libstrongswan.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR libstrongswan.integrity_test " [no]"
 Check daemon, libstrongswan and plugin integrity at startup
 .TP
@@ -728,6 +748,12 @@ ENGINE ID to use in the OpenSSL plugin
 .BR libstrongswan.plugins.pkcs11.modules
 List of available PKCS#11 modules
 .TP
+.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
 .BR libstrongswan.plugins.pkcs11.use_dh " [no]"
 Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
 .TP
@@ -764,10 +790,13 @@ Debug level for a stand-alone libimcv library
 .TP
 .BR libimcv.stderr_quiet " [no]"
 Disable output to stderr with a stand-alone libimcv library
-.SS libimcv plugins section
 .TP
-.BR libimcv.plugins.imc-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.os_info.name
+Manually set the name of the client OS (e.g. Ubuntu)
+.TP
+.BR libimcv.os_info.version
+Manually set the version of the client OS (e.g. 12.04 i686)
+.SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
 AIK encrypted private key blob file
@@ -799,12 +828,27 @@ Preferred measurement hash algorithm
 .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
 DH minimum nonce length
 .TP
-.BR libimcv.plugins.imv-attestation.platform_info
-Information on operating system and hardware platform
+.BR libimcv.plugins.imv-attestation.remediation_uri
+URI pointing to attestation remediation instructions
+.TP
+.BR libimcv.plugins.imc-os.push_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imv-os.database
+Database URI for the database that stores operating system information
+.TP
+.BR libimcv.plugins.imv-os.remediation_uri
+URI pointing to operating system remediation instructions
+.TP
+.BR libimcv.plugins.imc-scanner.push_info " [yes]"
+Send open listening ports without being prompted
 .TP
 .BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
 By default all ports must be closed (yes) or can be open (no)
 .TP
+.BR libimcv.plugins.imv-scanner.remediation_uri
+URI pointing to scanner remediation instructions
+.TP
 .BR libimcv.plugins.imv-scanner.tcp_ports
 List of TCP ports that can be open or must be closed
 .TP
@@ -826,6 +870,9 @@ Do a handshake retry
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
 .SS libtls section
@@ -902,6 +949,10 @@ Session timeout for mediation service
 .TP
 .BR openac.load
 Plugins to load in ipsec openac tool
+.SS pacman section
+.TP
+.BR pacman.database
+Database URI for the database that stores the package information
 .SS pki section
 .TP
 .BR pki.load
@@ -1244,6 +1295,17 @@ Never enable the load-testing plugin on productive systems. It provides
 preconfigured credentials and allows an attacker to authenticate as any user.
 .SS Options
 .TP
+.BR charon.plugins.load-tester.addrs
+Subsection that contains key/value pairs with address pools (in CIDR notation)
+to use for a specific network interface e.g. eth0 = 10.10.0.0/16
+.TP
+.BR charon.plugins.load-tester.addrs_prefix " [16]"
+Network prefix length to use when installing dynamic addresses. If set to -1 the
+full address is used (i.e. 32 or 128)
+.TP
+.BR charon.plugins.load-tester.ca_dir
+Directory to load (intermediate) CA certificates from
+.TP
 .BR charon.plugins.load-tester.child_rekey " [600]"
 Seconds to start CHILD_SA rekeying after setup
 .TP
@@ -1253,6 +1315,9 @@ Delay between initiatons for each thread
 .BR charon.plugins.load-tester.delete_after_established " [no]"
 Delete an IKE_SA as soon as it has been established
 .TP
+.BR charon.plugins.load-tester.digest " [sha1]"
+Digest algorithm used when issuing certificates
+.TP
 .BR charon.plugins.load-tester.dpd_delay " [0]"
 DPD delay to use in load test
 .TP
@@ -1274,6 +1339,9 @@ Seconds to start IKE_SA rekeying after setup
 .BR charon.plugins.load-tester.init_limit " [0]"
 Global limit of concurrently established SAs during load test
 .TP
+.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
+Address to initiate from
+.TP
 .BR charon.plugins.load-tester.initiators " [0]"
 Number of concurrent initiator threads to use in load test
 .TP
@@ -1283,8 +1351,24 @@ Authentication method(s) the intiator uses
 .BR charon.plugins.load-tester.initiator_id
 Initiator ID used in load test
 .TP
+.BR charon.plugins.load-tester.initiator_match
+Initiator ID to to match against as responder
+.TP
+.BR charon.plugins.load-tester.initiator_tsi
+Traffic selector on initiator side, as proposed by initiator
+.TP
+.BR charon.plugins.load-tester.initiator_tsr
+Traffic selector on responder side, as proposed by initiator
+.TP
 .BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initate by each initiator in load test
+Number of IKE_SAs to initiate by each initiator in load test
+.TP
+.BR charon.plugins.load-tester.issuer_cert
+Path to the issuer certificate (if not configured a hard-coded value is used)
+.TP
+.BR charon.plugins.load-tester.issuer_key
+Path to private key that is used to issue certificates (if not configured a
+hard-coded value is used)
 .TP
 .BR charon.plugins.load-tester.pool
 Provide INTERNAL_IPV4_ADDRs from a named pool
@@ -1295,7 +1379,7 @@ Preshared key to use in load test
 .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
 IKE proposal to use in load test
 .TP
-.BR charon.plugins.load-tester.remote " [127.0.0.1]"
+.BR charon.plugins.load-tester.responder " [127.0.0.1]"
 Address to initiation connections to
 .TP
 .BR charon.plugins.load-tester.responder_auth " [pubkey]"
@@ -1304,11 +1388,21 @@ Authentication method(s) the responder uses
 .BR charon.plugins.load-tester.responder_id
 Responder ID used in load test
 .TP
+.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
+Traffic selector on initiator side, as narrowed by responder
+.TP
+.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
+Traffic selector on responder side, as narrowed by responder
+.TP
 .BR charon.plugins.load-tester.request_virtual_ip " [no]"
 Request an INTERNAL_IPV4_ADDR from the server
 .TP
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
+.TP
+.BR charon.plugins.load-tester.version " [0]"
+IKE version to use (0 means use IKEv2 as initiator and accept any version as
+responder)
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq