diff options
Diffstat (limited to 'man/strongswan.conf.5')
-rw-r--r-- | man/strongswan.conf.5 | 910 |
1 files changed, 910 insertions, 0 deletions
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 new file mode 100644 index 000000000..2a8703503 --- /dev/null +++ b/man/strongswan.conf.5 @@ -0,0 +1,910 @@ +.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan" +.SH NAME +strongswan.conf \- strongSwan configuration file +.SH DESCRIPTION +While the +.IR ipsec.conf (5) +configuration file is well suited to define IPsec related configuration +parameters, it is not useful for other strongSwan applications to read options +from this file. +The file is hard to parse and only +.I ipsec starter +is capable of doing so. As the number of components of the strongSwan project +is continually growing, a more flexible configuration file was needed, one that +is easy to extend and can be used by all components. With strongSwan 4.2.1 +.IR strongswan.conf (5) +was introduced which meets these requirements. + +.SH SYNTAX +The format of the strongswan.conf file consists of hierarchical +.B sections +and a list of +.B key/value pairs +in each section. Each section has a name, followed by C-Style curly brackets +defining the section body. Each section body contains a set of subsections +and key/value pairs: +.PP +.EX + settings := (section|keyvalue)* + section := name { settings } + keyvalue := key = value\\n +.EE +.PP +Values must be terminated by a newline. +.PP +Comments are possible using the \fB#\fP-character, but be careful: The parser +implementation is currently limited and does not like brackets in comments. +.PP +Section names and keys may contain any printable character except: +.PP +.EX + . { } # \\n \\t space +.EE +.PP +An example file in this format might look like this: +.PP +.EX + a = b + section-one { + somevalue = asdf + subsection { + othervalue = xxx + } + # yei, a comment + yetanother = zz + } + section-two { + x = 12 + } +.EE +.PP +Indentation is optional, you may use tabs or spaces. + +.SH READING VALUES +Values are accessed using a dot-separated section list and a key. +With reference to the example above, accessing +.B section-one.subsection.othervalue +will return +.BR xxx . + +.SH DEFINED KEYS +The following keys are currently defined (using dot notation). The default +value (if any) is listed in brackets after the key. + +.SS charon section +.TP +.BR charon.block_threshold " [5]" +Maximum number of half-open IKE_SAs for a single peer IP +.TP +.BR charon.close_ike_on_child_failure " [no]" +Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed +.TP +.BR charon.cookie_threshold " [10]" +Number of half-open IKE_SAs that activate the cookie mechanism +.TP +.BR charon.dns1 +.TQ +.BR charon.dns2 +DNS servers assigned to peer via configuration payload (CP) +.TP +.BR charon.dos_protection " [yes]" +Enable Denial of Service protection using cookies and aggressiveness checks +.TP +.BR charon.filelog +Section to define file loggers, see LOGGER CONFIGURATION +.TP +.BR charon.flush_auth_cfg " [no]" + +.TP +.BR charon.hash_and_url " [no]" +Enable hash and URL support +.TP +.BR charon.ignore_routing_tables +A list of routing tables to be excluded from route lookup +.TP +.BR charon.ikesa_table_segments " [1]" +Number of exclusively locked segments in the hash table +.TP +.BR charon.ikesa_table_size " [1]" +Size of the IKE_SA hash table +.TP +.BR charon.inactivity_close_ike " [no]" +Whether to close IKE_SA if the only CHILD_SA closed due to inactivity +.TP +.BR charon.install_routes " [yes]" +Install routes into a separate routing table for established IPsec tunnels +.TP +.BR charon.install_virtual_ip " [yes]" +Install virtual IP addresses +.TP +.BR charon.keep_alive " [20s]" +NAT keep alive interval +.TP +.BR charon.load +Plugins to load in the IKEv2 daemon charon +.TP +.BR charon.max_packet " [10000]" +Maximum packet size accepted by charon +.TP +.BR charon.multiple_authentication " [yes]" +Enable multiple authentication exchanges (RFC 4739) +.TP +.BR charon.nbns1 +.TQ +.BR charon.nbns2 +WINS servers assigned to peer via configuration payload (CP) +.TP +.BR charon.process_route " [yes]" +Process RTM_NEWROUTE and RTM_DELROUTE events +.TP +.BR charon.receive_delay " [0]" +Delay for receiving packets, to simulate larger RTT +.TP +.BR charon.receive_delay_response " [yes]" +Delay response messages +.TP +.BR charon.receive_delay_request " [yes]" +Delay request messages +.TP +.BR charon.receive_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any +.TP +.BR charon.retransmit_base " [1.8]" +Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION +.TP +.BR charon.retransmit_timeout " [4.0] +Timeout in seconds before sending first retransmit +.TP +.BR charon.retransmit_tries " [5]" +Number of times to retransmit a packet before giving up +.TP +.BR charon.reuse_ikesa " [yes] +Initiate CHILD_SA within existing IKE_SAs +.TP +.BR charon.routing_table +Numerical routing table to install routes to +.TP +.BR charon.routing_table_prio +Priority of the routing table +.TP +.BR charon.send_delay " [0]" +Delay for sending packets, to simulate larger RTT +.TP +.BR charon.send_delay_response " [yes]" +Delay response messages +.TP +.BR charon.send_delay_request " [yes]" +Delay request messages +.TP +.BR charon.send_delay_type " [0]" +Specific IKEv2 message type to delay, 0 for any +.TP +.BR charon.send_vendor_id " [no] +Send strongSwan vendor ID payload +.TP +.BR charon.syslog +Section to define syslog loggers, see LOGGER CONFIGURATION +.TP +.BR charon.threads " [16]" +Number of worker threads in charon +.SS charon.plugins subsection +.TP +.BR charon.plugins.android.loglevel " [1]" +Loglevel for logging to Android specific logger +.TP +.BR charon.plugins.attr +Section to specify arbitrary attributes that are assigned to a peer via +configuration payload (CP) +.TP +.BR charon.plugins.dhcp.identity_lease " [no]" +Derive user-defined MAC address from hash of IKEv2 identity +.TP +.BR charon.plugins.dhcp.server " [255.255.255.255]" +DHCP server unicast or broadcast IP address +.TP +.BR charon.plugins.eap-aka.request_identity " [yes]" + +.TP +.BR charon.plugins.eap-aka-3ggp2.seq_check + +.TP +.BR charon.plugins.eap-gtc.pam_service " [login]" +PAM service to be used for authentication +.TP +.BR charon.plugins.eap-radius.class_group " [no]" +Use the +.I class +attribute sent in the RADIUS-Accept message as group membership information that +is compared to the groups specified in the +.B rightgroups +option in +.B ipsec.conf (5). +.TP +.BR charon.plugins.eap-radius.eap_start " [no]" +Send EAP-Start instead of EAP-Identity to start RADIUS conversation +.TP +.BR charon.plugins.eap-radius.filter_id " [no]" +If the RADIUS +.I tunnel_type +attribute with value +.B ESP +is received, use the +.I filter_id +attribute sent in the RADIUS-Accept message as group membership information that +is compared to the groups specified in the +.B rightgroups +option in +.B ipsec.conf (5). +.TP +.BR charon.plugins.eap-radius.id_prefix +Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the +EAP method +.TP +.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]" +NAS-Identifier to include in RADIUS messages +.TP +.BR charon.plugins.eap-radius.port " [1812]" +Port of RADIUS server (authentication) +.TP +.BR charon.plugins.eap-radius.secret +Shared secret between RADIUS and NAS +.TP +.BR charon.plugins.eap-radius.server +IP/Hostname of RADIUS server +.TP +.BR charon.plugins.eap-radius.servers +Section to specify multiple RADIUS servers. The +.BR nas_identifier , +.BR secret , +.B sockets +and +.B port +options can be specified for each server. A server's IP/Hostname can be +configured using the +.B address +option. For each RADIUS server a priority can be specified using the +.BR preference " [0]" +option. +.TP +.BR charon.plugins.eap-radius.sockets " [1]" +Number of sockets (ports) to use, increase for high load +.TP +.BR charon.plugins.eap-sim.request_identity " [yes]" + +.TP +.BR charon.plugins.eap-simaka-sql.database + +.TP +.BR charon.plugins.eap-simaka-sql.remove_used + +.TP +.BR charon.plugins.eap-tls.fragment_size " [1024]" +Maximum size of an EAP-TLS packet +.TP +.BR charon.plugins.eap-tls.max_message_count " [32]" +Maximum number of processed EAP-TLS packets +.TP +.BR charon.plugins.eap-tnc.fragment_size " [50000]" +Maximum size of an EAP-TNC packet +.TP +.BR charon.plugins.eap-tnc.max_message_count " [10]" +Maximum number of processed EAP-TNC packets +.TP +.BR charon.plugins.eap-ttls.fragment_size " [1024]" +Maximum size of an EAP-TTLS packet +.TP +.BR charon.plugins.eap-ttls.max_message_count " [32]" +Maximum number of processed EAP-TTLS packets +.TP +.BR charon.plugins.eap-ttls.phase2_method " [md5]" +Phase2 EAP client authentication method +.TP +.BR charon.plugins.eap-ttls.phase2_piggyback " [no]" +Phase2 EAP Identity request piggybacked by server onto TLS Finished message +.TP +.BR charon.plugins.eap-ttls.phase2_tnc " [no]" +Start phase2 EAP TNC protocol after successful client authentication +.TP +.BR charon.plugins.eap-ttls.request_peer_auth " [no]" +Request peer authentication based on a client certificate +.TP +.BR charon.plugins.ha.fifo_interface " [yes]" + +.TP +.BR charon.plugins.ha.heartbeat_delay " [1000]" + +.TP +.BR charon.plugins.ha.heartbeat_timeout " [2100]" + +.TP +.BR charon.plugins.ha.local + +.TP +.BR charon.plugins.ha.monitor " [yes]" + +.TP +.BR charon.plugins.ha.pools + +.TP +.BR charon.plugins.ha.remote + +.TP +.BR charon.plugins.ha.resync " [yes]" + +.TP +.BR charon.plugins.ha.secret + +.TP +.BR charon.plugins.ha.segment_count " [1]" + +.TP +.BR charon.plugins.led.activity_led + +.TP +.BR charon.plugins.led.blink_time " [50]" + +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" +Number of ipsecN devices +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" +Set MTU of ipsecN device +.TP +.BR charon.plugins.load-tester +Section to configure the load-tester plugin, see LOAD TESTS +.TP +.BR charon.plugins.resolve.file " [/etc/resolv.conf]" +File where to add DNS server entries +.TP +.BR charon.plugins.sql.database +Database URI for charons SQL plugin +.TP +.BR charon.plugins.sql.loglevel " [-1]" +Loglevel for logging to SQL database +.TP +.BR charon.plugins.tnc-imc.preferred_language " [en]" +Preferred language for TNC recommendations +.TP +.BR charon.plugins.tnc-imc.tnc_config " [/etc/tnc_config]" +TNC IMC configuration directory +.TP +.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]" +TNC IMV configuration directory +.SS libstrongswan section +.TP +.BR libstrongswan.crypto_test.bench " [no]" + +.TP +.BR libstrongswan.crypto_test.bench_size " [1024]" + +.TP +.BR libstrongswan.crypto_test.bench_time " [50]" + +.TP +.BR libstrongswan.crypto_test.on_add " [no]" +Test crypto algorithms during registration +.TP +.BR libstrongswan.crypto_test.on_create " [no]" +Test crypto algorithms on each crypto primitive instantiation +.TP +.BR libstrongswan.crypto_test.required " [no]" +Strictly require at least one test vector to enable an algorithm +.TP +.BR libstrongswan.crypto_test.rng_true " [no]" +Whether to test RNG with TRUE quality; requires a lot of entropy +.TP +.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]" +Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical +strength +.TP +.BR libstrongswan.ecp_x_coordinate_only " [yes]" +Compliance with the errata for RFC 4753 +.TP +.BR libstrongswan.integrity_test " [no]" +Check daemon, libstrongswan and plugin integrity at startup +.TP +.BR libstrongswan.leak_detective.detailed " [yes]" +Includes source file names and line numbers in leak detective output +.SS libstrongswan.plugins subsection +.TP +.BR libstrongswan.plugins.attr-sql.database +Database URI for attr-sql plugin used by charon and pluto +.TP +.BR libstrongswan.plugins.attr-sql.lease_history " [yes]" +Enable logging of SQL IP pool leases +.TP +.BR libstrongswan.plugins.gcrypt.quick_random " [no]" +Use faster random numbers in gcrypt; for testing only, produces weak keys! +.TP +.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" +ENGINE ID to use in the OpenSSL plugin +.TP +.BR libstrongswan.plugins.pkcs11.modules + +.TP +.BR libstrongswan.plugins.pkcs11.use_hasher " [no]" + +.TP +.BR libstrongswan.plugins.x509.enforce_critical " [no]" +Discard certificates with unsupported or unknown critical extensions +.SS libtls section +.TP +.BR libtls.cipher +List of TLS encryption ciphers +.TP +.BR libtls.key_exchange +List of TLS key exchange methods +.TP +.BR libtls.mac +List of TLS MAC algorithms +.TP +.BR libtls.suites +List of TLS cipher suites +.SS manager section +.TP +.BR manager.database +Credential database URI for manager +.TP +.BR manager.debug " [no]" +Enable debugging in manager +.TP +.BR manager.load +Plugins to load in manager +.TP +.BR manager.socket +FastCGI socket of manager, to run it statically +.TP +.BR manager.threads " [10]" +Threads to use for request handling +.TP +.BR manager.timeout " [15m]" +Session timeout for manager +.SS mediation client section +.TP +.BR medcli.database +Mediation client database URI +.TP +.BR medcli.dpd " [5m]" +DPD timeout to use in mediation client plugin +.TP +.BR medcli.rekey " [20m]" +Rekeying time on mediation connections in mediation client plugin +.SS mediation server section +.TP +.BR medsrv.database +Mediation server database URI +.TP +.BR medsrv.debug " [no]" +Debugging in mediation server web application +.TP +.BR medsrv.dpd " [5m]" +DPD timeout to use in mediation server plugin +.TP +.BR medsrv.load +Plugins to load in mediation server plugin +.TP +.BR medsrv.password_length " [6]" +Minimum password length required for mediation server user accounts +.TP +.BR medsrv.rekey " [20m]" +Rekeying time on mediation connections in mediation server plugin +.TP +.BR medsrv.socket +Run Mediation server web application statically on socket +.TP +.BR medsrv.threads " [5]" +Number of thread for mediation service web application +.TP +.BR medsrv.timeout " [15m]" +Session timeout for mediation service +.SS openac section +.TP +.BR openac.load +Plugins to load in ipsec openac tool +.SS pki section +.TP +.BR pki.load +Plugins to load in ipsec pki tool +.SS pluto section +.TP +.BR pluto.dns1 +.TQ +.BR pluto.dns2 +DNS servers assigned to peer via Mode Config +.TP +.BR pluto.load +Plugins to load in IKEv1 pluto daemon +.TP +.BR pluto.nbns1 +.TQ +.BR pluto.nbns2 +WINS servers assigned to peer via Mode Config +.TP +.BR pluto.threads " [4]" +Number of worker threads in pluto +.SS pluto.plugins section +.TP +.BR pluto.plugins.attr +Section to specify arbitrary attributes that are assigned to a peer via +Mode Config +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" +Number of ipsecN devices +.TP +.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" +Set MTU of ipsecN device +.SS pool section +.TP +.BR pool.load +Plugins to load in ipsec pool tool +.SS scepclient section +.TP +.BR scepclient.load +Plugins to load in ipsec scepclient tool +.SS starter section +.TP +.BR starter.load_warning " [yes]" +Disable charon/pluto plugin load option warning + +.SH LOGGER CONFIGURATION +The options described below provide a much more flexible way to configure +loggers for the IKEv2 daemon charon than using the +.B charondebug +option in +.BR ipsec.conf (5). +.PP +.B Please note +that if any loggers are specified in strongswan.conf, +.B charondebug +does not have any effect. +.PP +There are currently two types of loggers defined: +.TP +.B File loggers +Log directly to a file and are defined by specifying the full path to the +file as subsection in the +.B charon.filelog +section. To log to the console the two special filenames +.BR stdout " and " stderr +can be used. +.TP +.B Syslog loggers +Log into a syslog facility and are defined by specifying the facility to log to +as the name of a subsection in the +.B charon.syslog +section. The following facilities are currently supported: +.BR daemon " and " auth . +.PP +Multiple loggers can be defined for each type with different log verbosity for +the different subsystems of the daemon. +.SS Options +.TP +.BR charon.filelog.<filename>.default " [1]" +.TQ +.BR charon.syslog.<facility>.default +Specifies the default loglevel to be used for subsystems for which no specific +loglevel is defined. +.TP +.BR charon.filelog.<filename>.<subsystem> " [<default>]" +.TQ +.BR charon.syslog.<facility>.<subsystem> +Specifies the loglevel for the given subsystem. +.TP +.BR charon.filelog.<filename>.append " [yes]" +If this option is enabled log entries are appended to the existing file. +.TP +.BR charon.filelog.<filename>.flush_line " [no]" +Enabling this option disables block buffering and enables line buffering. +.TP +.BR charon.filelog.<filename>.ike_name " [no]" +.TQ +.BR charon.syslog.<facility>.ike_name +Prefix each log entry with the connection name and a unique numerical +identifier for each IKE_SA. +.TP +.BR charon.filelog.<filename>.time_format +Prefix each log entry with a timestamp. The option accepts a format string as +passed to +.BR strftime (3). + +.SS Subsystems +.TP +.B dmn +Main daemon setup/cleanup/signal handling +.TP +.B mgr +IKE_SA manager, handling synchronization for IKE_SA access +.TP +.B ike +IKE_SA +.TP +.B chd +CHILD_SA +.TP +.B job +Jobs queueing/processing and thread pool management +.TP +.B cfg +Configuration management and plugins +.TP +.B knl +IPsec/Networking kernel interface +.TP +.B net +IKE network communication +.TP +.B enc +Packet encoding/decoding encryption/decryption operations +.TP +.B tls +libtls library messages +.TP +.B lib +libstrongwan library messages +.SS Loglevels +.TP +.B -1 +Absolutely silent +.TP +.B 0 +Very basic auditing logs, (e.g. SA up/SA down) +.TP +.B 1 +Generic control flow with errors, a good default to see whats going on +.TP +.B 2 +More detailed debugging control flow +.TP +.B 3 +Including RAW data dumps in Hex +.TP +.B 4 +Also include sensitive material in dumps, e.g. keys +.SS Example +.PP +.EX + charon { + filelog { + /var/log/charon.log { + time_format = %b %e %T + append = no + default = 1 + } + stderr { + ike = 2 + knl = 3 + ike_name = yes + } + } + syslog { + # enable logging to LOG_DAEMON, use defaults + daemon { + } + # minimalistic IKE auditing logging to LOG_AUTHPRIV + auth { + default = -1 + ike = 0 + } + } + } +.EE + +.SH LOAD TESTS +To do stability testing and performance optimizations, the IKEv2 daemon charon +provides the load-tester plugin. This plugin allows to setup thousands of +tunnels concurrently against the daemon itself or a remote host. +.PP +.B WARNING: +Never enable the load-testing plugin on productive systems. It provides +preconfigured credentials and allows an attacker to authenticate as any user. +.SS Options +.TP +.BR charon.plugins.load-tester.child_rekey " [600]" +Seconds to start CHILD_SA rekeying after setup +.TP +.BR charon.plugins.load-tester.delay " [0]" +Delay between initiatons for each thread +.TP +.BR charon.plugins.load-tester.delete_after_established " [no]" +Delete an IKE_SA as soon as it has been established +.TP +.BR charon.plugins.load-tester.dynamic_port " [0]" +Base port to be used for requests (each client uses a different port) +.TP +.BR charon.plugins.load-tester.enable " [no]" +Enable the load testing plugin +.TP +.BR charon.plugins.load-tester.fake_kernel " [no]" +Fake the kernel interface to allow load-testing against self +.TP +.BR charon.plugins.load-tester.ike_rekey " [0]" +Seconds to start IKE_SA rekeying after setup +.TP +.BR charon.plugins.load-tester.initiators " [0]" +Number of concurrent initiator threads to use in load test +.TP +.BR charon.plugins.load-tester.initiator_auth " [pubkey]" +Authentication method(s) the intiator uses +.TP +.BR charon.plugins.load-tester.iterations " [1]" +Number of IKE_SAs to initate by each initiator in load test +.TP +.BR charon.plugins.load-tester.pool +Provide INTERNAL_IPV4_ADDRs from a named pool +.TP +.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" +IKE proposal to use in load test +.TP +.BR charon.plugins.load-tester.remote " [127.0.0.1]" +Address to initiation connections to +.TP +.BR charon.plugins.load-tester.responder_auth " [pubkey]" +Authentication method(s) the responder uses +.TP +.BR charon.plugins.load-tester.request_virtual_ip " [no]" +Request an INTERNAL_IPV4_ADDR from the server +.TP +.BR charon.plugins.load-tester.shutdown_when_complete " [no]" +Shutdown the daemon after all IKE_SAs have been established +.SS Configuration details +For public key authentication, the responder uses the +.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq +identity. For the initiator, each connection attempt uses a different identity +in the form +.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , +where the first number inidicates the client number, the second the +authentication round (if multiple authentication is used). +.PP +For PSK authentication, FQDN identities are used. The server uses +.BR srv.strongswan.org , +the client uses an identity in the form +.BR c1-r1.strongswan.org . +.PP +For EAP authentication, the client uses a NAI in the form +.BR 100000000010001@strongswan.org . +.PP +To configure multiple authentication, concatenate multiple methods using, e.g. +.EX + initiator_auth = pubkey|psk|eap-md5|eap-aka +.EE +.PP +The responder uses a hardcoded certificate based on a 1024-bit RSA key. +This certificate additionally serves as CA certificate. A peer uses the same +private key, but generates client certificates on demand signed by the CA +certificate. Install the Responder/CA certificate on the remote host to +authenticate all clients. +.PP +To speed up testing, the load tester plugin implements a special Diffie-Hellman +implementation called modpnull. By setting +.EX + proposal = aes128-sha1-modpnull +.EE +this wicked fast DH implementation is used. It does not provide any security +at all, but allows to run tests without DH calculation overhead. +.SS Examples +.PP +In the simplest case, the daemon initiates IKE_SAs against itself using the +loopback interface. This will actually establish double the number of IKE_SAs, +as the daemon is initiator and responder for each IKE_SA at the same time. +Installation of IPsec SAs would fails, as each SA gets installed twice. To +simulate the correct behavior, a fake kernel interface can be enabled which does +not install the IPsec SAs at the kernel level. +.PP +A simple loopback configuration might look like this: +.PP +.EX + charon { + # create new IKE_SAs for each CHILD_SA to simulate + # different clients + reuse_ikesa = no + # turn off denial of service protection + dos_protection = no + + plugins { + load-tester { + # enable the plugin + enable = yes + # use 4 threads to initiate connections + # simultaneously + initiators = 4 + # each thread initiates 1000 connections + iterations = 1000 + # delay each initiation in each thread by 20ms + delay = 20 + # enable the fake kernel interface to + # avoid SA conflicts + fake_kernel = yes + } + } + } +.EE +.PP +This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay +value if your box can not handle that much load, or decrease it to put more +load on it. If the daemon starts retransmitting messages your box probably can +not handle all connection attempts. +.PP +The plugin also allows to test against a remote host. This might help to test +against a real world configuration. A connection setup to do stress testing of +a gateway might look like this: +.PP +.EX + charon { + reuse_ikesa = no + threads = 32 + + plugins { + load-tester { + enable = yes + # 10000 connections, ten in parallel + initiators = 10 + iterations = 1000 + # use a delay of 100ms, overall time is: + # iterations * delay = 100s + delay = 100 + # address of the gateway + remote = 1.2.3.4 + # IKE-proposal to use + proposal = aes128-sha1-modp1024 + # use faster PSK authentication instead + # of 1024bit RSA + initiator_auth = psk + responder_auth = psk + # request a virtual IP using configuration + # payloads + request_virtual_ip = yes + # enable CHILD_SA every 60s + child_rekey = 60 + } + } + } +.EE + +.SH IKEv2 RETRANSMISSION +Retransmission timeouts in the IKEv2 daemon charon can be configured globally +using the three keys listed below: +.PP +.RS +.nf +.BR charon.retransmit_base " [1.8]" +.BR charon.retransmit_timeout " [4.0]" +.BR charon.retransmit_tries " [5]" +.fi +.RE +.PP +The following algorithm is used to calculate the timeout: +.PP +.EX + relative timeout = retransmit_timeout * retransmit_base ^ (n-1) +.EE +.PP +Where +.I n +is the current retransmission count. +.PP +Using the default values, packets are retransmitted in: + +.TS +l r r +--- +lB r r. +Retransmission Relative Timeout Absolute Timeout +1 4s 4s +2 7s 11s +3 13s 24s +4 23s 47s +5 42s 89s +giving up 76s 165s +.TE + +.SH FILES +/etc/strongswan.conf + +.SH SEE ALSO +ipsec.conf(5), ipsec.secrets(5), ipsec(8) +.SH HISTORY +Written for the +.UR http://www.strongswan.org +strongSwan project +.UE +by Tobias Brunner, Andreas Steffen and Martin Willi. |