diff options
Diffstat (limited to 'man/strongswan.conf.5')
-rw-r--r-- | man/strongswan.conf.5 | 138 |
1 files changed, 93 insertions, 45 deletions
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 3c820dbf9..fc99c8c47 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -133,8 +133,14 @@ Path to database with file measurement information .TP .BR attest.load Plugins to load in ipsec attest tool + .SS charon section .TP +.BR Note : +Many of these options also apply to \fBcharon\-cmd\fR and other +\fBcharon\fR derivatives. Just use their respective name (e.g. +\fIcharon\-cmd\fR) instead of \fIcharon\fR. +.TP .BR charon.block_threshold " [5]" Maximum number of half-open IKE_SAs for a single peer IP .TP @@ -168,6 +174,9 @@ used certificates. Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 fragmentation extension. .TP +.BR charon.group +Name of the group the daemon changes to after startup +.TP .BR charon.half_open_timeout " [30]" Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). .TP @@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION .TP .BR charon.threads " [16]" Number of worker threads in charon +.TP +.BR charon.user +Name of the user the daemon changes to after startup .SS charon.plugins subsection .TP .BR charon.plugins.android_log.loglevel " [1]" @@ -323,6 +335,18 @@ configuration payload (CP) .BR charon.plugins.certexpire.csv.cron Cron style string specifying CSV export times .TP +.BR charon.plugins.certexpire.csv.empty_string +String to use in empty intermediate CA fields +.TP +.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" +Use a fixed intermediate CA field count +.TP +.BR charon.plugins.certexpire.csv.force " [yes]" +Force export of all trustchains we have a private key for +.TP +.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" +strftime(3) format string to export expiration dates as +.TP .BR charon.plugins.certexpire.csv.local strftime(3) format string for the CSV file name to export local certificates to .TP @@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to .BR charon.plugins.certexpire.csv.separator " [,]" CSV field separator .TP -.BR charon.plugins.certexpire.csv.empty_string -String to use in empty intermediate CA fields -.TP -.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" -strftime(3) format string to export expiration dates as -.TP -.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" -Use a fixed intermediate CA field count -.TP .BR charon.plugins.coupling.file File to store coupling list to .TP @@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address .BR charon.plugins.duplicheck.enable " [yes]" Enable duplicheck plugin (if loaded) .TP +.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" +Socket provided by the duplicheck plugin +.TP .BR charon.plugins.eap-aka.request_identity " [yes]" .TP @@ -410,6 +428,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.eap-radius.accounting " [no]" Send RADIUS accounting information to RADIUS servers. .TP +.BR charon.plugins.eap-radius.accounting_requires_vip " [no]" +If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP +.TP .BR charon.plugins.eap-radius.class_group " [no]" Use the .I class @@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP +.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +Socket provided by the error-notify plugin +.TP .BR charon.plugins.ha.autobalance " [0]" Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. @@ -581,7 +605,7 @@ Set to 0 to disable. .TP .BR charon.plugins.ipseckey.enable " [no]" -Enable the fetching of IPSECKEY RRs from the DNS +Enable the fetching of IPSECKEY RRs via DNS .TP .BR charon.plugins.led.activity_led @@ -595,9 +619,18 @@ Number of ipsecN devices .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" Set MTU of ipsecN device .TP +.BR charon.plugins.kernel-netlink.roam_events " [yes]" +Whether to trigger roam events when interfaces, addresses or routes change +.TP +.BR charon.plugins.kernel-pfroute.vip_wait " [1000]" +Time in ms to wait until virtual IP addresses appear/disappear before failing. +.TP .BR charon.plugins.load-tester Section to configure the load-tester plugin, see LOAD TESTS .TP +.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" +Socket provided by the lookip plugin +.TP .BR charon.plugins.radattr.dir Directory where RADIUS attributes are stored in client-ID specific files. .TP @@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5). .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. .TP +.BR charon.plugins.socket-default.use_ipv4 " [yes]" +Listen on IPv4, if possible. +.TP +.BR charon.plugins.socket-default.use_ipv6 " [yes]" +Listen on IPv6, if possible. +.TP .BR charon.plugins.sql.database Database URI for charons SQL plugin .TP @@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP +.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +Socket provided by the stroke plugin +.TP .BR charon.plugins.stroke.timeout " [0]" Timeout in ms for any stroke command. Use 0 to disable the timeout .TP @@ -707,6 +749,9 @@ plugins, like resolve) .BR charon.plugins.whitelist.enable " [yes]" Enable loaded whitelist plugin .TP +.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]" +Socket provided by the whitelist plugin +.TP .BR charon.plugins.xauth-eap.backend " [radius]" EAP plugin to be used as backend for XAuth credential verification .TP @@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output .BR libstrongswan.leak_detective.usage_threshold " [10240]" Threshold in bytes for leaks to be reported (0 to report all) .TP +.BR libstrongswan.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all) +.TP .BR libstrongswan.processor.priority_threads Subsection to configure the number of reserved threads per priority class see JOB PRIORITY MANAGEMENT @@ -820,6 +868,19 @@ File to read DNS resolver configuration from .TP .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" File to read DNSSEC trust anchors from (usually root zone KSK) +.SS libtls section +.TP +.BR libtls.cipher +List of TLS encryption ciphers +.TP +.BR libtls.key_exchange +List of TLS key exchange methods +.TP +.BR libtls.mac +List of TLS MAC algorithms +.TP +.BR libtls.suites +List of TLS cipher suites .SS libtnccs section .TP .BR libtnccs.tnc_config " [/etc/tnc_config]" @@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory .BR libimcv.assessment_result " [yes]" Whether IMVs send a standard IETF Assessment Result attribute .TP +.BR libimcv.database +Global IMV policy database URI +.TP .BR libimcv.debug_level " [1]" Debug level for a stand-alone libimcv library .TP -.BR libimcv.stderr_quiet " [no]" -Disable output to stderr with a stand-alone libimcv library +.BR libimcv.load " [random nonce gmp pubkey x509]" +Plugins to load in IMC/IMVs .TP .BR libimcv.os_info.name Manually set the name of the client OS (e.g. Ubuntu) .TP .BR libimcv.os_info.version Manually set the version of the client OS (e.g. 12.04 i686) +.TP +.BR libimcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies +.TP +.BR libimcv.stderr_quiet " [no]" +isable output to stderr with a stand-alone libimcv library +.PP .SS libimcv plugins section .TP .BR libimcv.plugins.imc-attestation.aik_blob @@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature .BR libimcv.plugins.imv-attestation.cadir Path to directory with AIK cacerts .TP -.BR libimcv.plugins.imv-attestation.database -Path to database with file measurement information -.TP .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]" Preferred Diffie-Hellman group .TP @@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions .BR libimcv.plugins.imc-os.push_info " [yes]" Send operating system info without being prompted .TP -.BR libimcv.plugins.imv-os.database -Database URI for the database that stores operating system information -.TP .BR libimcv.plugins.imv-os.remediation_uri URI pointing to operating system remediation instructions .TP .BR libimcv.plugins.imc-scanner.push_info " [yes]" Send open listening ports without being prompted .TP -.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]" -By default all ports must be closed (yes) or can be open (no) -.TP .BR libimcv.plugins.imv-scanner.remediation_uri URI pointing to scanner remediation instructions .TP -.BR libimcv.plugins.imv-scanner.tcp_ports -List of TCP ports that can be open or must be closed -.TP -.BR libimcv.plugins.imv-scanner.udp_ports -List of UDP ports that can be open or must be closed -.TP .BR libimcv.plugins.imc-test.additional_ids " [0]" Number of additional IMC IDs .TP @@ -908,30 +964,17 @@ Command to be sent to the Test IMV .BR libimcv.plugins.imc-test.dummy_size " [0]" Size of dummy attribute to be sent to the Test IMV (0 = disabled) .TP +.BR libimcv.plugins.imv-test.remediation_uri +URI pointing to test remediation instructions +.TP .BR libimcv.plugins.imc-test.retry " [no]" Do a handshake retry .TP .BR libimcv.plugins.imc-test.retry_command Command to be sent to the Test IMV in the handshake retry .TP -.BR libimcv.plugins.imv-test.remediation_uri -URI pointing to test remediation instructions -.TP .BR libimcv.plugins.imv-test.rounds " [0]" Number of IMC-IMV retry rounds -.SS libtls section -.TP -.BR libtls.cipher -List of TLS encryption ciphers -.TP -.BR libtls.key_exchange -List of TLS key exchange methods -.TP -.BR libtls.mac -List of TLS MAC algorithms -.TP -.BR libtls.suites -List of TLS cipher suites .SS manager section .TP .BR manager.database @@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server .BR charon.plugins.load-tester.shutdown_when_complete " [no]" Shutdown the daemon after all IKE_SAs have been established .TP +.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" +Socket provided by the load-tester plugin +.TP .BR charon.plugins.load-tester.version " [0]" IKE version to use (0 means use IKEv2 as initiator and accept any version as responder) +.PP .SS Configuration details For public key authentication, the responder uses the .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq @@ -1608,7 +1655,8 @@ giving up 76s 165s /etc/strongswan.conf .SH SEE ALSO -ipsec.conf(5), ipsec.secrets(5), ipsec(8) +\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) + .SH HISTORY Written for the .UR http://www.strongswan.org |