Diffstat (limited to 'man')
-rw-r--r--man/Makefile.in4
-rw-r--r--man/ipsec.conf.524
-rw-r--r--man/ipsec.conf.5.in22
-rw-r--r--man/ipsec.secrets.52
-rw-r--r--man/strongswan.conf.565
-rw-r--r--man/strongswan.conf.5.in63
6 files changed, 159 insertions, 21 deletions
diff --git a/man/Makefile.in b/man/Makefile.in
index 4388e318b..f0d8cde7d 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -198,9 +198,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -239,6 +237,8 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index b1e60b280..1b74fab08 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
@@ -589,7 +594,7 @@ sets
to the distinguished name of the certificate's subject and
.B leftca
to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
+The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
.TP
@@ -598,6 +603,10 @@ Same as
.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -953,6 +962,13 @@ synonym for
.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values
are
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 187f36957..9a789acef 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
+to (require the) use of the Extensible Authentication Protocol.
+To require a trustchain public key strength for the remote side, specify the
+key type followed by the strength in bits (for example
+.BR rsa-2048
+or
+.BR ecdsa-256 ).
+For
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
@@ -589,7 +594,7 @@ sets
to the distinguished name of the certificate's subject and
.B leftca
to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
+The left participant's ID can be overridden by specifying a
.B leftid
value which must be certified by the certificate, though.
.TP
@@ -598,6 +603,10 @@ Same as
.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -953,6 +962,13 @@ synonym for
.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
+.BR tfc " = <value>"
+number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
+is currently supported in IKEv2 and applies to outgoing packets only. The
+special value
+.BR %mtu
+fills up ESP packets with padding to have the size of the MTU.
+.TP
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values
are
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 1e586a491..3eb60afcf 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan"
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 2a8703503..2e58a87d0 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -60,6 +60,61 @@ An example file in this format might look like this:
.PP
Indentation is optional, you may use tabs or spaces.
+.SH INCLUDING FILES
+Using the
+.B include
+statement it is possible to include other files into strongswan.conf, e.g.
+.PP
+.EX
+ include /some/path/*.conf
+.EE
+.PP
+If the file name is not an absolute path, it is considered to be relative
+to the directory of the file containing the include statement. The file name
+may include shell wildcards (see
+.IR sh (1)).
+Also, such inclusions can be nested.
+.PP
+Sections loaded from included files
+.I extend
+previously loaded sections; already existing values are
+.IR replaced .
+It is important to note that settings are added relative to the section the
+include statement is in.
+.PP
+As an example, the following three files result in the same final
+config as the one given above:
+.PP
+.EX
+ a = b
+ section-one {
+ somevalue = before include
+ include include.conf
+ }
+ include other.conf
+
+include.conf:
+ # settings loaded from this file are added to section-one
+ # the following replaces the previous value
+ somevalue = asdf
+ subsection {
+ othervalue = yyy
+ }
+ yetanother = zz
+
+other.conf:
+ # this extends section-one and subsection
+ section-one {
+ subsection {
+ # this replaces the previous value
+ othervalue = xxx
+ }
+ }
+ section-two {
+ x = 12
+ }
+.EE
+
.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
@@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
-
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
.SS libtls section
.TP
.BR libtls.cipher
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 77db9a3c0..47aa6d552 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -60,6 +60,61 @@ An example file in this format might look like this:
.PP
Indentation is optional, you may use tabs or spaces.
+.SH INCLUDING FILES
+Using the
+.B include
+statement it is possible to include other files into strongswan.conf, e.g.
+.PP
+.EX
+ include /some/path/*.conf
+.EE
+.PP
+If the file name is not an absolute path, it is considered to be relative
+to the directory of the file containing the include statement. The file name
+may include shell wildcards (see
+.IR sh (1)).
+Also, such inclusions can be nested.
+.PP
+Sections loaded from included files
+.I extend
+previously loaded sections; already existing values are
+.IR replaced .
+It is important to note that settings are added relative to the section the
+include statement is in.
+.PP
+As an example, the following three files result in the same final
+config as the one given above:
+.PP
+.EX
+ a = b
+ section-one {
+ somevalue = before include
+ include include.conf
+ }
+ include other.conf
+
+include.conf:
+ # settings loaded from this file are added to section-one
+ # the following replaces the previous value
+ somevalue = asdf
+ subsection {
+ othervalue = yyy
+ }
+ yetanother = zz
+
+other.conf:
+ # this extends section-one and subsection
+ section-one {
+ subsection {
+ # this replaces the previous value
+ othervalue = xxx
+ }
+ }
+ section-two {
+ x = 12
+ }
+.EE
+
.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
@@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
-
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
.SS libtls section
.TP
.BR libtls.cipher