Diffstat (limited to 'man')
-rw-r--r-- | man/Makefile.in | 47 | ||||
-rw-r--r-- | man/ipsec.conf.5 | 19 | ||||
-rw-r--r-- | man/ipsec.conf.5.in | 17 | ||||
-rw-r--r-- | man/ipsec.secrets.5 | 2 | ||||
-rw-r--r-- | man/strongswan.conf.5 | 70 | ||||
-rw-r--r-- | man/strongswan.conf.5.in | 70 |
6 files changed, 188 insertions, 37 deletions
diff --git a/man/Makefile.in b/man/Makefile.in index e313a4fff..daebe3b90 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -15,6 +15,23 @@ @SET_MAKE@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -54,6 +71,11 @@ CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = SOURCES = DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -99,6 +121,8 @@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -115,6 +139,7 @@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -183,8 +208,6 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ -axis2c_CFLAGS = @axis2c_CFLAGS@ -axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -240,7 +263,6 @@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ -p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ @@ -320,11 +342,18 @@ clean-libtool: -rm -rf .libs _libs install-man5: $(dist_man_MANS) @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" - @list=''; test -n "$(man5dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ + @list1=''; \ + list2='$(dist_man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 index e24196c2b..554a6e8ca 100644 --- a/man/ipsec.conf.5 +++ b/man/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan" +.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -452,6 +452,11 @@ suites, the strict flag exclamation mark) can be used, e.g: .BR aes256-sha512-modp4096! .TP +.BR ikedscp " = " 000000 " | <DSCP field>" +Differentiated Services Field Codepoint to set on outgoing IKE packets sent +from this connection. The value is a six digit binary encoded string defining +the Codepoint to set, as defined in RFC 2474. +.TP .BR ikelifetime " = " 3h " | <time>" how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. Also see EXPIRY/REKEY below. 
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions. is required only if selecting the certificate with .B leftid is not sufficient, for example if multiple certificates use the same subject. +.br +Multiple certificate paths or PKCS#11 backends can be specified in a comma +separated list. The daemon chooses the certificate based on the received +certificate requests if possible before enforcing the first. .TP .BR leftcert2 " = <path>" Same as @@ -737,6 +746,14 @@ can be used to the same effect, e.g. .B leftprotoport=udp/%any or .BR leftprotoport=%any/53 . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. .TP .BR leftrsasigkey " = <raw rsa public key> | <path to public key>" the left participant's public key for RSA signature authentication, in RFC 2537 diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 2766cc4ed..e778ab773 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -452,6 +452,11 @@ suites, the strict flag exclamation mark) can be used, e.g: .BR aes256-sha512-modp4096! .TP +.BR ikedscp " = " 000000 " | <DSCP field>" +Differentiated Services Field Codepoint to set on outgoing IKE packets sent +from this connection. The value is a six digit binary encoded string defining +the Codepoint to set, as defined in RFC 2474. +.TP .BR ikelifetime " = " 3h " | <time>" how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. Also see EXPIRY/REKEY below. 
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions. is required only if selecting the certificate with .B leftid is not sufficient, for example if multiple certificates use the same subject. +.br +Multiple certificate paths or PKCS#11 backends can be specified in a comma +separated list. The daemon chooses the certificate based on the received +certificate requests if possible before enforcing the first. .TP .BR leftcert2 " = <path>" Same as @@ -737,6 +746,14 @@ can be used to the same effect, e.g. .B leftprotoport=udp/%any or .BR leftprotoport=%any/53 . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. .TP .BR leftrsasigkey " = <raw rsa public key> | <path to public key>" the left participant's public key for RSA signature authentication, in RFC 2537 diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 127f18f20..0948e5cc9 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan" +.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 8a34a7f93..34dfde735 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION 
@@ -416,6 +416,10 @@ is compared to the groups specified in the option in .B ipsec.conf (5). .TP +.BR charon.plugins.eap-radius.close_all_on_timeout " [no]" +Closes all IKE_SAs if communication with the RADIUS server times out. If it is +not set only the current IKE_SA is closed. +.TP .BR charon.plugins.eap-radius.dae.enable " [no]" Enables support for the Dynamic Authorization Extension (RFC 5176) .TP @@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP +.BR charon.plugins.ha.autobalance " [0]" +Interval in seconds to automatically balance handled segments between nodes. +Set to 0 to disable. +.TP .BR charon.plugins.ha.fifo_interface " [yes]" .TP @@ -569,6 +577,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.ha.segment_count " [1]" .TP +.BR charon.plugins.ipseckey.enable " [no]" +Enable the fetching of IPSECKEY RRs from the DNS +.TP .BR charon.plugins.led.activity_led .TP @@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP +.BR charon.plugins.stroke.timeout " [0]" +Timeout in ms for any stroke command. Use 0 to disable the timeout +.TP +.BR charon.plugins.systime-fix.interval " [0]" +Interval in seconds to check system time for validity. 0 disables the check +.TP +.BR charon.plugins.systime-fix.reauth " [no]" +Whether to use reauth or delete if an invalid cert lifetime is detected +.TP +.BR charon.plugins.systime-fix.threshold +Threshold date where system time is considered valid. Disabled if not specified +.TP +.BR charon.plugins.systime-fix.threshold_format " [%Y]" +strptime(3) format used to parse threshold option +.TP .BR charon.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA-TNC message (XML & Base64 encoding) .TP 
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) .BR charon.plugins.tnccs-20.max_message_size " [65490]" Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) .TP +.BR charon.plugins.tnc-ifmap.client_cert +Path to X.509 certificate file of IF-MAP client +.TP +.BR charon.plugins.tnc-ifmap.client_key +Path to private key file of IF-MAP client +.TP .BR charon.plugins.tnc-ifmap.device_name -Unique name of strongSwan as a PEP and/or PDP device +Unique name of strongSwan server as a PEP and/or PDP device .TP -.BR charon.plugins.tnc-ifmap.key_file -Concatenated client certificate and private key +.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" +Interval in seconds between periodic IF-MAP RenewSession requests .TP -.BR charon.plugins.tnc-ifmap.password -Authentication password of strongSwan MAP client +.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" +URI of the form [https://]servername[:port][/path] .TP .BR charon.plugins.tnc-ifmap.server_cert -Certificate of MAP server +Path to X.509 certificate file of IF-MAP server .TP -.BR charon.plugins.tnc-ifmap.ssl_passphrase -Passphrase protecting the private key -.TP -.BR charon.plugins.tnc-ifmap.username -Authentication username of strongSwan MAP client +.BR charon.plugins.tnc-ifmap.username_password +Credentials of IF-MAP client of the form username:password .TP .BR charon.plugins.tnc-imc.dlclose " [yes]" Unload IMC after use @@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS .BR charon.plugins.tnc-pdp.server Name of the strongSwan PDP as contained in the AAA certificate .TP +.BR charon.plugins.tnc-pdp.timeout +Timeout in seconds before closing incomplete connections +.TP .BR charon.plugins.updown.dns_handler " [no]" Whether the updown script should handle DNS serves assigned via IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they can't be handled by other 
@@ -776,6 +808,12 @@ File to read random bytes from, instead of /dev/random .TP .BR libstrongswan.plugins.random.urandom " [/dev/urandom]" File to read pseudo random bytes from, instead of /dev/urandom +.TP +.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]" +File to read DNS resolver configuration from +.TP +.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" +File to read DNSSEC trust anchors from (usually root zone KSK) .SS libtnccs section .TP .BR libtnccs.tnc_config " [/etc/tnc_config]" @@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user. Subsection that contains key/value pairs with address pools (in CIDR notation) to use for a specific network interface e.g. eth0 = 10.10.0.0/16 .TP +.BR charon.plugins.load-tester.addrs_keep " [no]" +Whether to keep dynamic addresses even after the associated SA got terminated +.TP .BR charon.plugins.load-tester.addrs_prefix " [16]" Network prefix length to use when installing dynamic addresses. If set to -1 the full address is used (i.e. 32 or 128) @@ -1330,6 +1371,9 @@ EAP secret to use in load test .BR charon.plugins.load-tester.enable " [no]" Enable the load testing plugin .TP +.BR charon.plugins.load-tester.esp " [aes128-sha1]" +CHILD_SA proposal to use for load tests +.TP .BR charon.plugins.load-tester.fake_kernel " [no]" Fake the kernel interface to allow load-testing against self .TP @@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses Initiator ID used in load test .TP .BR charon.plugins.load-tester.initiator_match -Initiator ID to to match against as responder +Initiator ID to match against as responder .TP .BR charon.plugins.load-tester.initiator_tsi Traffic selector on initiator side, as proposed by initiator diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 2fafed62d..d483addbd 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in 
@@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -416,6 +416,10 @@ is compared to the groups specified in the option in .B ipsec.conf (5). .TP +.BR charon.plugins.eap-radius.close_all_on_timeout " [no]" +Closes all IKE_SAs if communication with the RADIUS server times out. If it is +not set only the current IKE_SA is closed. +.TP .BR charon.plugins.eap-radius.dae.enable " [no]" Enables support for the Dynamic Authorization Extension (RFC 5176) .TP @@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP +.BR charon.plugins.ha.autobalance " [0]" +Interval in seconds to automatically balance handled segments between nodes. +Set to 0 to disable. +.TP .BR charon.plugins.ha.fifo_interface " [yes]" .TP @@ -569,6 +577,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.ha.segment_count " [1]" .TP +.BR charon.plugins.ipseckey.enable " [no]" +Enable the fetching of IPSECKEY RRs from the DNS +.TP .BR charon.plugins.led.activity_led .TP 
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP +.BR charon.plugins.stroke.timeout " [0]" +Timeout in ms for any stroke command. Use 0 to disable the timeout +.TP +.BR charon.plugins.systime-fix.interval " [0]" +Interval in seconds to check system time for validity. 0 disables the check +.TP +.BR charon.plugins.systime-fix.reauth " [no]" +Whether to use reauth or delete if an invalid cert lifetime is detected +.TP +.BR charon.plugins.systime-fix.threshold +Threshold date where system time is considered valid. Disabled if not specified +.TP +.BR charon.plugins.systime-fix.threshold_format " [%Y]" +strptime(3) format used to parse threshold option +.TP .BR charon.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA-TNC message (XML & Base64 encoding) .TP 
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) .BR charon.plugins.tnccs-20.max_message_size " [65490]" Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) .TP +.BR charon.plugins.tnc-ifmap.client_cert +Path to X.509 certificate file of IF-MAP client +.TP +.BR charon.plugins.tnc-ifmap.client_key +Path to private key file of IF-MAP client +.TP .BR charon.plugins.tnc-ifmap.device_name -Unique name of strongSwan as a PEP and/or PDP device +Unique name of strongSwan server as a PEP and/or PDP device .TP -.BR charon.plugins.tnc-ifmap.key_file -Concatenated client certificate and private key +.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" +Interval in seconds between periodic IF-MAP RenewSession requests .TP -.BR charon.plugins.tnc-ifmap.password -Authentication password of strongSwan MAP client +.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" +URI of the form [https://]servername[:port][/path] .TP .BR charon.plugins.tnc-ifmap.server_cert -Certificate of MAP server +Path to X.509 certificate file of IF-MAP server .TP -.BR charon.plugins.tnc-ifmap.ssl_passphrase -Passphrase protecting the private key -.TP -.BR charon.plugins.tnc-ifmap.username -Authentication username of strongSwan MAP client +.BR charon.plugins.tnc-ifmap.username_password +Credentials of IF-MAP client of the form username:password .TP .BR charon.plugins.tnc-imc.dlclose " [yes]" Unload IMC after use @@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS .BR charon.plugins.tnc-pdp.server Name of the strongSwan PDP as contained in the AAA certificate .TP +.BR charon.plugins.tnc-pdp.timeout +Timeout in seconds before closing incomplete connections +.TP .BR charon.plugins.updown.dns_handler " [no]" Whether the updown script should handle DNS serves assigned via IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they can't be handled by other 
@@ -776,6 +808,12 @@ File to read random bytes from, instead of @DEV_RANDOM@ .TP .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]" File to read pseudo random bytes from, instead of @DEV_URANDOM@ +.TP +.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]" +File to read DNS resolver configuration from +.TP +.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" +File to read DNSSEC trust anchors from (usually root zone KSK) .SS libtnccs section .TP .BR libtnccs.tnc_config " [/etc/tnc_config]" @@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user. Subsection that contains key/value pairs with address pools (in CIDR notation) to use for a specific network interface e.g. eth0 = 10.10.0.0/16 .TP +.BR charon.plugins.load-tester.addrs_keep " [no]" +Whether to keep dynamic addresses even after the associated SA got terminated +.TP .BR charon.plugins.load-tester.addrs_prefix " [16]" Network prefix length to use when installing dynamic addresses. If set to -1 the full address is used (i.e. 32 or 128) @@ -1330,6 +1371,9 @@ EAP secret to use in load test .BR charon.plugins.load-tester.enable " [no]" Enable the load testing plugin .TP +.BR charon.plugins.load-tester.esp " [aes128-sha1]" +CHILD_SA proposal to use for load tests +.TP .BR charon.plugins.load-tester.fake_kernel " [no]" Fake the kernel interface to allow load-testing against self .TP @@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses Initiator ID used in load test .TP .BR charon.plugins.load-tester.initiator_match -Initiator ID to to match against as responder +Initiator ID to match against as responder .TP .BR charon.plugins.load-tester.initiator_tsi Traffic selector on initiator side, as proposed by initiator |