Diffstat (limited to 'man')
-rw-r--r--man/Makefile.in47
-rw-r--r--man/ipsec.conf.519
-rw-r--r--man/ipsec.conf.5.in17
-rw-r--r--man/ipsec.secrets.52
-rw-r--r--man/strongswan.conf.570
-rw-r--r--man/strongswan.conf.5.in70
6 files changed, 188 insertions, 37 deletions
diff --git a/man/Makefile.in b/man/Makefile.in
index e313a4fff..daebe3b90 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -54,6 +71,11 @@ CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
SOURCES =
DIST_SOURCES =
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -99,6 +121,8 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
@@ -115,6 +139,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
@@ -183,8 +208,6 @@ am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -240,7 +263,6 @@ nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
@@ -320,11 +342,18 @@ clean-libtool:
-rm -rf .libs _libs
install-man5: $(dist_man_MANS)
@$(NORMAL_INSTALL)
- test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
- @list=''; test -n "$(man5dir)" || exit 0; \
- { for i in $$list; do echo "$$i"; done; \
- l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.5[a-z]*$$/p'; \
+ @list1=''; \
+ list2='$(dist_man_MANS)'; \
+ test -n "$(man5dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.5[a-z]*$$/p'; \
+ fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index e24196c2b..554a6e8ca 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,4 +1,4 @@
-.TH IPSEC.CONF 5 "2012-06-26" "5.0.2" "strongSwan"
+.TH IPSEC.CONF 5 "2012-06-26" "5.0.3rc1" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -452,6 +452,11 @@ suites, the strict flag
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
is required only if selecting the certificate with
.B leftid
is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
.B leftprotoport=udp/%any
or
.BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
.TP
.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 2766cc4ed..e778ab773 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -452,6 +452,11 @@ suites, the strict flag
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
@@ -613,6 +618,10 @@ connection. See ipsec.secrets(5) for details about smartcard definitions.
is required only if selecting the certificate with
.B leftid
is not sufficient, for example if multiple certificates use the same subject.
+.br
+Multiple certificate paths or PKCS#11 backends can be specified in a comma
+separated list. The daemon chooses the certificate based on the received
+certificate requests if possible before enforcing the first.
.TP
.BR leftcert2 " = <path>"
Same as
@@ -737,6 +746,14 @@ can be used to the same effect, e.g.
.B leftprotoport=udp/%any
or
.BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
.TP
.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
the left participant's public key for RSA signature authentication, in RFC 2537
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index 127f18f20..0948e5cc9 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,4 +1,4 @@
-.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.2" "strongSwan"
+.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.3rc1" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 8a34a7f93..34dfde735 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "5.0.2" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.3" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
option in
.B ipsec.conf (5).
.TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
.BR charon.plugins.eap-radius.dae.enable " [no]"
Enables support for the Dynamic Authorization Extension (RFC 5176)
.TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
.BR charon.plugins.ha.fifo_interface " [yes]"
.TP
@@ -569,6 +577,9 @@ Request peer authentication based on a client certificate
.BR charon.plugins.ha.segment_count " [1]"
.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
.BR charon.plugins.led.activity_led
.TP
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
.BR charon.plugins.stroke.max_concurrent " [4]"
Maximum number of stroke messages handled concurrently
.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
.BR charon.plugins.tnccs-11.max_message_size " [45000]"
Maximum size of a PA-TNC message (XML & Base64 encoding)
.TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
.BR charon.plugins.tnccs-20.max_message_size " [65490]"
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
.TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
.BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
.TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
.TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
.TP
.BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
.TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
.TP
.BR charon.plugins.tnc-imc.dlclose " [yes]"
Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
.BR charon.plugins.tnc-pdp.server
Name of the strongSwan PDP as contained in the AAA certificate
.TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
.BR charon.plugins.updown.dns_handler " [no]"
Whether the updown script should handle DNS serves assigned via IKEv1 Mode
Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of /dev/random
.TP
.BR libstrongswan.plugins.random.urandom " [/dev/urandom]"
File to read pseudo random bytes from, instead of /dev/urandom
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
Subsection that contains key/value pairs with address pools (in CIDR notation)
to use for a specific network interface e.g. eth0 = 10.10.0.0/16
.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
.BR charon.plugins.load-tester.addrs_prefix " [16]"
Network prefix length to use when installing dynamic addresses. If set to -1 the
full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
.BR charon.plugins.load-tester.enable " [no]"
Enable the load testing plugin
.TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
.BR charon.plugins.load-tester.fake_kernel " [no]"
Fake the kernel interface to allow load-testing against self
.TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
Initiator ID used in load test
.TP
.BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
.TP
.BR charon.plugins.load-tester.initiator_tsi
Traffic selector on initiator side, as proposed by initiator
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 2fafed62d..d483addbd 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -1,4 +1,4 @@
-.TH STRONGSWAN.CONF 5 "2013-01-25" "@IPSEC_VERSION@" "strongSwan"
+.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -416,6 +416,10 @@ is compared to the groups specified in the
option in
.B ipsec.conf (5).
.TP
+.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
+Closes all IKE_SAs if communication with the RADIUS server times out. If it is
+not set only the current IKE_SA is closed.
+.TP
.BR charon.plugins.eap-radius.dae.enable " [no]"
Enables support for the Dynamic Authorization Extension (RFC 5176)
.TP
@@ -539,6 +543,10 @@ Start phase2 EAP TNC protocol after successful client authentication
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
+.BR charon.plugins.ha.autobalance " [0]"
+Interval in seconds to automatically balance handled segments between nodes.
+Set to 0 to disable.
+.TP
.BR charon.plugins.ha.fifo_interface " [yes]"
.TP
@@ -569,6 +577,9 @@ Request peer authentication based on a client certificate
.BR charon.plugins.ha.segment_count " [1]"
.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
.BR charon.plugins.led.activity_led
.TP
@@ -616,6 +627,21 @@ certificates even if they don't contain a CA basic constraint.
.BR charon.plugins.stroke.max_concurrent " [4]"
Maximum number of stroke messages handled concurrently
.TP
+.BR charon.plugins.stroke.timeout " [0]"
+Timeout in ms for any stroke command. Use 0 to disable the timeout
+.TP
+.BR charon.plugins.systime-fix.interval " [0]"
+Interval in seconds to check system time for validity. 0 disables the check
+.TP
+.BR charon.plugins.systime-fix.reauth " [no]"
+Whether to use reauth or delete if an invalid cert lifetime is detected
+.TP
+.BR charon.plugins.systime-fix.threshold
+Threshold date where system time is considered valid. Disabled if not specified
+.TP
+.BR charon.plugins.systime-fix.threshold_format " [%Y]"
+strptime(3) format used to parse threshold option
+.TP
.BR charon.plugins.tnccs-11.max_message_size " [45000]"
Maximum size of a PA-TNC message (XML & Base64 encoding)
.TP
@@ -625,23 +651,26 @@ Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
.BR charon.plugins.tnccs-20.max_message_size " [65490]"
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
.TP
+.BR charon.plugins.tnc-ifmap.client_cert
+Path to X.509 certificate file of IF-MAP client
+.TP
+.BR charon.plugins.tnc-ifmap.client_key
+Path to private key file of IF-MAP client
+.TP
.BR charon.plugins.tnc-ifmap.device_name
-Unique name of strongSwan as a PEP and/or PDP device
+Unique name of strongSwan server as a PEP and/or PDP device
.TP
-.BR charon.plugins.tnc-ifmap.key_file
-Concatenated client certificate and private key
+.BR charon.plugins.tnc-ifmap.renew_session_interval " [150]"
+Interval in seconds between periodic IF-MAP RenewSession requests
.TP
-.BR charon.plugins.tnc-ifmap.password
-Authentication password of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]"
+URI of the form [https://]servername[:port][/path]
.TP
.BR charon.plugins.tnc-ifmap.server_cert
-Certificate of MAP server
+Path to X.509 certificate file of IF-MAP server
.TP
-.BR charon.plugins.tnc-ifmap.ssl_passphrase
-Passphrase protecting the private key
-.TP
-.BR charon.plugins.tnc-ifmap.username
-Authentication username of strongSwan MAP client
+.BR charon.plugins.tnc-ifmap.username_password
+Credentials of IF-MAP client of the form username:password
.TP
.BR charon.plugins.tnc-imc.dlclose " [yes]"
Unload IMC after use
@@ -664,6 +693,9 @@ Shared RADIUS secret between strongSwan PDP and NAS
.BR charon.plugins.tnc-pdp.server
Name of the strongSwan PDP as contained in the AAA certificate
.TP
+.BR charon.plugins.tnc-pdp.timeout
+Timeout in seconds before closing incomplete connections
+.TP
.BR charon.plugins.updown.dns_handler " [no]"
Whether the updown script should handle DNS serves assigned via IKEv1 Mode
Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -776,6 +808,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
.TP
.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -1299,6 +1337,9 @@ preconfigured credentials and allows an attacker to authenticate as any user.
Subsection that contains key/value pairs with address pools (in CIDR notation)
to use for a specific network interface e.g. eth0 = 10.10.0.0/16
.TP
+.BR charon.plugins.load-tester.addrs_keep " [no]"
+Whether to keep dynamic addresses even after the associated SA got terminated
+.TP
.BR charon.plugins.load-tester.addrs_prefix " [16]"
Network prefix length to use when installing dynamic addresses. If set to -1 the
full address is used (i.e. 32 or 128)
@@ -1330,6 +1371,9 @@ EAP secret to use in load test
.BR charon.plugins.load-tester.enable " [no]"
Enable the load testing plugin
.TP
+.BR charon.plugins.load-tester.esp " [aes128-sha1]"
+CHILD_SA proposal to use for load tests
+.TP
.BR charon.plugins.load-tester.fake_kernel " [no]"
Fake the kernel interface to allow load-testing against self
.TP
@@ -1352,7 +1396,7 @@ Authentication method(s) the intiator uses
Initiator ID used in load test
.TP
.BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
.TP
.BR charon.plugins.load-tester.initiator_tsi
Traffic selector on initiator side, as proposed by initiator