Diffstat (limited to 'man')
-rw-r--r-- | man/Makefile.am | 2 | ||||
-rw-r--r-- | man/Makefile.in | 16 | ||||
-rw-r--r-- | man/ipsec.conf.5 | 80 | ||||
-rw-r--r-- | man/ipsec.conf.5.in | 78 | ||||
-rw-r--r-- | man/ipsec.secrets.5 | 23 | ||||
-rw-r--r-- | man/ipsec.secrets.5.in | 21 | ||||
-rw-r--r-- | man/strongswan.conf.5 | 138 | ||||
-rw-r--r-- | man/strongswan.conf.5.in | 138 |
8 files changed, 334 insertions, 162 deletions
diff --git a/man/Makefile.am b/man/Makefile.am index ea04303bd..0becd24c7 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -5,9 +5,9 @@ CLEANFILES = ipsec.conf.5 ipsec.secrets.5 strongswan.conf.5 SUFFIXES = .in .in: + $(AM_V_GEN) \ sed \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ -e "s:@DEV_URANDOM@:$(urandom_device):" \ -e "s:@DEV_RANDOM@:$(random_device):" \ $(srcdir)/$@.in > $@ - diff --git a/man/Makefile.in b/man/Makefile.in index 50b7144a1..0bc64a6eb 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -62,13 +62,19 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ SOURCES = DIST_SOURCES = am__can_run_installinfo = \ @@ -111,6 +117,7 @@ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ @@ -123,6 +130,8 @@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CHECK_CFLAGS = @CHECK_CFLAGS@ CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ @@ -138,6 +147,7 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ GPRBUILD = @GPRBUILD@ GREP = @GREP@ 
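Review bot: The `.in:` recipe still redirects sed straight into `$@`, so a sed that fails or is interrupted leaves a truncated man page that is newer than its `.in` source and is treated as up to date on the next run; the added `$(AM_V_GEN) \` line does not change that. Write to a temporary name and rename only on success, e.g. `$(srcdir)/$@.in > $@.tmp && mv -f $@.tmp $@` on the last recipe line, or declare `.DELETE_ON_ERROR:` once in the file. The generated man/Makefile.in repeats the same recipe in its `@@ -556,6 +569,7 @@` hunk, so that copy should come from regenerating rather than a hand edit. The `am__v_GEN_0` definition visible in the Makefile.in hunk ends with `;`, so splicing `$(AM_V_GEN)` in front of `sed` via backslash-continuation appears well-formed in both silent and verbose modes.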
@@ -146,6 +156,7 @@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -192,6 +203,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ @@ -220,6 +232,7 @@ charon_natt_port = @charon_natt_port@ charon_plugins = @charon_plugins@ charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ @@ -556,6 +569,7 @@ uninstall-man: uninstall-man5 .in: + $(AM_V_GEN) \ sed \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ -e "s:@DEV_URANDOM@:$(urandom_device):" \ diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 index 981b53dba..76bef614f 100644 --- a/man/ipsec.conf.5 +++ b/man/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "2012-06-26" "5.0.4" "strongSwan" +.TH IPSEC.CONF 5 "2012-06-26" "5.1.0" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -300,8 +300,7 @@ for meaning of values). A .B closeaction should not be used if the peer uses reauthentication or uniquids checking, as these events -might trigger the defined action when not desired. Currently not supported with -IKEv1. +might trigger the defined action when not desired. .TP .BR compress " = yes | " no whether IPComp compression of content is proposed on the connection 
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that listens on this port. .TP .BR leftprotoport " = <protocol>/<port>" -restrict the traffic selector to a single protocol and/or port. -Examples: -.B leftprotoport=tcp/http -or -.B leftprotoport=6/80 -or -.B leftprotoport=udp +restrict the traffic selector to a single protocol and/or port. This option +is now deprecated, protocol/port information can be defined for each subnet +directly in +.BR leftsubnet . +.TP +.BR leftsigkey " = <raw public key> | <path to public key>" +the left participant's public key for public key signature authentication, +in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the +optional +.B dns: or -.BR leftprotoport=/53 . -Instead of omitting either value -.B %any -can be used to the same effect, e.g. -.B leftprotoport=udp/%any -or -.BR leftprotoport=%any/53 . - -The port value can alternatively take the value -.B %opaque -for RFC 4301 OPAQUE selectors, or a numerical range in the form -.BR 1024-65535 . -None of the kernel backends currently supports opaque or port ranges and uses -.B %any -for policy installation instead. -.TP -.BR leftrsasigkey " = <raw rsa public key> | <path to public key>" -the left participant's public key for RSA signature authentication, in RFC 2537 -format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is -the path to a file containing the public key in PEM or DER encoding. +.B ssh: +prefix in front of 0x or 0s, the public key is expected to be in either +the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format, +respectively. +Also accepted is the path to a file containing the public key in PEM or DER +encoding. .TP .BR leftsendcert " = never | no | " ifasked " | always | yes" Accepted values are 
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as or the use of an external IP address pool using %\fIpoolname\fR, where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP -.BR leftsubnet " = <ip subnet>" +.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]" private subnet behind the left participant, expressed as \fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, @@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled. + +The optional part after each subnet enclosed in square brackets specifies a +protocol/port to restrict the selector for that subnet. + +Examples: +.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or" +.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] . +Instead of omitting either value +.B %any +can be used to the same effect, e.g. +.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. + +Instead of specifying a subnet, +.B %dynamic +can be used to replace it with the IKE address, having the same effect +as omitting +.B leftsubnet +completely. Using +.B %dynamic +can be used to define multiple dynamic selectors, each having a potentially +different protocol/port definition. + .TP .BR leftupdown " = <path>" what ``updown'' script to run to adjust routing and/or firewalling diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index e778ab773..4c64e86ca 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in 
@@ -300,8 +300,7 @@ for meaning of values). A .B closeaction should not be used if the peer uses reauthentication or uniquids checking, as these events -might trigger the defined action when not desired. Currently not supported with -IKEv1. +might trigger the defined action when not desired. .TP .BR compress " = yes | " no whether IPComp compression of content is proposed on the connection 
@@ -731,34 +730,23 @@ different from the default additionally requires a socket implementation that listens on this port. .TP .BR leftprotoport " = <protocol>/<port>" -restrict the traffic selector to a single protocol and/or port. -Examples: -.B leftprotoport=tcp/http -or -.B leftprotoport=6/80 -or -.B leftprotoport=udp +restrict the traffic selector to a single protocol and/or port. This option +is now deprecated, protocol/port information can be defined for each subnet +directly in +.BR leftsubnet . +.TP +.BR leftsigkey " = <raw public key> | <path to public key>" +the left participant's public key for public key signature authentication, +in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the +optional +.B dns: or -.BR leftprotoport=/53 . -Instead of omitting either value -.B %any -can be used to the same effect, e.g. -.B leftprotoport=udp/%any -or -.BR leftprotoport=%any/53 . - -The port value can alternatively take the value -.B %opaque -for RFC 4301 OPAQUE selectors, or a numerical range in the form -.BR 1024-65535 . -None of the kernel backends currently supports opaque or port ranges and uses -.B %any -for policy installation instead. -.TP -.BR leftrsasigkey " = <raw rsa public key> | <path to public key>" -the left participant's public key for RSA signature authentication, in RFC 2537 -format using hex (0x prefix) or base64 (0s prefix) encoding. Also accepted is -the path to a file containing the public key in PEM or DER encoding. +.B ssh: +prefix in front of 0x or 0s, the public key is expected to be in either +the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format, +respectively. +Also accepted is the path to a file containing the public key in PEM or DER +encoding. .TP .BR leftsendcert " = never | no | " ifasked " | always | yes" Accepted values are 
@@ -799,7 +787,7 @@ echoed back. Also supported are address pools expressed as or the use of an external IP address pool using %\fIpoolname\fR, where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP -.BR leftsubnet " = <ip subnet>" +.BR leftsubnet " = <ip subnet>[[<proto/port>]][,...]" private subnet behind the left participant, expressed as \fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, @@ -810,6 +798,36 @@ implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled. + +The optional part after each subnet enclosed in square brackets specifies a +protocol/port to restrict the selector for that subnet. + +Examples: +.BR leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] " or" +.BR leftsubnet=fec1::1[udp],10.0.0.0/16[/53] . +Instead of omitting either value +.B %any +can be used to the same effect, e.g. +.BR leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53] . + +The port value can alternatively take the value +.B %opaque +for RFC 4301 OPAQUE selectors, or a numerical range in the form +.BR 1024-65535 . +None of the kernel backends currently supports opaque or port ranges and uses +.B %any +for policy installation instead. + +Instead of specifying a subnet, +.B %dynamic +can be used to replace it with the IKE address, having the same effect +as omitting +.B leftsubnet +completely. Using +.B %dynamic +can be used to define multiple dynamic selectors, each having a potentially +different protocol/port definition. + .TP .BR leftupdown " = <path>" what ``updown'' script to run to adjust routing and/or firewalling diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 9b3d19190..a4a58f261 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 
@@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2011-12-14" "5.0.4" "strongSwan" +.TH IPSEC.SECRETS 5 "2011-12-14" "5.1.0rc1" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION @@ -91,6 +91,9 @@ defines an RSA private key .B ECDSA defines an ECDSA private key .TP +.B P12 +defines a PKCS#12 container +.TP .B EAP defines EAP credentials .TP @@ -133,16 +136,26 @@ Similarly, a character sequence beginning with .B 0s is interpreted as Base64 encoded binary data. .TP -.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] +.B : RSA <private key file> [ <passphrase> | %prompt ] .TQ -.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] +.B : ECDSA <private key file> [ <passphrase> | %prompt ] For the private key file both absolute paths or paths relative to \fI/etc/ipsec.d/private\fP are accepted. If the private key file is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt -can be used which then causes the daemons to ask the user for the password +can be used which then causes the daemon to ask the user for the password whenever it is required to decrypt the key. .TP +.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ] +For the PKCS#12 file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the container is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemon to ask the user for the password +whenever it is required to decrypt the container. Private keys, client and CA +certificates are extracted from the container. To use such a client certificate +in a connection set leftid to one of the subjects of the certificate. +.TP .B <user id> : EAP <secret> The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. .br 
@@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to the module name defined in strongswan.conf(5). Instead of specifying the pin code statically, .B %prompt -can be specified, which causes the daemons to ask the user for the pin code. +can be specified, which causes the daemon to ask the user for the pin code. .LP .SH FILES diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in index 319d4856b..ee20c9670 100644 --- a/man/ipsec.secrets.5.in +++ b/man/ipsec.secrets.5.in @@ -91,6 +91,9 @@ defines an RSA private key .B ECDSA defines an ECDSA private key .TP +.B P12 +defines a PKCS#12 container +.TP .B EAP defines EAP credentials .TP 
@@ -133,16 +136,26 @@ Similarly, a character sequence beginning with .B 0s is interpreted as Base64 encoded binary data. .TP -.B [ <selectors> ] : RSA <private key file> [ <passphrase> | %prompt ] +.B : RSA <private key file> [ <passphrase> | %prompt ] .TQ -.B [ <selectors> ] : ECDSA <private key file> [ <passphrase> | %prompt ] +.B : ECDSA <private key file> [ <passphrase> | %prompt ] For the private key file both absolute paths or paths relative to \fI/etc/ipsec.d/private\fP are accepted. If the private key file is encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase .B %prompt -can be used which then causes the daemons to ask the user for the password +can be used which then causes the daemon to ask the user for the password whenever it is required to decrypt the key. .TP +.B : P12 <PKCS#12 file> [ <passphrase> | %prompt ] +For the PKCS#12 file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the container is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemon to ask the user for the password +whenever it is required to decrypt the container. Private keys, client and CA +certificates are extracted from the container. To use such a client certificate +in a connection set leftid to one of the subjects of the certificate. +.TP .B <user id> : EAP <secret> The format of \fIsecret\fP is the same as that of \fBPSK\fP secrets. .br @@ -165,7 +178,7 @@ key. The slot number defines the slot on the token, the module name refers to the module name defined in strongswan.conf(5). Instead of specifying the pin code statically, .B %prompt -can be specified, which causes the daemons to ask the user for the pin code. +can be specified, which causes the daemon to ask the user for the pin code. .LP .SH FILES diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 3c820dbf9..fc99c8c47 100644 --- a/man/strongswan.conf.5 
+++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-04-01" "5.0.4" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-07-22" "5.1.0" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -133,8 +133,14 @@ Path to database with file measurement information .TP .BR attest.load Plugins to load in ipsec attest tool + .SS charon section .TP +.BR Note : +Many of these options also apply to \fBcharon\-cmd\fR and other +\fBcharon\fR derivatives. Just use their respective name (e.g. +\fIcharon\-cmd\fR) instead of \fIcharon\fR. +.TP .BR charon.block_threshold " [5]" Maximum number of half-open IKE_SAs for a single peer IP .TP @@ -168,6 +174,9 @@ used certificates. Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 fragmentation extension. .TP +.BR charon.group +Name of the group the daemon changes to after startup +.TP .BR charon.half_open_timeout " [30]" Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). .TP @@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION .TP .BR charon.threads " [16]" Number of worker threads in charon +.TP +.BR charon.user +Name of the user the daemon changes to after startup .SS charon.plugins subsection .TP .BR charon.plugins.android_log.loglevel " [1]" 
@@ -323,6 +335,18 @@ configuration payload (CP) .BR charon.plugins.certexpire.csv.cron Cron style string specifying CSV export times .TP +.BR charon.plugins.certexpire.csv.empty_string +String to use in empty intermediate CA fields +.TP +.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" +Use a fixed intermediate CA field count +.TP +.BR charon.plugins.certexpire.csv.force " [yes]" +Force export of all trustchains we have a private key for +.TP +.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" +strftime(3) format string to export expiration dates as +.TP .BR charon.plugins.certexpire.csv.local strftime(3) format string for the CSV file name to export local certificates to .TP @@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to .BR charon.plugins.certexpire.csv.separator " [,]" CSV field separator .TP -.BR charon.plugins.certexpire.csv.empty_string -String to use in empty intermediate CA fields -.TP -.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" -strftime(3) format string to export expiration dates as -.TP -.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" -Use a fixed intermediate CA field count -.TP .BR charon.plugins.coupling.file File to store coupling list to .TP @@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address .BR charon.plugins.duplicheck.enable " [yes]" Enable duplicheck plugin (if loaded) .TP +.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" +Socket provided by the duplicheck plugin +.TP .BR charon.plugins.eap-aka.request_identity " [yes]" .TP @@ -410,6 +428,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.eap-radius.accounting " [no]" Send RADIUS accounting information to RADIUS servers. .TP +.BR charon.plugins.eap-radius.accounting_requires_vip " [no]" +If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP +.TP .BR charon.plugins.eap-radius.class_group " [no]" Use the .I class 
@@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP +.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +Socket provided by the error-notify plugin +.TP .BR charon.plugins.ha.autobalance " [0]" Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. @@ -581,7 +605,7 @@ Set to 0 to disable. .TP .BR charon.plugins.ipseckey.enable " [no]" -Enable the fetching of IPSECKEY RRs from the DNS +Enable the fetching of IPSECKEY RRs via DNS .TP .BR charon.plugins.led.activity_led @@ -595,9 +619,18 @@ Number of ipsecN devices .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" Set MTU of ipsecN device .TP +.BR charon.plugins.kernel-netlink.roam_events " [yes]" +Whether to trigger roam events when interfaces, addresses or routes change +.TP +.BR charon.plugins.kernel-pfroute.vip_wait " [1000]" +Time in ms to wait until virtual IP addresses appear/disappear before failing. +.TP .BR charon.plugins.load-tester Section to configure the load-tester plugin, see LOAD TESTS .TP +.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" +Socket provided by the lookip plugin +.TP .BR charon.plugins.radattr.dir Directory where RADIUS attributes are stored in client-ID specific files. .TP @@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5). .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. .TP +.BR charon.plugins.socket-default.use_ipv4 " [yes]" +Listen on IPv4, if possible. +.TP +.BR charon.plugins.socket-default.use_ipv6 " [yes]" +Listen on IPv6, if possible. +.TP .BR charon.plugins.sql.database Database URI for charons SQL plugin .TP 
@@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP +.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +Socket provided by the stroke plugin +.TP .BR charon.plugins.stroke.timeout " [0]" Timeout in ms for any stroke command. Use 0 to disable the timeout .TP @@ -707,6 +749,9 @@ plugins, like resolve) .BR charon.plugins.whitelist.enable " [yes]" Enable loaded whitelist plugin .TP +.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]" +Socket provided by the whitelist plugin +.TP .BR charon.plugins.xauth-eap.backend " [radius]" EAP plugin to be used as backend for XAuth credential verification .TP @@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output .BR libstrongswan.leak_detective.usage_threshold " [10240]" Threshold in bytes for leaks to be reported (0 to report all) .TP +.BR libstrongswan.leak_detective.usage_threshold_count " [0]" +Threshold in number of allocations for leaks to be reported (0 to report all) +.TP .BR libstrongswan.processor.priority_threads Subsection to configure the number of reserved threads per priority class see JOB PRIORITY MANAGEMENT @@ -820,6 +868,19 @@ File to read DNS resolver configuration from .TP .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" File to read DNSSEC trust anchors from (usually root zone KSK) +.SS libtls section +.TP +.BR libtls.cipher +List of TLS encryption ciphers +.TP +.BR libtls.key_exchange +List of TLS key exchange methods +.TP +.BR libtls.mac +List of TLS MAC algorithms +.TP +.BR libtls.suites +List of TLS cipher suites .SS libtnccs section .TP .BR libtnccs.tnc_config " [/etc/tnc_config]" 
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory .BR libimcv.assessment_result " [yes]" Whether IMVs send a standard IETF Assessment Result attribute .TP +.BR libimcv.database +Global IMV policy database URI +.TP .BR libimcv.debug_level " [1]" Debug level for a stand-alone libimcv library .TP -.BR libimcv.stderr_quiet " [no]" -Disable output to stderr with a stand-alone libimcv library +.BR libimcv.load " [random nonce gmp pubkey x509]" +Plugins to load in IMC/IMVs .TP .BR libimcv.os_info.name Manually set the name of the client OS (e.g. Ubuntu) .TP .BR libimcv.os_info.version Manually set the version of the client OS (e.g. 12.04 i686) +.TP +.BR libimcv.policy_script " [ipsec _imv_policy]" +Script called for each TNC connection to generate IMV policies +.TP +.BR libimcv.stderr_quiet " [no]" +isable output to stderr with a stand-alone libimcv library +.PP .SS libimcv plugins section .TP .BR libimcv.plugins.imc-attestation.aik_blob @@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature .BR libimcv.plugins.imv-attestation.cadir Path to directory with AIK cacerts .TP -.BR libimcv.plugins.imv-attestation.database -Path to database with file measurement information -.TP .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]" Preferred Diffie-Hellman group .TP 
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions .BR libimcv.plugins.imc-os.push_info " [yes]" Send operating system info without being prompted .TP -.BR libimcv.plugins.imv-os.database -Database URI for the database that stores operating system information -.TP .BR libimcv.plugins.imv-os.remediation_uri URI pointing to operating system remediation instructions .TP .BR libimcv.plugins.imc-scanner.push_info " [yes]" Send open listening ports without being prompted .TP -.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]" -By default all ports must be closed (yes) or can be open (no) -.TP .BR libimcv.plugins.imv-scanner.remediation_uri URI pointing to scanner remediation instructions .TP -.BR libimcv.plugins.imv-scanner.tcp_ports -List of TCP ports that can be open or must be closed -.TP -.BR libimcv.plugins.imv-scanner.udp_ports -List of UDP ports that can be open or must be closed -.TP .BR libimcv.plugins.imc-test.additional_ids " [0]" Number of additional IMC IDs .TP @@ -908,30 +964,17 @@ Command to be sent to the Test IMV .BR libimcv.plugins.imc-test.dummy_size " [0]" Size of dummy attribute to be sent to the Test IMV (0 = disabled) .TP +.BR libimcv.plugins.imv-test.remediation_uri +URI pointing to test remediation instructions +.TP .BR libimcv.plugins.imc-test.retry " [no]" Do a handshake retry .TP .BR libimcv.plugins.imc-test.retry_command Command to be sent to the Test IMV in the handshake retry .TP -.BR libimcv.plugins.imv-test.remediation_uri -URI pointing to test remediation instructions -.TP .BR libimcv.plugins.imv-test.rounds " [0]" Number of IMC-IMV retry rounds -.SS libtls section -.TP -.BR libtls.cipher -List of TLS encryption ciphers -.TP -.BR libtls.key_exchange -List of TLS key exchange methods -.TP -.BR libtls.mac -List of TLS MAC algorithms -.TP -.BR libtls.suites -List of TLS cipher suites .SS manager section .TP .BR manager.database 
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server .BR charon.plugins.load-tester.shutdown_when_complete " [no]" Shutdown the daemon after all IKE_SAs have been established .TP +.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" +Socket provided by the load-tester plugin +.TP .BR charon.plugins.load-tester.version " [0]" IKE version to use (0 means use IKEv2 as initiator and accept any version as responder) +.PP .SS Configuration details For public key authentication, the responder uses the .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq @@ -1608,7 +1655,8 @@ giving up 76s 165s /etc/strongswan.conf .SH SEE ALSO -ipsec.conf(5), ipsec.secrets(5), ipsec(8) +\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) + .SH HISTORY Written for the .UR http://www.strongswan.org diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 44fe330e8..847d9d520 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2013-04-01" "@IPSEC_VERSION@" "strongSwan" +.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION @@ -133,8 +133,14 @@ Path to database with file measurement information .TP .BR attest.load Plugins to load in ipsec attest tool + .SS charon section .TP +.BR Note : +Many of these options also apply to \fBcharon\-cmd\fR and other +\fBcharon\fR derivatives. Just use their respective name (e.g. +\fIcharon\-cmd\fR) instead of \fIcharon\fR. +.TP .BR charon.block_threshold " [5]" Maximum number of half-open IKE_SAs for a single peer IP .TP 
@@ -168,6 +174,9 @@ used certificates. Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 fragmentation extension. .TP +.BR charon.group +Name of the group the daemon changes to after startup +.TP .BR charon.half_open_timeout " [30]" Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). .TP @@ -311,6 +320,9 @@ Section to define syslog loggers, see LOGGER CONFIGURATION .TP .BR charon.threads " [16]" Number of worker threads in charon +.TP +.BR charon.user +Name of the user the daemon changes to after startup .SS charon.plugins subsection .TP .BR charon.plugins.android_log.loglevel " [1]" @@ -323,6 +335,18 @@ configuration payload (CP) .BR charon.plugins.certexpire.csv.cron Cron style string specifying CSV export times .TP +.BR charon.plugins.certexpire.csv.empty_string +String to use in empty intermediate CA fields +.TP +.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" +Use a fixed intermediate CA field count +.TP +.BR charon.plugins.certexpire.csv.force " [yes]" +Force export of all trustchains we have a private key for +.TP +.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" +strftime(3) format string to export expiration dates as +.TP .BR charon.plugins.certexpire.csv.local strftime(3) format string for the CSV file name to export local certificates to .TP @@ -332,15 +356,6 @@ strftime(3) format string for the CSV file name to export remote certificates to .BR charon.plugins.certexpire.csv.separator " [,]" CSV field separator .TP -.BR charon.plugins.certexpire.csv.empty_string -String to use in empty intermediate CA fields -.TP -.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" -strftime(3) format string to export expiration dates as -.TP -.BR charon.plugins.certexpire.csv.fixed_fields " [yes]" -Use a fixed intermediate CA field count -.TP .BR charon.plugins.coupling.file File to store coupling list to .TP 
@@ -367,6 +382,9 @@ DHCP server unicast or broadcast IP address .BR charon.plugins.duplicheck.enable " [yes]" Enable duplicheck plugin (if loaded) .TP +.BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" +Socket provided by the duplicheck plugin +.TP .BR charon.plugins.eap-aka.request_identity " [yes]" .TP @@ -410,6 +428,9 @@ Request peer authentication based on a client certificate .BR charon.plugins.eap-radius.accounting " [no]" Send RADIUS accounting information to RADIUS servers. .TP +.BR charon.plugins.eap-radius.accounting_requires_vip " [no]" +If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP +.TP .BR charon.plugins.eap-radius.class_group " [no]" Use the .I class @@ -546,6 +567,9 @@ Start phase2 EAP TNC protocol after successful client authentication .BR charon.plugins.eap-ttls.request_peer_auth " [no]" Request peer authentication based on a client certificate .TP +.BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" +Socket provided by the error-notify plugin +.TP .BR charon.plugins.ha.autobalance " [0]" Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. @@ -581,7 +605,7 @@ Set to 0 to disable. .TP .BR charon.plugins.ipseckey.enable " [no]" -Enable the fetching of IPSECKEY RRs from the DNS +Enable the fetching of IPSECKEY RRs via DNS .TP .BR charon.plugins.led.activity_led 
@@ -595,9 +619,18 @@ Number of ipsecN devices .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" Set MTU of ipsecN device .TP +.BR charon.plugins.kernel-netlink.roam_events " [yes]" +Whether to trigger roam events when interfaces, addresses or routes change +.TP +.BR charon.plugins.kernel-pfroute.vip_wait " [1000]" +Time in ms to wait until virtual IP addresses appear/disappear before failing. +.TP .BR charon.plugins.load-tester Section to configure the load-tester plugin, see LOAD TESTS .TP +.BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" +Socket provided by the lookip plugin +.TP .BR charon.plugins.radattr.dir Directory where RADIUS attributes are stored in client-ID specific files. .TP @@ -617,6 +650,12 @@ have a high priority according to the order defined in interface-order(5). .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. .TP +.BR charon.plugins.socket-default.use_ipv4 " [yes]" +Listen on IPv4, if possible. +.TP +.BR charon.plugins.socket-default.use_ipv6 " [yes]" +Listen on IPv6, if possible. +.TP .BR charon.plugins.sql.database Database URI for charons SQL plugin .TP @@ -630,6 +669,9 @@ certificates even if they don't contain a CA basic constraint. .BR charon.plugins.stroke.max_concurrent " [4]" Maximum number of stroke messages handled concurrently .TP +.BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" +Socket provided by the stroke plugin +.TP .BR charon.plugins.stroke.timeout " [0]" Timeout in ms for any stroke command. Use 0 to disable the timeout .TP @@ -707,6 +749,9 @@ plugins, like resolve) .BR charon.plugins.whitelist.enable " [yes]" Enable loaded whitelist plugin .TP +.BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]" +Socket provided by the whitelist plugin +.TP .BR charon.plugins.xauth-eap.backend " [radius]" EAP plugin to be used as backend for XAuth credential verification .TP 
@@ -760,6 +805,9 @@ Includes source file names and line numbers in leak detective output
 .BR libstrongswan.leak_detective.usage_threshold " [10240]"
 Threshold in bytes for leaks to be reported (0 to report all)
 .TP
+.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR libstrongswan.processor.priority_threads
 Subsection to configure the number of reserved threads per priority class
 see JOB PRIORITY MANAGEMENT
@@ -820,6 +868,19 @@ File to read DNS resolver configuration from
 .TP
 .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
 File to read DNSSEC trust anchors from (usually root zone KSK)
+.SS libtls section
+.TP
+.BR libtls.cipher
+List of TLS encryption ciphers
+.TP
+.BR libtls.key_exchange
+List of TLS key exchange methods
+.TP
+.BR libtls.mac
+List of TLS MAC algorithms
+.TP
+.BR libtls.suites
+List of TLS cipher suites
 .SS libtnccs section
 .TP
 .BR libtnccs.tnc_config " [/etc/tnc_config]"
@@ -829,17 +890,27 @@ TNC IMC/IMV configuration directory
 .BR libimcv.assessment_result " [yes]"
 Whether IMVs send a standard IETF Assessment Result attribute
 .TP
+.BR libimcv.database
+Global IMV policy database URI
+.TP
 .BR libimcv.debug_level " [1]"
 Debug level for a stand-alone libimcv library
 .TP
-.BR libimcv.stderr_quiet " [no]"
-Disable output to stderr with a stand-alone libimcv library
+.BR libimcv.load " [random nonce gmp pubkey x509]"
+Plugins to load in IMC/IMVs
 .TP
 .BR libimcv.os_info.name
 Manually set the name of the client OS (e.g. Ubuntu)
 .TP
 .BR libimcv.os_info.version
 Manually set the version of the client OS (e.g. 12.04 i686)
+.TP
+.BR libimcv.policy_script " [ipsec _imv_policy]"
+Script called for each TNC connection to generate IMV policies
+.TP
+.BR libimcv.stderr_quiet " [no]"
+isable output to stderr with a stand-alone libimcv library
+.PP
 .SS libimcv plugins section
 .TP
 .BR libimcv.plugins.imc-attestation.aik_blob
@@ -860,9 +931,6 @@ Use Quote2 AIK signature instead of Quote signature
 .BR libimcv.plugins.imv-attestation.cadir
 Path to directory with AIK cacerts
 .TP
-.BR libimcv.plugins.imv-attestation.database
-Path to database with file measurement information
-.TP
 .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
 Preferred Diffie-Hellman group
 .TP
@@ -878,27 +946,15 @@ URI pointing to attestation remediation instructions
 .BR libimcv.plugins.imc-os.push_info " [yes]"
 Send operating system info without being prompted
 .TP
-.BR libimcv.plugins.imv-os.database
-Database URI for the database that stores operating system information
-.TP
 .BR libimcv.plugins.imv-os.remediation_uri
 URI pointing to operating system remediation instructions
 .TP
 .BR libimcv.plugins.imc-scanner.push_info " [yes]"
 Send open listening ports without being prompted
 .TP
-.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
-By default all ports must be closed (yes) or can be open (no)
-.TP
 .BR libimcv.plugins.imv-scanner.remediation_uri
 URI pointing to scanner remediation instructions
 .TP
-.BR libimcv.plugins.imv-scanner.tcp_ports
-List of TCP ports that can be open or must be closed
-.TP
-.BR libimcv.plugins.imv-scanner.udp_ports
-List of UDP ports that can be open or must be closed
-.TP
 .BR libimcv.plugins.imc-test.additional_ids " [0]"
 Number of additional IMC IDs
 .TP
@@ -908,30 +964,17 @@ Command to be sent to the Test IMV
 .BR libimcv.plugins.imc-test.dummy_size " [0]"
 Size of dummy attribute to be sent to the Test IMV (0 = disabled)
 .TP
+.BR libimcv.plugins.imv-test.remediation_uri
+URI pointing to test remediation instructions
+.TP
 .BR libimcv.plugins.imc-test.retry " [no]"
 Do a handshake retry
 .TP
 .BR libimcv.plugins.imc-test.retry_command
 Command to be sent to the Test IMV in the handshake retry
 .TP
-.BR libimcv.plugins.imv-test.remediation_uri
-URI pointing to test remediation instructions
-.TP
 .BR libimcv.plugins.imv-test.rounds " [0]"
 Number of IMC-IMV retry rounds
-.SS libtls section
-.TP
-.BR libtls.cipher
-List of TLS encryption ciphers
-.TP
-.BR libtls.key_exchange
-List of TLS key exchange methods
-.TP
-.BR libtls.mac
-List of TLS MAC algorithms
-.TP
-.BR libtls.suites
-List of TLS cipher suites
 .SS manager section
 .TP
 .BR manager.database
@@ -1450,9 +1493,13 @@ Request an INTERNAL_IPV4_ADDR from the server
 .BR charon.plugins.load-tester.shutdown_when_complete " [no]"
 Shutdown the daemon after all IKE_SAs have been established
 .TP
+.BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]"
+Socket provided by the load-tester plugin
+.TP
 .BR charon.plugins.load-tester.version " [0]"
 IKE version to use (0 means use IKEv2 as initiator and accept any version as responder)
+.PP
 .SS Configuration details
 For public key authentication, the responder uses the
 .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
@@ -1608,7 +1655,8 @@ giving up 76s 165s
 /etc/strongswan.conf
 .SH SEE ALSO
-ipsec.conf(5), ipsec.secrets(5), ipsec(8)
+\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+
 .SH HISTORY
 Written for the
 .UR http://www.strongswan.org |