Diffstat (limited to 'man')
-rw-r--r--man/Makefile.in12
-rw-r--r--man/ipsec.conf.540
-rw-r--r--man/ipsec.conf.5.in34
-rw-r--r--man/ipsec.secrets.56
-rw-r--r--man/strongswan.conf.567
-rw-r--r--man/strongswan.conf.5.in61
6 files changed, 122 insertions, 98 deletions
diff --git a/man/Makefile.in b/man/Makefile.in
index 9eb5e3330..679e3464b 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -198,13 +198,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-<<<<<<< HEAD
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-=======
-ipsecgroup = @ipsecgroup@
->>>>>>> upstream/4.5.1
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -225,6 +219,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -243,14 +239,12 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
-<<<<<<< HEAD
-=======
soup_CFLAGS = @soup_CFLAGS@
soup_LIBS = @soup_LIBS@
->>>>>>> upstream/4.5.1
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5
index c422b50ec..b36a7ece7 100644
--- a/man/ipsec.conf.5
+++ b/man/ipsec.conf.5
@@ -1,8 +1,4 @@
-<<<<<<< HEAD
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan"
-=======
-.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan"
->>>>>>> upstream/4.5.1
+.TH IPSEC.CONF 5 "2010-10-19" "4.5.2" "strongSwan"
.SH NAME
ipsec.conf \- IPsec configuration and connections
.SH DESCRIPTION
@@ -413,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
for the connection, e.g.
.BR aes128-sha256 .
The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
.br
If
.B dh-group
is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
.TP
.BR forceencaps " = yes | " no
force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -548,10 +552,6 @@ for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
-<<<<<<< HEAD
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-=======
to (require the) use of the Extensible Authentication Protocol.
To require a trustchain public key strength for the remote side, specify the
key type followed by the strength in bits (for example
@@ -559,7 +559,6 @@ key type followed by the strength in bits (for example
or
.BR ecdsa-256 ).
For
->>>>>>> upstream/4.5.1
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
@@ -603,11 +602,7 @@ sets
to the distinguished name of the certificate's subject and
.B leftca
to the distinguished name of the certificate's issuer.
-<<<<<<< HEAD
-The left participant's ID can be overriden by specifying a
-=======
The left participant's ID can be overridden by specifying a
->>>>>>> upstream/4.5.1
.B leftid
value which must be certified by the certificate, though.
.TP
@@ -616,13 +611,10 @@ Same as
.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
-<<<<<<< HEAD
-=======
.BR leftcertpolicy " = <OIDs>"
Comma separated list of certificate policy OIDs the peers certificate must have.
OIDs are specified using the numerical dotted representation (IKEv2 only).
.TP
->>>>>>> upstream/4.5.1
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -978,8 +970,6 @@ synonym for
.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
-<<<<<<< HEAD
-=======
.BR tfc " = <value>"
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
is currently supported in IKEv2 and applies to outgoing packets only. The
@@ -987,7 +977,6 @@ special value
.BR %mtu
fills up ESP packets with padding to have the size of the MTU.
.TP
->>>>>>> upstream/4.5.1
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values
are
@@ -1054,8 +1043,11 @@ is not given, the
of this connection will be used as peer ID.
.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
.TP
.BR also " = <name>"
includes ca section
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 8b36d0f32..295100444 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -409,12 +409,20 @@ comma-separated list of ESP encryption/authentication algorithms to be used
for the connection, e.g.
.BR aes128-sha256 .
The notation is
-.BR encryption-integrity-[dh-group] .
+.BR encryption-integrity[-dhgroup][-esnmodes] .
.br
If
.B dh-group
is specified, CHILD_SA setup and rekeying include a separate diffe hellman
-exchange (IKEv2 only).
+exchange (IKEv2 only). Valid
+.B esnmodes
+(IKEv2 only) are
+.B esn
+and
+.B noesn.
+Specifying both negotiates Extended Sequence number support with the peer,
+the defaut is
+.B noesn.
.TP
.BR forceencaps " = yes | " no
force UDP encapsulation for ESP packets even if no NAT situation is detected.
@@ -544,10 +552,6 @@ for public key authentication (RSA/ECDSA),
.B psk
for pre-shared key authentication and
.B eap
-<<<<<<< HEAD
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-=======
to (require the) use of the Extensible Authentication Protocol.
To require a trustchain public key strength for the remote side, specify the
key type followed by the strength in bits (for example
@@ -555,7 +559,6 @@ key type followed by the strength in bits (for example
or
.BR ecdsa-256 ).
For
->>>>>>> upstream/4.5.1
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
@@ -599,11 +602,7 @@ sets
to the distinguished name of the certificate's subject and
.B leftca
to the distinguished name of the certificate's issuer.
-<<<<<<< HEAD
-The left participant's ID can be overriden by specifying a
-=======
The left participant's ID can be overridden by specifying a
->>>>>>> upstream/4.5.1
.B leftid
value which must be certified by the certificate, though.
.TP
@@ -612,13 +611,10 @@ Same as
.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
-<<<<<<< HEAD
-=======
.BR leftcertpolicy " = <OIDs>"
Comma separated list of certificate policy OIDs the peers certificate must have.
OIDs are specified using the numerical dotted representation (IKEv2 only).
.TP
->>>>>>> upstream/4.5.1
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
@@ -974,8 +970,6 @@ synonym for
.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
-<<<<<<< HEAD
-=======
.BR tfc " = <value>"
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
is currently supported in IKEv2 and applies to outgoing packets only. The
@@ -983,7 +977,6 @@ special value
.BR %mtu
fills up ESP packets with padding to have the size of the MTU.
.TP
->>>>>>> upstream/4.5.1
.BR type " = " tunnel " | transport | transport_proxy | passthrough | drop"
the type of the connection; currently the accepted values
are
@@ -1050,8 +1043,11 @@ is not given, the
of this connection will be used as peer ID.
.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+These are optional sections that can be used to assign special
+parameters to a Certification Authority (CA). Because the daemons
+automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
+there is no need to explicitly add them with a CA section, unless you
+want to assign special parameters (like a CRL) to a CA.
.TP
.BR also " = <name>"
includes ca section
diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5
index cdefee24d..993b2ad10 100644
--- a/man/ipsec.secrets.5
+++ b/man/ipsec.secrets.5
@@ -1,8 +1,4 @@
-<<<<<<< HEAD
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan"
-=======
-.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan"
->>>>>>> upstream/4.5.1
+.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.2" "strongSwan"
.SH NAME
ipsec.secrets \- secrets for IKE/IPsec authentication
.SH DESCRIPTION
diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5
index 04e29c245..e1e4dbe91 100644
--- a/man/strongswan.conf.5
+++ b/man/strongswan.conf.5
@@ -1,8 +1,4 @@
-<<<<<<< HEAD
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan"
-=======
-.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan"
->>>>>>> upstream/4.5.1
+.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.2" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
@@ -64,8 +60,6 @@ An example file in this format might look like this:
.PP
Indentation is optional, you may use tabs or spaces.
-<<<<<<< HEAD
-=======
.SH INCLUDING FILES
Using the
.B include
@@ -121,7 +115,6 @@ other.conf:
}
.EE
->>>>>>> upstream/4.5.1
.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
@@ -211,6 +204,9 @@ Delay request messages
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
@@ -264,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
.TP
@@ -272,6 +271,29 @@ DHCP server unicast or broadcast IP address
.TP
.BR charon.plugins.eap-gtc.pam_service " [login]"
PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
@@ -291,7 +313,7 @@ If the RADIUS
attribute with value
.B ESP
is received, use the
-.I filter_id
+.I filter_id
attribute sent in the RADIUS-Accept message as group membership information that
is compared to the groups specified in the
.B rightgroups
@@ -346,18 +368,27 @@ Maximum size of an EAP-TLS packet
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets
.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
.BR charon.plugins.eap-tnc.fragment_size " [50000]"
Maximum size of an EAP-TNC packet
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets
.TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets
.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
@@ -389,7 +420,7 @@ Request peer authentication based on a client certificate
.TP
.BR charon.plugins.ha.remote
-
+
.TP
.BR charon.plugins.ha.resync " [yes]"
@@ -432,6 +463,9 @@ TNC IMC configuration directory
.TP
.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
.SS libstrongswan section
.TP
.BR libstrongswan.crypto_test.bench " [no]"
@@ -467,12 +501,9 @@ Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
-<<<<<<< HEAD
-=======
.TP
.BR libstrongswan.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
->>>>>>> upstream/4.5.1
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
@@ -488,18 +519,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
-<<<<<<< HEAD
-
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
-=======
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
->>>>>>> upstream/4.5.1
.SS libtls section
.TP
.BR libtls.cipher
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 7d3cf8388..2d7475225 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -60,8 +60,6 @@ An example file in this format might look like this:
.PP
Indentation is optional, you may use tabs or spaces.
-<<<<<<< HEAD
-=======
.SH INCLUDING FILES
Using the
.B include
@@ -117,7 +115,6 @@ other.conf:
}
.EE
->>>>>>> upstream/4.5.1
.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
@@ -207,6 +204,9 @@ Delay request messages
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
+.BR charon.replay_window " [32]"
+Size of the AH/ESP replay window, in packets.
+.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
@@ -260,6 +260,9 @@ Derive user-defined MAC address from hash of IKEv2 identity
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
+.BR charon.plugins.duplicheck.enable " [yes]"
+enable loaded duplicheck plugin
+.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"
.TP
@@ -268,6 +271,29 @@ DHCP server unicast or broadcast IP address
.TP
.BR charon.plugins.eap-gtc.pam_service " [login]"
PAM service to be used for authentication
+
+.TP
+.BR charon.plugins.eap-peap.fragment_size " [1024]"
+Maximum size of an EAP-PEAP packet
+.TP
+.BR charon.plugins.eap-peap.max_message_count " [32]"
+Maximum number of processed EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
+.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
+Phase2 EAP client authentication method
+.TP
+.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
+Phase2 EAP Identity request piggybacked by server onto TLS Finished message
+.TP
+.BR charon.plugins.eap-peap.phase2_tnc " [no]"
+Start phase2 EAP TNC protocol after successful client authentication
+.TP
+.BR charon.plugins.eap-peap.request_peer_auth " [no]"
+Request peer authentication based on a client certificate
+
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
@@ -287,7 +313,7 @@ If the RADIUS
attribute with value
.B ESP
is received, use the
-.I filter_id
+.I filter_id
attribute sent in the RADIUS-Accept message as group membership information that
is compared to the groups specified in the
.B rightgroups
@@ -342,18 +368,27 @@ Maximum size of an EAP-TLS packet
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets
.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
.BR charon.plugins.eap-tnc.fragment_size " [50000]"
Maximum size of an EAP-TNC packet
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets
.TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets
.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
@@ -385,7 +420,7 @@ Request peer authentication based on a client certificate
.TP
.BR charon.plugins.ha.remote
-
+
.TP
.BR charon.plugins.ha.resync " [yes]"
@@ -428,6 +463,9 @@ TNC IMC configuration directory
.TP
.BR charon.plugins.tnc-imv.tnc_config " [/etc/tnc_config]"
TNC IMV configuration directory
+.TP
+.BR charon.plugins.whitelist.enable " [yes]"
+enable loaded whitelist plugin
.SS libstrongswan section
.TP
.BR libstrongswan.crypto_test.bench " [no]"
@@ -463,12 +501,9 @@ Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
-<<<<<<< HEAD
-=======
.TP
.BR libstrongswan.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
->>>>>>> upstream/4.5.1
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
@@ -484,18 +519,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
-<<<<<<< HEAD
-
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
-=======
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
->>>>>>> upstream/4.5.1
.SS libtls section
.TP
.BR libtls.cipher