path: root/src/swanctl/swanctl.conf.5.main
Diffstat (limited to 'src/swanctl/swanctl.conf.5.main')
-rw-r--r--  src/swanctl/swanctl.conf.5.main  72
1 files changed, 57 insertions, 15 deletions
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index d1aced493..6c73d4775 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -252,11 +252,9 @@ to enforce the uniqueness policy instead.
On initiators this setting specifies whether an INITIAL_CONTACT notify is sent
during IKE_AUTH if no existing connection is found with the remote peer
-(determined by the identities of the first authentication round). Only if set to
-.RI "" "keep" ""
-or
-.RI "" "replace" ""
-will the client send a notify.
+(determined by the identities of the first authentication round). Unless set to
+.RI "" "never" ""
+the client will send a notify.
.TP
.BR connections.<conn>.reauth_time " [0s]"
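Review bot: the new sentence reads "Unless set to never the client will send a notify" with no comma after the value; the file's convention for trailing punctuation after an italicised value is the third `.RI` argument (as in `.RI "" "ike:rsa/pss\-sha256" "."` later in this patch), so `.RI "" "never" ","` followed by "the client will send a notify." keeps both the rendering and the grammar right. Separately, the removed text named the values that trigger the notify (keep, replace) while the new text only names never; if the option accepts other values, this paragraph no longer tells the reader which of them send INITIAL_CONTACT, so either keep an explicit list or point at where the accepted values are documented.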
@@ -485,6 +483,20 @@ configured any signature scheme constraint (without
prefix) will also
apply to IKEv2 authentication, unless this is disabled in
.RB "" "strongswan.conf" "(5)."
+To use RSASSA\-PSS signatures use
+.RI "" "rsa/pss" ""
+instead of
+.RI "" "pubkey" ""
+or
+.RI "" "rsa" ""
+as in e.g.
+.RI "" "ike:rsa/pss\-sha256" "."
+If
+.RI "" "pubkey" ""
+or
+.RI "" "rsa" ""
+constraints are configured RSASSA\-PSS signatures will only be used if enabled in
+.RB "" "strongswan.conf" "(5)."
.TP
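Review bot: "as in e.g." is redundant (either "as in" or "e.g."), and the sentence "If pubkey or rsa constraints are configured RSASSA-PSS signatures will only be used if enabled in strongswan.conf(5)" needs a comma after "configured" and, more importantly, never says which strongswan.conf(5) option enables PSS; since the purpose of the paragraph is to tell the reader how to turn RSASSA-PSS on, naming that option (or at least its section) would save a search through the other man page. Suggested shape: "for example `.RI "" "ike:rsa/pss\-sha256" "."` If `pubkey` or `rsa` constraints are configured, RSASSA-PSS signatures will only be used if enabled via <option> in strongswan.conf(5)."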
@@ -726,7 +738,24 @@ section's
.RB "" "auth" ""
keyword for
details), such key types and hash algorithms are also applied as constraints
-against IKEv2 signature authentication schemes used by the remote side.
+against IKEv2 signature authentication schemes used by the remote side. To
+require RSASSA\-PSS signatures use
+.RI "" "rsa/pss" ""
+instead of
+.RI "" "pubkey" ""
+or
+.RI "" "rsa" ""
+as in
+e.g.
+.RI "" "rsa/pss\-sha256" "."
+If
+.RI "" "pubkey" ""
+or
+.RI "" "rsa" ""
+constraints are configured
+RSASSA\-PSS signatures will only be accepted if enabled in
+.RB "" "strongswan.conf" "(5)."
+
To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP
method, followed by the key type/size and hash algorithm as discussed above
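Review bot: this paragraph repeats the one added for the local-side auth keyword almost verbatim (only "used" becomes "accepted"), including the same "as in e.g." redundancy, here split across two lines ("as in" / "e.g."), and the same missing comma after "constraints are configured". A one-sentence cross-reference would be easier to keep in sync, e.g. "To require RSASSA-PSS signatures from the remote side, use rsa/pss instead of pubkey or rsa as described for the auth keyword above; with pubkey or rsa constraints, RSASSA-PSS signatures will only be accepted if enabled in strongswan.conf(5)." The added blank line before "To specify trust chain constraints" also differs from the neighbouring entries, which run text straight into the next macro; check whether the file otherwise uses a macro for paragraph breaks inside a `.TP` body rather than a bare blank line, and follow that.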
@@ -1053,9 +1082,11 @@ Optional interface name to restrict IPsec policies.
.TP
.BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]"
-Netfilter mark and mask for input traffic. On Linux Netfilter may require marks
-on each packet to match an SA having that option set. This allows Netfilter
-rules to select specific tunnels for incoming traffic. The special value
+Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks
+on each packet to match an SA/policy having that option set. This allows
+installing duplicate policies and enables Netfilter rules to select specific
+SAs/policies for incoming traffic. Note that inbound marks are only set on
+policies, by default, unless *mark_in_sa* is enabled. The special value
.RI "" "%unique" ""
sets a unique mark on each CHILD_SA instance, beyond that the value
.RI "" "%unique\-dir" ""
@@ -1068,15 +1099,26 @@ The default
mask if omitted is 0xffffffff.
.TP
+.BR connections.<conn>.children.<child>.mark_in_sa " [no]"
+Whether to set *mark_in* on the inbound SA. By default, the inbound mark is only
+set on the inbound policy. The tuple destination address, protocol and SPI is
+unique and the mark is not required to find the correct SA, allowing to mark
+traffic after decryption instead (where more specific selectors may be used) to
+match different policies. Marking packets before decryption is still possible,
+even if no mark is set on the SA.
+
+.TP
.BR connections.<conn>.children.<child>.mark_out " [0/0x00000000]"
-Netfilter mark and mask for output traffic. On Linux Netfilter may require marks
-on each packet to match a policy having that option set. This allows Netfilter
-rules to select specific tunnels for outgoing traffic. The special value
+Netfilter mark and mask for output traffic. On Linux, Netfilter may require
+marks on each packet to match a policy/SA having that option set. This allows
+installing duplicate policies and enables Netfilter rules to select specific
+policies/SAs for outgoing traffic. The special value
.RI "" "%unique" ""
-sets a unique mark on each CHILD_SA instance, beyond that the value
+sets a unique
+mark on each CHILD_SA instance, beyond that the value
.RI "" "%unique\-dir" ""
-assigns a different unique mark for each CHILD_SA direction
-(in/out).
+assigns a
+different unique mark for each CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by
.RI "" "/" "."