From 15fb7904f4431a6e7c305fd08732458f7f885e7e Mon Sep 17 00:00:00 2001 
From: Yves-Alexis Perez Date: Tue, 11 Mar 2014 20:48:48 +0100 Subject: Imported Upstream version 5.1.2 --- conf/options/attest.conf | 11 ++ conf/options/attest.opt | 6 + conf/options/charon-logging.conf | 62 +++++++++ conf/options/charon-logging.opt | 57 ++++++++ conf/options/charon.conf | 281 ++++++++++++++++++++++++++++++++++++++ conf/options/charon.opt | 284 +++++++++++++++++++++++++++++++++++++++ conf/options/imcv.conf | 43 ++++++ conf/options/imcv.opt | 28 ++++ conf/options/manager.conf | 23 ++++ conf/options/manager.opt | 18 +++ conf/options/medsrv.conf | 32 +++++ conf/options/medsrv.opt | 27 ++++ conf/options/pacman.conf | 12 ++ conf/options/pacman.opt | 7 + conf/options/pool.conf | 12 ++ conf/options/pool.opt | 7 + conf/options/starter.conf | 10 ++ conf/options/starter.opt | 5 + conf/options/tnc.conf | 11 ++ conf/options/tnc.opt | 2 + conf/options/tools.conf | 21 +++ conf/options/tools.opt | 8 ++ 22 files changed, 967 insertions(+) create mode 100644 conf/options/attest.conf create mode 100644 conf/options/attest.opt create mode 100644 conf/options/charon-logging.conf create mode 100644 conf/options/charon-logging.opt create mode 100644 conf/options/charon.conf create mode 100644 conf/options/charon.opt create mode 100644 conf/options/imcv.conf create mode 100644 conf/options/imcv.opt create mode 100644 conf/options/manager.conf create mode 100644 conf/options/manager.opt create mode 100644 conf/options/medsrv.conf create mode 100644 conf/options/medsrv.opt create mode 100644 conf/options/pacman.conf create mode 100644 conf/options/pacman.opt create mode 100644 conf/options/pool.conf create mode 100644 conf/options/pool.opt create mode 100644 conf/options/starter.conf create mode 100644 conf/options/starter.opt create mode 100644 conf/options/tnc.conf create mode 100644 conf/options/tnc.opt create mode 100644 conf/options/tools.conf create mode 100644 conf/options/tools.opt (limited to 'conf/options') 
diff --git a/conf/options/attest.conf b/conf/options/attest.conf
new file mode 100644
index 000000000..1f7f57cb4
--- /dev/null
+++ b/conf/options/attest.conf
@@ -0,0 +1,11 @@
+attest {
+
+ # File measurement information database URI. If it contains a password, make
+ # sure to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec attest tool.
+ # load =
+
+}
+
diff --git a/conf/options/attest.opt b/conf/options/attest.opt
new file mode 100644
index 000000000..20b14f42d
--- /dev/null
+++ b/conf/options/attest.opt
@@ -0,0 +1,6 @@
+attest.database =
+ File measurement information database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+attest.load =
+ Plugins to load in ipsec attest tool.
diff --git a/conf/options/charon-logging.conf b/conf/options/charon-logging.conf
new file mode 100644
index 000000000..c91421dea
--- /dev/null
+++ b/conf/options/charon-logging.conf
@@ -0,0 +1,62 @@ +charon { + + # Section to define file loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + filelog { + + # is the full path to the log file. + # { + + # Loglevel for a specific subsystem. + # = + + # If this option is enabled log entries are appended to the existing + # file. + # append = yes + + # Default loglevel. + # default = 1 + + # Enabling this option disables block buffering and enables line + # buffering. + # flush_line = no + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # Prefix each log entry with a timestamp. The option accepts a + # format string as passed to strftime(3). + # time_format = + + # } + + } + + # Section to define syslog loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + syslog { + + # Identifier for use with openlog(3). + # identifier = + + # is one of the supported syslog facilities, see LOGGER + # CONFIGURATION in strongswan.conf(5). + # { + + # Loglevel for a specific subsystem. + # = + + # Default loglevel. + # default = 1 + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # } + + } + +} + diff --git a/conf/options/charon-logging.opt b/conf/options/charon-logging.opt new file mode 100644 index 000000000..b437a9cc3 --- /dev/null +++ b/conf/options/charon-logging.opt 
@@ -0,0 +1,57 @@ +charon.filelog {} + Section to define file loggers, see LOGGER CONFIGURATION in + **strongswan.conf**(5). + +charon.filelog. { # } + is the full path to the log file. + +charon.filelog..default = 1 + Default loglevel. + + Specifies the default loglevel to be used for subsystems for which no + specific loglevel is defined. + +charon.filelog.. = + Loglevel for a specific subsystem. + +charon.filelog..append = yes + If this option is enabled log entries are appended to the existing file. + +charon.filelog..flush_line = no + Enabling this option disables block buffering and enables line buffering. + +charon.filelog..ike_name = no + Prefix each log entry with the connection name and a unique numerical + identifier for each IKE_SA. + +charon.filelog..time_format + Prefix each log entry with a timestamp. The option accepts a format string + as passed to **strftime**(3). + +charon.syslog {} + Section to define syslog loggers, see LOGGER CONFIGURATION in + **strongswan.conf**(5). + +charon.syslog.identifier + Identifier for use with openlog(3). + + Global identifier used for an **openlog**(3) call, prepended to each log + message by syslog. If not configured, **openlog**(3) is not called, so the + value will depend on system defaults (often the program name). + +charon.syslog. { # } + is one of the supported syslog facilities, see LOGGER + CONFIGURATION in **strongswan.conf**(5). + +charon.syslog..default = 1 + Default loglevel. + + Specifies the default loglevel to be used for subsystems for which no + specific loglevel is defined. + +charon.syslog.. = + Loglevel for a specific subsystem. + +charon.syslog..ike_name = no + Prefix each log entry with the connection name and a unique numerical + identifier for each IKE_SA. diff --git a/conf/options/charon.conf b/conf/options/charon.conf new file mode 100644 index 000000000..5cab2b1c4 --- /dev/null +++ b/conf/options/charon.conf 
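Review bot: The `charon.filelog..default = 1` and `charon.syslog..default = 1` entries document the level only as "Default loglevel." and leave the range and its consequences unstated, which matters because the higher levels are where secrets end up in logs. strongswan.conf(5) describes levels from -1 (silent) to 4, with 3 adding raw data dumps and 4 adding sensitive material such as keys; I would extend both entries with `Valid levels are -1 (silent) to 4; levels 3 and 4 dump raw packets and, at 4, keys and other sensitive material, so use them only for debugging and never in a file readable by other users.` The `charon.filelog. { # }` entry could likewise state that no permission option exists here, so restricting access to the log file and its directory is the operator's job — I infer that from the option list in this hunk, so please confirm against the logger code.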
@@ -0,0 +1,281 @@ +# Options for the charon IKE daemon. +charon { + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Maximum size (in bytes) of a sent fragment when using the proprietary + # IKEv1 fragmentation extension. + # fragment_size = 512 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. 
+ # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + # install_routes = yes + + # Install virtual IP addresses. + # install_virtual_ip = yes + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. 
Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS + # resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs. + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Number of iterations to test each algorithm. 
+ # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/conf/options/charon.opt b/conf/options/charon.opt new file mode 100644 index 000000000..c6f4f1e9e --- /dev/null +++ b/conf/options/charon.opt 
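Review bot: The `user` and `group` entries say only what the daemon changes to after startup and are silent about what happens when they stay unset, which for a privilege-drop knob is the security-relevant half. Presumably charon then keeps the privileges it was started with (normally root, since it installs kernel policies); I would state that explicitly, e.g. `# If unset, charon keeps the privileges it was started with; set user and group together to run the daemon under a dedicated unprivileged account after startup.` Similarly, `integrity_test = no` reads as a free hardening switch, but presumably the check only has effect when the build carries integrity checksums, so a comment such as `# Only effective if strongSwan was built with integrity-test support.` would save operators from enabling a no-op. Both points are inferences from the option names; please confirm against the daemon code before wording them as fact.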
@@ -0,0 +1,284 @@ +charon {} + Options for the charon IKE daemon. + + Options for the charon IKE daemon. + + **Note**: Many of the options in this section also apply to **charon-cmd** + and other **charon** derivatives. Just use their respective name (e.g. + **charon-cmd** instead of **charon**). For many options defaults can be + defined in the **libstrongswan** section. + +charon.block_threshold = 5 + Maximum number of half-open IKE_SAs for a single peer IP. + +charon.cert_cache = yes + Whether relations in validated certificate chains should be cached in + memory. + +charon.cisco_unity = no + Send Cisco Unity vendor ID payload (IKEv1 only). + +charon.close_ike_on_child_failure = no + Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + +charon.cookie_threshold = 10 + Number of half-open IKE_SAs that activate the cookie mechanism. + +charon.crypto_test.bench = no + Benchmark crypto algorithms and order them by efficiency. + +charon.crypto_test.bench_size = 1024 + Buffer size used for crypto benchmark. + +charon.crypto_test.bench_time = 50 + Number of iterations to test each algorithm. + +charon.crypto_test.on_add = no + Test crypto algorithms during registration (requires test vectors provided + by the _test-vectors_ plugin). + +charon.crypto_test.on_create = no + Test crypto algorithms on each crypto primitive instantiation. + +charon.crypto_test.required = no + Strictly require at least one test vector to enable an algorithm. + +charon.crypto_test.rng_true = no + Whether to test RNG with TRUE quality; requires a lot of entropy. + +charon.dh_exponent_ansi_x9_42 = yes + Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + strength. + +charon.dns1 + DNS server assigned to peer via configuration payload (CP). + +charon.dns2 + DNS server assigned to peer via configuration payload (CP). + +charon.dos_protection = yes + Enable Denial of Service protection using cookies and aggressiveness checks. 
+ +charon.ecp_x_coordinate_only = yes + Compliance with the errata for RFC 4753. + +charon.flush_auth_cfg = no + Free objects during authentication (might conflict with plugins). + + If enabled objects used during authentication (certificates, identities + etc.) are released to free memory once an IKE_SA is established. Enabling + this might conflict with plugins that later need access to e.g. the used + certificates. + +charon.fragment_size = 512 + Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 + fragmentation extension. + +charon.group + Name of the group the daemon changes to after startup. + +charon.half_open_timeout = 30 + Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + +charon.hash_and_url = no + Enable hash and URL support. + +charon.host_resolver.max_threads = 3 + Maximum number of concurrent resolver threads (they are terminated if + unused). + +charon.host_resolver.min_threads = 0 + Minimum number of resolver threads to keep around. + +charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no + Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + + If enabled responders are allowed to use IKEv1 Aggressive Mode with + pre-shared keys, which is discouraged due to security concerns (offline + attacks on the openly transmitted hash of the PSK). + +charon.ignore_routing_tables + A space-separated list of routing tables to be excluded from route lookups. + +charon.ikesa_limit = 0 + Maximum number of IKE_SAs that can be established at the same time before + new connection attempts are blocked. + +charon.ikesa_table_segments = 1 + Number of exclusively locked segments in the hash table. + +charon.ikesa_table_size = 1 + Size of the IKE_SA hash table. + +charon.inactivity_close_ike = no + Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. 
+ +charon.init_limit_half_open = 0 + Limit new connections based on the current number of half open IKE_SAs, see + IKE_SA_INIT DROPPING in **strongswan.conf**(5). + +charon.init_limit_job_load = 0 + Limit new connections based on the number of queued jobs. + + Limit new connections based on the number of jobs currently queued for + processing (see IKE_SA_INIT DROPPING). + +charon.initiator_only = no + Causes charon daemon to ignore IKE initiation requests. + +charon.install_routes = yes + Install routes into a separate routing table for established IPsec tunnels. + +charon.install_virtual_ip = yes + Install virtual IP addresses. + +charon.install_virtual_ip_on + The name of the interface on which virtual IP addresses should be installed. + + The name of the interface on which virtual IP addresses should be installed. + If not specified the addresses will be installed on the outbound interface. + +charon.integrity_test = no + Check daemon, libstrongswan and plugin integrity at startup. + +charon.interfaces_ignore + A comma-separated list of network interfaces that should be ignored, if + **interfaces_use** is specified this option has no effect. + +charon.interfaces_use + A comma-separated list of network interfaces that should be used by charon. + All other interfaces are ignored. + +charon.keep_alive = 20s + NAT keep alive interval. + +charon.leak_detective.detailed = yes + Includes source file names and line numbers in leak detective output. + +charon.leak_detective.usage_threshold = 10240 + Threshold in bytes for leaks to be reported (0 to report all). + +charon.leak_detective.usage_threshold_count = 0 + Threshold in number of allocations for leaks to be reported (0 to report + all). + +charon.load + Plugins to load in the IKE daemon charon. + +charon.load_modular = no + Determine plugins to load via each plugin's load option. + + If enabled, the list of plugins to load is determined via the value of the + _charon.plugins..load_ options. 
In addition to a simple boolean flag + that option may take an integer value indicating the priority of a plugin, + which would influence the order of a plugin in the plugin list (the default + is 1). If two plugins have the same priority their order in the default + plugin list is preserved. Enabled plugins not found in that list are ordered + alphabetically before other plugins with the same priority. + +charon.max_packet = 10000 + Maximum packet size accepted by charon. + +charon.multiple_authentication = yes + Enable multiple authentication exchanges (RFC 4739). + +charon.nbns1 + WINS servers assigned to peer via configuration payload (CP). + +charon.nbns2 + WINS servers assigned to peer via configuration payload (CP). + +charon.port = 500 + UDP port used locally. If set to 0 a random port will be allocated. + +charon.port_nat_t = 4500 + UDP port used locally in case of NAT-T. If set to 0 a random port will be + allocated. Has to be different from **charon.port**, otherwise a random + port will be allocated. + +charon.process_route = yes + Process RTM_NEWROUTE and RTM_DELROUTE events. + +charon.processor.priority_threads {} + Section to configure the number of reserved threads per priority class + see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5). + +charon.receive_delay = 0 + Delay in ms for receiving packets, to simulate larger RTT. + +charon.receive_delay_response = yes + Delay response messages. + +charon.receive_delay_request = yes + Delay request messages. + +charon.receive_delay_type = 0 + Specific IKEv2 message type to delay, 0 for any. + +charon.replay_window = 32 + Size of the AH/ESP replay window, in packets. + +charon.retransmit_base = 1.8 + Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + in **strongswan.conf**(5). + +charon.retransmit_timeout = 4.0 + Timeout in seconds before sending first retransmit. + +charon.retransmit_tries = 5 + Number of times to retransmit a packet before giving up. 
+ +charon.retry_initiate_interval = 0 + Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution + failed), 0 to disable retries. + +charon.reuse_ikesa = yes + Initiate CHILD_SA within existing IKE_SAs. + +charon.routing_table + Numerical routing table to install routes to. + +charon.routing_table_prio + Priority of the routing table. + +charon.send_delay = 0 + Delay in ms for sending packets, to simulate larger RTT. + +charon.send_delay_response = yes + Delay response messages. + +charon.send_delay_request = yes + Delay request messages. + +charon.send_delay_type = 0 + Specific IKEv2 message type to delay, 0 for any. + +charon.send_vendor_id = no + Send strongSwan vendor ID payload + +charon.threads = 16 + Number of worker threads in charon. + + Number of worker threads in charon. Several of these are reserved for long + running tasks in internal modules and plugins. Therefore, make sure you + don't set this value too low. The number of idle worker threads listed in + _ipsec statusall_ might be used as indicator on the number of reserved + threads. + +charon.tls.cipher + List of TLS encryption ciphers. + +charon.tls.key_exchange + List of TLS key exchange methods. + +charon.tls.mac + List of TLS MAC algorithms. + +charon.tls.suites + List of TLS cipher suites. + +charon.user + Name of the user the daemon changes to after startup. + +charon.x509.enforce_critical = yes + Discard certificates with unsupported or unknown critical extensions. diff --git a/conf/options/imcv.conf b/conf/options/imcv.conf new file mode 100644 index 000000000..92016ef52 --- /dev/null +++ b/conf/options/imcv.conf 
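Review bot: `charon.hash_and_url = no` is documented as "Enable hash and URL support." with no hint that enabling it makes the daemon fetch certificates from URLs chosen by the remote peer, which is the property an operator needs to know before switching it on. The IKEv2 hash-and-URL mechanism (RFC 5996 section 3.6) has the receiver retrieve the certificate over HTTP and check it against the transmitted hash; if that is what charon does here, I would extend the long description with `When enabled, charon announces HTTP_CERT_LOOKUP_SUPPORTED and retrieves certificates referenced by hash-and-URL payloads from peer-supplied URLs, so it needs a fetcher plugin and outbound HTTP from the daemon; keep it disabled unless that is intended.` The entry for `i_dont_care_about_security_and_use_aggressive_mode_psk` in this hunk already shows the right level of detail for a risky option, and hash_and_url deserves the same.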
@@ -0,0 +1,43 @@
+charon {
+
+ # Defaults for options in this section can be configured in the libimcv
+ # section.
+ imcv {
+
+ # Whether IMVs send a standard IETF Assessment Result attribute.
+ # assessment_result = yes
+
+ # Global IMV policy database URI. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Script called for each TNC connection to generate IMV policies.
+ # policy_script = ipsec _imv_policy
+
+ os_info {
+
+ # Manually set the name of the client OS (e.g. Ubuntu).
+ # name =
+
+ # Manually set the version of the client OS (e.g. 12.04 i686).
+ # version =
+
+ }
+
+ }
+
+}
+
+libimcv {
+
+ # Debug level for a stand-alone libimcv library.
+ # debug_level = 1
+
+ # Plugins to load in IMC/IMVs with stand-alone libimcv library.
+ # load = random nonce gmp pubkey x509
+
+ # Disable output to stderr with a stand-alone libimcv library.
+ # stderr_quiet = no
+
+}
+
diff --git a/conf/options/imcv.opt b/conf/options/imcv.opt
new file mode 100644
index 000000000..a249a7b14
--- /dev/null
+++ b/conf/options/imcv.opt
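Review bot: `policy_script = ipsec _imv_policy` is a command the daemon runs for every TNC connection, yet the comment says nothing about how the command is resolved or with which privileges it executes. A relative command name is presumably looked up through the daemon's environment, so the comment should tell operators to prefer an absolute path and to keep the script and its directory writable only by root, e.g. `# Executed with the privileges of the daemon for every TNC connection; use an absolute path to a root-owned script.` I am inferring the execution model from the option name and default; please check the IMV code that invokes it before wording this as fact.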
@@ -0,0 +1,28 @@
+charon.imcv {}
+ Defaults for options in this section can be configured in the _libimcv_
+ section.
+
+charon.imcv.assessment_result = yes
+ Whether IMVs send a standard IETF Assessment Result attribute.
+
+charon.imcv.database =
+ Global IMV policy database URI. If it contains a password, make sure to
+ adjust the permissions of the config file accordingly.
+
+charon.imcv.os_info.name =
+ Manually set the name of the client OS (e.g. Ubuntu).
+
+charon.imcv.os_info.version =
+ Manually set the version of the client OS (e.g. 12.04 i686).
+
+charon.imcv.policy_script = ipsec _imv_policy
+ Script called for each TNC connection to generate IMV policies.
+
+libimcv.debug_level = 1
+ Debug level for a stand-alone _libimcv_ library.
+
+libimcv.load = random nonce gmp pubkey x509
+ Plugins to load in IMC/IMVs with stand-alone _libimcv_ library.
+
+libimcv.stderr_quiet = no
+ Disable output to stderr with a stand-alone _libimcv_ library.
diff --git a/conf/options/manager.conf b/conf/options/manager.conf
new file mode 100644
index 000000000..bb0934688
--- /dev/null
+++ b/conf/options/manager.conf
@@ -0,0 +1,23 @@
+manager {
+
+ # Credential database URI for manager. If it contains a password, make sure
+ # to adjust the permissions of the config file accordingly.
+ # database =
+
+ # Enable debugging in manager.
+ # debug = no
+
+ # Plugins to load in manager.
+ # load =
+
+ # FastCGI socket of manager, to run it statically.
+ # socket =
+
+ # Threads to use for request handling.
+ # threads = 10
+
+ # Session timeout for manager.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/manager.opt b/conf/options/manager.opt
new file mode 100644
index 000000000..dbac73110
--- /dev/null
+++ b/conf/options/manager.opt
@@ -0,0 +1,18 @@
+manager.database =
+ Credential database URI for manager. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+manager.debug = no
+ Enable debugging in manager.
+
+manager.load =
+ Plugins to load in manager.
+
+manager.socket =
+ FastCGI socket of manager, to run it statically.
+
+manager.threads = 10
+ Threads to use for request handling.
+
+manager.timeout = 15m
+ Session timeout for manager.
diff --git a/conf/options/medsrv.conf b/conf/options/medsrv.conf
new file mode 100644
index 000000000..b3026ea3f
--- /dev/null
+++ b/conf/options/medsrv.conf
@@ -0,0 +1,32 @@
+medsrv {
+
+ # Mediation server database URI. If it contains a password, make sure to
+ # adjust the permissions of the config file accordingly.
+ # database =
+
+ # Debugging in mediation server web application.
+ # debug = no
+
+ # DPD timeout to use in mediation server plugin.
+ # dpd = 5m
+
+ # Plugins to load in mediation server plugin.
+ # load =
+
+ # Minimum password length required for mediation server user accounts.
+ # password_length = 6
+
+ # Rekeying time on mediation connections in mediation server plugin.
+ # rekey = 20m
+
+ # Run Mediation server web application statically on socket.
+ # socket =
+
+ # Number of thread for mediation service web application.
+ # threads = 5
+
+ # Session timeout for mediation service.
+ # timeout = 15m
+
+}
+
diff --git a/conf/options/medsrv.opt b/conf/options/medsrv.opt
new file mode 100644
index 000000000..f673b7e03
--- /dev/null
+++ b/conf/options/medsrv.opt
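Review bot: `password_length = 6` sets a six-character minimum for mediation-server user accounts, which is a weak default for a web application that is reachable by the peers it mediates, and the comment presents the number without any guidance. If the default is kept for compatibility the comment should at least steer operators away from it, e.g. `# Minimum password length required for mediation server user accounts; 6 is a compatibility default, deployments should require 12 or more.` Raising the default itself would change behavior for existing installs, so I leave that decision to the maintainers. Separately, `# Number of thread for mediation service web application.` should read `threads`.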
@@ -0,0 +1,27 @@
+medsrv.database =
+ Mediation server database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+
+medsrv.debug = no
+ Debugging in mediation server web application.
+
+medsrv.dpd = 5m
+ DPD timeout to use in mediation server plugin.
+
+medsrv.load =
+ Plugins to load in mediation server plugin.
+
+medsrv.password_length = 6
+ Minimum password length required for mediation server user accounts.
+
+medsrv.rekey = 20m
+ Rekeying time on mediation connections in mediation server plugin.
+
+medsrv.socket =
+ Run Mediation server web application statically on socket.
+
+medsrv.threads = 5
+ Number of thread for mediation service web application.
+
+medsrv.timeout = 15m
+ Session timeout for mediation service.
diff --git a/conf/options/pacman.conf b/conf/options/pacman.conf
new file mode 100644
index 000000000..730e5435c
--- /dev/null
+++ b/conf/options/pacman.conf
@@ -0,0 +1,12 @@
+pacman {
+
+ # Database URI for the database that stores the package information. If it
+ # contains a password, make sure to adjust the permissions of the config
+ # file accordingly.
+ # database =
+
+ # Plugins to load in package manager.
+ # load =
+
+}
+
diff --git a/conf/options/pacman.opt b/conf/options/pacman.opt
new file mode 100644
index 000000000..dfb4ba2b1
--- /dev/null
+++ b/conf/options/pacman.opt
@@ -0,0 +1,7 @@
+pacman.database =
+ Database URI for the database that stores the package information. If it
+ contains a password, make sure to adjust the permissions of the config file
+ accordingly.
+
+pacman.load =
+ Plugins to load in package manager.
diff --git a/conf/options/pool.conf b/conf/options/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/conf/options/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/conf/options/pool.opt b/conf/options/pool.opt
new file mode 100644
index 000000000..79458c779
--- /dev/null
+++ b/conf/options/pool.opt
@@ -0,0 +1,7 @@
+pool.database
+ Database URI for the database that stores IP pools and configuration
+ attributes. If it contains a password, make sure to adjust the permissions
+ of the config file accordingly.
+
+pool.load =
+ Plugins to load in ipsec pool tool.
diff --git a/conf/options/starter.conf b/conf/options/starter.conf
new file mode 100644
index 000000000..8465f7e53
--- /dev/null
+++ b/conf/options/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Plugins to load in starter.
+ # load =
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/conf/options/starter.opt b/conf/options/starter.opt
new file mode 100644
index 000000000..4e6574d58
--- /dev/null
+++ b/conf/options/starter.opt
@@ -0,0 +1,5 @@
+starter.load =
+ Plugins to load in starter.
+
+starter.load_warning = yes
+ Disable charon plugin load option warning.
diff --git a/conf/options/tnc.conf b/conf/options/tnc.conf
new file mode 100644
index 000000000..6736a2d0a
--- /dev/null
+++ b/conf/options/tnc.conf
@@ -0,0 +1,11 @@
+charon {
+
+ tnc {
+
+ # TNC IMC/IMV configuration file.
+ # tnc_config = /etc/tnc_config
+
+ }
+
+}
+
diff --git a/conf/options/tnc.opt b/conf/options/tnc.opt
new file mode 100644
index 000000000..467723ea6
--- /dev/null
+++ b/conf/options/tnc.opt
@@ -0,0 +1,2 @@
+charon.tnc.tnc_config = /etc/tnc_config
+ TNC IMC/IMV configuration file.
diff --git a/conf/options/tools.conf b/conf/options/tools.conf
new file mode 100644
index 000000000..a3ab099ed
--- /dev/null
+++ b/conf/options/tools.conf
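Review bot: `pool.database` is the only database option in this commit written without a trailing `=`; `attest.database =`, `pacman.database =`, `medsrv.database =` and `manager.database =` all carry it. If the .opt parser treats the two forms identically this is purely cosmetic, but the generated strongswan.conf comment may differ between the forms, so I would change the line to `pool.database =` for consistency with its siblings.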
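Review bot: `starter.load_warning = yes` is described as "Disable charon plugin load option warning.", which reads as if the default disables the warning, while the name and the `yes` default suggest the opposite: the warning is on by default and `no` silences it. I would reword the entry to `Whether starter warns when a manual charon.load plugin list is configured; set to no to disable the warning.` I am inferring the semantics from the option name and default, so please check the starter code that reads this option before settling the wording.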
@@ -0,0 +1,21 @@
+openac {
+
+ # Plugins to load in ipsec openac tool.
+ # load =
+
+}
+
+pki {
+
+ # Plugins to load in ipsec pki tool.
+ # load =
+
+}
+
+scepclient {
+
+ # Plugins to load in ipsec scepclient tool.
+ # load =
+
+}
+
diff --git a/conf/options/tools.opt b/conf/options/tools.opt
new file mode 100644
index 000000000..23e6a1c9f
--- /dev/null
+++ b/conf/options/tools.opt
@@ -0,0 +1,8 @@
+openac.load =
+ Plugins to load in ipsec openac tool.
+
+pki.load =
+ Plugins to load in ipsec pki tool.
+
+scepclient.load =
+ Plugins to load in ipsec scepclient tool.
-- cgit v1.2.3