From bba25e2ff6c4a193acb54560ea4417537bd2954e Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 30 May 2017 20:59:31 +0200 Subject: New upstream version 5.5.3 --- conf/strongswan.conf.5.main | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) (limited to 'conf/strongswan.conf.5.main') diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 72ab3a77a..4df7ce42d 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -113,6 +113,14 @@ the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +.TP +.BR charon.delete_rekeyed_delay " [5]" +Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 +only). To process delayed packets the inbound part of a CHILD_SA is kept +installed up to the configured number of seconds after it got replaced during a +rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if +no lifetime is set it will be destroyed immediately). + .TP .BR charon.dh_exponent_ansi_x9_42 " [yes]" Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic @@ -431,6 +439,11 @@ type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation or an arbitrary value depending on the attribute type. For some attribute types multiple values may be specified as a comma separated list. +.TP +.BR charon.plugins.attr-sql.crash_recovery " [yes]" +Release all online leases during startup. Disable this to share the DB between +multiple VPN gateways. + .TP .BR charon.plugins.attr-sql.database " []" Database URI for attr\-sql plugin used by charon. If it contains a password, make @@ -1049,8 +1062,8 @@ Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs allocated -by the kernel. The default value equals the default total retransmission timeout -for IKE messages, see IKEv2 RETRANSMISSION in +by the kernel. The default value equals the total retransmission timeout for +IKE messages, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." @@ -1393,6 +1406,11 @@ Firewall mark to set on outbound packets. .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. +.TP +.BR charon.plugins.socket-default.set_sourceif " [no]" +Force sending interface on outbound packets, if possible. This allows using IPv6 +link\-local addresses as tunnel endpoints. + .TP .BR charon.plugins.socket-default.use_ipv4 " [yes]" Listen on IPv4, if possible. @@ -1697,6 +1715,15 @@ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." +.TP +.BR charon.retransmit_jitter " [0]" +Maximum jitter in percent to apply randomly to calculated retransmission timeout +(0 to disable). + +.TP +.BR charon.retransmit_limit " [0]" +Upper limit in seconds for calculated retransmission timeout (0 to disable). + .TP .BR charon.retransmit_timeout " [4.0]" Timeout in seconds before sending first retransmit. -- cgit v1.2.3