From bba25e2ff6c4a193acb54560ea4417537bd2954e Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 30 May 2017 20:59:31 +0200 Subject: New upstream version 5.5.3 --- conf/Makefile.in | 2 ++ conf/options/charon.conf | 12 ++++++++++++ conf/options/charon.opt | 17 +++++++++++++++++ conf/plugins/attr-sql.conf | 4 ++++ conf/plugins/attr-sql.opt | 4 ++++ conf/plugins/kernel-netlink.opt | 6 +++--- conf/plugins/socket-default.conf | 3 +++ conf/plugins/socket-default.opt | 6 ++++++ conf/strongswan.conf.5.main | 31 +++++++++++++++++++++++++++++-- conf/strongswan.conf.5.tail.in | 12 +++++++++++- 10 files changed, 91 insertions(+), 6 deletions(-) (limited to 'conf') diff --git a/conf/Makefile.in b/conf/Makefile.in index 70e1b01ec..9a85514ed 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -310,6 +310,7 @@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ host = @host@ @@ -332,6 +333,7 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ libiptc_CFLAGS = @libiptc_CFLAGS@ libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index 1b5d52d02..7ccb74939 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -29,6 +29,10 @@ charon { # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). # delete_rekeyed = no + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes @@ -199,6 +203,14 @@ charon { # in strongswan.conf(5). # retransmit_base = 1.8 + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + # Timeout in seconds before sending first retransmit. # retransmit_timeout = 4.0 diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 4c4311e81..3593c6a5f 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -75,6 +75,16 @@ charon.delete_rekeyed = no However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +charon.delete_rekeyed_delay = 5 + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). + + Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 + only). To process delayed packets the inbound part of a CHILD_SA is kept + installed up to the configured number of seconds after it got replaced + during a rekeying. If set to 0 the CHILD_SA will be kept installed until it + expires (if no lifetime is set it will be destroyed immediately). + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. @@ -311,6 +321,13 @@ charon.retransmit_timeout = 4.0 charon.retransmit_tries = 5 Number of times to retransmit a packet before giving up. +charon.retransmit_jitter = 0 + Maximum jitter in percent to apply randomly to calculated retransmission + timeout (0 to disable). + +charon.retransmit_limit = 0 + Upper limit in seconds for calculated retransmission timeout (0 to disable). + charon.retry_initiate_interval = 0 Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries. diff --git a/conf/plugins/attr-sql.conf b/conf/plugins/attr-sql.conf index 24d4e809d..f56f54aee 100644 --- a/conf/plugins/attr-sql.conf +++ b/conf/plugins/attr-sql.conf @@ -1,5 +1,9 @@ attr-sql { + # Release all online leases during startup. Disable this to share the DB + # between multiple VPN gateways. + # crash_recovery = yes + # Database URI for attr-sql plugin used by charon. If it contains a # password, make sure to adjust the permissions of the config file # accordingly. diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt index abd749e3e..58f05bb5f 100644 --- a/conf/plugins/attr-sql.opt +++ b/conf/plugins/attr-sql.opt @@ -1,3 +1,7 @@ +charon.plugins.attr-sql.crash_recovery = yes + Release all online leases during startup. Disable this to share the DB + between multiple VPN gateways. + charon.plugins.attr-sql.database Database URI for attr-sql plugin used by charon. If it contains a password, make sure to adjust the permissions of the config file accordingly. diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 1136af1be..3d9c4a7a9 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -113,6 +113,6 @@ charon.plugins.kernel-netlink.xfrm_acq_expires = 165 trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs - allocated by the kernel. The default value equals the default total - retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION - in **strongswan.conf**(5). + allocated by the kernel. The default value equals the total retransmission + timeout for IKE messages, see IKEv2 RETRANSMISSION in + **strongswan.conf**(5). diff --git a/conf/plugins/socket-default.conf b/conf/plugins/socket-default.conf index 6d4b73dd5..abf4650ed 100644 --- a/conf/plugins/socket-default.conf +++ b/conf/plugins/socket-default.conf @@ -10,6 +10,9 @@ socket-default { # Set source address on outbound packets, if possible. # set_source = yes + # Force sending interface on outbound packets, if possible. + # set_sourceif = no + # Listen on IPv4, if possible. # use_ipv4 = yes diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt index 483a0f03d..570bd0ec7 100644 --- a/conf/plugins/socket-default.opt +++ b/conf/plugins/socket-default.opt @@ -4,6 +4,12 @@ charon.plugins.socket-default.fwmark = charon.plugins.socket-default.set_source = yes Set source address on outbound packets, if possible. +charon.plugins.socket-default.set_sourceif = no + Force sending interface on outbound packets, if possible. + + Force sending interface on outbound packets, if possible. This allows + using IPv6 link-local addresses as tunnel endpoints. + charon.plugins.socket-default.use_ipv4 = yes Listen on IPv4, if possible. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index 72ab3a77a..4df7ce42d 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -113,6 +113,14 @@ the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However, this might cause problems with implementations that continue to use rekeyed SAs until they expire. +.TP +.BR charon.delete_rekeyed_delay " [5]" +Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 +only). To process delayed packets the inbound part of a CHILD_SA is kept +installed up to the configured number of seconds after it got replaced during a +rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if +no lifetime is set it will be destroyed immediately). + .TP .BR charon.dh_exponent_ansi_x9_42 " [yes]" Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic @@ -431,6 +439,11 @@ type. The assigned value can be an IPv4/IPv6 address, a subnet in CIDR notation or an arbitrary value depending on the attribute type. For some attribute types multiple values may be specified as a comma separated list. +.TP +.BR charon.plugins.attr-sql.crash_recovery " [yes]" +Release all online leases during startup. Disable this to share the DB between +multiple VPN gateways. + .TP .BR charon.plugins.attr-sql.database " []" Database URI for attr\-sql plugin used by charon. If it contains a password, make @@ -1049,8 +1062,8 @@ Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs allocated -by the kernel. The default value equals the default total retransmission timeout -for IKE messages, see IKEv2 RETRANSMISSION in +by the kernel. The default value equals the total retransmission timeout for +IKE messages, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." @@ -1393,6 +1406,11 @@ Firewall mark to set on outbound packets. .BR charon.plugins.socket-default.set_source " [yes]" Set source address on outbound packets, if possible. +.TP +.BR charon.plugins.socket-default.set_sourceif " [no]" +Force sending interface on outbound packets, if possible. This allows using IPv6 +link\-local addresses as tunnel endpoints. + .TP .BR charon.plugins.socket-default.use_ipv4 " [yes]" Listen on IPv4, if possible. @@ -1697,6 +1715,15 @@ Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION in .RB "" "strongswan.conf" "(5)." +.TP +.BR charon.retransmit_jitter " [0]" +Maximum jitter in percent to apply randomly to calculated retransmission timeout +(0 to disable). + +.TP +.BR charon.retransmit_limit " [0]" +Upper limit in seconds for calculated retransmission timeout (0 to disable). + .TP .BR charon.retransmit_timeout " [4.0]" Timeout in seconds before sending first retransmit. diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in index 72aa7f856..f428fc323 100644 --- a/conf/strongswan.conf.5.tail.in +++ b/conf/strongswan.conf.5.tail.in @@ -408,6 +408,8 @@ using the three keys listed below: .BR charon.retransmit_base " [1.8]" .BR charon.retransmit_timeout " [4.0]" .BR charon.retransmit_tries " [5]" +.BR charon.retransmit_jitter " [0]" +.BR charon.retransmit_limit " [0]" .fi .RE .PP @@ -419,7 +421,15 @@ The following algorithm is used to calculate the timeout: .PP Where .I n -is the current retransmission count. +is the current retransmission count. The calculated timeout can't exceed the +configured retransmit_limit (if any), which is useful if the number of retries +is high. +.PP +If a jitter in percent is configured, the timeout is modified as follows: +.PP +.EX + relative timeout -= random(0, retransmit_jitter * relative timeout) +.EE .PP Using the default values, packets are retransmitted in: -- cgit v1.2.3