From 25663e04c3ab01ef8dc9f906608282319cfea2db Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Thu, 20 Oct 2016 16:18:38 +0200
Subject: New upstream version 5.5.1
---
 man/Makefile.in | 5 ++---
 man/ipsec.conf.5.in | 36 ++++++++++++++++++++++++------------
 2 files changed, 26 insertions(+), 15 deletions(-)
(limited to 'man')
diff --git a/man/Makefile.in b/man/Makefile.in
index a473efdfb..4d04d25c6 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -303,7 +303,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
 cmd_plugins = @cmd_plugins@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
 dev_headers = @dev_headers@
 docdir = @docdir@
 dvidir = @dvidir@
@@ -337,8 +336,6 @@ libiptc_LIBS = @libiptc_LIBS@
 linux_headers = @linux_headers@
 localedir = @localedir@
 localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
 manager_plugins = @manager_plugins@
 mandir = @mandir@
 medsrv_plugins = @medsrv_plugins@
@@ -392,6 +389,8 @@ target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 54440c0c7..6f80709a6 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -247,7 +247,9 @@ can be added at the end.
 If
 .B dh-group
 is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
-Diffie-Hellman exchange.
+Diffie-Hellman exchange (refer to the
+.B esp
+keyword for details).
 .TP
 .BR also " = "
 includes conn section
@@ -410,18 +412,27 @@ exclamation mark can be added at the end.
 .BR Note :
-As a responder the daemon accepts the first supported proposal received from
-the peer. In order to restrict a responder to only accept specific cipher
-suites, the strict flag
+As a responder, the daemon defaults to selecting the first configured proposal
+that's also supported by the peer. This may be changed via
+.BR strongswan.conf (5)
+to selecting the first acceptable proposal sent by the peer instead. In order to
+restrict a responder to only accept specific cipher suites, the strict flag
 .RB ( ! ,
 exclamation mark) can be used, e.g: aes256-sha512-modp4096!
-.br
+
 If
 .B dh-group
-is specified, CHILD_SA/Quick Mode setup and rekeying include a separate
-Diffie-Hellman exchange. Valid values for
+is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a
+separate Diffie-Hellman exchange using the specified group. However, for IKEv2,
+the keys of the CHILD_SA created implicitly with the IKE_SA will always be
+derived from the IKE_SA's key material. So any DH group specified here will only
+apply when the CHILD_SA is later rekeyed or is created with a separate
+CREATE_CHILD_SA exchange. Therefore, a proposal mismatch might not immediately
+be noticed when the SA is established, but may later cause rekeying to fail.
+
+Valid values for
 .B esnmode
-(IKEv2 only) are
+are
 .B esn
 and
 .BR noesn .
@@ -434,14 +445,15 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected.
 This may help to surmount restrictive firewalls. In order to force the peer to
 encapsulate packets, NAT detection payloads are faked.
 .TP
-.BR fragmentation " = yes | force | " no
+.BR fragmentation " = " yes " | force | no"
 whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
 fragmentation as per RFC 7383). Acceptable values are
-.BR yes ,
+.B yes
+(the default),
 .B force
 and
-.B no
-(the default). Fragmented IKE messages sent by a peer are always accepted
+.BR no .
+Fragmented IKE messages sent by a peer are always accepted
 irrespective of the value of this option. If set to
 .BR yes ,
 and the peer supports it, larger IKE messages will be sent in fragments.
-- cgit v1.2.3