From 335b7e322c795d86705aab67d2ecf72f1c9c5614 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 30 May 2017 20:59:31 +0200 Subject: New upstream version 5.5.3 --- src/swanctl/swanctl.conf.5.main | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) (limited to 'src/swanctl/swanctl.conf.5.main') diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 6e1e9adfb..9f4044d7e 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -168,18 +168,29 @@ Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are .RI "" "yes" "" (the default), +.RI "" "accept" "," .RI "" "force" "" and .RI "" "no" "." -Fragmented IKE messages sent by a peer are always accepted irrespective of -the value of this option. If set to +If set to .RI "" "yes" "," -and the peer supports it, -oversized IKE messages will be sent in fragments. If set to +and the peer supports it, oversized IKE +messages will be sent in fragments. If set to +.RI "" "accept" "," +support for +fragmentation is announced to the peer but the daemon does not send its own +messages in fragments. If set to .RI "" "force" "" -(only -supported for IKEv1) the initial IKE message will already be fragmented if -required. +(only supported for IKEv1) the initial +IKE message will already be fragmented if required. Finally, setting the option +to +.RI "" "no" "" +will disable announcing support for this feature. + +Note that fragmented IKE messages sent by a peer are always accepted +irrespective of the value of this option (even when set to +.RI "" "no" ")." + .TP .BR connections..send_certreq " [yes]" 
@@ -785,6 +796,14 @@ interoperability. If no algorithms are specified for AH nor ESP, the .RI "" "default" "" set of algorithms for ESP is included. +.TP +.BR connections..children..sha256_96 " [no]" +HMAC\-SHA\-256 is used with 128\-bit truncation with IPsec. For compatibility with +implementations that incorrectly use 96\-bit truncation this option may be +enabled to configure the shorter truncation length in the kernel. This is not +negotiated, so this only works with peers that use the incorrect truncation +length (or have this option enabled). + .TP .BR connections..children..local_ts " [dynamic]" Comma separated list of local traffic selectors to include in CHILD_SA. Each @@ -1064,6 +1083,11 @@ IPsec replay window to configure for this CHILD_SA. Larger values than the default of 32 are supported using the Netlink backend only, a value of 0 disables IPsec replay protection. +.TP +.BR connections..children..hw_offload " [no]" +Enable hardware offload for this CHILD_SA, if supported by the IPsec +implementation. + .TP .BR connections..children..start_action " [none]" Action to perform after loading the configuration. The default of -- cgit v1.2.3
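Review bot: in the first hunk (the `connections.<conn>.fragmentation` text at @@ -168), the paragraph for `force` says "(only supported for IKEv1)" but never states what the daemon does when `force` is configured on an IKEv2 connection (behave like `yes`, reject the config, or something else); one sentence spelling that out would avoid guesswork. The trailing note that fragmented messages from a peer are always accepted "(even when set to no)" is the important operational point and is welcome; it makes clear that `no` only suppresses the announcement and is not a way to refuse peer-sent fragments, which is exactly what an administrator reading "no" might assume. Consider also tightening the `accept` wording from "support for fragmentation is announced to the peer but the daemon does not send its own messages in fragments" to say that this is the receive-only mode, since `accept` sits between `yes` and `no` and readers will compare the three.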
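Review bot: the new `connections.<conn>.children.<child>.sha256_96` entry in the second hunk (@@ -785) should say plainly that enabling it shortens the integrity check value from 128 to 96 bits for that CHILD_SA, and since the text itself stresses that the length "is not negotiated", it should also describe the observable symptom of a mismatch (ESP/AH packets failing integrity verification in one direction) so that an operator can recognise it rather than debug a silent traffic loss. "This option may be enabled to configure the shorter truncation length in the kernel" leaves open whether every kernel backend supports the setting or whether it is ignored on some; a sentence naming the constraint, or stating that unsupported backends refuse the SA, would make the interoperability trade-off explicit. The phrase "with IPsec" in the first sentence is vague; "for ESP and AH" reads better.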
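Review bot: the `connections.<conn>.children.<child>.hw_offload` text in the third hunk (@@ -1064) says "if supported by the IPsec implementation" but does not document the failure mode when it is not supported (does SA installation fail, or does the daemon silently fall back to software processing?). That difference matters operationally, because a silent fallback hides a misconfiguration while a hard failure breaks the tunnel, so the man page should state which one occurs and how it is reported. It would also help to mention that offload is a property of the underlying interface and driver, not only of the kernel backend, so that readers know where to look when it does not take effect.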