1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
charon {}
Options for the charon IKE daemon.
Options for the charon IKE daemon.
**Note**: Many of the options in this section also apply to **charon-cmd**
and other **charon** derivatives. Just use their respective name (e.g.
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.
charon.block_threshold = 5
Maximum number of half-open IKE_SAs for a single peer IP.
charon.cert_cache = yes
Whether relations in validated certificate chains should be cached in
memory.
charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).
charon.close_ike_on_child_failure = no
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
charon.cookie_threshold = 10
Number of half-open IKE_SAs that activate the cookie mechanism.
charon.crypto_test.bench = no
Benchmark crypto algorithms and order them by efficiency.
charon.crypto_test.bench_size = 1024
Buffer size used for crypto benchmark.
charon.crypto_test.bench_time = 50
Number of iterations to test each algorithm.
charon.crypto_test.on_add = no
Test crypto algorithms during registration (requires test vectors provided
by the _test-vectors_ plugin).
charon.crypto_test.on_create = no
Test crypto algorithms on each crypto primitive instantiation.
charon.crypto_test.required = no
Strictly require at least one test vector to enable an algorithm.
charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.
charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength.
charon.dns1
DNS server assigned to peer via configuration payload (CP).
charon.dns2
DNS server assigned to peer via configuration payload (CP).
charon.dos_protection = yes
Enable Denial of Service protection using cookies and aggressiveness checks.
charon.ecp_x_coordinate_only = yes
Compliance with the errata for RFC 4753.
charon.flush_auth_cfg = no
Free objects during authentication (might conflict with plugins).
If enabled objects used during authentication (certificates, identities
etc.) are released to free memory once an IKE_SA is established. Enabling
this might conflict with plugins that later need access to e.g. the used
certificates.
charon.fragment_size = 512
Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
fragmentation extension.
charon.group
Name of the group the daemon changes to after startup.
charon.half_open_timeout = 30
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
charon.hash_and_url = no
Enable hash and URL support.
charon.host_resolver.max_threads = 3
Maximum number of concurrent resolver threads (they are terminated if
unused).
charon.host_resolver.min_threads = 0
Minimum number of resolver threads to keep around.
charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
If enabled responders are allowed to use IKEv1 Aggressive Mode with
pre-shared keys, which is discouraged due to security concerns (offline
attacks on the openly transmitted hash of the PSK).
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.
charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.
charon.ikesa_table_segments = 1
Number of exclusively locked segments in the hash table.
charon.ikesa_table_size = 1
Size of the IKE_SA hash table.
charon.inactivity_close_ike = no
Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
charon.init_limit_half_open = 0
Limit new connections based on the current number of half open IKE_SAs, see
IKE_SA_INIT DROPPING in **strongswan.conf**(5).
charon.init_limit_job_load = 0
Limit new connections based on the number of queued jobs.
Limit new connections based on the number of jobs currently queued for
processing (see IKE_SA_INIT DROPPING).
charon.initiator_only = no
Causes charon daemon to ignore IKE initiation requests.
charon.install_routes = yes
Install routes into a separate routing table for established IPsec tunnels.
charon.install_virtual_ip = yes
Install virtual IP addresses.
charon.install_virtual_ip_on
The name of the interface on which virtual IP addresses should be installed.
The name of the interface on which virtual IP addresses should be installed.
If not specified the addresses will be installed on the outbound interface.
charon.integrity_test = no
Check daemon, libstrongswan and plugin integrity at startup.
charon.interfaces_ignore
A comma-separated list of network interfaces that should be ignored, if
**interfaces_use** is specified this option has no effect.
charon.interfaces_use
A comma-separated list of network interfaces that should be used by charon.
All other interfaces are ignored.
charon.keep_alive = 20s
NAT keep alive interval.
charon.leak_detective.detailed = yes
Includes source file names and line numbers in leak detective output.
charon.leak_detective.usage_threshold = 10240
Threshold in bytes for leaks to be reported (0 to report all).
charon.leak_detective.usage_threshold_count = 0
Threshold in number of allocations for leaks to be reported (0 to report
all).
charon.load
Plugins to load in the IKE daemon charon.
charon.load_modular = no
Determine plugins to load via each plugin's load option.
If enabled, the list of plugins to load is determined via the value of the
_charon.plugins.<name>.load_ options. In addition to a simple boolean flag
that option may take an integer value indicating the priority of a plugin,
which would influence the order of a plugin in the plugin list (the default
is 1). If two plugins have the same priority their order in the default
plugin list is preserved. Enabled plugins not found in that list are ordered
alphabetically before other plugins with the same priority.
charon.max_packet = 10000
Maximum packet size accepted by charon.
charon.multiple_authentication = yes
Enable multiple authentication exchanges (RFC 4739).
charon.nbns1
WINS servers assigned to peer via configuration payload (CP).
charon.nbns2
WINS servers assigned to peer via configuration payload (CP).
charon.port = 500
UDP port used locally. If set to 0 a random port will be allocated.
charon.port_nat_t = 4500
UDP port used locally in case of NAT-T. If set to 0 a random port will be
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.
charon.process_route = yes
Process RTM_NEWROUTE and RTM_DELROUTE events.
charon.processor.priority_threads {}
Section to configure the number of reserved threads per priority class
see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).
charon.receive_delay = 0
Delay in ms for receiving packets, to simulate larger RTT.
charon.receive_delay_response = yes
Delay response messages.
charon.receive_delay_request = yes
Delay request messages.
charon.receive_delay_type = 0
Specific IKEv2 message type to delay, 0 for any.
charon.replay_window = 32
Size of the AH/ESP replay window, in packets.
charon.retransmit_base = 1.8
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
in **strongswan.conf**(5).
charon.retransmit_timeout = 4.0
Timeout in seconds before sending first retransmit.
charon.retransmit_tries = 5
Number of times to retransmit a packet before giving up.
charon.retry_initiate_interval = 0
Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
failed), 0 to disable retries.
charon.reuse_ikesa = yes
Initiate CHILD_SA within existing IKE_SAs.
charon.routing_table
Numerical routing table to install routes to.
charon.routing_table_prio
Priority of the routing table.
charon.send_delay = 0
Delay in ms for sending packets, to simulate larger RTT.
charon.send_delay_response = yes
Delay response messages.
charon.send_delay_request = yes
Delay request messages.
charon.send_delay_type = 0
Specific IKEv2 message type to delay, 0 for any.
charon.send_vendor_id = no
Send strongSwan vendor ID payload
charon.threads = 16
Number of worker threads in charon.
Number of worker threads in charon. Several of these are reserved for long
running tasks in internal modules and plugins. Therefore, make sure you
don't set this value too low. The number of idle worker threads listed in
_ipsec statusall_ might be used as indicator on the number of reserved
threads.
charon.tls.cipher
List of TLS encryption ciphers.
charon.tls.key_exchange
List of TLS key exchange methods.
charon.tls.mac
List of TLS MAC algorithms.
charon.tls.suites
List of TLS cipher suites.
charon.user
Name of the user the daemon changes to after startup.
charon.x509.enforce_critical = yes
Discard certificates with unsupported or unknown critical extensions.
|