STRONGSWAN.CONF(5)                 strongSwan                 STRONGSWAN.CONF(5)

NAME
       strongswan.conf - strongSwan configuration file

DESCRIPTION
       While the ipsec.conf(5) configuration file is well suited to define
       IPsec related configuration parameters, it is not useful for other
       strongSwan applications to read options from this file. The file is
       hard to parse and only ipsec starter is capable of doing so. As the
       number of components of the strongSwan project is continually growing,
       a more flexible configuration file was needed, one that is easy to
       extend and can be used by all components. With strongSwan 4.2.1
       strongswan.conf(5) was introduced which meets these requirements.

SYNTAX
       The format of the strongswan.conf file consists of hierarchical
       sections and a list of key/value pairs in each section. Each section
       has a name, followed by C-style curly brackets defining the section
       body. Each section body contains a set of subsections and key/value
       pairs:

           settings := (section|keyvalue)*
           section  := name { settings }
           keyvalue := key = value\n

       Values must be terminated by a newline.

       Comments are possible using the #-character.

       Section names and keys may contain any printable character except:

           . , : { } = " # \n \t space

       An example file in this format might look like this:

           a = b
           section-one {
               somevalue = asdf
               subsection {
                   othervalue = xxx
               }
               # yei, a comment
               yetanother = zz
           }
           section-two {
               x = 12
           }

       Indentation is optional, you may use tabs or spaces.

REFERENCING OTHER SECTIONS
       It is possible to inherit settings and sections from another section.
       This feature is mainly useful in swanctl.conf (which uses the same file
       format). The syntax is as follows:

           section    := name : references { settings }
           references := absname[, absname]*
           absname    := name[.name]*

       All key/value pairs and all subsections of the referenced sections will
       be inherited by the section that references them via their absolute
       name. Values may be overridden in the section or any of its
       sub-sections (use an empty assignment to clear a value so its default
       value, if any, will apply). It is currently not possible to limit the
       inclusion level or clear/remove inherited sub-sections.

       If the order is important (e.g. for auth rounds in a connection, if
       round is not used), it should be noted that inherited settings/sections
       will follow those defined in the current section (if multiple sections
       are referenced, their settings are enumerated left to right).

       References are evaluated dynamically at runtime, so referring to
       sections later in the config file or included via other files is no
       problem.

       Here is an example of how this might look:

           conn-defaults {
               # default settings for all conns (e.g. a cert, or IP pools)
           }
           eap-defaults {
               # defaults if eap is used (e.g. a remote auth round)
           }
           child-defaults {
               # defaults for child configs (e.g. traffic selectors)
           }
           connections {
               conn-a : conn-defaults, eap-defaults {
                   # set/override stuff specific to this connection
                   children {
                       child-a : child-defaults {
                           # set/override stuff specific to this child
                       }
                   }
               }
               conn-b : conn-defaults {
                   # set/override stuff specific to this connection
                   children {
                       child-b : child-defaults {
                           # set/override stuff specific to this child
                       }
                   }
               }
               conn-c : connections.conn-a {
                   # everything is inherited, including everything conn-a
                   # already inherits from the sections it and its
                   # sub-section reference
               }
           }

INCLUDING FILES
       Using the include statement it is possible to include other files into
       strongswan.conf, e.g.

           include /some/path/*.conf

       If the file name is not an absolute path, it is considered to be
       relative to the directory of the file containing the include statement.
       The file name may include shell wildcards (see sh(1)). Also, such
       inclusions can be nested.

       Sections loaded from included files extend previously loaded sections;
       already existing values are replaced. It is important to note that
       settings are added relative to the section the include statement is in.

       As an example, the following three files result in the same final
       config as the one given above:

           a = b
           section-one {
               somevalue = before include
               include include.conf
           }
           include other.conf

       include.conf:
           # settings loaded from this file are added to section-one
           # the following replaces the previous value
           somevalue = asdf
           subsection {
               othervalue = yyy
           }
           yetanother = zz

       other.conf:
           # this extends section-one and subsection
           section-one {
               subsection {
                   # this replaces the previous value
                   othervalue = xxx
               }
           }
           section-two {
               x = 12
           }

READING VALUES
       Values are accessed using a dot-separated section list and a key. With
       reference to the example above, accessing
       section-one.subsection.othervalue will return xxx.

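As an added example (not part of this man page and not strongSwan's own code), the following Python parser implements the file syntax, the include handling, the section references and the dot-notation lookup described above. It assumes an in-memory dictionary in place of the filesystem and resolves references by a plain walk from the root section; the file names and addresses in the sample are constructed.

```python
# Parser for the strongswan.conf format described above (sections, key/value
# pairs, comments, include statements, section references, dot-path lookup).
# Added example, not strongSwan's code; the sample files below are constructed.
import fnmatch
import posixpath
from functools import reduce

_MISSING = object()  # "never set", as opposed to "" which means "cleared"

class Section:
    def __init__(self):  # values: key -> str, sections: name -> Section
        self.values, self.sections, self.refs = {}, {}, []

class Config:
    def __init__(self, files, main):
        self.files = files  # {absolute path: text}; stands in for the disk
        self.root = Section()
        self._parse(main, self.root)

    def _parse(self, path, section):
        stack = [section]
        for raw in self.files[path].splitlines():
            line = raw.split("#", 1)[0].strip()  # '#' starts a comment
            if not line:
                continue
            if line == "}":
                stack.pop()
            elif line.startswith("include "):
                self._include(line[8:].strip(), path, stack[-1])
            elif line.endswith("{"):  # "name {" or "name : ref1, ref2 {"
                head, _, refs = line[:-1].partition(":")
                sub = stack[-1].sections.setdefault(head.strip(), Section())
                if refs.strip():
                    sub.refs = [r.strip() for r in refs.split(",")]
                stack.append(sub)  # re-opening a section extends it
            elif "=" in line:
                key, _, value = line.partition("=")
                stack[-1].values[key.strip()] = value.strip()  # later wins
            else:
                raise ValueError(f"{path}: cannot parse {raw!r}")
        if len(stack) != 1:
            raise ValueError(f"{path}: unbalanced braces")

    def _include(self, pattern, including, section):
        if not posixpath.isabs(pattern):  # relative to the including file
            pattern = posixpath.join(posixpath.dirname(including), pattern)
        for path in sorted(fnmatch.filter(self.files, pattern)):
            self._parse(path, section)  # added relative to current section

    def _lookup(self, sec, parts, seen):
        if id(sec) in seen:  # guard against reference cycles
            return _MISSING
        seen = seen | {id(sec)}
        if len(parts) == 1:
            if parts[0] in sec.values:
                return sec.values[parts[0]]
        elif parts[0] in sec.sections:
            found = self._lookup(sec.sections[parts[0]], parts[1:], seen)
            if found is not _MISSING:
                return found
        for ref in sec.refs:  # own settings win; refs are absolute names
            target = reduce(lambda s, p: s and s.sections.get(p),
                            ref.split("."), self.root)  # resolved at lookup
            if target is not None:
                found = self._lookup(target, parts, seen)
                if found is not _MISSING:
                    return found
        return _MISSING

    def get(self, path, default=None):
        value = self._lookup(self.root, path.split("."), set())
        return default if value is _MISSING or value == "" else value

# Constructed sample files; conn-c inherits from a section loaded via include.
FILES = {
    "/etc/swanctl/swanctl.conf": """\
include conf.d/*.conf
connections {
    conn-c : connections.conn-a {
        local_addrs =               # cleared, so the default applies again
        remote_addrs = 203.0.113.9  # overrides the inherited value
    }
}
""",
    "/etc/swanctl/conf.d/conn-a.conf": """\
conn-defaults {
    local_addrs = 192.0.2.1
}
connections {
    conn-a : conn-defaults {
        remote_addrs = 198.51.100.7
        children {
            child-a {
                local_ts = 10.1.0.0/16
            }
        }
    }
}
""",
}
```

Config(FILES, "/etc/swanctl/swanctl.conf").get("connections.conn-c.children.child-a.local_ts") returns 10.1.0.0/16 through the reference to conn-a, while get("connections.conn-c.local_addrs", "%any") returns the default because the value was cleared with an empty assignment.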
DEFINED KEYS
       The following keys are currently defined (using dot notation). The
       default value (if any) is listed in brackets after the key.

       aikgen.load []
              Plugins to load in ipsec aikgen tool.

       attest.database []
              File measurement information database URI. If it contains a
              password, make sure to adjust the permissions of the config file
              accordingly.

       attest.load []
              Plugins to load in ipsec attest tool.

       charon
              Options for the charon IKE daemon.

              Note: Many of the options in this section also apply to
              charon-cmd and other charon derivatives. Just use their
              respective name (e.g. charon-cmd instead of charon). For many
              options defaults can be defined in the libstrongswan section.

       charon.accept_unencrypted_mainmode_messages [no]
              Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

              Some implementations send the third Main Mode message
              unencrypted, probably to find the PSKs for the specified ID for
              authentication. This is very similar to Aggressive Mode, and has
              the same security implications: A passive attacker can sniff the
              negotiated Identity, and start brute forcing the PSK using the
              HASH payload.

              It is recommended to keep this option to no, unless you know
              exactly what the implications are and require compatibility to
              such devices (for example, some SonicWall boxes).

       charon.block_threshold [5]
              Maximum number of half-open IKE_SAs for a single peer IP.

       charon.cache_crls [no]
              Whether Certificate Revocation Lists (CRLs) fetched via HTTP or
              LDAP should be saved under a unique file name derived from the
              public key of the Certification Authority (CA) to
              /etc/ipsec.d/crls (stroke) or /etc/swanctl/x509crl (vici),
              respectively.

       charon.cert_cache [yes]
              Whether relations in validated certificate chains should be
              cached in memory.

       charon.cisco_unity [no]
              Send Cisco Unity vendor ID payload (IKEv1 only).

       charon.close_ike_on_child_failure [no]
              Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH
              failed.

       charon.cookie_threshold [10]
              Number of half-open IKE_SAs that activate the cookie mechanism.

       charon.crypto_test.bench [no]
              Benchmark crypto algorithms and order them by efficiency.

       charon.crypto_test.bench_size [1024]
              Buffer size used for crypto benchmark.

       charon.crypto_test.bench_time [50]
              Time in ms during which crypto algorithm performance is
              measured.

       charon.crypto_test.on_add [no]
              Test crypto algorithms during registration (requires test
              vectors provided by the test-vectors plugin).

       charon.crypto_test.on_create [no]
              Test crypto algorithms on each crypto primitive instantiation.

       charon.crypto_test.required [no]
              Strictly require at least one test vector to enable an
              algorithm.

       charon.crypto_test.rng_true [no]
              Whether to test RNG with TRUE quality; requires a lot of
              entropy.

       charon.delete_rekeyed [no]
              Delete CHILD_SAs right after they got successfully rekeyed
              (IKEv1 only). Reduces the number of stale CHILD_SAs in scenarios
              with a lot of rekeyings. However, this might cause problems with
              implementations that continue to use rekeyed SAs until they
              expire.

       charon.delete_rekeyed_delay [5]
              Delay in seconds until inbound IPsec SAs are deleted after
              rekeyings (IKEv2 only). To process delayed packets the inbound
              part of a CHILD_SA is kept installed up to the configured number
              of seconds after it got replaced during a rekeying. If set to 0
              the CHILD_SA will be kept installed until it expires (if no
              lifetime is set it will be destroyed immediately).

       charon.dh_exponent_ansi_x9_42 [yes]
              Use ANSI X9.42 DH exponent size or optimum size matched to
              cryptographic strength.

       charon.dlopen_use_rtld_now [no]
              Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to
              reveal missing symbols immediately.

       charon.dns1 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dns2 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dos_protection [yes]
              Enable Denial of Service protection using cookies and
              aggressiveness checks.

       charon.ecp_x_coordinate_only [yes]
              Compliance with the errata for RFC 4753.

       charon.filelog
              Section to define file loggers, see LOGGER CONFIGURATION in
              strongswan.conf(5).

       charon.filelog.<name>
              <name> may be the full path to the log file if it only contains
              characters permitted in section names. Is ignored if path is
              specified.

       charon.filelog.<name>.<subsystem> [<default>]
              Loglevel for a specific subsystem.

       charon.filelog.<name>.append [yes]
              If this option is enabled log entries are appended to the
              existing file.

       charon.filelog.<name>.default [1]
              Specifies the default loglevel to be used for subsystems for
              which no specific loglevel is defined.

       charon.filelog.<name>.flush_line [no]
              Enabling this option disables block buffering and enables line
              buffering.

       charon.filelog.<name>.ike_name [no]
              Prefix each log entry with the connection name and a unique
              numerical identifier for each IKE_SA.

       charon.filelog.<name>.path []
              Optional path to the log file. Overrides the section name. Must
              be used if the path contains characters that aren't allowed in
              section names.

       charon.filelog.<name>.time_add_ms [no]
              Adds the milliseconds within the current second after the
              timestamp (separated by a dot, so time_format should end with
              %S or %T).

       charon.filelog.<name>.time_format []
              Prefix each log entry with a timestamp. The option accepts a
              format string as passed to strftime(3).

       charon.flush_auth_cfg [no]
              If enabled objects used during authentication (certificates,
              identities etc.) are released to free memory once an IKE_SA is
              established. Enabling this might conflict with plugins that
              later need access to e.g. the used certificates.

       charon.follow_redirects [yes]
              Whether to follow IKEv2 redirects (RFC 5685).

       charon.fragment_size [1280]
              Maximum size (complete IP datagram size in bytes) of a sent IKE
              fragment when using proprietary IKEv1 or standardized IKEv2
              fragmentation, defaults to 1280 (use 0 for address family
              specific default values, which uses a lower value for IPv4). If
              specified this limit is used for both IPv4 and IPv6.

       charon.group []
              Name of the group the daemon changes to after startup.

       charon.half_open_timeout [30]
              Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT
              DROPPING).

       charon.hash_and_url [no]
              Enable hash and URL support.

       charon.host_resolver.max_threads [3]
              Maximum number of concurrent resolver threads (they are
              terminated if unused).

       charon.host_resolver.min_threads [0]
              Minimum number of resolver threads to keep around.

       charon.i_dont_care_about_security_and_use_aggressive_mode_psk [no]
              If enabled responders are allowed to use IKEv1 Aggressive Mode
              with pre-shared keys, which is discouraged due to security
              concerns (offline attacks on the openly transmitted hash of the
              PSK).

       charon.ignore_acquire_ts [no]
              If this is disabled the traffic selectors from the kernel's
              acquire events, which are derived from the triggering packet,
              are prepended to the traffic selectors from the configuration
              for IKEv2 connections. By enabling this, such specific traffic
              selectors will be ignored and only the ones in the config will
              be sent. This always happens for IKEv1 connections as the
              protocol only supports one set of traffic selectors per
              CHILD_SA.

       charon.ignore_routing_tables []
              A space-separated list of routing tables to be excluded from
              route lookups.

       charon.ikesa_limit [0]
              Maximum number of IKE_SAs that can be established at the same
              time before new connection attempts are blocked.

       charon.ikesa_table_segments [1]
              Number of exclusively locked segments in the hash table.

       charon.ikesa_table_size [1]
              Size of the IKE_SA hash table.

       charon.imcv
              Defaults for options in this section can be configured in the
              libimcv section.

       charon.imcv.assessment_result [yes]
              Whether IMVs send a standard IETF Assessment Result attribute.

       charon.imcv.database []
              Global IMV policy database URI. If it contains a password, make
              sure to adjust the permissions of the config file accordingly.

       charon.imcv.os_info.default_password_enabled [no]
              Manually set whether a default password is enabled.

       charon.imcv.os_info.name []
              Manually set the name of the client OS (e.g. Ubuntu).

       charon.imcv.os_info.version []
              Manually set the version of the client OS (e.g. 12.04 i686).

       charon.imcv.policy_script [ipsec _imv_policy]
              Script called for each TNC connection to generate IMV policies.

       charon.inactivity_close_ike [no]
              Whether to close IKE_SA if the only CHILD_SA closed due to
              inactivity.

       charon.init_limit_half_open [0]
              Limit new connections based on the current number of half open
              IKE_SAs, see IKE_SA_INIT DROPPING in strongswan.conf(5).

       charon.init_limit_job_load [0]
              Limit new connections based on the number of jobs currently
              queued for processing (see IKE_SA_INIT DROPPING).

       charon.initiator_only [no]
              Causes charon daemon to ignore IKE initiation requests.

       charon.install_routes [yes]
              Install routes into a separate routing table for established
              IPsec tunnels.

       charon.install_virtual_ip [yes]
              Install virtual IP addresses.

       charon.install_virtual_ip_on []
              The name of the interface on which virtual IP addresses should
              be installed. If not specified the addresses will be installed
              on the outbound interface.

       charon.integrity_test [no]
              Check daemon, libstrongswan and plugin integrity at startup.

       charon.interfaces_ignore []
              A comma-separated list of network interfaces that should be
              ignored, if interfaces_use is specified this option has no
              effect.

       charon.interfaces_use []
              A comma-separated list of network interfaces that should be used
              by charon. All other interfaces are ignored.

       charon.keep_alive [20s]
              NAT keep alive interval.

       charon.leak_detective.detailed [yes]
              Includes source file names and line numbers in leak detective
              output.

       charon.leak_detective.usage_threshold [10240]
              Threshold in bytes for leaks to be reported (0 to report all).

       charon.leak_detective.usage_threshold_count [0]
              Threshold in number of allocations for leaks to be reported (0
              to report all).

       charon.load []
              Plugins to load in the IKE daemon charon.

       charon.load_modular [no]
              If enabled, the list of plugins to load is determined via the
              value of the charon.plugins.<name>.load options. In addition to
              a simple boolean flag that option may take an integer value
              indicating the priority of a plugin, which would influence the
              order of a plugin in the plugin list (the default is 1). If two
              plugins have the same priority their order in the default plugin
              list is preserved. Enabled plugins not found in that list are
              ordered alphabetically before other plugins with the same
              priority.

       charon.make_before_break [no]
              Initiate IKEv2 reauthentication with a make-before-break instead
              of a break-before-make scheme. Make-before-break uses
              overlapping IKE and CHILD_SA during reauthentication by first
              recreating all new SAs before deleting the old ones. This
              behavior can be beneficial to avoid connectivity gaps during
              reauthentication, but requires support for overlapping SAs by
              the peer. strongSwan can handle such overlapping SAs since
              version 5.3.0.

       charon.max_ikev1_exchanges [3]
              Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep
              state about and track concurrently.

       charon.max_packet [10000]
              Maximum packet size accepted by charon.

       charon.multiple_authentication [yes]
              Enable multiple authentication exchanges (RFC 4739).

       charon.nbns1 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.nbns2 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.plugin.ha.buflen [2048]
              Buffer size for received HA messages. For IKEv1 the public DH
              factors are also transmitted so depending on the DH group the HA
              messages can get quite big (the default should be fine up to
              modp4096).

       charon.plugins.addrblock.strict [yes]
              If set to yes, a subject certificate without an addrblock
              extension is rejected if the issuer certificate has such an
              addrblock extension. If set to no, subject certificates issued
              without the addrblock extension are accepted without any traffic
              selector checks and no policy is enforced by the plugin.

       charon.plugins.android_log.loglevel [1]
              Loglevel for logging to Android specific logger.

       charon.plugins.attr
              Section to specify arbitrary attributes that are assigned to a
              peer via configuration payload (CP).

       charon.plugins.attr.<attr> []
              <attr> can be either address, netmask, dns, nbns, dhcp, subnet,
              split-include, split-exclude or the numeric identifier of the
              attribute type. The assigned value can be an IPv4/IPv6 address,
              a subnet in CIDR notation or an arbitrary value depending on the
              attribute type. For some attribute types multiple values may be
              specified as a comma separated list.

       charon.plugins.attr-sql.crash_recovery [yes]
              Release all online leases during startup. Disable this to share
              the DB between multiple VPN gateways.

       charon.plugins.attr-sql.database []
              Database URI for attr-sql plugin used by charon. If it contains
              a password, make sure to adjust the permissions of the config
              file accordingly.

       charon.plugins.attr-sql.lease_history [yes]
              Enable logging of SQL IP pool leases.

       charon.plugins.bliss.use_bliss_b [yes]
              Use the enhanced BLISS-B key generation and signature algorithm.

       charon.plugins.bypass-lan.interfaces_ignore []
              A comma-separated list of network interfaces for which connected
              subnets should be ignored, if interfaces_use is specified this
              option has no effect.

       charon.plugins.bypass-lan.interfaces_use []
              A comma-separated list of network interfaces for which connected
              subnets should be considered. All other interfaces are ignored.

       charon.plugins.bypass-lan.load [no]

       charon.plugins.certexpire.csv.cron []
              Cron style string specifying CSV export times.

       charon.plugins.certexpire.csv.empty_string []
              String to use in empty intermediate CA fields.

       charon.plugins.certexpire.csv.fixed_fields [yes]
              Use a fixed intermediate CA field count.

       charon.plugins.certexpire.csv.force [yes]
              Force export of all trustchains we have a private key for.

       charon.plugins.certexpire.csv.format [%d:%m:%Y]
              strftime(3) format string to export expiration dates as.

       charon.plugins.certexpire.csv.local []
              strftime(3) format string for the CSV file name to export local
              certificates to.

       charon.plugins.certexpire.csv.remote []
              strftime(3) format string for the CSV file name to export remote
              certificates to.

       charon.plugins.certexpire.csv.separator [,]
              CSV field separator.

       charon.plugins.coupling.file []
              File to store coupling list to.

       charon.plugins.coupling.hash [sha1]
              Hashing algorithm to fingerprint coupled certificates.

       charon.plugins.coupling.max [1]
              Maximum number of coupling entries to create.

       charon.plugins.curl.redir [-1]
              Maximum number of redirects followed by the plugin, set to 0 to
              disable following redirects, set to -1 for no limit.

       charon.plugins.dhcp.force_server_address [no]
              Always use the configured server address. This might be helpful
              if the DHCP server runs on the same host as strongSwan, and the
              DHCP daemon does not listen on the loopback interface. In that
              case the server cannot be reached via unicast (or even
              255.255.255.255) as that would be routed via loopback. Setting
              this option to yes and configuring the local broadcast address
              (e.g. 192.168.0.255) as server address might work.

       charon.plugins.dhcp.identity_lease [no]
              Derive user-defined MAC address from hash of IKE identity and
              send client identity DHCP option.

       charon.plugins.dhcp.interface []
              Interface name the plugin uses for address allocation. The
              default is to bind to any (0.0.0.0) and let the system decide
              which way to route the packets to the DHCP server.

       charon.plugins.dhcp.server [255.255.255.255]
              DHCP server unicast or broadcast IP address.

       charon.plugins.dhcp.use_server_port [no]
              Use the DHCP server port (67) as source port, instead of the
              DHCP client port (68), when a unicast server address is
              configured and the plugin acts as relay agent. When replying in
              this mode the DHCP server will always send packets to the DHCP
              server port and if no process binds that port an ICMP port
              unreachable will be sent back, which might be problematic for
              some DHCP servers. To avoid that, enabling this option will
              cause the plugin to bind the DHCP server port to send its
              requests when acting as relay agent. This is not necessary if a
              DHCP server is already running on the same host and might even
              cause conflicts (and since the server port is already bound,
              ICMPs should not be an issue).

       charon.plugins.dnscert.enable [no]
              Enable fetching of CERT RRs via DNS.

       charon.plugins.duplicheck.enable [yes]
              Enable duplicheck plugin (if loaded).

       charon.plugins.duplicheck.socket [unix://${piddir}/charon.dck]
              Socket provided by the duplicheck plugin.

       charon.plugins.eap-aka.request_identity [yes]

       charon.plugins.eap-aka-3gpp.seq_check []
              Enable to activate sequence check of the AKA SQN values in order
              to trigger resync cycles.

       charon.plugins.eap-aka-3gpp2.seq_check []
              Enable to activate sequence check of the AKA SQN values in order
              to trigger resync cycles.

       charon.plugins.eap-dynamic.prefer_user [no]
              If enabled the EAP methods proposed in an EAP-Nak message sent
              by the peer are preferred over the methods registered locally.

       charon.plugins.eap-dynamic.preferred []
              The preferred EAP method(s) to be used. If it is not given the
              first registered method will be used initially. If a comma
              separated list is given the methods are tried in the given order
              before trying the rest of the registered methods.

       charon.plugins.eap-gtc.backend [pam]
              XAuth backend to be used for credential verification.

       charon.plugins.eap-peap.fragment_size [1024]
              Maximum size of an EAP-PEAP packet.

       charon.plugins.eap-peap.include_length [no]
              Include length in non-fragmented EAP-PEAP packets.

       charon.plugins.eap-peap.max_message_count [32]
              Maximum number of processed EAP-PEAP packets (0 = no limit).

       charon.plugins.eap-peap.phase2_method [mschapv2]
              Phase2 EAP client authentication method.

       charon.plugins.eap-peap.phase2_piggyback [no]
              Phase2 EAP Identity request piggybacked by server onto TLS
              Finished message.

       charon.plugins.eap-peap.phase2_tnc [no]
              Start phase2 EAP TNC protocol after successful client
              authentication.

       charon.plugins.eap-peap.request_peer_auth [no]
              Request peer authentication based on a client certificate.

       charon.plugins.eap-radius.accounting [no]
              Send RADIUS accounting information to RADIUS servers.

       charon.plugins.eap-radius.accounting_close_on_timeout [yes]
              Close the IKE_SA if there is a timeout during interim RADIUS
              accounting updates.

       charon.plugins.eap-radius.accounting_interval [0]
              Interval in seconds for interim RADIUS accounting updates, if
              not specified by the RADIUS server in the Access-Accept message.

       charon.plugins.eap-radius.accounting_requires_vip [no]
              If enabled, accounting is disabled unless an IKE_SA has at least
              one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is
              strictly necessary.

       charon.plugins.eap-radius.accounting_send_class [no]
              If enabled, adds the Class attributes received in Access-Accept
              message to the RADIUS accounting messages.

       charon.plugins.eap-radius.class_group [no]
              Use the class attribute sent in the RADIUS-Accept message as
              group membership information that is compared to the groups
              specified in the rightgroups option in ipsec.conf(5).

851 charon.plugins.eap-radius.close_all_on_timeout [no]
852 Closes all IKE_SAs if communication with the RADIUS server times
853 out. If it is not set only the current IKE_SA is closed.
854
855
856 charon.plugins.eap-radius.dae.enable [no]
857 Enables support for the Dynamic Authorization Extension (RFC
858 5176).
859
860
861 charon.plugins.eap-radius.dae.listen [0.0.0.0]
862 Address to listen for DAE messages from the RADIUS server.
863
864
865 charon.plugins.eap-radius.dae.port [3799]
866 Port to listen for DAE requests.
867
868
869 charon.plugins.eap-radius.dae.secret []
870 Shared secret used to verify/sign DAE messages. If set, make
871 sure to adjust the permissions of the config file accordingly.
872
873
874 charon.plugins.eap-radius.eap_start [no]
875 Send EAP-Start instead of EAP-Identity to start RADIUS conversa‐
876 tion.
877
878
879 charon.plugins.eap-radius.filter_id [no]
880 If the RADIUS tunnel_type attribute with value ESP is received,
881 use the filter_id attribute sent in the RADIUS-Accept message as
882 group membership information that is compared to the groups
883 specified in the rightgroups option in ipsec.conf(5).
884
885
886
887 charon.plugins.eap-radius.forward.ike_to_radius []
888 RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be
889 defined by name or attribute number, a colon can be used to
890 specify vendor-specific attributes, e.g. Reply-Message, or 11,
891 or 36906:12).
892
893
894 charon.plugins.eap-radius.forward.radius_to_ike []
895 Same as charon.plugins.eap-radius.forward.ike_to_radius but from
896 RADIUS to IKEv2, a strongSwan specific private notify (40969) is
897 used to transmit the attributes.
898
899
900 charon.plugins.eap-radius.id_prefix []
901 Prefix to EAP-Identity, some AAA servers use a IMSI prefix to
902 select the EAP method.
903
904
905 charon.plugins.eap-radius.nas_identifier [strongSwan]
906 NAS-Identifier to include in RADIUS messages.
907
908
909 charon.plugins.eap-radius.port [1812]
910 Port of RADIUS server (authentication).
911
912
913 charon.plugins.eap-radius.retransmit_base [1.4]
914 Base to use for calculating exponential back off.
915
916
917 charon.plugins.eap-radius.retransmit_timeout [2.0]
918 Timeout in seconds before sending first retransmit.
919
920
921 charon.plugins.eap-radius.retransmit_tries [4]
922 Number of times to retransmit a packet before giving up.
923
924
925 charon.plugins.eap-radius.secret []
926 Shared secret between RADIUS and NAS. If set, make sure to
927 adjust the permissions of the config file accordingly.
928
929
930 charon.plugins.eap-radius.server []
931 IP/Hostname of RADIUS server.
932
933
934 charon.plugins.eap-radius.servers
935 Section to specify multiple RADIUS servers. The nas_identifier,
936 secret, sockets and port (or auth_port) options can be specified
937 for each server. A server's IP/Hostname can be configured using
938 the address option. The acct_port [1813] option can be used to
939 specify the port used for RADIUS accounting. For each RADIUS
940 server a priority can be specified using the preference [0]
941 option. The retransmission time for each server can set set
942 using retransmit_base, retransmit_timeout and retransmit_tries.
943
944
945
946 charon.plugins.eap-radius.sockets [1]
947 Number of sockets (ports) to use, increase for high load.
948
949
950 charon.plugins.eap-radius.station_id_with_port [yes]
951 Whether to include the UDP port in the Called- and Calling-Sta‐
952 tion-Id RADIUS attributes.
953
954
955 charon.plugins.eap-radius.xauth
956 Section to configure multiple XAuth authentication rounds via
957 RADIUS. The subsections define so called authentication profiles
958 with arbitrary names. In each profile section one or more XAuth
959 types can be configured, with an assigned message. For each type
960 a separate XAuth exchange will be initiated and all replies get
961 concatenated into the User-Password attribute, which then gets
962 verified over RADIUS.
963
964 Available XAuth types are password, passcode, nextpin, and
965 answer. This type is not relevant to strongSwan or the AAA
966 server, but the client may show a different dialog (along with
967 the configured message).
968
969 To use the configured profiles, they have to be configured in
970 the respective connection in ipsec.conf(5) by appending the pro‐
971 file name, separated by a colon, to the xauth-radius XAauth
972 backend configuration in rightauth or rightauth2, for instance,
973 rightauth2=xauth-radius:profile.
974
975
976
977 charon.plugins.eap-sim.request_identity [yes]
978
979 charon.plugins.eap-simaka-sql.database []
980
981 charon.plugins.eap-simaka-sql.remove_used [no]
982
983 charon.plugins.eap-tls.fragment_size [1024]
984 Maximum size of an EAP-TLS packet.
985
986
987 charon.plugins.eap-tls.include_length [yes]
988 Include length in non-fragmented EAP-TLS packets.
989
990
991 charon.plugins.eap-tls.max_message_count [32]
992 Maximum number of processed EAP-TLS packets (0 = no limit).
993
994
995 charon.plugins.eap-tnc.max_message_count [10]
996 Maximum number of processed EAP-TNC packets (0 = no limit).
997
998
999 charon.plugins.eap-tnc.protocol [tnccs-2.0]
1000 IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
1001 tnccs-dynamic).
1002
1003
1004
1005 charon.plugins.eap-ttls.fragment_size [1024]
1006 Maximum size of an EAP-TTLS packet.
1007
1008
1009 charon.plugins.eap-ttls.include_length [yes]
1010 Include length in non-fragmented EAP-TTLS packets.
1011
1012
1013 charon.plugins.eap-ttls.max_message_count [32]
1014 Maximum number of processed EAP-TTLS packets (0 = no limit).
1015
1016
1017 charon.plugins.eap-ttls.phase2_method [md5]
1018 Phase2 EAP client authentication method.
1019
1020
1021 charon.plugins.eap-ttls.phase2_piggyback [no]
1022 Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
1024
1025
1026 charon.plugins.eap-ttls.phase2_tnc [no]
1027 Start phase2 EAP TNC protocol after successful client authentication.
1029
1030
1031 charon.plugins.eap-ttls.phase2_tnc_method [pt]
1032 Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc).
1034
1035
1036
1037 charon.plugins.eap-ttls.request_peer_auth [no]
1038 Request peer authentication based on a client certificate.
1039
1040
1041 charon.plugins.error-notify.socket [unix://${piddir}/charon.enfy]
1042 Socket provided by the error-notify plugin.
1043
1044
1045 charon.plugins.ext-auth.script []
1046 Command to pass to the system shell for peer authorization.
1047 Authorization is considered successful if the command executes
1048 normally with an exit code of zero. For all other exit codes
1049 IKE_SA authorization is rejected.
1050
1051 The following environment variables get passed to the script:
1052 IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
1053 IKE_NAME: The peer configuration connection name.
1054 IKE_LOCAL_HOST: Local IKE IP address.
1055 IKE_REMOTE_HOST: Remote IKE IP address.
1056 IKE_LOCAL_ID: Local IKE identity.
1057 IKE_REMOTE_ID: Remote IKE identity.
1058 IKE_REMOTE_EAP_ID: Remote EAP or XAuth identity, if used.
1059
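The ext-auth hook described above, as an added example (not part of strongSwan): a Python script that charon starts via the system shell, reads the documented IKE_* environment variables and reports its decision through the exit code. The connection names, the identity patterns and the fail-closed policy are constructed for the example and are not a real deployment's rules; the file path under which the script is installed is likewise an assumption.

```python
#!/usr/bin/env python3
"""Peer-authorization hook for charon.plugins.ext-auth.script.

Added example, not strongSwan code.  charon runs the configured command
through the system shell with the IKE_* variables from the man page in
the environment; exit status 0 authorizes the IKE_SA, any other status
rejects it.  The allow-list below is constructed for this example.
"""
import os
import re
import sys

# Constructed policy: connection name -> regex the remote identity must match.
ALLOWED_REMOTE_IDS = {
    "rw-employees": re.compile(r"^[a-z0-9._-]+@example\.org$"),
    "site-to-site": re.compile(r"^C=CH, O=Example, CN=gw\d+\.example\.org$"),
}


def authorize(env: dict) -> int:
    """Return the exit code charon should see: 0 = authorized, 1 = rejected.

    Only variables documented for ext-auth are consulted.  An EAP/XAuth
    identity (IKE_REMOTE_EAP_ID) takes precedence over the IKE identity,
    since that is the identity the AAA backend actually verified.
    """
    name = env.get("IKE_NAME", "")
    remote_id = env.get("IKE_REMOTE_EAP_ID") or env.get("IKE_REMOTE_ID", "")
    pattern = ALLOWED_REMOTE_IDS.get(name)
    if pattern is None:
        return 1          # unknown connection: fail closed
    if not pattern.match(remote_id):
        return 1          # identity not permitted on this connection
    return 0


def main() -> None:
    rc = authorize(os.environ)
    # Log to stderr so the decision shows up next to charon's own output.
    print("ext-auth: IKE_SA %s %s" % (os.environ.get("IKE_UNIQUE_ID", "?"),
                                       "authorized" if rc == 0 else "rejected"),
          file=sys.stderr)
    sys.exit(rc)


if __name__ == "__main__":
    main()
```

Install the file somewhere only root can write, make it executable, and point charon.plugins.ext-auth.script at its path; because the command is run by the system shell, the path must not contain shell metacharacters.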
1060 charon.plugins.forecast.groups
1061 [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]
1062 Comma separated list of multicast groups to join locally. The
1063 local host receives and forwards packets in the local LAN for
1064 joined multicast groups only. Packets matching the list of multicast groups get forwarded to connected clients. The default
1066 group includes host multicasts, IGMP, mDNS, LLMNR and
1067 SSDP/WS-Discovery, and is usually a good choice for Windows
1068 clients.
1069
1070
1071 charon.plugins.forecast.interface []
1072 Name of the local interface to listen on for broadcast messages to
1073 forward. If no interface is configured, the first usable interface is used, which is usually just fine for single-homed hosts.
1075 If your host has multiple interfaces, set this option to the
1076 local LAN interface you want to forward broadcasts from/to.
1077
1078
1079 charon.plugins.forecast.reinject []
1080 Comma separated list of CHILD_SA configuration names for which
1081 to perform multi/broadcast reinjection. For clients connecting
1082 over such a configuration, any multi/broadcast received over the
1083 tunnel gets reinjected to all active tunnels. This makes the
1084 broadcasts visible to other peers, and for example allows
1085 clients to see others' shares. If disabled, multi/broadcast messages received over a tunnel are injected to the local network
1087 only, but not to other IPsec clients.
1088
1089
1090 charon.plugins.gcrypt.quick_random [no]
1091 Use faster random numbers in gcrypt; for testing only, produces
1092 weak keys!
1093
1094
1095 charon.plugins.ha.autobalance [0]
1096 Interval in seconds to automatically balance handled segments
1097 between nodes. Set to 0 to disable.
1098
1099
1100 charon.plugins.ha.fifo_interface [yes]
1101
1102 charon.plugins.ha.heartbeat_delay [1000]
1103
1104 charon.plugins.ha.heartbeat_timeout [2100]
1105
1106 charon.plugins.ha.local []
1107
1108 charon.plugins.ha.monitor [yes]
1109
1110 charon.plugins.ha.pools []
1111
1112 charon.plugins.ha.remote []
1113
1114 charon.plugins.ha.resync [yes]
1115
1116 charon.plugins.ha.secret []
1117
1118 charon.plugins.ha.segment_count [1]
1119
1120 charon.plugins.ipseckey.enable [no]
1121 Enable fetching of IPSECKEY RRs via DNS.
1122
1123
1124 charon.plugins.kernel-libipsec.allow_peer_ts [no]
1125 Allow the remote traffic selector to equal the IKE peer's address. The
1126 route installed for such traffic (via TUN device) usually prevents further IKE traffic. The fwmark options for the kernel-netlink and socket-default plugins can be used to circumvent
1129 that problem.
1130
1131
1132 charon.plugins.kernel-netlink.buflen [<min(PAGE_SIZE, 8192)>]
1133 Buffer size for received Netlink messages.
1134
1135
1136 charon.plugins.kernel-netlink.force_receive_buffer_size [no]
1137 If the maximum Netlink socket receive buffer in bytes set by
1138 receive_buffer_size exceeds the system-wide maximum from
1139 /proc/sys/net/core/rmem_max, this option can be used to override
1140 the limit. Enabling this option requires special privileges
1141 (CAP_NET_ADMIN).
1142
1143
1144 charon.plugins.kernel-netlink.fwmark []
1145 Firewall mark to set on the routing rule that directs traffic to
1146 our routing table. The format is [!]mark[/mask], where the
1147 optional exclamation mark inverts the meaning (i.e. the rule
1148 only applies to packets that don't match the mark).
1149
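A parser and matcher for the [!]mark[/mask] format that both charon.plugins.kernel-netlink.fwmark and charon.plugins.socket-default.fwmark accept, as an added example that is not strongSwan code. The inversion semantics follow the man page text above; the assumptions are that a missing mask means all 32 bits are compared and that values are written in decimal or 0x-hex.

```python
"""Parse and evaluate '[!]mark[/mask]' firewall mark specifications.

Added example, not strongSwan code.  The optional '!' inverts the match
as described for kernel-netlink.fwmark; the default mask of all ones and
the accepted number formats (decimal or 0x-prefixed hex) are assumptions.
"""
from dataclasses import dataclass

MARK_BITS = 0xFFFFFFFF   # Linux packet marks are 32-bit values


@dataclass(frozen=True)
class FwMark:
    mark: int
    mask: int
    invert: bool

    def matches(self, packet_mark: int) -> bool:
        """True if the routing rule applies to a packet carrying packet_mark."""
        hit = (packet_mark & self.mask) == (self.mark & self.mask)
        return (not hit) if self.invert else hit


def parse_fwmark(spec: str) -> FwMark:
    """Parse '[!]mark[/mask]'; raises ValueError on malformed input."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty fwmark specification")
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:]
    mark_s, sep, mask_s = spec.partition("/")
    mark = int(mark_s, 0)                       # base 0: accepts 42 and 0x2a
    mask = int(mask_s, 0) if sep else MARK_BITS
    for value in (mark, mask):
        if not 0 <= value <= MARK_BITS:
            raise ValueError("mark and mask must fit in 32 bits")
    return FwMark(mark, mask, invert)
```

With an inverted spec such as !0x2a the rule that steers traffic into charon's routing table applies to every packet except those carrying the mark, which is the mechanism the kernel-libipsec entry above refers to.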
1150
1151 charon.plugins.kernel-netlink.ignore_retransmit_errors [no]
1152 Whether to ignore errors potentially resulting from a retransmission.
1154
1155
1156 charon.plugins.kernel-netlink.mss [0]
1157 MSS to set on installed routes, 0 to disable.
1158
1159
1160 charon.plugins.kernel-netlink.mtu [0]
1161 MTU to set on installed routes, 0 to disable.
1162
1163
1164 charon.plugins.kernel-netlink.parallel_route [no]
1165 Whether to perform concurrent Netlink ROUTE queries on a single
1166 socket. While parallel queries can improve throughput, it has
1167 more overhead. On vanilla Linux, DUMP queries fail with EBUSY
1168 and must be retried, further decreasing performance.
1169
1170
1171 charon.plugins.kernel-netlink.parallel_xfrm [no]
1172 Whether to perform concurrent Netlink XFRM queries on a single
1173 socket.
1174
1175
1176 charon.plugins.kernel-netlink.policy_update [no]
1177 Whether to always use XFRM_MSG_UPDPOLICY to install policies.
1178
1179
1180 charon.plugins.kernel-netlink.port_bypass [no]
1181 Whether to use port or socket based IKE XFRM bypass policies.
1182 IKE bypass policies are used to exempt IKE traffic from XFRM
1183 processing. The default socket based policies are directly tied
1184 to the IKE UDP sockets, port based policies use global XFRM
1185 bypass policies for the used IKE UDP ports.
1186
1187
1188 charon.plugins.kernel-netlink.process_rules [no]
1189 Whether to process changes in routing rules to trigger roam
1190 events. This is currently only useful if the kernel based route
1191 lookup is used (i.e. if route installation is disabled or an
1192 inverted fwmark match is configured).
1193
1194
1195 charon.plugins.kernel-netlink.receive_buffer_size [0]
1196 Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a
1198 Netlink socket. The default value is set by
1199 /proc/sys/net/core/rmem_default. The specified value cannot
1200 exceed the system-wide maximum from /proc/sys/net/core/rmem_max,
1201 unless force_receive_buffer_size is enabled.
1202
1203
1204 charon.plugins.kernel-netlink.retries [0]
1205 Number of Netlink message retransmissions to send on timeout.
1206
1207
1208 charon.plugins.kernel-netlink.roam_events [yes]
1209 Whether to trigger roam events when interfaces, addresses or
1210 routes change.
1211
1212
1213 charon.plugins.kernel-netlink.set_proto_port_transport_sa [no]
1214 Whether to set protocol and ports in the selector installed on
1215 transport mode IPsec SAs in the kernel. While doing so enforces
1216 policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector.
1218
1219
1220 charon.plugins.kernel-netlink.spdh_thresh
1221 XFRM policy hashing threshold configuration for IPv4 and IPv6.
1222
1223 The section defines hashing thresholds to configure in the kernel during daemon startup. Each address family takes a threshold
1225 for the local subnet of an IPsec policy (src in out-policies,
1226 dst in in- and forward-policies) and the remote subnet (dst in
1227 out-policies, src in in- and forward-policies).
1228
1229 If the subnet has more or equal net bits than the threshold, the
1230 first threshold bits are used to calculate a hash to lookup the
1231 policy.
1232
1233 Policy hashing thresholds are not supported before Linux 3.18
1234 and might conflict with socket policies before Linux 4.8.
1235
1236
1237 charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits [32]
1238 Local subnet XFRM policy hashing threshold for IPv4.
1239
1240
1241 charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits [32]
1242 Remote subnet XFRM policy hashing threshold for IPv4.
1243
1244
1245 charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits [128]
1246 Local subnet XFRM policy hashing threshold for IPv6.
1247
1248
1249 charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits [128]
1250 Remote subnet XFRM policy hashing threshold for IPv6.
1251
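To make the threshold rule above concrete, here is an added example (not strongSwan code) that models which part of a policy subnet the kernel hashes on: a subnet whose prefix length is at least the threshold is keyed by its first threshold bits, a shorter one is not hashed. The mapping of local/remote to src/dst per policy direction is taken from the section text; the requirement that both subnets of a policy meet their thresholds for the policy to be hash-indexed at all is an assumption about the Linux XFRM implementation, and the "hash key" is modelled as the masked network, not the kernel's actual hash function.

```python
"""Model of XFRM policy hashing thresholds (kernel-netlink.spdh_thresh).

Added example, not strongSwan code.  hash_key() implements the man page
rule; is_hashed() assumes (Linux XFRM behaviour, not stated on the page)
that a policy is hash-indexed only when both of its subnets meet their
thresholds and otherwise lands on the linearly scanned inexact list.
"""
import ipaddress
from typing import Optional

# Defaults from the man page: only host addresses are hashed.
DEFAULT_THRESH = {4: {"lbits": 32, "rbits": 32}, 6: {"lbits": 128, "rbits": 128}}


def hash_key(subnet: str, thresh_bits: int) -> Optional[str]:
    """Prefix used as hash key, or None if the subnet has fewer net bits than the threshold."""
    net = ipaddress.ip_network(subnet, strict=False)
    if not 0 <= thresh_bits <= net.max_prefixlen:
        raise ValueError("threshold exceeds address family width")
    if net.prefixlen < thresh_bits:
        return None
    # Only the first thresh_bits bits contribute; mask the rest off.
    key = type(net)((int(net.network_address), thresh_bits), strict=False)
    return str(key)


def policy_keys(local: str, remote: str, thresh=DEFAULT_THRESH) -> dict:
    """Hash keys for the out-policy (src=local, dst=remote) and for the
    in/forward policies (src=remote, dst=local) of one CHILD_SA."""
    fam = ipaddress.ip_network(local, strict=False).version
    t = thresh[fam]
    return {
        "out": (hash_key(local, t["lbits"]), hash_key(remote, t["rbits"])),
        "in/fwd": (hash_key(remote, t["rbits"]), hash_key(local, t["lbits"])),
    }


def is_hashed(local: str, remote: str, thresh=DEFAULT_THRESH) -> bool:
    """Assumption: a policy is hash-indexed only if both subnets meet their thresholds."""
    out_src, out_dst = policy_keys(local, remote, thresh)["out"]
    return out_src is not None and out_dst is not None
```

With the defaults, a road-warrior policy between a virtual IP (/32) and a /16 site subnet is not hashed at all; lowering rbits for IPv4 to 16 makes it hash-indexed, which is the kind of tuning this section is for.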
1252
1253 charon.plugins.kernel-netlink.timeout [0]
1254 Netlink message retransmission timeout, 0 to disable retransmissions.
1256
1257
1258 charon.plugins.kernel-netlink.xfrm_acq_expires [165]
1259 Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to
1261 /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the
1262 delay between XFRM acquire messages triggered by the kernel for
1263 a trap policy. The same value is used as timeout for SPIs allocated by the kernel. The default value equals the total
1265 retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION in strongswan.conf(5).
1267
1268
1269
1270 charon.plugins.kernel-pfkey.events_buffer_size [0]
1271 Size of the receive buffer for the event socket (0 for default
1272 size). Because events are received asynchronously, installing
1273 e.g. lots of policies may require a larger buffer than the
1274 default on certain platforms in order to receive all messages.
1275
1276
1277 charon.plugins.kernel-pfkey.route_via_internal [no]
1278 Whether to use the internal or external interface in installed
1279 routes. The internal interface is the one where the IP address
1280 contained in the local traffic selector is located, the external
1281 interface is the one over which the destination address of the
1282 IPsec tunnel can be reached. This is not relevant if virtual IPs
1283 are used, for which a TUN device is created that's used in the
1284 routes.
1285
1286
1287 charon.plugins.kernel-pfroute.vip_wait [1000]
1288 Time in ms to wait until virtual IP addresses appear/disappear
1289 before failing.
1290
1291
1292 charon.plugins.led.activity_led []
1293
1294 charon.plugins.led.blink_time [50]
1295
1296 charon.plugins.load-tester
1297 Section to configure the load-tester plugin, see LOAD TESTS in
1298 strongswan.conf(5) for details.
1299
1300
1301 charon.plugins.load-tester.addrs
1302 Section that contains key/value pairs with address pools (in
1303 CIDR notation) to use for a specific network interface e.g. eth0
1304 = 10.10.0.0/16.
1305
1306
1307 charon.plugins.load-tester.addrs_keep [no]
1308 Whether to keep dynamic addresses even after the associated SA
1309 got terminated.
1310
1311
1312 charon.plugins.load-tester.addrs_prefix [16]
1313 Network prefix length to use when installing dynamic addresses.
1314 If set to -1 the full address is used (i.e. 32 or 128).
1315
1316
1317 charon.plugins.load-tester.ca_dir []
1318 Directory to load (intermediate) CA certificates from.
1319
1320
1321 charon.plugins.load-tester.child_rekey [600]
1322 Seconds to start CHILD_SA rekeying after setup.
1323
1324
1325 charon.plugins.load-tester.crl []
1326 URI to a CRL to include as certificate distribution point in
1327 generated certificates.
1328
1329
1330 charon.plugins.load-tester.delay [0]
1331 Delay between initiations for each thread.
1332
1333
1334 charon.plugins.load-tester.delete_after_established [no]
1335 Delete an IKE_SA as soon as it has been established.
1336
1337
1338 charon.plugins.load-tester.digest [sha1]
1339 Digest algorithm used when issuing certificates.
1340
1341
1342 charon.plugins.load-tester.dpd_delay [0]
1343 DPD delay to use in load test.
1344
1345
1346 charon.plugins.load-tester.dynamic_port [0]
1347 Base port to be used for requests (each client uses a different
1348 port).
1349
1350
1351 charon.plugins.load-tester.eap_password [default-pwd]
1352 EAP secret to use in load test.
1353
1354
1355 charon.plugins.load-tester.enable [no]
1356 Enable the load testing plugin. WARNING: Never enable this
1357 plugin on productive systems. It provides preconfigured credentials and allows an attacker to authenticate as any user.
1359
1360
1361 charon.plugins.load-tester.esp [aes128-sha1]
1362 CHILD_SA proposal to use for load tests.
1363
1364
1365 charon.plugins.load-tester.fake_kernel [no]
1366 Fake the kernel interface to allow load-testing against self.
1367
1368
1369 charon.plugins.load-tester.ike_rekey [0]
1370 Seconds to start IKE_SA rekeying after setup.
1371
1372
1373 charon.plugins.load-tester.init_limit [0]
1374 Global limit of concurrently established SAs during load test.
1375
1376
1377 charon.plugins.load-tester.initiator [0.0.0.0]
1378 Address to initiate from.
1379
1380
1381 charon.plugins.load-tester.initiator_auth [pubkey]
1382 Authentication method(s) the initiator uses.
1383
1384
1385 charon.plugins.load-tester.initiator_id []
1386 Initiator ID used in load test.
1387
1388
1389 charon.plugins.load-tester.initiator_match []
1390 Initiator ID to match against as responder.
1391
1392
1393 charon.plugins.load-tester.initiator_tsi []
1394 Traffic selector on initiator side, as proposed by initiator.
1395
1396
1397 charon.plugins.load-tester.initiator_tsr []
1398 Traffic selector on responder side, as proposed by initiator.
1399
1400
1401 charon.plugins.load-tester.initiators [0]
1402 Number of concurrent initiator threads to use in load test.
1403
1404
1405 charon.plugins.load-tester.issuer_cert []
1406 Path to the issuer certificate (if not configured a hard-coded
1407 default value is used).
1408
1409
1410 charon.plugins.load-tester.issuer_key []
1411 Path to private key that is used to issue certificates (if not
1412 configured a hard-coded default value is used).
1413
1414
1415 charon.plugins.load-tester.iterations [1]
1416 Number of IKE_SAs to initiate by each initiator in load test.
1417
1418
1419 charon.plugins.load-tester.mode [tunnel]
1420 IPsec mode to use, one of tunnel, transport, or beet.
1421
1422
1423
1424 charon.plugins.load-tester.pool []
1425 Provide INTERNAL_IPV4_ADDRs from a named pool.
1426
1427
1428 charon.plugins.load-tester.preshared_key [<default-psk>]
1429 Preshared key to use in load test.
1430
1431
1432 charon.plugins.load-tester.proposal [aes128-sha1-modp768]
1433 IKE proposal to use in load test.
1434
1435
1436 charon.plugins.load-tester.request_virtual_ip [no]
1437 Request an INTERNAL_IPV4_ADDR from the server.
1438
1439
1440 charon.plugins.load-tester.responder [127.0.0.1]
1441 Address to initiate connections to.
1442
1443
1444 charon.plugins.load-tester.responder_auth [pubkey]
1445 Authentication method(s) the responder uses.
1446
1447
1448 charon.plugins.load-tester.responder_id []
1449 Responder ID used in load test.
1450
1451
1452 charon.plugins.load-tester.responder_tsi [initiator_tsi]
1453 Traffic selector on initiator side, as narrowed by responder.
1454
1455
1456 charon.plugins.load-tester.responder_tsr [initiator_tsr]
1457 Traffic selector on responder side, as narrowed by responder.
1458
1459
1460 charon.plugins.load-tester.shutdown_when_complete [no]
1461 Shutdown the daemon after all IKE_SAs have been established.
1462
1463
1464 charon.plugins.load-tester.socket [unix://${piddir}/charon.ldt]
1465 Socket provided by the load-tester plugin.
1466
1467
1468 charon.plugins.load-tester.version [0]
1469 IKE version to use (0 means use IKEv2 as initiator and accept
1470 any version as responder).
1471
1472
1473 charon.plugins.lookip.socket [unix://${piddir}/charon.lkp]
1474 Socket provided by the lookip plugin.
1475
1476
1477 charon.plugins.ntru.max_drbg_requests [4294967294]
1478 Number of pseudo-random bit requests from the DRBG before an
1479 automatic reseeding occurs.
1480
1481
1482 charon.plugins.ntru.parameter_set [optimum]
1483 The following parameter sets are available: x9_98_speed,
1484 x9_98_bandwidth, x9_98_balance and optimum, the last set not
1485 being part of the X9.98 standard but having the best performance.
1487
1488
1489 charon.plugins.openssl.engine_id [pkcs11]
1490 ENGINE ID to use in the OpenSSL plugin.
1491
1492
1493 charon.plugins.openssl.fips_mode [0]
1494 Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B
1495 enabled(2).
1496
1497
1498 charon.plugins.osx-attr.append [yes]
1499 Whether DNS servers are appended to existing entries, instead of
1500 replacing them.
1501
1502
1503 charon.plugins.p-cscf.enable
1504 Section to enable requesting P-CSCF server addresses for individual connections.
1506
1507
1508 charon.plugins.p-cscf.enable.<conn> [no]
1509 <conn> is the name of a connection with an ePDG from which to
1510 request P-CSCF server addresses. Requests will be sent for
1511 addresses of the same families for which internal IPs are
1512 requested.
1513
1514
1515 charon.plugins.pkcs11.modules
1516 List of available PKCS#11 modules.
1517
1518
1519 charon.plugins.pkcs11.modules.<name>.load_certs [yes]
1520 Whether to automatically load certificates from tokens.
1521
1522
1523 charon.plugins.pkcs11.modules.<name>.os_locking [no]
1524 Whether OS locking should be enabled for this module.
1525
1526
1527 charon.plugins.pkcs11.modules.<name>.path []
1528 Full path to the shared object file of this PKCS#11 module.
1529
1530
1531 charon.plugins.pkcs11.reload_certs [no]
1532 Reload certificates from all tokens if charon receives a SIGHUP.
1533
1534
1535 charon.plugins.pkcs11.use_dh [no]
1536 Whether the PKCS#11 modules should be used for DH and ECDH (see
1537 use_ecc option).
1538
1539
1540 charon.plugins.pkcs11.use_ecc [no]
1541 Whether the PKCS#11 modules should be used for ECDH and ECDSA
1542 public key operations. ECDSA private keys can be used regardless
1543 of this option.
1544
1545
1546 charon.plugins.pkcs11.use_hasher [no]
1547 Whether the PKCS#11 modules should be used to hash data.
1548
1549
1550 charon.plugins.pkcs11.use_pubkey [no]
1551 Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens.
1553
1554
1555 charon.plugins.pkcs11.use_rng [no]
1556 Whether the PKCS#11 modules should be used as RNG.
1557
1558
1559 charon.plugins.radattr.dir []
1560 Directory where RADIUS attributes are stored in client-ID specific files.
1562
1563
1564 charon.plugins.radattr.message_id [-1]
1565 Attributes are added to all IKE_AUTH messages by default (-1),
1566 or only to the IKE_AUTH message with the given IKEv2 message ID.
1567
1568
1569 charon.plugins.random.random [${random_device}]
1570 File to read random bytes from.
1571
1572
1573 charon.plugins.random.strong_equals_true [no]
1574 If set to yes the RNG_STRONG class reads random bytes from the
1575 same source as the RNG_TRUE class.
1576
1577
1578 charon.plugins.random.urandom [${urandom_device}]
1579 File to read pseudo random bytes from.
1580
1581
1582 charon.plugins.resolve.file [/etc/resolv.conf]
1583 File where to add DNS server entries.
1584
1585
1586 charon.plugins.resolve.resolvconf.iface_prefix [lo.inet.ipsec.]
1587 Prefix used for interface names sent to resolvconf(8). The
1588 nameserver address is appended to this prefix to make it unique.
1589 The result has to be a valid interface name according to the
1590 rules defined by resolvconf. Also, it should have a high priority according to the order defined in interface-order(5).
1592
1593
1594
1595 charon.plugins.revocation.enable_crl [yes]
1596 Whether CRL validation should be enabled.
1597
1598
1599 charon.plugins.revocation.enable_ocsp [yes]
1600 Whether OCSP validation should be enabled.
1601
1602
1603 charon.plugins.save-keys.esp [no]
1604 Whether to save ESP keys.
1605
1606
1607 charon.plugins.save-keys.ike [no]
1608 Whether to save IKE keys.
1609
1610
1611 charon.plugins.save-keys.load [no]
1612 Whether to load the plugin.
1613
1614
1615 charon.plugins.save-keys.wireshark_keys []
1616 Directory where the keys are stored in the format supported by
1617 Wireshark. IKEv1 keys are stored in the ikev1_decryption_table
1618 file. IKEv2 keys are stored in the ikev2_decryption_table file.
1619 Keys for ESP CHILD_SAs are stored in the esp_sa file.
1620
1621
1622 charon.plugins.socket-default.fwmark []
1623 Firewall mark to set on outbound packets.
1624
1625
1626 charon.plugins.socket-default.set_source [yes]
1627 Set source address on outbound packets, if possible.
1628
1629
1630 charon.plugins.socket-default.set_sourceif [no]
1631 Force sending interface on outbound packets, if possible. This
1632 allows using IPv6 link-local addresses as tunnel endpoints.
1633
1634
1635 charon.plugins.socket-default.use_ipv4 [yes]
1636 Listen on IPv4, if possible.
1637
1638
1639 charon.plugins.socket-default.use_ipv6 [yes]
1640 Listen on IPv6, if possible.
1641
1642
1643 charon.plugins.sql.database []
1644 Database URI for charon's SQL plugin. If it contains a password,
1645 make sure to adjust the permissions of the config file accordingly.
1647
1648
1649 charon.plugins.sql.loglevel [-1]
1650 Loglevel for logging to SQL database.
1651
1652
1653 charon.plugins.stroke.allow_swap [yes]
1654 Analyze addresses/hostnames in left|right to detect which side
1655 is local and swap configuration options if necessary. If disabled, left is always local.
1657
1658
1659
1660 charon.plugins.stroke.ignore_missing_ca_basic_constraint [no]
1661 Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections
1662 as CA certificates even if they don't contain a CA basic constraint.
1664
1665
1666 charon.plugins.stroke.max_concurrent [4]
1667 Maximum number of stroke messages handled concurrently.
1668
1669
1670 charon.plugins.stroke.prevent_loglevel_changes [no]
1671 If enabled log level changes via stroke socket are not allowed.
1672
1673
1674 charon.plugins.stroke.secrets_file [${sysconfdir}/ipsec.secrets]
1675 Location of the ipsec.secrets file.
1676
1677
1678 charon.plugins.stroke.socket [unix://${piddir}/charon.ctl]
1679 Socket provided by the stroke plugin.
1680
1681
1682 charon.plugins.stroke.timeout [0]
1683 Timeout in ms for any stroke command. Use 0 to disable the timeout.
1685
1686
1687 charon.plugins.systime-fix.interval [0]
1688 Interval in seconds to check system time for validity. 0 disables the check.
1690
1691
1692 charon.plugins.systime-fix.reauth [no]
1693 Whether to use reauth or delete if an invalid cert lifetime is
1694 detected.
1695
1696
1697 charon.plugins.systime-fix.threshold []
1698 Threshold date where system time is considered valid. Disabled
1699 if not specified.
1700
1701
1702 charon.plugins.systime-fix.threshold_format [%Y]
1703 strptime(3) format used to parse threshold option.
1704
1705
1706 charon.plugins.systime-fix.timeout [0s]
1707 How long to wait for a valid system time if an interval is configured. 0 to recheck indefinitely.
1709
1710
1711 charon.plugins.tnc-ifmap.client_cert []
1712 Path to X.509 certificate file of IF-MAP client.
1713
1714
1715 charon.plugins.tnc-ifmap.client_key []
1716 Path to private key file of IF-MAP client.
1717
1718
1719 charon.plugins.tnc-ifmap.device_name []
1720 Unique name of strongSwan server as a PEP and/or PDP device.
1721
1722
1723 charon.plugins.tnc-ifmap.renew_session_interval [150]
1724 Interval in seconds between periodic IF-MAP RenewSession
1725 requests.
1726
1727
1728 charon.plugins.tnc-ifmap.server_cert []
1729 Path to X.509 certificate file of IF-MAP server.
1730
1731
1732 charon.plugins.tnc-ifmap.server_uri [https://localhost:8444/imap]
1733 URI of the form [https://]servername[:port][/path].
1734
1735
1736 charon.plugins.tnc-ifmap.username_password []
1737 Credentials of IF-MAP client of the form username:password. If
1738 set, make sure to adjust the permissions of the config file
1739 accordingly.
1740
1741
1742 charon.plugins.tnc-imc.dlclose [yes]
1743 Unload IMC after use.
1744
1745
1746 charon.plugins.tnc-imc.preferred_language [en]
1747 Preferred language for TNC recommendations.
1748
1749
1750 charon.plugins.tnc-imv.dlclose [yes]
1751 Unload IMV after use.
1752
1753
1754 charon.plugins.tnc-imv.recommendation_policy [default]
1755 TNC recommendation policy, one of default, any, or all.
1756
1757
1758
1759 charon.plugins.tnc-pdp.pt_tls.enable [yes]
1760 Enable PT-TLS protocol on the strongSwan PDP.
1761
1762
1763 charon.plugins.tnc-pdp.pt_tls.port [271]
1764 PT-TLS server port the strongSwan PDP is listening on.
1765
1766
1767 charon.plugins.tnc-pdp.radius.enable [yes]
1768 Enable RADIUS protocol on the strongSwan PDP.
1769
1770
1771 charon.plugins.tnc-pdp.radius.method [ttls]
1772 EAP tunnel method to be used.
1773
1774
1775 charon.plugins.tnc-pdp.radius.port [1812]
1776 RADIUS server port the strongSwan PDP is listening on.
1777
1778
1779 charon.plugins.tnc-pdp.radius.secret []
1780 Shared RADIUS secret between strongSwan PDP and NAS. If set,
1781 make sure to adjust the permissions of the config file accordingly.
1783
1784
1785 charon.plugins.tnc-pdp.server []
1786 Name of the strongSwan PDP as contained in the AAA certificate.
1787
1788
1789 charon.plugins.tnc-pdp.timeout []
1790 Timeout in seconds before closing incomplete connections.
1791
1792
1793 charon.plugins.tnccs-11.max_message_size [45000]
1794 Maximum size of a PA-TNC message (XML & Base64 encoding).
1795
1796
1797 charon.plugins.tnccs-20.max_batch_size [65522]
1798 Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
1799
1800
1801 charon.plugins.tnccs-20.max_message_size [65490]
1802 Maximum size of a PA-TNC message (upper limit via PT-EAP =
1803 65497).
1804
1805
1806 charon.plugins.tnccs-20.mutual [no]
1807 Enable PB-TNC mutual protocol.
1808
1809
1810 charon.plugins.tnccs-20.tests.pb_tnc_noskip [no]
1811 Send an unsupported PB-TNC message type with the NOSKIP flag
1812 set.
1813
1814
1815 charon.plugins.tnccs-20.tests.pb_tnc_version [2]
1816 Send a PB-TNC batch with a modified PB-TNC version.
1817
1818
1819 charon.plugins.tpm.fips_186_4 [no]
1820 Whether the TPM 2.0 is FIPS-186-4 compliant, which forces e.g. the
1821 use of the default salt length instead of the maximum salt length
1822 with RSAPSS padding.
1823
1824
1825 charon.plugins.tpm.tcti.name [device|tabrmd]
1826 Name of TPM 2.0 TCTI library. Valid values: tabrmd, device or
1827 mssim. Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0
1828 resource manager device exists, and tabrmd otherwise, requiring
1829 the d-bus based TPM 2.0 access broker and resource manager to be
1830 available.
1831
1832
1833 charon.plugins.tpm.tcti.opts [/dev/tpmrm0|<none>]
1834 Options for the TPM 2.0 TCTI library. Defaults are /dev/tpmrm0
1835 if the TCTI library name is device and no options otherwise.
1836
1837
1838 charon.plugins.tpm.use_rng [no]
1839 Whether the TPM should be used as RNG.
1840
1841
1842 charon.plugins.unbound.dlv_anchors []
1843 File to read trusted keys for DLV (DNSSEC Lookaside Validation)
1844 from. It uses the same format as trust_anchors. Only one DLV
1845 can be configured, which is then used as a root trusted DLV,
1846 this means that it is a lookaside for the root.
1847
1848
1849 charon.plugins.unbound.resolv_conf [/etc/resolv.conf]
1850 File to read DNS resolver configuration from.
1851
1852
1853 charon.plugins.unbound.trust_anchors [/etc/ipsec.d/dnssec.keys]
1854 File to read DNSSEC trust anchors from (usually root zone KSK).
1855 The format of the file is the standard DNS Zone file format,
1856 anchors can be stored as DS or DNSKEY entries in the file.
1857
1858
1859 charon.plugins.updown.dns_handler [no]
1860 Whether the updown script should handle DNS servers assigned via
1861 IKEv1 Mode Config or IKEv2 Config Payloads (if enabled, they
1862 can't be handled by other plugins, like resolve).
1863
1864
1865 charon.plugins.vici.socket [unix://${piddir}/charon.vici]
1866 Socket the vici plugin serves clients.
1867
1868
1869 charon.plugins.whitelist.enable [yes]
1870 Enable loaded whitelist plugin.
1871
1872
1873 charon.plugins.whitelist.socket [unix://${piddir}/charon.wlst]
1874 Socket provided by the whitelist plugin.
1875
1876
1877 charon.plugins.xauth-eap.backend [radius]
1878 EAP plugin to be used as backend for XAuth credential verification.
1880
1881
1882 charon.plugins.xauth-pam.pam_service [login]
1883 PAM service to be used for authentication.
1884
1885
1886 charon.plugins.xauth-pam.session [no]
1887 Open/close a PAM session for each active IKE_SA.
1888
1889
1890 charon.plugins.xauth-pam.trim_email [yes]
1891 If an email address is received as an XAuth username, trim it to
1892 just the username part.
1893
1894
1895 charon.port [500]
1896 UDP port used locally. If set to 0 a random port will be allocated.
1898
1899
1900 charon.port_nat_t [4500]
1901 UDP port used locally in case of NAT-T. If set to 0 a random
1902 port will be allocated. Has to be different from charon.port,
1903 otherwise a random port will be allocated.
1904
1905
1906 charon.prefer_best_path [no]
1907 By default, charon keeps SAs on the routing path with addresses
1908 it previously used if that path is still usable. By setting this
1909 option to yes, it tries more aggressively to update SAs with
1910 MOBIKE on routing priority changes using the cheapest path. This
1911 adds more noise, but allows to dynamically adapt SAs to routing
1912 priority changes. This option has no effect if MOBIKE is not
1913 supported or disabled.
1914
1915
1916 charon.prefer_configured_proposals [yes]
1917 Prefer locally configured proposals for IKE/IPsec over supplied
1918 ones as responder (disabling this can avoid keying retries due
1919 to INVALID_KE_PAYLOAD notifies).
1920
1921
1922 charon.prefer_temporary_addrs [no]
1923 By default public IPv6 addresses are preferred over temporary
1924 ones (RFC 4941), to make connections more stable. Enable this
1925 option to reverse this.
1926
1927
1928 charon.process_route [yes]
1929 Process RTM_NEWROUTE and RTM_DELROUTE events.
1930
1931
1932 charon.processor.priority_threads
1933 Section to configure the number of reserved threads per priority
1934 class, see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
1935
1936
1937
1938 charon.receive_delay [0]
1939 Delay in ms for receiving packets, to simulate larger RTT.
1940
1941
1942 charon.receive_delay_request [yes]
1943 Delay request messages.
1944
1945
1946 charon.receive_delay_response [yes]
1947 Delay response messages.
1948
1949
1950 charon.receive_delay_type [0]
1951 Specific IKEv2 message type to delay, 0 for any.
1952
1953
1954 charon.replay_window [32]
1955 Size of the AH/ESP replay window, in packets.
1956
1957
1958 charon.retransmit_base [1.8]
1959 Base to use for calculating exponential back off, see IKEv2
1960 RETRANSMISSION in strongswan.conf(5).
1961
1962
1963
1964 charon.retransmit_jitter [0]
1965 Maximum jitter in percent to apply randomly to calculated
1966 retransmission timeout (0 to disable).
1967
1968
1969 charon.retransmit_limit [0]
1970 Upper limit in seconds for calculated retransmission timeout (0
1971 to disable).
1972
1973
1974 charon.retransmit_timeout [4.0]
1975 Timeout in seconds before sending first retransmit.
1976
1977
1978 charon.retransmit_tries [5]
1979 Number of times to retransmit a packet before giving up.
1980
1981
1982 charon.retry_initiate_interval [0]
1983 Interval in seconds to use when retrying to initiate an IKE_SA
1984 (e.g. if DNS resolution failed), 0 to disable retries.
1985
1986
1987 charon.reuse_ikesa [yes]
1988 Initiate CHILD_SA within existing IKE_SAs (always enabled for
1989 IKEv1).
1990
1991
1992 charon.routing_table []
1993 Numerical routing table to install routes to.
1994
1995
1996 charon.routing_table_prio []
1997 Priority of the routing table.
1998
1999
2000 charon.rsa_pss [no]
2001 Whether to use RSA with PSS padding instead of PKCS#1 padding by
2002 default.
2003
2004
2005 charon.send_delay [0]
2006 Delay in ms for sending packets, to simulate larger RTT.
2007
2008
2009 charon.send_delay_request [yes]
2010 Delay request messages.
2011
2012
2013 charon.send_delay_response [yes]
2014 Delay response messages.
2015
2016
2017 charon.send_delay_type [0]
2018 Specific IKEv2 message type to delay, 0 for any.
2019
2020
2021 charon.send_vendor_id [no]
2022 Send strongSwan vendor ID payload.
2023
2024
2025 charon.signature_authentication [yes]
2026 Whether to enable Signature Authentication as per RFC 7427.
2027
2028
2029 charon.signature_authentication_constraints [yes]
2030 If enabled, signature schemes configured in rightauth, in addition
2031 to getting used as constraints against signature schemes
2032 employed in the certificate chain, are also used as constraints
2033 against the signature scheme used by peers during IKEv2.
2034
2035
2036 charon.spi_max [0xcfffffff]
2037 The upper limit for SPIs requested from the kernel for IPsec
2038 SAs.
2039
2040
2041 charon.spi_min [0xc0000000]
2042 The lower limit for SPIs requested from the kernel for IPsec
2043 SAs. Should not be set lower than 0x00000100 (256), as SPIs
2044 between 1 and 255 are reserved by IANA.
2045
2046
2047 charon.start-scripts
2048 Section containing a list of scripts (name = path) that are
2049 executed when the daemon is started.
2050
2051
2052 charon.stop-scripts
2053 Section containing a list of scripts (name = path) that are
2054 executed when the daemon is terminated.
2055
2056
2057 charon.syslog
2058 Section to define syslog loggers, see LOGGER CONFIGURATION in
2059 strongswan.conf(5).
2060
2061
2062
2063 charon.syslog.<facility>
2064 <facility> is one of the supported syslog facilities, see LOGGER
2065 CONFIGURATION in strongswan.conf(5).
2066
2067
2068
2069 charon.syslog.<facility>.<subsystem> [<default>]
2070 Loglevel for a specific subsystem.
2071
2072
2073 charon.syslog.<facility>.default [1]
2074 Specifies the default loglevel to be used for subsystems for
2075 which no specific loglevel is defined.
2076
2077
2078 charon.syslog.<facility>.ike_name [no]
2079 Prefix each log entry with the connection name and a unique
2080 numerical identifier for each IKE_SA.
2081
2082
2083 charon.syslog.identifier []
2084 Global identifier used for an openlog(3) call, prepended to each
2085 log message by syslog. If not configured, openlog(3) is not
2086 called, so the value will depend on system defaults (often the
2087 program name).
2088
2089
2090 charon.threads [16]
2091 Number of worker threads in charon. Several of these are
2092 reserved for long running tasks in internal modules and plugins.
2093 Therefore, make sure you don't set this value too low. The
2094 number of idle worker threads listed in ipsec statusall might be
2095 used as an indicator of the number of reserved threads.
2096
2097
2098 charon.tls.cipher []
2099 List of TLS encryption ciphers.
2100
2101
2102 charon.tls.key_exchange []
2103 List of TLS key exchange methods.
2104
2105
2106 charon.tls.mac []
2107 List of TLS MAC algorithms.
2108
2109
2110 charon.tls.suites []
2111 List of TLS cipher suites.
2112
2113
2114 charon.tnc.tnc_config [/etc/tnc_config]
2115 TNC IMC/IMV configuration file.
2116
2117
2118 charon.user []
2119 Name of the user the daemon changes to after startup.
2120
2121
2122 charon.x509.enforce_critical [yes]
2123 Discard certificates with unsupported or unknown critical
2124 extensions.
2125
2126
2127 charon-nm.ca_dir [<default>]
2128 Directory from which to load CA certificates if no certificate
2129 is configured.
2130
2131
2132 charon-systemd.journal
2133 Section to configure native systemd journal logger, very similar
2134 to the syslog logger as described in LOGGER CONFIGURATION in
2135 strongswan.conf(5).
2136
2137
2138
2139 charon-systemd.journal.<subsystem> [<default>]
2140 Loglevel for a specific subsystem.
2141
2142
2143 charon-systemd.journal.default [1]
2144 Specifies the default loglevel to be used for subsystems for
2145 which no specific loglevel is defined.
2146
2147
2148 imv_policy_manager.command_allow []
2149 Shell command to be executed with recommendation allow.
2150
2151
2152 imv_policy_manager.command_block []
2153 Shell command to be executed with all other recommendations.
2154
2155
2156 imv_policy_manager.database []
2157 Database URI for the database that stores the package
2158 information. If it contains a password, make sure to adjust the
2159 permissions of the config file accordingly.
2160
2161
2162 imv_policy_manager.load [sqlite]
2163 Plugins to load in IMV policy manager.
2164
2165
2166 libimcv.debug_level [1]
2167 Debug level for a stand-alone libimcv library.
2168
2169
2170 libimcv.load [random nonce gmp pubkey x509]
2171 Plugins to load in IMC/IMVs with stand-alone libimcv library.
2172
2173
2174 libimcv.plugins.imc-attestation.aik_blob []
2175 AIK encrypted private key blob file.
2176
2177
2178 libimcv.plugins.imc-attestation.aik_cert []
2179 AIK certificate file.
2180
2181
2182 libimcv.plugins.imc-attestation.aik_handle []
2183 AIK object handle.
2184
2185
2186 libimcv.plugins.imc-attestation.aik_pubkey []
2187 AIK public key file.
2188
2189
2190 libimcv.plugins.imc-attestation.mandatory_dh_groups [yes]
2191 Enforce mandatory Diffie-Hellman groups.
2192
2193
2194 libimcv.plugins.imc-attestation.nonce_len [20]
2195 DH nonce length.
2196
2197
2198 libimcv.plugins.imc-attestation.pcr17_after []
2199 PCR17 value after measurement.
2200
2201
2202 libimcv.plugins.imc-attestation.pcr17_before []
2203 PCR17 value before measurement.
2204
2205
2206 libimcv.plugins.imc-attestation.pcr17_meas []
2207 Dummy measurement value extended into PCR17 if the TBOOT log is
2208 not available.
2209
2210
2211 libimcv.plugins.imc-attestation.pcr18_after []
2212 PCR18 value after measurement.
2213
2214
2215 libimcv.plugins.imc-attestation.pcr18_before []
2216 PCR18 value before measurement.
2217
2218
2219 libimcv.plugins.imc-attestation.pcr18_meas []
2220 Dummy measurement value extended into PCR18 if the TBOOT log is
2221 not available.
2222
2223
2224 libimcv.plugins.imc-attestation.pcr_info [no]
2225 Whether to send pcr_before and pcr_after info.
2226
2227
2228 libimcv.plugins.imc-attestation.use_quote2 [yes]
2229 Use Quote2 AIK signature instead of Quote signature.
2230
2231
2232 libimcv.plugins.imc-attestation.use_version_info [no]
2233 Version Info is included in Quote2 signature.
2234
2235
2236 libimcv.plugins.imc-hcd.push_info [yes]
2237 Send quadruple info without being prompted.
2238
2239
2240 libimcv.plugins.imc-hcd.subtypes []
2241 Section to define PWG HCD PA subtypes.
2242
2243
2244 libimcv.plugins.imc-hcd.subtypes.<section> []
2245 Defines a PWG HCD PA subtype section. Recognized subtype section
2246 names are system, control, marker, finisher, interface and
2247 scanner.
2248
2249
2250
2251 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> []
2252 Defines a software type section. Recognized software type
2253 section names are firmware, resident_application and
2254 user_application.
2255
2256
2257
2258 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> []
2259 Defines a software section having an arbitrary name.
2260
2261
2262 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name []
2263 Name of the software installed on the hardcopy device.
2264
2265
2266 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches []
2268 String describing all patches applied to the given software on
2269 this hardcopy device. The individual patches are separated by a
2270 newline character '\n'.
2271
2272
2273 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version []
2275 String describing the version of the given software on this
2276 hardcopy device.
2277
2278
2279 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version []
2281 Hex-encoded version string with a length of 16 octets consisting
2282 of the fields major version number (4 octets), minor version
2283 number (4 octets), build number (4 octets), service pack major
2284 number (2 octets) and service pack minor number (2 octets).
2285
2286
2287 libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language [en]
2289 Variable-length natural language tag conforming to RFC 5646 that
2290 specifies the language to be used in the health assessment
2291 message of a given subtype.
2292
2293
2294 libimcv.plugins.imc-hcd.subtypes.system.certification_state []
2295 Hex-encoded certification state.
2296
2297
2298 libimcv.plugins.imc-hcd.subtypes.system.configuration_state []
2299 Hex-encoded configuration state.
2300
2301
2302 libimcv.plugins.imc-hcd.subtypes.system.machine_type_model []
2303 String specifying the machine type and model of the hardcopy
2304 device.
2305
2306
2307 libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled [no]
2308 Specifies if a PSTN facsimile interface is installed and enabled
2309 on the hardcopy device.
2310
2311
2312 libimcv.plugins.imc-hcd.subtypes.system.time_source []
2313 String specifying the hostname of the network time server used
2314 by the hardcopy device.
2315
2316
2317 libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled [no]
2318 Specifies if users can dynamically download and execute
2319 applications on the hardcopy device.
2320
2321
2322 libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled [no]
2324 Specifies if user dynamically downloaded applications can
2325 persist outside the boundaries of a single job on the hardcopy
2326 device.
2327
2328
2329 libimcv.plugins.imc-hcd.subtypes.system.vendor_name []
2330 String specifying the manufacturer of the hardcopy device.
2331
2332
2333 libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code []
2334 Integer specifying the globally unique 24-bit SMI code assigned
2335 to the manufacturer of the hardcopy device.
2336
2337
2338 libimcv.plugins.imc-os.device_cert []
2339 Manually set the path to the client device certificate (e.g.
2340 /etc/pts/aikCert.der)
2341
2342
2343 libimcv.plugins.imc-os.device_handle []
2344 Manually set handle to a private key bound to a smartcard or TPM
2345 (e.g. 0x81010004)
2346
2347
2348 libimcv.plugins.imc-os.device_id []
2349 Manually set the client device ID in hexadecimal format (e.g.
2350 1083f03988c9762703b1c1080c2e46f72b99cc31)
2351
2352
2353 libimcv.plugins.imc-os.device_pubkey []
2354 Manually set the path to the client device public key (e.g.
2355 /etc/pts/aikPub.der)
2356
2357
2358 libimcv.plugins.imc-os.push_info [yes]
2359 Send operating system info without being prompted.
2360
2361
2362 libimcv.plugins.imc-scanner.push_info [yes]
2363 Send open listening ports without being prompted.
2364
2365
2366 libimcv.plugins.imc-swima.eid_epoch [0x11223344]
2367 Set 32 bit epoch value for event IDs manually if software
2368 collector database is not available.
2369
2370
2371 libimcv.plugins.imc-swima.subscriptions [no]
2372 Accept SW Inventory or SW Events subscriptions.
2373
2374
2375 libimcv.plugins.imc-swima.swid_database []
2376 URI to software collector database containing event timestamps,
2377 software creation and deletion events and collected software
2378 identifiers. If it contains a password, make sure to adjust the
2379 permissions of the config file accordingly.
2380
2381
2382 libimcv.plugins.imc-swima.swid_directory [${prefix}/share]
2383 Directory where SWID tags are located.
2384
2385
2386 libimcv.plugins.imc-swima.swid_full [no]
2387 Include file information in the XML-encoded SWID tags.
2388
2389
2390 libimcv.plugins.imc-swima.swid_pretty [no]
2391 Generate XML-encoded SWID tags with pretty indentation.
2392
2393
2394 libimcv.plugins.imc-test.additional_ids [0]
2395 Number of additional IMC IDs.
2396
2397
2398 libimcv.plugins.imc-test.command [none]
2399 Command to be sent to the Test IMV.
2400
2401
2402 libimcv.plugins.imc-test.dummy_size [0]
2403 Size of dummy attribute to be sent to the Test IMV (0 =
2404 disabled).
2405
2406
2407 libimcv.plugins.imc-test.retry [no]
2408 Do a handshake retry.
2409
2410
2411 libimcv.plugins.imc-test.retry_command []
2412 Command to be sent to the Test IMV in the handshake retry.
2413
2414
2415 libimcv.plugins.imv-attestation.cadir []
2416 Path to directory with AIK cacerts.
2417
2418
2419 libimcv.plugins.imv-attestation.dh_group [ecp256]
2420 Preferred Diffie-Hellman group.
2421
2422
2423 libimcv.plugins.imv-attestation.hash_algorithm [sha256]
2424 Preferred measurement hash algorithm.
2425
2426
2427 libimcv.plugins.imv-attestation.mandatory_dh_groups [yes]
2428 Enforce mandatory Diffie-Hellman groups.
2429
2430
2431 libimcv.plugins.imv-attestation.min_nonce_len [0]
2432 DH minimum nonce length.
2433
2434
2435 libimcv.plugins.imv-os.remediation_uri []
2436 URI pointing to operating system remediation instructions.
2437
2438
2439 libimcv.plugins.imv-scanner.remediation_uri []
2440 URI pointing to scanner remediation instructions.
2441
2442
2443 libimcv.plugins.imv-swima.rest_api.timeout [120]
2444 Timeout of SWID REST API HTTP POST transaction.
2445
2446
2447 libimcv.plugins.imv-swima.rest_api.uri []
2448 HTTP URI of the SWID REST API.
2449
2450
2451 libimcv.plugins.imv-test.rounds [0]
2452 Number of IMC-IMV retry rounds.
2453
2454
2455 libimcv.stderr_quiet [no]
2456 Disable output to stderr with a stand-alone libimcv library.
2457
2458
2459 libimcv.swid_gen.command [/usr/local/bin/swid_generator]
2460 SWID generator command to be executed.
2461
2462
2463 libimcv.swid_gen.tag_creator.name [strongSwan Project]
2464 Name of the tagCreator entity.
2465
2466
2467 libimcv.swid_gen.tag_creator.regid [strongswan.org]
2468 regid of the tagCreator entity.
2469
2470
2471 manager.database []
2472 Credential database URI for manager. If it contains a password,
2473 make sure to adjust the permissions of the config file
2474 accordingly.
2475
2476
2477 manager.debug [no]
2478 Enable debugging in manager.
2479
2480
2481 manager.load []
2482 Plugins to load in manager.
2483
2484
2485 manager.socket []
2486 FastCGI socket of manager, to run it statically.
2487
2488
2489 manager.threads [10]
2490 Threads to use for request handling.
2491
2492
2493 manager.timeout [15m]
2494 Session timeout for manager.
2495
2496
2497 medsrv.database []
2498 Mediation server database URI. If it contains a password, make
2499 sure to adjust the permissions of the config file accordingly.
2500
2501
2502 medsrv.debug [no]
2503 Debugging in mediation server web application.
2504
2505
2506 medsrv.dpd [5m]
2507 DPD timeout to use in mediation server plugin.
2508
2509
2510 medsrv.load []
2511 Plugins to load in mediation server plugin.
2512
2513
2514 medsrv.password_length [6]
2515 Minimum password length required for mediation server user
2516 accounts.
2517
2518
2519 medsrv.rekey [20m]
2520 Rekeying time on mediation connections in mediation server
2521 plugin.
2522
2523
2524 medsrv.socket []
2525 Run Mediation server web application statically on socket.
2526
2527
2528 medsrv.threads [5]
2529 Number of threads for mediation service web application.
2530
2531
2532 medsrv.timeout [15m]
2533 Session timeout for mediation service.
2534
2535
2536 pki.load []
2537 Plugins to load in ipsec pki tool.
2538
2539
2540 pool.database []
2541 Database URI for the database that stores IP pools and
2542 configuration attributes. If it contains a password, make sure
2543 to adjust the permissions of the config file accordingly.
2544
2545
2546 pool.load []
2547 Plugins to load in ipsec pool tool.
2548
2549
2550 scepclient.load []
2551 Plugins to load in ipsec scepclient tool.
2552
2553
2554 sec-updater
2555 Options for the sec-updater tool.
2556
2557
2558 sec-updater.database []
2559 Global IMV policy database URI. If it contains a password, make
2560 sure to adjust the permissions of the config file accordingly.
2561
2562
2563 sec-updater.load []
2564 Plugins to load in sec-updater tool.
2565
2566
2567 sec-updater.swid_gen.command [/usr/local/bin/swid_generator]
2568 SWID generator command to be executed.
2569
2570
2571 sec-updater.swid_gen.tag_creator.name [strongSwan Project]
2572 Name of the tagCreator entity.
2573
2574
2575 sec-updater.swid_gen.tag_creator.regid [strongswan.org]
2576 regid of the tagCreator entity.
2577
2578
2579 sec-updater.tmp.deb_file [/tmp/sec-updater.deb]
2580 Temporary storage for downloaded deb package file.
2581
2582
2583 sec-updater.tmp.tag_file [/tmp/sec-updater.tag]
2584 Temporary storage for generated SWID tags.
2585
2586
2587 sec-updater.tnc_manage_command [/var/www/tnc/manage.py]
2588 strongTNC manage.py command used to import SWID tags.
2589
2590
2591 starter.config_file [${sysconfdir}/ipsec.conf]
2592 Location of the ipsec.conf file.
2593
2594
2595 starter.load_warning [yes]
2596 Disable charon plugin load option warning.
2597
2598
2599 sw-collector
2600 Options for the sw-collector tool.
2601
2602
2603 sw-collector.database []
2604 URI to software collector database containing event timestamps,
2605 software creation and deletion events and collected software
2606 identifiers. If it contains a password, make sure to adjust the
2607 permissions of the config file accordingly.
2608
2609
2610 sw-collector.first_file [/var/log/bootstrap.log]
2611 Path pointing to file created when the Linux OS was installed.
2612
2613
2614 sw-collector.first_time [0000-00-00T00:00:00Z]
2615 Time in UTC when the Linux OS was installed.
2616
2617
2618 sw-collector.history []
2619 Path pointing to apt history.log file.
2620
2621
2622 sw-collector.load []
2623 Plugins to load in sw-collector tool.
2624
2625
2626 sw-collector.rest_api.timeout [120]
2627 Timeout of REST API HTTP POST transaction.
2628
2629
2630 sw-collector.rest_api.uri []
2631 HTTP URI of the central collector's REST API.
2632
2633
2634 swanctl.load []
2635 Plugins to load in swanctl.
2636
2637
2638 swanctl.socket [unix://${piddir}/charon.vici]
2639 VICI socket to connect to by default.
2640
2641
2642 LOGGER CONFIGURATION
2643 Options in strongswan.conf(5) provide a much more flexible way to
2644 configure loggers for the IKE daemon charon than using the charondebug
2645 option in ipsec.conf(5).
2646
2647 Note: If any loggers are specified in strongswan.conf, charondebug does
2648 not have any effect.
2649
2650 There are currently two types of loggers:
2651
2652 File loggers
2653 Log directly to a file and are defined by specifying an
2654 arbitrarily named subsection in the charon.filelog section. The full
2655 path to the file is configured in the path setting of that
2656 subsection; however, if the path only contains characters permitted in
2657 section names, the setting may also be omitted and the path
2658 specified as name of the subsection. To log to the console the
2659 two special filenames stdout and stderr may be used.
2660
2661 Syslog loggers
2662 Log into a syslog facility and are defined by specifying the
2663 facility to log to as the name of a subsection in the
2664 charon.syslog section. The following facilities are currently
2665 supported: daemon and auth.
2666
2667 Multiple loggers can be defined for each type with different log
2668 verbosity for the different subsystems of the daemon.
2669
2670
2671 Subsystems
2672 dmn Main daemon setup/cleanup/signal handling
2673
2674 mgr IKE_SA manager, handling synchronization for IKE_SA access
2675
2676 ike IKE_SA
2677
2678 chd CHILD_SA
2679
2680 job Jobs queueing/processing and thread pool management
2681
2682 cfg Configuration management and plugins
2683
2684 knl IPsec/Networking kernel interface
2685
2686 net IKE network communication
2687
2688 asn Low-level encoding/decoding (ASN.1, X.509 etc.)
2689
2690 enc Packet encoding/decoding encryption/decryption operations
2691
2692 tls libtls library messages
2693
2694 esp libipsec library messages
2695
2696 lib libstrongswan library messages
2697
2698 tnc Trusted Network Connect
2699
2700 imc Integrity Measurement Collector
2701
2702 imv Integrity Measurement Verifier
2703
2704 pts Platform Trust Service
2705
2706 Loglevels
2707 -1 Absolutely silent
2708
2709 0 Very basic auditing logs (e.g. SA up/SA down)
2710
2711 1 Generic control flow with errors, a good default to see what's
2712 going on
2713
2714 2 More detailed debugging control flow
2715
2716 3 Including RAW data dumps in Hex
2717
2718 4 Also include sensitive material in dumps, e.g. keys
2719
2720 Example
charon {
    filelog {
        charon {
            path = /var/log/charon.log
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
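As an added example (not part of the man page or of strongSwan itself), the following Python code parses the strongswan.conf syntax of the example above and resolves the loglevel every subsystem actually gets per logger, applying the fallback to the logger's default key described for charon.syslog.<facility>.default. It also flags loggers that reach loglevel 4, the level at which keys are written to the log. The parser covers only the subset of the syntax used here (no section references, no include statements); the DEBUG_CONF variant is constructed for illustration.

```python
import re

# Subsystem names as listed under "Subsystems" in this man page.
SUBSYSTEMS = ("dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
              "enc", "tls", "esp", "lib", "tnc", "imc", "imv", "pts")

# The logger example from the man page, embedded here as parser input.
EXAMPLE_CONF = """
charon {
    filelog {
        charon {
            path = /var/log/charon.log
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
"""

# Constructed variant: someone left the console logger at loglevel 4 for knl.
DEBUG_CONF = EXAMPLE_CONF.replace("knl = 3", "knl = 4")

_SECTION_RE = re.compile(r"^([^\s{}=#]+)\s*\{$")


def parse_conf(text):
    """Parse the strongswan.conf subset used above into nested dicts.

    Sections become dicts, key/value pairs become strings. Everything from
    '#' to the end of a line is treated as a comment (so values must not
    contain '#'). Section references (name : ref) and include statements
    are not supported by this small parser.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def effective_levels(conf):
    """Map each logger (charon.filelog.<name>, charon.syslog.<facility>) to
    the loglevel each subsystem actually gets: its own key if present,
    otherwise the logger's 'default' key, otherwise 1 (the man page default)."""
    charon = conf.get("charon", {})
    result = {}
    for kind in ("filelog", "syslog"):
        for name, settings in charon.get(kind, {}).items():
            if not isinstance(settings, dict):
                continue  # plain keys such as charon.syslog.identifier
            default = int(settings.get("default", 1))
            result[f"charon.{kind}.{name}"] = {
                sub: int(settings.get(sub, default)) for sub in SUBSYSTEMS
            }
    return result


def loggers_dumping_secrets(conf):
    """Loggers with some subsystem at loglevel 4, i.e. logs that will contain
    sensitive material such as keys (see "Loglevels" above)."""
    return sorted(name for name, levels in effective_levels(conf).items()
                  if max(levels.values()) >= 4)


if __name__ == "__main__":
    for logger, levels in effective_levels(parse_conf(EXAMPLE_CONF)).items():
        active = [s for s, lvl in levels.items() if lvl >= 0]
        print(f"{logger}: {len(active)} subsystems active, ike at level {levels['ike']}")
    print("loggers dumping keys:", loggers_dumping_secrets(parse_conf(DEBUG_CONF)))
```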
2746
2747
2748 JOB PRIORITY MANAGEMENT
2749 Some operations in the IKEv2 daemon charon are currently implemented
2750 synchronously and blocking. Two examples of such operations are
2751 communication with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP
2752 information during certificate chain verification. Under high load
2753 conditions, the thread pool may run out of available threads, and some
2754 more important jobs, such as liveness checking, may not get executed in
2755 time.
2756
2757 To prevent thread starvation in such situations, job priorities were
2758 introduced. The job processor reserves some threads for higher
2759 priority jobs; these threads are not available for lower priority,
2760 locking jobs.
2761
2762 Implementation
2763 Currently 4 priorities have been defined, and they are used in charon
2764 as follows:
2765
2766 CRITICAL
2767 Priority for long-running dispatcher jobs.
2768
2769 HIGH INFORMATIONAL exchanges, as used by liveness checking (DPD).
2770
2771 MEDIUM Everything not HIGH/LOW, including IKE_SA_INIT processing.
2772
2773 LOW IKE_AUTH message processing. RADIUS and CRL fetching block here.
2774
2775 Although IKE_SA_INIT processing is computationally expensive, it is
2776 explicitly assigned to the MEDIUM class. This allows charon to do the
2777 DH exchange while other threads are blocked in IKE_AUTH. To prevent the
2778 daemon from accepting more IKE_SA_INIT requests than it can handle, use
2779 IKE_SA_INIT DROPPING.
2780
2781 The thread pool processes jobs strictly by priority, meaning it will
2782 consume all higher priority jobs before looking for ones with lower
2783 priority. Further, it reserves threads for certain priorities. A
2784 priority class having reserved n threads will always have n threads
2785 available for this class (either currently processing a job, or waiting
2786 for one).
2787
2788 Configuration
2789 To ensure that there are always enough threads available for higher
2790 priority tasks, threads must be reserved for each priority class.
2791
2792 charon.processor.priority_threads.critical [0]
2793 Threads reserved for CRITICAL priority class jobs
2794
2795 charon.processor.priority_threads.high [0]
2796 Threads reserved for HIGH priority class jobs
2797
2798 charon.processor.priority_threads.medium [0]
2799 Threads reserved for MEDIUM priority class jobs
2800
2801 charon.processor.priority_threads.low [0]
2802 Threads reserved for LOW priority class jobs
2803
2804 Let's consider the following configuration:
2805
charon {
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }
}
2814
2815 With this configuration, one thread is reserved for HIGH priority
2816 tasks. As currently only liveness checking and stroke message
2817 processing is done with high priority, one or two threads should be
2818 sufficient.
2819
2820 The MEDIUM class mostly processes non-blocking jobs. Unless your setup
2821 is experiencing many blocks in locks while accessing shared resources,
2822 reserving one to two times the number of CPU cores is fine.
2823
2824 It is usually not required to reserve threads for CRITICAL jobs. Jobs
2825 in this class rarely return and do not release their thread to the
2826 pool.
2827
2828 The remaining threads are available for LOW priority jobs. Reserving
2829 threads does not make sense (until we have an even lower priority).
2830
2831 Monitoring
2832 To see what the threads are actually doing, invoke ipsec statusall.
2833 Under high load, something like this will show up:
2834
2835 worker threads: 2 of 32 idle, 5/1/2/22 working,
2836 job queue: 0/0/1/149, scheduled: 198
2837
2838 From 32 worker threads,
2839
2840 2 are currently idle.
2841
2842 5 are running CRITICAL priority jobs (dispatching from sockets,
2843 etc.).
2844
2845 1 is currently handling a HIGH priority job. This is actually the
2846 thread currently providing this information via stroke.
2847
2848 2 are handling MEDIUM priority jobs, likely IKE_SA_INIT or
2849 CREATE_CHILD_SA messages.
2850
2851 22 are handling LOW priority jobs, probably waiting for an EAP-
2852 RADIUS response while processing IKE_AUTH messages.
2853
2854 The job queue load shows how many jobs are queued for each priority,
2855 ready for execution. The single MEDIUM priority job will get executed
2856 immediately, as we have two spare threads reserved for MEDIUM class
2857 jobs.
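As an added example (not from the man page), this Python code parses the worker threads line of ipsec statusall shown above and, given the priority_threads reservation from the configuration example, works out how many threads each class can draw on right now and which classes have queued jobs but no thread to run them. The sample line is the status above joined onto one line; the way idle threads are attributed to classes (unused reservations first, the rest as a shared pool handed to higher classes first) is this example's own model of the reservation rules described above, not code from strongSwan.

```python
import re
from dataclasses import dataclass, field

# Priority classes in the order charon prints them in the a/b/c/d counters.
CLASSES = ("critical", "high", "medium", "low")

# The status shown in the man page, constructed here as a single line.
SAMPLE_STATUS = ("worker threads: 2 of 32 idle, 5/1/2/22 working, "
                 "job queue: 0/0/1/149, scheduled: 198")

# charon.processor.priority_threads from the configuration example above;
# classes that are not listed have no reservation (0).
SAMPLE_RESERVED = {"high": 1, "medium": 4}

_STATUS_RE = re.compile(
    r"worker threads:\s*(\d+) of (\d+) idle,\s*"
    r"(\d+)/(\d+)/(\d+)/(\d+) working,\s*"
    r"job queue:\s*(\d+)/(\d+)/(\d+)/(\d+),\s*scheduled:\s*(\d+)")


@dataclass
class ThreadStatus:
    idle: int
    total: int
    working: dict = field(default_factory=dict)  # threads busy, per class
    queued: dict = field(default_factory=dict)   # jobs waiting, per class
    scheduled: int = 0


def parse_status(line):
    """Parse the 'worker threads:' line of ipsec statusall."""
    m = _STATUS_RE.search(line)
    if not m:
        raise ValueError(f"no worker threads status found in: {line!r}")
    n = [int(x) for x in m.groups()]
    return ThreadStatus(idle=n[0], total=n[1],
                        working=dict(zip(CLASSES, n[2:6])),
                        queued=dict(zip(CLASSES, n[6:10])),
                        scheduled=n[10])


def available_threads(status, reserved):
    """Threads each class could use for its queued jobs right now.

    A class with a reservation of n always has n threads working or idle
    for it, so its unused reservation is idle capacity only it can use.
    The remaining idle threads form a shared pool; because the pool is
    served strictly by priority, that pool is offered to higher classes
    first and only what they leave over reaches lower classes.
    """
    spare = {c: max(reserved.get(c, 0) - status.working[c], 0) for c in CLASSES}
    shared = status.idle - sum(spare.values())
    if shared < 0:
        raise ValueError("fewer idle threads than unused reservations; "
                         "the reservation passed does not match the daemon")
    available = {}
    for c in CLASSES:
        available[c] = spare[c] + shared
        unmet = max(status.queued[c] - spare[c], 0)  # jobs needing shared threads
        shared = max(shared - unmet, 0)
    return available


def starved_classes(status, reserved):
    """Classes that have queued jobs but not a single thread to run them."""
    available = available_threads(status, reserved)
    return [c for c in CLASSES if status.queued[c] > 0 and available[c] == 0]


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    print("working per class:  ", st.working)
    print("queued per class:   ", st.queued)
    print("available per class:", available_threads(st, SAMPLE_RESERVED))
    print("starved classes:    ", starved_classes(st, SAMPLE_RESERVED))
```

For the sample status the result matches the text above: the one queued MEDIUM job has two spare reserved threads, while the 149 LOW jobs have none and wait for the blocked IKE_AUTH threads.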
2858
2859
2860 IKE_SA_INIT DROPPING
2861 If a responder receives more connection requests per second than it
2862 can handle, it does not make sense to accept more IKE_SA_INIT messages.
2863 And if they are queued but can't get processed in time, an answer might
2864 be sent after the client has already given up and restarted its
2865 connection setup. This additionally increases the load on the responder.
2866
2867 To limit the responder load resulting from new connection attempts, the
2868 daemon can drop IKE_SA_INIT messages just after reception. There are
2869 two mechanisms to decide if this should happen, configured with the
2870 following options:
2871
2872 charon.init_limit_half_open [0]
2873 Limit based on the number of half open IKE_SAs. Half open
2874 IKE_SAs are SAs in connecting state, but not yet established.
2875
2876 charon.init_limit_job_load [0]
2877 Limit based on the number of jobs currently queued for
2878 processing (sum over all job priorities).
2879
2880 The second limit includes load from other jobs, such as rekeying.
2881 Choosing a good value is difficult and depends on the hardware and
2882 expected load.
2883
2884 The first limit is simpler to calculate, but includes the load from new
2885 connections only. If your responder is capable of negotiating 100
2886 tunnels/s, you might set this limit to 1000. The daemon will then drop new
2887 connection attempts if generating a response would require more than 10
2888 seconds. If you are allowing for a maximum response time of more than
2889 30 seconds, consider adjusting the timeout for connecting IKE_SAs
2890 (charon.half_open_timeout). A responder, by default, deletes an IKE_SA
2891 if the initiator does not establish it within 30 seconds. Under high
2892 load, a higher value might be required.
2893
2894
2895 LOAD TESTS
2896 To do stability testing and performance optimizations, the IKE daemon
2897 charon provides the load-tester plugin. This plugin allows one to set up
2898 thousands of tunnels concurrently against the daemon itself or a remote
2899 host.
2900
2901 WARNING: Never enable the load-testing plugin on production systems. It
2902 provides preconfigured credentials and allows an attacker to
2903 authenticate as any user.
2904
2905 Configuration details
2906 For public key authentication, the responder uses the "CN=srv, OU=load-
2907 test, O=strongSwan" identity. For the initiator, each connection
2908 attempt uses a different identity in the form "CN=c1-r1, OU=load-test,
2909 O=strongSwan", where the first number indicates the client number, the
2910 second the authentication round (if multiple authentication rounds are
2911 used).
2912
2913 For PSK authentication, FQDN identities are used. The server uses
2914 srv.strongswan.org, the client uses an identity in the form
2915 c1-r1.strongswan.org.
2916
2917 For EAP authentication, the client uses a NAI in the form
2918 100000000010001@strongswan.org.
2919
2920 To configure multiple authentication rounds, concatenate multiple
2921 methods using, e.g.
2922 initiator_auth = pubkey|psk|eap-md5|eap-aka
2923
2924 The responder uses a hardcoded certificate based on a 1024-bit RSA key.
2925 This certificate additionally serves as CA certificate. A peer uses the
2926 same private key, but generates client certificates on demand signed by
2927 the CA certificate. Install the Responder/CA certificate on the remote
2928 host to authenticate all clients.
2929
2930 To speed up testing, the load tester plugin implements a special
2931 Diffie-Hellman implementation called modpnull. By setting
2932 proposal = aes128-sha1-modpnull
2933 this wicked fast DH implementation is used. It does not provide any
2934 security at all, but allows one to run tests without DH calculation
2935 overhead.
2936
2937 Examples
2938 In the simplest case, the daemon initiates IKE_SAs against itself using
2939 the loopback interface. This will actually establish double the number
2940 of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at
2941 the same time. Installation of IPsec SAs would fail, as each SA gets
2942 installed twice. To simulate the correct behavior, a fake kernel
2943 interface can be enabled which does not install the IPsec SAs at the kernel
2944 level.
2945
2946 A simple loopback configuration might look like this:
2947
charon {
    # create new IKE_SAs for each CHILD_SA to simulate
    # different clients
    reuse_ikesa = no
    # turn off denial of service protection
    dos_protection = no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # use 4 threads to initiate connections
            # simultaneously
            initiators = 4
            # each thread initiates 1000 connections
            iterations = 1000
            # delay each initiation in each thread by 20ms
            delay = 20
            # enable the fake kernel interface to
            # avoid SA conflicts
            fake_kernel = yes
        }
    }
}
2972
2973 This will initiate 4000 IKE_SAs within 20 seconds. You may increase the
2974 delay value if your box cannot handle that much load, or decrease it
2975 to put more load on it. If the daemon starts retransmitting messages
2976 your box probably cannot handle all connection attempts.
2977
2978 The plugin also allows one to test against a remote host. This might
2979 help to test against a real world configuration. A connection setup to
2980 do stress testing of a gateway might look like this:
2981
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1000
            # use a delay of 100ms, overall time is:
            # iterations * delay = 100s
            delay = 100
            # address of the gateway
            remote = 1.2.3.4
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead
            # of 1024bit RSA
            initiator_auth = psk
            responder_auth = psk
            # request a virtual IP using configuration
            # payloads
            request_virtual_ip = yes
            # rekey the CHILD_SA every 60s
            child_rekey = 60
        }
    }
}
3011
3012
3013 IKEv2 RETRANSMISSION
3014 Retransmission timeouts in the IKEv2 daemon charon can be configured
3015 globally using the keys listed below:
3016
3017 charon.retransmit_base [1.8]
3018 charon.retransmit_timeout [4.0]
3019 charon.retransmit_tries [5]
3020 charon.retransmit_jitter [0]
3021 charon.retransmit_limit [0]
3022
3023 The following algorithm is used to calculate the timeout:
3024
3025 relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
3026
3027 Where n is the current retransmission count. The calculated timeout
3028 can't exceed the configured retransmit_limit (if any), which is useful
3029 if the number of retries is high.
3030
3031 If a jitter in percent is configured, the timeout is modified as
3032 follows:
3033
3034 relative timeout -= random(0, retransmit_jitter * relative timeout)
3035
3036 Using the default values, packets are retransmitted in:
3037
3038
3039 Retransmission Relative Timeout Absolute Timeout
3040 ─────────────────────────────────────────────────────
3041 1 4s 4s
3042 2 7s 11s
3043 3 13s 24s
3044 4 23s 47s
3045 5 42s 89s
3046 giving up 76s 165s
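As an added example (not part of the man page), this Python function implements the timeout algorithm above, applying the retransmit_limit cap first and the jitter reduction second as the text describes, and reproduces the table for the default values. The rng parameter is this example's own addition so that jitter can be checked deterministically; the rounded_table and time_to_give_up helpers are likewise assumptions of the example.

```python
import random


def retransmit_schedule(timeout=4.0, base=1.8, tries=5, jitter=0, limit=0, rng=None):
    """Compute charon's retransmission schedule from the keys listed above.

    Returns a list of (n, relative, absolute) in seconds for n = 1..tries+1;
    the last entry is the final wait after which the daemon gives up.
    relative = timeout * base^(n-1), capped at limit (when limit > 0), then
    reduced by random(0, jitter% of relative) when jitter > 0.
    rng: callable returning a float in [0, 1); defaults to random.random.
    """
    if tries < 0 or timeout <= 0 or base <= 0:
        raise ValueError("tries must be >= 0, timeout and base must be > 0")
    rng = rng or random.random
    schedule, elapsed = [], 0.0
    for n in range(1, tries + 2):
        relative = timeout * base ** (n - 1)
        if limit > 0:
            relative = min(relative, float(limit))
        if jitter > 0:
            relative -= rng() * (jitter / 100.0) * relative
        elapsed += relative
        schedule.append((n, relative, elapsed))
    return schedule


def rounded_table(**settings):
    """(relative, absolute) rounded to whole seconds, as in the table above."""
    return [(round(rel), round(total))
            for _, rel, total in retransmit_schedule(**settings)]


def time_to_give_up(**settings):
    """Seconds from the first transmission until charon gives up on the peer."""
    return retransmit_schedule(**settings)[-1][2]


if __name__ == "__main__":
    rows = retransmit_schedule()
    print("Retransmission  Relative  Absolute")
    for n, rel, total in rows:
        label = "giving up" if n == len(rows) else str(n)
        print(f"{label:>14}  {rel:7.1f}s  {total:7.1f}s")
    print("with retransmit_limit = 30:", rounded_table(limit=30))
    print("give up after (defaults):", round(time_to_give_up()), "s")
```

With the defaults an unresponsive peer is only given up on after about 165s; lowering retransmit_tries or retransmit_timeout shortens that at the price of giving up sooner on a merely lossy link.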
3047
3049 The variables used above are configured as follows:
3050
3051 ${piddir} /var/run
3052 ${prefix} /usr
3053 ${random_device} /dev/random
3054 ${urandom_device} /dev/urandom
3055
3056 FILES
3057 /etc/strongswan.conf configuration file
3058 /etc/strongswan.d/ directory containing included config snippets
3059 /etc/strongswan.d/charon/ plugin specific config snippets
3060
3061 SEE ALSO
3062 ipsec.conf(5), ipsec.secrets(5), ipsec(8), charon-cmd(8)
3063
3064
3065 AUTHOR
3066 Written for the strongSwan project ⟨http://www.strongswan.org⟩ by
3067 Tobias Brunner, Andreas Steffen and Martin Willi.
3068
3069
3070
3071 5.7.2 STRONGSWAN.CONF(5)