STRONGSWAN.CONF(5)                strongSwan                STRONGSWAN.CONF(5)

NAME
       strongswan.conf - strongSwan configuration file

DESCRIPTION
       While the ipsec.conf(5) configuration file is well suited to define
       IPsec related configuration parameters, it is not useful for other
       strongSwan applications to read options from this file. The file is
       hard to parse and only ipsec starter is capable of doing so. As the
       number of components of the strongSwan project is continually growing,
       a more flexible configuration file was needed, one that is easy to
       extend and can be used by all components. With strongSwan 4.2.1
       strongswan.conf(5) was introduced which meets these requirements.

FILE FORMAT
       The format of the strongswan.conf file consists of hierarchical
       sections and a list of key/value pairs in each section. Each section
       has a name, followed by C-style curly brackets defining the section
       body. Each section body contains a set of subsections and key/value
       pairs:

              settings := (section|keyvalue)*
              section  := name { settings }
              keyvalue := key = value\n

       Values must be terminated by a newline.

       Comments are possible using the #-character.

       Section names and keys may contain any printable character except:

              . , : { } = " # \n \t space

       An example file in this format might look like this:

              a = b
              section-one {
                      somevalue = asdf
                      subsection {
                              othervalue = xxx
                      }
                      # yei, a comment
                      yetanother = zz
              }
              section-two {
                      x = 12
              }

       Indentation is optional; you may use tabs or spaces.

REFERENCING OTHER SECTIONS
       It is possible to inherit settings and sections from another section.
       This feature is mainly useful in swanctl.conf (which uses the same file
       format). The syntax is as follows:

              section    := name : references { settings }
              references := absname[, absname]*
              absname    := name[.name]*

       All key/value pairs and all subsections of the referenced sections will
       be inherited by the section that references them via their absolute
       name. Values may be overridden in the section or any of its
       sub-sections (use an empty assignment to clear a value so its default
       value, if any, will apply). It is currently not possible to limit the
       inclusion level or clear/remove inherited sub-sections.

       If the order is important (e.g. for auth rounds in a connection, if
       round is not used), it should be noted that inherited settings/sections
       will follow those defined in the current section (if multiple sections
       are referenced, their settings are enumerated left to right).

       References are evaluated dynamically at runtime, so referring to
       sections later in the config file or included via other files is no
       problem.

       Here is an example of how this might look:

              conn-defaults {
                      # default settings for all conns (e.g. a cert, or IP pools)
              }
              eap-defaults {
                      # defaults if eap is used (e.g. a remote auth round)
              }
              child-defaults {
                      # defaults for child configs (e.g. traffic selectors)
              }
              connections {
                      conn-a : conn-defaults, eap-defaults {
                              # set/override stuff specific to this connection
                              children {
                                      child-a : child-defaults {
                                              # set/override stuff specific to this child
                                      }
                              }
                      }
                      conn-b : conn-defaults {
                              # set/override stuff specific to this connection
                              children {
                                      child-b : child-defaults {
                                              # set/override stuff specific to this child
                                      }
                              }
                      }
                      conn-c : connections.conn-a {
                              # everything is inherited, including everything conn-a
                              # already inherits from the sections it and its
                              # sub-section reference
                      }
              }

INCLUDING FILES
       Using the include statement it is possible to include other files into
       strongswan.conf, e.g.

              include /some/path/*.conf

       If the file name is not an absolute path, it is considered to be
       relative to the directory of the file containing the include statement.
       The file name may include shell wildcards (see sh(1)). Also, such
       inclusions can be nested.

       Sections loaded from included files extend previously loaded sections;
       already existing values are replaced. It is important to note that
       settings are added relative to the section the include statement is in.

       As an example, the following three files result in the same final
       config as the one given above:

              a = b
              section-one {
                      somevalue = before include
                      include include.conf
              }
              include other.conf

       include.conf:
              # settings loaded from this file are added to section-one
              # the following replaces the previous value
              somevalue = asdf
              subsection {
                      othervalue = yyy
              }
              yetanother = zz

       other.conf:
              # this extends section-one and subsection
              section-one {
                      subsection {
                              # this replaces the previous value
                              othervalue = xxx
                      }
              }
              section-two {
                      x = 12
              }

READING VALUES
       Values are accessed using a dot-separated section list and a key. With
       reference to the example above, accessing
       section-one.subsection.othervalue will return xxx.

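       The file format, section references, includes and dot-notation lookup
       described above, as an added Python example that is not strongSwan's
       own parser: it loads a set of constructed in-memory files (the paths
       and connection settings are sample values) and resolves values with
       inherited sections, overrides and cleared values.

```python
import fnmatch
import posixpath
import re

# Constructed sample files modelled on the man page's examples; include patterns
# are matched against this dict rather than the filesystem.
FILES = {
    "/etc/strongswan.conf": """
connections {
    include conns/*.conf     # relative to /etc; settings land in this section
}
include conf.d/defaults.conf # referenced sections may be defined later
""",
    "/etc/conns/a.conf": """
conn-a : conn-defaults {
    local_addrs = 192.0.2.1
    children {
        child-a : child-defaults {
        }
    }
}
""",
    "/etc/conns/c.conf": """
conn-c : connections.conn-a {    # inherits conn-a and all it inherits
    local_addrs = 198.51.100.1   # overrides the inherited value
    dpd_delay =                  # empty assignment clears the inherited value
}
""",
    "/etc/conf.d/defaults.conf": """
conn-defaults {
    dpd_delay = 30s
}
child-defaults {
    esp_proposals = aes256gcm16
}
""",
}

class Section:
    def __init__(self):
        self.values, self.subs, self.refs = {}, {}, []  # key/values, subsections, references

_HEADER = re.compile(r"^([^\s:{=]+)\s*(?::\s*([^{]+?))?\s*\{$")  # name [: ref, ref] {
def load(path, files, into=None):
    """Parse files[path] into section 'into' (a fresh root if None) and return it."""
    stack = [Section() if into is None else into]
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()              # '#' starts a comment
        if not line:
            continue
        if line.startswith("include "):
            pattern = line[8:].strip()
            if not pattern.startswith("/"):              # relative to the including file
                pattern = posixpath.join(posixpath.dirname(path), pattern)
            for name in sorted(fnmatch.filter(files, pattern)):
                load(name, files, stack[-1])             # added to the current section
        elif line == "}":
            stack.pop()
        elif m := _HEADER.match(line):
            sec = stack[-1].subs.setdefault(m.group(1), Section())
            if m.group(2):
                sec.refs = [r.strip() for r in m.group(2).split(",")]
            stack.append(sec)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"{path}: cannot parse {line!r}")
            stack[-1].values[key.strip()] = value.strip()  # later value replaces earlier
    if len(stack) != 1:
        raise ValueError(f"{path}: unbalanced braces")
    return stack[0]

def _expand(root, sec, seen):
    """sec followed by everything it inherits: own settings first, references left to right."""
    if id(sec) in seen:                                  # guard against reference cycles
        return []
    seen.add(id(sec))
    out = [sec]
    for ref in sec.refs:
        target = root
        for part in ref.split("."):                      # absolute name, no inheritance applied
            target = target and target.subs.get(part)
        if target is not None:
            out.extend(_expand(root, target, seen))
    return out

def get(root, dotted, default=None):
    """Value at 'section.sub.key' with inheritance applied; a cleared value yields default."""
    *path, key = dotted.split(".")
    candidates = [root]
    for part in path:                                    # descend, through inherited subsections too
        candidates = [s.subs[part] for sec in candidates
                      for s in _expand(root, sec, set()) if part in s.subs]
    for sec in candidates:
        for s in _expand(root, sec, set()):
            if key in s.values:
                return s.values[key] or default          # '' clears an inherited value
    return default
```

       Calling get(load("/etc/strongswan.conf", FILES),
       "connections.conn-c.children.child-a.esp_proposals") walks conn-c to
       conn-a, on to its children and then child-defaults, returning
       aes256gcm16; the cleared connections.conn-c.dpd_delay falls back to
       the supplied default.
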
DEFINED KEYS
       The following keys are currently defined (using dot notation). The
       default value (if any) is listed in brackets after the key.

       aikgen.load []
              Plugins to load in ipsec aikgen tool.

       attest.database []
              File measurement information database URI. If it contains a
              password, make sure to adjust the permissions of the config file
              accordingly.

       attest.load []
              Plugins to load in ipsec attest tool.

       charon
              Options for the charon IKE daemon.

              Note: Many of the options in this section also apply to
              charon-cmd and other charon derivatives. Just use their
              respective name (e.g. charon-cmd instead of charon). For many
              options defaults can be defined in the libstrongswan section.

       charon.accept_private_algs [no]
              Deliberately violate the IKE standard's requirement and allow
              the use of private algorithm identifiers, even if the peer
              implementation is unknown.

       charon.accept_unencrypted_mainmode_messages [no]
              Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

              Some implementations send the third Main Mode message
              unencrypted, probably to find the PSKs for the specified ID for
              authentication. This is very similar to Aggressive Mode, and has
              the same security implications: A passive attacker can sniff the
              negotiated Identity, and start brute forcing the PSK using the
              HASH payload.

              It is recommended to keep this option to no, unless you know
              exactly what the implications are and require compatibility to
              such devices (for example, some SonicWall boxes).

       charon.block_threshold [5]
              Maximum number of half-open IKE_SAs for a single peer IP.

       charon.cache_crls [no]
              Whether Certificate Revocation Lists (CRLs) fetched via HTTP or
              LDAP should be saved under a unique file name derived from the
              public key of the Certification Authority (CA) to
              /etc/ipsec.d/crls (stroke) or /etc/swanctl/x509crl (vici),
              respectively.

       charon.cert_cache [yes]
              Whether relations in validated certificate chains should be
              cached in memory.

       charon.cisco_unity [no]
              Send Cisco Unity vendor ID payload (IKEv1 only).

       charon.close_ike_on_child_failure [no]
              Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH
              failed.

       charon.cookie_threshold [10]
              Number of half-open IKE_SAs that activate the cookie mechanism.

       charon.crypto_test.bench [no]
              Benchmark crypto algorithms and order them by efficiency.

       charon.crypto_test.bench_size [1024]
              Buffer size used for crypto benchmark.

       charon.crypto_test.bench_time [50]
              Time in ms during which crypto algorithm performance is
              measured.

       charon.crypto_test.on_add [no]
              Test crypto algorithms during registration (requires test
              vectors provided by the test-vectors plugin).

       charon.crypto_test.on_create [no]
              Test crypto algorithms on each crypto primitive instantiation.

       charon.crypto_test.required [no]
              Strictly require at least one test vector to enable an
              algorithm.

       charon.crypto_test.rng_true [no]
              Whether to test RNG with TRUE quality; requires a lot of
              entropy.

       charon.delete_rekeyed [no]
              Delete CHILD_SAs right after they got successfully rekeyed
              (IKEv1 only). Reduces the number of stale CHILD_SAs in scenarios
              with a lot of rekeyings. However, this might cause problems with
              implementations that continue to use rekeyed SAs until they
              expire.

       charon.delete_rekeyed_delay [5]
              Delay in seconds until inbound IPsec SAs are deleted after
              rekeyings (IKEv2 only). To process delayed packets the inbound
              part of a CHILD_SA is kept installed up to the configured number
              of seconds after it got replaced during a rekeying. If set to 0
              the CHILD_SA will be kept installed until it expires (if no
              lifetime is set it will be destroyed immediately).

       charon.dh_exponent_ansi_x9_42 [yes]
              Use ANSI X9.42 DH exponent size or optimum size matched to
              cryptographic strength.

       charon.dlopen_use_rtld_now [no]
              Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to
              reveal missing symbols immediately.

       charon.dns1 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dns2 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dos_protection [yes]
              Enable Denial of Service protection using cookies and
              aggressiveness checks.

       charon.ecp_x_coordinate_only [yes]
              Compliance with the errata for RFC 4753.

       charon.filelog
              Section to define file loggers, see LOGGER CONFIGURATION in
              strongswan.conf(5).

       charon.filelog.<name>
              <name> may be the full path to the log file if it only contains
              characters permitted in section names. It is ignored if path is
              specified.

       charon.filelog.<name>.<subsystem> [<default>]
              Loglevel for a specific subsystem.

       charon.filelog.<name>.append [yes]
              If this option is enabled log entries are appended to the
              existing file.

       charon.filelog.<name>.default [1]
              Specifies the default loglevel to be used for subsystems for
              which no specific loglevel is defined.

       charon.filelog.<name>.flush_line [no]
              Enabling this option disables block buffering and enables line
              buffering.

       charon.filelog.<name>.ike_name [no]
              Prefix each log entry with the connection name and a unique
              numerical identifier for each IKE_SA.

       charon.filelog.<name>.path []
              Optional path to the log file. Overrides the section name. Must
              be used if the path contains characters that aren't allowed in
              section names.

       charon.filelog.<name>.time_add_ms [no]
              Adds the milliseconds within the current second after the
              timestamp (separated by a dot, so time_format should end with %S
              or %T).

       charon.filelog.<name>.time_format []
              Prefix each log entry with a timestamp. The option accepts a
              format string as passed to strftime(3).

       charon.flush_auth_cfg [no]
              If enabled objects used during authentication (certificates,
              identities etc.) are released to free memory once an IKE_SA is
              established. Enabling this might conflict with plugins that
              later need access to e.g. the used certificates.

       charon.follow_redirects [yes]
              Whether to follow IKEv2 redirects (RFC 5685).

       charon.fragment_size [1280]
              Maximum size (complete IP datagram size in bytes) of a sent IKE
              fragment when using proprietary IKEv1 or standardized IKEv2
              fragmentation, defaults to 1280 (use 0 for address family
              specific default values, which uses a lower value for IPv4). If
              specified this limit is used for both IPv4 and IPv6.

       charon.group []
              Name of the group the daemon changes to after startup.

       charon.half_open_timeout [30]
              Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT
              DROPPING).

       charon.hash_and_url [no]
              Enable hash and URL support.

       charon.host_resolver.max_threads [3]
              Maximum number of concurrent resolver threads (they are
              terminated if unused).

       charon.host_resolver.min_threads [0]
              Minimum number of resolver threads to keep around.

       charon.i_dont_care_about_security_and_use_aggressive_mode_psk [no]
              If enabled responders are allowed to use IKEv1 Aggressive Mode
              with pre-shared keys, which is discouraged due to security
              concerns (offline attacks on the openly transmitted hash of the
              PSK).

       charon.ignore_acquire_ts [no]
              If this is disabled the traffic selectors from the kernel's
              acquire events, which are derived from the triggering packet,
              are prepended to the traffic selectors from the configuration
              for IKEv2 connection. By enabling this, such specific traffic
              selectors will be ignored and only the ones in the config will
              be sent. This always happens for IKEv1 connections as the
              protocol only supports one set of traffic selectors per
              CHILD_SA.

       charon.ignore_routing_tables []
              A space-separated list of routing tables to be excluded from
              route lookups.

       charon.ikesa_limit [0]
              Maximum number of IKE_SAs that can be established at the same
              time before new connection attempts are blocked.

       charon.ikesa_table_segments [1]
              Number of exclusively locked segments in the hash table.

       charon.ikesa_table_size [1]
              Size of the IKE_SA hash table.

       charon.imcv
              Defaults for options in this section can be configured in the
              libimcv section.

       charon.imcv.assessment_result [yes]
              Whether IMVs send a standard IETF Assessment Result attribute.

       charon.imcv.database []
              Global IMV policy database URI. If it contains a password, make
              sure to adjust the permissions of the config file accordingly.

       charon.imcv.os_info.default_password_enabled [no]
              Manually set whether a default password is enabled.

       charon.imcv.os_info.name []
              Manually set the name of the client OS (e.g. Ubuntu).

       charon.imcv.os_info.version []
              Manually set the version of the client OS (e.g. 12.04 i686).

       charon.imcv.policy_script [ipsec _imv_policy]
              Script called for each TNC connection to generate IMV policies.

       charon.inactivity_close_ike [no]
              Whether to close IKE_SA if the only CHILD_SA closed due to
              inactivity.

       charon.init_limit_half_open [0]
              Limit new connections based on the current number of half open
              IKE_SAs, see IKE_SA_INIT DROPPING in strongswan.conf(5).

       charon.init_limit_job_load [0]
              Limit new connections based on the number of jobs currently
              queued for processing (see IKE_SA_INIT DROPPING).

       charon.initiator_only [no]
              Causes charon daemon to ignore IKE initiation requests.

       charon.install_routes [yes]
              Install routes into a separate routing table for established
              IPsec tunnels.

       charon.install_virtual_ip [yes]
              Install virtual IP addresses.

       charon.install_virtual_ip_on []
              The name of the interface on which virtual IP addresses should
              be installed. If not specified the addresses will be installed
              on the outbound interface.

       charon.integrity_test [no]
              Check daemon, libstrongswan and plugin integrity at startup.

       charon.interfaces_ignore []
              A comma-separated list of network interfaces that should be
              ignored, if interfaces_use is specified this option has no
              effect.

       charon.interfaces_use []
              A comma-separated list of network interfaces that should be used
              by charon. All other interfaces are ignored.

       charon.keep_alive [20s]
              NAT keep alive interval.

       charon.leak_detective.detailed [yes]
              Includes source file names and line numbers in leak detective
              output.

       charon.leak_detective.usage_threshold [10240]
              Threshold in bytes for leaks to be reported (0 to report all).

       charon.leak_detective.usage_threshold_count [0]
              Threshold in number of allocations for leaks to be reported (0
              to report all).

       charon.load []
              Plugins to load in the IKE daemon charon.

       charon.load_modular [no]
              If enabled, the list of plugins to load is determined via the
              value of the charon.plugins.<name>.load options. In addition to
              a simple boolean flag that option may take an integer value
              indicating the priority of a plugin, which would influence the
              order of a plugin in the plugin list (the default is 1). If two
              plugins have the same priority their order in the default plugin
              list is preserved. Enabled plugins not found in that list are
              ordered alphabetically before other plugins with the same
              priority.

       charon.make_before_break [no]
              Initiate IKEv2 reauthentication with a make-before-break instead
              of a break-before-make scheme. Make-before-break uses
              overlapping IKE and CHILD_SA during reauthentication by first
              recreating all new SAs before deleting the old ones. This
              behavior can be beneficial to avoid connectivity gaps during
              reauthentication, but requires support for overlapping SAs by
              the peer. strongSwan can handle such overlapping SAs since
              version 5.3.0.

       charon.max_ikev1_exchanges [3]
              Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep
              state about and track concurrently.

       charon.max_packet [10000]
              Maximum packet size accepted by charon.

       charon.multiple_authentication [yes]
              Enable multiple authentication exchanges (RFC 4739).

       charon.nbns1 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.nbns2 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.plugin.ha.buflen [2048]
              Buffer size for received HA messages. For IKEv1 the public DH
              factors are also transmitted so depending on the DH group the HA
              messages can get quite big (the default should be fine up to
              modp4096).

       charon.plugins.addrblock.strict [yes]
              If set to yes, a subject certificate without an addrblock
              extension is rejected if the issuer certificate has such an
              addrblock extension. If set to no, subject certificates issued
              without the addrblock extension are accepted without any traffic
              selector checks and no policy is enforced by the plugin.

       charon.plugins.android_log.loglevel [1]
              Loglevel for logging to Android specific logger.

       charon.plugins.attr
              Section to specify arbitrary attributes that are assigned to a
              peer via configuration payload (CP).

       charon.plugins.attr.<attr> []
              <attr> can be either address, netmask, dns, nbns, dhcp, subnet,
              split-include, split-exclude or the numeric identifier of the
              attribute type. The assigned value can be an IPv4/IPv6 address,
              a subnet in CIDR notation or an arbitrary value depending on the
              attribute type. For some attribute types multiple values may be
              specified as a comma separated list.

       charon.plugins.attr-sql.crash_recovery [yes]
              Release all online leases during startup. Disable this to share
              the DB between multiple VPN gateways.

       charon.plugins.attr-sql.database []
              Database URI for attr-sql plugin used by charon. If it contains
              a password, make sure to adjust the permissions of the config
              file accordingly.

       charon.plugins.attr-sql.lease_history [yes]
              Enable logging of SQL IP pool leases.

       charon.plugins.bliss.use_bliss_b [yes]
              Use the enhanced BLISS-B key generation and signature algorithm.

       charon.plugins.bypass-lan.interfaces_ignore []
              A comma-separated list of network interfaces for which connected
              subnets should be ignored, if interfaces_use is specified this
              option has no effect.

       charon.plugins.bypass-lan.interfaces_use []
              A comma-separated list of network interfaces for which connected
              subnets should be considered. All other interfaces are ignored.

       charon.plugins.bypass-lan.load [no]

       charon.plugins.certexpire.csv.cron []
              Cron style string specifying CSV export times.

       charon.plugins.certexpire.csv.empty_string []
              String to use in empty intermediate CA fields.

       charon.plugins.certexpire.csv.fixed_fields [yes]
              Use a fixed intermediate CA field count.

       charon.plugins.certexpire.csv.force [yes]
              Force export of all trustchains we have a private key for.

       charon.plugins.certexpire.csv.format [%d:%m:%Y]
              strftime(3) format string to export expiration dates as.

       charon.plugins.certexpire.csv.local []
              strftime(3) format string for the CSV file name to export local
              certificates to.

       charon.plugins.certexpire.csv.remote []
              strftime(3) format string for the CSV file name to export remote
              certificates to.

       charon.plugins.certexpire.csv.separator [,]
              CSV field separator.

       charon.plugins.coupling.file []
              File to store coupling list to.

       charon.plugins.coupling.hash [sha1]
              Hashing algorithm to fingerprint coupled certificates.

       charon.plugins.coupling.max [1]
              Maximum number of coupling entries to create.

       charon.plugins.curl.redir [-1]
              Maximum number of redirects followed by the plugin, set to 0 to
              disable following redirects, set to -1 for no limit.

       charon.plugins.dhcp.force_server_address [no]
              Always use the configured server address. This might be helpful
              if the DHCP server runs on the same host as strongSwan, and the
              DHCP daemon does not listen on the loopback interface. In that
              case the server cannot be reached via unicast (or even
              255.255.255.255) as that would be routed via loopback. Setting
              this option to yes and configuring the local broadcast address
              (e.g. 192.168.0.255) as server address might work.

       charon.plugins.dhcp.identity_lease [no]
              Derive user-defined MAC address from hash of IKE identity and
              send client identity DHCP option.

       charon.plugins.dhcp.interface []
              Interface name the plugin uses for address allocation. The
              default is to bind to any (0.0.0.0) and let the system decide
              which way to route the packets to the DHCP server.

       charon.plugins.dhcp.server [255.255.255.255]
              DHCP server unicast or broadcast IP address.

       charon.plugins.dhcp.use_server_port [no]
              Use the DHCP server port (67) as source port, instead of the
              DHCP client port (68), when a unicast server address is
              configured and the plugin acts as relay agent. When replying in
              this mode the DHCP server will always send packets to the DHCP
              server port and if no process binds that port an ICMP port
              unreachable will be sent back, which might be problematic for
              some DHCP servers. To avoid that, enabling this option will
              cause the plugin to bind the DHCP server port to send its
              requests when acting as relay agent. This is not necessary if a
              DHCP server is already running on the same host and might even
              cause conflicts (and since the server port is already bound,
              ICMPs should not be an issue).

       charon.plugins.dnscert.enable [no]
              Enable fetching of CERT RRs via DNS.

       charon.plugins.drbg.max_drbg_requests [4294967294]
              Number of pseudo-random bit requests from the DRBG before an
              automatic reseeding occurs.

       charon.plugins.duplicheck.enable [yes]
              Enable duplicheck plugin (if loaded).

       charon.plugins.duplicheck.socket [unix://${piddir}/charon.dck]
              Socket provided by the duplicheck plugin.

       charon.plugins.eap-aka.request_identity [yes]

       charon.plugins.eap-aka-3gpp.seq_check []
              Enable to activate sequence check of the AKA SQN values in order
              to trigger resync cycles.

       charon.plugins.eap-aka-3gpp2.seq_check []
              Enable to activate sequence check of the AKA SQN values in order
              to trigger resync cycles.

       charon.plugins.eap-dynamic.prefer_user [no]
              If enabled the EAP methods proposed in an EAP-Nak message sent
              by the peer are preferred over the methods registered locally.

       charon.plugins.eap-dynamic.preferred []
              The preferred EAP method(s) to be used. If it is not given the
              first registered method will be used initially. If a comma
              separated list is given the methods are tried in the given order
              before trying the rest of the registered methods.

       charon.plugins.eap-gtc.backend [pam]
              XAuth backend to be used for credential verification.

       charon.plugins.eap-peap.fragment_size [1024]
              Maximum size of an EAP-PEAP packet.

       charon.plugins.eap-peap.include_length [no]
              Include length in non-fragmented EAP-PEAP packets.

       charon.plugins.eap-peap.max_message_count [32]
              Maximum number of processed EAP-PEAP packets (0 = no limit).

       charon.plugins.eap-peap.phase2_method [mschapv2]
              Phase2 EAP client authentication method.

       charon.plugins.eap-peap.phase2_piggyback [no]
              Phase2 EAP Identity request piggybacked by server onto TLS
              Finished message.

       charon.plugins.eap-peap.phase2_tnc [no]
              Start phase2 EAP TNC protocol after successful client
              authentication.

       charon.plugins.eap-peap.request_peer_auth [no]
              Request peer authentication based on a client certificate.

       charon.plugins.eap-radius.accounting [no]
              Send RADIUS accounting information to RADIUS servers.

       charon.plugins.eap-radius.accounting_close_on_timeout [yes]
              Close the IKE_SA if there is a timeout during interim RADIUS
              accounting updates.

       charon.plugins.eap-radius.accounting_interval [0]
              Interval in seconds for interim RADIUS accounting updates, if
              not specified by the RADIUS server in the Access-Accept message.

       charon.plugins.eap-radius.accounting_requires_vip [no]
              If enabled, accounting is disabled unless an IKE_SA has at least
              one virtual IP. Only for IKEv2, for IKEv1 a virtual IP is
              strictly necessary.

       charon.plugins.eap-radius.accounting_send_class [no]
              If enabled, adds the Class attributes received in Access-Accept
              message to the RADIUS accounting messages.

       charon.plugins.eap-radius.class_group [no]
              Use the class attribute sent in the RADIUS-Accept message as
              group membership information that is compared to the groups
              specified in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.close_all_on_timeout [no]
              Closes all IKE_SAs if communication with the RADIUS server times
              out. If it is not set only the current IKE_SA is closed.

       charon.plugins.eap-radius.dae.enable [no]
              Enables support for the Dynamic Authorization Extension (RFC
              5176).

       charon.plugins.eap-radius.dae.listen [0.0.0.0]
              Address to listen for DAE messages from the RADIUS server.

       charon.plugins.eap-radius.dae.port [3799]
              Port to listen for DAE requests.

       charon.plugins.eap-radius.dae.secret []
              Shared secret used to verify/sign DAE messages. If set, make
              sure to adjust the permissions of the config file accordingly.

       charon.plugins.eap-radius.eap_start [no]
              Send EAP-Start instead of EAP-Identity to start RADIUS
              conversation.

       charon.plugins.eap-radius.filter_id [no]
              If the RADIUS tunnel_type attribute with value ESP is received,
              use the filter_id attribute sent in the RADIUS-Accept message as
              group membership information that is compared to the groups
              specified in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.forward.ike_to_radius []
              RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be
              defined by name or attribute number, a colon can be used to
              specify vendor-specific attributes, e.g. Reply-Message, or 11,
              or 36906:12).

       charon.plugins.eap-radius.forward.radius_to_ike []
              Same as charon.plugins.eap-radius.forward.ike_to_radius but from
              RADIUS to IKEv2, a strongSwan specific private notify (40969) is
              used to transmit the attributes.

       charon.plugins.eap-radius.id_prefix []
              Prefix to EAP-Identity, some AAA servers use an IMSI prefix to
              select the EAP method.

       charon.plugins.eap-radius.nas_identifier [strongSwan]
              NAS-Identifier to include in RADIUS messages.

       charon.plugins.eap-radius.port [1812]
              Port of RADIUS server (authentication).

       charon.plugins.eap-radius.retransmit_base [1.4]
              Base to use for calculating exponential back off.

       charon.plugins.eap-radius.retransmit_timeout [2.0]
              Timeout in seconds before sending first retransmit.

       charon.plugins.eap-radius.retransmit_tries [4]
              Number of times to retransmit a packet before giving up.

       charon.plugins.eap-radius.secret []
              Shared secret between RADIUS and NAS. If set, make sure to
              adjust the permissions of the config file accordingly.

       charon.plugins.eap-radius.server []
              IP/Hostname of RADIUS server.

       charon.plugins.eap-radius.servers
              Section to specify multiple RADIUS servers. The nas_identifier,
              secret, sockets and port (or auth_port) options can be specified
              for each server. A server's IP/Hostname can be configured using
              the address option. The acct_port [1813] option can be used to
              specify the port used for RADIUS accounting. For each RADIUS
              server a priority can be specified using the preference [0]
              option. The retransmission time for each server can be set
              using retransmit_base, retransmit_timeout and retransmit_tries.

       charon.plugins.eap-radius.sockets [1]
              Number of sockets (ports) to use, increase for high load.

       charon.plugins.eap-radius.station_id_with_port [yes]
              Whether to include the UDP port in the Called- and
              Calling-Station-Id RADIUS attributes.

       charon.plugins.eap-radius.xauth
              Section to configure multiple XAuth authentication rounds via
              RADIUS. The subsections define so called authentication profiles
              with arbitrary names. In each profile section one or more XAuth
              types can be configured, with an assigned message. For each type
              a separate XAuth exchange will be initiated and all replies get
              concatenated into the User-Password attribute, which then gets
              verified over RADIUS.

              Available XAuth types are password, passcode, nextpin, and
              answer. This type is not relevant to strongSwan or the AAA
              server, but the client may show a different dialog (along with
              the configured message).

              To use the configured profiles, they have to be configured in
              the respective connection in ipsec.conf(5) by appending the
              profile name, separated by a colon, to the xauth-radius XAuth
              backend configuration in rightauth or rightauth2, for instance,
              rightauth2=xauth-radius:profile.

       charon.plugins.eap-sim.request_identity [yes]

       charon.plugins.eap-simaka-sql.database []

       charon.plugins.eap-simaka-sql.remove_used [no]

       charon.plugins.eap-tls.fragment_size [1024]
              Maximum size of an EAP-TLS packet.

       charon.plugins.eap-tls.include_length [yes]
              Include length in non-fragmented EAP-TLS packets.

       charon.plugins.eap-tls.max_message_count [32]
              Maximum number of processed EAP-TLS packets (0 = no limit).

       charon.plugins.eap-tnc.max_message_count [10]
              Maximum number of processed EAP-TNC packets (0 = no limit).

       charon.plugins.eap-tnc.protocol [tnccs-2.0]
              IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0,
              tnccs-dynamic).

       charon.plugins.eap-ttls.fragment_size [1024]
              Maximum size of an EAP-TTLS packet.

       charon.plugins.eap-ttls.include_length [yes]
              Include length in non-fragmented EAP-TTLS packets.

       charon.plugins.eap-ttls.max_message_count [32]
              Maximum number of processed EAP-TTLS packets (0 = no limit).

       charon.plugins.eap-ttls.phase2_method [md5]
              Phase2 EAP client authentication method.

       charon.plugins.eap-ttls.phase2_piggyback [no]
              Phase2 EAP Identity request piggybacked by server onto TLS
              Finished message.

       charon.plugins.eap-ttls.phase2_tnc [no]
              Start phase2 EAP TNC protocol after successful client
              authentication.

       charon.plugins.eap-ttls.phase2_tnc_method [pt]
              Phase2 EAP TNC transport protocol (pt as IETF standard or legacy
              tnc).

       charon.plugins.eap-ttls.request_peer_auth [no]
              Request peer authentication based on a client certificate.

       charon.plugins.error-notify.socket [unix://${piddir}/charon.enfy]
              Socket provided by the error-notify plugin.

       charon.plugins.ext-auth.script []
              Command to pass to the system shell for peer authorization.
              Authorization is considered successful if the command executes
              normally with an exit code of zero. For all other exit codes
              IKE_SA authorization is rejected.

              The following environment variables get passed to the script:
              IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
1064 IKE_NAME: The peer configuration connection name.
1065 IKE_LOCAL_HOST: Local IKE IP address. IKE_REMOTE_HOST: Remote
1066 IKE IP address. IKE_LOCAL_ID: Local IKE identity.
1067 IKE_REMOTE_ID: Remote IKE identity. IKE_REMOTE_EAP_ID: Remote
1068 EAP or XAuth identity, if used.
1069
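An added example, not part of strongSwan, of a program that could be configured as charon.plugins.ext-auth.script: it reads the variables listed above and exits 0 only when the remote identity is on a per-connection allowlist, failing closed otherwise. The allowlist, the connection names and the install path /usr/local/sbin/ike-authz.py are constructed for the illustration.

```python
#!/usr/bin/env python3
"""Peer-authorization hook for charon.plugins.ext-auth.script.

Added example, not strongSwan code.  charon runs the configured command after
authentication and treats exit code 0 as "authorized"; any other exit code
rejects the IKE_SA.  The environment variables used here are the ones the
manual page lists.  Install e.g. as /usr/local/sbin/ike-authz.py (hypothetical
path) and set charon.plugins.ext-auth.script to it.
"""
import os
import sys

# Constructed policy: for each connection name (IKE_NAME), the remote
# identities that may bring up an IKE_SA.  A leading "*" matches any
# prefix, so "*@ops.example.org" accepts every user of that realm.
ALLOWED = {
    "rw-eap": {"alice@example.org", "*@ops.example.org"},
    "site-to-site": {"C=CH, O=example, CN=gw2.example.org"},
}


def identity_allowed(remote_id, patterns):
    """Return True if remote_id matches one of the allow patterns."""
    for pattern in patterns:
        if pattern.startswith("*"):
            if remote_id.endswith(pattern[1:]):
                return True
        elif pattern == remote_id:
            return True
    return False


def authorize(env):
    """Decide on the environment charon passes; return the exit code.

    0 authorizes the IKE_SA, 1 rejects it.  The EAP/XAuth identity, when
    present, takes precedence over the IKE identity because it is the one
    the AAA backend actually verified.
    """
    conn = env.get("IKE_NAME", "")
    remote_id = env.get("IKE_REMOTE_EAP_ID") or env.get("IKE_REMOTE_ID", "")
    if not conn or not remote_id:
        return 1  # fail closed if charon did not hand us what we need
    patterns = ALLOWED.get(conn)
    if patterns is None:
        return 1  # connections without an explicit policy are rejected
    return 0 if identity_allowed(remote_id, patterns) else 1


def main():
    rc = authorize(os.environ)
    # charon logs the exit code itself; one line on stderr gives the
    # syslog trail the identity that was decided on.
    print("ext-auth: IKE_SA %s (%s) remote %s -> %s" % (
        os.environ.get("IKE_UNIQUE_ID", "?"), os.environ.get("IKE_NAME", "?"),
        os.environ.get("IKE_REMOTE_ID", "?"), "ok" if rc == 0 else "rejected"),
        file=sys.stderr)
    sys.exit(rc)


if __name__ == "__main__":
    main()
```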

       charon.plugins.forecast.groups [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]
              Comma separated list of multicast groups to join locally. The local host receives and forwards packets in the local LAN for joined multicast groups only. Packets matching the list of multicast groups get forwarded to connected clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows clients.

       charon.plugins.forecast.interface []
              Name of the local interface to listen for broadcast messages to forward. If no interface is configured, the first usable interface is used, which is usually just fine for single-homed hosts. If your host has multiple interfaces, set this option to the local LAN interface you want to forward broadcasts from/to.

       charon.plugins.forecast.reinject []
              Comma separated list of CHILD_SA configuration names for which to perform multi/broadcast reinjection. For clients connecting over such a configuration, any multi/broadcast received over the tunnel gets reinjected to all active tunnels. This makes the broadcasts visible to other peers, and for example allows clients to see each other's shares. If disabled, multi/broadcast messages received over a tunnel are injected to the local network only, but not to other IPsec clients.

       charon.plugins.gcrypt.quick_random [no]
              Use faster random numbers in gcrypt; for testing only, produces weak keys!

       charon.plugins.ha.autobalance [0]
              Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable.

       charon.plugins.ha.fifo_interface [yes]

       charon.plugins.ha.heartbeat_delay [1000]

       charon.plugins.ha.heartbeat_timeout [2100]

       charon.plugins.ha.local []

       charon.plugins.ha.monitor [yes]

       charon.plugins.ha.pools []

       charon.plugins.ha.remote []

       charon.plugins.ha.resync [yes]

       charon.plugins.ha.secret []

       charon.plugins.ha.segment_count [1]

       charon.plugins.ipseckey.enable [no]
              Enable fetching of IPSECKEY RRs via DNS.

       charon.plugins.kernel-libipsec.allow_peer_ts [no]
              Allow that the remote traffic selector equals the IKE peer. The route installed for such traffic (via TUN device) usually prevents further IKE traffic. The fwmark options for the kernel-netlink and socket-default plugins can be used to circumvent that problem.

       charon.plugins.kernel-netlink.buflen [<min(PAGE_SIZE, 8192)>]
              Buffer size for received Netlink messages.

       charon.plugins.kernel-netlink.force_receive_buffer_size [no]
              If the maximum Netlink socket receive buffer in bytes set by receive_buffer_size exceeds the system-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. Enabling this option requires special privileges (CAP_NET_ADMIN).

       charon.plugins.kernel-netlink.fwmark []
              Firewall mark to set on the routing rule that directs traffic to our routing table. The format is [!]mark[/mask], where the optional exclamation mark inverts the meaning (i.e. the rule only applies to packets that don't match the mark).

       charon.plugins.kernel-netlink.hw_offload_feature_interface [lo]
              If the kernel supports hardware offloading, the plugin needs to find the feature flag which represents hardware offloading support for network devices. Using the loopback device for this purpose is usually fine, since it should always be present. For rare cases in which the loopback device cannot be used to obtain the appropriate feature flag, this option can be used to specify an alternative interface for offload feature detection.

       charon.plugins.kernel-netlink.ignore_retransmit_errors [no]
              Whether to ignore errors potentially resulting from a retransmission.

       charon.plugins.kernel-netlink.mss [0]
              MSS to set on installed routes, 0 to disable.

       charon.plugins.kernel-netlink.mtu [0]
              MTU to set on installed routes, 0 to disable.

       charon.plugins.kernel-netlink.parallel_route [no]
              Whether to perform concurrent Netlink ROUTE queries on a single socket. While parallel queries can improve throughput, they have more overhead. On vanilla Linux, DUMP queries fail with EBUSY and must be retried, further decreasing performance.

       charon.plugins.kernel-netlink.parallel_xfrm [no]
              Whether to perform concurrent Netlink XFRM queries on a single socket.

       charon.plugins.kernel-netlink.policy_update [no]
              Whether to always use XFRM_MSG_UPDPOLICY to install policies.

       charon.plugins.kernel-netlink.port_bypass [no]
              Whether to use port or socket based IKE XFRM bypass policies. IKE bypass policies are used to exempt IKE traffic from XFRM processing. The default socket based policies are directly tied to the IKE UDP sockets; port based policies use global XFRM bypass policies for the used IKE UDP ports.

       charon.plugins.kernel-netlink.process_rules [no]
              Whether to process changes in routing rules to trigger roam events. This is currently only useful if the kernel based route lookup is used (i.e. if route installation is disabled or an inverted fwmark match is configured).

       charon.plugins.kernel-netlink.receive_buffer_size [0]
              Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default value is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless force_receive_buffer_size is enabled.

       charon.plugins.kernel-netlink.retries [0]
              Number of Netlink message retransmissions to send on timeout.

       charon.plugins.kernel-netlink.roam_events [yes]
              Whether to trigger roam events when interfaces, addresses or routes change.

       charon.plugins.kernel-netlink.set_proto_port_transport_sa [no]
              Whether to set protocol and ports in the selector installed on transport mode IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector.

       charon.plugins.kernel-netlink.spdh_thresh
              XFRM policy hashing threshold configuration for IPv4 and IPv6.

              The section defines hashing thresholds to configure in the kernel during daemon startup. Each address family takes a threshold for the local subnet of an IPsec policy (src in out-policies, dst in in- and forward-policies) and the remote subnet (dst in out-policies, src in in- and forward-policies).

              If the subnet has at least as many net bits as the threshold, the first threshold bits are used to calculate a hash to look up the policy.

              Policy hashing thresholds are not supported before Linux 3.18 and might conflict with socket policies before Linux 4.8.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits [32]
              Local subnet XFRM policy hashing threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits [32]
              Remote subnet XFRM policy hashing threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits [128]
              Local subnet XFRM policy hashing threshold for IPv6.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits [128]
              Remote subnet XFRM policy hashing threshold for IPv6.

       charon.plugins.kernel-netlink.timeout [0]
              Netlink message retransmission timeout, 0 to disable retransmissions.

       charon.plugins.kernel-netlink.xfrm_acq_expires [165]
              Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs allocated by the kernel. The default value equals the total retransmission timeout for IKE messages, see IKEv2 RETRANSMISSION in strongswan.conf(5).
1289
1290
1291 charon.plugins.kernel-pfkey.events_buffer_size [0]
1292 Size of the receive buffer for the event socket (0 for default
1293 size). Because events are received asynchronously installing
1294 e.g. lots of policies may require a larger buffer than the
1295 default on certain platforms in order to receive all messages.
1296
1297
1298 charon.plugins.kernel-pfkey.route_via_internal [no]
1299 Whether to use the internal or external interface in installed
1300 routes. The internal interface is the one where the IP address
1301 contained in the local traffic selector is located, the external
1302 interface is the one over which the destination address of the
1303 IPsec tunnel can be reached. This is not relevant if virtual IPs
1304 are used, for which a TUN device is created that's used in the
1305 routes.
1306
1307
1308 charon.plugins.kernel-pfroute.vip_wait [1000]
1309 Time in ms to wait until virtual IP addresses appear/disappear
1310 before failing.
1311
1312
1313 charon.plugins.led.activity_led []
1314
1315 charon.plugins.led.blink_time [50]
1316
1317 charon.plugins.load-tester
1318 Section to configure the load-tester plugin, see LOAD TESTS in
1319 strongswan.conf(5) for details.
1320
1321
1322 charon.plugins.load-tester.addrs
1323 Section that contains key/value pairs with address pools (in
1324 CIDR notation) to use for a specific network interface e.g. eth0
1325 = 10.10.0.0/16.
1326
1327
1328 charon.plugins.load-tester.addrs_keep [no]
1329 Whether to keep dynamic addresses even after the associated SA
1330 got terminated.
1331
1332
1333 charon.plugins.load-tester.addrs_prefix [16]
1334 Network prefix length to use when installing dynamic addresses.
1335 If set to -1 the full address is used (i.e. 32 or 128).
1336
1337
1338 charon.plugins.load-tester.ca_dir []
1339 Directory to load (intermediate) CA certificates from.
1340
1341
1342 charon.plugins.load-tester.child_rekey [600]
1343 Seconds to start CHILD_SA rekeying after setup.
1344
1345
1346 charon.plugins.load-tester.crl []
1347 URI to a CRL to include as certificate distribution point in
1348 generated certificates.
1349
1350
1351 charon.plugins.load-tester.delay [0]
1352 Delay between initiations for each thread.
1353
1354
1355 charon.plugins.load-tester.delete_after_established [no]
1356 Delete an IKE_SA as soon as it has been established.
1357
1358
1359 charon.plugins.load-tester.digest [sha1]
1360 Digest algorithm used when issuing certificates.
1361
1362
1363 charon.plugins.load-tester.dpd_delay [0]
1364 DPD delay to use in load test.
1365
1366
1367 charon.plugins.load-tester.dynamic_port [0]
1368 Base port to be used for requests (each client uses a different
1369 port).
1370
1371
1372 charon.plugins.load-tester.eap_password [default-pwd]
1373 EAP secret to use in load test.
1374
1375
1376 charon.plugins.load-tester.enable [no]
1377 Enable the load testing plugin. WARNING: Never enable this
1378 plugin on productive systems. It provides preconfigured creden‐
1379 tials and allows an attacker to authenticate as any user.
1380
1381
1382 charon.plugins.load-tester.esp [aes128-sha1]
1383 CHILD_SA proposal to use for load tests.
1384
1385
1386 charon.plugins.load-tester.fake_kernel [no]
1387 Fake the kernel interface to allow load-testing against self.
1388
1389
1390 charon.plugins.load-tester.ike_rekey [0]
1391 Seconds to start IKE_SA rekeying after setup.
1392
1393
1394 charon.plugins.load-tester.init_limit [0]
1395 Global limit of concurrently established SAs during load test.
1396
1397
1398 charon.plugins.load-tester.initiator [0.0.0.0]
1399 Address to initiate from.
1400
1401
1402 charon.plugins.load-tester.initiator_auth [pubkey]
1403 Authentication method(s) the initiator uses.
1404
1405
1406 charon.plugins.load-tester.initiator_id []
1407 Initiator ID used in load test.
1408
1409
1410 charon.plugins.load-tester.initiator_match []
1411 Initiator ID to match against as responder.
1412
1413
1414 charon.plugins.load-tester.initiator_tsi []
1415 Traffic selector on initiator side, as proposed by initiator.
1416
1417
1418 charon.plugins.load-tester.initiator_tsr []
1419 Traffic selector on responder side, as proposed by initiator.
1420
1421
1422 charon.plugins.load-tester.initiators [0]
1423 Number of concurrent initiator threads to use in load test.
1424
1425
1426 charon.plugins.load-tester.issuer_cert []
1427 Path to the issuer certificate (if not configured a hard-coded
1428 default value is used).
1429
1430
1431 charon.plugins.load-tester.issuer_key []
1432 Path to private key that is used to issue certificates (if not
1433 configured a hard-coded default value is used).
1434
1435
1436 charon.plugins.load-tester.iterations [1]
1437 Number of IKE_SAs to initiate by each initiator in load test.
1438
1439
1440 charon.plugins.load-tester.mode [tunnel]
1441 IPsec mode to use, one of tunnel, transport, or beet.
1442
1443
1444
1445 charon.plugins.load-tester.pool []
1446 Provide INTERNAL_IPV4_ADDRs from a named pool.
1447
1448
1449 charon.plugins.load-tester.preshared_key [<default-psk>]
1450 Preshared key to use in load test.
1451
1452
1453 charon.plugins.load-tester.proposal [aes128-sha1-modp768]
1454 IKE proposal to use in load test.
1455
1456
1457 charon.plugins.load-tester.request_virtual_ip [no]
1458 Request an INTERNAL_IPV4_ADDR from the server.
1459
1460
1461 charon.plugins.load-tester.responder [127.0.0.1]
1462 Address to initiation connections to.
1463
1464
1465 charon.plugins.load-tester.responder_auth [pubkey]
1466 Authentication method(s) the responder uses.
1467
1468
1469 charon.plugins.load-tester.responder_id []
1470 Responder ID used in load test.
1471
1472
1473 charon.plugins.load-tester.responder_tsi [initiator_tsi]
1474 Traffic selector on initiator side, as narrowed by responder.
1475
1476
1477 charon.plugins.load-tester.responder_tsr [initiator_tsr]
1478 Traffic selector on responder side, as narrowed by responder.
1479
1480
1481 charon.plugins.load-tester.shutdown_when_complete [no]
1482 Shutdown the daemon after all IKE_SAs have been established.
1483
1484
1485 charon.plugins.load-tester.socket [unix://${piddir}/charon.ldt]
1486 Socket provided by the load-tester plugin.
1487
1488
1489 charon.plugins.load-tester.version [0]
1490 IKE version to use (0 means use IKEv2 as initiator and accept
1491 any version as responder).
1492
1493
1494 charon.plugins.lookip.socket [unix://${piddir}/charon.lkp]
1495 Socket provided by the lookip plugin.
1496
1497
1498 charon.plugins.ntru.parameter_set [optimum]
1499 The following parameter sets are available: x9_98_speed,
1500 x9_98_bandwidth, x9_98_balance and optimum, the last set not
1501 being part of the X9.98 standard but having the best perfor‐
1502 mance.
1503
1504
1505 charon.plugins.openssl.engine_id [pkcs11]
1506 ENGINE ID to use in the OpenSSL plugin.
1507
1508
1509 charon.plugins.openssl.fips_mode [0]
1510 Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B
1511 enabled(2).
1512
1513
1514 charon.plugins.osx-attr.append [yes]
1515 Whether DNS servers are appended to existing entries, instead of
1516 replacing them.
1517
1518
1519 charon.plugins.p-cscf.enable
1520 Section to enable requesting P-CSCF server addresses for indi‐
1521 vidual connections.
1522
1523
1524 charon.plugins.p-cscf.enable.<conn> [no]
1525 <conn> is the name of a connection with an ePDG from which to
1526 request P-CSCF server addresses. Requests will be sent for
1527 addresses of the same families for which internal IPs are
1528 requested.
1529
1530
1531 charon.plugins.pkcs11.modules
1532 List of available PKCS#11 modules.
1533
1534
1535 charon.plugins.pkcs11.modules.<name>.load_certs [yes]
1536 Whether to automatically load certificates from tokens.
1537
1538
1539 charon.plugins.pkcs11.modules.<name>.os_locking [no]
1540 Whether OS locking should be enabled for this module.
1541
1542
1543 charon.plugins.pkcs11.modules.<name>.path []
1544 Full path to the shared object file of this PKCS#11 module.
1545
1546
1547 charon.plugins.pkcs11.reload_certs [no]
1548 Reload certificates from all tokens if charon receives a SIGHUP.
1549
1550
1551 charon.plugins.pkcs11.use_dh [no]
1552 Whether the PKCS#11 modules should be used for DH and ECDH (see
1553 use_ecc option).
1554
1555
1556 charon.plugins.pkcs11.use_ecc [no]
1557 Whether the PKCS#11 modules should be used for ECDH and ECDSA
1558 public key operations. ECDSA private keys can be used regardless
1559 of this option.
1560
1561
1562 charon.plugins.pkcs11.use_hasher [no]
1563 Whether the PKCS#11 modules should be used to hash data.
1564
1565
1566 charon.plugins.pkcs11.use_pubkey [no]
1567 Whether the PKCS#11 modules should be used for public key opera‐
1568 tions, even for keys not stored on tokens.
1569
1570
1571 charon.plugins.pkcs11.use_rng [no]
1572 Whether the PKCS#11 modules should be used as RNG.
1573
1574
1575 charon.plugins.radattr.dir []
1576 Directory where RADIUS attributes are stored in client-ID spe‐
1577 cific files.
1578
1579
1580 charon.plugins.radattr.message_id [-1]
1581 Attributes are added to all IKE_AUTH messages by default (-1),
1582 or only to the IKE_AUTH message with the given IKEv2 message ID.
1583
1584
1585 charon.plugins.random.random [${random_device}]
1586 File to read random bytes from.
1587
1588
1589 charon.plugins.random.strong_equals_true [no]
1590 If set to yes the RNG_STRONG class reads random bytes from the
1591 same source as the RNG_TRUE class.
1592
1593
1594 charon.plugins.random.urandom [${urandom_device}]
1595 File to read pseudo random bytes from.
1596
1597
1598 charon.plugins.resolve.file [/etc/resolv.conf]
1599 File where to add DNS server entries.
1600
1601
1602 charon.plugins.resolve.resolvconf.iface_prefix [lo.inet.ipsec.]
1603 Prefix used for interface names sent to resolvconf(8). The
1604 nameserver address is appended to this prefix to make it unique.
1605 The result has to be a valid interface name according to the
1606 rules defined by resolvconf. Also, it should have a high prior‐
1607 ity according to the order defined in interface-order(5).
1608
1609
1610
1611 charon.plugins.revocation.enable_crl [yes]
1612 Whether CRL validation should be enabled.
1613
1614
1615 charon.plugins.revocation.enable_ocsp [yes]
1616 Whether OCSP validation should be enabled.
1617
1618
1619 charon.plugins.save-keys.esp [no]
1620 Whether to save ESP keys.
1621
1622
1623 charon.plugins.save-keys.ike [no]
1624 Whether to save IKE keys.
1625
1626
1627 charon.plugins.save-keys.load [no]
1628 Whether to load the plugin.
1629
1630
1631 charon.plugins.save-keys.wireshark_keys []
1632 Directory where the keys are stored in the format supported by
1633 Wireshark. IKEv1 keys are stored in the ikev1_decryption_table
1634 file. IKEv2 keys are stored in the ikev2_decryption_table file.
1635 Keys for ESP CHILD_SAs are stored in the esp_sa file.
1636
1637
1638 charon.plugins.socket-default.fwmark []
1639 Firewall mark to set on outbound packets.
1640
1641
1642 charon.plugins.socket-default.set_source [yes]
1643 Set source address on outbound packets, if possible.
1644
1645
1646 charon.plugins.socket-default.set_sourceif [no]
1647 Force sending interface on outbound packets, if possible. This
1648 allows using IPv6 link-local addresses as tunnel endpoints.
1649
1650
1651 charon.plugins.socket-default.use_ipv4 [yes]
1652 Listen on IPv4, if possible.
1653
1654
1655 charon.plugins.socket-default.use_ipv6 [yes]
1656 Listen on IPv6, if possible.
1657
1658
1659 charon.plugins.sql.database []
1660 Database URI for charon's SQL plugin. If it contains a password,
1661 make sure to adjust the permissions of the config file accord‐
1662 ingly.
1663
1664
1665 charon.plugins.sql.loglevel [-1]
1666 Loglevel for logging to SQL database.
1667
1668
1669 charon.plugins.stroke.allow_swap [yes]
1670 Analyze addresses/hostnames in left|right to detect which side
1671 is local and swap configuration options if necessary. If dis‐
1672 abled left is always local.
1673
1674
1675
1676 charon.plugins.stroke.ignore_missing_ca_basic_constraint [no]
1677 Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections
1678 as CA certificates even if they don't contain a CA basic con‐
1679 straint.
1680
1681
1682 charon.plugins.stroke.max_concurrent [4]
1683 Maximum number of stroke messages handled concurrently.
1684
1685
1686 charon.plugins.stroke.prevent_loglevel_changes [no]
1687 If enabled log level changes via stroke socket are not allowed.
1688
1689
1690 charon.plugins.stroke.secrets_file [${sysconfdir}/ipsec.secrets]
1691 Location of the ipsec.secrets file
1692
1693
1694 charon.plugins.stroke.socket [unix://${piddir}/charon.ctl]
1695 Socket provided by the stroke plugin.
1696
1697
1698 charon.plugins.stroke.timeout [0]
1699 Timeout in ms for any stroke command. Use 0 to disable the time‐
1700 out.
1701
1702
1703 charon.plugins.systime-fix.interval [0]
1704 Interval in seconds to check system time for validity. 0 dis‐
1705 ables the check.
1706
1707
1708 charon.plugins.systime-fix.reauth [no]
1709 Whether to use reauth or delete if an invalid cert lifetime is
1710 detected.
1711
1712
1713 charon.plugins.systime-fix.threshold []
1714 Threshold date where system time is considered valid. Disabled
1715 if not specified.
1716
1717
1718 charon.plugins.systime-fix.threshold_format [%Y]
1719 strptime(3) format used to parse threshold option.
1720
1721
1722 charon.plugins.systime-fix.timeout [0s]
1723 How long to wait for a valid system time if an interval is con‐
1724 figured. 0 to recheck indefinitely.
1725
1726
1727 charon.plugins.tnc-ifmap.client_cert []
1728 Path to X.509 certificate file of IF-MAP client.
1729
1730
1731 charon.plugins.tnc-ifmap.client_key []
1732 Path to private key file of IF-MAP client.
1733
1734
1735 charon.plugins.tnc-ifmap.device_name []
1736 Unique name of strongSwan server as a PEP and/or PDP device.
1737
1738
1739 charon.plugins.tnc-ifmap.renew_session_interval [150]
1740 Interval in seconds between periodic IF-MAP RenewSession
1741 requests.
1742
1743
1744 charon.plugins.tnc-ifmap.server_cert []
1745 Path to X.509 certificate file of IF-MAP server.
1746
1747
1748 charon.plugins.tnc-ifmap.server_uri [https://localhost:8444/imap]
1749 URI of the form [https://]servername[:port][/path].
1750
1751
1752 charon.plugins.tnc-ifmap.username_password []
1753 Credentials of IF-MAP client of the form username:password. If
1754 set, make sure to adjust the permissions of the config file
1755 accordingly.
1756
1757
1758 charon.plugins.tnc-imc.dlclose [yes]
1759 Unload IMC after use.
1760
1761
1762 charon.plugins.tnc-imc.preferred_language [en]
1763 Preferred language for TNC recommendations.
1764
1765
1766 charon.plugins.tnc-imv.dlclose [yes]
1767 Unload IMV after use.
1768
1769
1770 charon.plugins.tnc-imv.recommendation_policy [default]
1771 TNC recommendation policy, one of default, any, or all.
1772
1773
1774
1775 charon.plugins.tnc-pdp.pt_tls.enable [yes]
1776 Enable PT-TLS protocol on the strongSwan PDP.
1777
1778
1779 charon.plugins.tnc-pdp.pt_tls.port [271]
1780 PT-TLS server port the strongSwan PDP is listening on.
1781
1782
1783 charon.plugins.tnc-pdp.radius.enable [yes]
1784 Enable RADIUS protocol on the strongSwan PDP.
1785
1786
1787 charon.plugins.tnc-pdp.radius.method [ttls]
1788 EAP tunnel method to be used.
1789
1790
1791 charon.plugins.tnc-pdp.radius.port [1812]
1792 RADIUS server port the strongSwan PDP is listening on.
1793
1794
1795 charon.plugins.tnc-pdp.radius.secret []
1796 Shared RADIUS secret between strongSwan PDP and NAS. If set,
1797 make sure to adjust the permissions of the config file accord‐
1798 ingly.
1799
1800
1801 charon.plugins.tnc-pdp.server []
1802 Name of the strongSwan PDP as contained in the AAA certificate.
1803
1804
1805 charon.plugins.tnc-pdp.timeout []
1806 Timeout in seconds before closing incomplete connections.
1807
1808
1809 charon.plugins.tnccs-11.max_message_size [45000]
1810 Maximum size of a PA-TNC message (XML & Base64 encoding).
1811
1812
1813 charon.plugins.tnccs-20.max_batch_size [65522]
1814 Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
1815
1816
1817 charon.plugins.tnccs-20.max_message_size [65490]
1818 Maximum size of a PA-TNC message (upper limit via PT-EAP =
1819 65497).
1820
1821
1822 charon.plugins.tnccs-20.mutual [no]
1823 Enable PB-TNC mutual protocol.
1824
1825
1826 charon.plugins.tnccs-20.tests.pb_tnc_noskip [no]
1827 Send an unsupported PB-TNC message type with the NOSKIP flag
1828 set.
1829
1830
1831 charon.plugins.tnccs-20.tests.pb_tnc_version [2]
1832 Send a PB-TNC batch with a modified PB-TNC version.
1833
1834
1835 charon.plugins.tpm.fips_186_4 [no]
1836 Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the
1837 default salt length instead of maximum salt length with RSAPSS
1838 padding.
1839
1840
1841 charon.plugins.tpm.tcti.name [device|tabrmd]
1842 Name of TPM 2.0 TCTI library. Valid values: tabrmd, device or
1843 mssim. Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0
1844 resource manager device exists, and tabrmd otherwise, requiring
1845 the d-bus based TPM 2.0 access broker and resource manager to be
1846 available.
1847
1848
1849 charon.plugins.tpm.tcti.opts [/dev/tpmrm0|<none>]
1850 Options for the TPM 2.0 TCTI library. Defaults are /dev/tpmrm0
1851 if the TCTI library name is device and no options otherwise.
1852
1853
1854 charon.plugins.tpm.use_rng [no]
1855 Whether the TPM should be used as RNG.
1856
1857
1858 charon.plugins.unbound.dlv_anchors []
1859 File to read trusted keys for DLV (DNSSEC Lookaside Validation)
1860 from. It uses the same format as trust_anchors. Only one DLV
1861 can be configured, which is then used as a root trusted DLV,
1862 this means that it is a lookaside for the root.
1863
1864
1865 charon.plugins.unbound.resolv_conf [/etc/resolv.conf]
1866 File to read DNS resolver configuration from.
1867
1868
1869 charon.plugins.unbound.trust_anchors [/etc/ipsec.d/dnssec.keys]
1870 File to read DNSSEC trust anchors from (usually root zone KSK).
1871 The format of the file is the standard DNS Zone file format,
1872 anchors can be stored as DS or DNSKEY entries in the file.
1873
1874
1875 charon.plugins.updown.dns_handler [no]
1876 Whether the updown script should handle DNS servers assigned via
1877 IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they
1878 can't be handled by other plugins, like resolve)
1879
1880
1881 charon.plugins.vici.socket [unix://${piddir}/charon.vici]
1882 Socket the vici plugin serves clients.
1883
1884
1885 charon.plugins.whitelist.enable [yes]
1886 Enable loaded whitelist plugin.
1887
1888
1889 charon.plugins.whitelist.socket [unix://${piddir}/charon.wlst]
1890 Socket provided by the whitelist plugin.
1891
1892
1893 charon.plugins.wolfssl.fips_mode [no]
1894 Enable to prevent loading the plugin if wolfSSL is not in FIPS
1895 mode.
1896
1897
1898 charon.plugins.xauth-eap.backend [radius]
1899 EAP plugin to be used as backend for XAuth credential verifica‐
1900 tion.
1901
1902
1903 charon.plugins.xauth-pam.pam_service [login]
1904 PAM service to be used for authentication.
1905
1906
1907 charon.plugins.xauth-pam.session [no]
1908 Open/close a PAM session for each active IKE_SA.
1909
1910
1911 charon.plugins.xauth-pam.trim_email [yes]
1912 If an email address is received as an XAuth username, trim it to
1913 just the username part.
1914
1915
1916 charon.port [500]
1917 UDP port used locally. If set to 0 a random port will be allo‐
1918 cated.
1919
1920
1921 charon.port_nat_t [4500]
1922 UDP port used locally in case of NAT-T. If set to 0 a random
1923 port will be allocated. Has to be different from charon.port,
1924 otherwise a random port will be allocated.
1925
1926
1927 charon.prefer_best_path [no]
1928 By default, charon keeps SAs on the routing path with addresses
1929 it previously used if that path is still usable. By setting this
1930 option to yes, it tries more aggressively to update SAs with
1931 MOBIKE on routing priority changes using the cheapest path. This
1932 adds more noise, but allows to dynamically adapt SAs to routing
1933 priority changes. This option has no effect if MOBIKE is not
1934 supported or disabled.
1935
1936
1937 charon.prefer_configured_proposals [yes]
1938 Prefer locally configured proposals for IKE/IPsec over supplied
1939 ones as responder (disabling this can avoid keying retries due
1940 to INVALID_KE_PAYLOAD notifies).
1941
1942
1943 charon.prefer_temporary_addrs [no]
1944 By default, permanent IPv6 source addresses are preferred over
1945 temporary ones (RFC 4941), to make connections more stable.
1946 Enable this option to reverse this.
1947
1948 It also affects which IPv6 addresses are announced as additional
1949 addresses if MOBIKE is used. If the option is disabled, only
1950 permanent addresses are sent, and only temporary ones if it is
1951 enabled.
1952
1953
1954 charon.process_route [yes]
1955 Process RTM_NEWROUTE and RTM_DELROUTE events.
1956
1957
1958 charon.processor.priority_threads
1959 Section to configure the number of reserved threads per priority
1960 class, see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
1961
1962
1963
1964 charon.rdn_matching [strict]
1965 How RDNs in subject DNs of certificates are matched against con‐
1966 figured identities. Possible values are strict (the default),
1967 reordered, and relaxed. With strict the number, type and order
1968 of all RDNs has to match, wildcards (*) for the values of RDNs
1969 are allowed (that's the case for all three variants). Using
1970 reordered also matches DNs if the RDNs appear in a different
1971 order, the number and type still has to match. Finally, relaxed
1972 also allows matches of DNs that contain more RDNs than the con‐
1973 figured identity (missing RDNs are treated like a wildcard
1974 match).
1975
1976 Note that reordered and relaxed impose a considerable overhead
1977 on memory usage and runtime, in particular, for mismatches, com‐
1978 pared to strict.
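As an added illustration (not part of strongSwan or this manual), the three matching modes modelled in Python. strongSwan's matcher works on ASN.1-encoded subject DNs; here a DN is a constructed comma-separated "TYPE=value" string without escaping, and only the wildcard and ordering semantics described above are reproduced.

```python
# Added example, not strongSwan code: models the three charon.rdn_matching
# modes on simplified DNs. Real subject DNs are ASN.1 sequences of RDN
# sets; here a DN is a comma-separated "TYPE=value" string without
# escaping (a constructed simplification). Wildcard "*" semantics follow
# the man page text above.
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "moon.strongswan.org")


def parse_dn(dn: str) -> List[RDN]:
    """Parse 'C=CH, O=strongSwan, CN=*' into [('C', 'CH'), ('O', 'strongSwan'), ('CN', '*')]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _value_matches(configured: str, actual: str) -> bool:
    # "*" in the configured identity matches any value of that RDN type
    return configured == "*" or configured == actual


def match_strict(configured: List[RDN], subject: List[RDN]) -> bool:
    """strict: number, type and order of all RDNs must match."""
    if len(configured) != len(subject):
        return False
    return all(ct == st and _value_matches(cv, sv)
               for (ct, cv), (st, sv) in zip(configured, subject))


def _match_unordered(configured: List[RDN], subject: List[RDN], allow_extra: bool) -> bool:
    # Match exact values before wildcards so a greedy pass cannot steal an
    # RDN that a later exact entry needs.
    remaining = list(subject)
    for ct, cv in sorted(configured, key=lambda rdn: rdn[1] == "*"):
        for i, (st, sv) in enumerate(remaining):
            if ct == st and _value_matches(cv, sv):
                del remaining[i]
                break
        else:
            return False            # a configured RDN has no counterpart
    return allow_extra or not remaining


def match_reordered(configured: List[RDN], subject: List[RDN]) -> bool:
    """reordered: any order, but number and type of RDNs must still match."""
    return _match_unordered(configured, subject, allow_extra=False)


def match_relaxed(configured: List[RDN], subject: List[RDN]) -> bool:
    """relaxed: like reordered, and the subject may carry additional RDNs."""
    return _match_unordered(configured, subject, allow_extra=True)


MODES = {"strict": match_strict, "reordered": match_reordered, "relaxed": match_relaxed}


def rdn_match(mode: str, configured_dn: str, subject_dn: str) -> bool:
    """Match a certificate subject DN against a configured identity under one mode."""
    return MODES[mode](parse_dn(configured_dn), parse_dn(subject_dn))
```

The practical consequence is visible in the relaxed mode: a certificate whose subject carries an extra RDN (say an added OU) still matches an identity that never mentioned it, so relaxed should only be enabled when the issuing CA's naming discipline is trusted.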
1979
1980
1981
1982 charon.receive_delay [0]
1983 Delay in ms for receiving packets, to simulate larger RTT.
1984
1985
1986 charon.receive_delay_request [yes]
1987 Delay request messages.
1988
1989
1990 charon.receive_delay_response [yes]
1991 Delay response messages.
1992
1993
1994 charon.receive_delay_type [0]
1995 Specific IKEv2 message type to delay, 0 for any.
1996
1997
1998 charon.replay_window [32]
1999 Size of the AH/ESP replay window, in packets.
2000
2001
2002 charon.retransmit_base [1.8]
2003 Base to use for calculating exponential back off, see IKEv2
2004 RETRANSMISSION in strongswan.conf(5).
2005
2006
2007
2008 charon.retransmit_jitter [0]
2009 Maximum jitter in percent to apply randomly to calculated
2010 retransmission timeout (0 to disable).
2011
2012
2013 charon.retransmit_limit [0]
2014 Upper limit in seconds for calculated retransmission timeout (0
2015 to disable).
2016
2017
2018 charon.retransmit_timeout [4.0]
2019 Timeout in seconds before sending first retransmit.
2020
2021
2022 charon.retransmit_tries [5]
2023 Number of times to retransmit a packet before giving up.
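As an added illustration (not part of strongSwan or this manual), the schedule that the retransmit_* settings above produce. The timeout * base^n progression and the documented defaults are taken from this manual; that retransmit_limit caps each individual timeout and that jitter only ever shortens the capped value is this example's reading of charon's task manager and should be treated as an assumption.

```python
# Added example, not strongSwan code: computes the IKEv2 retransmission
# schedule for a given set of charon.retransmit_* settings. The
# timeout * base^n progression follows the man page; capping by
# retransmit_limit before subtracting up to retransmit_jitter percent is
# an assumption about charon's exact arithmetic.
import random
from typing import List, Optional


def retransmit_schedule(timeout: float = 4.0, base: float = 1.8, tries: int = 5,
                        limit: float = 0.0, jitter: int = 0,
                        seed: Optional[int] = None) -> List[float]:
    """Return the wait in seconds after each transmission.

    Entry n is the delay after the n-th send (0 = the original message), so the
    list has tries + 1 entries and its sum is the time until the peer is given up.
    """
    if timeout <= 0 or base < 1 or tries < 0:
        raise ValueError("timeout must be > 0, base >= 1 and tries >= 0")
    if not 0 <= jitter < 100:
        raise ValueError("jitter is a percentage in [0, 100)")
    rng = random.Random(seed)
    waits = []
    for n in range(tries + 1):
        t = timeout * base ** n
        if limit > 0:
            t = min(t, limit)                      # retransmit_limit caps each timeout
        if jitter:
            t -= t * jitter / 100.0 * rng.random()  # jitter only shortens the wait
        waits.append(t)
    return waits


def time_until_dead(**settings) -> float:
    """Total seconds from the first send until charon gives up on the peer."""
    return sum(retransmit_schedule(**settings))


if __name__ == "__main__":
    for n, w in enumerate(retransmit_schedule()):
        print(f"after send #{n}: wait {w:6.2f}s")
    print(f"defaults: peer given up after {time_until_dead():.1f}s")
    print(f"retransmit_limit = 30: {time_until_dead(limit=30):.1f}s")
```

With the defaults the waits are 4, 7.2, 12.96, 23.3, 42 and 75.6 seconds, about 165 seconds in total; a retransmit_limit of 30 brings that down to roughly 107 seconds without touching the early, fast retries.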
2024
2025
2026 charon.retry_initiate_interval [0]
2027 Interval in seconds to use when retrying to initiate an IKE_SA
2028 (e.g. if DNS resolution failed), 0 to disable retries.
2029
2030
2031 charon.reuse_ikesa [yes]
2032 Initiate CHILD_SA within existing IKE_SAs (always enabled for
2033 IKEv1).
2034
2035
2036 charon.routing_table []
2037 Numerical routing table to install routes to.
2038
2039
2040 charon.routing_table_prio []
2041 Priority of the routing table.
2042
2043
2044 charon.rsa_pss [no]
2045 Whether to use RSA with PSS padding instead of PKCS#1 padding by
2046 default.
2047
2048
2049 charon.send_delay [0]
2050 Delay in ms for sending packets, to simulate larger RTT.
2051
2052
2053 charon.send_delay_request [yes]
2054 Delay request messages.
2055
2056
2057 charon.send_delay_response [yes]
2058 Delay response messages.
2059
2060
2061 charon.send_delay_type [0]
2062 Specific IKEv2 message type to delay, 0 for any.
2063
2064
2065 charon.send_vendor_id [no]
2066 Send the strongSwan vendor ID payload.
2067
2068
2069 charon.signature_authentication [yes]
2070 Whether to enable Signature Authentication as per RFC 7427.
2071
2072
2073 charon.signature_authentication_constraints [yes]
2074 If enabled, signature schemes configured in rightauth, in addi‐
2075 tion to getting used as constraints against signature schemes
2076 employed in the certificate chain, are also used as constraints
2077 against the signature scheme used by peers during IKEv2.
2078
2079
2080 charon.spi_label [0x0000000000000000]
2081 Value mixed into the local IKE SPIs after applying spi_mask.
2082
2083
2084
2085 charon.spi_mask [0x0000000000000000]
2086 Mask applied to local IKE SPIs before mixing in spi_label (bits
2087 set will be replaced with spi_label).
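As an added illustration (not part of strongSwan or this manual), how spi_mask and spi_label shape a local IKE SPI and how a firewall or log pipeline can recognise SPIs issued by one gateway. The SPI is treated as the 64-bit integer as it appears on the wire (most significant byte first); that mask and label combine as (spi & ~mask) | (label & mask) is this example's reading of the description above, not verified against charon's source.

```python
# Added example, not strongSwan code: shows how charon.spi_mask and
# charon.spi_label shape the local 64-bit IKE SPI. The SPI is handled
# as the integer seen on the wire (big endian); combining the values as
# (random & ~mask) | (label & mask) is this example's reading of the
# man page text, not charon's verified arithmetic.
import secrets

SPI_BITS = 64
SPI_MASK_ALL = (1 << SPI_BITS) - 1


def normalise_label(mask: int, label: int) -> int:
    """Label bits outside the mask can never appear in a SPI; drop them."""
    return label & mask


def label_spi(random_spi: int, mask: int, label: int) -> int:
    """Replace the masked bits of a random SPI with the (masked) label."""
    if not 0 <= random_spi <= SPI_MASK_ALL or not 0 <= mask <= SPI_MASK_ALL:
        raise ValueError("SPI and mask must be 64-bit values")
    return (random_spi & ~mask & SPI_MASK_ALL) | normalise_label(mask, label)


def new_local_spi(mask: int, label: int) -> int:
    """Generate a fresh local IKE SPI under the given mask/label settings."""
    return label_spi(secrets.randbits(SPI_BITS), mask, label)


def spi_matches_label(spi: int, mask: int, label: int) -> bool:
    """True if the SPI carries this gateway's label in the masked bits."""
    return (spi & mask) == normalise_label(mask, label)


def entropy_bits(mask: int) -> int:
    """Random bits left in a SPI once the masked bits are fixed."""
    return SPI_BITS - bin(mask & SPI_MASK_ALL).count("1")


if __name__ == "__main__":
    mask, label = 0xff00000000000000, 0x4200000000000000   # constructed settings
    spi = new_local_spi(mask, label)
    print(f"spi={spi:016x} ours={spi_matches_label(spi, mask, label)} "
          f"random bits left={entropy_bits(mask)}")
```

Every masked bit is one bit of randomness removed from the SPI, so keep the mask to the few bits an operator actually needs to distinguish gateways; a label that is too wide makes local SPIs predictable.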
2088
2089
2090
2091 charon.spi_max [0xcfffffff]
2092 The upper limit for SPIs requested from the kernel for IPsec
2093 SAs.
2094
2095
2096 charon.spi_min [0xc0000000]
2097 The lower limit for SPIs requested from the kernel for IPsec
2098 SAs. Should not be set lower than 0x00000100 (256), as SPIs
2099 between 1 and 255 are reserved by IANA.
2100
2101
2102 charon.start-scripts
2103 Section containing a list of scripts (name = path) that are exe‐
2104 cuted when the daemon is started.
2105
2106
2107 charon.stop-scripts
2108 Section containing a list of scripts (name = path) that are exe‐
2109 cuted when the daemon is terminated.
2110
2111
2112 charon.syslog
2113 Section to define syslog loggers, see LOGGER CONFIGURATION in
2114 strongswan.conf(5).
2115
2116
2117
2118 charon.syslog.<facility>
2119 <facility> is one of the supported syslog facilities, see LOGGER
2120 CONFIGURATION in strongswan.conf(5).
2121
2122
2123
2124 charon.syslog.<facility>.<subsystem> [<default>]
2125 Loglevel for a specific subsystem.
2126
2127
2128 charon.syslog.<facility>.default [1]
2129 Specifies the default loglevel to be used for subsystems for
2130 which no specific loglevel is defined.
2131
2132
2133 charon.syslog.<facility>.ike_name [no]
2134 Prefix each log entry with the connection name and a unique
2135 numerical identifier for each IKE_SA.
2136
2137
2138 charon.syslog.identifier []
2139 Global identifier used for an openlog(3) call, prepended to each
2140 log message by syslog. If not configured, openlog(3) is not
2141 called, so the value will depend on system defaults (often the
2142 program name).
2143
2144
2145 charon.threads [16]
2146 Number of worker threads in charon. Several of these are
2147 reserved for long running tasks in internal modules and plugins.
2148 Therefore, make sure you don't set this value too low. The
2149 number of idle worker threads listed in ipsec statusall can be
2150 used as an indicator of the number of reserved threads.
2151
2152
2153 charon.tls.cipher []
2154 List of TLS encryption ciphers.
2155
2156
2157 charon.tls.key_exchange []
2158 List of TLS key exchange methods.
2159
2160
2161 charon.tls.mac []
2162 List of TLS MAC algorithms.
2163
2164
2165 charon.tls.suites []
2166 List of TLS cipher suites.
2167
2168
2169 charon.tnc.tnc_config [/etc/tnc_config]
2170 TNC IMC/IMV configuration file.
2171
2172
2173 charon.user []
2174 Name of the user the daemon changes to after startup.
2175
2176
2177 charon.x509.enforce_critical [yes]
2178 Discard certificates with unsupported or unknown critical exten‐
2179 sions.
2180
2181
2182 charon-nm.ca_dir [<default>]
2183 Directory from which to load CA certificates if no certificate
2184 is configured.
2185
2186
2187 charon-systemd.journal
2188 Section to configure native systemd journal logger, very similar
2189 to the syslog logger as described in LOGGER CONFIGURATION in
2190 strongswan.conf(5).
2191
2192
2193
2194 charon-systemd.journal.<subsystem> [<default>]
2195 Loglevel for a specific subsystem.
2196
2197
2198 charon-systemd.journal.default [1]
2199 Specifies the default loglevel to be used for subsystems for
2200 which no specific loglevel is defined.
2201
2202
2203 imv_policy_manager.command_allow []
2204 Shell command to be executed with recommendation allow.
2205
2206
2207 imv_policy_manager.command_block []
2208 Shell command to be executed with all other recommendations.
2209
2210
2211 imv_policy_manager.database []
2212 Database URI for the database that stores the package informa‐
2213 tion. If it contains a password, make sure to adjust the permis‐
2214 sions of the config file accordingly.
2215
2216
2217 imv_policy_manager.load [sqlite]
2218 Plugins to load in IMV policy manager.
2219
2220
2221 libimcv.debug_level [1]
2222 Debug level for a stand-alone libimcv library.
2223
2224
2225 libimcv.load [random nonce gmp pubkey x509]
2226 Plugins to load in IMC/IMVs with stand-alone libimcv library.
2227
2228
2229 libimcv.plugins.imc-attestation.aik_blob []
2230 AIK encrypted private key blob file.
2231
2232
2233 libimcv.plugins.imc-attestation.aik_cert []
2234 AIK certificate file.
2235
2236
2237 libimcv.plugins.imc-attestation.aik_handle []
2238 AIK object handle.
2239
2240
2241 libimcv.plugins.imc-attestation.aik_pubkey []
2242 AIK public key file.
2243
2244
2245 libimcv.plugins.imc-attestation.mandatory_dh_groups [yes]
2246 Enforce mandatory Diffie-Hellman groups.
2247
2248
2249 libimcv.plugins.imc-attestation.nonce_len [20]
2250 DH nonce length.
2251
2252
2253 libimcv.plugins.imc-attestation.pcr17_after []
2254 PCR17 value after measurement.
2255
2256
2257 libimcv.plugins.imc-attestation.pcr17_before []
2258 PCR17 value before measurement.
2259
2260
2261 libimcv.plugins.imc-attestation.pcr17_meas []
2262 Dummy measurement value extended into PCR17 if the TBOOT log is
2263 not available.
2264
2265
2266 libimcv.plugins.imc-attestation.pcr18_after []
2267 PCR18 value after measurement.
2268
2269
2270 libimcv.plugins.imc-attestation.pcr18_before []
2271 PCR18 value before measurement.
2272
2273
2274 libimcv.plugins.imc-attestation.pcr18_meas []
2275 Dummy measurement value extended into PCR18 if the TBOOT log is
2276 not available.
2277
2278
2279 libimcv.plugins.imc-attestation.pcr_info [no]
2280 Whether to send pcr_before and pcr_after info.
2281
2282
2283 libimcv.plugins.imc-attestation.use_quote2 [yes]
2284 Use Quote2 AIK signature instead of Quote signature.
2285
2286
2287 libimcv.plugins.imc-attestation.use_version_info [no]
2288 Include version info in the Quote2 signature.
2289
2290
2291 libimcv.plugins.imc-hcd.push_info [yes]
2292 Send quadruple info without being prompted.
2293
2294
2295 libimcv.plugins.imc-hcd.subtypes []
2296 Section to define PWG HCD PA subtypes.
2297
2298
2299 libimcv.plugins.imc-hcd.subtypes.<section> []
2300 Defines a PWG HCD PA subtype section. Recognized subtype section
2301 names are system, control, marker, finisher, interface and scan‐
2302 ner.
2303
2304
2305
2306 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> []
2307 Defines a software type section. Recognized software type sec‐
2308 tion names are firmware, resident_application and user_applica‐
2309 tion.
2310
2311
2312
2313 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> []
2314 Defines a software section having an arbitrary name.
2315
2316
2317 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name []
2318 Name of the software installed on the hardcopy device.
2319
2320
2321 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches
2322 []
2323 String describing all patches applied to the given software on
2324 this hardcopy device. The individual patches are separated by a
2325 newline character '\n'.
2326
2327
2328 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<soft‐
2329 ware>.string_version []
2330 String describing the version of the given software on this
2331 hardcopy device.
2332
2333
2334 libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version
2335 []
2336 Hex-encoded version string with a length of 16 octets consisting
2337 of the fields major version number (4 octets), minor version
2338 number (4 octets), build number (4 octets), service pack major
2339 number (2 octets) and service pack minor number (2 octets).
2340
2341
2342 libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language
2343 [en]
2344 Variable-length natural language tag conforming to RFC 5646 that
2345 specifies the language to be used in the health assessment
2346 message of a given subtype.
2347
2348
2349 libimcv.plugins.imc-hcd.subtypes.system.certification_state []
2350 Hex-encoded certification state.
2351
2352
2353 libimcv.plugins.imc-hcd.subtypes.system.configuration_state []
2354 Hex-encoded configuration state.
2355
2356
2357 libimcv.plugins.imc-hcd.subtypes.system.machine_type_model []
2358 String specifying the machine type and model of the hardcopy
2359 device.
2360
2361
2362 libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled [no]
2363 Specifies if a PSTN facsimile interface is installed and enabled
2364 on the hardcopy device.
2365
2366
2367 libimcv.plugins.imc-hcd.subtypes.system.time_source []
2368 String specifying the hostname of the network time server used
2369 by the hardcopy device.
2370
2371
2372 libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled [no]
2373 Specifies if users can dynamically download and execute applica‐
2374 tions on the hardcopy device.
2375
2376
2377 libimcv.plugins.imc-hcd.subtypes.system.user_application_persis‐
2378 tence_enabled [no]
2379 Specifies if user dynamically downloaded applications can per‐
2380 sist outside the boundaries of a single job on the hardcopy
2381 device.
2382
2383
2384 libimcv.plugins.imc-hcd.subtypes.system.vendor_name []
2385 String specifying the manufacturer of the hardcopy device.
2386
2387
2388 libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code []
2389 Integer specifying the globally unique 24-bit SMI code assigned
2390 to the manufacturer of the hardcopy device.
2391
2392
2393 libimcv.plugins.imc-os.device_cert []
2394 Manually set the path to the client device certificate (e.g.
2395 /etc/pts/aikCert.der)
2396
2397
2398 libimcv.plugins.imc-os.device_handle []
2399 Manually set handle to a private key bound to a smartcard or TPM
2400 (e.g. 0x81010004)
2401
2402
2403 libimcv.plugins.imc-os.device_id []
2404 Manually set the client device ID in hexadecimal format (e.g.
2405 1083f03988c9762703b1c1080c2e46f72b99cc31)
2406
2407
2408 libimcv.plugins.imc-os.device_pubkey []
2409 Manually set the path to the client device public key (e.g.
2410 /etc/pts/aikPub.der)
2411
2412
2413 libimcv.plugins.imc-os.push_info [yes]
2414 Send operating system info without being prompted.
2415
2416
2417 libimcv.plugins.imc-scanner.push_info [yes]
2418 Send open listening ports without being prompted.
2419
2420
2421 libimcv.plugins.imc-swima.eid_epoch [0x11223344]
2422 Set 32 bit epoch value for event IDs manually if software col‐
2423 lector database is not available.
2424
2425
2426 libimcv.plugins.imc-swima.subscriptions [no]
2427 Accept SW Inventory or SW Events subscriptions.
2428
2429
2430 libimcv.plugins.imc-swima.swid_database []
2431 URI to software collector database containing event timestamps,
2432 software creation and deletion events and collected software
2433 identifiers. If it contains a password, make sure to adjust the
2434 permissions of the config file accordingly.
2435
2436
2437 libimcv.plugins.imc-swima.swid_directory [${prefix}/share]
2438 Directory where SWID tags are located.
2439
2440
2441 libimcv.plugins.imc-swima.swid_full [no]
2442 Include file information in the XML-encoded SWID tags.
2443
2444
2445 libimcv.plugins.imc-swima.swid_pretty [no]
2446 Generate XML-encoded SWID tags with pretty indentation.
2447
2448
2449 libimcv.plugins.imc-test.additional_ids [0]
2450 Number of additional IMC IDs.
2451
2452
2453 libimcv.plugins.imc-test.command [none]
2454 Command to be sent to the Test IMV.
2455
2456
2457 libimcv.plugins.imc-test.dummy_size [0]
2458 Size of dummy attribute to be sent to the Test IMV (0 = dis‐
2459 abled).
2460
2461
2462 libimcv.plugins.imc-test.retry [no]
2463 Do a handshake retry.
2464
2465
2466 libimcv.plugins.imc-test.retry_command []
2467 Command to be sent to the Test IMV in the handshake retry.
2468
2469
2470 libimcv.plugins.imv-attestation.cadir []
2471 Path to directory with AIK cacerts.
2472
2473
2474 libimcv.plugins.imv-attestation.dh_group [ecp256]
2475 Preferred Diffie-Hellman group.
2476
2477
2478 libimcv.plugins.imv-attestation.hash_algorithm [sha256]
2479 Preferred measurement hash algorithm.
2480
2481
2482 libimcv.plugins.imv-attestation.mandatory_dh_groups [yes]
2483 Enforce mandatory Diffie-Hellman groups.
2484
2485
2486 libimcv.plugins.imv-attestation.min_nonce_len [0]
2487 DH minimum nonce length.
2488
2489
2490 libimcv.plugins.imv-os.remediation_uri []
2491 URI pointing to operating system remediation instructions.
2492
2493
2494 libimcv.plugins.imv-scanner.remediation_uri []
2495 URI pointing to scanner remediation instructions.
2496
2497
2498 libimcv.plugins.imv-swima.rest_api.timeout [120]
2499 Timeout of SWID REST API HTTP POST transaction.
2500
2501
2502 libimcv.plugins.imv-swima.rest_api.uri []
2503 HTTP URI of the SWID REST API.
2504
2505
2506 libimcv.plugins.imv-test.rounds [0]
2507 Number of IMC-IMV retry rounds.
2508
2509
2510 libimcv.stderr_quiet [no]
2511 Disable output to stderr with a stand-alone libimcv library.
2512
2513
2514 libimcv.swid_gen.command [/usr/local/bin/swid_generator]
2515 SWID generator command to be executed.
2516
2517
2518 libimcv.swid_gen.tag_creator.name [strongSwan Project]
2519 Name of the tagCreator entity.
2520
2521
2522 libimcv.swid_gen.tag_creator.regid [strongswan.org]
2523 regid of the tagCreator entity.
2524
2525
2526 manager.database []
2527 Credential database URI for manager. If it contains a password,
2528 make sure to adjust the permissions of the config file accord‐
2529 ingly.
2530
2531
2532 manager.debug [no]
2533 Enable debugging in manager.
2534
2535
2536 manager.load []
2537 Plugins to load in manager.
2538
2539
2540 manager.socket []
2541 FastCGI socket of manager, to run it statically.
2542
2543
2544 manager.threads [10]
2545 Threads to use for request handling.
2546
2547
2548 manager.timeout [15m]
2549 Session timeout for manager.
2550
2551
2552 medsrv.database []
2553 Mediation server database URI. If it contains a password, make
2554 sure to adjust the permissions of the config file accordingly.
2555
2556
2557 medsrv.debug [no]
2558 Debugging in mediation server web application.
2559
2560
2561 medsrv.dpd [5m]
2562 DPD timeout to use in mediation server plugin.
2563
2564
2565 medsrv.load []
2566 Plugins to load in mediation server plugin.
2567
2568
2569 medsrv.password_length [6]
2570 Minimum password length required for mediation server user
2571 accounts.
2572
2573
2574 medsrv.rekey [20m]
2575 Rekeying time on mediation connections in mediation server plug‐
2576 in.
2577
2578
2579 medsrv.socket []
2580 Run Mediation server web application statically on socket.
2581
2582
2583 medsrv.threads [5]
2584 Number of threads for the mediation service web application.
2585
2586
2587 medsrv.timeout [15m]
2588 Session timeout for mediation service.
2589
2590
2591 pki.load []
2592 Plugins to load in ipsec pki tool.
2593
2594
2595 pool.database []
2596 Database URI for the database that stores IP pools and configu‐
2597 ration attributes. If it contains a password, make sure
2598 to adjust the permissions of the config file accordingly.
2599
2600
2601 pool.load []
2602 Plugins to load in ipsec pool tool.
2603
2604
2605 scepclient.load []
2606 Plugins to load in ipsec scepclient tool.
2607
2608
2609 sec-updater
2610 Options for the sec-updater tool.
2611
2612
2613 sec-updater.database []
2614 Global IMV policy database URI. If it contains a password, make
2615 sure to adjust the permissions of the config file accordingly.
2616
2617
2618 sec-updater.load []
2619 Plugins to load in sec-updater tool.
2620
2621
2622 sec-updater.swid_gen.command [/usr/local/bin/swid_generator]
2623 SWID generator command to be executed.
2624
2625
2626 sec-updater.swid_gen.tag_creator.name [strongSwan Project]
2627 Name of the tagCreator entity.
2628
2629
2630 sec-updater.swid_gen.tag_creator.regid [strongswan.org]
2631 regid of the tagCreator entity.
2632
2633
2634 sec-updater.tmp.deb_file [/tmp/sec-updater.deb]
2635 Temporary storage for downloaded deb package file.
2636
2637
2638 sec-updater.tmp.tag_file [/tmp/sec-updater.tag]
2639 Temporary storage for generated SWID tags.
2640
2641
2642 sec-updater.tnc_manage_command [/var/www/tnc/manage.py]
2643 strongTNC manage.py command used to import SWID tags.
2644
2645
2646 starter.config_file [${sysconfdir}/ipsec.conf]
2647 Location of the ipsec.conf file
2648
2649
2650 starter.load_warning [yes]
2651 Warn at startup if charon.load contains a manual plugin load list
2651 (set to no to suppress the warning).
2652
2653
2654 sw-collector
2655 Options for the sw-collector tool.
2656
2657
2658 sw-collector.database []
2659 URI to software collector database containing event timestamps,
2660 software creation and deletion events and collected software
2661 identifiers. If it contains a password, make sure to adjust the
2662 permissions of the config file accordingly.
2663
2664
2665 sw-collector.first_file [/var/log/bootstrap.log]
2666 Path pointing to file created when the Linux OS was installed.
2667
2668
2669 sw-collector.first_time [0000-00-00T00:00:00Z]
2670 Time in UTC when the Linux OS was installed.
2671
2672
2673 sw-collector.history []
2674 Path pointing to apt history.log file.
2675
2676
2677 sw-collector.load []
2678 Plugins to load in sw-collector tool.
2679
2680
2681 sw-collector.rest_api.timeout [120]
2682 Timeout of REST API HTTP POST transaction.
2683
2684
2685 sw-collector.rest_api.uri []
2686 HTTP URI of the central collector's REST API.
2687
2688
2689 swanctl.load []
2690 Plugins to load in swanctl.
2691
2692
2693 swanctl.socket [unix://${piddir}/charon.vici]
2694 VICI socket to connect to by default.
2695
2696
2697 LOGGER CONFIGURATION
2698 Options in strongswan.conf(5) provide a much more flexible way to
2699 configure loggers for the IKE daemon charon than using the charondebug
2700 option in ipsec.conf(5).
2701
2702 Note: If any loggers are specified in strongswan.conf, charondebug does
2703 not have any effect.
2704
2705 There are currently two types of loggers:
2706
2707 File loggers
2708 Log directly to a file and are defined by specifying an arbi‐
2709 trarily named subsection in the charon.filelog section. The full
2710 path to the file is configured in the path setting of that sub‐
2711 section, however, if it only contains characters permitted in
2712 section names, the setting may also be omitted and the path
2713 specified as name of the subsection. To log to the console the
2714 two special filenames stdout and stderr may be used.
2715
2716 Syslog loggers
2717 Log into a syslog facility and are defined by specifying the
2718 facility to log to as the name of a subsection in the
2719 charon.syslog section. The following facilities are currently
2720 supported: daemon and auth.
2721
2722 Multiple loggers can be defined for each type with different log ver‐
2723 bosity for the different subsystems of the daemon.
2724
2725
2726 Subsystems
2727 dmn Main daemon setup/cleanup/signal handling
2728
2729 mgr IKE_SA manager, handling synchronization for IKE_SA access
2730
2731 ike IKE_SA
2732
2733 chd CHILD_SA
2734
2735 job Jobs queueing/processing and thread pool management
2736
2737 cfg Configuration management and plugins
2738
2739 knl IPsec/Networking kernel interface
2740
2741 net IKE network communication
2742
2743 asn Low-level encoding/decoding (ASN.1, X.509 etc.)
2744
2745 enc Packet encoding/decoding encryption/decryption operations
2746
2747 tls libtls library messages
2748
2749 esp libipsec library messages
2750
2751 lib libstrongswan library messages
2752
2753 tnc Trusted Network Connect
2754
2755 imc Integrity Measurement Collector
2756
2757 imv Integrity Measurement Verifier
2758
2759 pts Platform Trust Service
2760
2761 Loglevels
2762 -1 Absolutely silent
2763
2764 0 Very basic auditing logs, (e.g. SA up/SA down)
2765
2766 1 Generic control flow with errors, a good default to see what's
2767 going on
2768
2769 2 More detailed debugging control flow
2770
2771 3 Including RAW data dumps in Hex
2772
2773 4 Also include sensitive material in dumps, e.g. keys
2774
2775 Example
2776 charon {
2777 filelog {
2778 charon {
2779 path = /var/log/charon.log
2780 time_format = %b %e %T
2781 append = no
2782 default = 1
2783 }
2784 stderr {
2785 ike = 2
2786 knl = 3
2787 ike_name = yes
2788 }
2789 }
2790 syslog {
2791 # enable logging to LOG_DAEMON, use defaults
2792 daemon {
2793 }
2794 # minimalistic IKE auditing logging to LOG_AUTHPRIV
2795 auth {
2796 default = -1
2797 ike = 0
2798 }
2799 }
2800 }
2801
2802
2803 JOB PRIORITY MANAGEMENT
2804 Some operations in the IKEv2 daemon charon are currently implemented
2805 synchronously and blocking. Two examples of such operations are
2806 communication with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP
2807 information during certificate chain verification. Under high load
2808 conditions, the thread pool may run out of available threads, and some
2809 more important jobs, such as liveness checking, may not get executed in
2810 time.
2811
2812 To prevent thread starvation in such situations, job priorities were
2813 introduced. The job processor reserves some threads for higher
2814 priority jobs; these threads are not available for lower priority,
2815 locking jobs.
2816
2817 Implementation
2818 Currently 4 priorities have been defined, and they are used in charon
2819 as follows:
2820
2821 CRITICAL
2822 Priority for long-running dispatcher jobs.
2823
2824 HIGH INFORMATIONAL exchanges, as used by liveness checking (DPD).
2825
2826 MEDIUM Everything not HIGH/LOW, including IKE_SA_INIT processing.
2827
2828 LOW IKE_AUTH message processing. RADIUS and CRL fetching block here.
2829
2830 Although IKE_SA_INIT processing is computationally expensive, it is
2831 explicitly assigned to the MEDIUM class. This allows charon to do the
2832 DH exchange while other threads are blocked in IKE_AUTH. To prevent the
2833 daemon from accepting more IKE_SA_INIT requests than it can handle, use
2834 IKE_SA_INIT DROPPING.
2835
2836 The thread pool processes jobs strictly by priority, meaning it will
2837 consume all higher priority jobs before looking for ones with lower
2838 priority. Further, it reserves threads for certain priorities. A prior‐
2839 ity class having reserved n threads will always have n threads avail‐
2840 able for this class (either currently processing a job, or waiting for
2841 one).
2842
2843 Configuration
2844 To ensure that there are always enough threads available for higher
2845 priority tasks, threads must be reserved for each priority class.
2846
2847 charon.processor.priority_threads.critical [0]
2848 Threads reserved for CRITICAL priority class jobs
2849
2850 charon.processor.priority_threads.high [0]
2851 Threads reserved for HIGH priority class jobs
2852
2853 charon.processor.priority_threads.medium [0]
2854 Threads reserved for MEDIUM priority class jobs
2855
2856 charon.processor.priority_threads.low [0]
2857 Threads reserved for LOW priority class jobs
2858
2859 Let's consider the following configuration:
2860
2861 charon {
2862 processor {
2863 priority_threads {
2864 high = 1
2865 medium = 4
2866 }
2867 }
2868 }
2869
2870 With this configuration, one thread is reserved for HIGH priority
2871 tasks. As currently only liveness checking and stroke message
2872 processing are done with high priority, one or two threads should be
2873 sufficient.
2874
2875 The MEDIUM class mostly processes non-blocking jobs. Unless your setup
2876 is experiencing many blocks in locks while accessing shared resources,
2877 reserving one to two times the number of CPU cores is fine.
2878
2879 It is usually not required to reserve threads for CRITICAL jobs. Jobs
2880 in this class rarely return and do not release their thread to the
2881 pool.
2882
2883 The remaining threads are available for LOW priority jobs. Reserving
2884 threads does not make sense (until we have an even lower priority).
2885
2886 Monitoring
2887 To see what the threads are actually doing, invoke ipsec statusall.
2888 Under high load, something like this will show up:
2889
2890 worker threads: 2 of 32 idle, 5/1/2/22 working,
2891 job queue: 0/0/1/149, scheduled: 198
2892
2893 From 32 worker threads,
2894
2895 2 are currently idle.
2896
2897 5 are running CRITICAL priority jobs (dispatching from sockets,
2898 etc.).
2899
2900 1 is currently handling a HIGH priority job. This is actually the
2901 thread currently providing this information via stroke.
2902
2903 2 are handling MEDIUM priority jobs, likely IKE_SA_INIT or CRE‐
2904 ATE_CHILD_SA messages.
2905
2906 22 are handling LOW priority jobs, probably waiting for an EAP-
2907 RADIUS response while processing IKE_AUTH messages.
2908
2909 The job queue load shows how many jobs are queued for each priority,
2910 ready for execution. The single MEDIUM priority job will get executed
2911 immediately, as we have two spare threads reserved for MEDIUM class
2912 jobs.
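As an added illustration (not part of strongSwan or this manual), a small Python parser for the worker-thread and job-queue lines of ipsec statusall that compares a snapshot with the configured priority_threads reservation and reports starvation. The line format is the one shown above; the sample snapshots and the queue threshold are constructed and meant to be tuned per gateway.

```python
# Added example, not strongSwan code: parses the "worker threads" and
# "job queue" lines printed by ipsec statusall (format as shown in the man
# page) and compares a snapshot against the configured
# charon.processor.priority_threads reservation to flag starvation. The
# thresholds are assumptions to be tuned per gateway.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITIES = ("critical", "high", "medium", "low")   # order of the x/x/x/x counters

_STATUS_RE = re.compile(
    r"worker threads:\s*(?P<idle>\d+) of (?P<total>\d+) idle,\s*"
    r"(?P<working>\d+/\d+/\d+/\d+) working,\s*"
    r"job queue:\s*(?P<queued>\d+/\d+/\d+/\d+),\s*scheduled:\s*(?P<scheduled>\d+)"
)


@dataclass
class WorkerStatus:
    total: int
    idle: int
    working: Dict[str, int]   # busy threads per priority class
    queued: Dict[str, int]    # jobs waiting per priority class
    scheduled: int            # jobs scheduled for later execution


def parse_worker_status(text: str) -> Optional[WorkerStatus]:
    """Extract the thread/queue snapshot from statusall output; None if not present."""
    flat = re.sub(r"\s+", " ", text)      # the line may wrap as in the man page
    m = _STATUS_RE.search(flat)
    if m is None:
        return None
    working = dict(zip(PRIORITIES, map(int, m["working"].split("/"))))
    queued = dict(zip(PRIORITIES, map(int, m["queued"].split("/"))))
    return WorkerStatus(int(m["total"]), int(m["idle"]), working, queued, int(m["scheduled"]))


def starvation_findings(st: WorkerStatus, reserved: Dict[str, int],
                        low_queue_max: int = 50) -> List[str]:
    """Return human-readable findings; an empty list means the pool looks healthy."""
    findings = []
    busy = sum(st.working.values())
    if busy + st.idle != st.total:
        findings.append(f"thread accounting mismatch: {busy} busy + {st.idle} idle != {st.total}")
    if st.idle == 0:
        findings.append("no idle threads: new LOW jobs (IKE_AUTH, RADIUS, CRL fetches) will queue")
    # A reserved class is starved when its jobs wait although all of its
    # reserved threads (and every unreserved one) are busy.
    for prio in ("critical", "high", "medium"):
        res = reserved.get(prio, 0)
        if st.queued[prio] > 0 and st.idle == 0 and st.working[prio] >= res:
            findings.append(f"{prio.upper()} jobs queued ({st.queued[prio]}) while all "
                            f"{res} reserved threads are busy; raise priority_threads.{prio}")
    if st.queued["low"] > low_queue_max:
        findings.append(f"{st.queued['low']} LOW jobs queued; consider charon.init_limit_job_load "
                        "or more charon.threads")
    return findings


if __name__ == "__main__":
    # constructed snapshot, identical to the one discussed in the man page
    sample = ("  worker threads: 2 of 32 idle, 5/1/2/22 working,\n"
              "  job queue: 0/0/1/149, scheduled: 198\n")
    status = parse_worker_status(sample)
    for line in starvation_findings(status, {"high": 1, "medium": 4}):
        print(line)
```

Run periodically against the output of ipsec statusall, the findings give an operator an early signal that the LOW queue (IKE_AUTH with blocking RADIUS or CRL fetches) is backing up before liveness checks start to fail.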
2913
2914
2915 IKE_SA_INIT DROPPING
2916 If a responder receives more connection requests per second than it
2917 can handle, it does not make sense to accept more IKE_SA_INIT messages.
2918 And if they are queued but can't get processed in time, an answer might
2919 be sent after the client has already given up and restarted its
2920 connection setup. This additionally increases the load on the responder.
2921
2922 To limit the responder load resulting from new connection attempts, the
2923 daemon can drop IKE_SA_INIT messages just after reception. There are
2924 two mechanisms to decide if this should happen, configured with the
2925 following options:
2926
2927 charon.init_limit_half_open [0]
2928 Limit based on the number of half open IKE_SAs. Half open
2929 IKE_SAs are SAs in connecting state, but not yet established.
2930
2931 charon.init_limit_job_load [0]
2932 Limit based on the number of jobs currently queued for process‐
2933 ing (sum over all job priorities).
2934
2935 The second limit includes load from other jobs, such as rekeying.
2936 Choosing a good value is difficult and depends on the hardware and
2937 expected load.
2938
2939 The first limit is simpler to calculate, but includes the load from new
2940 connections only. If your responder is capable of negotiating 100 tun‐
2941 nels/s, you might set this limit to 1000. The daemon will then drop new
2942 connection attempts if generating a response would require more than 10
2943 seconds. If you are allowing for a maximum response time of more than
2944 30 seconds, consider adjusting the timeout for connecting IKE_SAs
2945 (charon.half_open_timeout). A responder, by default, deletes an IKE_SA
2946 if the initiator does not establish it within 30 seconds. Under high
2947 load, a higher value might be required.
2948
2949
2950 LOAD TESTS
2951 To do stability testing and performance optimizations, the IKE daemon
2952 charon provides the load-tester plugin. This plugin allows one to set up
2953 thousands of tunnels concurrently against the daemon itself or a remote
2954 host.
2955
2956 WARNING: Never enable the load-testing plugin on production systems. It
2957 provides preconfigured credentials and allows an attacker to
2958 authenticate as any user.
2959
2960 Configuration details
2961 For public key authentication, the responder uses the "CN=srv, OU=load-
2962 test, O=strongSwan" identity. For the initiator, each connection
2963 attempt uses a different identity in the form "CN=c1-r1, OU=load-test,
2964 O=strongSwan", where the first number indicates the client number, the
2965 second the authentication round (if multiple authentication rounds are
2966 used).
2967
2968 For PSK authentication, FQDN identities are used. The server uses
2969 srv.strongswan.org, the client uses an identity in the form
2970 c1-r1.strongswan.org.
2971
2972 For EAP authentication, the client uses a NAI in the form
2973 100000000010001@strongswan.org.
2974
2975 To configure multiple authentication rounds, concatenate multiple meth‐
2976 ods using, e.g.
2977 initiator_auth = pubkey|psk|eap-md5|eap-aka
2978
2979 The responder uses a hardcoded certificate based on a 1024-bit RSA key.
2980 This certificate additionally serves as CA certificate. A peer uses the
2981 same private key, but generates client certificates on demand signed by
2982 the CA certificate. Install the Responder/CA certificate on the remote
2983 host to authenticate all clients.
2984
2985 To speed up testing, the load tester plugin implements a special
2986 Diffie-Hellman implementation called modpnull. By setting
2987 proposal = aes128-sha1-modpnull
2988 this wicked fast DH implementation is used. It does not provide any
2989 security at all, but allows one to run tests without DH calculation
2990 overhead.

Examples
In the simplest case, the daemon initiates IKE_SAs against itself using
the loopback interface. This actually establishes double the number of
IKE_SAs, as the daemon is initiator and responder of each IKE_SA at the
same time. Installation of IPsec SAs would fail, as each SA would be
installed twice. To simulate the correct behavior, a fake kernel
interface can be enabled which does not install the IPsec SAs at the
kernel level.

A simple loopback configuration might look like this:

    charon {
        # create new IKE_SAs for each CHILD_SA to simulate
        # different clients
        reuse_ikesa = no
        # turn off denial of service protection
        dos_protection = no

        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                # use 4 threads to initiate connections
                # simultaneously
                initiators = 4
                # each thread initiates 1000 connections
                iterations = 1000
                # delay each initiation in each thread by 20ms
                delay = 20
                # enable the fake kernel interface to
                # avoid SA conflicts
                fake_kernel = yes
            }
        }
    }

This initiates 4000 IKE_SAs (4 threads x 1000 iterations) within 20
seconds (1000 x 20ms per thread). Increase the delay value if your box
cannot handle that much load, or decrease it to put more load on it. If
the daemon starts retransmitting messages, your box probably cannot
handle all connection attempts.
The plugin also allows one to test against a remote host, which helps to
test a real-world configuration. A connection setup for stress testing a
gateway might look like this:

    charon {
        reuse_ikesa = no
        threads = 32

        plugins {
            load-tester {
                enable = yes
                # 10000 connections, ten in parallel
                initiators = 10
                iterations = 1000
                # use a delay of 100ms, overall time is:
                # iterations * delay = 100s
                delay = 100
                # address of the gateway
                remote = 1.2.3.4
                # IKE proposal to use
                proposal = aes128-sha1-modp1024
                # use faster PSK authentication instead
                # of 1024-bit RSA
                initiator_auth = psk
                responder_auth = psk
                # request a virtual IP using configuration
                # payloads
                request_virtual_ip = yes
                # rekey each CHILD_SA every 60s
                child_rekey = 60
            }
        }
    }

Retransmission timeouts in the IKEv2 daemon charon can be configured
globally using the keys listed below (defaults in brackets):

    charon.retransmit_base      [1.8]
    charon.retransmit_timeout   [4.0]
    charon.retransmit_tries     [5]
    charon.retransmit_jitter    [0]
    charon.retransmit_limit     [0]

The following formula is used to calculate the timeout:

    relative timeout = retransmit_timeout * retransmit_base ^ (n-1)

where n is the current retransmission count, starting at 1. The
calculated timeout cannot exceed the configured retransmit_limit (if
any; the default of 0 means no limit), which is useful if the number of
retries is high.

If a jitter in percent is configured, the timeout is modified as follows:

    relative timeout -= random(0, retransmit_jitter% * relative timeout)

i.e. each timeout is shortened by a random amount of up to
retransmit_jitter percent of its value, so that many peers retransmitting
at the same time do not do so in lockstep.

Using the default values, packets are retransmitted in:

    Retransmission   Relative Timeout   Absolute Timeout
    ─────────────────────────────────────────────────────
    1                4s                 4s
    2                7s                 11s
    3                13s                24s
    4                23s                47s
    5                42s                89s
    giving up        76s                165s

(Values are rounded. The "giving up" row is the sixth timeout, after
which charon stops retransmitting and the exchange fails.)
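The schedule above can be reproduced, and checked for other values of the five keys, with the following Python code. It is an added example, not strongSwan code: it implements the formula and the retransmit_limit cap exactly as stated, and reads retransmit_jitter as a percentage of the relative timeout (how charon applies the jitter internally is an assumption of this example, not something this page specifies). The function names are this example's own.

```python
"""IKEv2 retransmission schedule from the charon.retransmit_* keys.

Added example, not strongSwan code. Implements
    relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
with the optional retransmit_limit cap and retransmit_jitter reduction.
"""
import random


def relative_timeout(n, base=1.8, timeout=4.0, limit=0.0):
    """Seconds to wait before retransmission n (n starts at 1).

    A limit of 0 (the default) means no cap, as for charon.retransmit_limit."""
    t = timeout * base ** (n - 1)
    if limit > 0:
        t = min(t, limit)
    return t


def schedule(base=1.8, timeout=4.0, tries=5, limit=0.0, jitter=0, seed=None):
    """Return rows (label, relative, absolute) for `tries` retransmissions
    plus the final 'giving up' timeout after which the exchange fails.

    jitter is a percentage: each relative timeout is reduced by a random
    amount in [0, jitter percent of the timeout]. Assumption of this
    example: the page says "jitter in percent", so the value is divided
    by 100 before it is applied. seed only makes the jitter reproducible."""
    rng = random.Random(seed)
    rows, elapsed = [], 0.0
    for n in range(1, tries + 2):
        rel = relative_timeout(n, base, timeout, limit)
        if jitter:
            rel -= rng.uniform(0.0, rel * jitter / 100.0)
        elapsed += rel
        rows.append((n if n <= tries else 'giving up', rel, elapsed))
    return rows


def time_to_give_up(**kwargs):
    """Total seconds until charon gives up on a peer that never answers."""
    return schedule(**kwargs)[-1][2]


def render(rows):
    """Format rows like the table in this man page (values rounded)."""
    lines = ['%-15s %-17s %s' % ('Retransmission', 'Relative Timeout',
                                 'Absolute Timeout')]
    for label, rel, total in rows:
        lines.append('%-15s %-17s %ds' % (label, '%ds' % round(rel),
                                          round(total)))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(schedule()))
    # a tighter schedule for a lab that should notice dead peers quickly
    print(render(schedule(tries=3, limit=10.0)))
```

time_to_give_up() is the number a practitioner usually wants: with the defaults, a gateway keeps an IKE_SA in limbo for about 165 seconds before it concludes the peer is gone, and raising retransmit_tries without setting retransmit_limit makes that window grow exponentially.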

The variables used above are configured as follows:

    ${piddir}            /run/strongswan
    ${prefix}            /usr
    ${random_device}     /dev/random
    ${urandom_device}    /dev/urandom

FILES
    /etc/strongswan.conf        configuration file
    /etc/strongswan.d/          directory containing included config snippets
    /etc/strongswan.d/charon/   plugin specific config snippets

SEE ALSO
    ipsec.conf(5), ipsec.secrets(5), ipsec(8), charon-cmd(8)

Written for the strongSwan project ⟨http://www.strongswan.org⟩ by
Tobias Brunner, Andreas Steffen and Martin Willi.

5.8.4                                                    STRONGSWAN.CONF(5)