STRONGSWAN.CONF(5)                strongSwan                STRONGSWAN.CONF(5)

NAME
       strongswan.conf - strongSwan configuration file

DESCRIPTION
       While the ipsec.conf(5) configuration file is well suited to define
       IPsec related configuration parameters, it is not useful for other
       strongSwan applications to read options from this file. The file is
       hard to parse and only ipsec starter is capable of doing so. As the
       number of components of the strongSwan project is continually growing,
       a more flexible configuration file was needed, one that is easy to
       extend and can be used by all components. With strongSwan 4.2.1
       strongswan.conf(5) was introduced, which meets these requirements.

SYNTAX
       The format of the strongswan.conf file consists of hierarchical
       sections and a list of key/value pairs in each section. Each section
       has a name, followed by C-style curly brackets defining the section
       body. Each section body contains a set of subsections and key/value
       pairs:

            settings := (section|keyvalue)*
            section  := name { settings }
            keyvalue := key = value\n

       Values must be terminated by a newline.

       Comments are possible using the #-character.

       Section names and keys may contain any printable character except:

            . , : { } = " # \n \t space

       An example file in this format might look like this:

            a = b
            section-one {
                 somevalue = asdf
                 subsection {
                      othervalue = xxx
                 }
                 # yei, a comment
                 yetanother = zz
            }
            section-two {
                 x = 12
            }

       Indentation is optional; you may use tabs or spaces.

NUMBER FORMATS
       Options that define an integer value can be specified as decimal (the
       default) or hexadecimal ("0x" prefix, upper- or lowercase letters are
       accepted). Locale-dependent strings (e.g. the thousands separator of
       the current locale) may also be accepted in locales other than "C".

       Options that define a floating-point value can be specified as decimal
       (the default) or hexadecimal ("0x" prefix, upper- or lowercase letters
       are accepted). The radix character (decimal separator) in either case
       is locale-dependent, usually ".".

TIME FORMATS
       Unless stated otherwise, options that define a time are specified in
       seconds. The "s", "m", "h" and "d" suffixes may be used to
       automatically convert values given in seconds, minutes, hours or days
       (for instance, instead of configuring a rekey time of 4 hours as
       "14400" seconds, "4h" may be used).

       There are some global options that don't accept these suffixes as they
       are configured as integer values in seconds or milliseconds, or even as
       floating-point numbers (e.g. the retransmission timeout). Options that
       accept the suffixes have a corresponding default value.

REFERENCING OTHER SECTIONS
       It is possible to inherit settings and sections from another section.
       This feature is mainly useful in swanctl.conf (which uses the same file
       format). The syntax is as follows:

            section    := name : references { settings }
            references := absname[, absname]*
            absname    := name[.name]*

       All key/value pairs and all subsections of the referenced sections will
       be inherited by the section that references them via their absolute
       name. Values may be overridden in the section or any of its
       sub-sections (use an empty assignment to clear a value so its default
       value, if any, will apply). It is currently not possible to limit the
       inclusion level or to clear/remove inherited sub-sections.

       If the order is important (e.g. for auth rounds in a connection, if
       round is not used), it should be noted that inherited settings/sections
       will follow those defined in the current section (if multiple sections
       are referenced, their settings are enumerated left to right).

       References are evaluated dynamically at runtime, so referring to
       sections later in the config file or included via other files is no
       problem.

       Here is an example of how this might look:

            conn-defaults {
                 # default settings for all conns (e.g. a cert, or IP pools)
            }
            eap-defaults {
                 # defaults if eap is used (e.g. a remote auth round)
            }
            child-defaults {
                 # defaults for child configs (e.g. traffic selectors)
            }
            connections {
                 conn-a : conn-defaults, eap-defaults {
                      # set/override stuff specific to this connection
                      children {
                           child-a : child-defaults {
                                # set/override stuff specific to this child
                           }
                      }
                 }
                 conn-b : conn-defaults {
                      # set/override stuff specific to this connection
                      children {
                           child-b : child-defaults {
                                # set/override stuff specific to this child
                           }
                      }
                 }
                 conn-c : connections.conn-a {
                      # everything is inherited, including everything conn-a
                      # already inherits from the sections it and its
                      # sub-section reference
                 }
            }

INCLUDING FILES
       Using the include statement it is possible to include other files into
       strongswan.conf, e.g.

            include /some/path/*.conf

       If the file name is not an absolute path, it is considered to be
       relative to the directory of the file containing the include
       statement. The file name may include shell wildcards (see sh(1)).
       Also, such inclusions can be nested.

       Sections loaded from included files extend previously loaded sections;
       already existing values are replaced. It is important to note that
       settings are added relative to the section the include statement is
       in.

       As an example, the following three files result in the same final
       config as the one given above:

            a = b
            section-one {
                 somevalue = before include
                 include include.conf
            }
            include other.conf

       include.conf:
            # settings loaded from this file are added to section-one
            # the following replaces the previous value
            somevalue = asdf
            subsection {
                 othervalue = yyy
            }
            yetanother = zz

       other.conf:
            # this extends section-one and subsection
            section-one {
                 subsection {
                      # this replaces the previous value
                      othervalue = xxx
                 }
            }
            section-two {
                 x = 12
            }

READING VALUES
       Values are accessed using a dot-separated section list and a key. With
       reference to the example above, accessing
       section-one.subsection.othervalue will return xxx.

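       The rules of the preceding sections put to work as an added example
       (this is not code from the strongSwan project): a minimal parser for
       the file format described under SYNTAX, with the inheritance lookup
       from REFERENCING OTHER SECTIONS, the include semantics from INCLUDING
       FILES, dot-notation access as in READING VALUES and the suffix
       handling from TIME FORMATS. The files it reads are constructed
       in-memory strings under hypothetical paths, and it simplifies in two
       places noted in the comments: a # always starts a comment, and shell
       wildcards are approximated with fnmatch.

```python
import fnmatch
import posixpath
import re

# Constructed in-memory "files" (hypothetical paths) so the demo runs offline.
FILES = {
    "/etc/strongswan.conf": """\
section-one {
    somevalue = before include
    include include.conf        # relative to /etc; settings land in section-one
}
include other*.conf             # shell wildcard, also relative to /etc
connections {
    conn-a : conn-defaults {
        rekey_time = 1h         # overrides the inherited 4h
    }
    conn-b : connections.conn-a {
        rekey_time =            # empty assignment clears the inherited value
    }
}
conn-defaults {                 # defined after use: references resolve at lookup
    version = 2
    rekey_time = 4h
}
""",
    "/etc/include.conf": "somevalue = asdf\nsubsection {\n    othervalue = yyy\n}\n",
    "/etc/other.conf": "section-one {\n    subsection {\n        othervalue = xxx\n    }\n}\n",
}

NAME = r'[^.,:{}="#\s]+'                      # characters allowed in names and keys
SECTION = re.compile(rf"^({NAME})\s*(?::\s*([^{{]+?))?\s*\{{$")
KEYVALUE = re.compile(rf"^({NAME})\s*=\s*(.*)$")

class Section:
    def __init__(self):
        self.refs, self.items = [], {}        # referenced absolute names; key -> str | Section

def parse_into(section, lines, files, cwd):
    """Consume lines (an iterator) up to the matching '}' and add them to section."""
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # simplification: '#' always starts a comment
        if not line:
            continue
        if line == "}":
            return
        if line.startswith("include "):
            pattern = posixpath.join(cwd, line[8:].strip())   # absolute patterns stay absolute
            for name in sorted(files):
                if fnmatch.fnmatch(name, pattern):
                    parse_into(section, iter(files[name].splitlines()), files, posixpath.dirname(name))
            continue
        if m := SECTION.match(line):
            sub = section.items.get(m.group(1))
            if not isinstance(sub, Section):              # extend an existing section or create it
                sub = section.items[m.group(1)] = Section()
            if m.group(2):
                sub.refs = [r.strip() for r in m.group(2).split(",")]
            parse_into(sub, lines, files, cwd)
        elif m := KEYVALUE.match(line):
            section.items[m.group(1)] = m.group(2).strip()   # later values replace earlier ones
        else:
            raise ValueError(f"syntax error: {raw!r}")

def load(files, main):
    root = Section()
    parse_into(root, iter(files[main].splitlines()), files, posixpath.dirname(main))
    return root

def resolve(root, section, parts, depth=0):
    """Walk parts below section: own items first, then referenced sections left to right."""
    if depth > 32:
        raise ValueError("reference cycle")
    if not parts:
        return section
    item = section.items.get(parts[0])
    if isinstance(item, str):                             # an own value wins; '' clears it
        return (item or None) if len(parts) == 1 else None
    if isinstance(item, Section):
        if (found := resolve(root, item, parts[1:], depth)) is not None:
            return found
    for ref in section.refs:
        target = resolve(root, root, ref.split("."), depth + 1)
        if isinstance(target, Section):
            if (found := resolve(root, target, parts, depth + 1)) is not None:
                return found
    return None

def get(root, path):
    """Dotted section list plus key, as in READING VALUES; None if unset or cleared."""
    value = resolve(root, root, path.split("."))
    return value if isinstance(value, str) else None

def parse_time(value, default):
    """Seconds with an optional s/m/h/d suffix, as in TIME FORMATS."""
    if value is None:
        return default
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400}.get(value[-1], 1)
    return int(value.rstrip("smhd")) * unit
```

       After load(FILES, "/etc/strongswan.conf"), section-one.subsection.othervalue
       resolves to xxx because other.conf extended the section and replaced the
       value set by include.conf. connections.conn-b.rekey_time resolves to
       None, since conn-b cleared the value it would otherwise inherit through
       conn-a from conn-defaults, so parse_time falls back to the supplied
       default; connections.conn-b.version still resolves to 2 through both
       references. A section that references itself raises ValueError instead
       of recursing without bound.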

DEFINED KEYS
       The following keys are currently defined (using dot notation). The
       default value (if any) is listed in brackets after the key.

       aikgen.load []
              Plugins to load in the ipsec aikgen tool.

       attest.database []
              File measurement information database URI. If it contains a
              password, make sure to adjust the permissions of the config file
              accordingly.

       attest.load []
              Plugins to load in the ipsec attest tool.

       charon
              Options for the charon IKE daemon.

              Note: Many of the options in this section also apply to
              charon-cmd and other charon derivatives. Just use their
              respective name (e.g. charon-cmd instead of charon). For many
              options defaults can be defined in the libstrongswan section.

       charon.accept_private_algs [no]
              Deliberately violate the IKE standard's requirement and allow
              the use of private algorithm identifiers, even if the peer
              implementation is unknown.

       charon.accept_unencrypted_mainmode_messages [no]
              Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

              Some implementations send the third Main Mode message
              unencrypted, probably to find the PSKs for the specified ID for
              authentication. This is very similar to Aggressive Mode, and has
              the same security implications: a passive attacker can sniff the
              negotiated identity and start brute forcing the PSK using the
              HASH payload.

              It is recommended to keep this option set to no, unless you know
              exactly what the implications are and require compatibility with
              such devices (for example, some SonicWall boxes).

       charon.block_threshold [5]
              Maximum number of half-open IKE_SAs (including unprocessed
              IKE_SA_INITs) for a single peer IP.

       charon.cache_crls [no]
              Whether Certificate Revocation Lists (CRLs) fetched via HTTP or
              LDAP should be saved under a unique file name derived from the
              public key of the Certification Authority (CA) to
              ${sysconfdir}/ipsec.d/crls (stroke) or
              ${sysconfdir}/swanctl/x509crl (vici), respectively.

       charon.cert_cache [yes]
              Whether relations in validated certificate chains should be
              cached in memory.

       charon.check_current_path [no]
              By default, after detecting any changes to interfaces and/or
              addresses no action is taken if the current path to the remote
              peer still looks usable. Enabling this option will use DPD to
              check whether the path actually still works, or whether, for
              instance, the peer removed the state after a longer phase
              without connectivity. It will also trigger a MOBIKE update if
              NAT mappings were removed during the downtime.

       charon.cisco_flexvpn [no]
              Send the Cisco FlexVPN vendor ID payload, which is required in
              order to make Cisco brand devices allow negotiating a local
              traffic selector (from strongSwan's point of view) that is not
              the assigned virtual IP address if such an address is requested
              by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the
              peer from narrowing the initiator's local traffic selector and
              allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
              instead. This has been tested with a "tunnel mode ipsec ipv4"
              Cisco template but should also work for GRE encapsulation.

       charon.cisco_unity [no]
              Send Cisco Unity vendor ID payload (IKEv1 only).

       charon.close_ike_on_child_failure [no]
              Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH
              failed.

       charon.cookie_threshold [30]
              Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs)
              that activate the cookie mechanism.

       charon.cookie_threshold_ip [3]
              Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs)
              for a single peer IP that activate the cookie mechanism.

       charon.crypto_test.bench [no]
              Benchmark crypto algorithms and order them by efficiency.

       charon.crypto_test.bench_size [1024]
              Buffer size used for crypto benchmark.

       charon.crypto_test.bench_time [50]
              Time in ms during which crypto algorithm performance is
              measured.

       charon.crypto_test.on_add [no]
              Test crypto algorithms during registration (requires test
              vectors provided by the test-vectors plugin).

       charon.crypto_test.on_create [no]
              Test crypto algorithms on each crypto primitive instantiation.

       charon.crypto_test.required [no]
              Strictly require at least one test vector to enable an
              algorithm.

       charon.crypto_test.rng_true [no]
              Whether to test RNG with TRUE quality; requires a lot of
              entropy.

       charon.delete_rekeyed [no]
              Delete CHILD_SAs right after they got successfully rekeyed
              (IKEv1 only). Reduces the number of stale CHILD_SAs in scenarios
              with a lot of rekeyings. However, this might cause problems with
              implementations that continue to use rekeyed SAs until they
              expire.

       charon.delete_rekeyed_delay [5]
              Delay in seconds until inbound IPsec SAs are deleted after
              rekeyings (IKEv2 only). To process delayed packets the inbound
              part of a CHILD_SA is kept installed up to the configured number
              of seconds after it got replaced during a rekeying. If set to 0
              the CHILD_SA will be kept installed until it expires (if no
              lifetime is set it will be destroyed immediately).

       charon.dh_exponent_ansi_x9_42 [yes]
              Use ANSI X9.42 DH exponent size or optimum size matched to
              cryptographic strength.

       charon.dlopen_use_rtld_now [no]
              Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to
              reveal missing symbols immediately.

       charon.dns1 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dns2 []
              DNS server assigned to peer via configuration payload (CP).

       charon.dos_protection [yes]
              Enable Denial of Service protection using cookies and
              aggressiveness checks.

       charon.filelog
              Section to define file loggers, see LOGGER CONFIGURATION in
              strongswan.conf(5).

       charon.filelog.<name>
              <name> may be the full path to the log file if it only contains
              characters permitted in section names. It is ignored if path is
              specified.

       charon.filelog.<name>.<subsystem> [<default>]
              Loglevel for a specific subsystem.

       charon.filelog.<name>.append [yes]
              If this option is enabled log entries are appended to the
              existing file.

       charon.filelog.<name>.default [1]
              Specifies the default loglevel to be used for subsystems for
              which no specific loglevel is defined.

       charon.filelog.<name>.flush_line [no]
              Enabling this option disables block buffering and enables line
              buffering.

       charon.filelog.<name>.ike_name [no]
              Prefix each log entry with the connection name and a unique
              numerical identifier for each IKE_SA.

       charon.filelog.<name>.log_level [no]
              Add the log level of each message after the subsystem (e.g.
              [IKE2]).

       charon.filelog.<name>.path []
              Optional path to the log file. Overrides the section name. Must
              be used if the path contains characters that aren't allowed in
              section names.

       charon.filelog.<name>.time_add_ms [no]
              Adds the milliseconds within the current second after the
              timestamp (separated by a dot, so time_format should end with %S
              or %T).

       charon.filelog.<name>.time_format []
              Prefix each log entry with a timestamp. The option accepts a
              format string as passed to strftime(3).

       charon.flush_auth_cfg [no]
              If enabled, objects used during authentication (certificates,
              identities etc.) are released to free memory once an IKE_SA is
              established. Enabling this might conflict with plugins that
              later need access to e.g. the used certificates.

       charon.follow_redirects [yes]
              Whether to follow IKEv2 redirects (RFC 5685).

       charon.force_eap_only_authentication [no]
              Violate RFC 5998 and use EAP-only authentication even if the
              peer did not send an EAP_ONLY_AUTHENTICATION notify during
              IKE_AUTH.

       charon.fragment_size [1280]
              Maximum size (complete IP datagram size in bytes) of a sent IKE
              fragment when using proprietary IKEv1 or standardized IKEv2
              fragmentation, defaults to 1280 (use 0 for address family
              specific default values, which use a lower value for IPv4). If
              specified this limit is used for both IPv4 and IPv6.

       charon.group []
              Name of the group the daemon changes to after startup.

       charon.half_open_timeout [30]
              Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT
              DROPPING).

       charon.hash_and_url [no]
              Enable hash and URL support.

       charon.host_resolver.max_threads [3]
              Maximum number of concurrent resolver threads (they are
              terminated if unused).

       charon.host_resolver.min_threads [0]
              Minimum number of resolver threads to keep around.

       charon.i_dont_care_about_security_and_use_aggressive_mode_psk [no]
              If enabled, responders are allowed to use IKEv1 Aggressive Mode
              with pre-shared keys, which is discouraged due to security
              concerns (offline attacks on the openly transmitted hash of the
              PSK).

       charon.ignore_acquire_ts [no]
              If this is disabled the traffic selectors from the kernel's
              acquire events, which are derived from the triggering packet,
              are prepended to the traffic selectors from the configuration
              for IKEv2 connections. By enabling this, such specific traffic
              selectors will be ignored and only the ones in the config will
              be sent. This always happens for IKEv1 connections as the
              protocol only supports one set of traffic selectors per
              CHILD_SA.

       charon.ignore_routing_tables []
              A space-separated list of routing tables to be excluded from
              route lookups.

       charon.ikesa_limit [0]
              Maximum number of IKE_SAs that can be established at the same
              time before new connection attempts are blocked.

       charon.ikesa_table_segments [1]
              Number of exclusively locked segments in the hash table.

       charon.ikesa_table_size [1]
              Size of the IKE_SA hash table.

       charon.imcv
              Defaults for options in this section can be configured in the
              libimcv section.

       charon.imcv.assessment_result [yes]
              Whether IMVs send a standard IETF Assessment Result attribute.

       charon.imcv.database []
              Global IMV policy database URI. If it contains a password, make
              sure to adjust the permissions of the config file accordingly.

       charon.imcv.os_info.default_password_enabled [no]
              Manually set whether a default password is enabled.

       charon.imcv.os_info.name []
              Manually set the name of the client OS (e.g. Ubuntu).

       charon.imcv.os_info.version []
              Manually set the version of the client OS (e.g. 12.04 i686).

       charon.imcv.policy_script [ipsec _imv_policy]
              Script called for each TNC connection to generate IMV policies.

       charon.inactivity_close_ike [no]
              Whether to close the IKE_SA if the only CHILD_SA closed due to
              inactivity.

       charon.init_limit_half_open [0]
              Limit new connections based on the current number of half open
              IKE_SAs, see IKE_SA_INIT DROPPING in strongswan.conf(5).

       charon.init_limit_job_load [0]
              Limit new connections based on the number of jobs currently
              queued for processing (see IKE_SA_INIT DROPPING).

       charon.initiator_only [no]
              Causes the charon daemon to ignore IKE initiation requests.

       charon.install_routes [yes]
              Install routes into a separate routing table for established
              IPsec tunnels.

       charon.install_virtual_ip [yes]
              Install virtual IP addresses.

       charon.install_virtual_ip_on []
              The name of the interface on which virtual IP addresses should
              be installed. If not specified the addresses will be installed
              on the outbound interface.

       charon.integrity_test [no]
              Check daemon, libstrongswan and plugin integrity at startup.

       charon.interfaces_ignore []
              A comma-separated list of network interfaces that should be
              ignored. If interfaces_use is specified this option has no
              effect.

       charon.interfaces_use []
              A comma-separated list of network interfaces that should be used
              by charon. All other interfaces are ignored.

       charon.keep_alive [20s]
              NAT keep alive interval.

       charon.keep_alive_dpd_margin [0s]
              Number of seconds the keep alive interval may be exceeded before
              a DPD is sent instead of a NAT keep alive (0 to disable). This
              is only useful if a clock is used that includes time spent
              suspended (e.g. CLOCK_BOOTTIME).

       charon.leak_detective.detailed [yes]
              Includes source file names and line numbers in leak detective
              output.

       charon.leak_detective.usage_threshold [10240]
              Threshold in bytes for allocations to be included in usage
              reports (0 to include all).

       charon.leak_detective.usage_threshold_count [0]
              Threshold in number of allocations for allocations to be
              included in usage reports (0 to include all).

       charon.load []
              Plugins to load in the IKE daemon charon.

       charon.load_modular [no]
              If enabled, the list of plugins to load is determined via the
              value of the charon.plugins.<name>.load options. In addition to
              a simple boolean flag that option may take an integer value
              indicating the priority of a plugin, which would influence the
              order of a plugin in the plugin list (the default is 1). If two
              plugins have the same priority their order in the default plugin
              list is preserved. Enabled plugins not found in that list are
              ordered alphabetically before other plugins with the same
              priority.

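       The ordering rules of charon.load_modular, as an added example rather
       than the daemon's own code: given a default plugin list (a constructed
       sample; the real one depends on the build) and a set of
       charon.plugins.<name>.load values (also constructed), plugin_load_order
       applies the three rules in turn. Two points the text leaves open are
       assumptions here: that a plain yes stands for the default priority 1,
       and that a larger priority number loads earlier (higher_first switches
       to the opposite reading).

```python
# Default plugin list as built into the daemon (a constructed sample: the real
# list depends on the build configuration).
DEFAULT_PLUGINS = ["random", "nonce", "x509", "pem", "openssl",
                   "kernel-netlink", "socket-default", "vici"]

# Constructed charon.plugins.<name>.load values as they would be read from
# strongswan.conf with charon.load_modular = yes.
LOAD_OPTIONS = {
    "openssl": "yes", "botan": "2", "random": "yes", "nonce": "yes",
    "x509": "no", "pem": "yes", "kernel-netlink": "1", "socket-default": "yes",
    "vici": "yes", "bypass-lan": "1", "attr": "yes",
}


def load_priority(value):
    """Priority encoded in a load option: None when disabled, 1 for a plain
    'yes' (assumption: the boolean form stands for the default priority),
    otherwise the integer given."""
    value = (value or "no").strip().lower()
    if value == "no":
        return None
    if value == "yes":
        return 1
    return int(value, 10)


def plugin_load_order(default_list, load_options, higher_first=True):
    """Order the enabled plugins by the rules under charon.load_modular:
    by priority first (assumption: a larger number loads earlier; pass
    higher_first=False for the opposite reading), then, within one priority,
    plugins absent from the default list alphabetically, followed by the
    rest in default-list order."""
    position = {name: i for i, name in enumerate(default_list)}
    enabled = [(name, load_priority(value)) for name, value in load_options.items()]
    enabled = [(name, prio) for name, prio in enabled if prio is not None]

    def sort_key(item):
        name, prio = item
        rank = -prio if higher_first else prio
        if name in position:
            return (rank, 1, position[name])   # default-list plugins keep their order
        return (rank, 0, name)                 # others come first, alphabetically

    return [name for name, _ in sorted(enabled, key=sort_key)]
```

       With the sample data, botan (priority 2) leads; the remaining priority-1
       plugins follow with attr and bypass-lan first, because they are not in
       the default list, and then random, nonce, pem, openssl, kernel-netlink,
       socket-default and vici in default-list order. x509 is left out because
       its load option is no.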
       charon.make_before_break [no]
              Initiate IKEv2 reauthentication with a make-before-break instead
              of a break-before-make scheme. Make-before-break uses
              overlapping IKE and CHILD_SAs during reauthentication by first
              recreating all new SAs before deleting the old ones. This
              behavior can be beneficial to avoid connectivity gaps during
              reauthentication, but requires support for overlapping SAs by
              the peer. strongSwan can handle such overlapping SAs since
              version 5.3.0.

       charon.max_ikev1_exchanges [3]
              Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep
              state about and track concurrently.

       charon.max_packet [10000]
              Maximum packet size accepted by charon.

       charon.multiple_authentication [yes]
              Enable multiple authentication exchanges (RFC 4739).

       charon.nbns1 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.nbns2 []
              WINS servers assigned to peer via configuration payload (CP).

       charon.plugins.addrblock.depth [-1]
              RFC 3779 requires that all addrblocks claimed by a certificate
              must be contained in the addrblock extension of the issuer
              certificate, up to the root CA. The default depth setting of -1
              enforces this.

              In practice, third party (root) CAs may not contain the
              extension, making the addrblock extension unusable under such
              CAs. By limiting the validation depth, only a certain level of
              issuer certificates are validated for proper addrblock
              extensions: a depth of 0 does not check any issuer certificate
              extensions, with a depth of 1 only the direct issuer of the end
              entity certificate is checked, and so on.

       charon.plugins.addrblock.strict [yes]
              If set to yes, a subject certificate without an addrblock
              extension is rejected if the issuer certificate has such an
              addrblock extension. If set to no, subject certificates issued
              without the addrblock extension are accepted without any
              traffic selector checks and no policy is enforced by the plugin.

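       A model of the depth and strict rules just described, added here as an
       example; it is not the addrblock plugin's code, and the chains are
       constructed lists of prefixes standing in for the addrblock extensions
       of real certificates (None marks a certificate without the extension).
       It shows the trade-off the text warns about: with depth -1 a root CA
       lacking the extension fails the whole chain, with depth 0 no containment
       check happens at all, and strict decides what a subject without the
       extension gets.

```python
import ipaddress

# Constructed chains, end entity first, root last. Each entry is one
# certificate's addrblock extension as a list of prefixes, or None if the
# certificate carries no such extension. No real certificates are involved.
CHAIN_OK = [["192.0.2.0/26"], ["192.0.2.0/24"], ["192.0.2.0/24", "2001:db8::/32"]]
CHAIN_ROOT_WITHOUT_EXT = [["192.0.2.0/26"], ["192.0.2.0/24"], None]
CHAIN_SUBJECT_WITHOUT_EXT = [None, ["192.0.2.0/24"], ["192.0.2.0/24"]]
CHAIN_OUTSIDE_ISSUER = [["10.0.0.0/8"], ["192.0.2.0/24"], ["192.0.2.0/24"]]


def within(prefix, issuer_blocks):
    """True if prefix lies inside one of the issuer's address blocks."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == block.version and net.subnet_of(block)
               for block in map(ipaddress.ip_network, issuer_blocks))


def validate_addrblocks(chain, depth=-1, strict=True):
    """Model of the documented depth/strict semantics, not the plugin's code.
    depth -1 checks every issuer up to the root, 0 checks none, n checks the
    n issuers nearest the end entity. Returns (accepted, reason)."""
    subject, issuers = chain[0], chain[1:]
    if subject is None:
        if strict and issuers and issuers[0] is not None:
            return False, "subject has no addrblock extension but its issuer has one"
        return True, "no addrblock extension on subject; no policy enforced"
    levels = issuers if depth < 0 else issuers[:depth]
    claimed = subject
    for level, issuer in enumerate(levels, start=1):
        if issuer is None:
            return False, f"issuer at level {level} has no addrblock extension"
        if not all(within(prefix, issuer) for prefix in claimed):
            return False, f"address blocks not contained in issuer at level {level}"
        claimed = issuer            # RFC 3779 applies the same rule at each level
    return True, f"address blocks validated through {len(levels)} issuer level(s)"
```

       CHAIN_ROOT_WITHOUT_EXT is rejected with the default depth of -1 but
       accepted with depth 1, which is the situation the text describes for
       third-party roots. CHAIN_OUTSIDE_ISSUER, whose end entity claims a block
       its issuer never held, is accepted once depth is 0, since no issuer is
       consulted; that is the cost of lowering the depth.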
688       charon.plugins.android_log.loglevel [1]
689              Loglevel for logging to Android specific logger.
690
691
692       charon.plugins.attr
693              Section to specify arbitrary attributes that are assigned  to  a
694              peer via configuration payload (CP).
695
696
697       charon.plugins.attr.<attr> []
698              <attr>  can be either address, netmask, dns, nbns, dhcp, subnet,
699              split-include, split-exclude or the numeric  identifier  of  the
700              attribute  type. The assigned value can be an IPv4/IPv6 address,
701              a subnet in CIDR notation or an arbitrary value depending on the
702              attribute type.  For some attribute types multiple values may be
703              specified as a comma separated list.
704
705
706       charon.plugins.attr-sql.crash_recovery [yes]
707              Release all online leases during startup.  Disable this to share
708              the DB between multiple VPN gateways.
709
710
711       charon.plugins.attr-sql.database []
712              Database  URI for attr-sql plugin used by charon. If it contains
713              a password, make sure to adjust the permissions  of  the  config
714              file accordingly.
715
716
717       charon.plugins.attr-sql.lease_history [yes]
718              Enable logging of SQL IP pool leases.
719
720
721       charon.plugins.bliss.use_bliss_b [yes]
722              Use the enhanced BLISS-B key generation and signature algorithm.
723
724
725       charon.plugins.botan.internal_rng_only [no]
726              If  enabled,  only  Botan's internal RNG will be used throughout
727              the plugin.  Otherwise, and if supported by Botan, rng_t  imple‐
728              mentations provided by other loaded plugins will be used as RNG.
729
730
731       charon.plugins.bypass-lan.interfaces_ignore []
732              A comma-separated list of network interfaces for which connected
733              subnets should be ignored, if interfaces_use is  specified  this
734              option has no effect.
735
736
737       charon.plugins.bypass-lan.interfaces_use []
738              A comma-separated list of network interfaces for which connected
739              subnets should be considered. All other interfaces are ignored.
740
741
742       charon.plugins.bypass-lan.load [no]
743
744       charon.plugins.certexpire.csv.cron []
745              Cron style string specifying CSV export times.
746
747
748       charon.plugins.certexpire.csv.empty_string []
749              String to use in empty intermediate CA fields.
750
751
752       charon.plugins.certexpire.csv.fixed_fields [yes]
753              Use a fixed intermediate CA field count.
754
755
756       charon.plugins.certexpire.csv.force [yes]
757              Force export of all trustchains we have a private key for.
758
759
760       charon.plugins.certexpire.csv.format [%d:%m:%Y]
761              strftime(3) format string to export expiration dates as.
762
763
764       charon.plugins.certexpire.csv.local []
765              strftime(3) format string for the CSV file name to export  local
766              certificates to.
767
768
769       charon.plugins.certexpire.csv.remote []
770              strftime(3) format string for the CSV file name to export remote
771              certificates to.
772
773
774       charon.plugins.certexpire.csv.separator [,]
775              CSV field separator.
776
777
778       charon.plugins.coupling.file []
779              File to store coupling list to.
780
781
782       charon.plugins.coupling.hash [sha1]
783              Hashing algorithm to fingerprint coupled certificates.
784
785
786       charon.plugins.coupling.max [1]
787              Maximum number of coupling entries to create.
788
789
790       charon.plugins.curl.redir [-1]
791              Maximum number of redirects followed by the plugin, set to 0  to
792              disable following redirects, set to -1 for no limit.
793
794
795       charon.plugins.curl.tls_backend []
796              The  SSL/TLS backend to configure in curl if multiple are avail‐
797              able (requires libcurl 7.56 or newer). If nothing is configured,
798              the list of available backends is logged on level 2; if the  se‐
799              lected backend isn't available, the list is logged on level 1.
800
801
802       charon.plugins.dhcp.force_server_address [no]
803              Always use the configured server address. This might be  helpful
804              if  the DHCP server runs on the same host as strongSwan, and the
805              DHCP daemon does not listen on the loopback interface.  In  that
806              case   the  server  cannot  be  reached  via  unicast  (or  even
807              255.255.255.255) as that would be routed via  loopback.  Setting
808              this  option  to yes and configuring the local broadcast address
809              (e.g.  192.168.0.255) as server address might work.
810
811
812       charon.plugins.dhcp.identity_lease [no]
813              Derive user-defined MAC address from hash of  IKE  identity  and
814              send client identity DHCP option.
815
816
817       charon.plugins.dhcp.interface []
818              Interface  name  the plugin uses for address allocation. The de‐
819              fault is to bind to any (0.0.0.0)  and  let  the  system  decide
820              which way to route the packets to the DHCP server.
821
822
823       charon.plugins.dhcp.server [255.255.255.255]
824              DHCP server unicast or broadcast IP address.
825
826
827       charon.plugins.dhcp.use_server_port [no]
828              Use  the  DHCP  server  port (67) as source port, instead of the
829              DHCP client port (68), when a unicast server address is  config‐
830              ured  and the plugin acts as relay agent.  When replying in this
831              mode the DHCP server will always send packets to the DHCP server
832              port and if no process binds that port an ICMP port  unreachable
833              will be sent back, which might  be  problematic  for  some  DHCP
834              servers.   To  avoid  that,  enabling this option will cause the
835              plugin to bind the DHCP server port to send  its  requests  when
836              acting as relay agent. This is not necessary if a DHCP server is
837              already running on the same host and might even cause  conflicts
838              (and since the server port is already bound, ICMPs should not be
839              an issue).
840
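       A complete dhcp plugin configuration for the case described above, where
       the DHCP daemon runs on the strongSwan host itself and does not listen
       on loopback. This is an added example, not a fragment from the strongSwan
       documentation or source tree; the LAN broadcast address 192.168.0.255
       is the one the page uses, and the interface name eth1 is assumed.

```conf
charon {
    plugins {
        dhcp {
            # The DHCP daemon runs on this host and does not listen on lo, so
            # a unicast (or 255.255.255.255) destination would be routed via
            # loopback and never reach it. Target the LAN broadcast address
            # instead and force the plugin to keep using it.
            server = 192.168.0.255
            force_server_address = yes

            # Bind to the LAN interface rather than 0.0.0.0 so the broadcast
            # leaves on the right link (eth1 is an assumed interface name).
            interface = eth1

            # Derive the client MAC/identifier from a hash of the IKE identity
            # so the DHCP server can hand the same lease back to the same peer.
            identity_lease = yes

            # A server is already bound to port 67 on this host, so do not
            # bind the server port ourselves (see use_server_port above).
            use_server_port = no
        }
    }
}
```

       Clients are served from this plugin when the connection's address pool
       is set to %dhcp (rightsourceip=%dhcp in ipsec.conf(5)).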
841
842       charon.plugins.dnscert.enable [no]
843              Enable fetching of CERT RRs via DNS.
844
845
846       charon.plugins.drbg.max_drbg_requests [4294967294]
847              Number of pseudo-random bit requests from the DRBG before an au‐
848              tomatic reseeding occurs.
849
850
851       charon.plugins.duplicheck.enable [yes]
852              Enable duplicheck plugin (if loaded).
853
854
855       charon.plugins.duplicheck.socket [unix://${piddir}/charon.dck]
856              Socket provided by the duplicheck plugin.
857
858
859       charon.plugins.eap-aka.request_identity [yes]
860
861       charon.plugins.eap-aka-3gpp.seq_check []
862              Enable to activate sequence check of the AKA SQN values in order
863              to trigger resync cycles.
864
865
866       charon.plugins.eap-aka-3gpp2.seq_check []
867              Enable to activate sequence check of the AKA SQN values in order
868              to trigger resync cycles.
869
870
871       charon.plugins.eap-dynamic.prefer_user [no]
872              If  enabled  the EAP methods proposed in an EAP-Nak message sent
873              by the peer are preferred over the methods registered locally.
874
875
876       charon.plugins.eap-dynamic.preferred []
877              The preferred EAP method(s) to be used.  If it is not given  the
878              first registered method will be used initially.  If a comma sep‐
879              arated list is given the methods are tried in  the  given  order
880              before trying the rest of the registered methods.
881
882
883       charon.plugins.eap-gtc.backend [pam]
884              XAuth backend to be used for credential verification.
885
886
887       charon.plugins.eap-peap.fragment_size [1024]
888              Maximum size of an EAP-PEAP packet.
889
890
891       charon.plugins.eap-peap.include_length [no]
892              Include length in non-fragmented EAP-PEAP packets.
893
894
895       charon.plugins.eap-peap.max_message_count [32]
896              Maximum number of processed EAP-PEAP packets (0 = no limit).
897
898
899       charon.plugins.eap-peap.phase2_method [mschapv2]
900              Phase2 EAP client authentication method.
901
902
903       charon.plugins.eap-peap.phase2_piggyback [no]
904              Phase2  EAP Identity request piggybacked by server onto TLS Fin‐
905              ished message, relevant only if TLS 1.2 or  earlier  is  negoti‐
906              ated.
907
908
909       charon.plugins.eap-peap.phase2_tnc [no]
910              Start  phase2 EAP TNC protocol after successful client authenti‐
911              cation.
912
913
914       charon.plugins.eap-peap.request_peer_auth [no]
915              Request peer authentication based on a client certificate.
916
917
918       charon.plugins.eap-radius.accounting [no]
919              Send RADIUS accounting information to RADIUS servers.
920
921
922       charon.plugins.eap-radius.accounting_close_on_timeout [yes]
923              Close the IKE_SA if there is a timeout during interim RADIUS ac‐
924              counting updates.
925
926
927       charon.plugins.eap-radius.accounting_interval [0s]
928              Interval  in  seconds  for interim RADIUS accounting updates, if
929              not specified by the RADIUS server in the Access-Accept message.
930
931
932       charon.plugins.eap-radius.accounting_requires_vip [no]
933              If enabled, accounting is disabled unless an IKE_SA has at least
934              one  virtual  IP.   Only  for  IKEv2,  for IKEv1 a virtual IP is
935              strictly necessary.
936
937
938       charon.plugins.eap-radius.accounting_send_class [no]
939              If enabled, adds the Class attributes received in  Access-Accept
940              message to the RADIUS accounting messages.
941
942
943       charon.plugins.eap-radius.class_group [no]
944              Use  the  class  attribute  sent in the Access-Accept message as
945              group membership information that  is  compared  to  the  groups
946              specified in the rightgroups option in ipsec.conf(5).
947
948
949
950       charon.plugins.eap-radius.close_all_on_timeout [no]
951              Closes all IKE_SAs if communication with the RADIUS server times
952              out. If it is not set only the current IKE_SA is closed.
953
954
955       charon.plugins.eap-radius.dae.enable [no]
956              Enables support for the  Dynamic  Authorization  Extension  (RFC
957              5176).
958
959
960       charon.plugins.eap-radius.dae.listen [0.0.0.0]
961              Address to listen for DAE messages from the RADIUS server.
962
963
964       charon.plugins.eap-radius.dae.port [3799]
965              Port to listen for DAE requests.
966
967
968       charon.plugins.eap-radius.dae.secret []
969              Shared  secret  used  to  verify/sign DAE messages. If set, make
970              sure to adjust the permissions of the config file accordingly.
971
972
973       charon.plugins.eap-radius.eap_start [no]
974              Send EAP-Start instead of EAP-Identity to start RADIUS conversa‐
975              tion.
976
977
978       charon.plugins.eap-radius.filter_id [no]
979              If  the RADIUS tunnel_type attribute with value ESP is received,
980              use the filter_id attribute sent in the Access-Accept message as
981              group  membership  information  that  is  compared to the groups
982              specified in the rightgroups option in ipsec.conf(5).
983
984
985
986       charon.plugins.eap-radius.forward.ike_to_radius []
987              RADIUS attributes to be forwarded from IKEv2 to RADIUS  (can  be
988              defined  by  name  or  attribute  number, a colon can be used to
989              specify vendor-specific attributes, e.g. Reply-Message,  or  11,
990              or 36906:12).
991
992
993       charon.plugins.eap-radius.forward.radius_to_ike []
994              Same as charon.plugins.eap-radius.forward.ike_to_radius but from
995              RADIUS to IKEv2, a strongSwan specific private notify (40969) is
996              used to transmit the attributes.
997
998
999       charon.plugins.eap-radius.id_prefix []
1000              Prefix  to  EAP-Identity, some AAA servers use an IMSI prefix to
1001              select the EAP method.
1002
1003
1004       charon.plugins.eap-radius.nas_identifier [strongSwan]
1005              NAS-Identifier to include in RADIUS messages.
1006
1007
1008       charon.plugins.eap-radius.port [1812]
1009              Port of RADIUS server (authentication).
1010
1011
1012       charon.plugins.eap-radius.retransmit_base [1.4]
1013              Base to use for calculating exponential back off.
1014
1015
1016       charon.plugins.eap-radius.retransmit_timeout [2.0]
1017              Timeout in seconds before sending first retransmit.
1018
1019
1020       charon.plugins.eap-radius.retransmit_tries [4]
1021              Number of times to retransmit a packet before giving up.
1022
1023
1024       charon.plugins.eap-radius.secret []
1025              Shared secret between RADIUS and NAS. If set, make sure  to  ad‐
1026              just the permissions of the config file accordingly.
1027
1028
1029       charon.plugins.eap-radius.server []
1030              IP/Hostname of RADIUS server.
1031
1032
1033       charon.plugins.eap-radius.servers
1034              Section  to specify multiple RADIUS servers. The nas_identifier,
1035              secret, sockets and port (or auth_port) options can be specified
1036              for  each server. A server's IP/Hostname can be configured using
1037              the address option.  The acct_port [1813] option can be used  to
1038              specify  the  port  used  for RADIUS accounting. For each RADIUS
1039              server a priority can be specified using the preference [0]  op‐
1040              tion.  The retransmission time for each server can be set  using
1041              retransmit_base, retransmit_timeout and retransmit_tries.
1042
1043
1044
1045       charon.plugins.eap-radius.sockets [1]
1046              Number of sockets (ports) to use, increase for high load.
1047
1048
1049       charon.plugins.eap-radius.station_id_with_port [yes]
1050              Whether to include the UDP port in the Called- and  Calling-Sta‐
1051              tion-Id RADIUS attributes.
1052
1053
1054       charon.plugins.eap-radius.xauth
1055              Section  to  configure  multiple XAuth authentication rounds via
1056              RADIUS. The subsections define so-called authentication profiles
1057              with  arbitrary names. In each profile section one or more XAuth
1058              types can be configured, each with an assigned message. For each
1059              type a separate XAuth exchange is initiated and all replies  get
1060              concatenated into the User-Password attribute, which  then  gets
1061              verified over RADIUS.
1062
1063              Available  XAuth  types are password, passcode, nextpin, and an‐
1064              swer.  The type itself is not relevant to strongSwan or the  AAA
1065              server,  but  the client may show a different dialog (along with
1066              the configured message).
1067
1068              To use the configured profiles, they have to  be  configured  in
1069              the respective connection in ipsec.conf(5) by appending the pro‐
1070              file name, separated by a colon, to the xauth-radius XAuth back‐
1071              end  configuration  in  rightauth  or  rightauth2, for instance,
1072              rightauth2=xauth-radius:profile.
1073
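       The servers section and the xauth profiles described above, combined
       into one eap-radius plugin configuration together with accounting and
       DAE. This is an added example, not a fragment from the strongSwan
       documentation or source tree: the server addresses, the NAS identifier,
       the shared secrets and the profile name "otp" are made up, and the
       assumption that a server with a higher preference value is tried first
       is mine, as the page does not state the direction.

```conf
charon {
    plugins {
        eap-radius {
            # NAS-Identifier included in every RADIUS request (assumed name)
            nas_identifier = vpn-gw1

            # Accounting-Start/Stop plus interim updates every 5 minutes, but
            # only for IKE_SAs that actually received a virtual IP
            accounting = yes
            accounting_interval = 300s
            accounting_requires_vip = yes

            # Per-server settings override the plugin-wide ones. The server
            # with the higher preference is tried first (my assumption; the
            # page does not say which direction preference sorts).
            servers {
                primary {
                    address = 10.0.1.10
                    secret = replace-with-primary-secret
                    auth_port = 1812
                    acct_port = 1813
                    preference = 10
                    sockets = 4
                    retransmit_tries = 4
                    retransmit_timeout = 2.0
                    retransmit_base = 1.4
                }
                backup {
                    address = radius2.example.net
                    secret = replace-with-backup-secret
                    preference = 0
                }
            }

            # Accept Disconnect-Request / CoA from the RADIUS servers
            # (RFC 5176). Listen on the internal address only, not 0.0.0.0.
            dae {
                enable = yes
                listen = 10.0.1.2
                port = 3799
                secret = replace-with-dae-secret
            }

            # IKEv1 XAuth profile: key = XAuth type, value = prompt shown by
            # the client. Each type is a separate XAuth round; the replies are
            # concatenated (password followed by passcode) into User-Password.
            xauth {
                otp {
                    password = Enter your directory password
                    passcode = Now enter the one-time code from your token
                }
            }
        }
    }
}
```

       A connection selects the profile with rightauth2=xauth-radius:otp in
       ipsec.conf(5). With a password of "hunter2" and a passcode of "123456"
       the RADIUS server receives User-Password "hunter2123456", so the AAA
       backend must be configured to split the concatenated value. Because
       this file now carries three shared secrets, it must be readable by
       root only, as the secret options above note.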
1074
1075
1076       charon.plugins.eap-sim.request_identity [yes]
1077
1078       charon.plugins.eap-simaka-sql.database []
1079
1080       charon.plugins.eap-simaka-sql.remove_used [no]
1081
1082       charon.plugins.eap-tls.fragment_size [1024]
1083              Maximum size of an EAP-TLS packet.
1084
1085
1086       charon.plugins.eap-tls.include_length [yes]
1087              Include length in non-fragmented EAP-TLS packets.
1088
1089
1090       charon.plugins.eap-tls.max_message_count [32]
1091              Maximum number of processed EAP-TLS packets (0 = no limit).
1092
1093
1094       charon.plugins.eap-tnc.max_message_count [10]
1095              Maximum number of processed EAP-TNC packets (0 = no limit).
1096
1097
1098       charon.plugins.eap-tnc.protocol [tnccs-2.0]
1099              IF-TNCCS protocol version  to  be  used  (tnccs-1.1,  tnccs-2.0,
1100              tnccs-dynamic).
1101
1102
1103
1104       charon.plugins.eap-ttls.fragment_size [1024]
1105              Maximum size of an EAP-TTLS packet.
1106
1107
1108       charon.plugins.eap-ttls.include_length [yes]
1109              Include length in non-fragmented EAP-TTLS packets.
1110
1111
1112       charon.plugins.eap-ttls.max_message_count [32]
1113              Maximum number of processed EAP-TTLS packets (0 = no limit).
1114
1115
1116       charon.plugins.eap-ttls.phase2_method [md5]
1117              Phase2 EAP client authentication method.
1118
1119
1120       charon.plugins.eap-ttls.phase2_piggyback [no]
1121              Phase2  EAP Identity request piggybacked by server onto TLS Fin‐
1122              ished message.
1123
1124
1125       charon.plugins.eap-ttls.phase2_tnc [no]
1126              Start phase2 EAP TNC protocol after successful client  authenti‐
1127              cation.
1128
1129
1130       charon.plugins.eap-ttls.phase2_tnc_method [pt]
1131              Phase2 EAP TNC transport protocol (pt as IETF standard or legacy
1132              tnc)
1133
1134
1135
1136       charon.plugins.eap-ttls.request_peer_auth [no]
1137              Request peer authentication based on a client certificate.
1138
1139
1140       charon.plugins.error-notify.socket [unix://${piddir}/charon.enfy]
1141              Socket provided by the error-notify plugin.
1142
1143
1144       charon.plugins.ext-auth.script []
1145              Command to pass to the system shell for peer authorization.  Au‐
1146              thorization  is  considered  successful  if the command executes
1147              normally with an exit code of zero. For  all  other  exit  codes
1148              IKE_SA authorization is rejected.
1149
1150              The  following  environment  variables get passed to the script:
1151              IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
1152              IKE_NAME: The peer configuration connection name.
1153              IKE_LOCAL_HOST: Local IKE IP address.  IKE_REMOTE_HOST: Remote
1154              IKE IP address.  IKE_LOCAL_ID: Local IKE identity.
1155              IKE_REMOTE_ID: Remote IKE identity.  IKE_REMOTE_EAP_ID: Remote
1156              EAP or XAuth identity, if used.
1157
1158
1159       charon.plugins.forecast.groups
1160       [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]
1161              Comma separated list of multicast groups to  join  locally.  The
1162              local  host  receives  and forwards packets in the local LAN for
1163              joined multicast groups only.  Packets matching the list of mul‐
1164              ticast  groups  get  forwarded to connected clients. The default
1165              list  includes  host  multicasts,  IGMP,  mDNS,  LLMNR  and
1166              SSDP/WS-Discovery,  and  is  usually  a  good choice for Windows
1167              clients.
1168
1169
1170       charon.plugins.forecast.interface []
1171              Name of the local interface to listen for broadcast messages  to
1172              forward.  If no interface is configured, the first usable inter‐
1173              face is used, which is usually just fine for single-homed hosts.
1174              If your host has multiple interfaces, set this option to the lo‐
1175              cal LAN interface you want to forward broadcasts from/to.
1176
1177
1178       charon.plugins.forecast.reinject []
1179              Comma separated list of CHILD_SA configuration names  for  which
1180              to  perform  multi/broadcast reinjection. For clients connecting
1181              over such a configuration, any multi/broadcast received over the
1182              tunnel  gets  reinjected  to  all active tunnels. This makes the
1183              broadcasts visible to  other  peers,  and  for  example  allows
1184              clients  to  see  each other's shares. If disabled, multi/broad‐
1185              cast messages received over a tunnel are injected to the  local
1186              network only, but not to other IPsec clients.
1187
1188
1189       charon.plugins.gcrypt.quick_random [no]
1190              Use  faster random numbers in gcrypt; for testing only, produces
1191              weak keys!
1192
1193
1194       charon.plugins.ha.autobalance [0]
1195              Interval in seconds to automatically  balance  handled  segments
1196              between nodes. Set to 0 to disable.
1197
1198
1199       charon.plugins.ha.buflen [2048]
1200              Buffer  size  for  received HA messages. For IKEv1 the public DH
1201              factors are also transmitted so depending on the DH group the HA
1202              messages  can  get  quite  big (the default should be fine up to
1203              modp4096).
1204
1205
1206
1207       charon.plugins.ha.fifo_interface [yes]
1208
1209       charon.plugins.ha.heartbeat_delay [1000]
1210
1211       charon.plugins.ha.heartbeat_timeout [2100]
1212
1213       charon.plugins.ha.local []
1214
1215       charon.plugins.ha.monitor [yes]
1216
1217       charon.plugins.ha.pools []
1218
1219       charon.plugins.ha.remote []
1220
1221       charon.plugins.ha.resync [yes]
1222
1223       charon.plugins.ha.secret []
1224
1225       charon.plugins.ha.segment_count [1]
1226
1227       charon.plugins.ipseckey.enable [no]
1228              Enable fetching of IPSECKEY RRs via DNS.
1229
1230
1231       charon.plugins.kernel-libipsec.allow_peer_ts [no]
1232              Allow the remote traffic selector to cover the IKE peer's  ad‐
1233              dress.  The  route installed for such traffic (via TUN device)
1234              usually prevents further IKE traffic.  The fwmark options  for
1235              the kernel-netlink and socket-default plugins can be  used  to
1236              circumvent that problem.
1237
1238
1239       charon.plugins.kernel-libipsec.fwmark        [charon.plugins.socket-de‐
1240       fault.fwmark]
1241              Firewall mark to set on outbound raw ESP packets.
1242
1243
1244       charon.plugins.kernel-libipsec.raw_esp [no]
1245              Whether  to  send and receive ESP packets without UDP encapsula‐
1246              tion if supported on this platform and no NAT is detected.
1247
1248
1249       charon.plugins.kernel-netlink.buflen [<min(PAGE_SIZE, 8192)>]
1250              Buffer size for received Netlink messages.
1251
1252
1253       charon.plugins.kernel-netlink.force_receive_buffer_size [no]
1254              If the maximum Netlink socket receive buffer in bytes set by re‐
1255              ceive_buffer_size   exceeds   the   system-wide   maximum   from
1256              /proc/sys/net/core/rmem_max, this option can be used to override
1257              the  limit.   Enabling  this  option requires special privileges
1258              (CAP_NET_ADMIN).
1259
1260
1261       charon.plugins.kernel-netlink.fwmark []
1262              Firewall mark to set on the routing rule that directs traffic to
1263              our  routing  table. The format is [!]mark[/mask], where the op‐
1264              tional exclamation mark inverts the meaning (i.e. the rule  only
1265              applies to packets that don't match the mark).
1266
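       The mark-and-exclude setup that the allow_peer_ts and fwmark options
       above refer to, as one configuration. This is an added example, not a
       fragment from the strongSwan documentation or source tree; the mark
       value 42 is an arbitrary choice.

```conf
charon {
    plugins {
        socket-default {
            # Mark every IKE packet (UDP 500/4500) that charon sends.
            fwmark = 42
        }
        kernel-netlink {
            # The routing rule pointing at charon's own routing table applies
            # only to packets NOT carrying mark 42, so marked IKE traffic keeps
            # using the main table even when the peer's address falls inside a
            # traffic selector (e.g. a 0.0.0.0/0 remote TS).
            fwmark = !42
        }
        kernel-libipsec {
            # Permit a remote TS that covers the peer. UDP-encapsulated ESP is
            # sent through the IKE socket and so carries the same mark; raw ESP
            # (raw_esp = yes) is marked via kernel-libipsec.fwmark, whose
            # default is socket-default.fwmark, so nothing else is needed.
            allow_peer_ts = yes
        }
    }
}
```

       To check the result, inspect the policy rule the plugin installs (ip
       rule show) and confirm that it carries the negated mark; an IKE
       retransmission after a rekey is the first thing that breaks when the
       mark is missing.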
1267
1268       charon.plugins.kernel-netlink.hw_offload_feature_interface [lo]
1269              If  the kernel supports hardware offloading, the plugin needs to
1270              find the feature flag which represents hardware offloading  sup‐
1271              port  for  network  devices.  Using the loopback device for this
1272              purpose is usually fine, since it should always be present.  For
1273              rare cases in which the loopback device cannot be used to obtain
1274              the appropriate feature flag, this option can be used to specify
1275              an alternative interface for offload feature detection.
1276
1277
1278       charon.plugins.kernel-netlink.ignore_retransmit_errors [no]
1279              Whether  to  ignore errors potentially resulting from a retrans‐
1280              mission.
1281
1282
1283       charon.plugins.kernel-netlink.install_routes_xfrmi [no]
1284              Whether routes via XFRM interfaces are  automatically  installed
1285              for  SAs that reference such an interface via if_id_out.  If the
1286              traffic selectors include the IKE traffic to the peer, this  re‐
1287              quires  special  care  (e.g.  installing  bypass policies and/or
1288              routes, or setting a mark on the IKE socket and  excluding  such
1289              packets from the configured routing table via fwmark option).
1290
1291
1292       charon.plugins.kernel-netlink.mss [0]
1293              MSS to set on installed routes, 0 to disable.
1294
1295
1296       charon.plugins.kernel-netlink.mtu [0]
1297              MTU to set on installed routes, 0 to disable.
1298
1299
1300       charon.plugins.kernel-netlink.parallel_route [no]
1301              Whether  to perform concurrent Netlink ROUTE queries on a single
1302              socket. While parallel queries can improve  throughput,  they
1303              more  overhead.  On  vanilla Linux, DUMP queries fail with EBUSY
1304              and must be retried, further decreasing performance.
1305
1306
1307       charon.plugins.kernel-netlink.parallel_xfrm [no]
1308              Whether to perform concurrent Netlink XFRM queries on  a  single
1309              socket.
1310
1311
1312       charon.plugins.kernel-netlink.policy_update [no]
1313              Whether to always use XFRM_MSG_UPDPOLICY to install policies.
1314
1315
1316       charon.plugins.kernel-netlink.port_bypass [no]
1317              Whether  to  use  port or socket based IKE XFRM bypass policies.
1318              IKE bypass policies are used to exempt  IKE  traffic  from  XFRM
1319              processing.  The default socket based policies are directly tied
1320              to the IKE UDP sockets, port based policies use global XFRM  by‐
1321              pass policies for the used IKE UDP ports.
1322
1323
1324       charon.plugins.kernel-netlink.process_rules [no]
1325              Whether  to  process  changes  in  routing rules to trigger roam
1326              events. This is currently only useful if the kernel based  route
1327              lookup is used (i.e. if route installation is disabled or an in‐
1328              verted fwmark match is configured).
1329
1330
1331       charon.plugins.kernel-netlink.receive_buffer_size [0]
1332              Maximum Netlink socket receive buffer in bytes. This value  con‐
1333              trols  how  many  bytes of Netlink messages can be received on a
1334              Netlink    socket.    The    default    value    is    set    by
1335              /proc/sys/net/core/rmem_default.  The specified value cannot ex‐
1336              ceed the system-wide maximum  from  /proc/sys/net/core/rmem_max,
1337              unless force_receive_buffer_size is enabled.
1338
1339
1340       charon.plugins.kernel-netlink.retries [0]
1341              Number of Netlink message retransmissions to send on timeout.
1342
1343
1344       charon.plugins.kernel-netlink.roam_events [yes]
1345              Whether  to  trigger  roam  events when interfaces, addresses or
1346              routes change.
1347
1348
1349       charon.plugins.kernel-netlink.set_proto_port_transport_sa [no]
1350              Whether to set protocol and ports in the selector  installed  on
1351              transport  mode IPsec SAs in the kernel. While doing so enforces
1352              policies for inbound traffic, it also prevents the use of a sin‐
1353              gle IPsec SA by more than one traffic selector.
1354
1355
1356       charon.plugins.kernel-netlink.spdh_thresh
1357              XFRM policy hashing threshold configuration for IPv4 and IPv6.
1358
1359              The  section defines hashing thresholds to configure in the ker‐
1360              nel during daemon startup. Each address family takes a threshold
1361              for  the  local  subnet of an IPsec policy (src in out-policies,
1362              dst in in- and forward-policies) and the remote subnet  (dst  in
1363              out-policies, src in in- and forward-policies).
1364
1365              If the prefix length of the subnet is greater than or equal  to
1366              the threshold, the first threshold bits are used to calculate a
1367              hash to look up the policy.
1368
1369              Policy  hashing  thresholds  are not supported before Linux 3.18
1370              and might conflict with socket policies before Linux 4.8.
1371
1372
1373       charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits [32]
1374              Local subnet XFRM policy hashing threshold for IPv4.
1375
1376
1377       charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits [32]
1378              Remote subnet XFRM policy hashing threshold for IPv4.
1379
1380
1381       charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits [128]
1382              Local subnet XFRM policy hashing threshold for IPv6.
1383
1384
1385       charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits [128]
1386              Remote subnet XFRM policy hashing threshold for IPv6.
1387
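       A worked spdh_thresh setting for a hub gateway whose site-to-site
       policies all use /24 (IPv4) or /64 (IPv6) subnets. This is an added
       example, not a fragment from the strongSwan documentation or source
       tree; the prefix lengths are chosen for that assumed deployment.

```conf
charon {
    plugins {
        kernel-netlink {
            # With the defaults (32/32 and 128/128) only host policies are
            # hashed and every /24 site policy ends up on the kernel's linear
            # list. Hashing on the first 24 (resp. 64) bits covers all subnets
            # with a prefix length of 24 (64) or longer. A policy with a
            # shorter prefix, say 10.0.0.0/16, is still matched linearly.
            spdh_thresh {
                ipv4 {
                    lbits = 24
                    rbits = 24
                }
                ipv6 {
                    lbits = 64
                    rbits = 64
                }
            }
        }
    }
}
```

       Because the default IKE bypass policies are socket policies (see
       port_bypass above), and the page notes that hashing thresholds might
       conflict with socket policies before Linux 4.8, on older kernels either
       leave the thresholds at their defaults or set port_bypass = yes.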
1388
1389       charon.plugins.kernel-netlink.timeout [0]
1390              Netlink message retransmission timeout, 0 to disable retransmis‐
1391              sions.
1392
1393
1394       charon.plugins.kernel-netlink.xfrm_acq_expires [165]
1395              Lifetime  of XFRM acquire state created by the kernel when traf‐
1396              fic  matches  a  trap  policy.  The  value   gets   written   to
1397              /proc/sys/net/core/xfrm_acq_expires.   Indirectly  controls  the
1398              delay between XFRM acquire messages triggered by the kernel  for
1399              a  trap policy. The same value is used as timeout for SPIs allo‐
1400              cated by the kernel. The default value equals the total retrans‐
1401              mission timeout for IKE messages, see IKEv2  RETRANSMISSION  in
1402              strongswan.conf(5).
1403
1404
1405
1406       charon.plugins.kernel-pfkey.events_buffer_size [0]
1407              Size of the receive buffer for the event socket (0  for  default
1408              size).  Because  events  are  received asynchronously installing
1409              e.g. lots of policies may require a larger buffer than  the  de‐
1410              fault on certain platforms in order to receive all messages.
1411
1412
1413       charon.plugins.kernel-pfkey.route_via_internal [no]
1414              Whether  to  use the internal or external interface in installed
1415              routes. The internal interface is the one where the  IP  address
1416              contained in the local traffic selector is located, the external
1417              interface is the one over which the destination address  of  the
1418              IPsec tunnel can be reached. This is not relevant if virtual IPs
1419              are used, for which a TUN device is created that's used  in  the
1420              routes.
1421
1422
1423       charon.plugins.kernel-pfroute.mtu [1400]
1424              MTU to set on TUN devices created for virtual IPs.
1425
1426
1427       charon.plugins.kernel-pfroute.vip_wait [1000]
1428              Time  in  ms to wait until virtual IP addresses appear/disappear
1429              before failing.
1430
1431
1432       charon.plugins.led.activity_led []
1433
1434       charon.plugins.led.blink_time [50]
1435
1436       charon.plugins.load-tester
1437              Section to configure the load-tester plugin, see LOAD  TESTS  in
1438              strongswan.conf(5) for details.
1439
1440
1441       charon.plugins.load-tester.addrs
1442              Section  that  contains  key/value  pairs with address pools (in
1443              CIDR notation) to use for a specific network interface e.g. eth0
1444              = 10.10.0.0/16.
1445
1446
1447       charon.plugins.load-tester.addrs_keep [no]
1448              Whether  to  keep dynamic addresses even after the associated SA
1449              got terminated.
1450
1451
1452       charon.plugins.load-tester.addrs_prefix [16]
1453              Network prefix length to use when installing dynamic  addresses.
1454              If set to -1 the full address is used (i.e. 32 or 128).
1455
1456
1457       charon.plugins.load-tester.ca_dir []
1458              Directory to load (intermediate) CA certificates from.
1459
1460
1461       charon.plugins.load-tester.child_rekey [600]
1462              Seconds to start CHILD_SA rekeying after setup.
1463
1464
1465       charon.plugins.load-tester.crl []
1466              URI  to  a  CRL  to include as certificate distribution point in
1467              generated certificates.
1468
1469
1470       charon.plugins.load-tester.delay [0]
1471              Delay between initiations for each thread.
1472
1473
1474       charon.plugins.load-tester.delete_after_established [no]
1475              Delete an IKE_SA as soon as it has been established.
1476
1477
1478       charon.plugins.load-tester.digest [sha1]
1479              Digest algorithm used when issuing certificates.
1480
1481
1482       charon.plugins.load-tester.dpd_delay [0]
1483              DPD delay to use in load test.
1484
1485
1486       charon.plugins.load-tester.dynamic_port [0]
1487              Base port to be used for requests (each client uses a  different
1488              port).
1489
1490
1491       charon.plugins.load-tester.eap_password [default-pwd]
1492              EAP secret to use in load test.
1493
1494
1495       charon.plugins.load-tester.enable [no]
1496              Enable  the  load  testing  plugin.   WARNING: Never enable this
1497              plugin on production systems. It  provides  preconfigured  cre‐
1498              dentials and allows an attacker to authenticate as any user.
1499
1500
1501       charon.plugins.load-tester.esp [aes128-sha1]
1502              CHILD_SA proposal to use for load tests.
1503
1504
1505       charon.plugins.load-tester.fake_kernel [no]
1506              Fake the kernel interface to allow load-testing against self.
1507
1508
1509       charon.plugins.load-tester.ike_rekey [0]
1510              Seconds to start IKE_SA rekeying after setup.
1511
1512
1513       charon.plugins.load-tester.init_limit [0]
1514              Global limit of concurrently established SAs during load test.
1515
1516
1517       charon.plugins.load-tester.initiator [0.0.0.0]
1518              Address to initiate from.
1519
1520
1521       charon.plugins.load-tester.initiator_auth [pubkey]
1522              Authentication method(s) the initiator uses.
1523
1524
1525       charon.plugins.load-tester.initiator_id []
1526              Initiator ID used in load test.
1527
1528
1529       charon.plugins.load-tester.initiator_match []
1530              Initiator ID to match against as responder.
1531
1532
1533       charon.plugins.load-tester.initiator_tsi []
1534              Traffic selector on initiator side, as proposed by initiator.
1535
1536
1537       charon.plugins.load-tester.initiator_tsr []
1538              Traffic selector on responder side, as proposed by initiator.
1539
1540
1541       charon.plugins.load-tester.initiators [0]
1542              Number of concurrent initiator threads to use in load test.
1543
1544
1545       charon.plugins.load-tester.issuer_cert []
1546              Path  to  the issuer certificate (if not configured a hard-coded
1547              default value is used).
1548
1549
1550       charon.plugins.load-tester.issuer_key []
1551              Path to private key that is used to issue certificates  (if  not
1552              configured a hard-coded default value is used).
1553
1554
1555       charon.plugins.load-tester.iterations [1]
1556              Number of IKE_SAs to initiate by each initiator in load test.
1557
1558
1559       charon.plugins.load-tester.mode [tunnel]
1560              IPsec mode to use, one of tunnel, transport, or beet.
1561
1562
1563
1564       charon.plugins.load-tester.pool []
1565              Provide INTERNAL_IPV4_ADDRs from a named pool.
1566
1567
1568       charon.plugins.load-tester.preshared_key [<default-psk>]
1569              Preshared key to use in load test.
1570
1571
1572       charon.plugins.load-tester.proposal [aes128-sha1-modp768]
1573              IKE proposal to use in load test.
1574
1575
1576       charon.plugins.load-tester.request_virtual_ip [no]
1577              Request  an  INTERNAL_IPV4_ADDR  and INTERNAL_IPV6_ADDR from the
1578              server.
1579
1580
1581       charon.plugins.load-tester.responder [127.0.0.1]
1582              Address to initiation connections to.
1583
1584
1585       charon.plugins.load-tester.responder_auth [pubkey]
1586              Authentication method(s) the responder uses.
1587
1588
1589       charon.plugins.load-tester.responder_id []
1590              Responder ID used in load test.
1591
1592
1593       charon.plugins.load-tester.responder_tsi [initiator_tsi]
1594              Traffic selector on initiator side, as narrowed by responder.
1595
1596
1597       charon.plugins.load-tester.responder_tsr [initiator_tsr]
1598              Traffic selector on responder side, as narrowed by responder.
1599
1600
1601       charon.plugins.load-tester.shutdown_when_complete [no]
1602              Shutdown the daemon after all IKE_SAs have been established.
1603
1604
1605       charon.plugins.load-tester.socket [unix://${piddir}/charon.ldt]
1606              Socket provided by the load-tester plugin.
1607
1608
1609       charon.plugins.load-tester.version [0]
1610              IKE version to use (0 means use IKEv2 as  initiator  and  accept
1611              any version as responder).
1612
1613
       charon.plugins.lookip.socket [unix://${piddir}/charon.lkp]
              Socket provided by the lookip plugin.


       charon.plugins.ntru.parameter_set [optimum]
              The following parameter sets are available: x9_98_speed,
              x9_98_bandwidth, x9_98_balance and optimum, the last set not
              being part of the X9.98 standard but having the best performance.


       charon.plugins.openssl.engine_id [pkcs11]
              ENGINE ID to use in the OpenSSL plugin.


       charon.plugins.openssl.fips_mode [0]
              Set OpenSSL FIPS mode.  With OpenSSL before 3.0, the supported
              values are disabled(0), enabled(1) and Suite B enabled(2).  With
              OpenSSL 3+, any value other than 0 will explicitly load the fips
              and base providers (load_legacy will be ignored).  The latter
              still requires the config in fipsmodule.cnf (e.g. for the
              module's MAC), but allows explicitly loading the provider if it's
              not activated in that config.


       charon.plugins.openssl.load_legacy [yes]
              Load the legacy provider in OpenSSL 3+ for algorithms like MD4,
              DES, or Blowfish (the first two are required for EAP-MSCHAPv2).
              If disabled, the default provider is loaded, or those configured
              in the OpenSSL config (e.g. the fips provider).


       charon.plugins.osx-attr.append [yes]
              Whether DNS servers are appended to existing entries, instead of
              replacing them.


       charon.plugins.p-cscf.enable
              Section to enable requesting P-CSCF server addresses for
              individual connections.


       charon.plugins.p-cscf.enable.<conn> [no]
              <conn> is the name of a connection with an ePDG from which to
              request P-CSCF server addresses.  Requests will be sent for
              addresses of the same families for which internal IPs are
              requested.


       charon.plugins.pkcs11.modules
              List of available PKCS#11 modules.


       charon.plugins.pkcs11.modules.<name>.load_certs [yes]
              Whether to automatically load certificates from tokens.


       charon.plugins.pkcs11.modules.<name>.os_locking [no]
              Whether OS locking should be enabled for this module.


       charon.plugins.pkcs11.modules.<name>.path []
              Full path to the shared object file of this PKCS#11 module.


       charon.plugins.pkcs11.reload_certs [no]
              Reload certificates from all tokens if charon receives a SIGHUP.


       charon.plugins.pkcs11.use_dh [no]
              Whether the PKCS#11 modules should be used for DH and ECDH (see
              use_ecc option).


       charon.plugins.pkcs11.use_ecc [no]
              Whether the PKCS#11 modules should be used for ECDH and ECDSA
              public key operations. ECDSA private keys can be used regardless
              of this option.


       charon.plugins.pkcs11.use_hasher [no]
              Whether the PKCS#11 modules should be used to hash data.


       charon.plugins.pkcs11.use_pubkey [no]
              Whether the PKCS#11 modules should be used for public key
              operations, even for keys not stored on tokens.


       charon.plugins.pkcs11.use_rng [no]
              Whether the PKCS#11 modules should be used as RNG.


       charon.plugins.radattr.dir []
              Directory where RADIUS attributes are stored in client-ID
              specific files.


       charon.plugins.radattr.message_id [-1]
              Attributes are added to all IKE_AUTH messages by default (-1),
              or only to the IKE_AUTH message with the given IKEv2 message ID.


       charon.plugins.random.random [${random_device}]
              File to read random bytes from.


       charon.plugins.random.strong_equals_true [no]
              If set to yes the RNG_STRONG class reads random bytes from the
              same source as the RNG_TRUE class.


       charon.plugins.random.urandom [${urandom_device}]
              File to read pseudo random bytes from.


       charon.plugins.resolve.file [/etc/resolv.conf]
              File to add DNS server entries to if not using resolvconf(8).


       charon.plugins.resolve.resolvconf.iface [lo.ipsec]
              The interface name and protocol sent to resolvconf(8).  This has
              to be a valid interface name according to the rules defined by
              resolvconf.  Also, it should have a high priority according to
              the order defined in interface-order(5) if relevant on the
              system.


       charon.plugins.resolve.resolvconf.path [/sbin/resolvconf]
              Path/command for resolvconf(8).  The command is executed by a
              shell, so "resolvconf" will work if it's in $PATH of the daemon.

              If not configured, resolvconf(8) will be used if found at the
              default location.  Otherwise, the file in
              charon.plugins.resolve.file will be modified directly.


       charon.plugins.revocation.enable_crl [yes]
              Whether CRL validation should be enabled.


       charon.plugins.revocation.enable_ocsp [yes]
              Whether OCSP validation should be enabled.


       charon.plugins.revocation.timeout [10s]
              Timeout used when fetching OCSP/CRL.


       charon.plugins.save-keys.esp [no]
              Whether to save ESP keys.


       charon.plugins.save-keys.ike [no]
              Whether to save IKE keys.


       charon.plugins.save-keys.load [no]
              Whether to load the plugin.


       charon.plugins.save-keys.wireshark_keys []
              Directory where the keys are stored in the format supported by
              Wireshark. IKEv1 keys are stored in the ikev1_decryption_table
              file.  IKEv2 keys are stored in the ikev2_decryption_table file.
              Keys for ESP CHILD_SAs are stored in the esp_sa file.


       charon.plugins.socket-default.fwmark []
              Firewall mark to set on outbound packets.


       charon.plugins.socket-default.set_source [yes]
              Set source address on outbound packets, if possible.


       charon.plugins.socket-default.set_sourceif [no]
              Force sending interface on outbound packets, if possible.  This
              allows using IPv6 link-local addresses as tunnel endpoints.


       charon.plugins.socket-default.use_ipv4 [yes]
              Listen on IPv4, if possible.


       charon.plugins.socket-default.use_ipv6 [yes]
              Listen on IPv6, if possible.


       charon.plugins.sql.database []
              Database URI for charon's SQL plugin. If it contains a password,
              make sure to adjust the permissions of the config file
              accordingly.


       charon.plugins.sql.loglevel [-1]
              Loglevel for logging to SQL database.


       charon.plugins.stroke.allow_swap [yes]
              Analyze addresses/hostnames in left|right to detect which side
              is local and swap configuration options if necessary.  If
              disabled, left is always local.


       charon.plugins.stroke.ignore_missing_ca_basic_constraint [no]
              Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections
              as CA certificates even if they don't contain a CA basic
              constraint.


       charon.plugins.stroke.max_concurrent [4]
              Maximum number of stroke messages handled concurrently.


       charon.plugins.stroke.prevent_loglevel_changes [no]
              If enabled, log level changes via the stroke socket are not
              allowed.


       charon.plugins.stroke.secrets_file [${sysconfdir}/ipsec.secrets]
              Location of the ipsec.secrets file.


       charon.plugins.stroke.socket [unix://${piddir}/charon.ctl]
              Socket provided by the stroke plugin.


       charon.plugins.stroke.timeout [0]
              Timeout in ms for any stroke command. Use 0 to disable the
              timeout.


       charon.plugins.systime-fix.interval [0]
              Interval in seconds to check system time for validity.  0
              disables the check.


       charon.plugins.systime-fix.reauth [no]
              Whether to use reauth or delete if an invalid cert lifetime is
              detected.


       charon.plugins.systime-fix.threshold []
              Threshold date where system time is considered valid.  Disabled
              if not specified.


       charon.plugins.systime-fix.threshold_format [%Y]
              strptime(3) format used to parse threshold option.


       charon.plugins.systime-fix.timeout [0s]
              How long to wait for a valid system time if an interval is
              configured. 0 to recheck indefinitely.


       charon.plugins.tnc-ifmap.client_cert []
              Path to X.509 certificate file of IF-MAP client.


       charon.plugins.tnc-ifmap.client_key []
              Path to private key file of IF-MAP client.


       charon.plugins.tnc-ifmap.device_name []
              Unique name of strongSwan server as a PEP and/or PDP device.


       charon.plugins.tnc-ifmap.renew_session_interval [150]
              Interval in seconds between periodic IF-MAP RenewSession
              requests.


       charon.plugins.tnc-ifmap.server_cert []
              Path to X.509 certificate file of IF-MAP server.


       charon.plugins.tnc-ifmap.server_uri [https://localhost:8444/imap]
              URI of the form [https://]servername[:port][/path].


       charon.plugins.tnc-ifmap.username_password []
              Credentials of IF-MAP client of the form username:password. If
              set, make sure to adjust the permissions of the config file
              accordingly.


       charon.plugins.tnc-imc.dlclose [yes]
              Unload IMC after use.


       charon.plugins.tnc-imc.preferred_language [en]
              Preferred language for TNC recommendations.


       charon.plugins.tnc-imv.dlclose [yes]
              Unload IMV after use.


       charon.plugins.tnc-imv.recommendation_policy [default]
              TNC recommendation policy, one of default, any, or all.


       charon.plugins.tnc-pdp.pt_tls.enable [yes]
              Enable PT-TLS protocol on the strongSwan PDP.


       charon.plugins.tnc-pdp.pt_tls.port [271]
              PT-TLS server port the strongSwan PDP is listening on.


       charon.plugins.tnc-pdp.radius.enable [yes]
              Enable RADIUS protocol on the strongSwan PDP.


       charon.plugins.tnc-pdp.radius.method [ttls]
              EAP tunnel method to be used.


       charon.plugins.tnc-pdp.radius.port [1812]
              RADIUS server port the strongSwan PDP is listening on.


       charon.plugins.tnc-pdp.radius.secret []
              Shared RADIUS secret between strongSwan PDP and NAS. If set,
              make sure to adjust the permissions of the config file
              accordingly.


       charon.plugins.tnc-pdp.server []
              Name of the strongSwan PDP as contained in the AAA certificate.


       charon.plugins.tnc-pdp.timeout []
              Timeout in seconds before closing incomplete connections.


       charon.plugins.tnccs-11.max_message_size [45000]
              Maximum size of a PA-TNC message (XML & Base64 encoding).


       charon.plugins.tnccs-20.max_batch_size [65522]
              Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).


       charon.plugins.tnccs-20.max_message_size [65490]
              Maximum size of a PA-TNC message (upper limit via PT-EAP =
              65497).


       charon.plugins.tnccs-20.mutual [no]
              Enable PB-TNC mutual protocol.


       charon.plugins.tnccs-20.tests.pb_tnc_noskip [no]
              Send an unsupported PB-TNC message type with the NOSKIP flag
              set.


       charon.plugins.tnccs-20.tests.pb_tnc_version [2]
              Send a PB-TNC batch with a modified PB-TNC version.


       charon.plugins.tpm.ek_handle []
              Handle of the RSA or ECC Endorsement Key (EK) to be used to set
              up an authenticated session with a TPM 2.0 (e.g. 0x81010001).


       charon.plugins.tpm.fips_186_4 [no]
              Whether the TPM 2.0 is FIPS-186-4 compliant, which forces e.g.
              the use of the default salt length instead of the maximum salt
              length with RSAPSS padding.


       charon.plugins.tpm.tcti.name [device|tabrmd]
              Name of TPM 2.0 TCTI library. Valid values: tabrmd, device or
              mssim.  Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0
              resource manager device exists, and tabrmd otherwise, requiring
              the d-bus based TPM 2.0 access broker and resource manager to be
              available.


       charon.plugins.tpm.tcti.opts [/dev/tpmrm0|<none>]
              Options for the TPM 2.0 TCTI library. Defaults are /dev/tpmrm0
              if the TCTI library name is device and no options otherwise.


       charon.plugins.tpm.use_rng [no]
              Whether the TPM should be used as RNG. For security reasons
              enable only if an authenticated session can be set up (see
              ek_handle option).


       charon.plugins.unbound.dlv_anchors []
              File to read trusted keys for DLV (DNSSEC Lookaside Validation)
              from. It uses the same format as trust_anchors.  Only one DLV
              can be configured, which is then used as a root trusted DLV;
              this means that it is a lookaside for the root.


       charon.plugins.unbound.resolv_conf [/etc/resolv.conf]
              File to read DNS resolver configuration from.


       charon.plugins.unbound.trust_anchors [${sysconfdir}/ipsec.d/dnssec.keys]
              File to read DNSSEC trust anchors from (usually root zone KSK).
              The format of the file is the standard DNS Zone file format;
              anchors can be stored as DS or DNSKEY entries in the file.


       charon.plugins.updown.dns_handler [no]
              Whether the updown script should handle DNS servers assigned via
              IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they
              can't be handled by other plugins, like resolve).


       charon.plugins.vici.socket [unix://${piddir}/charon.vici]
              Socket on which the vici plugin serves clients.


       charon.plugins.whitelist.enable [yes]
              Enable loaded whitelist plugin.


       charon.plugins.whitelist.socket [unix://${piddir}/charon.wlst]
              Socket provided by the whitelist plugin.


       charon.plugins.wolfssl.fips_mode [no]
              Enable to prevent loading the plugin if wolfSSL is not in FIPS
              mode.


       charon.plugins.xauth-eap.backend [radius]
              EAP plugin to be used as backend for XAuth credential
              verification.


       charon.plugins.xauth-pam.pam_service [login]
              PAM service to be used for authentication.


       charon.plugins.xauth-pam.session [no]
              Open/close a PAM session for each active IKE_SA.


       charon.plugins.xauth-pam.trim_email [yes]
              If an email address is received as an XAuth username, trim it to
              just the username part.


       charon.port [500]
              UDP port used locally. If set to 0 a random port will be
              allocated.


       charon.port_nat_t [4500]
              UDP port used locally in case of NAT-T. If set to 0 a random
              port will be allocated.  Has to be different from charon.port,
              otherwise a random port will be allocated.


       charon.prefer_best_path [no]
              By default, charon keeps SAs on the routing path with addresses
              it previously used if that path is still usable. By setting this
              option to yes, it tries more aggressively to update SAs with
              MOBIKE on routing priority changes using the cheapest path.  This
              adds more noise, but allows dynamically adapting SAs to routing
              priority changes. This option has no effect if MOBIKE is not
              supported or disabled.


       charon.prefer_configured_proposals [yes]
              Prefer locally configured proposals for IKE/IPsec over supplied
              ones as responder (disabling this can avoid keying retries due
              to INVALID_KE_PAYLOAD notifies).


       charon.prefer_temporary_addrs [no]
              By default, permanent IPv6 source addresses are preferred over
              temporary ones (RFC 4941), to make connections more stable.
              Enable this option to reverse this.

              It also affects which IPv6 addresses are announced as additional
              addresses if MOBIKE is used.  If the option is disabled, only
              permanent addresses are sent, and only temporary ones if it is
              enabled.


       charon.process_route [yes]
              Process RTM_NEWROUTE and RTM_DELROUTE events.


       charon.processor.priority_threads
              Section to configure the number of reserved threads per priority
              class, see JOB PRIORITY MANAGEMENT in strongswan.conf(5).


       charon.rdn_matching [strict]
              How RDNs in subject DNs of certificates are matched against
              configured identities. Possible values are strict (the default),
              reordered, and relaxed.  With strict the number, type and order
              of all RDNs have to match; wildcards (*) for the values of RDNs
              are allowed (that's the case for all three variants). Using
              reordered also matches DNs if the RDNs appear in a different
              order; the number and type still have to match. Finally, relaxed
              also allows matches of DNs that contain more RDNs than the
              configured identity (missing RDNs are treated like a wildcard
              match).

              Note that reordered and relaxed impose a considerable overhead
              on memory usage and runtime, in particular for mismatches,
              compared to strict.
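
              The three matching modes, as an added example that is not part
              of this man page or of strongSwan's code: a small Python matcher
              over parsed RDN lists.  The comma-separated type=value string
              syntax, verbatim value comparison, and treating relaxed as
              reordered plus "subject may carry extra RDNs" are simplifying
              assumptions of this example, not a description of charon's
              internal DN handling.

```python
# Added example: models the strict/reordered/relaxed modes of charon.rdn_matching.
# Not strongSwan code. DN string syntax and exact value comparison are
# simplifications (real DNs are compared after ASN.1 decoding).
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "moon")


def parse_dn(dn: str) -> List[RDN]:
    """Parse 'C=CH, O=strongSwan, CN=moon' into an ordered list of RDNs.

    Assumes values contain neither commas nor '=' (assumption of this example).
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def rdn_matches(configured: RDN, actual: RDN) -> bool:
    """One RDN matches if the type is equal and the configured value is equal or '*'."""
    return configured[0] == actual[0] and configured[1] in ("*", actual[1])


def match_dn(configured: str, subject: str, mode: str = "strict") -> bool:
    """Return True if the certificate subject DN matches the configured identity.

    strict:    same number, type and order of RDNs (wildcard values allowed)
    reordered: same number and types, in any order
    relaxed:   as reordered, but the subject may contain additional RDNs
    """
    conf = parse_dn(configured)
    subj = parse_dn(subject)

    if mode == "strict":
        return len(conf) == len(subj) and all(
            rdn_matches(c, s) for c, s in zip(conf, subj))
    if mode == "reordered" and len(conf) != len(subj):
        return False
    if mode == "relaxed" and len(conf) > len(subj):
        return False
    if mode not in ("reordered", "relaxed"):
        raise ValueError(f"unknown rdn_matching mode: {mode}")

    # Pair every configured RDN with a distinct subject RDN. Backtracking is
    # needed because a wildcard (CN=*) could greedily consume the only subject
    # RDN that a later, more specific configured RDN (CN=moon) requires.
    # This search is also why the man page warns that reordered and relaxed
    # cost more than strict, especially on mismatches.
    def assign(i: int, used: List[bool]) -> bool:
        if i == len(conf):
            return True
        for j, s in enumerate(subj):
            if not used[j] and rdn_matches(conf[i], s):
                used[j] = True
                if assign(i + 1, used):
                    return True
                used[j] = False
        return False

    return assign(0, [False] * len(subj))
```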


       charon.receive_delay [0]
              Delay in ms for receiving packets, to simulate larger RTT.


       charon.receive_delay_request [yes]
              Delay request messages.


       charon.receive_delay_response [yes]
              Delay response messages.


       charon.receive_delay_type [0]
              Specific IKEv2 message type to delay, 0 for any.


       charon.replay_window [32]
              Size of the AH/ESP replay window, in packets.


       charon.reqid_base [1]
              Value of the first reqid to be automatically assigned to a
              CHILD_SA.


       charon.retransmit_base [1.8]
              Base to use for calculating exponential back off, see IKEv2
              RETRANSMISSION in strongswan.conf(5).


       charon.retransmit_jitter [0]
              Maximum jitter in percent to apply randomly to calculated
              retransmission timeout (0 to disable).


       charon.retransmit_limit [0]
              Upper limit in seconds for calculated retransmission timeout (0
              to disable).


       charon.retransmit_timeout [4.0]
              Timeout in seconds before sending first retransmit.


       charon.retransmit_tries [5]
              Number of times to retransmit a packet before giving up.
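
              A worked schedule for the retransmit_* options above, as an added
              example that is not part of this man page or of strongSwan: the
              n-th wait is retransmit_timeout * retransmit_base^(n-1) (the
              formula given in the IKEv2 RETRANSMISSION section), capped by
              retransmit_limit; the exchange is given up when the wait after
              the last retransmit expires.  Modelling retransmit_jitter as a
              random reduction of up to that many percent is an assumption of
              this example.

```python
# Added example: computes the IKEv2 retransmission schedule that the
# charon.retransmit_* options produce. Not strongSwan code.
# Assumptions: wait n = timeout * base**(n-1), capped by limit, then reduced
# by a random share of up to `jitter` percent; after `tries` retransmits one
# more wait elapses before the exchange is declared failed.
import random
from typing import Callable, List, Optional


def retransmit_timeouts(timeout: float = 4.0, base: float = 1.8,
                        tries: int = 5, limit: float = 0.0, jitter: int = 0,
                        rand: Optional[Callable[[], float]] = None) -> List[float]:
    """Return the wait before each retransmit plus the final wait before
    giving up, in seconds (tries + 1 values).

    rand() must return a float in [0, 1); it is only consulted when jitter > 0,
    so a deterministic callable can be passed for reproducible output.
    """
    rand = rand or random.random
    waits = []
    for n in range(1, tries + 2):      # last iteration: wait before giving up
        t = timeout * base ** (n - 1)  # exponential back-off (retransmit_base)
        if limit > 0:
            t = min(t, limit)          # retransmit_limit caps each wait
        if jitter > 0:
            t -= t * jitter / 100.0 * rand()  # up to `jitter` percent shorter
        waits.append(t)
    return waits


def give_up_after(**opts) -> float:
    """Seconds from the first send until the exchange is declared failed."""
    return sum(retransmit_timeouts(**opts))


if __name__ == "__main__":
    # With the defaults ([4.0], [1.8], [5]) the last retransmit goes out after
    # about 89.5 s and the exchange is given up after about 165 s.
    elapsed = 0.0
    schedule = retransmit_timeouts()
    for n, wait in enumerate(schedule[:-1], start=1):
        elapsed += wait
        print(f"retransmit {n} after {wait:6.2f} s (t = {elapsed:6.2f} s)")
    print(f"give up at t = {give_up_after():.2f} s")
    # retransmit_limit bounds how long a dead peer keeps the task alive:
    print("retransmit_limit = 30:",
          [round(w, 2) for w in retransmit_timeouts(limit=30)])
```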


       charon.retry_initiate_interval [0s]
              Interval in seconds to use when retrying to initiate an IKE_SA
              (e.g. if DNS resolution failed), 0 to disable retries.


       charon.reuse_ikesa [yes]
              Initiate CHILD_SA within existing IKE_SAs (always enabled for
              IKEv1).


       charon.routing_table []
              Numerical routing table to install routes to.


       charon.routing_table_prio []
              Priority of the routing table.


       charon.rsa_pss [no]
              Whether to use RSA with PSS padding instead of PKCS#1 padding by
              default.


       charon.rsa_pss_trailerfield [no]
              Whether to encode an explicit trailerField value of 0x01 in the
              RSA-PSS algorithmIdentifier (CONTEXT3) or to use the DEFAULT
              value by omitting it.


       charon.send_delay [0]
              Delay in ms for sending packets, to simulate larger RTT.


       charon.send_delay_request [yes]
              Delay request messages.


       charon.send_delay_response [yes]
              Delay response messages.


       charon.send_delay_type [0]
              Specific IKEv2 message type to delay, 0 for any.


       charon.send_vendor_id [no]
              Send strongSwan vendor ID payload.


       charon.signature_authentication [yes]
              Whether to enable Signature Authentication as per RFC 7427.


       charon.signature_authentication_constraints [yes]
              If enabled, signature schemes configured in rightauth, in
              addition to getting used as constraints against signature schemes
              employed in the certificate chain, are also used as constraints
              against the signature scheme used by peers during IKEv2.


       charon.spi_label [0x0000000000000000]
              Value mixed into the local IKE SPIs after applying spi_mask.


       charon.spi_mask [0x0000000000000000]
              Mask applied to local IKE SPIs before mixing in spi_label (bits
              set will be replaced with spi_label).


       charon.spi_max [0xcfffffff]
              The upper limit for SPIs requested from the kernel for IPsec
              SAs.


       charon.spi_min [0xc0000000]
              The lower limit for SPIs requested from the kernel for IPsec
              SAs.  Should not be set lower than 0x00000100 (256), as SPIs
              between 1 and 255 are reserved by IANA.


       charon.start-scripts
              Section containing a list of scripts (name = path) that are
              executed when the daemon is started.


       charon.stop-scripts
              Section containing a list of scripts (name = path) that are
              executed when the daemon is terminated.


       charon.syslog
              Section to define syslog loggers, see LOGGER CONFIGURATION in
              strongswan.conf(5).


       charon.syslog.<facility>
              <facility> is one of the supported syslog facilities, see LOGGER
              CONFIGURATION in strongswan.conf(5).


       charon.syslog.<facility>.<subsystem> [<default>]
              Loglevel for a specific subsystem.


       charon.syslog.<facility>.default [1]
              Specifies the default loglevel to be used for subsystems for
              which no specific loglevel is defined.


       charon.syslog.<facility>.ike_name [no]
              Prefix each log entry with the connection name and a unique
              numerical identifier for each IKE_SA.


       charon.syslog.<facility>.log_level [no]
              Add the log level of each message after the subsystem (e.g.
              [IKE2]).


       charon.syslog.<facility>.map_level [-1]
              The default setting of -1 passes all messages to syslog using a
              log level of LOG_INFO. A non-negative value maps the strongSwan
              specific loglevels (0..4) to the syslog level starting at the
              specified number. For example, a value of 5 (LOG_NOTICE) maps
              strongSwan loglevel 0 to LOG_NOTICE, level 1 to LOG_INFO, and
              levels 2, 3 and 4 to LOG_DEBUG. This allows (additional)
              filtering of log messages on the syslog server.


       charon.syslog.identifier []
              Global identifier used for an openlog(3) call, prepended to each
              log message by syslog.  If not configured, openlog(3) is not
              called, so the value will depend on system defaults (often the
              program name).


2322       charon.threads [16]
2323              Number of worker threads in charon. Several  of  these  are  re‐
2324              served  for  long running tasks in internal modules and plugins.
2325              Therefore, make sure you don't set this value too low. The  num‐
2326              ber  of  idle  worker threads listed in ipsec statusall might be
2327              used as indicator on the number of reserved threads.
2328
2329
2330       charon.tls.cipher []
2331              List of TLS encryption ciphers.
2332
2333
2334       charon.tls.ke_group []
2335              List of TLS key exchange groups.
2336
2337
2338       charon.tls.key_exchange []
2339              List of TLS key exchange methods.
2340
2341
2342       charon.tls.mac []
2343              List of TLS MAC algorithms.
2344
2345
2346       charon.tls.send_certreq_authorities [yes]
2347              Whether to include CAs in a server's CertificateRequest message.
2348              May be disabled if clients can't handle a long list of CAs.
2349
2350
2351       charon.tls.signature []
2352              List of TLS signature schemes.
2353
2354
2355       charon.tls.suites []
2356              List of TLS cipher suites.
2357
2358
2359       charon.tls.version_max [1.2]
2360              Maximum TLS version to negotiate.
2361
2362
2363       charon.tls.version_min [1.2]
2364              Minimum TLS version to negotiate.
2365
2366
2367       charon.tnc.tnc_config [/etc/tnc_config]
2368              TNC IMC/IMV configuration file.
2369
2370
2371       charon.user []
2372              Name of the user the daemon changes to after startup.
2373
2374
2375       charon.x509.enforce_critical [yes]
2376              Discard certificates with unsupported or unknown critical exten‐
2377              sions.
2378
2379
2380       charon-nm.ca_dir [<default>]
2381              Directory from which to load CA certificates if  no  certificate
2382              is configured.
2383
2384
2385       charon-nm.mtu [1400]
2386              MTU for XFRM interfaces created by the NM plugin.
2387
2388
2389       charon-systemd.journal
2390              Section to configure the native systemd journal logger, very
2391              similar to the syslog logger described in LOGGER CONFIGURATION
2392              in strongswan.conf(5).
2393
2394
2395
2396       charon-systemd.journal.<subsystem> [<default>]
2397              Loglevel for a specific subsystem.
2398
2399
2400       charon-systemd.journal.default [1]
2401              Specifies  the  default  loglevel  to be used for subsystems for
2402              which no specific loglevel is defined.
2403
2404
2405       imv_policy_manager.command_allow []
2406              Shell command executed when the recommendation is allow.
2407
2408
2409       imv_policy_manager.command_block []
2410              Shell command executed for all other recommendations.
2411
2412
2413       imv_policy_manager.database []
2414              Database URI for the database that stores the  package  informa‐
2415              tion. If it contains a password, make sure to adjust the permis‐
2416              sions of the config file accordingly.
2417
2418
2419       imv_policy_manager.load [sqlite]
2420              Plugins to load in IMV policy manager.
2421
2422
2423       libimcv.debug_level [1]
2424              Debug level for a stand-alone libimcv library.
2425
2426
2427       libimcv.load [random nonce gmp pubkey x509]
2428              Plugins to load in IMC/IMVs with stand-alone libimcv library.
2429
2430
2431       libimcv.plugins.imc-attestation.aik_blob []
2432              AIK encrypted private key blob file.
2433
2434
2435       libimcv.plugins.imc-attestation.aik_cert []
2436              AIK certificate file.
2437
2438
2439       libimcv.plugins.imc-attestation.aik_handle []
2440              AIK object handle.
2441
2442
2443       libimcv.plugins.imc-attestation.aik_pubkey []
2444              AIK public key file.
2445
2446
2447       libimcv.plugins.imc-attestation.hash_algorithm [sha384]
2448              Preferred measurement hash algorithm.
2449
2450
2451       libimcv.plugins.imc-attestation.mandatory_dh_groups [yes]
2452              Enforce mandatory Diffie-Hellman groups.
2453
2454
2455       libimcv.plugins.imc-attestation.nonce_len [20]
2456              DH nonce length.
2457
2458
2459       libimcv.plugins.imc-attestation.pcr17_after []
2460              PCR17 value after measurement.
2461
2462
2463       libimcv.plugins.imc-attestation.pcr17_before []
2464              PCR17 value before measurement.
2465
2466
2467       libimcv.plugins.imc-attestation.pcr17_meas []
2468              Dummy measurement value extended into PCR17 if the TBOOT log  is
2469              not available.
2470
2471
2472       libimcv.plugins.imc-attestation.pcr18_after []
2473              PCR18 value after measurement.
2474
2475
2476       libimcv.plugins.imc-attestation.pcr18_before []
2477              PCR18 value before measurement.
2478
2479
2480       libimcv.plugins.imc-attestation.pcr18_meas []
2481              Dummy measurement value extended into PCR18 if the TBOOT log is
2482              not available.
2483
2484
2485       libimcv.plugins.imc-attestation.pcr_info [no]
2486              Whether to send pcr_before and pcr_after info.
2487
2488
2489       libimcv.plugins.imc-attestation.pcr_padding [no]
2490              Whether to pad IMA SHA1 measurements values when extending  into
2491              SHA256 PCR bank.
2492
2493
2494       libimcv.plugins.imc-attestation.use_quote2 [yes]
2495              Use Quote2 AIK signature instead of Quote signature.
2496
2497
2498       libimcv.plugins.imc-attestation.use_version_info [no]
2499              Whether to include version info in the Quote2 signature.
2500
2501
2502       libimcv.plugins.imc-hcd.push_info [yes]
2503              Send quadruple info without being prompted.
2504
2505
2506       libimcv.plugins.imc-hcd.subtypes []
2507              Section to define PWG HCD PA subtypes.
2508
2509
2510       libimcv.plugins.imc-hcd.subtypes.<section> []
2511              Defines a PWG HCD PA subtype section. Recognized subtype section
2512              names are system, control, marker, finisher, interface and scan‐
2513              ner.
2514
2515
2516
2517       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> []
2518              Defines  a  software type section. Recognized software type sec‐
2519              tion names are firmware, resident_application and  user_applica‐
2520              tion.
2521
2522
2523
2524       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> []
2525              Defines a software section having an arbitrary name.
2526
2527
2528       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name []
2529              Name of the software installed on the hardcopy device.
2530
2531
2532       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches
2533       []
2534              String describing all patches applied to the given  software  on
2535              this  hardcopy device. The individual patches are separated by a
2536              newline character '\n'.
2537
2538
2539       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version
2540       []
2541              String  describing  the  version  of  the given software on this
2542              hardcopy device.
2543
2544
2545       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version
2546       []
2547              Hex-encoded version string with a length of 16 octets consisting
2548              of the fields major version number  (4  octets),  minor  version
2549              number  (4  octets), build number (4 octets), service pack major
2550              number (2 octets) and service pack minor number (2 octets).
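
       The 16-octet layout just described is easy to get wrong by hand. The
       following is an added example, not code from strongswan.conf(5) or the
       strongSwan project: an encoder and decoder for that layout. It assumes
       big-endian (network) byte order within each field, which the man page
       does not state, and rejects values that are not exactly 16 octets.

```python
import struct

# Layout stated in strongswan.conf(5) for the hardcopy device version field:
# major (4 octets), minor (4), build (4), service pack major (2), service pack
# minor (2) = 16 octets. Byte order within a field is NOT stated there;
# big-endian is an assumption of this example.
_HCD_VERSION = struct.Struct(">IIIHH")   # size == 16


def encode_hcd_version(major: int, minor: int, build: int,
                       sp_major: int, sp_minor: int) -> str:
    """Pack the five fields into the 32-character hex string the option takes.
    struct raises struct.error if a field does not fit its width."""
    return _HCD_VERSION.pack(major, minor, build, sp_major, sp_minor).hex()


def decode_hcd_version(hexstr: str) -> dict:
    """Inverse of encode_hcd_version; rejects anything but exactly 16 octets."""
    raw = bytes.fromhex(hexstr.strip())          # ValueError on non-hex input
    if len(raw) != _HCD_VERSION.size:
        raise ValueError(f"version must be 16 octets, got {len(raw)}")
    major, minor, build, sp_major, sp_minor = _HCD_VERSION.unpack(raw)
    return {"major": major, "minor": minor, "build": build,
            "sp_major": sp_major, "sp_minor": sp_minor}


def is_valid_hcd_version(hexstr: str) -> bool:
    """True if the string is well-formed (hex digits, correct length)."""
    try:
        decode_hcd_version(hexstr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    v = encode_hcd_version(2, 1, 1234, 0, 1)   # constructed sample values
    print(v)
    print(decode_hcd_version(v))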
2551
2552
2553       libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language
2554       [en]
2555              Variable  length  natural  language  tag  conforming to RFC 5646
2556              specifies the language to be used in the health assessment  mes‐
2557              sage of a given subtype.
2558
2559
2560       libimcv.plugins.imc-hcd.subtypes.system.certification_state []
2561              Hex-encoded certification state.
2562
2563
2564       libimcv.plugins.imc-hcd.subtypes.system.configuration_state []
2565              Hex-encoded configuration state.
2566
2567
2568       libimcv.plugins.imc-hcd.subtypes.system.machine_type_model []
2569              String specifying the machine type and model of the hardcopy de‐
2570              vice.
2571
2572
2573       libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled [no]
2574              Specifies if a PSTN facsimile interface is installed and enabled
2575              on the hardcopy device.
2576
2577
2578       libimcv.plugins.imc-hcd.subtypes.system.time_source []
2579              String  specifying  the hostname of the network time server used
2580              by the hardcopy device.
2581
2582
2583       libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled [no]
2584              Specifies if users can dynamically download and execute applica‐
2585              tions on the hardcopy device.
2586
2587
2588       libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled
2589       [no]
2590              Specifies if user dynamically downloaded applications  can  per‐
2591              sist  outside the boundaries of a single job on the hardcopy de‐
2592              vice.
2593
2594
2595       libimcv.plugins.imc-hcd.subtypes.system.vendor_name []
2596              String specifying the manufacturer of the hardcopy device.
2597
2598
2599       libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code []
2600              Integer specifying the globally unique 24-bit SMI code  assigned
2601              to the manufacturer of the hardcopy device.
2602
2603
2604       libimcv.plugins.imc-os.device_cert []
2605              Manually  set  the  path  to the client device certificate (e.g.
2606              /etc/pts/aikCert.der)
2607
2608
2609       libimcv.plugins.imc-os.device_handle []
2610              Manually set handle to a private key bound to a smartcard or TPM
2611              (e.g.  0x81010004)
2612
2613
2614       libimcv.plugins.imc-os.device_id []
2615              Manually  set  the  client device ID in hexadecimal format (e.g.
2616              1083f03988c9762703b1c1080c2e46f72b99cc31)
2617
2618
2619       libimcv.plugins.imc-os.device_pubkey []
2620              Manually set the path to the  client  device  public  key  (e.g.
2621              /etc/pts/aikPub.der)
2622
2623
2624       libimcv.plugins.imc-os.push_info [yes]
2625              Send operating system info without being prompted.
2626
2627
2628       libimcv.plugins.imc-scanner.push_info [yes]
2629              Send open listening ports without being prompted.
2630
2631
2632       libimcv.plugins.imc-swima.eid_epoch [0x11223344]
2633              Set the 32-bit epoch value for event IDs manually if the software
2634              collector database is not available.
2635
2636
2637       libimcv.plugins.imc-swima.subscriptions [no]
2638              Accept SW Inventory or SW Events subscriptions.
2639
2640
2641       libimcv.plugins.imc-swima.swid_database []
2642              URI to software collector database containing event  timestamps,
2643              software  creation  and  deletion  events and collected software
2644              identifiers. If it contains a password, make sure to adjust  the
2645              permissions of the config file accordingly.
2646
2647
2648       libimcv.plugins.imc-swima.swid_directory [${prefix}/share]
2649              Directory where SWID tags are located.
2650
2651
2652       libimcv.plugins.imc-swima.swid_full [no]
2653              Include file information in the XML-encoded SWID tags.
2654
2655
2656       libimcv.plugins.imc-swima.swid_pretty [no]
2657              Generate XML-encoded SWID tags with pretty indentation.
2658
2659
2660       libimcv.plugins.imc-test.additional_ids [0]
2661              Number of additional IMC IDs.
2662
2663
2664       libimcv.plugins.imc-test.command [none]
2665              Command to be sent to the Test IMV.
2666
2667
2668       libimcv.plugins.imc-test.dummy_size [0]
2669              Size  of  dummy  attribute  to be sent to the Test IMV (0 = dis‐
2670              abled).
2671
2672
2673       libimcv.plugins.imc-test.retry [no]
2674              Do a handshake retry.
2675
2676
2677       libimcv.plugins.imc-test.retry_command []
2678              Command to be sent to the Test IMV in the handshake retry.
2679
2680
2681       libimcv.plugins.imv-attestation.cadir []
2682              Path to the directory holding AIK CA certificates.
2683
2684
2685       libimcv.plugins.imv-attestation.dh_group [ecp256]
2686              Preferred Diffie-Hellman group.
2687
2688
2689       libimcv.plugins.imv-attestation.hash_algorithm [sha384]
2690              Preferred measurement hash algorithm.
2691
2692
2693       libimcv.plugins.imv-attestation.mandatory_dh_groups [yes]
2694              Enforce mandatory Diffie-Hellman groups.
2695
2696
2697       libimcv.plugins.imv-attestation.min_nonce_len [0]
2698              DH minimum nonce length.
2699
2700
2701       libimcv.plugins.imv-os.remediation_uri []
2702              URI pointing to operating system remediation instructions.
2703
2704
2705       libimcv.plugins.imv-scanner.remediation_uri []
2706              URI pointing to scanner remediation instructions.
2707
2708
2709       libimcv.plugins.imv-swima.rest_api.timeout [120]
2710              Timeout of SWID REST API HTTP POST transaction.
2711
2712
2713       libimcv.plugins.imv-swima.rest_api.uri []
2714              HTTP URI of the SWID REST API.
2715
2716
2717       libimcv.plugins.imv-test.rounds [0]
2718              Number of IMC-IMV retry rounds.
2719
2720
2721       libimcv.stderr_quiet [no]
2722              Disable output to stderr with a stand-alone libimcv library.
2723
2724
2725       libimcv.swid_gen.command [/usr/local/bin/swid_generator]
2726              SWID generator command to be executed.
2727
2728
2729       libimcv.swid_gen.tag_creator.name [strongSwan Project]
2730              Name of the tagCreator entity.
2731
2732
2733       libimcv.swid_gen.tag_creator.regid [strongswan.org]
2734              regid of the tagCreator entity.
2735
2736
2737       manager.database []
2738              Credential database URI for manager. If it contains a  password,
2739              make  sure  to adjust the permissions of the config file accord‐
2740              ingly.
2741
2742
2743       manager.debug [no]
2744              Enable debugging in manager.
2745
2746
2747       manager.load []
2748              Plugins to load in manager.
2749
2750
2751       manager.socket []
2752              FastCGI socket of manager, to run it statically.
2753
2754
2755       manager.threads [10]
2756              Threads to use for request handling.
2757
2758
2759       manager.timeout [15m]
2760              Session timeout for manager.
2761
2762
2763       medsrv.database []
2764              Mediation server database URI. If it contains a  password,  make
2765              sure to adjust the permissions of the config file accordingly.
2766
2767
2768       medsrv.debug [no]
2769              Debugging in mediation server web application.
2770
2771
2772       medsrv.dpd [5m]
2773              DPD timeout to use in mediation server plugin.
2774
2775
2776       medsrv.load []
2777              Plugins to load in mediation server plugin.
2778
2779
2780       medsrv.password_length [6]
2781              Minimum  password  length required for mediation server user ac‐
2782              counts.
2783
2784
2785       medsrv.rekey [20m]
2786              Rekeying time  on  mediation  connections  in  mediation  server
2787              plugin.
2788
2789
2790       medsrv.socket []
2791              Run Mediation server web application statically on socket.
2792
2793
2794       medsrv.threads [5]
2795              Number of threads for the mediation service web application.
2796
2797
2798       medsrv.timeout [15m]
2799              Session timeout for mediation service.
2800
2801
2802       pki.load []
2803              Plugins to load in the pki tool.
2804
2805
2806       pki.scep.http_bind []
2807              Source IP address to bind for HTTP operations.
2808
2809
2810       pki.scep.http_timeout [30s]
2811              Timeout for HTTP operations.
2812
2813
2814       pki.scep.renewal_via_pkcs_req [no]
2815              Some SCEP servers (e.g. openxpki) are incorrectly doing certifi‐
2816              cate renewal via messageType PKCSReq (19) instead of  RenewalReq
2817              (17).
2818
2819
2820       pool.database []
2821              Database URI for the database that stores IP pools and
2822              configuration attributes. If it contains a password, make sure
2823              to adjust the permissions of the config file accordingly.
2824
2825
2826       pool.load []
2827              Plugins to load in ipsec pool tool.
2828
2829
2830       sec-updater
2831              Options for the sec-updater tool.
2832
2833
2834       sec-updater.database []
2835              Global  IMV policy database URI. If it contains a password, make
2836              sure to adjust the permissions of the config file accordingly.
2837
2838
2839       sec-updater.load []
2840              Plugins to load in sec-updater tool.
2841
2842
2843       sec-updater.swid_gen.command [/usr/local/bin/swid_generator]
2844              SWID generator command to be executed.
2845
2846
2847       sec-updater.swid_gen.tag_creator.name [strongSwan Project]
2848              Name of the tagCreator entity.
2849
2850
2851       sec-updater.swid_gen.tag_creator.regid [strongswan.org]
2852              regid of the tagCreator entity.
2853
2854
2855       sec-updater.tmp.deb_file [/tmp/sec-updater.deb]
2856              Temporary storage for downloaded deb package file.
2857
2858
2859       sec-updater.tmp.tag_file [/tmp/sec-updater.tag]
2860              Temporary storage for generated SWID tags.
2861
2862
2863       sec-updater.tnc_manage_command [/var/www/tnc/manage.py]
2864              strongTNC manage.py command used to import SWID tags.
2865
2866
2867       starter.config_file [${sysconfdir}/ipsec.conf]
2868              Location of the ipsec.conf file.
2869
2870
2871       starter.load_warning [yes]
2872              Disable charon plugin load option warning.
2873
2874
2875       sw-collector
2876              Options for the sw-collector tool.
2877
2878
2879       sw-collector.database []
2880              URI to software collector database containing event  timestamps,
2881              software  creation  and  deletion  events and collected software
2882              identifiers. If it contains a password, make sure to adjust  the
2883              permissions of the config file accordingly.
2884
2885
2886       sw-collector.first_file [/var/log/bootstrap.log]
2887              Path pointing to file created when the Linux OS was installed.
2888
2889
2890       sw-collector.first_time [0000-00-00T00:00:00Z]
2891              Time in UTC when the Linux OS was installed.
2892
2893
2894       sw-collector.history []
2895              Path pointing to apt history.log file.
2896
2897
2898       sw-collector.load []
2899              Plugins to load in sw-collector tool.
2900
2901
2902       sw-collector.rest_api.timeout [120]
2903              Timeout of REST API HTTP POST transaction.
2904
2905
2906       sw-collector.rest_api.uri []
2907              HTTP URI of the central collector's REST API.
2908
2909
2910       swanctl.load []
2911              Plugins to load in swanctl.
2912
2913
2914       swanctl.socket [unix://${piddir}/charon.vici]
2915              VICI socket to connect to by default.
2916
2917

LOGGER CONFIGURATION

2919       Options  in strongswan.conf(5) provide a much more flexible way to con‐
2920       figure loggers for the IKE daemon charon than using the charondebug op‐
2921       tion in ipsec.conf(5).
2922
2923       Note: If any loggers are specified in strongswan.conf, charondebug does
2924       not have any effect.
2925
2926       There are currently two types of loggers:
2927
2928       File loggers
2929              Log directly to a file and are defined by  specifying  an  arbi‐
2930              trarily named subsection in the charon.filelog section. The full
2931              path to the file is configured in the path setting of that  sub‐
2932              section,  however,  if  it only contains characters permitted in
2933              section names, the setting may also  be  omitted  and  the  path
2934              specified  as  name of the subsection. To log to the console the
2935              two special filenames stdout and stderr may be used.
2936
2937       Syslog loggers
2938              Log into a syslog facility and are defined by specifying the fa‐
2939              cility  to log to as the name of a subsection in the charon.sys‐
2940              log section. The following facilities are  currently  supported:
2941              daemon and auth.
2942
2943       Multiple  loggers  can be defined for each type with different log ver‐
2944       bosity for the different subsystems of the daemon.
2945
2946
2947   Subsystems
2948       dmn    Main daemon setup/cleanup/signal handling
2949
2950       mgr    IKE_SA manager, handling synchronization for IKE_SA access
2951
2952       ike    IKE_SA
2953
2954       chd    CHILD_SA
2955
2956       job    Jobs queueing/processing and thread pool management
2957
2958       cfg    Configuration management and plugins
2959
2960       knl    IPsec/Networking kernel interface
2961
2962       net    IKE network communication
2963
2964       asn    Low-level encoding/decoding (ASN.1, X.509 etc.)
2965
2966       enc    Packet encoding/decoding encryption/decryption operations
2967
2968       tls    libtls library messages
2969
2970       esp    libipsec library messages
2971
2972       lib    libstrongswan library messages
2973
2974       tnc    Trusted Network Connect
2975
2976       imc    Integrity Measurement Collector
2977
2978       imv    Integrity Measurement Verifier
2979
2980       pts    Platform Trust Service
2981
2982   Loglevels
2983       -1     Absolutely silent
2984
2985       0      Very basic auditing logs, (e.g. SA up/SA down)
2986
2987       1      Generic control flow with errors, a good default to  see  what's
2988              going on
2989
2990       2      More detailed debugging control flow
2991
2992       3      Including RAW data dumps in Hex
2993
2994       4      Also include sensitive material in dumps, e.g. keys
2995
2996   Example
2997            charon {
2998                 filelog {
2999                      charon {
3000                           path = /var/log/charon.log
3001                           time_format = %b %e %T
3002                           append = no
3003                           default = 1
3004                      }
3005                      stderr {
3006                           ike = 2
3007                           knl = 3
3008                           ike_name = yes
3009                      }
3010                 }
3011                 syslog {
3012                      # enable logging to LOG_DAEMON, use defaults
3013                      daemon {
3014                      }
3015                      # minimalistic IKE auditing logging to LOG_AUTHPRIV
3016                      auth {
3017                           default = -1
3018                           ike = 0
3019                      }
3020                 }
3021            }
3022
3023

JOB PRIORITY MANAGEMENT

3025       Some  operations  in  the IKEv2 daemon charon are currently implemented
3026       synchronously and blocking. Two examples for such operations are commu‐
3027       nication  with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP in‐
3028       formation during certificate chain verification. Under high load condi‐
3029       tions,  the thread pool may run out of available threads, and some more
3030       important jobs, such as liveness checking,  may  not  get  executed  in
3031       time.
3032
3033       To prevent thread starvation in such situations job priorities were in‐
3034       troduced.  The job processor will reserve some threads for higher  pri‐
3035       ority jobs, these threads are not available for lower priority, locking
3036       jobs.
3037
3038   Implementation
3039       Currently 4 priorities have been defined, and they are used  in  charon
3040       as follows:
3041
3042       CRITICAL
3043              Priority for long-running dispatcher jobs.
3044
3045       HIGH   INFORMATIONAL exchanges, as used by liveness checking (DPD).
3046
3047       MEDIUM Everything not HIGH/LOW, including IKE_SA_INIT processing.
3048
3049       LOW    IKE_AUTH message processing. RADIUS and CRL fetching block here.
3050
3051       Although IKE_SA_INIT processing is computationally expensive, it is ex‐
3052       plicitly assigned to the MEDIUM class. This allows charon to do the  DH
3053       exchange  while  other  threads are blocked in IKE_AUTH. To prevent the
3054       daemon from accepting more IKE_SA_INIT requests than it can handle, use
3055       IKE_SA_INIT DROPPING.
3056
3057       The  thread  pool  processes jobs strictly by priority, meaning it will
3058       consume all higher priority jobs before looking  for  ones  with  lower
3059       priority. Further, it reserves threads for certain priorities. A prior‐
3060       ity class having reserved n threads will always have n  threads  avail‐
3061       able  for this class (either currently processing a job, or waiting for
3062       one).
3063
3064   Configuration
3065       To ensure that there are always enough  threads  available  for  higher
3066       priority tasks, threads must be reserved for each priority class.
3067
3068       charon.processor.priority_threads.critical [0]
3069              Threads reserved for CRITICAL priority class jobs
3070
3071       charon.processor.priority_threads.high [0]
3072              Threads reserved for HIGH priority class jobs
3073
3074       charon.processor.priority_threads.medium [0]
3075              Threads reserved for MEDIUM priority class jobs
3076
3077       charon.processor.priority_threads.low [0]
3078              Threads reserved for LOW priority class jobs
3079
3080       Let's consider the following configuration:
3081
3082            charon {
3083                 processor {
3084                      priority_threads {
3085                           high = 1
3086                           medium = 4
3087                      }
3088                 }
3089            }
3090
3091       With this configuration, one thread is reserved for HIGH priority
3092       tasks. As currently only liveness checking and stroke message
3093       processing are done with high priority, one or two threads should be
3094       sufficient.
3095
3096       The MEDIUM class mostly processes non-blocking jobs. Unless your setup
3097       is experiencing many blocks in locks while accessing shared resources,
3098       reserving one or two times the number of CPU cores is fine.
3099
3100       It is usually not required to reserve threads for CRITICAL  jobs.  Jobs
3101       in  this  class  rarely  return  and do not release their thread to the
3102       pool.
3103
3104       The remaining threads are available for LOW  priority  jobs.  Reserving
3105       threads does not make sense (until we have an even lower priority).
3106
3107   Monitoring
3108       To  see  what  the  threads are actually doing, invoke ipsec statusall.
3109       Under high load, something like this will show up:
3110
3111            worker threads: 2 of 32 idle, 5/1/2/22 working,
3112                 job queue: 0/0/1/149, scheduled: 198
3113
3114       From 32 worker threads,
3115
3116       2      are currently idle.
3117
3118       5      are running CRITICAL priority jobs  (dispatching  from  sockets,
3119              etc.).
3120
3121       1      is  currently handling a HIGH priority job. This is actually the
3122              thread currently providing this information via stroke.
3123
3124       2      are handling MEDIUM priority jobs, likely  IKE_SA_INIT  or  CRE‐
3125              ATE_CHILD_SA messages.
3126
3127       22     are  handling LOW priority jobs, probably waiting for an EAP-RA‐
3128              DIUS response while processing IKE_AUTH messages.
3129
3130       The job queue load shows how many jobs are queued  for  each  priority,
3131       ready  for  execution. The single MEDIUM priority job will get executed
3132       immediately, as we have two spare threads  reserved  for  MEDIUM  class
3133       jobs.
3134
3135

IKE_SA_INIT DROPPING

3137       If a responder receives more connection requests per second than it
3138       can handle, it does not make sense to accept more IKE_SA_INIT messages.
3139       And if they are queued but can't get processed in time, an answer might
3140       be sent after the client has already given up and restarted its connec‐
3141       tion setup. This additionally increases the load on the responder.
3142
3143       To limit the responder load resulting from new connection attempts, the
3144       daemon can drop IKE_SA_INIT messages just after  reception.  There  are
3145       two  mechanisms  to  decide  if this should happen, configured with the
3146       following options:
3147
3148       charon.init_limit_half_open [0]
3149              Limit based on the  number  of  half  open  IKE_SAs.  Half  open
3150              IKE_SAs are SAs in connecting state, but not yet established.
3151
3152       charon.init_limit_job_load [0]
3153              Limit  based on the number of jobs currently queued for process‐
3154              ing (sum over all job priorities).
3155
3156       The second limit includes load  from  other  jobs,  such  as  rekeying.
3157       Choosing  a good value is difficult and depends on the hardware and ex‐
3158       pected load.
3159
3160       The first limit is simpler to calculate, but includes the load from new
3161       connections  only. If your responder is capable of negotiating 100 tun‐
3162       nels/s, you might set this limit to 1000. The daemon will then drop new
3163       connection attempts if generating a response would require more than 10
3164       seconds. If you are allowing for a maximum response time of  more  than
3165       30  seconds,  consider  adjusting  the  timeout  for connecting IKE_SAs
3166       (charon.half_open_timeout).  A responder, by default, deletes an IKE_SA
3167       if  the  initiator  does not establish it within 30 seconds. Under high
3168       load, a higher value might be required.
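
       Reading the worker-thread line from ipsec statusall (Monitoring, above)
       and choosing charon.init_limit_half_open (this section) are both things
       an operator ends up scripting. The following is an added example, not
       code from strongswan.conf(5) or the strongSwan project. It parses the
       "worker threads:" block into per-priority counts, computes the spare
       reserved threads per class the way the text describes (reserved minus
       working), flags a priority that has queued jobs but no thread to run
       them, flags a LOW backlog larger than the LOW threads already busy, and
       turns a tunnels-per-second figure and a maximum response time into the
       half-open limit with a reminder about charon.half_open_timeout. The
       sample status text is constructed to match the man page's excerpt.

```python
import re
from dataclasses import dataclass

PRIORITIES = ("critical", "high", "medium", "low")   # order used by statusall


@dataclass
class WorkerStatus:
    idle: int
    total: int
    working: dict    # priority -> threads currently running a job of that class
    queued: dict     # priority -> jobs waiting for a thread
    scheduled: int


# The man page wraps the line before "job queue:", so whitespace is
# normalised before matching.
_STATUS_RE = re.compile(
    r"worker threads:\s*(\d+)\s+of\s+(\d+)\s+idle,\s*"
    r"(\d+)/(\d+)/(\d+)/(\d+)\s+working,\s*"
    r"job queue:\s*(\d+)/(\d+)/(\d+)/(\d+),\s*scheduled:\s*(\d+)"
)


def parse_worker_status(statusall_output: str) -> WorkerStatus:
    m = _STATUS_RE.search(" ".join(statusall_output.split()))
    if not m:
        raise ValueError("no 'worker threads:' line in input")
    n = list(map(int, m.groups()))
    return WorkerStatus(idle=n[0], total=n[1],
                        working=dict(zip(PRIORITIES, n[2:6])),
                        queued=dict(zip(PRIORITIES, n[6:10])),
                        scheduled=n[10])


def reserved_headroom(st: WorkerStatus, reserved: dict) -> dict:
    """Reserved threads per class that are not busy, i.e. waiting for a job
    of that class (charon.processor.priority_threads.* minus working)."""
    return {p: max(reserved.get(p, 0) - st.working[p], 0) for p in PRIORITIES}


def starvation_findings(st: WorkerStatus, reserved: dict) -> list:
    """Return (priority, message) pairs worth alerting on."""
    findings = []
    if st.idle + sum(st.working.values()) != st.total:
        findings.append(("all", "idle + working != total; truncated output?"))
    head = reserved_headroom(st, reserved)
    for p in PRIORITIES:
        if st.queued[p] and head[p] == 0 and st.idle == 0:
            findings.append((p, f"{st.queued[p]} job(s) queued with no "
                                "reserved or idle thread"))
    # A LOW backlog bigger than the LOW threads in use means IKE_AUTH jobs are
    # stuck behind blocking back ends (RADIUS, CRL/OCSP) and new ones pile up.
    if st.queued["low"] > st.working["low"]:
        findings.append(("low", f"{st.queued['low']} LOW jobs queued behind "
                                f"{st.working['low']} busy IKE_AUTH threads"))
    return findings


def init_limit_half_open(tunnels_per_sec: int, max_response_s: int,
                         half_open_timeout_s: int = 30):
    """Value for charon.init_limit_half_open given the responder's rate and
    the longest acceptable response time, plus whether the default 30 s
    charon.half_open_timeout would expire before that time."""
    return tunnels_per_sec * max_response_s, max_response_s > half_open_timeout_s


# Constructed sample, laid out like the man page's Monitoring excerpt.
SAMPLE_STATUSALL = """\
  worker threads: 2 of 32 idle, 5/1/2/22 working,
       job queue: 0/0/1/149, scheduled: 198
"""

if __name__ == "__main__":
    st = parse_worker_status(SAMPLE_STATUSALL)
    reserved = {"high": 1, "medium": 4}     # the Configuration example above
    print(reserved_headroom(st, reserved))
    for prio, msg in starvation_findings(st, reserved):
        print(prio, msg)
    print(init_limit_half_open(100, 10))
```

       With the man page's own numbers the MEDIUM class shows two spare
       reserved threads, matching the text, and the only finding is the LOW
       backlog of 149 jobs behind 22 busy threads.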
3169
3170

LOAD TESTS

3172       To do stability testing and performance optimizations, the  IKE  daemon
3173       charon provides the load-tester plugin. This plugin allows one to set
3174       up thousands of tunnels concurrently against the daemon itself or a
3175       remote host.
3176
3177       WARNING: Never enable the load-testing plugin on production systems. It
3178       provides preconfigured credentials and allows an attacker to  authenti‐
3179       cate as any user.
3180
3181   Configuration details
3182       For public key authentication, the responder uses the "CN=srv, OU=load-
3183       test, O=strongSwan" identity. For the initiator,  each  connection  at‐
3184       tempt  uses  a  different identity in the form "CN=c1-r1, OU=load-test,
3185       O=strongSwan", where the first number indicates the client number,  the
3186       second  the authentication round (if multiple authentication rounds are
3187       used).
3188
3189       For PSK authentication, FQDN  identities  are  used.  The  server  uses
3190       srv.strongswan.org,   the   client   uses   an  identity  in  the  form
3191       c1-r1.strongswan.org.
3192
3193       For  EAP  authentication,  the  client  uses  a   NAI   in   the   form
3194       100000000010001@strongswan.org.
3195
3196       To configure multiple authentication rounds, concatenate multiple meth‐
3197       ods using, e.g.
3198            initiator_auth = pubkey|psk|eap-md5|eap-aka
3199
3200       The responder uses a hardcoded certificate based on a 1024-bit RSA key.
3201       This certificate additionally serves as CA certificate. A peer uses the
3202       same private key, but generates client certificates on demand signed by
3203       the  CA certificate. Install the Responder/CA certificate on the remote
3204       host to authenticate all clients.
3205
3206       To speed up testing,  the  load  tester  plugin  implements  a  special
3207       Diffie-Hellman implementation called modpnull. By setting
3208            proposal = aes128-sha1-modpnull
3209       this wicked fast DH implementation is used. It does not provide any se‐
3210       curity at all, but allows one to run tests without DH calculation over‐
3211       head.
3212
3213   Examples
3214       In the simplest case, the daemon initiates IKE_SAs against itself using
3215       the loopback interface. This will actually establish double the  number
3216       of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at
3217       the same time.  Installation of IPsec SAs would fail, as each  SA  gets
3218       installed twice. To simulate the correct behavior, a fake kernel inter‐
3219       face can be enabled which does not install the IPsec SAs at the  kernel
3220       level.
3221
3222       A simple loopback configuration might look like this:
3223
3224            charon {
3225                 # create new IKE_SAs for each CHILD_SA to simulate
3226                 # different clients
3227                 reuse_ikesa = no
3228                 # turn off denial of service protection
3229                 dos_protection = no
3230
3231                 plugins {
3232                      load-tester {
3233                           # enable the plugin
3234                           enable = yes
3235                           # use 4 threads to initiate connections
3236                           # simultaneously
3237                           initiators = 4
3238                           # each thread initiates 1000 connections
3239                           iterations = 1000
3240                           # delay each initiation in each thread by 20ms
3241                           delay = 20
3242                           # enable the fake kernel interface to
3243                           # avoid SA conflicts
3244                           fake_kernel = yes
3245                      }
3246                 }
3247            }
3248
3249       This will initiate 4000 IKE_SAs within 20 seconds. You may increase the
3250       delay value if your box cannot handle that much load, or decrease it to
3251       put  more  load  on it. If the daemon starts retransmitting messages,
3252       your box probably cannot handle all connection attempts.
3253
3254       The plugin also allows one to test against a remote host, which  helps
3255       to  test  against a real-world configuration. A connection setup to do
3256       stress testing of a gateway might look like this:
3257
3258            charon {
3259                 reuse_ikesa = no
3260                 threads = 32
3261
3262                 plugins {
3263                      load-tester {
3264                           enable = yes
3265                           # 10000 connections, ten in parallel
3266                           initiators = 10
3267                           iterations = 1000
3268                           # use a delay of 100ms, overall time is:
3269                           # iterations * delay = 100s
3270                           delay = 100
3271                           # address of the gateway
3272                           remote = 1.2.3.4
3273                           # IKE-proposal to use
3274                           proposal = aes128-sha1-modp1024
3275                           # use faster PSK authentication instead
3276                           # of 1024bit RSA
3277                           initiator_auth = psk
3278                           responder_auth = psk
3279                           # request a virtual IP using configuration
3280                           # payloads
3281                           request_virtual_ip = yes
3282                           # enable CHILD_SA every 60s
3283                           child_rekey = 60
3284                      }
3285                 }
3286            }
3287
3288

IKEv2 RETRANSMISSION

3290       Retransmission timeouts in the IKEv2 daemon charon  can  be  configured
3291       globally using the three keys listed below:
3292
3293              charon.retransmit_base [1.8]
3294              charon.retransmit_timeout [4.0]
3295              charon.retransmit_tries [5]
3296              charon.retransmit_jitter [0]
3297              charon.retransmit_limit [0]
3298
3299       The following algorithm is used to calculate the timeout:
3300
3301            relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
3302
3303       Where  n  is  the  current retransmission count. The calculated timeout
3304       can't exceed the configured retransmit_limit (if any), which is  useful
3305       if the number of retries is high.
3306
3307       If  a  jitter in percent is configured, the timeout is modified as fol‐
3308       lows:
3309
3310            relative timeout -= random(0, retransmit_jitter * relative timeout)
3311
3312       Using the default values, packets are retransmitted in:
3313
3314
3315       Retransmission   Relative Timeout   Absolute Timeout
3316       ─────────────────────────────────────────────────────
3317       1                              4s                 4s
3318       2                              7s                11s
3319       3                             13s                24s
3320       4                             23s                47s
3321       5                             42s                89s
3322       giving up                     76s               165s
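       To see how the keys combine, the following Python function (added here
       as an illustration, not part of strongSwan) reproduces the schedule in
       the table above, rounded to whole seconds, and also applies
       retransmit_limit and retransmit_jitter as described; the rng parameter
       is an assumption added so that a seeded generator can be injected.

```python
import random


def relative_timeout(n, timeout=4.0, base=1.8, limit=0, jitter=0, rng=random):
    """Seconds to wait before retransmission number n (1-based).

    Mirrors the formula from strongswan.conf(5):
        relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
    capped by retransmit_limit (0 = no cap) and reduced by a random share
    of up to retransmit_jitter percent. The rng argument is an assumption
    (not a strongSwan setting) so that tests can inject a seeded generator.
    """
    t = timeout * base ** (n - 1)
    if limit:
        # retransmit_limit caps the relative timeout when tries is large
        t = min(t, limit)
    if jitter:
        # relative timeout -= random(0, retransmit_jitter * relative timeout)
        t -= rng.uniform(0, jitter / 100.0 * t)
    return t


def schedule(tries=5, **kw):
    """Return (label, relative, absolute) rows like the table in the man page.

    After the configured number of tries the daemon waits one more timeout
    before giving up, hence the extra "giving up" row in the table.
    """
    rows = []
    absolute = 0.0
    for n in range(1, tries + 2):
        rel = relative_timeout(n, **kw)
        absolute += rel
        label = str(n) if n <= tries else "giving up"
        rows.append((label, round(rel), round(absolute)))
    return rows


if __name__ == "__main__":
    # With the defaults this prints the same numbers as the man page table.
    print("Retransmission   Relative Timeout   Absolute Timeout")
    for label, rel, total in schedule():
        print(f"{label:<16} {rel:>14}s {total:>17}s")
```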
3323

VARIABLES

3325       The variables used above are configured as follows:
3326
3327       ${piddir}               /run/strongswan
3328       ${prefix}               /usr
3329       ${sysconfdir}           /etc/strongswan
3330       ${random_device}        /dev/random
3331       ${urandom_device}       /dev/urandom
3332

FILES

3334       /etc/strongswan/strongswan.conf       configuration file
3335       /etc/strongswan/strongswan.d/         directory containing included config snippets
3336       /etc/strongswan/strongswan.d/charon/  plugin specific config snippets
3337

SEE ALSO

3339       swanctl.conf(5), swanctl(8), ipsec.conf(5), ipsec.secrets(5), ipsec(8),
3340       charon-cmd(8)
3341
3342

HISTORY

3344       Written  for the strongSwan project ⟨https://www.strongswan.org⟩ by To‐
3345       bias Brunner, Andreas Steffen and Martin Willi.
3346
3347
3348
3349 5.9.11                                                 STRONGSWAN.CONF(5)