# Options for the charon IKE daemon.
#
# NOTE(review): this file uses strongswan.conf(5) syntax — nested
# `section { key = value }` blocks with `#` full-line comments — not classic
# INI. A line written as `# key = value` is commented out and has no effect
# (these appear to show each option's default); only the uncommented keys
# below (accept_unencrypted_mainmode_messages, cisco_unity,
# ikesa_table_segments, ikesa_table_size, init_limit_half_open) are set.
charon {
# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
# NOTE(review): explicitly enabled. Accepting the third Main Mode message
# unencrypted lets a passive observer see the peer identity and the
# PSK-derived HASH payload, the same exposure Aggressive Mode with PSK has.
# Keep this at `no` unless a named legacy IKEv1 peer requires it, and record
# which peer that is next to this setting.
accept_unencrypted_mainmode_messages = yes

# Maximum number of half-open IKE_SAs for a single peer IP.
# (left at default; part of the IKE_SA_INIT DROPPING protection together
# with cookie_threshold and init_limit_half_open)
# block_threshold = 5

# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes

# Send Cisco Unity vendor ID payload (IKEv1 only).
# (explicitly set; interoperability option, affects IKEv1 peers only)
cisco_unity = yes

# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no

# Number of half-open IKE_SAs that activate the cookie mechanism.
# (left at default)
# cookie_threshold = 10

# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes

# DNS server assigned to peer via configuration payload (CP).
# dns1 =

# DNS server assigned to peer via configuration payload (CP).
# dns2 =

# Enable Denial of Service protection using cookies and aggressiveness
# checks.
# (left at default `yes`; disabling it would also disable the cookie and
# block thresholds above)
# dos_protection = yes

# Compliance with the errata for RFC 4753.
# ecp_x_coordinate_only = yes

# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no

# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
# address family specific default values). If specified this limit is
# used for both IPv4 and IPv6.
# fragment_size = 0

# Name of the group the daemon changes to after startup.
# NOTE(review): unset, so no group change happens after startup; see the
# matching `user` option at the end of this section.
# group =

# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
# half_open_timeout = 30

# Enable hash and URL support.
# hash_and_url = no

# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# (left at default `no`; keep it so — the option name itself records the
# trade-off)
# i_dont_care_about_security_and_use_aggressive_mode_psk = no

# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =

# Maximum number of IKE_SAs that can be established at the same time before
# new connection attempts are blocked.
# (left at default 0, i.e. no hard cap; the half-open limit below is the
# only explicit connection limit in this file)
# ikesa_limit = 0

# Number of exclusively locked segments in the hash table.
# (explicitly set; tune together with ikesa_table_size — TODO confirm the
# sizing against the expected number of concurrent IKE_SAs)
ikesa_table_segments = 4

# Size of the IKE_SA hash table.
# (explicitly set)
ikesa_table_size = 32

# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
# inactivity_close_ike = no

# Limit new connections based on the current number of half open IKE_SAs,
# see IKE_SA_INIT DROPPING in strongswan.conf(5).
# NOTE(review): explicitly set — new connections are limited once roughly
# 1000 IKE_SAs are half-open. This is a resource-exhaustion safeguard that
# works alongside dos_protection / cookie_threshold / block_threshold (all at
# their defaults here) and half_open_timeout.
init_limit_half_open = 1000

# Limit new connections based on the number of queued jobs.
# init_limit_job_load = 0

# Causes charon daemon to ignore IKE initiation requests.
# initiator_only = no

# Install routes into a separate routing table for established IPsec
# tunnels.
# install_routes = yes

# Install virtual IP addresses.
# install_virtual_ip = yes

# The name of the interface on which virtual IP addresses should be
# installed.
# install_virtual_ip_on =

# Check daemon, libstrongswan and plugin integrity at startup.
# integrity_test = no

# A comma-separated list of network interfaces that should be ignored, if
# interfaces_use is specified this option has no effect.
# interfaces_ignore =

# A comma-separated list of network interfaces that should be used by
# charon. All other interfaces are ignored.
# (both interface lists are unset here, so charon listens on all interfaces)
# interfaces_use =

# NAT keep alive interval.
# keep_alive = 20s

# Plugins to load in the IKE daemon charon.
# load =

# Determine plugins to load via each plugin's load option.
# load_modular = no

# Maximum packet size accepted by charon.
# max_packet = 10000

# Enable multiple authentication exchanges (RFC 4739).
# multiple_authentication = yes

# WINS servers assigned to peer via configuration payload (CP).
# nbns1 =

# WINS servers assigned to peer via configuration payload (CP).
# nbns2 =

# UDP port used locally. If set to 0 a random port will be allocated.
# port = 500

# UDP port used locally in case of NAT-T. If set to 0 a random port will be
# allocated. Has to be different from charon.port, otherwise a random port
# will be allocated.
# port_nat_t = 4500

# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
# prefer_temporary_addrs = no

# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes

# Delay in ms for receiving packets, to simulate larger RTT.
# (the receive_delay* and send_delay* options are test/debug knobs; all are
# left at their defaults here)
# receive_delay = 0

# Delay request messages.
# receive_delay_request = yes

# Delay response messages.
# receive_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# receive_delay_type = 0

# Size of the AH/ESP replay window, in packets.
# replay_window = 32

# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
# in strongswan.conf(5).
# retransmit_base = 1.8

# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0

# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5

# Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
# resolution failed), 0 to disable retries.
# retry_initiate_interval = 0

# Initiate CHILD_SA within existing IKE_SAs.
# reuse_ikesa = yes

# Numerical routing table to install routes to.
# routing_table =

# Priority of the routing table.
# routing_table_prio =

# Delay in ms for sending packets, to simulate larger RTT.
# send_delay = 0

# Delay request messages.
# send_delay_request = yes

# Delay response messages.
# send_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# send_delay_type = 0

# Send strongSwan vendor ID payload
# send_vendor_id = no

# Number of worker threads in charon.
# threads = 16

# Name of the user the daemon changes to after startup.
# NOTE(review): unset, so the daemon keeps the identity it was started with
# for its whole lifetime. Setting `user` and `group` drops privileges after
# startup where the deployment allows it (least privilege).
# user =

# Known-answer self-tests and benchmarks for the crypto plugins; every
# option below is left at its default here.
crypto_test {

# Benchmark crypto algorithms and order them by efficiency.
# bench = no

# Buffer size used for crypto benchmark.
# bench_size = 1024

# Number of iterations to test each algorithm.
# bench_time = 50

# Test crypto algorithms during registration (requires test vectors
# provided by the test-vectors plugin).
# on_add = no

# Test crypto algorithms on each crypto primitive instantiation.
# on_create = no

# Strictly require at least one test vector to enable an algorithm.
# required = no

# Whether to test RNG with TRUE quality; requires a lot of entropy.
# rng_true = no

}

# Thread pool for DNS host-name resolution.
host_resolver {

# Maximum number of concurrent resolver threads (they are terminated if
# unused).
# max_threads = 3

# Minimum number of resolver threads to keep around.
# min_threads = 0

}

# Memory-leak reporting (debug aid); all options left at default here.
leak_detective {

# Includes source file names and line numbers in leak detective output.
# detailed = yes

# Threshold in bytes for leaks to be reported (0 to report all).
# usage_threshold = 10240

# Threshold in number of allocations for leaks to be reported (0 to
# report all).
# usage_threshold_count = 0

}

processor {

# Section to configure the number of reserved threads per priority class
# see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
priority_threads {

}

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is started.
# NOTE(review): empty. Anything added here presumably runs with the daemon's
# own privileges, so each listed path should be owned by root and not
# writable by other users — confirm before adding entries.
start-scripts {

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is terminated.
# NOTE(review): same ownership/permission caveat as start-scripts.
stop-scripts {

}

# Algorithm selection for the TLS-based protocols charon speaks; every
# list is unset here, so the built-in selection applies — TODO confirm what
# that selection is for the TLS library in use.
tls {

# List of TLS encryption ciphers.
# cipher =

# List of TLS key exchange methods.
# key_exchange =

# List of TLS MAC algorithms.
# mac =

# List of TLS cipher suites.
# suites =

}

x509 {

# Discard certificates with unsupported or unknown critical extensions.
# (left at default `yes`; keep it — accepting certificates whose critical
# extensions are not understood weakens chain validation)
# enforce_critical = yes

}

}