.TH STRONGSWAN.CONF 5 "2013-10-29" "@PACKAGE_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
While the
.IR ipsec.conf (5)
configuration file is well suited to define IPsec-related configuration
parameters, it is not useful for other strongSwan applications to read options
from this file.
The file is hard to parse and only
.I ipsec starter
is capable of doing so. As the number of components of the strongSwan project
is continually growing, a more flexible configuration file was needed, one that
is easy to extend and can be used by all components. With strongSwan 4.2.1,
.IR strongswan.conf (5)
was introduced, which meets these requirements.

.SH SYNTAX
The format of the strongswan.conf file consists of hierarchical
.B sections
and a list of
.B key/value pairs
in each section. Each section has a name, followed by C-style curly brackets
defining the section body. Each section body contains a set of subsections
and key/value pairs:
.PP
.EX
settings := (section|keyvalue)*
section  := name { settings }
keyvalue := key = value\\n
.EE
.PP
Values must be terminated by a newline.
.PP
Comments are possible using the \fB#\fP-character, but be careful: The parser
implementation is currently limited and does not like brackets in comments.
.PP
Section names and keys may contain any printable character except:
.PP
.EX
. { } # \\n \\t space
.EE
.PP
An example file in this format might look like this:
.PP
.EX
a = b
section-one {
	somevalue = asdf
	subsection {
		othervalue = xxx
	}
	# yei, a comment
	yetanother = zz
}
section-two {
	x = 12
}
.EE
.PP
Indentation is optional, you may use tabs or spaces.

.SH INCLUDING FILES
Using the
.B include
statement it is possible to include other files into strongswan.conf, e.g.
.PP
.EX
include /some/path/*.conf
.EE
.PP
If the file name is not an absolute path, it is considered to be relative
to the directory of the file containing the include statement. The file name
may include shell wildcards (see
.IR sh (1)).
Also, such inclusions can be nested.
.PP
Sections loaded from included files
.I extend
previously loaded sections; already existing values are
.IR replaced .
It is important to note that settings are added relative to the section the
include statement is in.
.PP
As an example, the following three files result in the same final
config as the one given above:
.PP
.EX
a = b
section-one {
	somevalue = before include
	include include.conf
}
include other.conf

include.conf:
# settings loaded from this file are added to section-one
# the following replaces the previous value
somevalue = asdf
subsection {
	othervalue = yyy
}
yetanother = zz

other.conf:
# this extends section-one and subsection
section-one {
	subsection {
		# this replaces the previous value
		othervalue = xxx
	}
}
section-two {
	x = 12
}
.EE

.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
.B section-one.subsection.othervalue
will return
.BR xxx .

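The grammar from SYNTAX, the extend/replace rules from INCLUDING FILES and the dotted lookup from READING VALUES, implemented together as an added Python example. This is not strongSwan's own parser (which is C code in libstrongswan); it sidesteps the bracket-in-comment limitation noted above by simply discarding everything after a '#'. The three files are the man page's include example, embedded as a constructed in-memory file system so the script runs offline; the /etc paths are assumptions.

```python
"""strongswan.conf parser: hierarchical sections, key = value lines ended by a
newline, '#' comments, and include statements whose settings extend the section
the include sits in and replace values that already exist.

Added example, not strongSwan's own (C) parser.  The "file system" is a
constructed dict so the script runs offline; the /etc paths are assumptions."""
import fnmatch
import posixpath
import re

# characters the man page forbids in section names and keys: . { } # \n \t space
FORBIDDEN = set(".{}#\n\t ")
SECTION_RE = re.compile(r"^(\S+)\s*\{$")
INCLUDE_RE = re.compile(r"^include\s+(\S+)$")
KEYVALUE_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def _name(token, where):
    if not token or FORBIDDEN & set(token):
        raise ValueError("%s: illegal section name or key %r" % (where, token))
    return token


def _expand(files, pattern, base_path):
    """Resolve an include pattern: relative to the including file's directory,
    shell-style wildcards in the last component, sorted for a stable merge order."""
    if not pattern.startswith("/"):
        pattern = posixpath.join(posixpath.dirname(base_path), pattern)
    directory, glob = posixpath.split(pattern)
    return sorted(f for f in files if posixpath.dirname(f) == directory
                  and fnmatch.fnmatch(posixpath.basename(f), glob))


def parse_file(files, path, section=None):
    """Parse files[path] into the nested dict `section` (sections are dicts,
    values are str).  Parsing into an existing dict is what makes an include
    extend, rather than replace, the sections already loaded."""
    settings = {} if section is None else section
    stack = [settings]                          # stack[-1] is the open section
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        where = "%s:%d" % (path, lineno)
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(where + ": unbalanced '}'")
            stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            sub = stack[-1].setdefault(_name(m.group(1), where), {})
            if not isinstance(sub, dict):
                raise ValueError(where + ": %r is a value, not a section" % m.group(1))
            stack.append(sub)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            for inc in _expand(files, m.group(1), path):
                parse_file(files, inc, stack[-1])   # nested, relative to this section
            continue
        m = KEYVALUE_RE.match(line)
        if m:
            stack[-1][_name(m.group(1), where)] = m.group(2)   # replaces old value
            continue
        raise ValueError("%s: cannot parse %r" % (where, raw))
    if len(stack) != 1:
        raise ValueError(path + ": missing '}'")
    return settings


def get(settings, dotted, default=None):
    """READING VALUES: 'section-one.subsection.othervalue' -> 'xxx'."""
    node = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


# constructed copies of the three files from the INCLUDING FILES example
FILES = {
    "/etc/strongswan.conf": "a = b\nsection-one {\n\tsomevalue = before include\n"
                            "\tinclude include.conf\n}\ninclude other.conf\n",
    "/etc/include.conf": "# added to section-one, replaces somevalue\n"
                         "somevalue = asdf\nsubsection {\n\tothervalue = yyy\n}\n"
                         "yetanother = zz\n",
    "/etc/other.conf": "section-one {\n\tsubsection {\n\t\tothervalue = xxx\n\t}\n}\n"
                       "section-two {\n\tx = 12\n}\n",
}

if __name__ == "__main__":
    conf = parse_file(FILES, "/etc/strongswan.conf")
    print(conf)
    print(get(conf, "section-one.subsection.othervalue"))
```

The include handling is the part worth reading: an included file is parsed into the dict of the section that contains the include statement, and section names already present are reused via setdefault, so sections extend while keys overwrite. Wildcard matches are sorted before merging because the last file parsed wins for duplicate keys.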
.SH DEFINED KEYS
The following keys are currently defined (using dot notation). The default
value (if any) is listed in brackets after the key.

.SS attest section
.TP
.BR attest.database
Path to database with file measurement information
.TP
.BR attest.load
Plugins to load in ipsec attest tool

.SS charon section
.TP
.BR Note :
Many of these options also apply to \fBcharon\-cmd\fR and other
\fBcharon\fR derivatives. Just use their respective name (e.g.
\fIcharon\-cmd\fR) instead of \fIcharon\fR. For many options defaults
can be defined in the \fIlibstrongswan\fR section.
.TP
.BR charon.block_threshold " [5]"
Maximum number of half-open IKE_SAs for a single peer IP
.TP
.BR charon.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory
.TP
.BR charon.cisco_unity " [no]"
Send Cisco Unity vendor ID payload (IKEv1 only)
.TP
.BR charon.close_ike_on_child_failure " [no]"
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
.TP
.BR charon.cookie_threshold " [10]"
Number of half-open IKE_SAs that activate the cookie mechanism
.TP
.BR charon.crypto_test.bench " [no]"

.TP
.BR charon.crypto_test.bench_size " [1024]"

.TP
.BR charon.crypto_test.bench_time " [50]"

.TP
.BR charon.crypto_test.on_add " [no]"
Test crypto algorithms during registration
.TP
.BR charon.crypto_test.on_create " [no]"
Test crypto algorithms on each crypto primitive instantiation
.TP
.BR charon.crypto_test.required " [no]"
Strictly require at least one test vector to enable an algorithm
.TP
.BR charon.crypto_test.rng_true " [no]"
Whether to test RNG with TRUE quality; requires a lot of entropy
.TP
.BR charon.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength
.TP
.BR charon.dns1
.TQ
.BR charon.dns2
DNS servers assigned to peer via configuration payload (CP)
.TP
.BR charon.dos_protection " [yes]"
Enable Denial of Service protection using cookies and aggressiveness checks
.TP
.BR charon.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
.BR charon.filelog
Section to define file loggers, see LOGGER CONFIGURATION
.TP
.BR charon.flush_auth_cfg " [no]"
If enabled, objects used during authentication (certificates, identities etc.)
are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
.BR charon.fragment_size " [512]"
Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
fragmentation extension.
.TP
.BR charon.group
Name of the group the daemon changes to after startup
.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
.BR charon.hash_and_url " [no]"
Enable hash and URL support
.TP
.BR charon.host_resolver.max_threads " [3]"
Maximum number of concurrent resolver threads (they are terminated if unused)
.TP
.BR charon.host_resolver.min_threads " [0]"
Minimum number of resolver threads to keep around
.TP
.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
If enabled, responders are allowed to use IKEv1 Aggressive Mode with pre-shared
keys, which is discouraged due to security concerns (offline attacks on the
openly transmitted hash of the PSK)
.TP
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
.BR charon.ikesa_limit " [0]"
Maximum number of IKE_SAs that can be established at the same time before new
connection attempts are blocked
.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
.BR charon.ikesa_table_size " [1]"
Size of the IKE_SA hash table
.TP
.BR charon.inactivity_close_ike " [no]"
Whether to close the IKE_SA if the only CHILD_SA closed due to inactivity
.TP
.BR charon.init_limit_half_open " [0]"
Limit new connections based on the current number of half-open IKE_SAs (see
IKE_SA_INIT DROPPING).
.TP
.BR charon.init_limit_job_load " [0]"
Limit new connections based on the number of jobs currently queued for
processing (see IKE_SA_INIT DROPPING).
.TP
.BR charon.initiator_only " [no]"
Causes the charon daemon to ignore IKE initiation requests.
.TP
.BR charon.install_routes " [yes]"
Install routes into a separate routing table for established IPsec tunnels
.TP
.BR charon.install_virtual_ip " [yes]"
Install virtual IP addresses
.TP
.BR charon.install_virtual_ip_on
The name of the interface on which virtual IP addresses should be installed.
If not specified the addresses will be installed on the outbound interface.
.TP
.BR charon.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR charon.interfaces_ignore
A comma-separated list of network interfaces that should be ignored; if
.B charon.interfaces_use
is specified this option has no effect.
.TP
.BR charon.interfaces_use
A comma-separated list of network interfaces that should be used by charon.
All other interfaces are ignored.
.TP
.BR charon.keep_alive " [20s]"
NAT keep alive interval
.TP
.BR charon.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
.TP
.BR charon.leak_detective.usage_threshold " [10240]"
Threshold in bytes for leaks to be reported (0 to report all)
.TP
.BR charon.leak_detective.usage_threshold_count " [0]"
Threshold in number of allocations for leaks to be reported (0 to report all)
.TP
.BR charon.load
Plugins to load in the IKEv2 daemon charon
.TP
.BR charon.load_modular " [no]"
If enabled, the list of plugins to load is determined via the value of the
charon.plugins.<name>.load options. In addition to a simple boolean flag that
option may take an integer value indicating the priority of a plugin, which
would influence the order of a plugin in the plugin list (the default is 1).
If two plugins have the same priority their order in the default plugin list
is preserved. Enabled plugins not found in that list are ordered alphabetically
before other plugins with the same priority.
.TP
.BR charon.max_packet " [10000]"
Maximum packet size accepted by charon
.TP
.BR charon.multiple_authentication " [yes]"
Enable multiple authentication exchanges (RFC 4739)
.TP
.BR charon.nbns1
.TQ
.BR charon.nbns2
WINS servers assigned to peer via configuration payload (CP)
.TP
.BR charon.port " [500]"
UDP port used locally. If set to 0 a random port will be allocated.
.TP
.BR charon.port_nat_t " [4500]"
UDP port used locally in case of NAT-T. If set to 0 a random port will be
allocated. Has to be different from
.BR charon.port ,
otherwise a random port will be allocated.
.TP
.BR charon.process_route " [yes]"
Process RTM_NEWROUTE and RTM_DELROUTE events
.TP
.BR charon.processor.priority_threads
Subsection to configure the number of reserved threads per priority class,
see JOB PRIORITY MANAGEMENT
.TP
.BR charon.receive_delay " [0]"
Delay in ms for receiving packets, to simulate larger RTT
.TP
.BR charon.receive_delay_response " [yes]"
Delay response messages
.TP
.BR charon.receive_delay_request " [yes]"
Delay request messages
.TP
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
.BR charon.replay_window " [32]"
Size of the AH/ESP replay window, in packets.
.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
.BR charon.retransmit_timeout " [4.0]"
Timeout in seconds before sending first retransmit
.TP
.BR charon.retransmit_tries " [5]"
Number of times to retransmit a packet before giving up
.TP
.BR charon.retry_initiate_interval " [0]"
Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
failed), 0 to disable retries.
.TP
.BR charon.reuse_ikesa " [yes]"
Initiate CHILD_SA within existing IKE_SAs
.TP
.BR charon.routing_table
Numerical routing table to install routes to
.TP
.BR charon.routing_table_prio
Priority of the routing table
.TP
.BR charon.send_delay " [0]"
Delay in ms for sending packets, to simulate larger RTT
.TP
.BR charon.send_delay_response " [yes]"
Delay response messages
.TP
.BR charon.send_delay_request " [yes]"
Delay request messages
.TP
.BR charon.send_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
.BR charon.send_vendor_id " [no]"
Send strongSwan vendor ID payload
.TP
.BR charon.syslog
Section to define syslog loggers, see LOGGER CONFIGURATION
.TP
.BR charon.threads " [16]"
Number of worker threads in charon. Several of these are reserved for long
running tasks in internal modules and plugins. Therefore, make sure you don't
set this value too low. The number of idle worker threads listed in
.I ipsec statusall
might be used as an indicator of the number of reserved threads.
.TP
.BR charon.tls.cipher
List of TLS encryption ciphers
.TP
.BR charon.tls.key_exchange
List of TLS key exchange methods
.TP
.BR charon.tls.mac
List of TLS MAC algorithms
.TP
.BR charon.tls.suites
List of TLS cipher suites
.TP
.BR charon.user
Name of the user the daemon changes to after startup
.TP
.BR charon.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
.
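An added example, not a strongSwan tool, that resolves the effective value of a few security-relevant charon options the way the Note at the top of this section describes (the daemon's own section first, then the libstrongswan section, then the documented default) and flags the settings this man page itself warns about. Applying the libstrongswan fallback to every key it checks is an assumption, since the page only says it works for "many" options, and the boolean spellings it accepts are a simplification. The input is a flat mapping of dotted keys to values, as a strongswan.conf parser would produce; the sample mapping is constructed.

```python
"""Effective-value lookup and a small audit for the charon options this man page
warns about.  Added example, not a strongSwan tool.  Lookup order follows the
Note above: <daemon>.<key>, then libstrongswan.<key>, then the documented
default.  Applying the libstrongswan fallback to every key below is an
assumption (the page says it works for "many" options).  The input is a flat
mapping of dotted keys to values, as a strongswan.conf parser would produce;
SAMPLE is constructed for the example."""

# defaults copied from the DEFINED KEYS list (values are strings, as in the file)
DEFAULTS = {
    "dos_protection": "yes",
    "cookie_threshold": "10",
    "block_threshold": "5",
    "half_open_timeout": "30",
    "i_dont_care_about_security_and_use_aggressive_mode_psk": "no",
    "x509.enforce_critical": "yes",
    "plugins.gcrypt.quick_random": "no",
}

# (key, value that is the problem, severity, reason taken from the key's description)
RULES = [
    ("i_dont_care_about_security_and_use_aggressive_mode_psk", True, "HIGH",
     "IKEv1 Aggressive Mode with PSK: offline attacks on the openly transmitted PSK hash"),
    ("plugins.gcrypt.quick_random", True, "HIGH",
     "gcrypt quick_random is for testing only and produces weak keys"),
    ("dos_protection", False, "MEDIUM",
     "DoS protection (cookies and aggressiveness checks) is switched off"),
    ("x509.enforce_critical", False, "MEDIUM",
     "certificates with unsupported or unknown critical extensions are accepted"),
]


def as_bool(value):
    """Simplified strongswan.conf boolean spellings; anything else counts as false."""
    return value.strip().lower() in ("yes", "true", "1", "enabled")


def effective(settings, daemon, key):
    """Return (value, source) for <daemon>.<key>: explicit daemon setting,
    libstrongswan fallback (assumed to apply to every key here), or the
    documented default."""
    for section in (daemon, "libstrongswan"):
        value = settings.get(section + "." + key)
        if value is not None:
            return value, section
    return DEFAULTS[key], "default"


def audit(settings, daemon="charon"):
    """Apply RULES to the effective configuration of `daemon` (charon, or a
    derivative such as charon-cmd that reads its own section)."""
    findings = []
    for key, bad_when, severity, reason in RULES:
        value, source = effective(settings, daemon, key)
        if as_bool(value) == bad_when:
            findings.append((severity, daemon + "." + key, value, source, reason))
    return findings


# constructed settings: aggressive-mode PSK enabled explicitly for charon, DoS
# protection disabled only via the libstrongswan fallback, weak RNG for charon-cmd
SAMPLE = {
    "charon.i_dont_care_about_security_and_use_aggressive_mode_psk": "yes",
    "charon.x509.enforce_critical": "yes",
    "libstrongswan.dos_protection": "no",
    "charon-cmd.plugins.gcrypt.quick_random": "yes",
}

if __name__ == "__main__":
    for daemon in ("charon", "charon-cmd"):
        for severity, key, value, source, reason in audit(SAMPLE, daemon):
            print("%-6s %s = %s (from %s): %s" % (severity, key, value, source, reason))
```

Reporting the source of each value matters in practice: a setting that looks untouched in the charon section can still be weakened through the libstrongswan section, and the same lookup applied to charon-cmd shows which findings a derivative daemon inherits and which it sets itself.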
.SS charon.plugins subsection
.TP
.BR charon.plugins.android_log.loglevel " [1]"
Loglevel for logging to Android specific logger
.TP
.BR charon.plugins.attr
Section to specify arbitrary attributes that are assigned to a peer via
configuration payload (CP)
.TP
.BR charon.plugins.attr-sql.database
Database URI for attr-sql plugin used by charon
.TP
.BR charon.plugins.attr-sql.lease_history " [yes]"
Enable logging of SQL IP pool leases
.TP
.BR charon.plugins.certexpire.csv.cron
Cron style string specifying CSV export times
.TP
.BR charon.plugins.certexpire.csv.empty_string
String to use in empty intermediate CA fields
.TP
.BR charon.plugins.certexpire.csv.fixed_fields " [yes]"
Use a fixed intermediate CA field count
.TP
.BR charon.plugins.certexpire.csv.force " [yes]"
Force export of all trustchains we have a private key for
.TP
.BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]"
strftime(3) format string to export expiration dates as
.TP
.BR charon.plugins.certexpire.csv.local
strftime(3) format string for the CSV file name to export local certificates to
.TP
.BR charon.plugins.certexpire.csv.remote
strftime(3) format string for the CSV file name to export remote certificates to
.TP
.BR charon.plugins.certexpire.csv.separator " [,]"
CSV field separator
.TP
.BR charon.plugins.coupling.file
File to store coupling list to
.TP
.BR charon.plugins.coupling.hash " [sha1]"
Hashing algorithm to fingerprint coupled certificates
.TP
.BR charon.plugins.coupling.max " [1]"
Maximum number of coupling entries to create
.TP
.BR charon.plugins.dhcp.force_server_address " [no]"
Always use the configured server address. This might be helpful if the DHCP
server runs on the same host as strongSwan, and the DHCP daemon does not listen
on the loopback interface. In that case the server cannot be reached via
unicast (or even 255.255.255.255) as that would be routed via loopback.
Setting this option to yes and configuring the local broadcast address (e.g.
192.168.0.255) as server address might work.
.TP
.BR charon.plugins.dhcp.identity_lease " [no]"
Derive user-defined MAC address from hash of IKEv2 identity
.TP
.BR charon.plugins.dhcp.server " [255.255.255.255]"
DHCP server unicast or broadcast IP address
.TP
.BR charon.plugins.dhcp.interface " []"
Interface name the plugin uses for address allocation. The default is to bind
to any (0.0.0.0) and let the system decide which way to route the packets to
the DHCP server.
.TP
.BR charon.plugins.dnscert.enable " [no]"
Enable fetching of CERT RRs via DNS
.TP
.BR charon.plugins.duplicheck.enable " [yes]"
Enable duplicheck plugin (if loaded)
.TP
.BR charon.plugins.duplicheck.socket " [unix://@piddir@/charon.dck]"
Socket provided by the duplicheck plugin
.TP
.BR charon.plugins.eap-aka.request_identity " [yes]"

.TP
.BR charon.plugins.eap-aka-3ggp2.seq_check

.TP
.BR charon.plugins.eap-dynamic.preferred
The preferred EAP method(s) to be used. If it is not given the first
registered method will be used initially. If a comma-separated list is given
the methods are tried in the given order before trying the rest of the
registered methods.
.TP
.BR charon.plugins.eap-dynamic.prefer_user " [no]"
If enabled, the EAP methods proposed in an EAP-Nak message sent by the peer are
preferred over the methods registered locally.
.TP
.BR charon.plugins.eap-gtc.backend " [pam]"
XAuth backend to be used for credential verification
.TP
.BR charon.plugins.eap-peap.fragment_size " [1024]"
Maximum size of an EAP-PEAP packet
.TP
.BR charon.plugins.eap-peap.max_message_count " [32]"
Maximum number of processed EAP-PEAP packets (0 = no limit)
.TP
.BR charon.plugins.eap-peap.include_length " [no]"
Include length in non-fragmented EAP-PEAP packets
.TP
.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
Phase2 EAP client authentication method
.TP
.BR charon.plugins.eap-peap.phase2_piggyback " [no]"
Phase2 EAP Identity request piggybacked by server onto TLS Finished message
.TP
.BR charon.plugins.eap-peap.phase2_tnc " [no]"
Start phase2 EAP TNC protocol after successful client authentication
.TP
.BR charon.plugins.eap-peap.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
.BR charon.plugins.eap-radius.accounting " [no]"
Send RADIUS accounting information to RADIUS servers.
.TP
.BR charon.plugins.eap-radius.accounting_requires_vip " [no]"
If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP
.TP
.BR charon.plugins.eap-radius.class_group " [no]"
Use the
.I class
attribute sent in the RADIUS Access-Accept message as group membership
information that is compared to the groups specified in the
.B rightgroups
option in
.B ipsec.conf (5).
.TP
.BR charon.plugins.eap-radius.close_all_on_timeout " [no]"
Closes all IKE_SAs if communication with the RADIUS server times out. If it is
not set only the current IKE_SA is closed.
.TP
.BR charon.plugins.eap-radius.dae.enable " [no]"
Enables support for the Dynamic Authorization Extension (RFC 5176)
.TP
.BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]"
Address to listen for DAE messages from the RADIUS server
.TP
.BR charon.plugins.eap-radius.dae.port " [3799]"
Port to listen for DAE requests
.TP
.BR charon.plugins.eap-radius.dae.secret
Shared secret used to verify/sign DAE messages
.TP
.BR charon.plugins.eap-radius.eap_start " [no]"
Send EAP-Start instead of EAP-Identity to start RADIUS conversation
.TP
.BR charon.plugins.eap-radius.filter_id " [no]"
If the RADIUS
.I tunnel_type
attribute with value
.B ESP
is received, use the
.I filter_id
attribute sent in the RADIUS Access-Accept message as group membership
information that is compared to the groups specified in the
.B rightgroups
option in
.B ipsec.conf (5).
.TP
.BR charon.plugins.eap-radius.forward.ike_to_radius
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
name or attribute number, a colon can be used to specify vendor-specific
attributes, e.g. Reply-Message, or 11, or 36906:12).
.TP
.BR charon.plugins.eap-radius.forward.radius_to_ike
Same as
.B charon.plugins.eap-radius.forward.ike_to_radius
but from RADIUS to
IKEv2, a strongSwan specific private notify (40969) is used to transmit the
attributes.
.TP
.BR charon.plugins.eap-radius.id_prefix
Prefix to EAP-Identity, some AAA servers use an IMSI prefix to select the
EAP method
.TP
.BR charon.plugins.eap-radius.nas_identifier " [strongSwan]"
NAS-Identifier to include in RADIUS messages
.TP
.BR charon.plugins.eap-radius.port " [1812]"
Port of RADIUS server (authentication)
.TP
.BR charon.plugins.eap-radius.secret
Shared secret between RADIUS and NAS
.TP
.BR charon.plugins.eap-radius.server
IP/Hostname of RADIUS server
.TP
.BR charon.plugins.eap-radius.servers
Section to specify multiple RADIUS servers. The
.BR nas_identifier ,
.BR secret ,
.B sockets
and
.B port
(or
.BR auth_port )
options can be specified for each server. A server's IP/Hostname can be
configured using the
.B address
option. The
.BR acct_port " [1813]"
option can be used to specify the port used for RADIUS accounting.
For each RADIUS server a priority can be specified using the
.BR preference " [0]"
option.
.TP
.BR charon.plugins.eap-radius.sockets " [1]"
Number of sockets (ports) to use, increase for high load
.TP
.BR charon.plugins.eap-radius.xauth
Section to configure multiple XAuth authentication rounds via RADIUS. The
subsections define so-called authentication profiles with arbitrary names. In
each profile section one or more XAuth types can be configured, with an
assigned message. For each type a separate XAuth exchange will be initiated and
all replies get concatenated into the User-Password attribute, which then gets
verified over RADIUS.

Available XAuth types are \fBpassword\fR, \fBpasscode\fR, \fBnextpin\fR, and
\fBanswer\fR. This type is not relevant to strongSwan or the AAA server, but the
client may show a different dialog (along with the configured message).

To use the configured profiles, they have to be configured in the respective
connection in
.IR ipsec.conf (5)
by appending the profile name, separated by a colon, to the
.B xauth-radius
XAuth backend configuration in
.I rightauth
or
.IR rightauth2 ,
for instance,
.IR rightauth2=xauth-radius:profile .
.TP
.BR charon.plugins.eap-sim.request_identity " [yes]"

.TP
.BR charon.plugins.eap-simaka-sql.database

.TP
.BR charon.plugins.eap-simaka-sql.remove_used " [no]"

.TP
.BR charon.plugins.eap-tls.fragment_size " [1024]"
Maximum size of an EAP-TLS packet
.TP
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets (0 = no limit)
.TP
.BR charon.plugins.eap-tls.include_length " [yes]"
Include length in non-fragmented EAP-TLS packets
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets (0 = no limit)
.TP
.BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]"
IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic)
.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets (0 = no limit)
.TP
.BR charon.plugins.eap-ttls.include_length " [yes]"
Include length in non-fragmented EAP-TTLS packets
.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
.BR charon.plugins.eap-ttls.phase2_piggyback " [no]"
Phase2 EAP Identity request piggybacked by server onto TLS Finished message
.TP
.BR charon.plugins.eap-ttls.phase2_tnc " [no]"
Start phase2 EAP TNC protocol after successful client authentication
.TP
.BR charon.plugins.eap-ttls.request_peer_auth " [no]"
Request peer authentication based on a client certificate
.TP
.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
Socket provided by the error-notify plugin
.TP
.BR charon.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
.TP
.BR charon.plugins.ha.autobalance " [0]"
Interval in seconds to automatically balance handled segments between nodes.
Set to 0 to disable.
.TP
.BR charon.plugins.ha.fifo_interface " [yes]"

.TP
.BR charon.plugins.ha.heartbeat_delay " [1000]"

.TP
.BR charon.plugins.ha.heartbeat_timeout " [2100]"

.TP
.BR charon.plugins.ha.local

.TP
.BR charon.plugins.ha.monitor " [yes]"

.TP
.BR charon.plugins.ha.pools

.TP
.BR charon.plugins.ha.remote

.TP
.BR charon.plugins.ha.resync " [yes]"

.TP
.BR charon.plugins.ha.secret

.TP
.BR charon.plugins.ha.segment_count " [1]"

.TP
.BR charon.plugins.ipseckey.enable " [no]"
Enable fetching of IPSECKEY RRs via DNS
.TP
.BR charon.plugins.led.activity_led

.TP
.BR charon.plugins.led.blink_time " [50]"

.TP
.BR charon.plugins.kernel-klips.ipsec_dev_count " [4]"
Number of ipsecN devices
.TP
.BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
Set MTU of ipsecN device
.TP
.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
Allow that the remote traffic selector equals the IKE peer. The route installed
for such traffic (via TUN device) usually prevents further IKE traffic. The
fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can
be used to circumvent that problem.
.TP
.BR charon.plugins.kernel-netlink.fwmark
Firewall mark to set on the routing rule that directs traffic to our own routing
table. The format is [!]mark[/mask], where the optional exclamation mark inverts
the meaning (i.e. the rule only applies to packets that don't match the mark).
.TP
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change
.TP
.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
Lifetime of XFRM acquire state in kernel. The value gets written to
/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
acquire messages sent.
.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
.TP
.BR charon.plugins.load-tester
Section to configure the load-tester plugin, see LOAD TESTS
.TP
.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
Socket provided by the lookip plugin
.TP
.BR charon.plugins.ntru.max_drbg_requests " [4294967294]"
Number of pseudo-random bit requests from the DRBG before an automatic
773 | reseeding occurs. | |
774 | .TP | |
775 | .BR charon.plugins.ntru.parameter_set " [optimum]" | |
776 | The following parameter sets are available: | |
777 | .BR x9_98_speed , | |
778 | .BR x9_98_bandwidth , | |
779 | .B x9_98_balance | |
780 | and | |
781 | .BR optimum , | |
782 | the last set not being part of the X9.98 standard but having the best performance. | |
783 | .TP | |
784 | .BR charon.plugins.openssl.engine_id " [pkcs11]" | |
785 | ENGINE ID to use in the OpenSSL plugin | |
786 | .TP | |
787 | .BR charon.plugins.openssl.fips_mode " [0]" | |
788 | Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) | |
789 | .TP | |
790 | .BR charon.plugins.pkcs11.modules | |
791 | List of available PKCS#11 modules | |
792 | .TP | |
793 | .BR charon.plugins.pkcs11.load_certs " [yes]" | |
794 | Whether to load certificates from tokens | |
795 | .TP | |
796 | .BR charon.plugins.pkcs11.reload_certs " [no]" | |
797 | Reload certificates from all tokens if charon receives a SIGHUP | |
798 | .TP | |
799 | .BR charon.plugins.pkcs11.use_dh " [no]" | |
800 | Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option) | |
801 | .TP | |
802 | .BR charon.plugins.pkcs11.use_ecc " [no]" | |
803 | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key | |
804 | operations. ECDSA private keys can be used regardless of this option | |
805 | .TP | |
806 | .BR charon.plugins.pkcs11.use_hasher " [no]" | |
807 | Whether the PKCS#11 modules should be used to hash data | |
808 | .TP | |
809 | .BR charon.plugins.pkcs11.use_pubkey " [no]" | |
810 | Whether the PKCS#11 modules should be used for public key operations, even for | |
811 | keys not stored on tokens | |
812 | .TP | |
813 | .BR charon.plugins.pkcs11.use_rng " [no]" | |
814 | Whether the PKCS#11 modules should be used as RNG | |
815 | .TP | |
13de38e3 TB |
816 | .BR charon.plugins.radattr.dir |
817 | Directory where RADIUS attributes are stored in client-ID specific files. | |
818 | .TP | |
819 | .BR charon.plugins.radattr.message_id " [-1]" | |
820 | Attributes are added to all IKE_AUTH messages by default (-1), or only to the | |
821 | IKE_AUTH message with the given IKEv2 message ID. | |
822 | .TP | |
8dc6e716 TB |
823 | .BR charon.plugins.random.random " [@random_device@]" |
824 | File to read random bytes from, instead of @random_device@ | |
825 | .TP | |
826 | .BR charon.plugins.random.urandom " [@urandom_device@]" | |
827 | File to read pseudo random bytes from, instead of @urandom_device@ | |
828 | .TP | |
829 | .BR charon.plugins.random.strong_equals_true " [no]" | |
830 | If set to yes the RNG_STRONG class reads random bytes from the same source as | |
831 | the RNG_TRUE class. | |
832 | .TP | |
320cecd2 TB |
833 | .BR charon.plugins.resolve.file " [/etc/resolv.conf]" |
834 | File where to add DNS server entries | |
835 | .TP | |
ed2cab08 TB |
836 | .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" |
837 | Prefix used for interface names sent to resolvconf(8). The nameserver address | |
838 | is appended to this prefix to make it unique. The result has to be a valid | |
839 | interface name according to the rules defined by resolvconf. Also, it should | |
840 | have a high priority according to the order defined in interface-order(5). | |
841 | .TP | |
80f8b3a6 TB |
842 | .BR charon.plugins.socket-default.fwmark |
843 | Firewall mark to set on outbound packets. | |
844 | .TP | |
6fbf4472 TB |
845 | .BR charon.plugins.socket-default.set_source " [yes]" |
846 | Set source address on outbound packets, if possible. | |
847 | .TP | |
598bec78 TB |
848 | .BR charon.plugins.socket-default.use_ipv4 " [yes]" |
849 | Listen on IPv4, if possible. | |
850 | .TP | |
851 | .BR charon.plugins.socket-default.use_ipv6 " [yes]" | |
852 | Listen on IPv6, if possible. | |
853 | .TP | |
320cecd2 TB |
854 | .BR charon.plugins.sql.database |
855 | Database URI for charons SQL plugin | |
856 | .TP | |
857 | .BR charon.plugins.sql.loglevel " [-1]" | |
858 | Loglevel for logging to SQL database | |
68de7267 | 859 | .TP |
9ec66bc1 TB |
860 | .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" |
861 | Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA | |
862 | certificates even if they don't contain a CA basic constraint. | |
863 | .TP | |
7c0c2349 TB |
864 | .BR charon.plugins.stroke.max_concurrent " [4]" |
865 | Maximum number of stroke messages handled concurrently | |
866 | .TP | |
5ab03863 TB |
867 | .BR charon.plugins.stroke.prevent_loglevel_changes " [no]" |
868 | If enabled log level changes via stroke socket are not allowed. | |
869 | .TP | |
b07aee49 | 870 | .BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]" |
2ed8b36a TB |
871 | Socket provided by the stroke plugin |
872 | .TP | |
96ad2b17 TB |
873 | .BR charon.plugins.stroke.timeout " [0]" |
874 | Timeout in ms for any stroke command. Use 0 to disable the timeout | |
875 | .TP | |
876 | .BR charon.plugins.systime-fix.interval " [0]" | |
877 | Interval in seconds to check system time for validity. 0 disables the check | |
878 | .TP | |
879 | .BR charon.plugins.systime-fix.reauth " [no]" | |
880 | Whether to use reauth or delete if an invalid cert lifetime is detected | |
881 | .TP | |
882 | .BR charon.plugins.systime-fix.threshold | |
883 | Threshold date where system time is considered valid. Disabled if not specified | |
884 | .TP | |
885 | .BR charon.plugins.systime-fix.threshold_format " [%Y]" | |
886 | strptime(3) format used to parse threshold option | |
887 | .TP | |
0cf4dc53 AS |
888 | .BR charon.plugins.tnc-ifmap.client_cert |
889 | Path to X.509 certificate file of IF-MAP client | |
535798cf | 890 | .TP |
0cf4dc53 AS |
891 | .BR charon.plugins.tnc-ifmap.client_key |
892 | Path to private key file of IF-MAP client | |
535798cf | 893 | .TP |
0cf4dc53 AS |
894 | .BR charon.plugins.tnc-ifmap.device_name |
895 | Unique name of strongSwan server as a PEP and/or PDP device | |
535798cf | 896 | .TP |
1044710b AS |
897 | .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" |
898 | Interval in seconds between periodic IF-MAP RenewSession requests | |
899 | .TP | |
900 | .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" | |
96ad2b17 TB |
901 | URI of the form [https://]servername[:port][/path] |
902 | .TP | |
903 | .BR charon.plugins.tnc-ifmap.server_cert | |
904 | Path to X.509 certificate file of IF-MAP server | |
905 | .TP | |
906 | .BR charon.plugins.tnc-ifmap.username_password | |
907 | Credentials of IF-MAP client of the form username:password | |
908 | .TP | |
0d9e3751 AS |
909 | .BR charon.plugins.tnc-pdp.pt_tls.enable " [yes]" |
910 | Enable PT-TLS protocol on the strongSwan PDP | |
911 | .TP | |
f5b5d262 AS |
912 | .BR charon.plugins.tnc-pdp.pt_tls.port " [271]" |
913 | PT-TLS server port the strongSwan PDP is listening on | |
914 | .TP | |
0d9e3751 AS |
915 | .BR charon.plugins.tnc-pdp.radius.enable " [yes]" |
916 | Enable RADIUS protocol on the strongSwan PDP | |
917 | .TP | |
f5b5d262 | 918 | .BR charon.plugins.tnc-pdp.radius.method " [ttls]" |
f673958e AS |
919 | EAP tunnel method to be used |
920 | .TP | |
f5b5d262 | 921 | .BR charon.plugins.tnc-pdp.radius.port " [1812]" |
f673958e AS |
922 | RADIUS server port the strongSwan PDP is listening on |
923 | .TP | |
f5b5d262 | 924 | .BR charon.plugins.tnc-pdp.radius.secret |
f673958e AS |
925 | Shared RADIUS secret between strongSwan PDP and NAS |
926 | .TP | |
927 | .BR charon.plugins.tnc-pdp.server | |
629cdca8 TB |
928 | Name of the strongSwan PDP as contained in the AAA certificate |
929 | .TP | |
96ad2b17 TB |
930 | .BR charon.plugins.tnc-pdp.timeout |
931 | Timeout in seconds before closing incomplete connections | |
932 | .TP | |
8dc6e716 TB |
933 | .BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]" |
934 | File to read DNS resolver configuration from | |
935 | .TP | |
936 | .BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" | |
937 | File to read DNSSEC trust anchors from (usually root zone KSK). The format of | |
938 | the file is the standard DNS Zone file format, anchors can be stored as DS or | |
939 | DNSKEY entries in the file. | |
940 | .TP | |
941 | .BR charon.plugins.unbound.dlv_anchors | |
942 | File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses | |
943 | the same format as \fItrust_anchors\fR. Only one DLV can be configured, which | |
944 | is then used as a root trusted DLV, this means that it is a lookaside for | |
945 | the root. | |
946 | .TP | |
629cdca8 TB |
947 | .BR charon.plugins.updown.dns_handler " [no]" |
948 | Whether the updown script should handle DNS serves assigned via IKEv1 Mode | |
949 | Config or IKEv2 Config Payloads (if enabled they can't be handled by other | |
950 | plugins, like resolve) | |
f673958e | 951 | .TP |
e236ed1e | 952 | .BR charon.plugins.whitelist.enable " [yes]" |
629cdca8 TB |
953 | Enable loaded whitelist plugin |
954 | .TP | |
b07aee49 | 955 | .BR charon.plugins.whitelist.socket " [unix://@piddir@/charon.wlst]" |
2ed8b36a TB |
956 | Socket provided by the whitelist plugin |
957 | .TP | |
629cdca8 TB |
958 | .BR charon.plugins.xauth-eap.backend " [radius]" |
959 | EAP plugin to be used as backend for XAuth credential verification | |
9ede42e1 TB |
960 | .TP |
961 | .BR charon.plugins.xauth-pam.pam_service " [login]" | |
962 | PAM service to be used for authentication | |
3e3db374 | 963 | .TP |
c5dc94dc MW |
964 | .BR charon.plugins.xauth-pam.session " [no]" |
965 | Open/close a PAM session for each active IKE_SA | |
966 | .TP | |
3e3db374 TB |
967 | .BR charon.plugins.xauth-pam.trim_email " [yes]" |
968 | If an email address is given as an XAuth username, trim it to just the | |
969 | username part. | |
f0a8bf47 AS |
970 | .SS libtnccs section |
971 | .TP | |
972 | .BR libtnccs.tnc_config " [/etc/tnc_config]" | |
973 | TNC IMC/IMV configuration directory | |
9d8c28e2 AS |
974 | .PP |
975 | .SS libtnccs plugins section | |
976 | .TP | |
12b3db50 | 977 | .BR libtnccs.plugins.tnccs-11.max_message_size " [45000]" |
9d8c28e2 AS |
978 | Maximum size of a PA-TNC message (XML & Base64 encoding) |
979 | .TP | |
12b3db50 | 980 | .BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]" |
9d8c28e2 AS |
981 | Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) |
982 | .TP | |
12b3db50 | 983 | .BR libtnccs.plugins.tnccs-20.max_message_size " [65490]" |
9d8c28e2 AS |
984 | Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) |
985 | .TP | |
12b3db50 | 986 | .BR libtnccs.plugins.tnc-imc.dlclose " [yes]" |
9d8c28e2 AS |
987 | Unload IMC after use |
988 | .TP | |
12b3db50 | 989 | .BR libtnccs.plugins.tnc-imc.preferred_language " [en]" |
9d8c28e2 | 990 | Preferred language for TNC recommendations |
12b3db50 AS |
991 | .TP |
992 | .BR libtnccs.plugins.tnc-imv.dlclose " [yes]" | |
993 | Unload IMV after use | |
c8eb2dea AS |
994 | .SS libimcv section |
995 | .TP | |
3b51f340 AS |
996 | .BR libimcv.assessment_result " [yes]" |
997 | Whether IMVs send a standard IETF Assessment Result attribute | |
998 | .TP | |
2ed8b36a TB |
999 | .BR libimcv.database |
1000 | Global IMV policy database URI | |
1001 | .TP | |
c8eb2dea AS |
1002 | .BR libimcv.debug_level " [1]" |
1003 | Debug level for a stand-alone libimcv library | |
1004 | .TP | |
2ed8b36a TB |
1005 | .BR libimcv.load " [random nonce gmp pubkey x509]" |
1006 | Plugins to load in IMC/IMVs | |
1007 | .TP | |
6ab15025 AS |
1008 | .BR libimcv.os_info.name |
1009 | Manually set the name of the client OS (e.g. Ubuntu) | |
1010 | .TP | |
1011 | .BR libimcv.os_info.version | |
1012 | Manually set the version of the client OS (e.g. 12.04 i686) | |
2ed8b36a TB |
1013 | .TP |
1014 | .BR libimcv.policy_script " [ipsec _imv_policy]" | |
1015 | Script called for each TNC connection to generate IMV policies | |
3021139f TB |
1016 | .TP |
1017 | .BR libimcv.stderr_quiet " [no]" | |
1018 | isable output to stderr with a stand-alone libimcv library | |
1019 | .PP | |
6ab15025 | 1020 | .SS libimcv plugins section |
c8eb2dea | 1021 | .TP |
15b3dc5b AS |
1022 | .BR libimcv.plugins.imc-attestation.aik_blob |
1023 | AIK encrypted private key blob file | |
1024 | .TP | |
f7a98122 AS |
1025 | .BR libimcv.plugins.imc-attestation.aik_cert |
1026 | AIK certificate file | |
c8eb2dea | 1027 | .TP |
f7a98122 AS |
1028 | .BR libimcv.plugins.imc-attestation.aik_key |
1029 | AIK public key file | |
c8eb2dea | 1030 | .TP |
e0175103 AS |
1031 | .BR libimcv.plugins.imv-attestation.nonce_len " [20]" |
1032 | DH nonce length | |
1033 | .TP | |
1034 | .BR libimcv.plugins.imv-attestation.use_quote2 " [yes]" | |
1035 | Use Quote2 AIK signature instead of Quote signature | |
1036 | .TP | |
f7a98122 AS |
1037 | .BR libimcv.plugins.imv-attestation.cadir |
1038 | Path to directory with AIK cacerts | |
e65a5053 | 1039 | .TP |
e0175103 AS |
1040 | .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]" |
1041 | Preferred Diffie-Hellman group | |
1042 | .TP | |
1043 | .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]" | |
f7a98122 AS |
1044 | Preferred measurement hash algorithm |
1045 | .TP | |
e0175103 AS |
1046 | .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]" |
1047 | DH minimum nonce length | |
1048 | .TP | |
742722e2 AS |
1049 | .BR libimcv.plugins.imv-attestation.remediation_uri |
1050 | URI pointing to attestation remediation instructions | |
1051 | .TP | |
1052 | .BR libimcv.plugins.imc-os.push_info " [yes]" | |
ffd3556b AS |
1053 | Send operating system info without being prompted |
1054 | .TP | |
742722e2 AS |
1055 | .BR libimcv.plugins.imv-os.remediation_uri |
1056 | URI pointing to operating system remediation instructions | |
1057 | .TP | |
1058 | .BR libimcv.plugins.imc-scanner.push_info " [yes]" | |
ffd3556b AS |
1059 | Send open listening ports without being prompted |
1060 | .TP | |
742722e2 AS |
1061 | .BR libimcv.plugins.imv-scanner.remediation_uri |
1062 | URI pointing to scanner remediation instructions | |
1063 | .TP | |
8250fc10 | 1064 | .BR libimcv.plugins.imc-swid.swid_directory " [@prefix@/share]" |
ae321726 AS |
1065 | Directory where SWID tags are located |
1066 | .TP | |
63179fd4 AS |
1067 | .BR libimcv.plugins.imc-test.additional_ids " [0]" |
1068 | Number of additional IMC IDs | |
1069 | .TP | |
f7a98122 AS |
1070 | .BR libimcv.plugins.imc-test.command " [none]" |
1071 | Command to be sent to the Test IMV | |
1072 | .TP | |
87efdef3 AS |
1073 | .BR libimcv.plugins.imc-test.dummy_size " [0]" |
1074 | Size of dummy attribute to be sent to the Test IMV (0 = disabled) | |
1075 | .TP | |
3021139f TB |
1076 | .BR libimcv.plugins.imv-test.remediation_uri |
1077 | URI pointing to test remediation instructions | |
1078 | .TP | |
f7a98122 AS |
1079 | .BR libimcv.plugins.imc-test.retry " [no]" |
1080 | Do a handshake retry | |
1081 | .TP | |
1082 | .BR libimcv.plugins.imc-test.retry_command | |
1083 | Command to be sent to the Test IMV in the handshake retry | |
1084 | .TP | |
1085 | .BR libimcv.plugins.imv-test.rounds " [0]" | |
1086 | Number of IMC-IMV retry rounds | |
320cecd2 TB |
1087 | .SS manager section |
1088 | .TP | |
1089 | .BR manager.database | |
1090 | Credential database URI for manager | |
1091 | .TP | |
1092 | .BR manager.debug " [no]" | |
1093 | Enable debugging in manager | |
1094 | .TP | |
1095 | .BR manager.load | |
1096 | Plugins to load in manager | |
1097 | .TP | |
1098 | .BR manager.socket | |
1099 | FastCGI socket of manager, to run it statically | |
1100 | .TP | |
1101 | .BR manager.threads " [10]" | |
1102 | Threads to use for request handling | |
1103 | .TP | |
1104 | .BR manager.timeout " [15m]" | |
1105 | Session timeout for manager | |
1106 | .SS mediation client section | |
1107 | .TP | |
1108 | .BR medcli.database | |
1109 | Mediation client database URI | |
1110 | .TP | |
1111 | .BR medcli.dpd " [5m]" | |
1112 | DPD timeout to use in mediation client plugin | |
1113 | .TP | |
1114 | .BR medcli.rekey " [20m]" | |
1115 | Rekeying time on mediation connections in mediation client plugin | |
1116 | .SS mediation server section | |
1117 | .TP | |
1118 | .BR medsrv.database | |
1119 | Mediation server database URI | |
1120 | .TP | |
1121 | .BR medsrv.debug " [no]" | |
1122 | Debugging in mediation server web application | |
1123 | .TP | |
1124 | .BR medsrv.dpd " [5m]" | |
1125 | DPD timeout to use in mediation server plugin | |
1126 | .TP | |
1127 | .BR medsrv.load | |
1128 | Plugins to load in mediation server plugin | |
1129 | .TP | |
1130 | .BR medsrv.password_length " [6]" | |
1131 | Minimum password length required for mediation server user accounts | |
1132 | .TP | |
1133 | .BR medsrv.rekey " [20m]" | |
1134 | Rekeying time on mediation connections in mediation server plugin | |
1135 | .TP | |
1136 | .BR medsrv.socket | |
1137 | Run Mediation server web application statically on socket | |
1138 | .TP | |
1139 | .BR medsrv.threads " [5]" | |
1140 | Number of thread for mediation service web application | |
1141 | .TP | |
1142 | .BR medsrv.timeout " [15m]" | |
1143 | Session timeout for mediation service | |
1144 | .SS openac section | |
1145 | .TP | |
1146 | .BR openac.load | |
1147 | Plugins to load in ipsec openac tool | |
c186b394 TB |
1148 | .SS pacman section |
1149 | .TP | |
1150 | .BR pacman.database | |
1151 | Database URI for the database that stores the package information | |
320cecd2 TB |
1152 | .SS pki section |
1153 | .TP | |
1154 | .BR pki.load | |
1155 | Plugins to load in ipsec pki tool | |
320cecd2 TB |
1156 | .SS pool section |
1157 | .TP | |
1158 | .BR pool.load | |
1159 | Plugins to load in ipsec pool tool | |
bb49dfb0 TB |
1160 | .SS pt-tls-client section |
1161 | .TP | |
1162 | .BR pt-tls-client.load | |
1163 | Plugins to load in ipsec pt-tls-client tool | |
320cecd2 TB |
1164 | .SS scepclient section |
1165 | .TP | |
1166 | .BR scepclient.load | |
1167 | Plugins to load in ipsec scepclient tool | |
1168 | .SS starter section | |
1169 | .TP | |
848a36fe TB |
1170 | .BR starter.load |
1171 | Plugins to load in starter | |
1172 | .TP | |
320cecd2 | 1173 | .BR starter.load_warning " [yes]" |
629cdca8 | 1174 | Disable charon plugin load option warning |
320cecd2 | 1175 | |
b2bcc577 TB |
1176 | .SH LOGGER CONFIGURATION |
1177 | The options described below provide a much more flexible way to configure | |
1178 | loggers for the IKEv2 daemon charon than using the | |
1179 | .B charondebug | |
1180 | option in | |
1181 | .BR ipsec.conf (5). | |
1182 | .PP | |
1183 | .B Please note | |
1184 | that if any loggers are specified in strongswan.conf, | |
1185 | .B charondebug | |
1186 | does not have any effect. | |
1187 | .PP | |
1188 | There are currently two types of loggers defined: | |
1189 | .TP | |
1190 | .B File loggers | |
1191 | Log directly to a file and are defined by specifying the full path to the | |
1192 | file as subsection in the | |
1193 | .B charon.filelog | |
1194 | section. To log to the console the two special filenames | |
1195 | .BR stdout " and " stderr | |
1196 | can be used. | |
1197 | .TP | |
1198 | .B Syslog loggers | |
1199 | Log into a syslog facility and are defined by specifying the facility to log to | |
1200 | as the name of a subsection in the | |
1201 | .B charon.syslog | |
1202 | section. The following facilities are currently supported: | |
1203 | .BR daemon " and " auth . | |
1204 | .PP | |
1205 | Multiple loggers can be defined for each type with different log verbosity for | |
1206 | the different subsystems of the daemon. | |
1207 | .SS Options | |
1208 | .TP | |
1209 | .BR charon.filelog.<filename>.default " [1]" | |
1210 | .TQ | |
1211 | .BR charon.syslog.<facility>.default | |
1212 | Specifies the default loglevel to be used for subsystems for which no specific | |
1213 | loglevel is defined. | |
1214 | .TP | |
1215 | .BR charon.filelog.<filename>.<subsystem> " [<default>]" | |
1216 | .TQ | |
1217 | .BR charon.syslog.<facility>.<subsystem> | |
41f525be | 1218 | Specifies the loglevel for the given subsystem. |
b2bcc577 TB |
1219 | .TP |
1220 | .BR charon.filelog.<filename>.append " [yes]" | |
41f525be | 1221 | If this option is enabled log entries are appended to the existing file. |
b2bcc577 TB |
1222 | .TP |
1223 | .BR charon.filelog.<filename>.flush_line " [no]" | |
1224 | Enabling this option disables block buffering and enables line buffering. | |
1225 | .TP | |
1226 | .BR charon.filelog.<filename>.ike_name " [no]" | |
1227 | .TQ | |
1228 | .BR charon.syslog.<facility>.ike_name | |
1229 | Prefix each log entry with the connection name and a unique numerical | |
1230 | identifier for each IKE_SA. | |
1231 | .TP | |
1232 | .BR charon.filelog.<filename>.time_format | |
1233 | Prefix each log entry with a timestamp. The option accepts a format string as | |
1234 | passed to | |
1235 | .BR strftime (3). | |
5895c2e9 TB |
1236 | .TP |
1237 | .BR charon.syslog.identifier | |
1238 | Global identifier used for an | |
1239 | .BR openlog (3) | |
1240 | call, prepended to each log message by syslog. If not configured, | |
1241 | .BR openlog (3) | |
1242 | is not called, so the value will depend on system defaults (often the program | |
1243 | name). | |
b2bcc577 TB |
1244 | |
1245 | .SS Subsystems | |
1246 | .TP | |
1247 | .B dmn | |
1248 | Main daemon setup/cleanup/signal handling | |
1249 | .TP | |
1250 | .B mgr | |
1251 | IKE_SA manager, handling synchronization for IKE_SA access | |
1252 | .TP | |
1253 | .B ike | |
1254 | IKE_SA | |
1255 | .TP | |
1256 | .B chd | |
1257 | CHILD_SA | |
1258 | .TP | |
1259 | .B job | |
1260 | Jobs queueing/processing and thread pool management | |
1261 | .TP | |
1262 | .B cfg | |
1263 | Configuration management and plugins | |
1264 | .TP | |
1265 | .B knl | |
1266 | IPsec/Networking kernel interface | |
1267 | .TP | |
1268 | .B net | |
1269 | IKE network communication | |
1270 | .TP | |
54d096a7 TB |
1271 | .B asn |
1272 | Low-level encoding/decoding (ASN.1, X.509 etc.) | |
1273 | .TP | |
b2bcc577 TB |
1274 | .B enc |
1275 | Packet encoding/decoding encryption/decryption operations | |
1276 | .TP | |
1277 | .B tls | |
1278 | libtls library messages | |
1279 | .TP | |
56d07af3 TB |
1280 | .B esp |
1281 | libipsec library messages | |
1282 | .TP | |
b2bcc577 TB |
1283 | .B lib |
1284 | libstrongwan library messages | |
45945fa1 TB |
1285 | .TP |
1286 | .B tnc | |
1287 | Trusted Network Connect | |
1288 | .TP | |
1289 | .B imc | |
1290 | Integrity Measurement Collector | |
1291 | .TP | |
1292 | .B imv | |
1293 | Integrity Measurement Verifier | |
7213abcb TB |
1294 | .TP |
1295 | .B pts | |
1296 | Platform Trust Service | |
b2bcc577 TB |
1297 | .SS Loglevels |
1298 | .TP | |
1299 | .B -1 | |
1300 | Absolutely silent | |
1301 | .TP | |
1302 | .B 0 | |
1303 | Very basic auditing logs, (e.g. SA up/SA down) | |
1304 | .TP | |
1305 | .B 1 | |
1306 | Generic control flow with errors, a good default to see whats going on | |
1307 | .TP | |
1308 | .B 2 | |
1309 | More detailed debugging control flow | |
1310 | .TP | |
1311 | .B 3 | |
1312 | Including RAW data dumps in Hex | |
1313 | .TP | |
1314 | .B 4 | |
1315 | Also include sensitive material in dumps, e.g. keys | |
1316 | .SS Example | |
1317 | .PP | |
1318 | .EX | |
1319 | charon { | |
1320 | filelog { | |
1321 | /var/log/charon.log { | |
1322 | time_format = %b %e %T | |
1323 | append = no | |
1324 | default = 1 | |
1325 | } | |
1326 | stderr { | |
1327 | ike = 2 | |
1328 | knl = 3 | |
1329 | ike_name = yes | |
1330 | } | |
1331 | } | |
1332 | syslog { | |
1333 | # enable logging to LOG_DAEMON, use defaults | |
1334 | daemon { | |
1335 | } | |
1336 | # minimalistic IKE auditing logging to LOG_AUTHPRIV | |
1337 | auth { | |
1338 | default = -1 | |
1339 | ike = 0 | |
1340 | } | |
1341 | } | |
1342 | } | |
1343 | .EE | |
1344 | ||
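The logger example above is worth checking mechanically before it is deployed, because loglevel 4 writes key material to whatever file or syslog facility it is attached to. The following Python script is an added example, not strongSwan code: it parses the strongswan.conf section/key=value syntax just far enough to read the charon.filelog and charon.syslog subsections, then reports loggers that would dump sensitive material and file loggers that carry no timestamp. The subsystem names, facilities and loglevel range are the ones listed in this section; the sample configurations are the example above and a constructed variant of it with enc = 4 added.

```python
"""Parse strongswan.conf logger sections and flag risky loglevels.

Added example; not strongSwan project code. It reads the hierarchical
section { key = value } syntax far enough to inspect charon.filelog and
charon.syslog, then reports loggers that would write sensitive material
(loglevel 4 dumps keys) and file loggers without a timestamp.
"""

# Subsystem names, syslog facilities and logger options as listed on this page.
SUBSYSTEMS = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
              "enc", "tls", "esp", "lib", "tnc", "imc", "imv", "pts"}
SYSLOG_FACILITIES = {"daemon", "auth"}
LOGGER_OPTIONS = {"default", "append", "flush_line", "ike_name", "time_format"}


def parse_settings(text):
    """Return nested dicts: a section maps to a dict, a key to its string value."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def audit_loggers(conf):
    """Return (logger, finding) pairs for the charon.filelog/charon.syslog sections."""
    findings = []
    charon = conf.get("charon", {})
    for kind in ("filelog", "syslog"):
        for target, opts in charon.get(kind, {}).items():
            logger = "charon.%s.%s" % (kind, target)
            if kind == "syslog" and target not in SYSLOG_FACILITIES:
                findings.append((logger, "unsupported syslog facility"))
            levels = {"default": int(opts.get("default", 1))}
            for key, value in opts.items():
                if key in LOGGER_OPTIONS:
                    continue
                if key not in SUBSYSTEMS:
                    findings.append((logger, "unknown subsystem %s" % key))
                    continue
                levels[key] = int(value)
            for name, level in levels.items():
                if not -1 <= level <= 4:
                    findings.append((logger, "loglevel %d for %s is out of range" % (level, name)))
                elif level == 4:
                    findings.append((logger, "loglevel 4 for %s dumps sensitive material such as keys" % name))
            # A persistent file log without a timestamp is hard to correlate
            # with other evidence during incident response.
            if kind == "filelog" and target not in ("stdout", "stderr") \
                    and "time_format" not in opts:
                findings.append((logger, "no time_format, entries carry no timestamp"))
    return findings


# The logger example from this man page section.
EXAMPLE_CONF = """\
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
"""

# Constructed variant: the persistent file log additionally dumps key material.
RISKY_CONF = EXAMPLE_CONF.replace("default = 1\n", "default = 1\n            enc = 4\n")

if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_CONF), ("risky", RISKY_CONF)):
        print(name, audit_loggers(parse_settings(text)))
```

The parser deliberately stays small: it accepts sections only as name { ... } with the closing bracket on its own line, which is how the examples on this page are written.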
.SH JOB PRIORITY MANAGEMENT
Some operations in the IKEv2 daemon charon are currently implemented
synchronously and blocking. Two examples for such operations are communication
with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
certificate chain verification. Under high load conditions, the thread pool may
run out of available threads, and some more important jobs, such as liveness
checking, may not get executed in time.
.PP
To prevent thread starvation in such situations, job priorities were introduced.
The job processor reserves some threads for higher priority jobs; these
threads are not available for lower priority, locking jobs.
.SS Implementation
Currently 4 priorities have been defined, and they are used in charon as
follows:
.TP
.B CRITICAL
Priority for long-running dispatcher jobs.
.TP
.B HIGH
INFORMATIONAL exchanges, as used by liveness checking (DPD).
.TP
.B MEDIUM
Everything not HIGH/LOW, including IKE_SA_INIT processing.
.TP
.B LOW
IKE_AUTH message processing. RADIUS and CRL fetching block here.
.PP
Although IKE_SA_INIT processing is computationally expensive, it is explicitly
assigned to the MEDIUM class. This allows charon to do the DH exchange while
other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
.PP
The thread pool processes jobs strictly by priority, meaning it will consume all
higher priority jobs before looking for ones with lower priority. Further, it
reserves threads for certain priorities. A priority class having reserved
.I n
threads will always have
.I n
threads available for this class (either currently processing a job, or waiting
for one).
.SS Configuration
To ensure that there are always enough threads available for higher priority
tasks, threads must be reserved for each priority class.
.TP
.BR charon.processor.priority_threads.critical " [0]"
Threads reserved for CRITICAL priority class jobs
.TP
.BR charon.processor.priority_threads.high " [0]"
Threads reserved for HIGH priority class jobs
.TP
.BR charon.processor.priority_threads.medium " [0]"
Threads reserved for MEDIUM priority class jobs
.TP
.BR charon.processor.priority_threads.low " [0]"
Threads reserved for LOW priority class jobs
.PP
Let's consider the following configuration:
.PP
.EX
charon {
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }
}
.EE
.PP
With this configuration, one thread is reserved for HIGH priority tasks. As
currently only liveness checking and stroke message processing are done with
high priority, one or two threads should be sufficient.
.PP
The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
experiencing many blocks in locks while accessing shared resources, reserving
one to two times the number of CPU cores is fine.
.PP
It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
class rarely return and do not release their thread to the pool.
.PP
The remaining threads are available for LOW priority jobs. Reserving threads
does not make sense (until we have an even lower priority).
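The reservation rule described above (strict priority order, and a class with n reserved threads always keeps n threads working on or waiting for its jobs) is easiest to understand by watching it dispatch. The following Python model is an added example, not charon's processor code: the dispatch rule it implements (an idle thread skips a lower class while higher classes still have unused reserved threads) is this model's reading of the description on this page. The scenario is constructed with a smaller pool than the configuration above: 4 threads, one reserved for HIGH and one for MEDIUM, flooded with blocking LOW priority IKE_AUTH jobs before a DPD and an IKE_SA_INIT arrive.

```python
"""Model of charon's priority thread pool with reserved threads.

Added example; not charon's own processor code. Jobs are taken strictly by
priority, and a class with n reserved threads always has n threads either
working on its jobs or kept idle for them, so lower-priority blocking jobs
cannot starve it. The dispatch rule below is this model's reading of the
man page text, not a transcription of the daemon's implementation.
"""
from collections import deque

PRIORITIES = ("critical", "high", "medium", "low")  # highest first


class PriorityPool:
    def __init__(self, threads, reserved):
        self.threads = threads
        self.reserved = {p: reserved.get(p, 0) for p in PRIORITIES}
        self.working = {p: 0 for p in PRIORITIES}
        self.queue = {p: deque() for p in PRIORITIES}

    def idle(self):
        return self.threads - sum(self.working.values())

    def submit(self, prio, job):
        self.queue[prio].append(job)

    def next_job(self):
        """Return (prio, job) an idle thread should run, or None if it must wait."""
        idle = self.idle()
        if idle == 0:
            return None
        held = 0  # reserved threads of higher classes that are not in use
        for prio in PRIORITIES:
            if held and held >= idle:
                return None  # every idle thread is spoken for by a higher class
            if self.queue[prio]:
                self.working[prio] += 1
                return prio, self.queue[prio].popleft()
            held += max(0, self.reserved[prio] - self.working[prio])
        return None

    def finish(self, prio):
        """A job of the given class returned its thread to the pool."""
        self.working[prio] -= 1


def run_scenario():
    """Constructed scenario: 4 threads, one reserved each for HIGH and MEDIUM;
    five blocking LOW jobs arrive first, then a DPD and an IKE_SA_INIT."""
    pool = PriorityPool(threads=4, reserved={"high": 1, "medium": 1})
    for n in range(5):
        pool.submit("low", "IKE_AUTH %d waiting for RADIUS" % n)
    started = []
    while True:
        job = pool.next_job()
        if job is None:
            break
        started.append(job)
    low_started = len(started)  # only 2 of 4 threads may block in LOW jobs
    pool.submit("high", "DPD INFORMATIONAL")
    high = pool.next_job()      # runs at once on the thread kept free for HIGH
    pool.submit("medium", "IKE_SA_INIT")
    medium = pool.next_job()    # runs on the thread kept free for MEDIUM
    pool.submit("low", "IKE_AUTH 5 waiting for RADIUS")
    starved = pool.next_job()   # None: no idle thread, LOW has to wait
    pool.finish("high")
    after_dpd = pool.next_job() # still None: the freed thread is reserved for HIGH
    return {"low_started": low_started, "high": high, "medium": medium,
            "low_waits": starved is None, "after_dpd": after_dpd,
            "low_queued": len(pool.queue["low"])}


if __name__ == "__main__":
    print(run_scenario())
```

Without the two reservations the same pool would let all four threads block in IKE_AUTH and the DPD exchange would wait behind RADIUS, which is exactly the liveness-check starvation the section opens with.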
1427 | .SS Monitoring | |
1428 | To see what the threads are actually doing, invoke | |
1429 | .IR "ipsec statusall" . | |
1430 | Under high load, something like this will show up: | |
1431 | .PP | |
1432 | .EX | |
1433 | worker threads: 2 or 32 idle, 5/1/2/22 working, | |
1434 | job queue: 0/0/1/149, scheduled: 198 | |
1435 | .EE | |
1436 | .PP | |
1437 | From 32 worker threads, | |
1438 | .IP 2 | |
1439 | are currently idle. | |
1440 | .IP 5 | |
1441 | are running CRITICAL priority jobs (dispatching from sockets, etc.). | |
1442 | .IP 1 | |
1443 | is currently handling a HIGH priority job. This is actually the thread currently | |
1444 | providing this information via stroke. | |
1445 | .IP 2 | |
1446 | are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA | |
1447 | messages. | |
1448 | .IP 22 | |
1449 | are handling LOW priority jobs, probably waiting for an EAP-RADIUS response | |
1450 | while processing IKE_AUTH messages. | |
1451 | .PP | |
1452 | The job queue load shows how many jobs are queued for each priority, ready for | |
1453 | execution. The single MEDIUM priority job will get executed immediately, as | |
1454 | we have two spare threads reserved for MEDIUM class jobs. | |
1455 | ||
1456 | .SH IKE_SA_INIT DROPPING | |
1457 | If a responder receives more connection requests per seconds than it can handle, | |
1458 | it does not make sense to accept more IKE_SA_INIT messages. And if they are | |
1459 | queued but can't get processed in time, an answer might be sent after the | |
1460 | client has already given up and restarted its connection setup. This | |
1461 | additionally increases the load on the responder. | |
1462 | .PP | |
1463 | To limit the responder load resulting from new connection attempts, the daemon | |
1464 | can drop IKE_SA_INIT messages just after reception. There are two mechanisms to | |
1465 | decide if this should happen, configured with the following options: | |
1466 | .TP | |
1467 | .BR charon.init_limit_half_open " [0]" | |
1468 | Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in | |
1469 | connecting state, but not yet established. | |
1470 | .TP | |
1471 | .BR charon.init_limit_job_load " [0]" | |
1472 | Limit based on the number of jobs currently queued for processing (sum over all | |
1473 | job priorities). | |
1474 | .PP | |
1475 | The second limit includes load from other jobs, such as rekeying. Choosing a | |
1476 | good value is difficult and depends on the hardware and expected load. | |
1477 | .PP | |
1478 | The first limit is simpler to calculate, but includes the load from new | |
1479 | connections only. If your responder is capable of negotiating 100 tunnels/s, you | |
1480 | might set this limit to 1000. The daemon will then drop new connection attempts | |
1481 | if generating a response would require more than 10 seconds. If you are | |
1482 | allowing for a maximum response time of more than 30 seconds, consider adjusting | |
1483 | the timeout for connecting IKE_SAs | |
1484 | .RB ( charon.half_open_timeout ). | |
1485 | A responder, by default, deletes an IKE_SA if the initiator does not establish | |
1486 | it within 30 seconds. Under high load, a higher value might be required. | |
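The interaction between charon.init_limit_half_open and charon.half_open_timeout described above, as an added simulation that is not part of the man page or of strongSwan: arrival rates and the 100 tunnels/s capacity are constructed figures, and the model rounds everything to whole seconds.

```python
from collections import deque

def simulate_responder(arrivals_per_second, capacity_per_second,
                       init_limit_half_open, half_open_timeout=30,
                       seconds=60):
    """Second-by-second model of a responder under sustained IKE_SA_INIT load.

    Each second arrivals_per_second IKE_SA_INITs come in and the responder
    finishes at most capacity_per_second negotiations, oldest first. Once
    init_limit_half_open half-open IKE_SAs exist (0 = unlimited), further
    INITs are dropped on reception. A half-open IKE_SA not completed within
    half_open_timeout seconds is deleted unanswered: the initiator has long
    retransmitted or restarted, so that work was wasted.
    """
    half_open = deque()  # arrival second of each half-open IKE_SA, oldest first
    accepted = dropped = expired = established = max_delay = 0
    for now in range(seconds):
        # charon.half_open_timeout: delete connecting IKE_SAs that are too old
        while half_open and now - half_open[0] >= half_open_timeout:
            half_open.popleft()
            expired += 1
        # charon.init_limit_half_open: drop INITs once the limit is reached
        for _ in range(arrivals_per_second):
            if init_limit_half_open and len(half_open) >= init_limit_half_open:
                dropped += 1
            else:
                half_open.append(now)
                accepted += 1
        # answer the oldest half-open IKE_SAs up to the negotiation capacity
        for _ in range(min(capacity_per_second, len(half_open))):
            max_delay = max(max_delay, now - half_open.popleft())
            established += 1
    return {"accepted": accepted, "dropped": dropped, "expired": expired,
            "established": established, "max_delay": max_delay}

if __name__ == "__main__":
    # 100 tunnels/s with the limit of 1000 from the text: answers take at
    # most about 10 s and no half-open IKE_SA ever reaches the 30 s timeout
    print(simulate_responder(200, 100, 1000))
    # the same responder without a limit under a heavier flood: the backlog
    # grows until half-open IKE_SAs expire unanswered after 30 s
    print(simulate_responder(500, 100, 0))
```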
1487 | ||
3f71c5d9 TB |
1488 | .SH LOAD TESTS |
1489 | To do stability testing and performance optimizations, the IKEv2 daemon charon | |
629cdca8 | 1490 | provides the load-tester plugin. This plugin allows one to set up thousands of |
3f71c5d9 TB |
1491 | tunnels concurrently against the daemon itself or a remote host. |
1492 | .PP | |
1493 | .B WARNING: | |
1494 | Never enable the load-testing plugin on production systems. It provides | |
1495 | preconfigured credentials and allows an attacker to authenticate as any user. | |
1496 | .SS Options | |
1497 | .TP | |
c186b394 TB |
1498 | .BR charon.plugins.load-tester.addrs |
1499 | Subsection that contains key/value pairs with address pools (in CIDR notation) | |
1500 | to use for a specific network interface, e.g. eth0 = 10.10.0.0/16 | |
1501 | .TP | |
96ad2b17 TB |
1502 | .BR charon.plugins.load-tester.addrs_keep " [no]" |
1503 | Whether to keep dynamic addresses even after the associated SA has been terminated | |
1504 | .TP | |
c186b394 TB |
1505 | .BR charon.plugins.load-tester.addrs_prefix " [16]" |
1506 | Network prefix length to use when installing dynamic addresses. If set to -1 the | |
1507 | full address is used (i.e. 32 or 128) | |
1508 | .TP | |
1509 | .BR charon.plugins.load-tester.ca_dir | |
1510 | Directory to load (intermediate) CA certificates from | |
1511 | .TP | |
3f71c5d9 TB |
1512 | .BR charon.plugins.load-tester.child_rekey " [600]" |
1513 | Seconds to start CHILD_SA rekeying after setup | |
1514 | .TP | |
1515 | .BR charon.plugins.load-tester.delay " [0]" | |
1516 | Delay between initiations for each thread, in milliseconds | |
1517 | .TP | |
1518 | .BR charon.plugins.load-tester.delete_after_established " [no]" | |
1519 | Delete an IKE_SA as soon as it has been established | |
1520 | .TP | |
c186b394 TB |
1521 | .BR charon.plugins.load-tester.digest " [sha1]" |
1522 | Digest algorithm used when issuing certificates | |
1523 | .TP | |
35572811 TB |
1524 | .BR charon.plugins.load-tester.dpd_delay " [0]" |
1525 | DPD delay to use in load test | |
1526 | .TP | |
41f525be TB |
1527 | .BR charon.plugins.load-tester.dynamic_port " [0]" |
1528 | Base port to be used for requests (each client uses a different port) | |
1529 | .TP | |
35572811 TB |
1530 | .BR charon.plugins.load-tester.eap_password " [default-pwd]" |
1531 | EAP secret to use in load test | |
1532 | .TP | |
3f71c5d9 TB |
1533 | .BR charon.plugins.load-tester.enable " [no]" |
1534 | Enable the load testing plugin | |
1535 | .TP | |
96ad2b17 TB |
1536 | .BR charon.plugins.load-tester.esp " [aes128-sha1]" |
1537 | CHILD_SA proposal to use for load tests | |
1538 | .TP | |
3f71c5d9 TB |
1539 | .BR charon.plugins.load-tester.fake_kernel " [no]" |
1540 | Fake the kernel interface to allow load-testing against self | |
1541 | .TP | |
1542 | .BR charon.plugins.load-tester.ike_rekey " [0]" | |
1543 | Seconds to start IKE_SA rekeying after setup | |
1544 | .TP | |
35572811 TB |
1545 | .BR charon.plugins.load-tester.init_limit " [0]" |
1546 | Global limit of concurrently established SAs during load test | |
1547 | .TP | |
c186b394 TB |
1548 | .BR charon.plugins.load-tester.initiator " [0.0.0.0]" |
1549 | Address to initiate from | |
1550 | .TP | |
3f71c5d9 TB |
1551 | .BR charon.plugins.load-tester.initiators " [0]" |
1552 | Number of concurrent initiator threads to use in load test | |
1553 | .TP | |
1554 | .BR charon.plugins.load-tester.initiator_auth " [pubkey]" | |
1555 | Authentication method(s) the initiator uses | |
1556 | .TP | |
35572811 TB |
1557 | .BR charon.plugins.load-tester.initiator_id |
1558 | Initiator ID used in load test | |
1559 | .TP | |
c186b394 | 1560 | .BR charon.plugins.load-tester.initiator_match |
9d9410e7 | 1561 | Initiator ID to match against as responder |
c186b394 TB |
1562 | .TP |
1563 | .BR charon.plugins.load-tester.initiator_tsi | |
1564 | Traffic selector on initiator side, as proposed by initiator | |
1565 | .TP | |
1566 | .BR charon.plugins.load-tester.initiator_tsr | |
1567 | Traffic selector on responder side, as proposed by initiator | |
1568 | .TP | |
3f71c5d9 | 1569 | .BR charon.plugins.load-tester.iterations " [1]" |
c186b394 TB |
1570 | Number of IKE_SAs to initiate by each initiator in load test |
1571 | .TP | |
1572 | .BR charon.plugins.load-tester.issuer_cert | |
1573 | Path to the issuer certificate (if not configured a hard-coded value is used) | |
1574 | .TP | |
1575 | .BR charon.plugins.load-tester.issuer_key | |
1576 | Path to private key that is used to issue certificates (if not configured a | |
1577 | hard-coded value is used) | |
3f71c5d9 | 1578 | .TP |
bb49dfb0 TB |
1579 | .BR charon.plugins.load-tester.mode " [tunnel]" |
1580 | IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR. | |
1581 | .TP | |
3f71c5d9 TB |
1582 | .BR charon.plugins.load-tester.pool |
1583 | Provide INTERNAL_IPV4_ADDRs from a named pool | |
1584 | .TP | |
35572811 TB |
1585 | .BR charon.plugins.load-tester.preshared_key " [default-psk]" |
1586 | Preshared key to use in load test | |
1587 | .TP | |
41f525be | 1588 | .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" |
3f71c5d9 TB |
1589 | IKE proposal to use in load test |
1590 | .TP | |
c186b394 | 1591 | .BR charon.plugins.load-tester.responder " [127.0.0.1]" |
3f71c5d9 TB |
1592 | Address to initiate connections to |
1593 | .TP | |
1594 | .BR charon.plugins.load-tester.responder_auth " [pubkey]" | |
1595 | Authentication method(s) the responder uses | |
1596 | .TP | |
35572811 TB |
1597 | .BR charon.plugins.load-tester.responder_id |
1598 | Responder ID used in load test | |
1599 | .TP | |
c186b394 TB |
1600 | .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" |
1601 | Traffic selector on initiator side, as narrowed by responder | |
1602 | .TP | |
1603 | .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" | |
1604 | Traffic selector on responder side, as narrowed by responder | |
1605 | .TP | |
3f71c5d9 TB |
1606 | .BR charon.plugins.load-tester.request_virtual_ip " [no]" |
1607 | Request an INTERNAL_IPV4_ADDR from the server | |
1608 | .TP | |
1609 | .BR charon.plugins.load-tester.shutdown_when_complete " [no]" | |
41f525be | 1610 | Shut down the daemon after all IKE_SAs have been established |
c186b394 | 1611 | .TP |
b07aee49 | 1612 | .BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]" |
2ed8b36a TB |
1613 | Socket provided by the load-tester plugin |
1614 | .TP | |
c186b394 TB |
1615 | .BR charon.plugins.load-tester.version " [0]" |
1616 | IKE version to use (0 means use IKEv2 as initiator and accept any version as | |
1617 | responder) | |
2ed8b36a | 1618 | .PP |
3f71c5d9 TB |
1619 | .SS Configuration details |
1620 | For public key authentication, the responder uses the | |
1621 | .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq | |
1622 | identity. For the initiator, each connection attempt uses a different identity | |
1623 | in the form | |
1624 | .BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , | |
1625 | where the first number indicates the client number, the second the | |
1626 | authentication round (if multiple authentication is used). | |
1627 | .PP | |
1628 | For PSK authentication, FQDN identities are used. The server uses | |
1629 | .BR srv.strongswan.org , | |
1630 | the client uses an identity in the form | |
1631 | .BR c1-r1.strongswan.org . | |
1632 | .PP | |
1633 | For EAP authentication, the client uses a NAI in the form | |
1634 | .BR 100000000010001@strongswan.org . | |
1635 | .PP | |
1636 | To configure multiple authentication, concatenate multiple methods using \fB|\fP, e.g. | |
1637 | .EX | |
1638 | initiator_auth = pubkey|psk|eap-md5|eap-aka | |
1639 | .EE | |
1640 | .PP | |
1641 | The responder uses a hardcoded certificate based on a 1024-bit RSA key. | |
1642 | This certificate additionally serves as CA certificate. A peer uses the same | |
1643 | private key, but generates client certificates on demand signed by the CA | |
1644 | certificate. Install the Responder/CA certificate on the remote host to | |
1645 | authenticate all clients. | |
1646 | .PP | |
1647 | To speed up testing, the load tester plugin implements a special Diffie-Hellman | |
1648 | implementation called modpnull. By setting | |
1649 | .EX | |
1650 | proposal = aes128-sha1-modpnull | |
1651 | .EE | |
1652 | this wicked fast DH implementation is used. It does not provide any security | |
629cdca8 | 1653 | at all, but allows one to run tests without DH calculation overhead. |
3f71c5d9 TB |
1654 | .SS Examples |
1655 | .PP | |
1656 | In the simplest case, the daemon initiates IKE_SAs against itself using the | |
1657 | loopback interface. This will actually establish double the number of IKE_SAs, | |
1658 | as the daemon is initiator and responder for each IKE_SA at the same time. | |
1659 | Installation of IPsec SAs would fail, as each SA gets installed twice. To | |
1660 | simulate the correct behavior, a fake kernel interface can be enabled which does | |
1661 | not install the IPsec SAs at the kernel level. | |
1662 | .PP | |
1663 | A simple loopback configuration might look like this: | |
1664 | .PP | |
1665 | .EX | |
1666 | charon { | |
1667 | # create new IKE_SAs for each CHILD_SA to simulate | |
1668 | # different clients | |
1669 | reuse_ikesa = no | |
1670 | # turn off denial of service protection | |
1671 | dos_protection = no | |
1672 | ||
1673 | plugins { | |
1674 | load-tester { | |
1675 | # enable the plugin | |
1676 | enable = yes | |
1677 | # use 4 threads to initiate connections | |
1678 | # simultaneously | |
1679 | initiators = 4 | |
1680 | # each thread initiates 1000 connections | |
1681 | iterations = 1000 | |
1682 | # delay each initiation in each thread by 20ms | |
1683 | delay = 20 | |
1684 | # enable the fake kernel interface to | |
1685 | # avoid SA conflicts | |
1686 | fake_kernel = yes | |
1687 | } | |
1688 | } | |
1689 | } | |
1690 | .EE | |
1691 | .PP | |
1692 | This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay | |
1693 | value if your box can not handle that much load, or decrease it to put more | |
1694 | load on it. If the daemon starts retransmitting messages your box probably can | |
1695 | not handle all connection attempts. | |
1696 | .PP | |
629cdca8 TB |
1697 | The plugin also allows one to test against a remote host. This might help to |
1698 | test against a real world configuration. A connection setup to do stress | |
1699 | testing of a gateway might look like this: | |
3f71c5d9 TB |
1700 | .PP |
1701 | .EX | |
1702 | charon { | |
1703 | reuse_ikesa = no | |
1704 | threads = 32 | |
1705 | ||
1706 | plugins { | |
1707 | load-tester { | |
1708 | enable = yes | |
1709 | # 10000 connections, ten in parallel | |
1710 | initiators = 10 | |
1711 | iterations = 1000 | |
1712 | # use a delay of 100ms, overall time is: | |
1713 | # iterations * delay = 100s | |
1714 | delay = 100 | |
1715 | # address of the gateway | |
1716 | responder = 1.2.3.4 | |
1717 | # IKE-proposal to use | |
1718 | proposal = aes128-sha1-modp1024 | |
1719 | # use faster PSK authentication instead | |
1720 | # of 1024-bit RSA | |
1721 | initiator_auth = psk | |
1722 | responder_auth = psk | |
1723 | # request a virtual IP using configuration | |
1724 | # payloads | |
1725 | request_virtual_ip = yes | |
1727 | # rekey the CHILD_SA every 60s | |
1727 | child_rekey = 60 | |
1728 | } | |
1729 | } | |
1730 | } | |
1731 | .EE | |
1732 | ||
fa8c0690 TB |
1733 | .SH IKEv2 RETRANSMISSION |
1734 | Retransmission timeouts in the IKEv2 daemon charon can be configured globally | |
1735 | using the three keys listed below: | |
1736 | .PP | |
1737 | .RS | |
1738 | .nf | |
1739 | .BR charon.retransmit_base " [1.8]" | |
1740 | .BR charon.retransmit_timeout " [4.0]" | |
1741 | .BR charon.retransmit_tries " [5]" | |
1742 | .fi | |
1743 | .RE | |
1744 | .PP | |
1745 | The following algorithm is used to calculate the timeout: | |
1746 | .PP | |
1747 | .EX | |
1748 | relative timeout = retransmit_timeout * retransmit_base ^ (n-1) | |
1749 | .EE | |
1750 | .PP | |
1751 | Where | |
1752 | .I n | |
1753 | is the current retransmission count. | |
1754 | .PP | |
1755 | Using the default values, packets are retransmitted in: | |
1756 | ||
1757 | .TS | |
1758 | l r r | |
1759 | --- | |
1760 | lB r r. | |
1761 | Retransmission Relative Timeout Absolute Timeout | |
1762 | 1 4s 4s | |
1763 | 2 7s 11s | |
1764 | 3 13s 24s | |
1765 | 4 23s 47s | |
1766 | 5 42s 89s | |
1767 | giving up 76s 165s | |
1768 | .TE | |
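The timeout formula and table above carried out in code, as an added example that is not part of the man page or of strongSwan: it reproduces the default table and lets you check the give-up time for other values before changing them, since a shorter schedule declares a peer dead sooner but gives up too early on lossy links, while a longer one delays dead-peer detection. The alternative values at the end are constructed.

```python
def relative_timeout(n, retransmit_timeout=4.0, retransmit_base=1.8):
    """Seconds charon waits before retransmission number n (n starts at 1):
    retransmit_timeout * retransmit_base ^ (n - 1)."""
    if n < 1:
        raise ValueError("retransmission count starts at 1")
    return retransmit_timeout * retransmit_base ** (n - 1)

def retransmission_schedule(retransmit_timeout=4.0, retransmit_base=1.8,
                            retransmit_tries=5):
    """Rows of (retransmission, relative timeout, absolute timeout) in whole
    seconds, rounded like the table in the man page. After retransmit_tries
    retransmissions one more timeout elapses before the exchange is given up,
    which is the final "giving up" row."""
    rows, absolute = [], 0.0
    for n in range(1, retransmit_tries + 2):
        relative = relative_timeout(n, retransmit_timeout, retransmit_base)
        absolute += relative
        label = str(n) if n <= retransmit_tries else "giving up"
        rows.append((label, round(relative), round(absolute)))
    return rows

def time_to_give_up(retransmit_timeout=4.0, retransmit_base=1.8,
                    retransmit_tries=5):
    """Seconds from the first transmission until charon gives up on the
    exchange, i.e. the absolute timeout of the "giving up" row."""
    return retransmission_schedule(retransmit_timeout, retransmit_base,
                                   retransmit_tries)[-1][2]

if __name__ == "__main__":
    # with the defaults this prints the same six rows as the table above
    for label, relative, absolute in retransmission_schedule():
        print("%-10s %4ds %4ds" % (label, relative, absolute))
    # constructed alternative: a tighter schedule that gives up after 30 s
    print("give up after %ds" % time_to_give_up(retransmit_timeout=2.0,
                                                  retransmit_base=2.0,
                                                  retransmit_tries=3))
```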
1769 | ||
483c1feb | 1770 | .SH FILES |
483c1feb TB |
1771 | /etc/strongswan.conf |
1772 | ||
1773 | .SH SEE ALSO | |
4d62ad75 TB |
1774 | \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) |
1775 | ||
483c1feb | 1776 | .SH HISTORY |
320cecd2 TB |
1777 | Written for the |
1778 | .UR http://www.strongswan.org | |
1779 | strongSwan project | |
1780 | .UE | |
1781 | by Tobias Brunner, Andreas Steffen and Martin Willi. |