.TH STRONGSWAN.CONF 5 "2013-07-22" "@IPSEC_VERSION@" "strongSwan"
.SH NAME
strongswan.conf \- strongSwan configuration file
.SH DESCRIPTION
While the
.IR ipsec.conf (5)
configuration file is well suited to define IPsec-related configuration
parameters, it is not useful for other strongSwan applications to read options
from this file.
The file is hard to parse and only
.I ipsec starter
is capable of doing so. As the number of components of the strongSwan project
is continually growing, a more flexible configuration file was needed, one that
is easy to extend and can be used by all components. With strongSwan 4.2.1,
.IR strongswan.conf (5)
was introduced, which meets these requirements.

.SH SYNTAX
The format of the strongswan.conf file consists of hierarchical
.B sections
and a list of
.B key/value pairs
in each section. Each section has a name, followed by C-style curly brackets
defining the section body. Each section body contains a set of subsections
and key/value pairs:
.PP
.EX
settings := (section|keyvalue)*
section := name { settings }
keyvalue := key = value\\n
.EE
.PP
Values must be terminated by a newline.
.PP
Comments are possible using the \fB#\fP-character, but be careful: the parser
implementation is currently limited and does not like brackets in comments.
.PP
Section names and keys may contain any printable character except:
.PP
.EX
. { } # \\n \\t space
.EE
.PP
An example file in this format might look like this:
.PP
.EX
a = b
section-one {
    somevalue = asdf
    subsection {
        othervalue = xxx
    }
    # yei, a comment
    yetanother = zz
}
section-two {
    x = 12
}
.EE
.PP
Indentation is optional; you may use tabs or spaces.

.SH INCLUDING FILES
Using the
.B include
statement it is possible to include other files into strongswan.conf, e.g.
.PP
.EX
include /some/path/*.conf
.EE
.PP
If the file name is not an absolute path, it is considered to be relative
to the directory of the file containing the include statement. The file name
may include shell wildcards (see
.IR sh (1)).
Also, such inclusions can be nested.
.PP
Sections loaded from included files
.I extend
previously loaded sections; already existing values are
.IR replaced .
It is important to note that settings are added relative to the section the
include statement is in.
.PP
As an example, the following three files result in the same final
config as the one given above:
.PP
.EX
a = b
section-one {
    somevalue = before include
    include include.conf
}
include other.conf

include.conf:
# settings loaded from this file are added to section-one
# the following replaces the previous value
somevalue = asdf
subsection {
    othervalue = yyy
}
yetanother = zz

other.conf:
# this extends section-one and subsection
section-one {
    subsection {
        # this replaces the previous value
        othervalue = xxx
    }
}
section-two {
    x = 12
}
.EE

.SH READING VALUES
Values are accessed using a dot-separated section list and a key.
With reference to the example above, accessing
.B section-one.subsection.othervalue
will return
.BR xxx .

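The section, include and lookup rules of the three sections above, worked as an added example (illustrative Python, not strongSwan's own C parser): the three constructed in-memory files reproduce the include example, and `section-one.subsection.othervalue` resolves to xxx exactly as described. The file map, `FILES`, and the `/etc` paths are assumptions of this example.

```python
"""Parser for the strongswan.conf format described above (added example, not
strongSwan's own C parser): sections, key = value lines, comments, includes."""
import fnmatch
import posixpath
import re

# Section names and keys may not contain: . { } # newline tab space
_NAME_RE = re.compile(r'^[^.{}#\s]+$')


def _strip_comment(line):
    # Drop everything from '#' on; brackets inside a comment are harmless here.
    idx = line.find('#')
    return line if idx < 0 else line[:idx]


def _resolve_includes(pattern, including_file, files):
    # Relative names are relative to the including file's directory; wildcards
    # match within that directory only, like a shell, and never cross a '/'.
    if not pattern.startswith('/'):
        pattern = posixpath.join(posixpath.dirname(including_file), pattern)
    directory, base = posixpath.split(pattern)
    return sorted(name for name in files
                  if posixpath.dirname(name) == directory
                  and fnmatch.fnmatchcase(posixpath.basename(name), base))


def parse_into(section, text, path, files):
    """Parse `text` (content of file `path`) into dict `section`: existing sections
    are extended, existing values replaced, includes are relative to `section`."""
    stack = [section]
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        current = stack[-1]
        if line == '}':
            if len(stack) == 1:
                raise ValueError(f'{path}: unmatched closing bracket')
            stack.pop()
        elif line.startswith('include '):               # 'include' is a keyword
            for name in _resolve_includes(line[8:].strip(), path, files):
                parse_into(current, files[name], name, files)
        elif '=' in line and _NAME_RE.match(line.partition('=')[0].strip()):
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()        # replaces an existing value
        elif line.endswith('{') and _NAME_RE.match(line[:-1].strip()):
            name = line[:-1].strip()
            child = current.get(name)
            if not isinstance(child, dict):
                child = current[name] = {}               # reopening extends a section
            stack.append(child)
        else:
            raise ValueError(f'{path}: cannot parse {raw!r}')
    if len(stack) != 1:
        raise ValueError(f'{path}: {len(stack) - 1} unterminated section(s)')
    return section


def get(settings, dotted, default=None):
    # Dot-separated lookup; `default` for a missing key or when the path is a section.
    node = settings
    for part in dotted.split('.'):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node if isinstance(node, str) else default


def load(files, main='/etc/strongswan.conf'):
    # Parse `main` and everything it includes into a fresh settings tree.
    return parse_into({}, files[main], main, files)


# Constructed in-memory files reproducing the three-file include example above.
FILES = {
    '/etc/strongswan.conf': ('a = b\n'
                             'section-one {\n'
                             '    somevalue = before include\n'
                             '    include include.conf\n'
                             '}\n'
                             'include other.conf\n'),
    '/etc/include.conf': ('# added to section-one; replaces the previous value\n'
                          'somevalue = asdf\n'
                          'subsection {\n'
                          '    othervalue = yyy\n'
                          '}\n'
                          'yetanother = zz\n'),
    '/etc/other.conf': ('section-one {\n'
                        '    subsection {\n'
                        '        othervalue = xxx   # replaces the previous value\n'
                        '    }\n'
                        '}\n'
                        'section-two {\n'
                        '    x = 12\n'
                        '}\n'),
}

if __name__ == '__main__':
    cfg = load(FILES)
    print(get(cfg, 'section-one.subsection.othervalue'))   # xxx
```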
.SH DEFINED KEYS
The following keys are currently defined (using dot notation). The default
value (if any) is listed in brackets after the key.

.SS attest section
.TP
.BR attest.database
Path to database with file measurement information
.TP
.BR attest.load
Plugins to load in ipsec attest tool

.SS charon section
.TP
.BR Note :
Many of these options also apply to \fBcharon\-cmd\fR and other
\fBcharon\fR derivatives. Just use their respective name (e.g.
\fIcharon\-cmd\fR) instead of \fIcharon\fR.
.TP
.BR charon.block_threshold " [5]"
Maximum number of half-open IKE_SAs for a single peer IP
.TP
.BR charon.cisco_unity " [no]"
Send Cisco Unity vendor ID payload (IKEv1 only)
.TP
.BR charon.close_ike_on_child_failure " [no]"
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
.TP
.BR charon.cookie_threshold " [10]"
Number of half-open IKE_SAs that activate the cookie mechanism
.TP
.BR charon.dns1
.TQ
.BR charon.dns2
DNS servers assigned to peer via configuration payload (CP)
.TP
.BR charon.dos_protection " [yes]"
Enable Denial of Service protection using cookies and aggressiveness checks
.TP
.BR charon.filelog
Section to define file loggers, see LOGGER CONFIGURATION
.TP
.BR charon.flush_auth_cfg " [no]"
If enabled, objects used during authentication (certificates, identities etc.)
are released to free memory once an IKE_SA is established.
Enabling this might conflict with plugins that later need access to e.g. the
used certificates.
.TP
.BR charon.fragment_size " [512]"
Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1
fragmentation extension.
.TP
.BR charon.group
Name of the group the daemon changes to after startup
.TP
.BR charon.half_open_timeout " [30]"
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.TP
.BR charon.hash_and_url " [no]"
Enable hash and URL support
.TP
.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
If enabled, responders are allowed to use IKEv1 Aggressive Mode with pre-shared
keys, which is discouraged due to security concerns (offline attacks on the
openly transmitted hash of the PSK)
.TP
.BR charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups
.TP
.BR charon.ikesa_limit " [0]"
Maximum number of IKE_SAs that can be established at the same time before new
connection attempts are blocked
.TP
.BR charon.ikesa_table_segments " [1]"
Number of exclusively locked segments in the hash table
.TP
.BR charon.ikesa_table_size " [1]"
Size of the IKE_SA hash table
.TP
.BR charon.inactivity_close_ike " [no]"
Whether to close the IKE_SA if its only CHILD_SA was closed due to inactivity
.TP
.BR charon.init_limit_half_open " [0]"
Limit new connections based on the current number of half open IKE_SAs (see
IKE_SA_INIT DROPPING).
.TP
.BR charon.init_limit_job_load " [0]"
Limit new connections based on the number of jobs currently queued for
processing (see IKE_SA_INIT DROPPING).
.TP
.BR charon.initiator_only " [no]"
Causes the charon daemon to ignore IKE initiation requests.
.TP
.BR charon.install_routes " [yes]"
Install routes into a separate routing table for established IPsec tunnels
.TP
.BR charon.install_virtual_ip " [yes]"
Install virtual IP addresses
.TP
.BR charon.install_virtual_ip_on
The name of the interface on which virtual IP addresses should be installed.
If not specified, the addresses will be installed on the outbound interface.
.TP
.BR charon.interfaces_ignore
A comma-separated list of network interfaces that should be ignored. If
.B charon.interfaces_use
is specified, this option has no effect.
.TP
.BR charon.interfaces_use
A comma-separated list of network interfaces that should be used by charon.
All other interfaces are ignored.
.TP
.BR charon.keep_alive " [20s]"
NAT keep alive interval
.TP
.BR charon.load
Plugins to load in the IKEv2 daemon charon
.TP
.BR charon.max_packet " [10000]"
Maximum packet size accepted by charon
.TP
.BR charon.multiple_authentication " [yes]"
Enable multiple authentication exchanges (RFC 4739)
.TP
.BR charon.nbns1
.TQ
.BR charon.nbns2
WINS servers assigned to peer via configuration payload (CP)
.TP
.BR charon.port " [500]"
UDP port used locally. If set to 0, a random port will be allocated.
.TP
.BR charon.port_nat_t " [4500]"
UDP port used locally in case of NAT-T. If set to 0, a random port will be
allocated. Has to be different from
.BR charon.port ,
otherwise a random port will be allocated.
.TP
.BR charon.process_route " [yes]"
Process RTM_NEWROUTE and RTM_DELROUTE events
.TP
.BR charon.receive_delay " [0]"
Delay in ms for receiving packets, to simulate larger RTT
.TP
.BR charon.receive_delay_response " [yes]"
Delay response messages
.TP
.BR charon.receive_delay_request " [yes]"
Delay request messages
.TP
.BR charon.receive_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
.BR charon.replay_window " [32]"
Size of the AH/ESP replay window, in packets.
.TP
.BR charon.retransmit_base " [1.8]"
Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
.TP
.BR charon.retransmit_timeout " [4.0]"
Timeout in seconds before sending first retransmit
.TP
.BR charon.retransmit_tries " [5]"
Number of times to retransmit a packet before giving up
.TP
.BR charon.retry_initiate_interval " [0]"
Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution
failed), 0 to disable retries.
.TP
.BR charon.reuse_ikesa " [yes]"
Initiate CHILD_SA within existing IKE_SAs
.TP
.BR charon.routing_table
Numerical routing table to install routes to
.TP
.BR charon.routing_table_prio
Priority of the routing table
.TP
.BR charon.send_delay " [0]"
Delay in ms for sending packets, to simulate larger RTT
.TP
.BR charon.send_delay_response " [yes]"
Delay response messages
.TP
.BR charon.send_delay_request " [yes]"
Delay request messages
.TP
.BR charon.send_delay_type " [0]"
Specific IKEv2 message type to delay, 0 for any
.TP
.BR charon.send_vendor_id " [no]"
Send strongSwan vendor ID payload
.TP
.BR charon.syslog
Section to define syslog loggers, see LOGGER CONFIGURATION
.TP
.BR charon.threads " [16]"
Number of worker threads in charon. Several of these are reserved for long
running tasks in internal modules and plugins. Therefore, make sure you don't
set this value too low. The number of idle worker threads listed in
.I ipsec statusall
might be used as an indicator of the number of reserved threads.
.TP
.BR charon.user
Name of the user the daemon changes to after startup
330 | .SS charon.plugins subsection |
331 | .TP | |
162621ed | 332 | .BR charon.plugins.android_log.loglevel " [1]" |
41f525be TB |
333 | Loglevel for logging to Android specific logger |
334 | .TP | |
335 | .BR charon.plugins.attr | |
336 | Section to specify arbitrary attributes that are assigned to a peer via | |
337 | configuration payload (CP) | |
338 | .TP | |
629cdca8 TB |
339 | .BR charon.plugins.certexpire.csv.cron |
340 | Cron style string specifying CSV export times | |
341 | .TP | |
2ed8b36a TB |
342 | .BR charon.plugins.certexpire.csv.empty_string |
343 | String to use in empty intermediate CA fields | |
344 | .TP | |
345 | .BR charon.plugins.certexpire.csv.fixed_fields " [yes]" | |
346 | Use a fixed intermediate CA field count | |
347 | .TP | |
348 | .BR charon.plugins.certexpire.csv.force " [yes]" | |
349 | Force export of all trustchains we have a private key for | |
350 | .TP | |
351 | .BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" | |
352 | strftime(3) format string to export expiration dates as | |
353 | .TP | |
629cdca8 TB |
354 | .BR charon.plugins.certexpire.csv.local |
355 | strftime(3) format string for the CSV file name to export local certificates to | |
356 | .TP | |
357 | .BR charon.plugins.certexpire.csv.remote | |
358 | strftime(3) format string for the CSV file name to export remote certificates to | |
359 | .TP | |
360 | .BR charon.plugins.certexpire.csv.separator " [,]" | |
361 | CSV field separator | |
362 | .TP | |
629cdca8 TB |
363 | .BR charon.plugins.coupling.file |
364 | File to store coupling list to | |
365 | .TP | |
366 | .BR charon.plugins.coupling.hash " [sha1]" | |
367 | Hashing algorithm to fingerprint coupled certificates | |
368 | .TP | |
369 | .BR charon.plugins.coupling.max " [1]" | |
370 | Maximum number of coupling entries to create | |
371 | .TP | |
bc6ec4de TB |
372 | .BR charon.plugins.dhcp.force_server_address " [no]" |
373 | Always use the configured server address. This might be helpful if the DHCP | |
374 | server runs on the same host as strongSwan, and the DHCP daemon does not listen | |
375 | on the loopback interface. In that case the server cannot be reached via | |
376 | unicast (or even 255.255.255.255) as that would be routed via loopback. | |
377 | Setting this option to yes and configuring the local broadcast address (e.g. | |
378 | 192.168.0.255) as server address might work. | |
379 | .TP | |
320cecd2 TB |
380 | .BR charon.plugins.dhcp.identity_lease " [no]" |
381 | Derive user-defined MAC address from hash of IKEv2 identity | |
382 | .TP | |
383 | .BR charon.plugins.dhcp.server " [255.255.255.255]" | |
384 | DHCP server unicast or broadcast IP address | |
385 | .TP | |
e236ed1e | 386 | .BR charon.plugins.duplicheck.enable " [yes]" |
629cdca8 | 387 | Enable duplicheck plugin (if loaded) |
e236ed1e | 388 | .TP |
2ed8b36a TB |
389 | .BR charon.plugins.duplicheck.socket " [unix://${piddir}/charon.dck]" |
390 | Socket provided by the duplicheck plugin | |
391 | .TP | |
320cecd2 | 392 | .BR charon.plugins.eap-aka.request_identity " [yes]" |
41f525be | 393 | |
320cecd2 TB |
394 | .TP |
395 | .BR charon.plugins.eap-aka-3ggp2.seq_check | |
41f525be | 396 | |
5f6ef5d5 TB |
397 | .TP |
398 | .BR charon.plugins.eap-dynamic.preferred | |
399 | The preferred EAP method(s) to be used. If it is not given the first | |
400 | registered method will be used initially. If a comma separated list is given | |
401 | the methods are tried in the given order before trying the rest of the | |
402 | registered methods. | |
403 | .TP | |
404 | .BR charon.plugins.eap-dynamic.prefer_user " [no]" | |
405 | If enabled the EAP methods proposed in an EAP-Nak message sent by the peer are | |
406 | preferred over the methods registered locally. | |
320cecd2 | 407 | .TP |
9ede42e1 TB |
408 | .BR charon.plugins.eap-gtc.backend " [pam]" |
409 | XAuth backend to be used for credential verification | |
01b39fe9 AS |
410 | .TP |
411 | .BR charon.plugins.eap-peap.fragment_size " [1024]" | |
412 | Maximum size of an EAP-PEAP packet | |
413 | .TP | |
414 | .BR charon.plugins.eap-peap.max_message_count " [32]" | |
3bd452f8 | 415 | Maximum number of processed EAP-PEAP packets (0 = no limit) |
01b39fe9 | 416 | .TP |
2778b664 AS |
417 | .BR charon.plugins.eap-peap.include_length " [no]" |
418 | Include length in non-fragmented EAP-PEAP packets | |
419 | .TP | |
01b39fe9 AS |
420 | .BR charon.plugins.eap-peap.phase2_method " [mschapv2]" |
421 | Phase2 EAP client authentication method | |
422 | .TP | |
423 | .BR charon.plugins.eap-peap.phase2_piggyback " [no]" | |
424 | Phase2 EAP Identity request piggybacked by server onto TLS Finished message | |
425 | .TP | |
426 | .BR charon.plugins.eap-peap.phase2_tnc " [no]" | |
427 | Start phase2 EAP TNC protocol after successful client authentication | |
428 | .TP | |
429 | .BR charon.plugins.eap-peap.request_peer_auth " [no]" | |
430 | Request peer authentication based on a client certificate | |
503dee4d MW |
431 | .TP |
432 | .BR charon.plugins.eap-radius.accounting " [no]" | |
433 | Send RADIUS accounting information to RADIUS servers. | |
320cecd2 | 434 | .TP |
2ed8b36a TB |
435 | .BR charon.plugins.eap-radius.accounting_requires_vip " [no]" |
436 | If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP | |
437 | .TP | |
41f525be TB |
438 | .BR charon.plugins.eap-radius.class_group " [no]" |
439 | Use the | |
440 | .I class | |
441 | attribute sent in the RADIUS-Accept message as group membership information that | |
442 | is compared to the groups specified in the | |
443 | .B rightgroups | |
444 | option in | |
445 | .B ipsec.conf (5). | |
446 | .TP | |
96ad2b17 TB |
447 | .BR charon.plugins.eap-radius.close_all_on_timeout " [no]" |
448 | Closes all IKE_SAs if communication with the RADIUS server times out. If it is | |
449 | not set only the current IKE_SA is closed. | |
450 | .TP | |
629cdca8 TB |
451 | .BR charon.plugins.eap-radius.dae.enable " [no]" |
452 | Enables support for the Dynamic Authorization Extension (RFC 5176) | |
453 | .TP | |
454 | .BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" | |
455 | Address to listen for DAE messages from the RADIUS server | |
456 | .TP | |
457 | .BR charon.plugins.eap-radius.dae.port " [3799]" | |
458 | Port to listen for DAE requests | |
459 | .TP | |
460 | .BR charon.plugins.eap-radius.dae.secret | |
461 | Shared secret used to verify/sign DAE messages | |
462 | .TP | |
41f525be TB |
463 | .BR charon.plugins.eap-radius.eap_start " [no]" |
464 | Send EAP-Start instead of EAP-Identity to start RADIUS conversation | |
465 | .TP | |
f2b1aa49 AS |
466 | .BR charon.plugins.eap-radius.filter_id " [no]" |
467 | If the RADIUS | |
468 | .I tunnel_type | |
469 | attribute with value | |
470 | .B ESP | |
471 | is received, use the | |
94c0e834 | 472 | .I filter_id |
f2b1aa49 AS |
473 | attribute sent in the RADIUS-Accept message as group membership information that |
474 | is compared to the groups specified in the | |
475 | .B rightgroups | |
476 | option in | |
477 | .B ipsec.conf (5). | |
478 | .TP | |
629cdca8 TB |
479 | .BR charon.plugins.eap-radius.forward.ike_to_radius |
480 | RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by | |
481 | name or attribute number, a colon can be used to specify vendor-specific | |
482 | attributes, e.g. Reply-Message, or 11, or 36906:12). | |
483 | .TP | |
484 | .BR charon.plugins.eap-radius.forward.radius_to_ike | |
358104a4 TB |
485 | Same as |
486 | .B charon.plugins.eap-radius.forward.ike_to_radius | |
487 | but from RADIUS to | |
629cdca8 TB |
488 | IKEv2, a strongSwan specific private notify (40969) is used to transmit the |
489 | attributes. | |
490 | .TP | |
41f525be TB |
491 | .BR charon.plugins.eap-radius.id_prefix |
492 | Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the | |
493 | EAP method | |
494 | .TP | |
495 | .BR charon.plugins.eap-radius.nas_identifier " [strongSwan]" | |
496 | NAS-Identifier to include in RADIUS messages | |
497 | .TP | |
498 | .BR charon.plugins.eap-radius.port " [1812]" | |
499 | Port of RADIUS server (authentication) | |
500 | .TP | |
320cecd2 TB |
501 | .BR charon.plugins.eap-radius.secret |
502 | Shared secret between RADIUS and NAS | |
503 | .TP | |
504 | .BR charon.plugins.eap-radius.server | |
505 | IP/Hostname of RADIUS server | |
506 | .TP | |
41f525be TB |
507 | .BR charon.plugins.eap-radius.servers |
508 | Section to specify multiple RADIUS servers. The | |
509 | .BR nas_identifier , | |
510 | .BR secret , | |
511 | .B sockets | |
512 | and | |
513 | .B port | |
358104a4 TB |
514 | (or |
515 | .BR auth_port ) | |
41f525be TB |
516 | options can be specified for each server. A server's IP/Hostname can be |
517 | configured using the | |
518 | .B address | |
358104a4 TB |
519 | option. The |
520 | .BR acct_port " [1813]" | |
521 | option can be used to specify the port used for RADIUS accounting. | |
522 | For each RADIUS server a priority can be specified using the | |
41f525be TB |
523 | .BR preference " [0]" |
524 | option. | |
525 | .TP | |
526 | .BR charon.plugins.eap-radius.sockets " [1]" | |
320cecd2 TB |
527 | Number of sockets (ports) to use, increase for high load |
528 | .TP | |
41f525be TB |
529 | .BR charon.plugins.eap-sim.request_identity " [yes]" |
530 | ||
320cecd2 | 531 | .TP |
41f525be TB |
532 | .BR charon.plugins.eap-simaka-sql.database |
533 | ||
320cecd2 | 534 | .TP |
629cdca8 | 535 | .BR charon.plugins.eap-simaka-sql.remove_used " [no]" |
320cecd2 TB |
536 | |
537 | .TP | |
538 | .BR charon.plugins.eap-tls.fragment_size " [1024]" | |
539 | Maximum size of an EAP-TLS packet | |
540 | .TP | |
541 | .BR charon.plugins.eap-tls.max_message_count " [32]" | |
3bd452f8 | 542 | Maximum number of processed EAP-TLS packets (0 = no limit) |
320cecd2 | 543 | .TP |
2778b664 AS |
544 | .BR charon.plugins.eap-tls.include_length " [yes]" |
545 | Include length in non-fragmented EAP-TLS packets | |
546 | .TP | |
aff81d3b | 547 | .BR charon.plugins.eap-tnc.max_message_count " [10]" |
3bd452f8 | 548 | Maximum number of processed EAP-TNC packets (0 = no limit) |
41f525be | 549 | .TP |
c8aabefd AS |
550 | .BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" |
551 | IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic) | |
552 | .TP | |
320cecd2 TB |
553 | .BR charon.plugins.eap-ttls.fragment_size " [1024]" |
554 | Maximum size of an EAP-TTLS packet | |
555 | .TP | |
556 | .BR charon.plugins.eap-ttls.max_message_count " [32]" | |
3bd452f8 | 557 | Maximum number of processed EAP-TTLS packets (0 = no limit) |
320cecd2 | 558 | .TP |
2778b664 AS |
559 | .BR charon.plugins.eap-ttls.include_length " [yes]" |
560 | Include length in non-fragmented EAP-TTLS packets | |
561 | .TP | |
320cecd2 TB |
562 | .BR charon.plugins.eap-ttls.phase2_method " [md5]" |
563 | Phase2 EAP client authentication method | |
564 | .TP | |
565 | .BR charon.plugins.eap-ttls.phase2_piggyback " [no]" | |
566 | Phase2 EAP Identity request piggybacked by server onto TLS Finished message | |
567 | .TP | |
aff81d3b AS |
568 | .BR charon.plugins.eap-ttls.phase2_tnc " [no]" |
569 | Start phase2 EAP TNC protocol after successful client authentication | |
570 | .TP | |
320cecd2 TB |
571 | .BR charon.plugins.eap-ttls.request_peer_auth " [no]" |
572 | Request peer authentication based on a client certificate | |
573 | .TP | |
2ed8b36a TB |
574 | .BR charon.plugins.error-notify.socket " [unix://${piddir}/charon.enfy]" |
575 | Socket provided by the error-notify plugin | |
576 | .TP | |
96ad2b17 TB |
577 | .BR charon.plugins.ha.autobalance " [0]" |
578 | Interval in seconds to automatically balance handled segments between nodes. | |
579 | Set to 0 to disable. | |
580 | .TP | |
320cecd2 TB |
581 | .BR charon.plugins.ha.fifo_interface " [yes]" |
582 | ||
41f525be TB |
583 | .TP |
584 | .BR charon.plugins.ha.heartbeat_delay " [1000]" | |
585 | ||
586 | .TP | |
587 | .BR charon.plugins.ha.heartbeat_timeout " [2100]" | |
588 | ||
320cecd2 TB |
589 | .TP |
590 | .BR charon.plugins.ha.local | |
591 | ||
592 | .TP | |
593 | .BR charon.plugins.ha.monitor " [yes]" | |
594 | ||
41f525be TB |
595 | .TP |
596 | .BR charon.plugins.ha.pools | |
597 | ||
320cecd2 TB |
598 | .TP |
599 | .BR charon.plugins.ha.remote | |
94c0e834 | 600 | |
320cecd2 TB |
601 | .TP |
602 | .BR charon.plugins.ha.resync " [yes]" | |
603 | ||
604 | .TP | |
605 | .BR charon.plugins.ha.secret | |
606 | ||
607 | .TP | |
608 | .BR charon.plugins.ha.segment_count " [1]" | |
609 | ||
932717fb RG |
610 | .TP |
611 | .BR charon.plugins.ipseckey.enable " [no]" | |
3021139f | 612 | Enable the fetching of IPSECKEY RRs via DNS |
41f525be TB |
613 | .TP |
614 | .BR charon.plugins.led.activity_led | |
615 | ||
616 | .TP | |
617 | .BR charon.plugins.led.blink_time " [50]" | |
618 | ||
619 | .TP | |
620 | .BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" | |
621 | Number of ipsecN devices | |
320cecd2 TB |
622 | .TP |
623 | .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" | |
624 | Set MTU of ipsecN device | |
625 | .TP | |
37873f99 TB |
626 | .BR charon.plugins.kernel-netlink.roam_events " [yes]" |
627 | Whether to trigger roam events when interfaces, addresses or routes change | |
628 | .TP | |
baa6419e TB |
629 | .BR charon.plugins.kernel-pfroute.vip_wait " [1000]" |
630 | Time in ms to wait until virtual IP addresses appear/disappear before failing. | |
631 | .TP | |
3f71c5d9 TB |
632 | .BR charon.plugins.load-tester |
633 | Section to configure the load-tester plugin, see LOAD TESTS | |
320cecd2 | 634 | .TP |
3021139f TB |
635 | .BR charon.plugins.lookip.socket " [unix://${piddir}/charon.lkp]" |
636 | Socket provided by the lookip plugin | |
637 | .TP | |
13de38e3 TB |
638 | .BR charon.plugins.radattr.dir |
639 | Directory where RADIUS attributes are stored in client-ID specific files. | |
640 | .TP | |
641 | .BR charon.plugins.radattr.message_id " [-1]" | |
642 | Attributes are added to all IKE_AUTH messages by default (-1), or only to the | |
643 | IKE_AUTH message with the given IKEv2 message ID. | |
644 | .TP | |
320cecd2 TB |
645 | .BR charon.plugins.resolve.file " [/etc/resolv.conf]" |
646 | File where to add DNS server entries | |
647 | .TP | |
ed2cab08 TB |
648 | .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" |
649 | Prefix used for interface names sent to resolvconf(8). The nameserver address | |
650 | is appended to this prefix to make it unique. The result has to be a valid | |
651 | interface name according to the rules defined by resolvconf. Also, it should | |
652 | have a high priority according to the order defined in interface-order(5). | |
653 | .TP | |
6fbf4472 TB |
654 | .BR charon.plugins.socket-default.set_source " [yes]" |
655 | Set source address on outbound packets, if possible. | |
656 | .TP | |
598bec78 TB |
657 | .BR charon.plugins.socket-default.use_ipv4 " [yes]" |
658 | Listen on IPv4, if possible. | |
659 | .TP | |
660 | .BR charon.plugins.socket-default.use_ipv6 " [yes]" | |
661 | Listen on IPv6, if possible. | |
662 | .TP | |
320cecd2 TB |
663 | .BR charon.plugins.sql.database |
664 | Database URI for charons SQL plugin | |
665 | .TP | |
666 | .BR charon.plugins.sql.loglevel " [-1]" | |
667 | Loglevel for logging to SQL database | |
68de7267 | 668 | .TP |
9ec66bc1 TB |
669 | .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" |
670 | Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA | |
671 | certificates even if they don't contain a CA basic constraint. | |
672 | .TP | |
7c0c2349 TB |
673 | .BR charon.plugins.stroke.max_concurrent " [4]" |
674 | Maximum number of stroke messages handled concurrently | |
675 | .TP | |
2ed8b36a TB |
676 | .BR charon.plugins.stroke.socket " [unix://${piddir}/charon.ctl]" |
677 | Socket provided by the stroke plugin | |
678 | .TP | |
96ad2b17 TB |
679 | .BR charon.plugins.stroke.timeout " [0]" |
680 | Timeout in ms for any stroke command. Use 0 to disable the timeout | |
681 | .TP | |
682 | .BR charon.plugins.systime-fix.interval " [0]" | |
683 | Interval in seconds to check system time for validity. 0 disables the check | |
684 | .TP | |
685 | .BR charon.plugins.systime-fix.reauth " [no]" | |
686 | Whether to use reauth or delete if an invalid cert lifetime is detected | |
687 | .TP | |
688 | .BR charon.plugins.systime-fix.threshold | |
689 | Threshold date where system time is considered valid. Disabled if not specified | |
690 | .TP | |
691 | .BR charon.plugins.systime-fix.threshold_format " [%Y]" | |
692 | strptime(3) format used to parse threshold option | |
693 | .TP | |
0cf4dc53 AS |
694 | .BR charon.plugins.tnc-ifmap.client_cert |
695 | Path to X.509 certificate file of IF-MAP client | |
535798cf | 696 | .TP |
0cf4dc53 AS |
697 | .BR charon.plugins.tnc-ifmap.client_key |
698 | Path to private key file of IF-MAP client | |
535798cf | 699 | .TP |
0cf4dc53 AS |
700 | .BR charon.plugins.tnc-ifmap.device_name |
701 | Unique name of strongSwan server as a PEP and/or PDP device | |
535798cf | 702 | .TP |
1044710b AS |
703 | .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" |
704 | Interval in seconds between periodic IF-MAP RenewSession requests | |
705 | .TP | |
706 | .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" | |
96ad2b17 TB |
707 | URI of the form [https://]servername[:port][/path] |
708 | .TP | |
709 | .BR charon.plugins.tnc-ifmap.server_cert | |
710 | Path to X.509 certificate file of IF-MAP server | |
711 | .TP | |
712 | .BR charon.plugins.tnc-ifmap.username_password | |
713 | Credentials of IF-MAP client of the form username:password | |
714 | .TP | |
f5b5d262 AS |
715 | .BR charon.plugins.tnc-pdp.pt_tls.port " [271]" |
716 | PT-TLS server port the strongSwan PDP is listening on | |
717 | .TP | |
718 | .BR charon.plugins.tnc-pdp.radius.method " [ttls]" | |
f673958e AS |
719 | EAP tunnel method to be used |
720 | .TP | |
f5b5d262 | 721 | .BR charon.plugins.tnc-pdp.radius.port " [1812]" |
f673958e AS |
722 | RADIUS server port the strongSwan PDP is listening on |
723 | .TP | |
f5b5d262 | 724 | .BR charon.plugins.tnc-pdp.radius.secret |
f673958e AS |
725 | Shared RADIUS secret between strongSwan PDP and NAS |
726 | .TP | |
727 | .BR charon.plugins.tnc-pdp.server | |
629cdca8 TB |
728 | Name of the strongSwan PDP as contained in the AAA certificate |
729 | .TP | |
96ad2b17 TB |
730 | .BR charon.plugins.tnc-pdp.timeout |
731 | Timeout in seconds before closing incomplete connections | |
732 | .TP | |
629cdca8 TB |
733 | .BR charon.plugins.updown.dns_handler " [no]" |
734 | Whether the updown script should handle DNS servers assigned via IKEv1 Mode | |
735 | Config or IKEv2 Config Payloads (if enabled they can't be handled by other | |
736 | plugins, like resolve) | |
f673958e | 737 | .TP |
e236ed1e | 738 | .BR charon.plugins.whitelist.enable " [yes]" |
629cdca8 TB |
739 | Enable loaded whitelist plugin |
740 | .TP | |
2ed8b36a TB |
741 | .BR charon.plugins.whitelist.socket " [unix://${piddir}/charon.wlst]" |
742 | Socket provided by the whitelist plugin | |
743 | .TP | |
629cdca8 TB |
744 | .BR charon.plugins.xauth-eap.backend " [radius]" |
745 | EAP plugin to be used as backend for XAuth credential verification | |
9ede42e1 TB |
746 | .TP |
747 | .BR charon.plugins.xauth-pam.pam_service " [login]" | |
748 | PAM service to be used for authentication | |
320cecd2 TB |
749 | .SS libstrongswan section |
750 | .TP | |
629cdca8 TB |
751 | .BR libstrongswan.cert_cache " [yes]" |
752 | Whether relations in validated certificate chains should be cached in memory | |
753 | .TP | |
41f525be TB |
754 | .BR libstrongswan.crypto_test.bench " [no]" |
755 | ||
756 | .TP | |
757 | .BR libstrongswan.crypto_test.bench_size " [1024]" | |
758 | ||
759 | .TP | |
760 | .BR libstrongswan.crypto_test.bench_time " [50]" | |
761 | ||
320cecd2 TB |
762 | .TP |
763 | .BR libstrongswan.crypto_test.on_add " [no]" | |
764 | Test crypto algorithms during registration | |
765 | .TP | |
766 | .BR libstrongswan.crypto_test.on_create " [no]" | |
767 | Test crypto algorithms on each crypto primitive instantiation | |
768 | .TP | |
769 | .BR libstrongswan.crypto_test.required " [no]" | |
770 | Strictly require at least one test vector to enable an algorithm | |
771 | .TP | |
772 | .BR libstrongswan.crypto_test.rng_true " [no]" | |
773 | Whether to test RNG with TRUE quality; requires a lot of entropy | |
774 | .TP | |
41f525be TB |
775 | .BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]" |
776 | Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic | |
777 | strength | |
778 | .TP | |
320cecd2 TB |
779 | .BR libstrongswan.ecp_x_coordinate_only " [yes]" |
780 | Compliance with the errata for RFC 4753 | |
781 | .TP | |
b4f6c39e TB |
782 | .BR libstrongswan.host_resolver.max_threads " [3]" |
783 | Maximum number of concurrent resolver threads (they are terminated if unused) | |
784 | .TP | |
785 | .BR libstrongswan.host_resolver.min_threads " [0]" | |
786 | Minimum number of resolver threads to keep around | |
787 | .TP | |
320cecd2 TB |
788 | .BR libstrongswan.integrity_test " [no]" |
789 | Check daemon, libstrongswan and plugin integrity at startup | |
41f525be TB |
790 | .TP |
791 | .BR libstrongswan.leak_detective.detailed " [yes]" | |
792 | Includes source file names and line numbers in leak detective output | |
c4fd3b2f | 793 | .TP |
629cdca8 TB |
794 | .BR libstrongswan.leak_detective.usage_threshold " [10240]" |
795 | Threshold in bytes for leaks to be reported (0 to report all) | |
796 | .TP | |
2ed8b36a TB |
797 | .BR libstrongswan.leak_detective.usage_threshold_count " [0]" |
798 | Threshold in number of allocations for leaks to be reported (0 to report all) | |
799 | .TP | |
4f3ca916 TB |
800 | .BR libstrongswan.processor.priority_threads |
801 | Subsection to configure the number of reserved threads per priority class | |
802 | see JOB PRIORITY MANAGEMENT | |
803 | .TP | |
c4fd3b2f AS |
804 | .BR libstrongswan.x509.enforce_critical " [yes]" |
805 | Discard certificates with unsupported or unknown critical extensions | |
320cecd2 TB |
806 | .SS libstrongswan.plugins subsection |
807 | .TP | |
808 | .BR libstrongswan.plugins.attr-sql.database | |
629cdca8 | 809 | Database URI for attr-sql plugin used by charon |
320cecd2 TB |
810 | .TP |
811 | .BR libstrongswan.plugins.attr-sql.lease_history " [yes]" | |
812 | Enable logging of SQL IP pool leases | |
813 | .TP | |
814 | .BR libstrongswan.plugins.gcrypt.quick_random " [no]" | |
815 | Use faster random numbers in gcrypt; for testing only, produces weak keys! | |
816 | .TP | |
817 | .BR libstrongswan.plugins.openssl.engine_id " [pkcs11]" | |
818 | ENGINE ID to use in the OpenSSL plugin | |
41f525be | 819 | .TP |
6b99da02 AS |
820 | .BR libstrongswan.plugins.openssl.fips_mode " [0]" |
821 | Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2) | |
822 | .TP | |
41f525be | 823 | .BR libstrongswan.plugins.pkcs11.modules |
c8eb2dea | 824 | List of available PKCS#11 modules |
41f525be | 825 | .TP |
c186b394 TB |
826 | .BR libstrongswan.plugins.pkcs11.load_certs " [yes]" |
827 | Whether to load certificates from tokens | |
828 | .TP | |
3c4d3834 TB |
829 | .BR libstrongswan.plugins.pkcs11.reload_certs " [no]" |
830 | Reload certificates from all tokens if charon receives a SIGHUP | |
831 | .TP | |
1a9e3e01 | 832 | .BR libstrongswan.plugins.pkcs11.use_dh " [no]" |
53e2fc69 | 833 | Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option) |
1a9e3e01 TB |
834 | .TP |
835 | .BR libstrongswan.plugins.pkcs11.use_ecc " [no]" | |
53e2fc69 TB |
836 | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key |
837 | operations. ECDSA private keys can be used regardless of this option | |
1a9e3e01 | 838 | .TP |
41f525be | 839 | .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" |
c8eb2dea | 840 | Whether the PKCS#11 modules should be used to hash data |
1a9e3e01 | 841 | .TP |
53e2fc69 TB |
842 | .BR libstrongswan.plugins.pkcs11.use_pubkey " [no]" |
843 | Whether the PKCS#11 modules should be used for public key operations, even for | |
844 | keys not stored on tokens | |
845 | .TP | |
1a9e3e01 TB |
846 | .BR libstrongswan.plugins.pkcs11.use_rng " [no]" |
847 | Whether the PKCS#11 modules should be used as RNG | |
c51af950 MW |
848 | .TP |
849 | .BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]" | |
850 | File to read random bytes from, instead of @DEV_RANDOM@ | |
851 | .TP | |
852 | .BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]" | |
853 | File to read pseudo random bytes from, instead of @DEV_URANDOM@ | |
f2145c8d AS |
854 | .TP |
855 | .BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]" | |
856 | File to read DNS resolver configuration from | |
857 | .TP | |
858 | .BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]" | |
859 | File to read DNSSEC trust anchors from (usually root zone KSK) | |
3021139f TB |
860 | .SS libtls section |
861 | .TP | |
862 | .BR libtls.cipher | |
863 | List of TLS encryption ciphers | |
864 | .TP | |
865 | .BR libtls.key_exchange | |
866 | List of TLS key exchange methods | |
867 | .TP | |
868 | .BR libtls.mac | |
869 | List of TLS MAC algorithms | |
870 | .TP | |
871 | .BR libtls.suites | |
872 | List of TLS cipher suites | |
f0a8bf47 AS |
873 | .SS libtnccs section |
874 | .TP | |
875 | .BR libtnccs.tnc_config " [/etc/tnc_config]" | |
876 | TNC IMC/IMV configuration directory | |
9d8c28e2 AS |
877 | .PP |
878 | .SS libtnccs plugins section | |
879 | .TP | |
12b3db50 | 880 | .BR libtnccs.plugins.tnccs-11.max_message_size " [45000]" |
9d8c28e2 AS |
881 | Maximum size of a PA-TNC message (XML & Base64 encoding) |
882 | .TP | |
12b3db50 | 883 | .BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]" |
9d8c28e2 AS |
884 | Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) |
885 | .TP | |
12b3db50 | 886 | .BR libtnccs.plugins.tnccs-20.max_message_size " [65490]" |
9d8c28e2 AS |
887 | Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) |
888 | .TP | |
12b3db50 | 889 | .BR libtnccs.plugins.tnc-imc.dlclose " [yes]" |
9d8c28e2 AS |
890 | Unload IMC after use |
891 | .TP | |
12b3db50 | 892 | .BR libtnccs.plugins.tnc-imc.preferred_language " [en]" |
9d8c28e2 | 893 | Preferred language for TNC recommendations |
12b3db50 AS |
894 | .TP |
895 | .BR libtnccs.plugins.tnc-imv.dlclose " [yes]" | |
896 | Unload IMV after use | |
c8eb2dea AS |
897 | .SS libimcv section |
898 | .TP | |
3b51f340 AS |
899 | .BR libimcv.assessment_result " [yes]" |
900 | Whether IMVs send a standard IETF Assessment Result attribute | |
901 | .TP | |
2ed8b36a TB |
902 | .BR libimcv.database |
903 | Global IMV policy database URI | |
904 | .TP | |
c8eb2dea AS |
905 | .BR libimcv.debug_level " [1]" |
906 | Debug level for a stand-alone libimcv library | |
907 | .TP | |
2ed8b36a TB |
908 | .BR libimcv.load " [random nonce gmp pubkey x509]" |
909 | Plugins to load in IMC/IMVs | |
910 | .TP | |
6ab15025 AS |
911 | .BR libimcv.os_info.name |
912 | Manually set the name of the client OS (e.g. Ubuntu) | |
913 | .TP | |
914 | .BR libimcv.os_info.version | |
915 | Manually set the version of the client OS (e.g. 12.04 i686) | |
2ed8b36a TB |
916 | .TP |
917 | .BR libimcv.policy_script " [ipsec _imv_policy]" | |
918 | Script called for each TNC connection to generate IMV policies | |
3021139f TB |
919 | .TP |
920 | .BR libimcv.stderr_quiet " [no]" | |
921 | Disable output to stderr with a stand-alone libimcv library | |
922 | .PP | |
6ab15025 | 923 | .SS libimcv plugins section |
c8eb2dea | 924 | .TP |
15b3dc5b AS |
925 | .BR libimcv.plugins.imc-attestation.aik_blob |
926 | AIK encrypted private key blob file | |
927 | .TP | |
f7a98122 AS |
928 | .BR libimcv.plugins.imc-attestation.aik_cert |
929 | AIK certificate file | |
c8eb2dea | 930 | .TP |
f7a98122 AS |
931 | .BR libimcv.plugins.imc-attestation.aik_key |
932 | AIK public key file | |
c8eb2dea | 933 | .TP |
e0175103 AS |
934 | .BR libimcv.plugins.imv-attestation.nonce_len " [20]" |
935 | DH nonce length | |
936 | .TP | |
937 | .BR libimcv.plugins.imv-attestation.use_quote2 " [yes]" | |
938 | Use Quote2 AIK signature instead of Quote signature | |
939 | .TP | |
f7a98122 AS |
940 | .BR libimcv.plugins.imv-attestation.cadir |
941 | Path to directory with AIK cacerts | |
e65a5053 | 942 | .TP |
e0175103 AS |
943 | .BR libimcv.plugins.imv-attestation.dh_group " [ecp256]" |
944 | Preferred Diffie-Hellman group | |
945 | .TP | |
946 | .BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]" | |
f7a98122 AS |
947 | Preferred measurement hash algorithm |
948 | .TP | |
e0175103 AS |
949 | .BR libimcv.plugins.imv-attestation.min_nonce_len " [0]" |
950 | DH minimum nonce length | |
951 | .TP | |
742722e2 AS |
952 | .BR libimcv.plugins.imv-attestation.remediation_uri |
953 | URI pointing to attestation remediation instructions | |
954 | .TP | |
955 | .BR libimcv.plugins.imc-os.push_info " [yes]" | |
ffd3556b AS |
956 | Send operating system info without being prompted |
957 | .TP | |
742722e2 AS |
958 | .BR libimcv.plugins.imv-os.remediation_uri |
959 | URI pointing to operating system remediation instructions | |
960 | .TP | |
961 | .BR libimcv.plugins.imc-scanner.push_info " [yes]" | |
ffd3556b AS |
962 | Send open listening ports without being prompted |
963 | .TP | |
742722e2 AS |
964 | .BR libimcv.plugins.imv-scanner.remediation_uri |
965 | URI pointing to scanner remediation instructions | |
966 | .TP | |
63179fd4 AS |
967 | .BR libimcv.plugins.imc-test.additional_ids " [0]" |
968 | Number of additional IMC IDs | |
969 | .TP | |
f7a98122 AS |
970 | .BR libimcv.plugins.imc-test.command " [none]" |
971 | Command to be sent to the Test IMV | |
972 | .TP | |
87efdef3 AS |
973 | .BR libimcv.plugins.imc-test.dummy_size " [0]" |
974 | Size of dummy attribute to be sent to the Test IMV (0 = disabled) | |
975 | .TP | |
3021139f TB |
976 | .BR libimcv.plugins.imv-test.remediation_uri |
977 | URI pointing to test remediation instructions | |
978 | .TP | |
f7a98122 AS |
979 | .BR libimcv.plugins.imc-test.retry " [no]" |
980 | Do a handshake retry | |
981 | .TP | |
982 | .BR libimcv.plugins.imc-test.retry_command | |
983 | Command to be sent to the Test IMV in the handshake retry | |
984 | .TP | |
985 | .BR libimcv.plugins.imv-test.rounds " [0]" | |
986 | Number of IMC-IMV retry rounds | |
320cecd2 TB |
987 | .SS manager section |
988 | .TP | |
989 | .BR manager.database | |
990 | Credential database URI for manager | |
991 | .TP | |
992 | .BR manager.debug " [no]" | |
993 | Enable debugging in manager | |
994 | .TP | |
995 | .BR manager.load | |
996 | Plugins to load in manager | |
997 | .TP | |
998 | .BR manager.socket | |
999 | FastCGI socket of manager, to run it statically | |
1000 | .TP | |
1001 | .BR manager.threads " [10]" | |
1002 | Threads to use for request handling | |
1003 | .TP | |
1004 | .BR manager.timeout " [15m]" | |
1005 | Session timeout for manager | |
1006 | .SS mediation client section | |
1007 | .TP | |
1008 | .BR medcli.database | |
1009 | Mediation client database URI | |
1010 | .TP | |
1011 | .BR medcli.dpd " [5m]" | |
1012 | DPD timeout to use in mediation client plugin | |
1013 | .TP | |
1014 | .BR medcli.rekey " [20m]" | |
1015 | Rekeying time on mediation connections in mediation client plugin | |
1016 | .SS mediation server section | |
1017 | .TP | |
1018 | .BR medsrv.database | |
1019 | Mediation server database URI | |
1020 | .TP | |
1021 | .BR medsrv.debug " [no]" | |
1022 | Debugging in mediation server web application | |
1023 | .TP | |
1024 | .BR medsrv.dpd " [5m]" | |
1025 | DPD timeout to use in mediation server plugin | |
1026 | .TP | |
1027 | .BR medsrv.load | |
1028 | Plugins to load in mediation server plugin | |
1029 | .TP | |
1030 | .BR medsrv.password_length " [6]" | |
1031 | Minimum password length required for mediation server user accounts | |
1032 | .TP | |
1033 | .BR medsrv.rekey " [20m]" | |
1034 | Rekeying time on mediation connections in mediation server plugin | |
1035 | .TP | |
1036 | .BR medsrv.socket | |
1037 | Run Mediation server web application statically on socket | |
1038 | .TP | |
1039 | .BR medsrv.threads " [5]" | |
1040 | Number of threads for mediation service web application | |
1041 | .TP | |
1042 | .BR medsrv.timeout " [15m]" | |
1043 | Session timeout for mediation service | |
1044 | .SS openac section | |
1045 | .TP | |
1046 | .BR openac.load | |
1047 | Plugins to load in ipsec openac tool | |
c186b394 TB |
1048 | .SS pacman section |
1049 | .TP | |
1050 | .BR pacman.database | |
1051 | URI of the database that stores the package information | |
320cecd2 TB |
1052 | .SS pki section |
1053 | .TP | |
1054 | .BR pki.load | |
1055 | Plugins to load in ipsec pki tool | |
320cecd2 TB |
1056 | .SS pool section |
1057 | .TP | |
1058 | .BR pool.load | |
1059 | Plugins to load in ipsec pool tool | |
1060 | .SS scepclient section | |
1061 | .TP | |
1062 | .BR scepclient.load | |
1063 | Plugins to load in ipsec scepclient tool | |
1064 | .SS starter section | |
1065 | .TP | |
848a36fe TB |
1066 | .BR starter.load |
1067 | Plugins to load in starter | |
1068 | .TP | |
320cecd2 | 1069 | .BR starter.load_warning " [yes]" |
629cdca8 | 1070 | Disable charon plugin load option warning |
320cecd2 | 1071 | |
b2bcc577 TB |
1072 | .SH LOGGER CONFIGURATION |
1073 | The options described below provide a much more flexible way to configure | |
1074 | loggers for the IKEv2 daemon charon than using the | |
1075 | .B charondebug | |
1076 | option in | |
1077 | .BR ipsec.conf (5). | |
1078 | .PP | |
1079 | .B Please note | |
1080 | that if any loggers are specified in strongswan.conf, | |
1081 | .B charondebug | |
1082 | does not have any effect. | |
1083 | .PP | |
1084 | There are currently two types of loggers defined: | |
1085 | .TP | |
1086 | .B File loggers | |
1087 | Log directly to a file and are defined by specifying the full path to the | |
1088 | file as subsection in the | |
1089 | .B charon.filelog | |
1090 | section. To log to the console the two special filenames | |
1091 | .BR stdout " and " stderr | |
1092 | can be used. | |
1093 | .TP | |
1094 | .B Syslog loggers | |
1095 | Log into a syslog facility and are defined by specifying the facility to log to | |
1096 | as the name of a subsection in the | |
1097 | .B charon.syslog | |
1098 | section. The following facilities are currently supported: | |
1099 | .BR daemon " and " auth . | |
1100 | .PP | |
1101 | Multiple loggers can be defined for each type with different log verbosity for | |
1102 | the different subsystems of the daemon. | |
1103 | .SS Options | |
1104 | .TP | |
1105 | .BR charon.filelog.<filename>.default " [1]" | |
1106 | .TQ | |
1107 | .BR charon.syslog.<facility>.default | |
1108 | Specifies the default loglevel to be used for subsystems for which no specific | |
1109 | loglevel is defined. | |
1110 | .TP | |
1111 | .BR charon.filelog.<filename>.<subsystem> " [<default>]" | |
1112 | .TQ | |
1113 | .BR charon.syslog.<facility>.<subsystem> | |
41f525be | 1114 | Specifies the loglevel for the given subsystem. |
b2bcc577 TB |
1115 | .TP |
1116 | .BR charon.filelog.<filename>.append " [yes]" | |
41f525be | 1117 | If this option is enabled log entries are appended to the existing file. |
b2bcc577 TB |
1118 | .TP |
1119 | .BR charon.filelog.<filename>.flush_line " [no]" | |
1120 | Enabling this option disables block buffering and enables line buffering. | |
1121 | .TP | |
1122 | .BR charon.filelog.<filename>.ike_name " [no]" | |
1123 | .TQ | |
1124 | .BR charon.syslog.<facility>.ike_name | |
1125 | Prefix each log entry with the connection name and a unique numerical | |
1126 | identifier for each IKE_SA. | |
1127 | .TP | |
1128 | .BR charon.filelog.<filename>.time_format | |
1129 | Prefix each log entry with a timestamp. The option accepts a format string as | |
1130 | passed to | |
1131 | .BR strftime (3). | |
5895c2e9 TB |
1132 | .TP |
1133 | .BR charon.syslog.identifier | |
1134 | Global identifier used for an | |
1135 | .BR openlog (3) | |
1136 | call, prepended to each log message by syslog. If not configured, | |
1137 | .BR openlog (3) | |
1138 | is not called, so the value will depend on system defaults (often the program | |
1139 | name). | |
b2bcc577 TB |
1140 | |
1141 | .SS Subsystems | |
1142 | .TP | |
1143 | .B dmn | |
1144 | Main daemon setup/cleanup/signal handling | |
1145 | .TP | |
1146 | .B mgr | |
1147 | IKE_SA manager, handling synchronization for IKE_SA access | |
1148 | .TP | |
1149 | .B ike | |
1150 | IKE_SA | |
1151 | .TP | |
1152 | .B chd | |
1153 | CHILD_SA | |
1154 | .TP | |
1155 | .B job | |
1156 | Jobs queueing/processing and thread pool management | |
1157 | .TP | |
1158 | .B cfg | |
1159 | Configuration management and plugins | |
1160 | .TP | |
1161 | .B knl | |
1162 | IPsec/Networking kernel interface | |
1163 | .TP | |
1164 | .B net | |
1165 | IKE network communication | |
1166 | .TP | |
54d096a7 TB |
1167 | .B asn |
1168 | Low-level encoding/decoding (ASN.1, X.509 etc.) | |
1169 | .TP | |
b2bcc577 TB |
1170 | .B enc |
1171 | Packet encoding/decoding encryption/decryption operations | |
1172 | .TP | |
1173 | .B tls | |
1174 | libtls library messages | |
1175 | .TP | |
56d07af3 TB |
1176 | .B esp |
1177 | libipsec library messages | |
1178 | .TP | |
b2bcc577 TB |
1179 | .B lib |
1180 | libstrongswan library messages | |
45945fa1 TB |
1181 | .TP |
1182 | .B tnc | |
1183 | Trusted Network Connect | |
1184 | .TP | |
1185 | .B imc | |
1186 | Integrity Measurement Collector | |
1187 | .TP | |
1188 | .B imv | |
1189 | Integrity Measurement Verifier | |
7213abcb TB |
1190 | .TP |
1191 | .B pts | |
1192 | Platform Trust Service | |
b2bcc577 TB |
1193 | .SS Loglevels |
1194 | .TP | |
1195 | .B -1 | |
1196 | Absolutely silent | |
1197 | .TP | |
1198 | .B 0 | |
1199 | Very basic auditing logs (e.g. SA up/SA down) | |
1200 | .TP | |
1201 | .B 1 | |
1202 | Generic control flow with errors, a good default to see what's going on | |
1203 | .TP | |
1204 | .B 2 | |
1205 | More detailed debugging control flow | |
1206 | .TP | |
1207 | .B 3 | |
1208 | Including raw data dumps in hex | |
1209 | .TP | |
1210 | .B 4 | |
1211 | Also include sensitive material in dumps, e.g. keys | |
1212 | .SS Example | |
1213 | .PP | |
1214 | .EX | |
1215 | charon { | |
1216 | filelog { | |
1217 | /var/log/charon.log { | |
1218 | time_format = %b %e %T | |
1219 | append = no | |
1220 | default = 1 | |
1221 | } | |
1222 | stderr { | |
1223 | ike = 2 | |
1224 | knl = 3 | |
1225 | ike_name = yes | |
1226 | } | |
1227 | } | |
1228 | syslog { | |
1229 | # enable logging to LOG_DAEMON, use defaults | |
1230 | daemon { | |
1231 | } | |
1232 | # minimalistic IKE auditing logging to LOG_AUTHPRIV | |
1233 | auth { | |
1234 | default = -1 | |
1235 | ike = 0 | |
1236 | } | |
1237 | } | |
1238 | } | |
1239 | .EE | |
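The loglevel table above makes one setting security relevant: any subsystem logged at level 4 writes key material into the log file or syslog. The following Python is an added example (not part of this man page and not strongSwan's own code) that parses the section/key-value syntax of strongswan.conf with a minimal reimplementation of the parser and reports every file or syslog logger whose effective level, after applying the subsection's `default`, reaches 4. It assumes a syslog facility without an explicit `default` inherits the documented filelog default of 1; the second configuration is a constructed sample of a debugging session left in place.

```python
"""Audit strongswan.conf logger sections for levels that dump key material.

Added example, not strongSwan code: a small parser for the strongswan.conf
section { key = value } syntax plus a check reporting every logger whose
effective loglevel reaches 4 ("also include sensitive material, e.g. keys").
"""

# Keys inside a logger subsection that are options, not subsystem levels.
LOGGER_OPTIONS = {"default", "append", "flush_line", "ike_name", "time_format"}

# Subsystems listed under "Subsystems" in the man page.
SUBSYSTEMS = {"dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
              "enc", "tls", "esp", "lib", "tnc", "imc", "imv", "pts"}

SENSITIVE_LEVEL = 4   # man page: level 4 includes keys in dumps
DEFAULT_LEVEL = 1     # documented default for filelog; assumed for syslog too


def parse_strongswan_conf(text):
    """Parse 'name { ... }' sections and 'key = value' lines into nested dicts.

    Comments start with '#'; values run to end of line (the format has no
    quoting), so 'time_format = %b %e %T' keeps its spaces.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def effective_levels(logger):
    """Return {subsystem: level} for one logger subsection, applying 'default'."""
    default = int(logger.get("default", DEFAULT_LEVEL))
    return {sub: int(logger[sub]) if sub in logger else default
            for sub in SUBSYSTEMS}


def find_sensitive_loggers(conf, threshold=SENSITIVE_LEVEL):
    """List (kind, name, subsystem, level) for every logger at or above threshold."""
    findings = []
    charon = conf.get("charon", {})
    for kind in ("filelog", "syslog"):
        for name, logger in charon.get(kind, {}).items():
            if not isinstance(logger, dict):   # e.g. syslog.identifier is a key
                continue
            for sub, level in sorted(effective_levels(logger).items()):
                if level >= threshold:
                    findings.append((kind, name, sub, level))
    return findings


# Copy of the man page's example configuration (nothing at level 4).
PAGE_EXAMPLE = """\
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
"""

# Constructed sample: a debugging setup that writes keys to a world-readable path.
LEAKY_EXAMPLE = """\
charon {
    filelog {
        /tmp/debug.log {
            default = 4
        }
    }
    syslog {
        daemon {
            enc = 4
        }
    }
}
"""

if __name__ == "__main__":
    for label, text in (("man page example", PAGE_EXAMPLE), ("leaky", LEAKY_EXAMPLE)):
        for finding in find_sensitive_loggers(parse_strongswan_conf(text)):
            print(label, "->", finding)
```

Run it against a deployed strongswan.conf as a pre-commit or configuration management check; a finding for a file logger means key material lands on disk with whatever permissions that file has.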
1240 | ||
4f3ca916 TB |
1241 | .SH JOB PRIORITY MANAGEMENT |
1242 | Some operations in the IKEv2 daemon charon are currently implemented | |
1243 | synchronously and blocking. Two examples for such operations are communication | |
1244 | with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during | |
1245 | certificate chain verification. Under high load conditions, the thread pool may | |
1246 | run out of available threads, and some more important jobs, such as liveness | |
1247 | checking, may not get executed in time. | |
1248 | .PP | |
1249 | To prevent thread starvation in such situations, job priorities were introduced. | |
1250 | The job processor reserves some threads for higher priority jobs; these | |
1251 | threads are not available for lower priority jobs, which may block on locks. | |
1252 | .SS Implementation | |
1253 | Currently 4 priorities have been defined, and they are used in charon as | |
1254 | follows: | |
1255 | .TP | |
1256 | .B CRITICAL | |
1257 | Priority for long-running dispatcher jobs. | |
1258 | .TP | |
1259 | .B HIGH | |
1260 | INFORMATIONAL exchanges, as used by liveness checking (DPD). | |
1261 | .TP | |
1262 | .B MEDIUM | |
1263 | Everything not HIGH/LOW, including IKE_SA_INIT processing. | |
1264 | .TP | |
1265 | .B LOW | |
1266 | IKE_AUTH message processing. RADIUS and CRL fetching block here. | |
1267 | .PP | |
1268 | Although IKE_SA_INIT processing is computationally expensive, it is explicitly | |
1269 | assigned to the MEDIUM class. This allows charon to do the DH exchange while | |
1270 | other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more | |
1271 | IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING. | |
1272 | .PP | |
1273 | The thread pool processes jobs strictly by priority, meaning it will consume all | |
1274 | higher priority jobs before looking for ones with lower priority. Further, it | |
1275 | reserves threads for certain priorities. A priority class having reserved | |
1276 | .I n | |
1277 | threads will always have | |
1278 | .I n | |
1279 | threads available for this class (either currently processing a job, or waiting | |
1280 | for one). | |
1281 | .SS Configuration | |
1282 | To ensure that there are always enough threads available for higher priority | |
1283 | tasks, threads must be reserved for each priority class. | |
1284 | .TP | |
1285 | .BR libstrongswan.processor.priority_threads.critical " [0]" | |
1286 | Threads reserved for CRITICAL priority class jobs | |
1287 | .TP | |
1288 | .BR libstrongswan.processor.priority_threads.high " [0]" | |
1289 | Threads reserved for HIGH priority class jobs | |
1290 | .TP | |
1291 | .BR libstrongswan.processor.priority_threads.medium " [0]" | |
1292 | Threads reserved for MEDIUM priority class jobs | |
1293 | .TP | |
1294 | .BR libstrongswan.processor.priority_threads.low " [0]" | |
1295 | Threads reserved for LOW priority class jobs | |
1296 | .PP | |
1297 | Let's consider the following configuration: | |
1298 | .PP | |
1299 | .EX | |
1300 | libstrongswan { | |
1301 | processor { | |
1302 | priority_threads { | |
1303 | high = 1 | |
1304 | medium = 4 | |
1305 | } | |
1306 | } | |
1307 | } | |
1308 | .EE | |
1309 | .PP | |
1310 | With this configuration, one thread is reserved for HIGH priority tasks. As | |
1311 | currently only liveness checking and stroke message processing are done with | |
1312 | high priority, one or two threads should be sufficient. | |
1313 | .PP | |
1314 | The MEDIUM class mostly processes non-blocking jobs. Unless your setup is | |
1315 | experiencing many blocks in locks while accessing shared resources, reserving | |
1316 | one or two times the number of CPU cores is fine. | |
1317 | .PP | |
1318 | It is usually not required to reserve threads for CRITICAL jobs. Jobs in this | |
1319 | class rarely return and do not release their thread to the pool. | |
1320 | .PP | |
1321 | The remaining threads are available for LOW priority jobs. Reserving threads | |
1322 | does not make sense (until we have an even lower priority). | |
1323 | .SS Monitoring | |
1324 | To see what the threads are actually doing, invoke | |
1325 | .IR "ipsec statusall" . | |
1326 | Under high load, something like this will show up: | |
1327 | .PP | |
1328 | .EX | |
1329 | worker threads: 2 of 32 idle, 5/1/2/22 working, | |
1330 | job queue: 0/0/1/149, scheduled: 198 | |
1331 | .EE | |
1332 | .PP | |
1333 | From 32 worker threads, | |
1334 | .IP 2 | |
1335 | are currently idle. | |
1336 | .IP 5 | |
1337 | are running CRITICAL priority jobs (dispatching from sockets, etc.). | |
1338 | .IP 1 | |
1339 | is currently handling a HIGH priority job. This is actually the thread currently | |
1340 | providing this information via stroke. | |
1341 | .IP 2 | |
1342 | are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA | |
1343 | messages. | |
1344 | .IP 22 | |
1345 | are handling LOW priority jobs, probably waiting for an EAP-RADIUS response | |
1346 | while processing IKE_AUTH messages. | |
1347 | .PP | |
1348 | The job queue load shows how many jobs are queued for each priority, ready for | |
1349 | execution. The single MEDIUM priority job will get executed immediately, as | |
1350 | we have two spare threads reserved for MEDIUM class jobs. | |
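To make the reservation rule and the status output above concrete, here is an added Python example (not strongSwan's processor code) that parses the two-line worker thread summary from `ipsec statusall` and applies a simplified model of the documented semantics: idle threads consume queued jobs strictly by priority, and a thread may only take a job if the remaining idle threads still cover every other class's unmet reservation. The thread-selection rule is an assumption derived from the text above, not the daemon's actual scheduling code; the status text and the `high = 1, medium = 4` reservation are the man page's example.

```python
"""Model of charon's priority thread reservations applied to statusall output.

Added example, not strongSwan code: a simplified model of the rule that a
class with n reserved threads always has n threads working on or waiting for
that class, while queued jobs are consumed strictly by priority.
"""
import re

PRIORITIES = ("critical", "high", "medium", "low")   # order as printed c/h/m/l

STATUS_RE = re.compile(
    r"worker threads: (?P<idle>\d+) of (?P<total>\d+) idle, "
    r"(?P<working>\d+/\d+/\d+/\d+) working, "
    r"job queue: (?P<queued>\d+/\d+/\d+/\d+), scheduled: (?P<scheduled>\d+)"
)


def parse_status(text):
    """Parse the (possibly wrapped) worker thread summary into per-class counts."""
    m = STATUS_RE.search(" ".join(text.split()))   # join the wrapped lines
    if not m:
        raise ValueError("unrecognised status output")
    working = dict(zip(PRIORITIES, map(int, m["working"].split("/"))))
    queued = dict(zip(PRIORITIES, map(int, m["queued"].split("/"))))
    return {"idle": int(m["idle"]), "total": int(m["total"]),
            "working": working, "queued": queued,
            "scheduled": int(m["scheduled"])}


def unmet_reservation(reserved, working, prio):
    """Threads class `prio` is still owed: reserved minus those already working."""
    return max(0, reserved.get(prio, 0) - working.get(prio, 0))


def can_start(prio, idle, reserved, working):
    """May an idle thread take a job of class `prio` without breaking a reservation?

    After taking it, the remaining idle threads must still cover every other
    class's unmet reservation plus what is left of this class's own.
    """
    others = sum(unmet_reservation(reserved, working, p)
                 for p in PRIORITIES if p != prio)
    own = max(0, reserved.get(prio, 0) - working.get(prio, 0) - 1)
    return idle - 1 >= others + own


def dispatch(status, reserved):
    """Let idle threads pick queued jobs strictly by priority under `reserved`.

    Returns (started classes in order, idle left, working, queued).
    """
    idle = status["idle"]
    working = dict(status["working"])
    queued = dict(status["queued"])
    started = []
    progress = True
    while idle > 0 and progress:
        progress = False
        for prio in PRIORITIES:                  # highest priority first
            if queued[prio] and can_start(prio, idle, reserved, working):
                queued[prio] -= 1
                working[prio] += 1
                idle -= 1
                started.append(prio)
                progress = True
                break                            # re-scan from the top
    return started, idle, working, queued


# The man page's example: libstrongswan.processor.priority_threads { high = 1 medium = 4 }
RESERVED = {"high": 1, "medium": 4}

# Copy of the status output shown in the man page under "Monitoring".
STATUS_EXAMPLE = """\
worker threads: 2 of 32 idle, 5/1/2/22 working,
job queue: 0/0/1/149, scheduled: 198
"""

if __name__ == "__main__":
    status = parse_status(STATUS_EXAMPLE)
    print("with reservations:   ", dispatch(status, RESERVED)[0])
    print("without reservations:", dispatch(status, {})[0])
```

With the page's reservation the single MEDIUM job starts and the 149 LOW jobs keep waiting, because the last idle thread is still owed to the MEDIUM class; with no reservations the same idle threads are handed out to LOW jobs as well, which is exactly the starvation the reservation prevents.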
1351 | ||
1352 | .SH IKE_SA_INIT DROPPING | |
1353 | If a responder receives more connection requests per second than it can handle, | |
1354 | it does not make sense to accept more IKE_SA_INIT messages. And if they are | |
1355 | queued but can't get processed in time, an answer might be sent after the | |
1356 | client has already given up and restarted its connection setup. This | |
1357 | additionally increases the load on the responder. | |
1358 | .PP | |
1359 | To limit the responder load resulting from new connection attempts, the daemon | |
1360 | can drop IKE_SA_INIT messages just after reception. There are two mechanisms to | |
1361 | decide if this should happen, configured with the following options: | |
1362 | .TP | |
1363 | .BR charon.init_limit_half_open " [0]" | |
1364 | Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in | |
1365 | connecting state, but not yet established. | |
1366 | .TP | |
1367 | .BR charon.init_limit_job_load " [0]" | |
1368 | Limit based on the number of jobs currently queued for processing (sum over all | |
1369 | job priorities). | |
1370 | .PP | |
1371 | The second limit includes load from other jobs, such as rekeying. Choosing a | |
1372 | good value is difficult and depends on the hardware and expected load. | |
1373 | .PP | |
1374 | The first limit is simpler to calculate, but includes the load from new | |
1375 | connections only. If your responder is capable of negotiating 100 tunnels/s, you | |
1376 | might set this limit to 1000. The daemon will then drop new connection attempts | |
1377 | if generating a response would require more than 10 seconds. If you are | |
1378 | allowing for a maximum response time of more than 30 seconds, consider adjusting | |
1379 | the timeout for connecting IKE_SAs | |
1380 | .RB ( charon.half_open_timeout ). | |
1381 | A responder, by default, deletes an IKE_SA if the initiator does not establish | |
1382 | it within 30 seconds. Under high load, a higher value might be required. | |
1383 | ||
3f71c5d9 TB |
1384 | .SH LOAD TESTS |
1385 | To do stability testing and performance optimizations, the IKEv2 daemon charon | |
629cdca8 | 1386 | provides the load-tester plugin. This plugin allows one to setup thousands of |
3f71c5d9 TB |
1387 | tunnels concurrently against the daemon itself or a remote host. |
1388 | .PP | |
1389 | .B WARNING: | |
1390 | Never enable the load-testing plugin on productive systems. It provides | |
1391 | preconfigured credentials and allows an attacker to authenticate as any user. | |
1392 | .SS Options | |
1393 | .TP | |
c186b394 TB |
1394 | .BR charon.plugins.load-tester.addrs |
1395 | Subsection that contains key/value pairs with address pools (in CIDR notation) | |
1396 | to use for a specific network interface, e.g. eth0 = 10.10.0.0/16 | |
1397 | .TP | |
96ad2b17 TB |
1398 | .BR charon.plugins.load-tester.addrs_keep " [no]" |
1399 | Whether to keep dynamic addresses even after the associated SA got terminated | |
1400 | .TP | |
c186b394 TB |
1401 | .BR charon.plugins.load-tester.addrs_prefix " [16]" |
1402 | Network prefix length to use when installing dynamic addresses. If set to -1 the | |
1403 | full address is used (i.e. 32 or 128) | |
1404 | .TP | |
1405 | .BR charon.plugins.load-tester.ca_dir | |
1406 | Directory to load (intermediate) CA certificates from | |
1407 | .TP | |
3f71c5d9 TB |
1408 | .BR charon.plugins.load-tester.child_rekey " [600]" |
1409 | Seconds to start CHILD_SA rekeying after setup | |
1410 | .TP | |
1411 | .BR charon.plugins.load-tester.delay " [0]" | |
1412 | Delay between initiations for each thread | |
1413 | .TP | |
1414 | .BR charon.plugins.load-tester.delete_after_established " [no]" | |
1415 | Delete an IKE_SA as soon as it has been established | |
1416 | .TP | |
c186b394 TB |
1417 | .BR charon.plugins.load-tester.digest " [sha1]" |
1418 | Digest algorithm used when issuing certificates | |
1419 | .TP | |
35572811 TB |
1420 | .BR charon.plugins.load-tester.dpd_delay " [0]" |
1421 | DPD delay to use in load test | |
1422 | .TP | |
41f525be TB |
1423 | .BR charon.plugins.load-tester.dynamic_port " [0]" |
1424 | Base port to be used for requests (each client uses a different port) | |
1425 | .TP | |
35572811 TB |
1426 | .BR charon.plugins.load-tester.eap_password " [default-pwd]" |
1427 | EAP secret to use in load test | |
1428 | .TP | |
3f71c5d9 TB |
1429 | .BR charon.plugins.load-tester.enable " [no]" |
1430 | Enable the load testing plugin | |
1431 | .TP | |
96ad2b17 TB |
1432 | .BR charon.plugins.load-tester.esp " [aes128-sha1]" |
1433 | CHILD_SA proposal to use for load tests | |
1434 | .TP | |
3f71c5d9 TB |
1435 | .BR charon.plugins.load-tester.fake_kernel " [no]" |
1436 | Fake the kernel interface to allow load-testing against self | |
1437 | .TP | |
1438 | .BR charon.plugins.load-tester.ike_rekey " [0]" | |
1439 | Seconds to start IKE_SA rekeying after setup | |
1440 | .TP | |
35572811 TB |
1441 | .BR charon.plugins.load-tester.init_limit " [0]" |
1442 | Global limit of concurrently established SAs during load test | |
1443 | .TP | |
c186b394 TB |
1444 | .BR charon.plugins.load-tester.initiator " [0.0.0.0]" |
1445 | Address to initiate from | |
1446 | .TP | |
3f71c5d9 TB |
1447 | .BR charon.plugins.load-tester.initiators " [0]" |
1448 | Number of concurrent initiator threads to use in load test | |
1449 | .TP | |
1450 | .BR charon.plugins.load-tester.initiator_auth " [pubkey]" | |
1451 | Authentication method(s) the initiator uses | |
1452 | .TP | |
35572811 TB |
1453 | .BR charon.plugins.load-tester.initiator_id |
1454 | Initiator ID used in load test | |
1455 | .TP | |
c186b394 | 1456 | .BR charon.plugins.load-tester.initiator_match |
9d9410e7 | 1457 | Initiator ID to match against as responder |
c186b394 TB |
1458 | .TP |
1459 | .BR charon.plugins.load-tester.initiator_tsi | |
1460 | Traffic selector on initiator side, as proposed by initiator | |
1461 | .TP | |
1462 | .BR charon.plugins.load-tester.initiator_tsr | |
1463 | Traffic selector on responder side, as proposed by initiator | |
1464 | .TP | |
3f71c5d9 | 1465 | .BR charon.plugins.load-tester.iterations " [1]" |
c186b394 TB |
1466 | Number of IKE_SAs to initiate by each initiator in load test |
1467 | .TP | |
1468 | .BR charon.plugins.load-tester.issuer_cert | |
1469 | Path to the issuer certificate (if not configured a hard-coded value is used) | |
1470 | .TP | |
1471 | .BR charon.plugins.load-tester.issuer_key | |
1472 | Path to private key that is used to issue certificates (if not configured a | |
1473 | hard-coded value is used) | |
3f71c5d9 TB |
1474 | .TP |
1475 | .BR charon.plugins.load-tester.pool | |
1476 | Provide INTERNAL_IPV4_ADDRs from a named pool | |
1477 | .TP | |
35572811 TB |
1478 | .BR charon.plugins.load-tester.preshared_key " [default-psk]" |
1479 | Preshared key to use in load test | |
1480 | .TP | |
41f525be | 1481 | .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" |
3f71c5d9 TB |
1482 | IKE proposal to use in load test |
1483 | .TP | |
c186b394 | 1484 | .BR charon.plugins.load-tester.responder " [127.0.0.1]" |
3f71c5d9 TB |
1485 | Address to initiation connections to |
1486 | .TP | |
1487 | .BR charon.plugins.load-tester.responder_auth " [pubkey]" | |
1488 | Authentication method(s) the responder uses | |
1489 | .TP | |
35572811 TB |
1490 | .BR charon.plugins.load-tester.responder_id |
1491 | Responder ID used in load test | |
1492 | .TP | |
c186b394 TB |
1493 | .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" |
1494 | Traffic selector on initiator side, as narrowed by responder | |
1495 | .TP | |
1496 | .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" | |
1497 | Traffic selector on responder side, as narrowed by responder | |
1498 | .TP | |
3f71c5d9 TB |
1499 | .BR charon.plugins.load-tester.request_virtual_ip " [no]" |
1500 | Request an INTERNAL_IPV4_ADDR from the server | |
1501 | .TP | |
1502 | .BR charon.plugins.load-tester.shutdown_when_complete " [no]" | |
41f525be | 1503 | Shutdown the daemon after all IKE_SAs have been established |
c186b394 | 1504 | .TP |
2ed8b36a TB |
1505 | .BR charon.plugins.load-tester.socket " [unix://${piddir}/charon.ldt]" |
1506 | Socket provided by the load-tester plugin | |
1507 | .TP | |
c186b394 TB |
1508 | .BR charon.plugins.load-tester.version " [0]" |
1509 | IKE version to use (0 means use IKEv2 as initiator and accept any version as | |
1510 | responder) | |
2ed8b36a | 1511 | .PP |
.SS Configuration details
For public key authentication, the responder uses the
.B \(dqCN=srv, OU=load-test, O=strongSwan\(dq
identity. For the initiator, each connection attempt uses a different identity
in the form
.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
where the first number indicates the client number, the second the
authentication round (if multiple authentication is used).
.PP
For PSK authentication, FQDN identities are used. The server uses
.BR srv.strongswan.org ,
the client uses an identity in the form
.BR c1-r1.strongswan.org .
.PP
For EAP authentication, the client uses a NAI in the form
.BR 100000000010001@strongswan.org .
.PP
To configure multiple authentication, concatenate the methods, separated by a
pipe character, e.g.
.EX
initiator_auth = pubkey|psk|eap-md5|eap-aka
.EE
.PP
The responder uses a hardcoded certificate based on a 1024-bit RSA key.
This certificate additionally serves as CA certificate. A peer uses the same
private key, but generates client certificates on demand signed by the CA
certificate. Install the Responder/CA certificate on the remote host to
authenticate all clients.
.PP
To speed up testing, the load tester plugin implements a special Diffie-Hellman
implementation called modpnull. By setting
.EX
proposal = aes128-sha1-modpnull
.EE
this wicked fast DH implementation is used. It does not provide any security
at all, but allows one to run tests without DH calculation overhead.
.SS Examples
.PP
In the simplest case, the daemon initiates IKE_SAs against itself using the
loopback interface. This will actually establish double the number of IKE_SAs,
as the daemon is initiator and responder for each IKE_SA at the same time.
Installation of IPsec SAs would fail, as each SA gets installed twice. To
simulate the correct behavior, a fake kernel interface can be enabled which does
not install the IPsec SAs at the kernel level.
.PP
A simple loopback configuration might look like this:
.PP
.EX
charon {
    # create new IKE_SAs for each CHILD_SA to simulate
    # different clients
    reuse_ikesa = no
    # turn off denial of service protection
    dos_protection = no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # use 4 threads to initiate connections
            # simultaneously
            initiators = 4
            # each thread initiates 1000 connections
            iterations = 1000
            # delay each initiation in each thread by 20ms
            delay = 20
            # enable the fake kernel interface to
            # avoid SA conflicts
            fake_kernel = yes
        }
    }
}
.EE
.PP
This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay
value if your box can not handle that much load, or decrease it to put more
load on it. If the daemon starts retransmitting messages your box probably can
not handle all connection attempts.
.PP
The plugin also allows one to test against a remote host. This might help to
test against a real world configuration. A connection setup to do stress
testing of a gateway might look like this:
.PP
.EX
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1000
            # use a delay of 100ms, overall time is:
            # iterations * delay = 100s
            delay = 100
            # address of the gateway (the responder key
            # documented above)
            responder = 1.2.3.4
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead
            # of 1024bit RSA
            initiator_auth = psk
            responder_auth = psk
            # request a virtual IP using configuration
            # payloads
            request_virtual_ip = yes
            # rekey each CHILD_SA 60s after setup
            child_rekey = 60
        }
    }
}
.EE

.SH IKEv2 RETRANSMISSION
Retransmission timeouts in the IKEv2 daemon charon can be configured globally
using the three keys listed below:
.PP
.RS
.nf
.BR charon.retransmit_base " [1.8]"
.BR charon.retransmit_timeout " [4.0]"
.BR charon.retransmit_tries " [5]"
.fi
.RE
.PP
The following algorithm is used to calculate the timeout:
.PP
.EX
relative timeout = retransmit_timeout * retransmit_base ^ (n-1)
.EE
.PP
Where
.I n
is the current retransmission count.
.PP
Using the default values, packets are retransmitted in:

.TS
tab(;);
l r r
---
lB r r.
Retransmission;Relative Timeout;Absolute Timeout
1;4s;4s
2;7s;11s
3;13s;24s
4;23s;47s
5;42s;89s
giving up;76s;165s
.TE

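.PP
The following script is an added illustration, not part of the strongSwan
sources: it reproduces the table above from the three keys, so that a changed
retransmit_timeout, retransmit_base or retransmit_tries can be checked before
it is deployed (the function names are the script's own):

```python
"""Added example, not strongSwan code: compute charon's IKEv2 retransmission
schedule from charon.retransmit_timeout, charon.retransmit_base and
charon.retransmit_tries using the formula given in strongswan.conf(5):
relative timeout = retransmit_timeout * retransmit_base ^ (n-1)."""
from typing import List, Tuple

Row = Tuple[str, int, int]  # (retransmission label, relative s, absolute s)


def retransmit_schedule(timeout: float = 4.0, base: float = 1.8,
                        tries: int = 5) -> List[Row]:
    """Return one row per retransmission plus a final 'giving up' row.

    Seconds are rounded to whole numbers, as in the man page table.  The
    'giving up' row is the point after the last retry at which charon stops
    waiting for the peer and abandons the exchange.
    """
    rows: List[Row] = []
    absolute = 0.0
    for n in range(1, tries + 2):          # tries retries + the final wait
        relative = timeout * base ** (n - 1)
        absolute += relative
        label = str(n) if n <= tries else "giving up"
        rows.append((label, round(relative), round(absolute)))
    return rows


def time_to_give_up(timeout: float = 4.0, base: float = 1.8,
                    tries: int = 5) -> int:
    """Seconds from the first transmission until charon gives up on an
    unanswered request.  A half-open IKE_SA with an unresponsive peer
    is kept for at most this long, so the value bounds what such peers
    cost the responder."""
    return retransmit_schedule(timeout, base, tries)[-1][2]


def format_table(rows: List[Row]) -> str:
    """Render rows in the layout of the tbl table in the man page."""
    lines = ["%-14s %16s %16s" % ("Retransmission", "Relative Timeout",
                                   "Absolute Timeout")]
    for label, rel, absolute in rows:
        lines.append("%-14s %15ds %15ds" % (label, rel, absolute))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(retransmit_schedule()))  # defaults: gives up at 165s
    # a tighter schedule for a lab gateway: 2s initial timeout, 3 tries
    print(format_table(retransmit_schedule(timeout=2.0, tries=3)))
```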
.SH FILES
/etc/strongswan.conf

.SH SEE ALSO
\fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)

.SH HISTORY
Written for the
.UR http://www.strongswan.org
strongSwan project
.UE
by Tobias Brunner, Andreas Steffen and Martin Willi.