Commit | Line | Data |
---|---|---|
4d62ad75 | 1 | .TH STRONGSWAN.CONF 5 "2013-06-21" "@IPSEC_VERSION@" "strongSwan" |
483c1feb TB |
2 | .SH NAME |
3 | strongswan.conf \- strongSwan configuration file | |
4 | .SH DESCRIPTION | |
5 | While the | |
6 | .IR ipsec.conf (5) | |
7 | configuration file is well suited to define IPsec related configuration | |
8 | parameters, it is not useful for other strongSwan applications to read options | |
9 | from this file. | |
10 | The file is hard to parse and only | |
11 | .I ipsec starter | |
12 | is capable of doing so. As the number of components of the strongSwan project | |
320cecd2 | 13 | is continually growing, a more flexible configuration file was needed, one that |
483c1feb TB |
14 | is easy to extend and can be used by all components. With strongSwan 4.2.1 |
15 | .IR strongswan.conf (5) | |
16 | was introduced which meets these requirements. | |
17 | ||
320cecd2 TB |
18 | .SH SYNTAX |
19 | The format of the strongswan.conf file consists of hierarchical | |
20 | .B sections | |
21 | and a list of | |
22 | .B key/value pairs | |
23 | in each section. Each section has a name, followed by C-style curly brackets | |
24 | defining the section body. Each section body contains a set of subsections | |
25 | and key/value pairs: | |
26 | .PP | |
27 | .EX | |
28 | settings := (section|keyvalue)* | |
29 | section := name { settings } | |
30 | keyvalue := key = value\\n | |
31 | .EE | |
32 | .PP | |
33 | Values must be terminated by a newline. | |
34 | .PP | |
35 | Comments are possible using the \fB#\fP-character, but be careful: The parser | |
36 | implementation is currently limited and does not like brackets in comments. | |
37 | .PP | |
38 | Section names and keys may contain any printable character except: | |
39 | .PP | |
40 | .EX | |
41 | . { } # \\n \\t space | |
42 | .EE | |
43 | .PP | |
44 | An example file in this format might look like this: | |
45 | .PP | |
46 | .EX | |
47 | a = b | |
48 | section-one { | |
49 | somevalue = asdf | |
50 | subsection { | |
51 | othervalue = xxx | |
52 | } | |
53 | # yei, a comment | |
54 | yetanother = zz | |
55 | } | |
56 | section-two { | |
57 | x = 12 | |
58 | } | |
59 | .EE | |
60 | .PP | |
61 | Indentation is optional; you may use tabs or spaces. | |
62 | ||
9a1e5261 TB |
63 | .SH INCLUDING FILES |
64 | Using the | |
65 | .B include | |
66 | statement it is possible to include other files into strongswan.conf, e.g. | |
67 | .PP | |
68 | .EX | |
69 | include /some/path/*.conf | |
70 | .EE | |
71 | .PP | |
72 | If the file name is not an absolute path, it is considered to be relative | |
73 | to the directory of the file containing the include statement. The file name | |
74 | may include shell wildcards (see | |
75 | .IR sh (1)). | |
76 | Also, such inclusions can be nested. | |
77 | .PP | |
78 | Sections loaded from included files | |
79 | .I extend | |
80 | previously loaded sections; already existing values are | |
81 | .IR replaced . | |
82 | It is important to note that settings are added relative to the section the | |
5889e864 | 83 | include statement is in. |
9a1e5261 TB |
84 | .PP |
85 | As an example, the following three files result in the same final | |
86 | config as the one given above: | |
87 | .PP | |
88 | .EX | |
89 | a = b | |
90 | section-one { | |
91 | somevalue = before include | |
92 | include include.conf | |
93 | } | |
94 | include other.conf | |
95 | ||
96 | include.conf: | |
97 | # settings loaded from this file are added to section-one | |
98 | # the following replaces the previous value | |
99 | somevalue = asdf | |
100 | subsection { | |
101 | othervalue = yyy | |
102 | } | |
103 | yetanother = zz | |
104 | ||
105 | other.conf: | |
106 | # this extends section-one and subsection | |
107 | section-one { | |
108 | subsection { | |
109 | # this replaces the previous value | |
110 | othervalue = xxx | |
111 | } | |
112 | } | |
113 | section-two { | |
114 | x = 12 | |
115 | } | |
116 | .EE | |
117 | ||
5889e864 TB |
118 | .SH READING VALUES |
119 | Values are accessed using a dot-separated section list and a key. | |
120 | With reference to the example above, accessing | |
121 | .B section-one.subsection.othervalue | |
122 | will return | |
123 | .BR xxx . | |
124 | ||
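The grammar in SYNTAX, the include semantics in INCLUDING FILES and the dot-notation lookup in READING VALUES are easiest to check against a small parser. The following is an added example written for this page; it is not strongSwan's own parser (charon's parser is C code). It assumes nothing beyond what the sections above state: values end at a newline, `#` starts a comment, included settings are added relative to the section containing the `include` statement, sections are extended and existing values replaced, and relative include paths (with shell wildcards) resolve against the directory of the including file. It goes one step beyond the page's parser in that it strips comments before looking for brackets, so brackets inside comments do not confuse it. The three files are the ones from the INCLUDING FILES example, constructed here as strings and written to a temporary directory so the code runs offline.

```python
import glob
import os
import tempfile

RESERVED = set('.{}#\n\t ')   # characters not allowed in section names and keys


def _check_name(name):
    if not name or any(c in RESERVED for c in name):
        raise ValueError('invalid section name or key: %r' % name)
    return name


def parse_text(text, base_dir=None, into=None):
    """Parse strongswan.conf text into nested dicts, merging into 'into'."""
    root = {} if into is None else into
    stack = [root]                        # innermost open section is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments first
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('line %d: unbalanced }' % lineno)
            stack.pop()
        elif line.startswith('include '):
            pattern = line[len('include '):].strip()
            if base_dir is not None and not os.path.isabs(pattern):
                pattern = os.path.join(base_dir, pattern)   # relative to including file
            for path in sorted(glob.glob(pattern)):         # wildcards, nesting allowed
                parse_file(path, into=stack[-1])            # added to the current section
        elif '=' in line and ('{' not in line or line.index('=') < line.index('{')):
            key, value = line.split('=', 1)
            stack[-1][_check_name(key.strip())] = value.strip()   # replaces an existing value
        elif line.endswith('{'):
            name = _check_name(line[:-1].strip())
            section = stack[-1].setdefault(name, {})       # extends an existing section
            if not isinstance(section, dict):
                raise ValueError('line %d: %r is a value, not a section' % (lineno, name))
            stack.append(section)
        else:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
    if len(stack) != 1:
        raise ValueError('unterminated section')
    return root


def parse_file(path, into=None):
    with open(path) as fh:
        text = fh.read()
    return parse_text(text, base_dir=os.path.dirname(os.path.abspath(path)), into=into)


def get(settings, dotted, default=None):
    """Look up 'section.subsection.key' in a parsed tree."""
    node = settings
    for part in dotted.split('.'):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


# Constructed input: the three files from the INCLUDING FILES example.
MAIN_CONF = ("a = b\nsection-one {\n    somevalue = before include\n"
             "    include include.conf\n}\ninclude other.conf\n")
INCLUDE_CONF = ("# settings loaded from this file are added to section-one\n"
                "# the following replaces the previous value\nsomevalue = asdf\n"
                "subsection {\n    othervalue = yyy\n}\nyetanother = zz\n")
OTHER_CONF = ("# this extends section-one and subsection\nsection-one {\n"
              "    subsection {\n        # this replaces the previous value\n"
              "        othervalue = xxx\n    }\n}\nsection-two {\n    x = 12\n}\n")


def parse_example():
    """Write the three files to a temporary directory and parse the main one."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (('strongswan.conf', MAIN_CONF),
                           ('include.conf', INCLUDE_CONF),
                           ('other.conf', OTHER_CONF)):
            with open(os.path.join(tmp, name), 'w') as fh:
                fh.write(text)
        return parse_file(os.path.join(tmp, 'strongswan.conf'))


if __name__ == '__main__':
    tree = parse_example()
    print(get(tree, 'section-one.subsection.othervalue'))   # xxx, as stated above
```

The lookup of `section-one.subsection.othervalue` yields `xxx` because `other.conf` is parsed after `include.conf` and replaces the earlier `yyy`; an include that matches no file adds nothing, which is why a misspelled include path silently leaves defaults in place.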
320cecd2 | 125 | .SH DEFINED KEYS |
3f71c5d9 | 126 | The following keys are currently defined (using dot notation). The default |
320cecd2 TB |
127 | value (if any) is listed in brackets after the key. |
128 | ||
e0175103 AS |
129 | .SS attest section |
130 | .TP | |
131 | .BR attest.database | |
132 | Path to database with file measurement information | |
133 | .TP | |
134 | .BR attest.load | |
135 | Plugins to load in ipsec attest tool | |
4d62ad75 | 136 | |
320cecd2 TB |
137 | .SS charon section |
138 | .TP | |
4d62ad75 TB |
139 | .BR Note : |
140 | Many of these options also apply to \fBcharon\-cmd\fR and other | |
141 | \fBcharon\fR derivatives. Just use their respective name (e.g. | |
142 | \fIcharon\-cmd\fR) instead of \fIcharon\fR. | |
143 | .TP | |
320cecd2 TB |
144 | .BR charon.block_threshold " [5]" |
145 | Maximum number of half-open IKE_SAs for a single peer IP | |
146 | .TP | |
c38d6905 AS |
147 | .BR charon.cisco_unity " [no]" |
148 | Send Cisco Unity vendor ID payload (IKEv1 only) | |
149 | .TP | |
320cecd2 TB |
150 | .BR charon.close_ike_on_child_failure " [no]" |
151 | Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed | |
152 | .TP | |
153 | .BR charon.cookie_threshold " [10]" | |
154 | Number of half-open IKE_SAs that activate the cookie mechanism | |
155 | .TP | |
156 | .BR charon.dns1 | |
157 | .TQ | |
158 | .BR charon.dns2 | |
159 | DNS servers assigned to peer via configuration payload (CP) | |
160 | .TP | |
161 | .BR charon.dos_protection " [yes]" | |
162 | Enable Denial of Service protection using cookies and aggressiveness checks | |
163 | .TP | |
b2bcc577 | 164 | .BR charon.filelog |
3f71c5d9 | 165 | Section to define file loggers, see LOGGER CONFIGURATION |
41f525be TB |
166 | .TP |
167 | .BR charon.flush_auth_cfg " [no]" | |
358104a4 TB |
168 | If enabled, objects used during authentication (certificates, identities, etc.) |
169 | are released to free memory once an IKE_SA is established. | |
170 | Enabling this might conflict with plugins that later need access to e.g. the | |
171 | used certificates. | |
4f3ca916 | 172 | .TP |
ee6902ef TB |
173 | .BR charon.fragment_size " [512]" |
174 | Maximum size (in bytes) of a sent fragment when using the proprietary IKEv1 | |
175 | fragmentation extension. | |
176 | .TP | |
4f3ca916 TB |
177 | .BR charon.half_open_timeout " [30]" |
178 | Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). | |
b2bcc577 | 179 | .TP |
320cecd2 TB |
180 | .BR charon.hash_and_url " [no]" |
181 | Enable hash and URL support | |
182 | .TP | |
629cdca8 TB |
183 | .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]" |
184 | If enabled, responders are allowed to use IKEv1 Aggressive Mode with pre-shared | |
185 | keys, which is discouraged due to security concerns (offline attacks on the | |
186 | openly transmitted hash of the PSK) | |
187 | .TP | |
41f525be | 188 | .BR charon.ignore_routing_tables |
9513225e | 189 | A space-separated list of routing tables to be excluded from route lookups |
41f525be | 190 | .TP |
c186b394 TB |
191 | .BR charon.ikesa_limit " [0]" |
192 | Maximum number of IKE_SAs that can be established at the same time before new | |
193 | connection attempts are blocked | |
194 | .TP | |
320cecd2 TB |
195 | .BR charon.ikesa_table_segments " [1]" |
196 | Number of exclusively locked segments in the hash table | |
197 | .TP | |
198 | .BR charon.ikesa_table_size " [1]" | |
199 | Size of the IKE_SA hash table | |
200 | .TP | |
201 | .BR charon.inactivity_close_ike " [no]" | |
202 | Whether to close IKE_SA if the only CHILD_SA closed due to inactivity | |
203 | .TP | |
4f3ca916 TB |
204 | .BR charon.init_limit_half_open " [0]" |
205 | Limit new connections based on the current number of half open IKE_SAs (see | |
206 | IKE_SA_INIT DROPPING). | |
207 | .TP | |
208 | .BR charon.init_limit_job_load " [0]" | |
209 | Limit new connections based on the number of jobs currently queued for | |
210 | processing (see IKE_SA_INIT DROPPING). | |
211 | .TP | |
654c88bc AS |
212 | .BR charon.initiator_only " [no]" |
213 | Causes charon daemon to ignore IKE initiation requests. | |
214 | .TP | |
320cecd2 TB |
215 | .BR charon.install_routes " [yes]" |
216 | Install routes into a separate routing table for established IPsec tunnels | |
217 | .TP | |
41f525be TB |
218 | .BR charon.install_virtual_ip " [yes]" |
219 | Install virtual IP addresses | |
220 | .TP | |
e8e9048f TB |
221 | .BR charon.install_virtual_ip_on |
222 | The name of the interface on which virtual IP addresses should be installed. | |
223 | If not specified the addresses will be installed on the outbound interface. | |
224 | .TP | |
9513225e TB |
225 | .BR charon.interfaces_ignore |
226 | A comma-separated list of network interfaces that should be ignored. If | |
358104a4 TB |
227 | .B charon.interfaces_use |
228 | is specified, this option has no effect. | |
9513225e TB |
229 | .TP |
230 | .BR charon.interfaces_use | |
358104a4 | 231 | A comma-separated list of network interfaces that should be used by charon. |
9513225e TB |
232 | All other interfaces are ignored. |
233 | .TP | |
320cecd2 TB |
234 | .BR charon.keep_alive " [20s]" |
235 | NAT keep alive interval | |
236 | .TP | |
237 | .BR charon.load | |
41f525be TB |
238 | Plugins to load in the IKEv2 daemon charon |
239 | .TP | |
240 | .BR charon.max_packet " [10000]" | |
241 | Maximum packet size accepted by charon | |
320cecd2 TB |
242 | .TP |
243 | .BR charon.multiple_authentication " [yes]" | |
244 | Enable multiple authentication exchanges (RFC 4739) | |
245 | .TP | |
246 | .BR charon.nbns1 | |
247 | .TQ | |
248 | .BR charon.nbns2 | |
249 | WINS servers assigned to peer via configuration payload (CP) | |
250 | .TP | |
224ab4c5 TB |
251 | .BR charon.port " [500]" |
252 | UDP port used locally. If set to 0 a random port will be allocated. | |
253 | .TP | |
254 | .BR charon.port_nat_t " [4500]" | |
255 | UDP port used locally in case of NAT-T. If set to 0 a random port will be | |
256 | allocated. Has to be different from | |
257 | .BR charon.port , | |
258 | otherwise a random port will be allocated. | |
259 | .TP | |
320cecd2 TB |
260 | .BR charon.process_route " [yes]" |
261 | Process RTM_NEWROUTE and RTM_DELROUTE events | |
262 | .TP | |
41f525be | 263 | .BR charon.receive_delay " [0]" |
31990a19 | 264 | Delay in ms for receiving packets, to simulate larger RTT |
41f525be TB |
265 | .TP |
266 | .BR charon.receive_delay_response " [yes]" | |
267 | Delay response messages | |
268 | .TP | |
269 | .BR charon.receive_delay_request " [yes]" | |
270 | Delay request messages | |
271 | .TP | |
272 | .BR charon.receive_delay_type " [0]" | |
273 | Specific IKEv2 message type to delay, 0 for any | |
274 | .TP | |
94c0e834 MW |
275 | .BR charon.replay_window " [32]" |
276 | Size of the AH/ESP replay window, in packets. | |
277 | .TP | |
320cecd2 | 278 | .BR charon.retransmit_base " [1.8]" |
3f71c5d9 | 279 | Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION |
320cecd2 TB |
280 | .TP |
281 | .BR charon.retransmit_timeout " [4.0]" | |
282 | Timeout in seconds before sending first retransmit | |
283 | .TP | |
284 | .BR charon.retransmit_tries " [5]" | |
285 | Number of times to retransmit a packet before giving up | |
286 | .TP | |
60c82591 TB |
287 | .BR charon.retry_initiate_interval " [0]" |
288 | Interval to use when retrying to initiate an IKE_SA (e.g. if DNS resolution | |
289 | failed), 0 to disable retries. | |
290 | .TP | |
320cecd2 TB |
291 | .BR charon.reuse_ikesa " [yes]" |
292 | Initiate CHILD_SA within existing IKE_SAs | |
293 | .TP | |
294 | .BR charon.routing_table | |
295 | Numerical routing table to install routes to | |
296 | .TP | |
297 | .BR charon.routing_table_prio | |
298 | Priority of the routing table | |
299 | .TP | |
41f525be | 300 | .BR charon.send_delay " [0]" |
31990a19 | 301 | Delay in ms for sending packets, to simulate larger RTT |
41f525be TB |
302 | .TP |
303 | .BR charon.send_delay_response " [yes]" | |
304 | Delay response messages | |
305 | .TP | |
306 | .BR charon.send_delay_request " [yes]" | |
307 | Delay request messages | |
308 | .TP | |
309 | .BR charon.send_delay_type " [0]" | |
310 | Specific IKEv2 message type to delay, 0 for any | |
311 | .TP | |
320cecd2 TB |
312 | .BR charon.send_vendor_id " [no]" |
313 | Send strongSwan vendor ID payload | |
314 | .TP | |
b2bcc577 | 315 | .BR charon.syslog |
3f71c5d9 | 316 | Section to define syslog loggers, see LOGGER CONFIGURATION |
b2bcc577 | 317 | .TP |
320cecd2 TB |
318 | .BR charon.threads " [16]" |
319 | Number of worker threads in charon | |
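The half-open IKE_SA keys in this section (`charon.block_threshold`, `charon.cookie_threshold`, `charon.dos_protection`, `charon.half_open_timeout` and `charon.init_limit_half_open`) only make sense together, so the following added example models how they interact. It is not strongSwan code and the decision rules are assumptions derived from the one-line descriptions above, not a copy of charon's logic: entries older than `half_open_timeout` are expired; if `init_limit_half_open` is non-zero and that many IKE_SAs are half-open, a new IKE_SA_INIT is dropped; with `dos_protection` enabled, a peer IP that already has `block_threshold` half-open IKE_SAs is dropped, and once `cookie_threshold` half-open IKE_SAs exist globally an IKE_SA_INIT without a cookie is answered with a cookie request instead of creating state. Peer addresses and timings are constructed for the scenario.

```python
# Defaults as listed in this man page section (values are strings, as parsed
# from strongswan.conf).
DEFAULTS = {
    'charon.dos_protection': 'yes',
    'charon.cookie_threshold': '10',
    'charon.block_threshold': '5',
    'charon.init_limit_half_open': '0',
    'charon.half_open_timeout': '30',
}


class HalfOpenTracker:
    """Simplified model (assumption, not charon's implementation) of the
    responder-side accounting of half-open IKE_SAs."""

    def __init__(self, settings=None):
        cfg = dict(DEFAULTS)
        cfg.update(settings or {})
        self.dos_protection = cfg['charon.dos_protection'] == 'yes'
        self.cookie_threshold = int(cfg['charon.cookie_threshold'])
        self.block_threshold = int(cfg['charon.block_threshold'])
        self.init_limit = int(cfg['charon.init_limit_half_open'])
        self.timeout = int(cfg['charon.half_open_timeout'])
        self.half_open = {}        # sa_id -> (peer_ip, time of IKE_SA_INIT)
        self.next_id = 1

    def expire(self, now):
        """Forget half-open IKE_SAs that exceeded half_open_timeout."""
        stale = [i for i, (_, t) in self.half_open.items() if now - t >= self.timeout]
        for i in stale:
            del self.half_open[i]
        return len(stale)

    def per_peer(self, peer_ip):
        return sum(1 for ip, _ in self.half_open.values() if ip == peer_ip)

    def on_init(self, peer_ip, now, has_cookie=False):
        """Decide the fate of an IKE_SA_INIT; returns (decision, sa_id)."""
        self.expire(now)
        total = len(self.half_open)
        if self.init_limit and total >= self.init_limit:
            return 'drop:init_limit_half_open', None
        if self.dos_protection:
            if self.per_peer(peer_ip) >= self.block_threshold:
                return 'drop:block_threshold', None
            if total >= self.cookie_threshold and not has_cookie:
                return 'cookie', None        # challenge only, no state created
        sa_id = self.next_id
        self.next_id += 1
        self.half_open[sa_id] = (peer_ip, now)
        return 'accept', sa_id

    def on_established(self, sa_id):
        """IKE_AUTH completed: the IKE_SA is no longer half-open."""
        self.half_open.pop(sa_id, None)


def run_scenario(settings=None):
    """Constructed scenario: one peer leaves many IKE_SAs half-open, then a
    dozen other peers do the same, then a legitimate peer connects."""
    tracker = HalfOpenTracker(settings)
    decisions = [tracker.on_init('198.51.100.7', now=t)[0] for t in range(7)]
    for i in range(12):
        decisions.append(tracker.on_init('203.0.113.%d' % i, now=10)[0])
    # legitimate peer: first INIT is challenged, the retry carries the cookie
    decisions.append(tracker.on_init('192.0.2.50', now=11)[0])
    decision, sa_id = tracker.on_init('192.0.2.50', now=11, has_cookie=True)
    decisions.append(decision)
    tracker.on_established(sa_id)   # IKE_AUTH done, entry removed
    # after half_open_timeout the stale entries have been expired
    decisions.append(tracker.on_init('192.0.2.51', now=45)[0])
    return decisions


if __name__ == '__main__':
    for d in run_scenario():
        print(d)
```

With the defaults, the single peer is cut off at 5 half-open IKE_SAs (`block_threshold`) while the distributed peers only trigger the cookie exchange once 10 are outstanding (`cookie_threshold`); setting `charon.dos_protection = no` removes both checks, and `charon.init_limit_half_open` is the hard cap that applies even to initiators that return a valid cookie.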
320 | .SS charon.plugins subsection | |
321 | .TP | |
162621ed | 322 | .BR charon.plugins.android_log.loglevel " [1]" |
41f525be TB |
323 | Loglevel for logging to Android specific logger |
324 | .TP | |
325 | .BR charon.plugins.attr | |
326 | Section to specify arbitrary attributes that are assigned to a peer via | |
327 | configuration payload (CP) | |
328 | .TP | |
629cdca8 TB |
329 | .BR charon.plugins.certexpire.csv.cron |
330 | Cron style string specifying CSV export times | |
331 | .TP | |
332 | .BR charon.plugins.certexpire.csv.local | |
333 | strftime(3) format string for the CSV file name to export local certificates to | |
334 | .TP | |
335 | .BR charon.plugins.certexpire.csv.remote | |
336 | strftime(3) format string for the CSV file name to export remote certificates to | |
337 | .TP | |
338 | .BR charon.plugins.certexpire.csv.separator " [,]" | |
339 | CSV field separator | |
340 | .TP | |
341 | .BR charon.plugins.certexpire.csv.empty_string | |
342 | String to use in empty intermediate CA fields | |
343 | .TP | |
344 | .BR charon.plugins.certexpire.csv.format " [%d:%m:%Y]" | |
345 | strftime(3) format string to export expiration dates as | |
346 | .TP | |
347 | .BR charon.plugins.certexpire.csv.fixed_fields " [yes]" | |
348 | Use a fixed intermediate CA field count | |
349 | .TP | |
350 | .BR charon.plugins.coupling.file | |
351 | File to store coupling list to | |
352 | .TP | |
353 | .BR charon.plugins.coupling.hash " [sha1]" | |
354 | Hashing algorithm to fingerprint coupled certificates | |
355 | .TP | |
356 | .BR charon.plugins.coupling.max " [1]" | |
357 | Maximum number of coupling entries to create | |
358 | .TP | |
bc6ec4de TB |
359 | .BR charon.plugins.dhcp.force_server_address " [no]" |
360 | Always use the configured server address. This might be helpful if the DHCP | |
361 | server runs on the same host as strongSwan, and the DHCP daemon does not listen | |
362 | on the loopback interface. In that case the server cannot be reached via | |
363 | unicast (or even 255.255.255.255) as that would be routed via loopback. | |
364 | Setting this option to yes and configuring the local broadcast address (e.g. | |
365 | 192.168.0.255) as server address might work. | |
366 | .TP | |
320cecd2 TB |
367 | .BR charon.plugins.dhcp.identity_lease " [no]" |
368 | Derive user-defined MAC address from hash of IKEv2 identity | |
369 | .TP | |
370 | .BR charon.plugins.dhcp.server " [255.255.255.255]" | |
371 | DHCP server unicast or broadcast IP address | |
372 | .TP | |
e236ed1e | 373 | .BR charon.plugins.duplicheck.enable " [yes]" |
629cdca8 | 374 | Enable duplicheck plugin (if loaded) |
e236ed1e | 375 | .TP |
320cecd2 | 376 | .BR charon.plugins.eap-aka.request_identity " [yes]" |
41f525be | 377 | |
320cecd2 TB |
378 | .TP |
379 | .BR charon.plugins.eap-aka-3ggp2.seq_check | |
41f525be | 380 | |
5f6ef5d5 TB |
381 | .TP |
382 | .BR charon.plugins.eap-dynamic.preferred | |
383 | The preferred EAP method(s) to be used. If it is not given, the first | |
384 | registered method will be used initially. If a comma-separated list is given, | |
385 | the methods are tried in the given order before trying the rest of the | |
386 | registered methods. | |
387 | .TP | |
388 | .BR charon.plugins.eap-dynamic.prefer_user " [no]" | |
389 | If enabled, the EAP methods proposed in an EAP-Nak message sent by the peer are | |
390 | preferred over the methods registered locally. | |
320cecd2 | 391 | .TP |
9ede42e1 TB |
392 | .BR charon.plugins.eap-gtc.backend " [pam]" |
393 | XAuth backend to be used for credential verification | |
01b39fe9 AS |
394 | .TP |
395 | .BR charon.plugins.eap-peap.fragment_size " [1024]" | |
396 | Maximum size of an EAP-PEAP packet | |
397 | .TP | |
398 | .BR charon.plugins.eap-peap.max_message_count " [32]" | |
3bd452f8 | 399 | Maximum number of processed EAP-PEAP packets (0 = no limit) |
01b39fe9 | 400 | .TP |
2778b664 AS |
401 | .BR charon.plugins.eap-peap.include_length " [no]" |
402 | Include length in non-fragmented EAP-PEAP packets | |
403 | .TP | |
01b39fe9 AS |
404 | .BR charon.plugins.eap-peap.phase2_method " [mschapv2]" |
405 | Phase2 EAP client authentication method | |
406 | .TP | |
407 | .BR charon.plugins.eap-peap.phase2_piggyback " [no]" | |
408 | Phase2 EAP Identity request piggybacked by server onto TLS Finished message | |
409 | .TP | |
410 | .BR charon.plugins.eap-peap.phase2_tnc " [no]" | |
411 | Start phase2 EAP TNC protocol after successful client authentication | |
412 | .TP | |
413 | .BR charon.plugins.eap-peap.request_peer_auth " [no]" | |
414 | Request peer authentication based on a client certificate | |
503dee4d MW |
415 | .TP |
416 | .BR charon.plugins.eap-radius.accounting " [no]" | |
417 | Send RADIUS accounting information to RADIUS servers. | |
320cecd2 | 418 | .TP |
41f525be TB |
419 | .BR charon.plugins.eap-radius.class_group " [no]" |
420 | Use the | |
421 | .I class | |
422 | attribute sent in the RADIUS-Accept message as group membership information that | |
423 | is compared to the groups specified in the | |
424 | .B rightgroups | |
425 | option in | |
426 | .B ipsec.conf (5). | |
427 | .TP | |
96ad2b17 TB |
428 | .BR charon.plugins.eap-radius.close_all_on_timeout " [no]" |
429 | Closes all IKE_SAs if communication with the RADIUS server times out. If it is | |
430 | not set, only the current IKE_SA is closed. | |
431 | .TP | |
629cdca8 TB |
432 | .BR charon.plugins.eap-radius.dae.enable " [no]" |
433 | Enables support for the Dynamic Authorization Extension (RFC 5176) | |
434 | .TP | |
435 | .BR charon.plugins.eap-radius.dae.listen " [0.0.0.0]" | |
436 | Address to listen for DAE messages from the RADIUS server | |
437 | .TP | |
438 | .BR charon.plugins.eap-radius.dae.port " [3799]" | |
439 | Port to listen for DAE requests | |
440 | .TP | |
441 | .BR charon.plugins.eap-radius.dae.secret | |
442 | Shared secret used to verify/sign DAE messages | |
443 | .TP | |
41f525be TB |
444 | .BR charon.plugins.eap-radius.eap_start " [no]" |
445 | Send EAP-Start instead of EAP-Identity to start RADIUS conversation | |
446 | .TP | |
f2b1aa49 AS |
447 | .BR charon.plugins.eap-radius.filter_id " [no]" |
448 | If the RADIUS | |
449 | .I tunnel_type | |
450 | attribute with value | |
451 | .B ESP | |
452 | is received, use the | |
94c0e834 | 453 | .I filter_id |
f2b1aa49 AS |
454 | attribute sent in the RADIUS-Accept message as group membership information that |
455 | is compared to the groups specified in the | |
456 | .B rightgroups | |
457 | option in | |
458 | .B ipsec.conf (5). | |
459 | .TP | |
629cdca8 TB |
460 | .BR charon.plugins.eap-radius.forward.ike_to_radius |
461 | RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by | |
462 | name or attribute number, a colon can be used to specify vendor-specific | |
463 | attributes, e.g. Reply-Message, or 11, or 36906:12). | |
464 | .TP | |
465 | .BR charon.plugins.eap-radius.forward.radius_to_ike | |
358104a4 TB |
466 | Same as |
467 | .B charon.plugins.eap-radius.forward.ike_to_radius | |
468 | but from RADIUS to | |
629cdca8 TB |
469 | IKEv2; a strongSwan-specific private notify (40969) is used to transmit the |
470 | attributes. | |
471 | .TP | |
41f525be TB |
472 | .BR charon.plugins.eap-radius.id_prefix |
473 | Prefix to EAP-Identity; some AAA servers use an IMSI prefix to select the | |
474 | EAP method | |
475 | .TP | |
476 | .BR charon.plugins.eap-radius.nas_identifier " [strongSwan]" | |
477 | NAS-Identifier to include in RADIUS messages | |
478 | .TP | |
479 | .BR charon.plugins.eap-radius.port " [1812]" | |
480 | Port of RADIUS server (authentication) | |
481 | .TP | |
320cecd2 TB |
482 | .BR charon.plugins.eap-radius.secret |
483 | Shared secret between RADIUS and NAS | |
484 | .TP | |
485 | .BR charon.plugins.eap-radius.server | |
486 | IP/Hostname of RADIUS server | |
487 | .TP | |
41f525be TB |
488 | .BR charon.plugins.eap-radius.servers |
489 | Section to specify multiple RADIUS servers. The | |
490 | .BR nas_identifier , | |
491 | .BR secret , | |
492 | .B sockets | |
493 | and | |
494 | .B port | |
358104a4 TB |
495 | (or |
496 | .BR auth_port ) | |
41f525be TB |
497 | options can be specified for each server. A server's IP/Hostname can be |
498 | configured using the | |
499 | .B address | |
358104a4 TB |
500 | option. The |
501 | .BR acct_port " [1813]" | |
502 | option can be used to specify the port used for RADIUS accounting. | |
503 | For each RADIUS server a priority can be specified using the | |
41f525be TB |
504 | .BR preference " [0]" |
505 | option. | |
506 | .TP | |
507 | .BR charon.plugins.eap-radius.sockets " [1]" | |
320cecd2 TB |
508 | Number of sockets (ports) to use, increase for high load |
509 | .TP | |
41f525be TB |
510 | .BR charon.plugins.eap-sim.request_identity " [yes]" |
511 | ||
320cecd2 | 512 | .TP |
41f525be TB |
513 | .BR charon.plugins.eap-simaka-sql.database |
514 | ||
320cecd2 | 515 | .TP |
629cdca8 | 516 | .BR charon.plugins.eap-simaka-sql.remove_used " [no]" |
320cecd2 TB |
517 | |
518 | .TP | |
519 | .BR charon.plugins.eap-tls.fragment_size " [1024]" | |
520 | Maximum size of an EAP-TLS packet | |
521 | .TP | |
522 | .BR charon.plugins.eap-tls.max_message_count " [32]" | |
3bd452f8 | 523 | Maximum number of processed EAP-TLS packets (0 = no limit) |
320cecd2 | 524 | .TP |
2778b664 AS |
525 | .BR charon.plugins.eap-tls.include_length " [yes]" |
526 | Include length in non-fragmented EAP-TLS packets | |
527 | .TP | |
aff81d3b | 528 | .BR charon.plugins.eap-tnc.max_message_count " [10]" |
3bd452f8 | 529 | Maximum number of processed EAP-TNC packets (0 = no limit) |
41f525be | 530 | .TP |
c8aabefd AS |
531 | .BR charon.plugins.eap-tnc.protocol " [tnccs-1.1]" |
532 | IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic) | |
533 | .TP | |
320cecd2 TB |
534 | .BR charon.plugins.eap-ttls.fragment_size " [1024]" |
535 | Maximum size of an EAP-TTLS packet | |
536 | .TP | |
537 | .BR charon.plugins.eap-ttls.max_message_count " [32]" | |
3bd452f8 | 538 | Maximum number of processed EAP-TTLS packets (0 = no limit) |
320cecd2 | 539 | .TP |
2778b664 AS |
540 | .BR charon.plugins.eap-ttls.include_length " [yes]" |
541 | Include length in non-fragmented EAP-TTLS packets | |
542 | .TP | |
320cecd2 TB |
543 | .BR charon.plugins.eap-ttls.phase2_method " [md5]" |
544 | Phase2 EAP client authentication method | |
545 | .TP | |
546 | .BR charon.plugins.eap-ttls.phase2_piggyback " [no]" | |
547 | Phase2 EAP Identity request piggybacked by server onto TLS Finished message | |
548 | .TP | |
aff81d3b AS |
549 | .BR charon.plugins.eap-ttls.phase2_tnc " [no]" |
550 | Start phase2 EAP TNC protocol after successful client authentication | |
551 | .TP | |
320cecd2 TB |
552 | .BR charon.plugins.eap-ttls.request_peer_auth " [no]" |
553 | Request peer authentication based on a client certificate | |
554 | .TP | |
96ad2b17 TB |
555 | .BR charon.plugins.ha.autobalance " [0]" |
556 | Interval in seconds to automatically balance handled segments between nodes. | |
557 | Set to 0 to disable. | |
558 | .TP | |
320cecd2 TB |
559 | .BR charon.plugins.ha.fifo_interface " [yes]" |
560 | ||
41f525be TB |
561 | .TP |
562 | .BR charon.plugins.ha.heartbeat_delay " [1000]" | |
563 | ||
564 | .TP | |
565 | .BR charon.plugins.ha.heartbeat_timeout " [2100]" | |
566 | ||
320cecd2 TB |
567 | .TP |
568 | .BR charon.plugins.ha.local | |
569 | ||
570 | .TP | |
571 | .BR charon.plugins.ha.monitor " [yes]" | |
572 | ||
41f525be TB |
573 | .TP |
574 | .BR charon.plugins.ha.pools | |
575 | ||
320cecd2 TB |
576 | .TP |
577 | .BR charon.plugins.ha.remote | |
94c0e834 | 578 | |
320cecd2 TB |
579 | .TP |
580 | .BR charon.plugins.ha.resync " [yes]" | |
581 | ||
582 | .TP | |
583 | .BR charon.plugins.ha.secret | |
584 | ||
585 | .TP | |
586 | .BR charon.plugins.ha.segment_count " [1]" | |
587 | ||
932717fb RG |
588 | .TP |
589 | .BR charon.plugins.ipseckey.enable " [no]" | |
590 | Enable the fetching of IPSECKEY RRs from the DNS | |
41f525be TB |
591 | .TP |
592 | .BR charon.plugins.led.activity_led | |
593 | ||
594 | .TP | |
595 | .BR charon.plugins.led.blink_time " [50]" | |
596 | ||
597 | .TP | |
598 | .BR charon.plugins.kernel-klips.ipsec_dev_count " [4]" | |
599 | Number of ipsecN devices | |
320cecd2 TB |
600 | .TP |
601 | .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" | |
602 | Set MTU of ipsecN device | |
603 | .TP | |
37873f99 TB |
604 | .BR charon.plugins.kernel-netlink.roam_events " [yes]" |
605 | Whether to trigger roam events when interfaces, addresses or routes change | |
606 | .TP | |
3f71c5d9 TB |
607 | .BR charon.plugins.load-tester |
608 | Section to configure the load-tester plugin, see LOAD TESTS | |
320cecd2 | 609 | .TP |
13de38e3 TB |
610 | .BR charon.plugins.radattr.dir |
611 | Directory where RADIUS attributes are stored in client-ID specific files. | |
612 | .TP | |
613 | .BR charon.plugins.radattr.message_id " [-1]" | |
614 | Attributes are added to all IKE_AUTH messages by default (-1), or only to the | |
615 | IKE_AUTH message with the given IKEv2 message ID. | |
616 | .TP | |
320cecd2 TB |
617 | .BR charon.plugins.resolve.file " [/etc/resolv.conf]" |
618 | File where to add DNS server entries | |
619 | .TP | |
ed2cab08 TB |
620 | .BR charon.plugins.resolve.resolvconf.iface_prefix " [lo.inet.ipsec.]" |
621 | Prefix used for interface names sent to resolvconf(8). The nameserver address | |
622 | is appended to this prefix to make it unique. The result has to be a valid | |
623 | interface name according to the rules defined by resolvconf. Also, it should | |
624 | have a high priority according to the order defined in interface-order(5). | |
625 | .TP | |
6fbf4472 TB |
626 | .BR charon.plugins.socket-default.set_source " [yes]" |
627 | Set source address on outbound packets, if possible. | |
628 | .TP | |
320cecd2 TB |
629 | .BR charon.plugins.sql.database |
630 | Database URI for charon's SQL plugin | |
631 | .TP | |
632 | .BR charon.plugins.sql.loglevel " [-1]" | |
633 | Loglevel for logging to SQL database | |
68de7267 | 634 | .TP |
9ec66bc1 TB |
635 | .BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]" |
636 | Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA | |
637 | certificates even if they don't contain a CA basic constraint. | |
638 | .TP | |
7c0c2349 TB |
639 | .BR charon.plugins.stroke.max_concurrent " [4]" |
640 | Maximum number of stroke messages handled concurrently | |
641 | .TP | |
96ad2b17 TB |
642 | .BR charon.plugins.stroke.timeout " [0]" |
643 | Timeout in ms for any stroke command. Use 0 to disable the timeout | |
644 | .TP | |
645 | .BR charon.plugins.systime-fix.interval " [0]" | |
646 | Interval in seconds to check system time for validity. 0 disables the check | |
647 | .TP | |
648 | .BR charon.plugins.systime-fix.reauth " [no]" | |
649 | Whether to use reauth or delete if an invalid cert lifetime is detected | |
650 | .TP | |
651 | .BR charon.plugins.systime-fix.threshold | |
652 | Threshold date where system time is considered valid. Disabled if not specified | |
653 | .TP | |
654 | .BR charon.plugins.systime-fix.threshold_format " [%Y]" | |
655 | strptime(3) format used to parse threshold option | |
656 | .TP | |
da217936 | 657 | .BR charon.plugins.tnccs-11.max_message_size " [45000]" |
be735f01 AS |
658 | Maximum size of a PA-TNC message (XML & Base64 encoding) |
659 | .TP | |
d7dcbc95 AS |
660 | .BR charon.plugins.tnccs-20.max_batch_size " [65522]" |
661 | Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) | |
662 | .TP | |
da217936 | 663 | .BR charon.plugins.tnccs-20.max_message_size " [65490]" |
be735f01 AS |
664 | Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) |
665 | .TP | |
0cf4dc53 AS |
666 | .BR charon.plugins.tnc-ifmap.client_cert |
667 | Path to X.509 certificate file of IF-MAP client | |
535798cf | 668 | .TP |
0cf4dc53 AS |
669 | .BR charon.plugins.tnc-ifmap.client_key |
670 | Path to private key file of IF-MAP client | |
535798cf | 671 | .TP |
0cf4dc53 AS |
672 | .BR charon.plugins.tnc-ifmap.device_name |
673 | Unique name of strongSwan server as a PEP and/or PDP device | |
535798cf | 674 | .TP |
1044710b AS |
675 | .BR charon.plugins.tnc-ifmap.renew_session_interval " [150]" |
676 | Interval in seconds between periodic IF-MAP RenewSession requests | |
677 | .TP | |
678 | .BR charon.plugins.tnc-ifmap.server_uri " [https://localhost:8444/imap]" | |
96ad2b17 TB |
679 | URI of the form [https://]servername[:port][/path] |
680 | .TP | |
681 | .BR charon.plugins.tnc-ifmap.server_cert | |
682 | Path to X.509 certificate file of IF-MAP server | |
683 | .TP | |
684 | .BR charon.plugins.tnc-ifmap.username_password | |
685 | Credentials of IF-MAP client of the form username:password | |
686 | .TP | |
133fb748 AS |
687 | .BR charon.plugins.tnc-imc.dlclose " [yes]" |
688 | Unload IMC after use | |
689 | .TP | |
aff81d3b | 690 | .BR charon.plugins.tnc-imc.preferred_language " [en]" |
68de7267 AS |
691 | Preferred language for TNC recommendations |
692 | .TP | |
133fb748 AS |
693 | .BR charon.plugins.tnc-imv.dlclose " [yes]" |
694 | Unload IMV after use | |
695 | .TP | |
f673958e AS |
696 | .BR charon.plugins.tnc-pdp.method " [ttls]" |
697 | EAP tunnel method to be used | |
698 | .TP | |
699 | .BR charon.plugins.tnc-pdp.port " [1812]" | |
700 | RADIUS server port the strongSwan PDP is listening on | |
701 | .TP | |
702 | .BR charon.plugins.tnc-pdp.secret | |
703 | Shared RADIUS secret between strongSwan PDP and NAS | |
704 | .TP | |
705 | .BR charon.plugins.tnc-pdp.server | |
629cdca8 TB |
706 | Name of the strongSwan PDP as contained in the AAA certificate |
707 | .TP | |
96ad2b17 TB |
708 | .BR charon.plugins.tnc-pdp.timeout |
709 | Timeout in seconds before closing incomplete connections | |
710 | .TP | |
629cdca8 TB |
711 | .BR charon.plugins.updown.dns_handler " [no]" |
712 | Whether the updown script should handle DNS servers assigned via IKEv1 Mode | |
713 | Config or IKEv2 Config Payloads (if enabled they can't be handled by other | |
714 | plugins, like resolve) | |
f673958e | 715 | .TP |
e236ed1e | 716 | .BR charon.plugins.whitelist.enable " [yes]" |
629cdca8 TB |
717 | Enable loaded whitelist plugin |
718 | .TP | |
719 | .BR charon.plugins.xauth-eap.backend " [radius]" | |
720 | EAP plugin to be used as backend for XAuth credential verification | |
9ede42e1 TB |
721 | .TP |
722 | .BR charon.plugins.xauth-pam.pam_service " [login]" | |
723 | PAM service to be used for authentication | |
320cecd2 TB |
.SS libstrongswan section
.TP
.BR libstrongswan.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory
.TP
.BR libstrongswan.crypto_test.bench " [no]"

.TP
.BR libstrongswan.crypto_test.bench_size " [1024]"

.TP
.BR libstrongswan.crypto_test.bench_time " [50]"

.TP
.BR libstrongswan.crypto_test.on_add " [no]"
Test crypto algorithms during registration
.TP
.BR libstrongswan.crypto_test.on_create " [no]"
Test crypto algorithms on each crypto primitive instantiation
.TP
.BR libstrongswan.crypto_test.required " [no]"
Strictly require at least one test vector to enable an algorithm
.TP
.BR libstrongswan.crypto_test.rng_true " [no]"
Whether to test RNG with TRUE quality; requires a lot of entropy
.TP
.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
strength
.TP
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
.BR libstrongswan.host_resolver.max_threads " [3]"
Maximum number of concurrent resolver threads (they are terminated if unused)
.TP
.BR libstrongswan.host_resolver.min_threads " [0]"
Minimum number of resolver threads to keep around
.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
.TP
.BR libstrongswan.leak_detective.usage_threshold " [10240]"
Threshold in bytes for leaks to be reported (0 to report all)
.TP
.BR libstrongswan.processor.priority_threads
Subsection to configure the number of reserved threads per priority class
(see JOB PRIORITY MANAGEMENT)
.TP
.BR libstrongswan.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
Database URI for attr-sql plugin used by charon
.TP
.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
Enable logging of SQL IP pool leases
.TP
.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
.TP
.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.openssl.fips_mode " [0]"
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
.TP
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
Whether to load certificates from tokens
.TP
.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
Reload certificates from all tokens if charon receives a SIGHUP
.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
operations. ECDSA private keys can be used regardless of this option
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
Whether the PKCS#11 modules should be used to hash data
.TP
.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
Whether the PKCS#11 modules should be used for public key operations, even for
keys not stored on tokens
.TP
.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
Whether the PKCS#11 modules should be used as RNG
.TP
.BR libstrongswan.plugins.random.random " [@DEV_RANDOM@]"
File to read random bytes from, instead of @DEV_RANDOM@
.TP
.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
File to read pseudo random bytes from, instead of @DEV_URANDOM@
.TP
.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
File to read DNS resolver configuration from
.TP
.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
TNC IMC/IMV configuration directory
.SS libimcv section
.TP
.BR libimcv.assessment_result " [yes]"
Whether IMVs send a standard IETF Assessment Result attribute
.TP
.BR libimcv.debug_level " [1]"
Debug level for a stand-alone libimcv library
.TP
.BR libimcv.stderr_quiet " [no]"
Disable output to stderr with a stand-alone libimcv library
.TP
.BR libimcv.os_info.name
Manually set the name of the client OS (e.g. Ubuntu)
.TP
.BR libimcv.os_info.version
Manually set the version of the client OS (e.g. 12.04 i686)
.SS libimcv plugins section
.TP
.BR libimcv.plugins.imc-attestation.aik_blob
AIK encrypted private key blob file
.TP
.BR libimcv.plugins.imc-attestation.aik_cert
AIK certificate file
.TP
.BR libimcv.plugins.imc-attestation.aik_key
AIK public key file
.TP
.BR libimcv.plugins.imv-attestation.nonce_len " [20]"
DH nonce length
.TP
.BR libimcv.plugins.imv-attestation.use_quote2 " [yes]"
Use Quote2 AIK signature instead of Quote signature
.TP
.BR libimcv.plugins.imv-attestation.cadir
Path to directory with AIK cacerts
.TP
.BR libimcv.plugins.imv-attestation.database
Path to database with file measurement information
.TP
.BR libimcv.plugins.imv-attestation.dh_group " [ecp256]"
Preferred Diffie-Hellman group
.TP
.BR libimcv.plugins.imv-attestation.hash_algorithm " [sha256]"
Preferred measurement hash algorithm
.TP
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
.BR libimcv.plugins.imv-attestation.remediation_uri
URI pointing to attestation remediation instructions
.TP
.BR libimcv.plugins.imc-os.push_info " [yes]"
Send operating system info without being prompted
.TP
.BR libimcv.plugins.imv-os.database
Database URI for the database that stores operating system information
.TP
.BR libimcv.plugins.imv-os.remediation_uri
URI pointing to operating system remediation instructions
.TP
.BR libimcv.plugins.imc-scanner.push_info " [yes]"
Send open listening ports without being prompted
.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
.BR libimcv.plugins.imv-scanner.remediation_uri
URI pointing to scanner remediation instructions
.TP
.BR libimcv.plugins.imv-scanner.tcp_ports
List of TCP ports that can be open or must be closed
.TP
.BR libimcv.plugins.imv-scanner.udp_ports
List of UDP ports that can be open or must be closed
.TP
.BR libimcv.plugins.imc-test.additional_ids " [0]"
Number of additional IMC IDs
.TP
.BR libimcv.plugins.imc-test.command " [none]"
Command to be sent to the Test IMV
.TP
.BR libimcv.plugins.imc-test.dummy_size " [0]"
Size of dummy attribute to be sent to the Test IMV (0 = disabled)
.TP
.BR libimcv.plugins.imc-test.retry " [no]"
Do a handshake retry
.TP
.BR libimcv.plugins.imc-test.retry_command
Command to be sent to the Test IMV in the handshake retry
.TP
.BR libimcv.plugins.imv-test.remediation_uri
URI pointing to test remediation instructions
.TP
.BR libimcv.plugins.imv-test.rounds " [0]"
Number of IMC-IMV retry rounds
.SS libtls section
.TP
.BR libtls.cipher
List of TLS encryption ciphers
.TP
.BR libtls.key_exchange
List of TLS key exchange methods
.TP
.BR libtls.mac
List of TLS MAC algorithms
.TP
.BR libtls.suites
List of TLS cipher suites
.SS manager section
.TP
.BR manager.database
Credential database URI for manager
.TP
.BR manager.debug " [no]"
Enable debugging in manager
.TP
.BR manager.load
Plugins to load in manager
.TP
.BR manager.socket
FastCGI socket of manager, to run it statically
.TP
.BR manager.threads " [10]"
Threads to use for request handling
.TP
.BR manager.timeout " [15m]"
Session timeout for manager
.SS mediation client section
.TP
.BR medcli.database
Mediation client database URI
.TP
.BR medcli.dpd " [5m]"
DPD timeout to use in mediation client plugin
.TP
.BR medcli.rekey " [20m]"
Rekeying time on mediation connections in mediation client plugin
.SS mediation server section
.TP
.BR medsrv.database
Mediation server database URI
.TP
.BR medsrv.debug " [no]"
Debugging in mediation server web application
.TP
.BR medsrv.dpd " [5m]"
DPD timeout to use in mediation server plugin
.TP
.BR medsrv.load
Plugins to load in mediation server plugin
.TP
.BR medsrv.password_length " [6]"
Minimum password length required for mediation server user accounts
.TP
.BR medsrv.rekey " [20m]"
Rekeying time on mediation connections in mediation server plugin
.TP
.BR medsrv.socket
Run mediation server web application statically on socket
.TP
.BR medsrv.threads " [5]"
Number of threads for mediation service web application
.TP
.BR medsrv.timeout " [15m]"
Session timeout for mediation service
.SS openac section
.TP
.BR openac.load
Plugins to load in ipsec openac tool
.SS pacman section
.TP
.BR pacman.database
Database URI for the database that stores the package information
.SS pki section
.TP
.BR pki.load
Plugins to load in ipsec pki tool
.SS pool section
.TP
.BR pool.load
Plugins to load in ipsec pool tool
.SS scepclient section
.TP
.BR scepclient.load
Plugins to load in ipsec scepclient tool
.SS starter section
.TP
.BR starter.load
Plugins to load in starter
.TP
.BR starter.load_warning " [yes]"
Disable charon plugin load option warning

.SH LOGGER CONFIGURATION
The options described below provide a much more flexible way to configure
loggers for the IKEv2 daemon charon than using the
.B charondebug
option in
.BR ipsec.conf (5).
.PP
.B Please note
that if any loggers are specified in strongswan.conf,
.B charondebug
does not have any effect.
.PP
There are currently two types of loggers defined:
.TP
.B File loggers
Log directly to a file and are defined by specifying the full path to the
file as subsection in the
.B charon.filelog
section. To log to the console the two special filenames
.BR stdout " and " stderr
can be used.
.TP
.B Syslog loggers
Log into a syslog facility and are defined by specifying the facility to log to
as the name of a subsection in the
.B charon.syslog
section. The following facilities are currently supported:
.BR daemon " and " auth .
.PP
Multiple loggers can be defined for each type with different log verbosity for
the different subsystems of the daemon.
.SS Options
.TP
.BR charon.filelog.<filename>.default " [1]"
.TQ
.BR charon.syslog.<facility>.default
Specifies the default loglevel to be used for subsystems for which no specific
loglevel is defined.
.TP
.BR charon.filelog.<filename>.<subsystem> " [<default>]"
.TQ
.BR charon.syslog.<facility>.<subsystem>
Specifies the loglevel for the given subsystem.
.TP
.BR charon.filelog.<filename>.append " [yes]"
If this option is enabled log entries are appended to the existing file.
.TP
.BR charon.filelog.<filename>.flush_line " [no]"
Enabling this option disables block buffering and enables line buffering.
.TP
.BR charon.filelog.<filename>.ike_name " [no]"
.TQ
.BR charon.syslog.<facility>.ike_name
Prefix each log entry with the connection name and a unique numerical
identifier for each IKE_SA.
.TP
.BR charon.filelog.<filename>.time_format
Prefix each log entry with a timestamp. The option accepts a format string as
passed to
.BR strftime (3).
.TP
.BR charon.syslog.identifier
Global identifier used for an
.BR openlog (3)
call, prepended to each log message by syslog. If not configured,
.BR openlog (3)
is not called, so the value will depend on system defaults (often the program
name).

.SS Subsystems
.TP
.B dmn
Main daemon setup/cleanup/signal handling
.TP
.B mgr
IKE_SA manager, handling synchronization for IKE_SA access
.TP
.B ike
IKE_SA
.TP
.B chd
CHILD_SA
.TP
.B job
Jobs queueing/processing and thread pool management
.TP
.B cfg
Configuration management and plugins
.TP
.B knl
IPsec/Networking kernel interface
.TP
.B net
IKE network communication
.TP
.B asn
Low-level encoding/decoding (ASN.1, X.509 etc.)
.TP
.B enc
Packet encoding/decoding, encryption/decryption operations
.TP
.B tls
libtls library messages
.TP
.B esp
libipsec library messages
.TP
.B lib
libstrongswan library messages
.TP
.B tnc
Trusted Network Connect
.TP
.B imc
Integrity Measurement Collector
.TP
.B imv
Integrity Measurement Verifier
.TP
.B pts
Platform Trust Service
.SS Loglevels
.TP
.B -1
Absolutely silent
.TP
.B 0
Very basic auditing logs (e.g. SA up/SA down)
.TP
.B 1
Generic control flow with errors, a good default to see what's going on
.TP
.B 2
More detailed debugging control flow
.TP
.B 3
Including RAW data dumps in Hex
.TP
.B 4
Also include sensitive material in dumps, e.g. keys
.SS Example
.PP
.EX
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
.EE

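The resolution rule for the two option forms above (a subsystem's own loglevel, else the logger's default, else 1) worked through in Python, as an added example that is not part of the man page or of strongSwan itself. It reads the logger configuration from the Example section with a minimal parser written to the grammar in the SYNTAX section, resolves the effective level of every subsystem per logger, and flags any logger whose level reaches 4, the level at which dumps include keys. The function names, the SUBSYSTEMS table (copied from the Subsystems list), and the second configuration with a forgotten level-4 setting are assumptions of the example, not anything the daemon provides.

```python
"""Added example (not strongSwan code): resolve effective loglevels from a
strongswan.conf logger section and flag loggers that would dump key material.

Assumptions: the parser is a minimal reimplementation of the SYNTAX grammar,
function names are hypothetical, SAMPLE_CONF mirrors the man page's Example
and DEBUG_CONF is a constructed variant of it."""

# Subsystem names, copied from the Subsystems list of the man page.
SUBSYSTEMS = ["dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
              "enc", "tls", "esp", "lib", "tnc", "imc", "imv", "pts"]
# Per-logger keys that are options rather than subsystem loglevels.
LOGGER_OPTIONS = {"default", "append", "flush_line", "ike_name", "time_format"}


def parse_conf(text):
    """Parse 'settings := (section|keyvalue)*' into nested dicts.

    '#' starts a comment, a value runs to end of line, and section names may
    contain '/' and '.' (e.g. /var/log/charon.log)."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("expected 'key = value': %r" % raw)
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return root


def effective_levels(logger):
    """Loglevel of every subsystem for one filelog/syslog logger: the
    subsystem's own key, else the logger's 'default', else 1."""
    default = int(logger.get("default", 1))
    return {sub: int(logger.get(sub, default)) for sub in SUBSYSTEMS}


def unknown_keys(logger):
    """Keys that are neither a documented subsystem nor a logger option,
    e.g. a misspelled subsystem name that sets no loglevel at all."""
    return [k for k in logger if k not in SUBSYSTEMS and k not in LOGGER_OPTIONS]


def all_loggers(conf):
    """Yield (kind, name, settings) for each charon.filelog/syslog logger."""
    charon = conf.get("charon", {})
    for kind in ("filelog", "syslog"):
        for name, settings in charon.get(kind, {}).items():
            if isinstance(settings, dict):
                yield kind, name, settings


def sensitive_loggers(conf, threshold=4):
    """Loggers with any subsystem at or above `threshold`; level 4 includes
    keys in its dumps, which a configuration review should catch."""
    findings = []
    for kind, name, settings in all_loggers(conf):
        hot = [s for s, lvl in effective_levels(settings).items()
               if lvl >= threshold]
        if hot:
            findings.append((kind, name, hot))
    return findings


SAMPLE_CONF = """\
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            append = no
            default = 1
        }
        stderr {
            ike = 2
            knl = 3
            ike_name = yes
        }
    }
    syslog {
        # enable logging to LOG_DAEMON, use defaults
        daemon {
        }
        # minimalistic IKE auditing logging to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
}
"""
# Constructed: the same file with a forgotten level-4 debug setting.
DEBUG_CONF = SAMPLE_CONF.replace("ike = 2", "ike = 2\n            enc = 4")

if __name__ == "__main__":
    for kind, name, settings in all_loggers(parse_conf(SAMPLE_CONF)):
        lv = effective_levels(settings)
        print("%s %s: ike=%d knl=%d lib=%d" % (kind, name, lv["ike"], lv["knl"], lv["lib"]))
    print("sensitive:", sensitive_loggers(parse_conf(DEBUG_CONF)))
```

Note that the `daemon` logger has no keys at all and still resolves every subsystem to 1, which is what "use defaults" in the Example means; the `auth` logger resolves everything to -1 except `ike`, so it records only the SA up/down audit lines.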
.SH JOB PRIORITY MANAGEMENT
Some operations in the IKEv2 daemon charon are currently implemented
synchronously and blocking. Two examples for such operations are communication
with a RADIUS server via EAP-RADIUS, or fetching CRL/OCSP information during
certificate chain verification. Under high load conditions, the thread pool may
run out of available threads, and some more important jobs, such as liveness
checking, may not get executed in time.
.PP
To prevent thread starvation in such situations, job priorities were introduced.
The job processor reserves some threads for higher priority jobs; these
threads are not available for lower priority, locking jobs.
.SS Implementation
Currently 4 priorities have been defined, and they are used in charon as
follows:
.TP
.B CRITICAL
Priority for long-running dispatcher jobs.
.TP
.B HIGH
INFORMATIONAL exchanges, as used by liveness checking (DPD).
.TP
.B MEDIUM
Everything not HIGH/LOW, including IKE_SA_INIT processing.
.TP
.B LOW
IKE_AUTH message processing. RADIUS and CRL fetching block here.
.PP
Although IKE_SA_INIT processing is computationally expensive, it is explicitly
assigned to the MEDIUM class. This allows charon to do the DH exchange while
other threads are blocked in IKE_AUTH. To prevent the daemon from accepting more
IKE_SA_INIT requests than it can handle, use IKE_SA_INIT DROPPING.
.PP
The thread pool processes jobs strictly by priority, meaning it will consume all
higher priority jobs before looking for ones with lower priority. Further, it
reserves threads for certain priorities. A priority class having reserved
.I n
threads will always have
.I n
threads available for this class (either currently processing a job, or waiting
for one).
.SS Configuration
To ensure that there are always enough threads available for higher priority
tasks, threads must be reserved for each priority class.
.TP
.BR libstrongswan.processor.priority_threads.critical " [0]"
Threads reserved for CRITICAL priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.high " [0]"
Threads reserved for HIGH priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.medium " [0]"
Threads reserved for MEDIUM priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.low " [0]"
Threads reserved for LOW priority class jobs
.PP
Let's consider the following configuration:
.PP
.EX
libstrongswan {
    processor {
        priority_threads {
            high = 1
            medium = 4
        }
    }
}
.EE
.PP
With this configuration, one thread is reserved for HIGH priority tasks. As
currently only liveness checking and stroke message processing is done with
high priority, one or two threads should be sufficient.
.PP
The MEDIUM class mostly processes non-blocking jobs. Unless your setup is
experiencing many blocks in locks while accessing shared resources, reserving
one to two threads per CPU core is fine.
.PP
It is usually not required to reserve threads for CRITICAL jobs. Jobs in this
class rarely return and do not release their thread to the pool.
.PP
The remaining threads are available for LOW priority jobs. Reserving threads
does not make sense (until we have an even lower priority).
.SS Monitoring
To see what the threads are actually doing, invoke
.IR "ipsec statusall" .
Under high load, something like this will show up:
.PP
.EX
worker threads: 2 of 32 idle, 5/1/2/22 working,
job queue: 0/0/1/149, scheduled: 198
.EE
.PP
Of the 32 worker threads,
.IP 2
are currently idle.
.IP 5
are running CRITICAL priority jobs (dispatching from sockets, etc.).
.IP 1
is currently handling a HIGH priority job. This is actually the thread currently
providing this information via stroke.
.IP 2
are handling MEDIUM priority jobs, likely IKE_SA_INIT or CREATE_CHILD_SA
messages.
.IP 22
are handling LOW priority jobs, probably waiting for an EAP-RADIUS response
while processing IKE_AUTH messages.
.PP
The job queue load shows how many jobs are queued for each priority, ready for
execution. The single MEDIUM priority job will get executed immediately, as
we have two spare threads reserved for MEDIUM class jobs.
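The reservation arithmetic of the last two subsections, as an added example written for this page rather than code taken from strongSwan: it parses the worker-threads line quoted under Monitoring (joined onto one line, counts in CRITICAL/HIGH/MEDIUM/LOW order) together with the priority_threads values from the Configuration subsection, and predicts which queued jobs can start without waiting. Idle threads that belong to a class's reservation are handed only to that class; whatever idle threads remain are given out strictly by priority. The function names and the second status line are constructed for the example.

```python
"""Added example (not strongSwan code): apply the thread-reservation rule from
JOB PRIORITY MANAGEMENT to an 'ipsec statusall' worker-threads line.

Assumptions: the line format is the one quoted under Monitoring; function
names are hypothetical; CONSTRUCTED_STATUS is made up for this example."""
import re

PRIORITIES = ("critical", "high", "medium", "low")   # highest first

STATUS_RE = re.compile(
    r"worker threads: (\d+) of (\d+) idle, (\d+)/(\d+)/(\d+)/(\d+) working, "
    r"job queue: (\d+)/(\d+)/(\d+)/(\d+), scheduled: (\d+)")


def parse_status(line):
    """Return {idle, total, working{prio}, queued{prio}, scheduled}."""
    m = STATUS_RE.search(line)
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    n = [int(x) for x in m.groups()]
    status = {"idle": n[0], "total": n[1],
              "working": dict(zip(PRIORITIES, n[2:6])),
              "queued": dict(zip(PRIORITIES, n[6:10])),
              "scheduled": n[10]}
    if status["idle"] + sum(status["working"].values()) != status["total"]:
        raise ValueError("idle + working threads do not add up to pool size")
    return status


def reserved_idle(status, reserved):
    """Idle threads held back per class: a class with n reserved threads
    always has n threads either working for it or waiting for it."""
    return {p: max(0, reserved.get(p, 0) - status["working"][p])
            for p in PRIORITIES}


def immediate_starts(status, reserved):
    """Number of queued jobs per class that start without waiting.

    Held-back idle threads serve only their own class; the remaining idle
    threads are handed out in strict priority order."""
    held = reserved_idle(status, reserved)
    free = status["idle"] - sum(held.values())
    if free < 0:
        raise ValueError("reserved idle threads exceed idle threads")
    starts = {}
    for p in PRIORITIES:
        n = min(status["queued"][p], held[p] + free)
        free -= max(0, n - held[p])   # only the overflow uses free threads
        starts[p] = n
    return starts


# Status line quoted under Monitoring, joined onto one line, and the
# priority_threads configuration from the Configuration subsection.
MAN_PAGE_STATUS = ("worker threads: 2 of 32 idle, 5/1/2/22 working, "
                   "job queue: 0/0/1/149, scheduled: 198")
RESERVED = {"high": 1, "medium": 4}

# Constructed: idle threads exist, but all belong to the HIGH and MEDIUM
# reservations, so the LOW queue keeps waiting even though the pool is not full.
CONSTRUCTED_STATUS = ("worker threads: 4 of 16 idle, 1/0/1/10 working, "
                      "job queue: 0/1/0/5, scheduled: 12")

if __name__ == "__main__":
    for line in (MAN_PAGE_STATUS, CONSTRUCTED_STATUS):
        st = parse_status(line)
        print(line)
        print("  idle held for:", reserved_idle(st, RESERVED))
        print("  starts now:   ", immediate_starts(st, RESERVED))
```

For the man page's own line the two idle threads are exactly the unused part of the MEDIUM reservation, so the single MEDIUM job starts at once and the 149 LOW jobs wait, which is the conclusion the text draws. The constructed line shows the other side of the rule: idle threads are not the same as available threads when they belong to a reservation.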

.SH IKE_SA_INIT DROPPING
If a responder receives more connection requests per second than it can handle,
it does not make sense to accept more IKE_SA_INIT messages. And if they are
queued but can't get processed in time, an answer might be sent after the
client has already given up and restarted its connection setup. This
additionally increases the load on the responder.
.PP
To limit the responder load resulting from new connection attempts, the daemon
can drop IKE_SA_INIT messages just after reception. There are two mechanisms to
decide if this should happen, configured with the following options:
.TP
.BR charon.init_limit_half_open " [0]"
Limit based on the number of half open IKE_SAs. Half open IKE_SAs are SAs in
connecting state, but not yet established.
.TP
.BR charon.init_limit_job_load " [0]"
Limit based on the number of jobs currently queued for processing (sum over all
job priorities).
.PP
The second limit includes load from other jobs, such as rekeying. Choosing a
good value is difficult and depends on the hardware and expected load.
.PP
The first limit is simpler to calculate, but includes the load from new
connections only. If your responder is capable of negotiating 100 tunnels/s, you
might set this limit to 1000. The daemon will then drop new connection attempts
if generating a response would require more than 10 seconds. If you are
allowing for a maximum response time of more than 30 seconds, consider adjusting
the timeout for connecting IKE_SAs
.RB ( charon.half_open_timeout ).
A responder, by default, deletes an IKE_SA if the initiator does not establish
it within 30 seconds. Under high load, a higher value might be required.

3f71c5d9 TB |
1341 | .SH LOAD TESTS |
1342 | To do stability testing and performance optimizations, the IKEv2 daemon charon | |
629cdca8 | 1343 | provides the load-tester plugin. This plugin allows one to setup thousands of |
3f71c5d9 TB |
1344 | tunnels concurrently against the daemon itself or a remote host. |
1345 | .PP | |
1346 | .B WARNING: | |
1347 | Never enable the load-testing plugin on productive systems. It provides | |
1348 | preconfigured credentials and allows an attacker to authenticate as any user. | |
1349 | .SS Options | |
1350 | .TP | |
c186b394 TB |
1351 | .BR charon.plugins.load-tester.addrs |
1352 | Subsection that contains key/value pairs with address pools (in CIDR notation) | |
1353 | to use for a specific network interface e.g. eth0 = 10.10.0.0/16 | |
1354 | .TP | |
96ad2b17 TB |
1355 | .BR charon.plugins.load-tester.addrs_keep " [no]" |
1356 | Whether to keep dynamic addresses even after the associated SA got terminated | |
1357 | .TP | |
c186b394 TB |
1358 | .BR charon.plugins.load-tester.addrs_prefix " [16]" |
1359 | Network prefix length to use when installing dynamic addresses. If set to -1 the | |
1360 | full address is used (i.e. 32 or 128) | |
1361 | .TP | |
1362 | .BR charon.plugins.load-tester.ca_dir | |
1363 | Directory to load (intermediate) CA certificates from | |
1364 | .TP | |
3f71c5d9 TB |
1365 | .BR charon.plugins.load-tester.child_rekey " [600]" |
1366 | Seconds to start CHILD_SA rekeying after setup | |
1367 | .TP | |
1368 | .BR charon.plugins.load-tester.delay " [0]" | |
1369 | Delay between initiatons for each thread | |
1370 | .TP | |
1371 | .BR charon.plugins.load-tester.delete_after_established " [no]" | |
1372 | Delete an IKE_SA as soon as it has been established | |
1373 | .TP | |
c186b394 TB |
1374 | .BR charon.plugins.load-tester.digest " [sha1]" |
1375 | Digest algorithm used when issuing certificates | |
1376 | .TP | |
35572811 TB |
1377 | .BR charon.plugins.load-tester.dpd_delay " [0]" |
1378 | DPD delay to use in load test | |
1379 | .TP | |
41f525be TB |
1380 | .BR charon.plugins.load-tester.dynamic_port " [0]" |
1381 | Base port to be used for requests (each client uses a different port) | |
1382 | .TP | |
35572811 TB |
1383 | .BR charon.plugins.load-tester.eap_password " [default-pwd]" |
1384 | EAP secret to use in load test | |
1385 | .TP | |
3f71c5d9 TB |
1386 | .BR charon.plugins.load-tester.enable " [no]" |
1387 | Enable the load testing plugin | |
1388 | .TP | |
96ad2b17 TB |
1389 | .BR charon.plugins.load-tester.esp " [aes128-sha1]" |
1390 | CHILD_SA proposal to use for load tests | |
1391 | .TP | |
3f71c5d9 TB |
1392 | .BR charon.plugins.load-tester.fake_kernel " [no]" |
1393 | Fake the kernel interface to allow load-testing against self | |
1394 | .TP | |
1395 | .BR charon.plugins.load-tester.ike_rekey " [0]" | |
1396 | Seconds to start IKE_SA rekeying after setup | |
1397 | .TP | |
35572811 TB |
1398 | .BR charon.plugins.load-tester.init_limit " [0]" |
1399 | Global limit of concurrently established SAs during load test | |
1400 | .TP | |
c186b394 TB |
1401 | .BR charon.plugins.load-tester.initiator " [0.0.0.0]" |
1402 | Address to initiate from | |
1403 | .TP | |
3f71c5d9 TB |
1404 | .BR charon.plugins.load-tester.initiators " [0]" |
1405 | Number of concurrent initiator threads to use in load test | |
1406 | .TP | |
1407 | .BR charon.plugins.load-tester.initiator_auth " [pubkey]" | |
1408 | Authentication method(s) the intiator uses | |
1409 | .TP | |
35572811 TB |
1410 | .BR charon.plugins.load-tester.initiator_id |
1411 | Initiator ID used in load test | |
1412 | .TP | |
c186b394 | 1413 | .BR charon.plugins.load-tester.initiator_match |
9d9410e7 | 1414 | Initiator ID to match against as responder |
c186b394 TB |
1415 | .TP |
1416 | .BR charon.plugins.load-tester.initiator_tsi | |
1417 | Traffic selector on initiator side, as proposed by initiator | |
1418 | .TP | |
1419 | .BR charon.plugins.load-tester.initiator_tsr | |
1420 | Traffic selector on responder side, as proposed by initiator | |
1421 | .TP | |
3f71c5d9 | 1422 | .BR charon.plugins.load-tester.iterations " [1]" |
c186b394 TB |
1423 | Number of IKE_SAs to initiate by each initiator in load test |
1424 | .TP | |
1425 | .BR charon.plugins.load-tester.issuer_cert | |
1426 | Path to the issuer certificate (if not configured a hard-coded value is used) | |
1427 | .TP | |
1428 | .BR charon.plugins.load-tester.issuer_key | |
1429 | Path to private key that is used to issue certificates (if not configured a | |
1430 | hard-coded value is used) | |
3f71c5d9 TB |
1431 | .TP |
1432 | .BR charon.plugins.load-tester.pool | |
1433 | Provide INTERNAL_IPV4_ADDRs from a named pool | |
1434 | .TP | |
35572811 TB |
1435 | .BR charon.plugins.load-tester.preshared_key " [default-psk]" |
1436 | Preshared key to use in load test | |
1437 | .TP | |
41f525be | 1438 | .BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" |
3f71c5d9 TB |
1439 | IKE proposal to use in load test |
1440 | .TP | |
c186b394 | 1441 | .BR charon.plugins.load-tester.responder " [127.0.0.1]" |
3f71c5d9 TB |
1442 | Address to initiation connections to |
1443 | .TP | |
1444 | .BR charon.plugins.load-tester.responder_auth " [pubkey]" | |
1445 | Authentication method(s) the responder uses | |
1446 | .TP | |
35572811 TB |
1447 | .BR charon.plugins.load-tester.responder_id |
1448 | Responder ID used in load test | |
1449 | .TP | |
c186b394 TB |
1450 | .BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" |
1451 | Traffic selector on initiator side, as narrowed by responder | |
1452 | .TP | |
1453 | .BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" | |
1454 | Traffic selector on responder side, as narrowed by responder | |
1455 | .TP | |
3f71c5d9 TB |
1456 | .BR charon.plugins.load-tester.request_virtual_ip " [no]" |
1457 | Request an INTERNAL_IPV4_ADDR from the server | |
1458 | .TP | |
1459 | .BR charon.plugins.load-tester.shutdown_when_complete " [no]" | |
41f525be | 1460 | Shutdown the daemon after all IKE_SAs have been established |
c186b394 TB |
1461 | .TP |
1462 | .BR charon.plugins.load-tester.version " [0]" | |
1463 | IKE version to use (0 means use IKEv2 as initiator and accept any version as | |
1464 | responder) | |
3f71c5d9 TB |
1465 | .SS Configuration details |
1466 | For public key authentication, the responder uses the | |
1467 | .B \(dqCN=srv, OU=load-test, O=strongSwan\(dq | |
1468 | identity. For the initiator, each connection attempt uses a different identity | |
1469 | in the form | |
1470 | .BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , | |
1471 | where the first number inidicates the client number, the second the | |
1472 | authentication round (if multiple authentication is used). | |
1473 | .PP | |
1474 | For PSK authentication, FQDN identities are used. The server uses | |
1475 | .BR srv.strongswan.org , | |
1476 | the client uses an identity in the form | |
1477 | .BR c1-r1.strongswan.org . | |
1478 | .PP | |
1479 | For EAP authentication, the client uses a NAI in the form | |
1480 | .BR 100000000010001@strongswan.org . | |
1481 | .PP | |
1482 | To configure multiple authentication, concatenate multiple methods with a vertical bar, e.g. | |
1483 | .EX | |
1484 | initiator_auth = pubkey|psk|eap-md5|eap-aka | |
1485 | .EE | |
1486 | .PP | |
1487 | The responder uses a hardcoded certificate based on a 1024-bit RSA key. | |
1488 | This certificate additionally serves as CA certificate. A peer uses the same | |
1489 | private key, but generates client certificates on demand signed by the CA | |
1490 | certificate. Install the Responder/CA certificate on the remote host to | |
1491 | authenticate all clients. | |
1492 | .PP | |
1493 | To speed up testing, the load tester plugin provides a special Diffie-Hellman | |
1494 | implementation called modpnull. By setting | |
1495 | .EX | |
1496 | proposal = aes128-sha1-modpnull | |
1497 | .EE | |
1498 | this wicked fast DH implementation is used. It does not provide any security | |
629cdca8 | 1499 | at all, but allows one to run tests without DH calculation overhead. |
3f71c5d9 TB |
1500 | .SS Examples |
1501 | .PP | |
1502 | In the simplest case, the daemon initiates IKE_SAs against itself using the | |
1503 | loopback interface. This will actually establish double the number of IKE_SAs, | |
1504 | as the daemon is initiator and responder for each IKE_SA at the same time. | |
1505 | Installation of IPsec SAs would fail, as each SA gets installed twice. To | |
1506 | simulate the correct behavior, a fake kernel interface can be enabled which does | |
1507 | not install the IPsec SAs at the kernel level. | |
1508 | .PP | |
1509 | A simple loopback configuration might look like this: | |
1510 | .PP | |
1511 | .EX | |
1512 | charon { | |
1513 | # create new IKE_SAs for each CHILD_SA to simulate | |
1514 | # different clients | |
1515 | reuse_ikesa = no | |
1516 | # turn off denial of service protection | |
1517 | dos_protection = no | |
1518 | ||
1519 | plugins { | |
1520 | load-tester { | |
1521 | # enable the plugin | |
1522 | enable = yes | |
1523 | # use 4 threads to initiate connections | |
1524 | # simultaneously | |
1525 | initiators = 4 | |
1526 | # each thread initiates 1000 connections | |
1527 | iterations = 1000 | |
1528 | # delay each initiation in each thread by 20ms | |
1529 | delay = 20 | |
1530 | # enable the fake kernel interface to | |
1531 | # avoid SA conflicts | |
1532 | fake_kernel = yes | |
1533 | } | |
1534 | } | |
1535 | } | |
1536 | .EE | |
1537 | .PP | |
1538 | This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay | |
1539 | value if your box cannot handle that much load, or decrease it to put more | |
1540 | load on it. If the daemon starts retransmitting messages, your box probably | |
1541 | cannot handle all connection attempts. | |
1542 | .PP | |
629cdca8 TB |
1543 | The plugin also allows one to test against a remote host. This might help to |
1544 | test against a real world configuration. A connection setup to do stress | |
1545 | testing of a gateway might look like this: | |
3f71c5d9 TB |
1546 | .PP |
1547 | .EX | |
1548 | charon { | |
1549 | reuse_ikesa = no | |
1550 | threads = 32 | |
1551 | ||
1552 | plugins { | |
1553 | load-tester { | |
1554 | enable = yes | |
1555 | # 10000 connections, ten in parallel | |
1556 | initiators = 10 | |
1557 | iterations = 1000 | |
1558 | # use a delay of 100ms, overall time is: | |
1559 | # iterations * delay = 100s | |
1560 | delay = 100 | |
1561 | # address of the gateway | |
1562 | remote = 1.2.3.4 | |
1563 | # IKE-proposal to use | |
1564 | proposal = aes128-sha1-modp1024 | |
1565 | # use faster PSK authentication instead | |
1566 | # of 1024bit RSA | |
1567 | initiator_auth = psk | |
1568 | responder_auth = psk | |
1569 | # request a virtual IP using configuration | |
1570 | # payloads | |
1571 | request_virtual_ip = yes | |
1572 | # rekey the CHILD_SA every 60s | |
1573 | child_rekey = 60 | |
1574 | } | |
1575 | } | |
1576 | } | |
1577 | .EE | |
1578 | ||
fa8c0690 TB |
1579 | .SH IKEv2 RETRANSMISSION |
1580 | Retransmission timeouts in the IKEv2 daemon charon can be configured globally | |
1581 | using the three keys listed below: | |
1582 | .PP | |
1583 | .RS | |
1584 | .nf | |
1585 | .BR charon.retransmit_base " [1.8]" | |
1586 | .BR charon.retransmit_timeout " [4.0]" | |
1587 | .BR charon.retransmit_tries " [5]" | |
1588 | .fi | |
1589 | .RE | |
1590 | .PP | |
1591 | The following algorithm is used to calculate the timeout: | |
1592 | .PP | |
1593 | .EX | |
1594 | relative timeout = retransmit_timeout * retransmit_base ^ (n-1) | |
1595 | .EE | |
1596 | .PP | |
1597 | Where | |
1598 | .I n | |
1599 | is the current retransmission count. | |
1600 | .PP | |
1601 | Using the default values, packets are retransmitted in: | |
1602 | ||
1603 | .TS | |
1604 | l r r | |
1605 | --- | |
1606 | lB r r. | |
1607 | Retransmission Relative Timeout Absolute Timeout | |
1608 | 1 4s 4s | |
1609 | 2 7s 11s | |
1610 | 3 13s 24s | |
1611 | 4 23s 47s | |
1612 | 5 42s 89s | |
1613 | giving up 76s 165s | |
1614 | .TE | |
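The schedule above, computed from the three keys, as an added example that is not strongSwan code: it reproduces the default table and lets an operator check, before changing retransmit_timeout, retransmit_base or retransmit_tries, how long an unanswered exchange keeps the daemon retransmitting before it gives up.

```c
#include <stdio.h>

/* Defaults of the three strongswan.conf keys documented above. */
#define RETRANSMIT_BASE    1.8
#define RETRANSMIT_TIMEOUT 4.0
#define RETRANSMIT_TRIES   5

/* Relative timeout (seconds) before retransmission n, 1-based:
 * retransmit_timeout * retransmit_base ^ (n-1). Repeated
 * multiplication avoids linking libm for pow(). */
double relative_timeout(double timeout, double base, unsigned n)
{
    double t = timeout;
    for (unsigned i = 1; i < n; i++)
        t *= base;
    return t;
}

/* Seconds from the first transmission until retransmission n, i.e. the
 * sum of relative timeouts 1..n. With n = tries + 1 this is the point
 * at which the daemon gives up (the last row of the table). */
double absolute_timeout(double timeout, double base, unsigned n)
{
    double sum = 0.0;
    for (unsigned i = 1; i <= n; i++)
        sum += relative_timeout(timeout, base, i);
    return sum;
}

/* Round to whole seconds, as the man page table does. */
long whole_seconds(double t) { return (long)(t + 0.5); }

/* Print the schedule in the layout of the man page table. */
void print_schedule(double timeout, double base, unsigned tries)
{
    printf("%-14s %16s %16s\n", "Retransmission", "Relative Timeout", "Absolute Timeout");
    for (unsigned n = 1; n <= tries + 1; n++) {
        if (n <= tries) printf("%-14u", n); else printf("%-14s", "giving up");
        printf(" %15lds %15lds\n",
               whole_seconds(relative_timeout(timeout, base, n)),
               whole_seconds(absolute_timeout(timeout, base, n)));
    }
}

int main(void)
{
    print_schedule(RETRANSMIT_TIMEOUT, RETRANSMIT_BASE, RETRANSMIT_TRIES);
    return 0;
}
```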
1615 | ||
483c1feb | 1616 | .SH FILES |
483c1feb TB |
1617 | /etc/strongswan.conf |
1618 | ||
1619 | .SH SEE ALSO | |
4d62ad75 TB |
1620 | \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) |
1621 | ||
483c1feb | 1622 | .SH HISTORY |
320cecd2 TB |
1623 | Written for the |
1624 | .UR http://www.strongswan.org | |
1625 | strongSwan project | |
1626 | .UE | |
1627 | by Tobias Brunner, Andreas Steffen and Martin Willi. |