1 # Options for the charon IKE daemon.
3 # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Enabling this has security implications comparable to Aggressive Mode with PSK: the peer identity and the PSK-derived HASH are exposed to a passive observer on the path, so the upstream default is no; it is explicitly enabled below.
4 accept_unencrypted_mainmode_messages = yes
6 # Maximum number of half-open IKE_SAs for a single peer IP.
9 # Whether relations in validated certificate chains should be cached in
13 # Send Cisco Unity vendor ID payload (IKEv1 only).
16 # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
17 # close_ike_on_child_failure = no
19 # Number of half-open IKE_SAs that activate the cookie mechanism.
20 # cookie_threshold = 10
22 # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
24 # dh_exponent_ansi_x9_42 = yes
26 # DNS server assigned to peer via configuration payload (CP).
29 # DNS server assigned to peer via configuration payload (CP).
32 # Enable Denial of Service protection using cookies and aggressiveness
34 # dos_protection = yes
36 # Compliance with the errata for RFC 4753.
37 # ecp_x_coordinate_only = yes
39 # Free objects during authentication (might conflict with plugins).
42 # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
43 # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
44 # address family specific default values). If specified this limit is
45 # used for both IPv4 and IPv6.
48 # Name of the group the daemon changes to after startup.
51 # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
52 # half_open_timeout = 30
54 # Enable hash and URL support.
57 # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
58 # i_dont_care_about_security_and_use_aggressive_mode_psk = no
60 # A space-separated list of routing tables to be excluded from route
62 # ignore_routing_tables =
64 # Maximum number of IKE_SAs that can be established at the same time before
65 # new connection attempts are blocked.
68 # Number of exclusively locked segments in the hash table.
69 ikesa_table_segments = 4
71 # Size of the IKE_SA hash table.
74 # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
75 # inactivity_close_ike = no
77 # Limit new connections based on the current number of half open IKE_SAs,
78 # see IKE_SA_INIT DROPPING in strongswan.conf(5).
79 init_limit_half_open = 1000
81 # Limit new connections based on the number of queued jobs.
82 # init_limit_job_load = 0
84 # Causes charon daemon to ignore IKE initiation requests.
87 # Install routes into a separate routing table for established IPsec
91 # Install virtual IP addresses.
92 # install_virtual_ip = yes
94 # The name of the interface on which virtual IP addresses should be
96 # install_virtual_ip_on =
98 # Check daemon, libstrongswan and plugin integrity at startup.
101 # A comma-separated list of network interfaces that should be ignored, if
102 # interfaces_use is specified this option has no effect.
103 # interfaces_ignore =
105 # A comma-separated list of network interfaces that should be used by
106 # charon. All other interfaces are ignored.
109 # NAT keep alive interval.
112 # Plugins to load in the IKE daemon charon.
115 # Determine plugins to load via each plugin's load option.
118 # Maximum packet size accepted by charon.
121 # Enable multiple authentication exchanges (RFC 4739).
122 # multiple_authentication = yes
124 # WINS servers assigned to peer via configuration payload (CP).
127 # WINS servers assigned to peer via configuration payload (CP).
130 # UDP port used locally. If set to 0 a random port will be allocated.
133 # UDP port used locally in case of NAT-T. If set to 0 a random port will be
134 # allocated. Has to be different from charon.port, otherwise a random port
138 # By default public IPv6 addresses are preferred over temporary ones (RFC
139 # 4941), to make connections more stable. Enable this option to reverse
141 # prefer_temporary_addrs = no
143 # Process RTM_NEWROUTE and RTM_DELROUTE events.
144 # process_route = yes
146 # Delay in ms for receiving packets, to simulate larger RTT.
149 # Delay request messages.
150 # receive_delay_request = yes
152 # Delay response messages.
153 # receive_delay_response = yes
155 # Specific IKEv2 message type to delay, 0 for any.
156 # receive_delay_type = 0
158 # Size of the AH/ESP replay window, in packets.
161 # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
162 # in strongswan.conf(5).
163 # retransmit_base = 1.8
165 # Timeout in seconds before sending first retransmit.
166 # retransmit_timeout = 4.0
168 # Number of times to retransmit a packet before giving up.
169 # retransmit_tries = 5
171 # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
172 # resolution failed), 0 to disable retries.
173 # retry_initiate_interval = 0
175 # Initiate CHILD_SA within existing IKE_SAs.
178 # Numerical routing table to install routes to.
181 # Priority of the routing table.
182 # routing_table_prio =
184 # Delay in ms for sending packets, to simulate larger RTT.
187 # Delay request messages.
188 # send_delay_request = yes
190 # Delay response messages.
191 # send_delay_response = yes
193 # Specific IKEv2 message type to delay, 0 for any.
194 # send_delay_type = 0
196 # Send strongSwan vendor ID payload
197 # send_vendor_id = no
199 # Number of worker threads in charon.
202 # Name of the user the daemon changes to after startup.
207 # Benchmark crypto algorithms and order them by efficiency.
210 # Buffer size used for crypto benchmark.
213 # Number of iterations to test each algorithm.
216 # Test crypto algorithms during registration (requires test vectors
217 # provided by the test-vectors plugin).
220 # Test crypto algorithms on each crypto primitive instantiation.
223 # Strictly require at least one test vector to enable an algorithm.
226 # Whether to test RNG with TRUE quality; requires a lot of entropy.
233 # Maximum number of concurrent resolver threads (they are terminated if
237 # Minimum number of resolver threads to keep around.
244 # Includes source file names and line numbers in leak detective output.
247 # Threshold in bytes for leaks to be reported (0 to report all).
248 # usage_threshold = 10240
250 # Threshold in number of allocations for leaks to be reported (0 to
252 # usage_threshold_count = 0
258 # Section to configure the number of reserved threads per priority class
259 # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
266 # Section containing a list of scripts (name = path) that are executed when
267 # the daemon is started.
272 # Section containing a list of scripts (name = path) that are executed when
273 # the daemon is terminated.
280 # List of TLS encryption ciphers.
283 # List of TLS key exchange methods.
286 # List of TLS MAC algorithms.
289 # List of TLS cipher suites.
296 # Discard certificates with unsupported or unknown critical extensions.
297 # enforce_critical = yes