config/strongswan/charon.conf

   1 # Options for the charon IKE daemon.
   2 charon {
   3     # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
   4     accept_unencrypted_mainmode_messages = yes
   5
   6     # Maximum number of half-open IKE_SAs for a single peer IP.
   7     # block_threshold = 5
   8
   9     # Whether relations in validated certificate chains should be cached in
  10     # memory.
  11     # cert_cache = yes
  12
  13     # Send Cisco Unity vendor ID payload (IKEv1 only).
  14     cisco_unity = yes
  15
  16     # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
  17     # close_ike_on_child_failure = no
  18
  19     # Number of half-open IKE_SAs that activate the cookie mechanism.
  20     # cookie_threshold = 10
  21
  22     # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
  23     # strength.
  24     # dh_exponent_ansi_x9_42 = yes
  25
  26     # DNS server assigned to peer via configuration payload (CP).
  27     # dns1 =
  28
  29     # DNS server assigned to peer via configuration payload (CP).
  30     # dns2 =
  31
  32     # Enable Denial of Service protection using cookies and aggressiveness
  33     # checks.
  34     # dos_protection = yes
  35
  36     # Compliance with the errata for RFC 4753.
  37     # ecp_x_coordinate_only = yes
  38
  39     # Free objects during authentication (might conflict with plugins).
  40     # flush_auth_cfg = no
  41
  42     # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
  43     # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
  44     # address family specific        default values). If specified this limit is
  45     # used for both IPv4 and IPv6.
  46     # fragment_size = 0
  47
  48     # Name of the group the daemon changes to after startup.
  49     # group =
  50
  51     # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
  52     # half_open_timeout = 30
  53
  54     # Enable hash and URL support.
  55     # hash_and_url = no
  56
  57     # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
  58     # i_dont_care_about_security_and_use_aggressive_mode_psk = no
  59
  60     # A space-separated list of routing tables to be excluded from route
  61     # lookups.
  62     # ignore_routing_tables =
  63
  64     # Maximum number of IKE_SAs that can be established at the same time before
  65     # new connection attempts are blocked.
  66     # ikesa_limit = 0
  67
  68     # Number of exclusively locked segments in the hash table.
  69     ikesa_table_segments = 4
  70
  71     # Size of the IKE_SA hash table.
  72     ikesa_table_size = 32
  73
  74     # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
  75     # inactivity_close_ike = no
  76
  77     # Limit new connections based on the current number of half open IKE_SAs,
  78     # see IKE_SA_INIT DROPPING in strongswan.conf(5).
  79     init_limit_half_open = 1000
  80
  81     # Limit new connections based on the number of queued jobs.
  82     # init_limit_job_load = 0
  83
  84     # Causes charon daemon to ignore IKE initiation requests.
  85     # initiator_only = no
  86
  87     # Install routes into a separate routing table for established IPsec
  88     # tunnels.
  89     # install_routes = yes
  90
  91     # Install virtual IP addresses.
  92     # install_virtual_ip = yes
  93
  94     # The name of the interface on which virtual IP addresses should be
  95     # installed.
  96     # install_virtual_ip_on =
  97
  98     # Check daemon, libstrongswan and plugin integrity at startup.
  99     # integrity_test = no
 100
 101     # A comma-separated list of network interfaces that should be ignored, if
 102     # interfaces_use is specified this option has no effect.
 103     # interfaces_ignore =
 104
 105     # A comma-separated list of network interfaces that should be used by
 106     # charon. All other interfaces are ignored.
 107     # interfaces_use =
 108
 109     # NAT keep alive interval.
 110     # keep_alive = 20s
 111
 112     # Plugins to load in the IKE daemon charon.
 113     # load =
 114
 115     # Determine plugins to load via each plugin's load option.
 116     # load_modular = no
 117
 118     # Maximum packet size accepted by charon.
 119     # max_packet = 10000
 120
 121     # Enable multiple authentication exchanges (RFC 4739).
 122     # multiple_authentication = yes
 123
 124     # WINS servers assigned to peer via configuration payload (CP).
 125     # nbns1 =
 126
 127     # WINS servers assigned to peer via configuration payload (CP).
 128     # nbns2 =
 129
 130     # UDP port used locally. If set to 0 a random port will be allocated.
 131     # port = 500
 132
 133     # UDP port used locally in case of NAT-T. If set to 0 a random port will be
 134     # allocated.  Has to be different from charon.port, otherwise a random port
 135     # will be allocated.
 136     # port_nat_t = 4500
 137
 138     # By default public IPv6 addresses are preferred over temporary ones (RFC
 139     # 4941), to make connections more stable. Enable this option to reverse
 140     # this.
 141     # prefer_temporary_addrs = no
 142
 143     # Process RTM_NEWROUTE and RTM_DELROUTE events.
 144     # process_route = yes
 145
 146     # Delay in ms for receiving packets, to simulate larger RTT.
 147     # receive_delay = 0
 148
 149     # Delay request messages.
 150     # receive_delay_request = yes
 151
 152     # Delay response messages.
 153     # receive_delay_response = yes
 154
 155     # Specific IKEv2 message type to delay, 0 for any.
 156     # receive_delay_type = 0
 157
 158     # Size of the AH/ESP replay window, in packets.
 159     # replay_window = 32
 160
 161     # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 162     # in strongswan.conf(5).
 163     # retransmit_base = 1.8
 164
 165     # Timeout in seconds before sending first retransmit.
 166     # retransmit_timeout = 4.0
 167
 168     # Number of times to retransmit a packet before giving up.
 169     # retransmit_tries = 5
 170
 171     # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
 172     # resolution failed), 0 to disable retries.
 173     # retry_initiate_interval = 0
 174
 175     # Initiate CHILD_SA within existing IKE_SAs.
 176     # reuse_ikesa = yes
 177
 178     # Numerical routing table to install routes to.
 179     # routing_table =
 180
 181     # Priority of the routing table.
 182     # routing_table_prio =
 183
 184     # Delay in ms for sending packets, to simulate larger RTT.
 185     # send_delay = 0
 186
 187     # Delay request messages.
 188     # send_delay_request = yes
 189
 190     # Delay response messages.
 191     # send_delay_response = yes
 192
 193     # Specific IKEv2 message type to delay, 0 for any.
 194     # send_delay_type = 0
 195
 196     # Send strongSwan vendor ID payload
 197     # send_vendor_id = no
 198
 199     # Number of worker threads in charon.
 200     # threads = 16
 201
 202     # Name of the user the daemon changes to after startup.
 203     # user =
 204
 205     crypto_test {
 206
 207         # Benchmark crypto algorithms and order them by efficiency.
 208         # bench = no
 209
 210         # Buffer size used for crypto benchmark.
 211         # bench_size = 1024
 212
 213         # Number of iterations to test each algorithm.
 214         # bench_time = 50
 215
 216         # Test crypto algorithms during registration (requires test vectors
 217         # provided by the test-vectors plugin).
 218         # on_add = no
 219
 220         # Test crypto algorithms on each crypto primitive instantiation.
 221         # on_create = no
 222
 223         # Strictly require at least one test vector to enable an algorithm.
 224         # required = no
 225
 226         # Whether to test RNG with TRUE quality; requires a lot of entropy.
 227         # rng_true = no
 228
 229     }
 230
 231     host_resolver {
 232
 233         # Maximum number of concurrent resolver threads (they are terminated if
 234         # unused).
 235         # max_threads = 3
 236
 237         # Minimum number of resolver threads to keep around.
 238         # min_threads = 0
 239
 240     }
 241
 242     leak_detective {
 243
 244         # Includes source file names and line numbers in leak detective output.
 245         # detailed = yes
 246
 247         # Threshold in bytes for leaks to be reported (0 to report all).
 248         # usage_threshold = 10240
 249
 250         # Threshold in number of allocations for leaks to be reported (0 to
 251         # report all).
 252         # usage_threshold_count = 0
 253
 254     }
 255
 256     processor {
 257
 258         # Section to configure the number of reserved threads per priority class
 259         # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
 260         priority_threads {
 261
 262         }
 263
 264     }
 265
 266     # Section containing a list of scripts (name = path) that are executed when
 267     # the daemon is started.
 268     start-scripts {
 269
 270     }
 271
 272     # Section containing a list of scripts (name = path) that are executed when
 273     # the daemon is terminated.
 274     stop-scripts {
 275
 276     }
 277
 278     tls {
 279
 280         # List of TLS encryption ciphers.
 281         # cipher =
 282
 283         # List of TLS key exchange methods.
 284         # key_exchange =
 285
 286         # List of TLS MAC algorithms.
 287         # mac =
 288
 289         # List of TLS cipher suites.
 290         # suites =
 291
 292     }
 293
 294     x509 {
 295
 296         # Discard certificates with unsupported or unknown critical extensions.
 297         # enforce_critical = yes
 298
 299     }
 300
 301 }
 302