	Options for the charon IKE daemon.

	Options for the charon IKE daemon.

	**Note**: Many of the options in this section also apply to **charon-cmd**
	and other **charon** derivatives. Just use their respective name (e.g.
	**charon-cmd** instead of **charon**). For many options defaults can be
	defined in the **libstrongswan** section.

charon.accept_unencrypted_mainmode_messages = no
	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

	Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
	Some implementations send the third Main Mode message unencrypted, probably
	to find the PSKs for the specified ID for authentication. This is very
	similar to Aggressive Mode, and has the same security implications: a
	passive attacker can sniff the negotiated identity and start brute forcing
	the PSK using the HASH payload.

	It is recommended to keep this option set to no, unless you know exactly
	what the implications are and require compatibility with such devices (for
	example, some SonicWall boxes).

charon.block_threshold = 5
	Maximum number of half-open IKE_SAs for a single peer IP.

charon.cert_cache = yes
	Whether relations in validated certificate chains should be cached in

charon.cache_crls = no
	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
	be saved under a unique file name derived from the public key of the
	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
	**/etc/swanctl/x509crl** (vici), respectively.

charon.cisco_unity = no
	Send Cisco Unity vendor ID payload (IKEv1 only).

charon.close_ike_on_child_failure = no
	Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.

charon.cookie_threshold = 10
	Number of half-open IKE_SAs that activate the cookie mechanism.

charon.crypto_test.bench = no
	Benchmark crypto algorithms and order them by efficiency.

charon.crypto_test.bench_size = 1024
	Buffer size used for crypto benchmark.

charon.crypto_test.bench_time = 50
	Number of iterations to test each algorithm.

charon.crypto_test.on_add = no
	Test crypto algorithms during registration (requires test vectors provided
	by the _test-vectors_ plugin).

charon.crypto_test.on_create = no
	Test crypto algorithms on each crypto primitive instantiation.

charon.crypto_test.required = no
	Strictly require at least one test vector to enable an algorithm.

charon.crypto_test.rng_true = no
	Whether to test RNG with TRUE quality; requires a lot of entropy.

charon.delete_rekeyed = no
	Delete CHILD_SAs right after they have been successfully rekeyed (IKEv1 only).

	Delete CHILD_SAs right after they have been successfully rekeyed (IKEv1 only).
	Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
	However, this might cause problems with implementations that continue to
	use rekeyed SAs until they expire.

charon.dh_exponent_ansi_x9_42 = yes
	Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic

charon.dlopen_use_rtld_now = no
	Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing

	DNS server assigned to peer via configuration payload (CP).

	DNS server assigned to peer via configuration payload (CP).

charon.dos_protection = yes
	Enable Denial of Service protection using cookies and aggressiveness checks.

charon.ecp_x_coordinate_only = yes
	Compliance with the errata for RFC 4753.

charon.flush_auth_cfg = no
	Free objects during authentication (might conflict with plugins).

	If enabled, objects used during authentication (certificates, identities
	etc.) are released to free memory once an IKE_SA is established. Enabling
	this might conflict with plugins that later need access to e.g. the used

charon.follow_redirects = yes
	Whether to follow IKEv2 redirects (RFC 5685).

charon.fragment_size = 1280
	Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
	when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
	to 1280 (use 0 for address family specific default values, which uses a
	lower value for IPv4). If specified this limit is used for both IPv4 and

	Name of the group the daemon changes to after startup.

charon.half_open_timeout = 30
	Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).

charon.hash_and_url = no
	Enable hash and URL support.

charon.host_resolver.max_threads = 3
	Maximum number of concurrent resolver threads (they are terminated if

charon.host_resolver.min_threads = 0
	Minimum number of resolver threads to keep around.

charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
	Allow IKEv1 Aggressive Mode with pre-shared keys as responder.

	If enabled, responders are allowed to use IKEv1 Aggressive Mode with
	pre-shared keys, which is discouraged due to security concerns (offline
	attacks on the openly transmitted hash of the PSK).

charon.ignore_routing_tables
	A space-separated list of routing tables to be excluded from route lookups.

charon.ignore_acquire_ts = no
	Whether to ignore the traffic selectors from the kernel's acquire events for
	IKEv2 connections (they are not used for IKEv1).

	If this is disabled, the traffic selectors from the kernel's acquire events,
	which are derived from the triggering packet, are prepended to the traffic
	selectors from the configuration for IKEv2 connections. By enabling this,
	such specific traffic selectors will be ignored and only the ones in the
	config will be sent. This always happens for IKEv1 connections as the
	protocol only supports one set of traffic selectors per CHILD_SA.

charon.ikesa_limit = 0
	Maximum number of IKE_SAs that can be established at the same time before
	new connection attempts are blocked.

charon.ikesa_table_segments = 1
	Number of exclusively locked segments in the hash table.

charon.ikesa_table_size = 1
	Size of the IKE_SA hash table.

charon.inactivity_close_ike = no
	Whether to close the IKE_SA if its only CHILD_SA was closed due to inactivity.

charon.init_limit_half_open = 0
	Limit new connections based on the current number of half open IKE_SAs, see
	IKE_SA_INIT DROPPING in **strongswan.conf**(5).

charon.init_limit_job_load = 0
	Limit new connections based on the number of queued jobs.

	Limit new connections based on the number of jobs currently queued for
	processing (see IKE_SA_INIT DROPPING).
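How the half-open limits above interact on the responder side, as an added example that is not strongSwan's own code: the model below tracks half-open IKE_SAs per peer and applies charon.cookie_threshold, charon.block_threshold, charon.init_limit_half_open and charon.half_open_timeout to constructed IKE_SA_INIT traffic. The order in which the checks are applied is an assumption made for illustration.

```python
# Added example, not strongSwan's own code: a small model of the responder-side
# IKE_SA_INIT DROPPING decisions controlled by charon.cookie_threshold,
# charon.block_threshold, charon.init_limit_half_open and
# charon.half_open_timeout. The order of the checks is an assumption.

class HalfOpenTracker:
    def __init__(self, cookie_threshold=10, block_threshold=5,
                 init_limit_half_open=0, half_open_timeout=30):
        self.cookie_threshold = cookie_threshold
        self.block_threshold = block_threshold
        self.init_limit_half_open = init_limit_half_open  # 0 disables the limit
        self.half_open_timeout = half_open_timeout
        self.half_open = []  # (peer_ip, time the IKE_SA_INIT was accepted)

    def _expire(self, now):
        # Half-open IKE_SAs that never completed are dropped after the timeout.
        self.half_open = [(ip, t) for ip, t in self.half_open
                          if now - t < self.half_open_timeout]

    def on_ike_sa_init(self, peer_ip, now, has_valid_cookie=False):
        """Decide what to do with an incoming IKE_SA_INIT request."""
        self._expire(now)
        total = len(self.half_open)
        per_peer = sum(1 for ip, _ in self.half_open if ip == peer_ip)
        if self.init_limit_half_open and total >= self.init_limit_half_open:
            return "drop:init_limit_half_open"   # global limit, keep no state
        if per_peer >= self.block_threshold:
            return "drop:block_threshold"        # this peer IP is blocked
        if total >= self.cookie_threshold and not has_valid_cookie:
            return "cookie"                      # answer with a cookie, keep no state
        self.half_open.append((peer_ip, now))
        return "accept"

def simulate():
    """Constructed traffic: one peer flooding, then a burst from many peers."""
    tracker = HalfOpenTracker()
    events = [("198.51.100.7", t, False) for t in range(6)]           # 6 inits, 1 s apart
    events += [("203.0.113.%d" % i, 10, False) for i in range(1, 7)]   # 6 peers at t=10
    events += [("203.0.113.9", 11, True)]    # peer that retried with a valid cookie
    events += [("198.51.100.7", 45, False)]  # same peer after half_open_timeout
    return [tracker.on_ike_sa_init(ip, t, c) for ip, t, c in events]

if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

The blocked peer is accepted again once its stale half-open entries have aged out, which is what charon.half_open_timeout bounds.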
charon.initiator_only = no
	Causes the charon daemon to ignore IKE initiation requests.

charon.install_routes = yes
	Install routes into a separate routing table for established IPsec tunnels.

charon.install_virtual_ip = yes
	Install virtual IP addresses.

charon.install_virtual_ip_on
	The name of the interface on which virtual IP addresses should be installed.

	The name of the interface on which virtual IP addresses should be installed.
	If not specified, the addresses will be installed on the outbound interface.

charon.integrity_test = no
	Check daemon, libstrongswan and plugin integrity at startup.

charon.interfaces_ignore
	A comma-separated list of network interfaces that should be ignored. If
	**interfaces_use** is specified, this option has no effect.

charon.interfaces_use
	A comma-separated list of network interfaces that should be used by charon.
	All other interfaces are ignored.

charon.keep_alive = 20s
	NAT keep alive interval.

charon.leak_detective.detailed = yes
	Includes source file names and line numbers in leak detective output.

charon.leak_detective.usage_threshold = 10240
	Threshold in bytes for leaks to be reported (0 to report all).

charon.leak_detective.usage_threshold_count = 0
	Threshold in number of allocations for leaks to be reported (0 to report

	Plugins to load in the IKE daemon charon.

charon.load_modular = no
	Determine plugins to load via each plugin's load option.

	If enabled, the list of plugins to load is determined via the value of the
	_charon.plugins.<name>.load_ options. In addition to a simple boolean flag
	that option may take an integer value indicating the priority of a plugin,
	which would influence the order of a plugin in the plugin list (the default
	is 1). If two plugins have the same priority their order in the default
	plugin list is preserved. Enabled plugins not found in that list are ordered
	alphabetically before other plugins with the same priority.
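The ordering rules for charon.load_modular, worked through as an added example (not strongSwan's plugin loader): a constructed default plugin list and a constructed set of _charon.plugins.<name>.load_ values are turned into the resulting load order. That a higher priority value loads earlier, and that a value of 0 or a negative value disables a plugin, are assumptions of this model.

```python
# Added example, not strongSwan's code: compute the plugin load order that the
# charon.load_modular rules describe. Higher priority loads first (assumed);
# same priority keeps default-list order; enabled plugins missing from the
# default list go alphabetically before the default-list plugins of that
# priority. DEFAULT_LIST and LOAD_OPTIONS are constructed sample data.

DEFAULT_LIST = ["random", "nonce", "x509", "pem", "openssl",
                "kernel-netlink", "socket-default", "vici"]

LOAD_OPTIONS = {              # values of charon.plugins.<name>.load
    "random": "yes",          # plain boolean: enabled, default priority 1
    "nonce": "yes",
    "x509": "2",              # integer: priority 2, ahead of priority-1 plugins
    "pem": "no",              # disabled
    "openssl": "2",
    "kernel-netlink": "yes",
    "socket-default": "1",
    "vici": "yes",
    "my-custom-plugin": "2",  # not in the default list
    "another-plugin": "1",    # not in the default list
}

def parse_load(value):
    """Priority for a load value, or None if the plugin is disabled."""
    v = str(value).strip().lower()
    if v in ("yes", "true", "enabled"):
        return 1                       # default priority
    if v in ("no", "false", "disabled", ""):
        return None
    try:
        prio = int(v)
    except ValueError:
        return None                    # unparsable value: treat as disabled
    return prio if prio > 0 else None  # assumption: <= 0 disables the plugin

def plugin_load_order(default_list, load_options):
    default_pos = {name: i for i, name in enumerate(default_list)}
    enabled = [(n, p) for n, p in ((n, parse_load(v)) for n, v in load_options.items())
               if p is not None]

    def key(item):
        name, prio = item
        if name in default_pos:        # default-list plugins: keep list order
            return (-prio, 1, default_pos[name])
        return (-prio, 0, name)        # others: alphabetically, before the above

    return [name for name, _ in sorted(enabled, key=key)]

if __name__ == "__main__":
    print(" ".join(plugin_load_order(DEFAULT_LIST, LOAD_OPTIONS)))
```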
charon.max_ikev1_exchanges = 3
	Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and

charon.max_packet = 10000
	Maximum packet size accepted by charon.

charon.make_before_break = no
	Initiate IKEv2 reauthentication with a make-before-break scheme.

	Initiate IKEv2 reauthentication with a make-before-break instead of a
	break-before-make scheme. Make-before-break uses overlapping IKE and
	CHILD_SAs during reauthentication by first recreating all new SAs before
	deleting the old ones. This behavior can be beneficial to avoid connectivity
	gaps during reauthentication, but requires support for overlapping SAs by
	the peer. strongSwan can handle such overlapping SAs since version 5.3.0.

charon.multiple_authentication = yes
	Enable multiple authentication exchanges (RFC 4739).

	WINS servers assigned to peer via configuration payload (CP).

	WINS servers assigned to peer via configuration payload (CP).

	UDP port used locally. If set to 0 a random port will be allocated.

charon.port_nat_t = 4500
	UDP port used locally in case of NAT-T. If set to 0 a random port will be
	allocated. Has to be different from **charon.port**, otherwise a random
	port will be allocated.

charon.prefer_best_path = no
	Whether to prefer updating SAs to the path with the best route.

	By default, charon keeps SAs on the routing path with addresses it
	previously used if that path is still usable. By setting this option to
	yes, it tries more aggressively to update SAs with MOBIKE on routing
	priority changes using the cheapest path. This adds more noise, but allows
	SAs to adapt dynamically to routing priority changes. This option has no
	effect if MOBIKE is not supported or disabled.

charon.prefer_configured_proposals = yes
	Prefer locally configured proposals for IKE/IPsec over supplied ones as
	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD

charon.prefer_temporary_addrs = no
	By default public IPv6 addresses are preferred over temporary ones (RFC
	4941), to make connections more stable. Enable this option to reverse this.

charon.process_route = yes
	Process RTM_NEWROUTE and RTM_DELROUTE events.

charon.processor.priority_threads {}
	Section to configure the number of reserved threads per priority class,
	see JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).

charon.receive_delay = 0
	Delay in ms for receiving packets, to simulate larger RTT.

charon.receive_delay_response = yes
	Delay response messages.

charon.receive_delay_request = yes
	Delay request messages.

charon.receive_delay_type = 0
	Specific IKEv2 message type to delay, 0 for any.

charon.replay_window = 32
	Size of the AH/ESP replay window, in packets.

charon.retransmit_base = 1.8
	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
	in **strongswan.conf**(5).

charon.retransmit_timeout = 4.0
	Timeout in seconds before sending the first retransmit.

charon.retransmit_tries = 5
	Number of times to retransmit a packet before giving up.
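The schedule produced by charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries, as an added example that is not strongSwan's code: the IKEv2 RETRANSMISSION section of strongswan.conf(5) gives the relative timeout before the n-th retransmit as retransmit_timeout * retransmit_base^n, and the block below applies that formula to the defaults so the total time until charon gives up on an unanswered request becomes visible.

```python
# Added example, not strongSwan's code: the IKEv2 retransmission schedule that
# charon.retransmit_timeout, charon.retransmit_base and charon.retransmit_tries
# produce. The formula retransmit_timeout * retransmit_base^n is taken from the
# IKEv2 RETRANSMISSION section of strongswan.conf(5).

def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Relative waiting times in seconds: one before each of the `tries`
    retransmits and one more after the last retransmit, after which the
    exchange is given up (tries + 1 waiting periods in total)."""
    return [timeout * base ** n for n in range(tries + 1)]

def time_until_give_up(timeout=4.0, base=1.8, tries=5):
    """Seconds from the first transmission until charon gives up, i.e. how
    long an unresponsive peer keeps an exchange alive before it is abandoned."""
    return sum(retransmit_schedule(timeout, base, tries))

def describe(timeout=4.0, base=1.8, tries=5):
    """Human-readable timeline of absolute send times."""
    elapsed = 0.0
    lines = ["t=%7.2fs  initial transmission" % elapsed]
    for n, wait in enumerate(retransmit_schedule(timeout, base, tries)):
        elapsed += wait
        if n < tries:
            lines.append("t=%7.2fs  retransmit %d (waited %.2fs)" % (elapsed, n + 1, wait))
        else:
            lines.append("t=%7.2fs  give up (waited %.2fs)" % (elapsed, wait))
    return lines

if __name__ == "__main__":
    print("\n".join(describe()))
    # With the defaults the exchange is abandoned after roughly 165 s;
    # retransmit_tries = 3 gives up after about 47.5 s instead.
    print("tries=3: %.1fs until give up" % time_until_give_up(tries=3))
```

Because the same back-off governs liveness checks, these three options together set how long a dead peer goes unnoticed.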
charon.retry_initiate_interval = 0
	Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
	resolution failed), 0 to disable retries.

charon.reuse_ikesa = yes
	Initiate CHILD_SAs within existing IKE_SAs (always enabled for IKEv1).

	Numerical routing table to install routes to.

charon.routing_table_prio
	Priority of the routing table.

charon.send_delay = 0
	Delay in ms for sending packets, to simulate larger RTT.

charon.send_delay_response = yes
	Delay response messages.

charon.send_delay_request = yes
	Delay request messages.

charon.send_delay_type = 0
	Specific IKEv2 message type to delay, 0 for any.

charon.send_vendor_id = no
	Send strongSwan vendor ID payload.

charon.signature_authentication = yes
	Whether to enable Signature Authentication as per RFC 7427.

charon.signature_authentication_constraints = yes
	Whether to enable constraints against IKEv2 signature schemes.

	If enabled, signature schemes configured in _rightauth_, in addition to
	being used as constraints against signature schemes employed in the
	certificate chain, are also used as constraints against the signature scheme
	used by peers during IKEv2.

charon.start-scripts {}
	Section containing a list of scripts (name = path) that are executed when
	the daemon is started.

charon.stop-scripts {}
	Section containing a list of scripts (name = path) that are executed when
	the daemon is terminated.

	Number of worker threads in charon.

	Number of worker threads in charon. Several of these are reserved for long
	running tasks in internal modules and plugins. Therefore, make sure you
	don't set this value too low. The number of idle worker threads listed in
	_ipsec statusall_ might be used as an indicator of the number of reserved

	List of TLS encryption ciphers.

charon.tls.key_exchange
	List of TLS key exchange methods.

	List of TLS MAC algorithms.

	List of TLS cipher suites.

	Name of the user the daemon changes to after startup.

charon.x509.enforce_critical = yes
	Discard certificates with unsupported or unknown critical extensions.