From: Tobias Brunner Date: Wed, 26 Feb 2025 14:06:29 +0000 (+0100) Subject: conf: Document some global options for charon-nm X-Git-Tag: 6.0.1rc1~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af0535894c452e9f27f0ec3ad498d0ab20bc48d0;p=thirdparty%2Fstrongswan.git conf: Document some global options for charon-nm These have specific values for charon-nm's use case but might have to be changed for special setups or because of conflicts. References strongswan/strongswan#2683 --- diff --git a/conf/options/charon-nm.opt b/conf/options/charon-nm.opt index 623969512a..d9991e6c71 100644 --- a/conf/options/charon-nm.opt +++ b/conf/options/charon-nm.opt 
@@ -1,6 +1,44 @@ +charon-nm {} + Section with settings specific to the NetworkManager backend `charon-nm`. + Settings from the `charon` section are not inherited, but many can be used + here as well. Defaults for some settings are chosen very deliberately and + should only be changed in case of conflicts. + charon-nm.ca_dir = Directory from which to load CA certificates if no certificate is configured. +charon-nm.install_virtual_ip_on = lo + Interface on which virtual IP addresses are installed. Note that NM + also installs the virtual IPs on the XFRM interface. + charon-nm.mtu = 1400 MTU for XFRM interfaces created by the NM plugin. + +charon-nm.port = 0 + Source port when sending packets to port 500. Defaults to an ephemeral + port. May be set to 500 if firewall rules require a static port. + +charon-nm.port_nat_t = 0 + Source port when sending packets to port 4500 or a custom server port. + Defaults to an ephemeral port. May be set to e.g. 4500 if firewall rules + require a static port. + +charon-nm.routing_table = 210 + Table where routes via XFRM interface are installed. Should be different + than the table used for the regular IKE daemon due to the mark. + +charon-nm.routing_table_prio = 210 + Priority of the routing table. Higher than the default priority used for the + regular IKE daemon. + +charon-nm.plugins.kernel-netlink.fwmark = !210 + Make packets with this mark ignore the routing table. Must be the same mark + set in charon-nm.plugins.socket-default.fwmark. + +charon-nm.plugins.socket-default.fwmark = 210 + Mark applied to IKE and ESP packets to ignore the routing table and avoid + routing loops when using XFRM interfaces. + +charon-nm.syslog.daemon.default = 1 + Default to logging via syslog's daemon facility on level 1.
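Review bot: the `charon-nm.routing_table_prio` description ("Higher than the default priority used for the regular IKE daemon") is ambiguous, because for `ip rule` a numerically lower priority is consulted first; say explicitly whether 210 is numerically higher than charon's default or whether it takes precedence over it. In the same spirit, the `charon-nm.routing_table` text "Should be different than the table used for the regular IKE daemon due to the mark" should read "different from" and would help an administrator more if it tied the reason to the two `fwmark` entries below it, e.g. "Must differ from charon's own table, since the `!210` fwmark rule makes marked IKE/ESP packets bypass this table while charon's table is not affected." Minor: the `charon-nm.port` and `charon-nm.port_nat_t` entries could cross-reference each other, since firewall rules requiring a static port will usually need both set together.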