49 files changed, 574 insertions, 31 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 32a6a1da3..977eb1242 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -8,7 +8,53 @@ options = \
 options/charon-logging.opt
 plugins = \
- plugins/test.opt
+ plugins/android_log.opt \
+ plugins/attr.opt \
+ plugins/attr-sql.opt \
+ plugins/certexpire.opt \
+ plugins/coupling.opt \
+ plugins/dhcp.opt \
+ plugins/dnscert.opt \
+ plugins/duplicheck.opt \
+ plugins/eap-aka.opt \
+ plugins/eap-aka-3ggp2.opt \
+ plugins/eap-dynamic.opt \
+ plugins/eap-gtc.opt \
+ plugins/eap-peap.opt \
+ plugins/eap-radius.opt \
+ plugins/eap-sim.opt \
+ plugins/eap-simaka-sql.opt \
+ plugins/eap-tls.opt \
+ plugins/eap-tnc.opt \
+ plugins/eap-ttls.opt \
+ plugins/error-notify.opt \
+ plugins/gcrypt.opt \
+ plugins/ha.opt \
+ plugins/ipseckey.opt \
+ plugins/led.opt \
+ plugins/kernel-klips.opt \
+ plugins/kernel-libipsec.opt \
+ plugins/kernel-netlink.opt \
+ plugins/kernel-pfroute.opt \
+ plugins/load-tester.opt \
+ plugins/lookip.opt \
+ plugins/ntru.opt \
+ plugins/openssl.opt \
+ plugins/pkcs11.opt \
+ plugins/radattr.opt \
+ plugins/random.opt \
+ plugins/resolve.opt \
+ plugins/socket-default.opt \
+ plugins/sql.opt \
+ plugins/stroke.opt \
+ plugins/systime-fix.opt \
+ plugins/tnc-ifmap.opt \
+ plugins/tnc-pdp.opt \
+ plugins/unbound.opt \
+ plugins/updown.opt \
+ plugins/whitelist.opt \
+ plugins/xauth-eap.opt \
+ plugins/xauth-pam.opt
 alloptions = $(options) $(plugins)
diff --git a/conf/plugins/android_log.opt b/conf/plugins/android_log.opt
new file mode 100644
index 000000000..801b8bf19
--- /dev/null
+++ b/conf/plugins/android_log.opt
@@ -0,0 +1,2 @@
+charon.plugins.android_log.loglevel = 1
+ Loglevel for logging to Android specific logger.
diff --git a/conf/plugins/attr-sql.opt b/conf/plugins/attr-sql.opt
new file mode 100644
index 000000000..6f02c1cfb
--- /dev/null
+++ b/conf/plugins/attr-sql.opt
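Review bot: `plugins/led.opt` is listed between `plugins/ipseckey.opt` and `plugins/kernel-klips.opt`, breaking the otherwise alphabetical order of the new `plugins` list; moving it after `plugins/kernel-pfroute.opt \` keeps the list easy to scan and makes a missing entry obvious. The list also names `plugins/eap-aka-3ggp2.opt`, and the matching new file documents the key `charon.plugins.eap-aka-3ggp2.seq_check`; if the plugin directory and settings namespace in this tree are spelled `eap-aka-3gpp2` (3GPP2), the documented key will never match what the plugin reads and the shipped default becomes dead text, so the spelling is worth checking against the plugin source before this lands.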
@@ -0,0 +1,5 @@
+charon.plugins.attr-sql.database
+ Database URI for attr-sql plugin used by charon.
+
+charon.plugins.attr-sql.lease_history = yes
+ Enable logging of SQL IP pool leases.
diff --git a/conf/plugins/attr.opt b/conf/plugins/attr.opt
new file mode 100644
index 000000000..f3c187c7b
--- /dev/null
+++ b/conf/plugins/attr.opt
@@ -0,0 +1,14 @@
+charon.plugins.attr {}
+ Section to specify arbitrary attributes that are assigned to a peer via
+ configuration payload (CP).
+
+charon.plugins.attr.<attr>
+ <attr> is an attribute name or an integer, values can be an IP address,
+ subnet or arbitrary value.
+
+ **<attr>** can be either _address_, _netmask_, _dns_, _nbns_, _dhcp_,
+ _subnet_, _split-include_, _split-exclude_ or the numeric identifier of the
+ attribute type. The assigned value can be an IPv4/IPv6 address, a subnet in
+ CIDR notation or an arbitrary value depending on the attribute type. For
+ some attribute types multiple values may be specified as a comma separated
+ list.
diff --git a/conf/plugins/certexpire.opt b/conf/plugins/certexpire.opt
new file mode 100644
index 000000000..7c165383a
--- /dev/null
+++ b/conf/plugins/certexpire.opt
@@ -0,0 +1,25 @@
+charon.plugins.certexpire.csv.cron
+ Cron style string specifying CSV export times.
+
+charon.plugins.certexpire.csv.empty_string =
+ String to use in empty intermediate CA fields.
+
+charon.plugins.certexpire.csv.fixed_fields = yes
+ Use a fixed intermediate CA field count.
+
+charon.plugins.certexpire.csv.force = yes
+ Force export of all trustchains we have a private key for.
+
+charon.plugins.certexpire.csv.format = %d:%m:%Y
+ **strftime**(3) format string to export expiration dates as.
+
+charon.plugins.certexpire.csv.local
+ **strftime**(3) format string for the CSV file name to export local
+ certificates to.
+
+charon.plugins.certexpire.csv.remote
+ **strftime**(3) format string for the CSV file name to export remote
+ certificates to.
+
+charon.plugins.certexpire.csv.separator = ,
+ CSV field separator.
diff --git a/conf/plugins/coupling.opt b/conf/plugins/coupling.opt
new file mode 100644
index 000000000..179579d47
--- /dev/null
+++ b/conf/plugins/coupling.opt
@@ -0,0 +1,8 @@
+charon.plugins.coupling.file
+ File to store coupling list to.
+
+charon.plugins.coupling.hash = sha1
+ Hashing algorithm to fingerprint coupled certificates.
+
+charon.plugins.coupling.max = 1
+ Maximum number of coupling entries to create.
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
new file mode 100644
index 000000000..9c7b86091
--- /dev/null
+++ b/conf/plugins/dhcp.opt
@@ -0,0 +1,22 @@
+charon.plugins.dhcp.force_server_address = no
+ Always use the configured server address.
+
+ Always use the configured server address. This might be helpful if the DHCP
+ server runs on the same host as strongSwan, and the DHCP daemon does not
+ listen on the loopback interface. In that case the server cannot be reached
+ via unicast (or even 255.255.255.255) as that would be routed via loopback.
+ Setting this option to yes and configuring the local broadcast address (e.g.
+ 192.168.0.255) as server address might work.
+
+charon.plugins.dhcp.identity_lease = no
+ Derive user-defined MAC address from hash of IKE identity.
+
+charon.plugins.dhcp.server = 255.255.255.255
+ DHCP server unicast or broadcast IP address.
+
+charon.plugins.dhcp.interface
+ Interface name the plugin uses for address allocation.
+
+ Interface name the plugin uses for address allocation. The default is to
+ bind to any (0.0.0.0) and let the system decide which way to route the
+ packets to the DHCP server.
diff --git a/conf/plugins/dnscert.opt b/conf/plugins/dnscert.opt
new file mode 100644
index 000000000..fd5a8d819
--- /dev/null
+++ b/conf/plugins/dnscert.opt
@@ -0,0 +1,2 @@
+charon.plugins.dnscert.enable = no
+ Enable fetching of CERT RRs via DNS.
diff --git a/conf/plugins/duplicheck.opt b/conf/plugins/duplicheck.opt
new file mode 100644
index 000000000..ff54fe3a8
--- /dev/null
+++ b/conf/plugins/duplicheck.opt
@@ -0,0 +1,5 @@
+charon.plugins.duplicheck.enable = yes
+ Enable duplicheck plugin (if loaded).
+
+charon.plugins.duplicheck.socket = unix://${piddir}/charon.dck
+ Socket provided by the duplicheck plugin.
diff --git a/conf/plugins/eap-aka-3ggp2.opt b/conf/plugins/eap-aka-3ggp2.opt
new file mode 100644
index 000000000..9e2a42b3f
--- /dev/null
+++ b/conf/plugins/eap-aka-3ggp2.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka-3ggp2.seq_check =
diff --git a/conf/plugins/eap-aka.opt b/conf/plugins/eap-aka.opt
new file mode 100644
index 000000000..e8d166db9
--- /dev/null
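Review bot: `charon.plugins.eap-aka-3ggp2.seq_check =` ships with no description and an empty default, so the generated strongswan.conf and man page will list a key that says nothing about what it controls or what an empty value means. The same gap is in `eap-aka.opt` and `eap-sim.opt` (`request_identity`), `eap-simaka-sql.opt` (`database`, `remove_used`), `ha.opt` (every key except `autobalance`, including `secret`, `local`, `remote` and the two heartbeat timers) and `led.opt`. Every other file in this change gives each key at least a one-line description, and these should get one too; for the HA `secret`, `heartbeat_delay` and `heartbeat_timeout` the unit and what the value protects cannot be inferred from the key name (the defaults look like milliseconds, but that should be confirmed against the plugin before it is written down). The deleted `test.opt` shows the format expects a description line under every key, so an empty entry here is presumably an oversight rather than intent.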
+++ b/conf/plugins/eap-aka.opt
@@ -0,0 +1 @@
+charon.plugins.eap-aka.request_identity = yes
diff --git a/conf/plugins/eap-dynamic.opt b/conf/plugins/eap-dynamic.opt
new file mode 100644
index 000000000..2d50a0aab
--- /dev/null
+++ b/conf/plugins/eap-dynamic.opt
@@ -0,0 +1,13 @@
+charon.plugins.eap-dynamic.preferred =
+ The preferred EAP method(s) to be used.
+
+ The preferred EAP method(s) to be used. If it is not given the first
+ registered method will be used initially. If a comma separated list is
+ given the methods are tried in the given order before trying the rest of
+ the registered methods.
+
+charon.plugins.eap-dynamic.prefer_user = no
+ Prefer peer's proposed EAP methods.
+
+ If enabled the EAP methods proposed in an EAP-Nak message sent by the peer
+ are preferred over the methods registered locally.
diff --git a/conf/plugins/eap-gtc.opt b/conf/plugins/eap-gtc.opt
new file mode 100644
index 000000000..3fe8b7d68
--- /dev/null
+++ b/conf/plugins/eap-gtc.opt
@@ -0,0 +1,2 @@
+charon.plugins.eap-gtc.backend = pam
+ XAuth backend to be used for credential verification.
diff --git a/conf/plugins/eap-peap.opt b/conf/plugins/eap-peap.opt
new file mode 100644
index 000000000..6fe88606d
--- /dev/null
+++ b/conf/plugins/eap-peap.opt
@@ -0,0 +1,20 @@
+charon.plugins.eap-peap.fragment_size = 1024
+ Maximum size of an EAP-PEAP packet.
+
+charon.plugins.eap-peap.max_message_count = 32
+ Maximum number of processed EAP-PEAP packets (0 = no limit).
+
+charon.plugins.eap-peap.include_length = no
+ Include length in non-fragmented EAP-PEAP packets.
+
+charon.plugins.eap-peap.phase2_method = mschapv2
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-peap.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-peap.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-peap.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/eap-radius.opt b/conf/plugins/eap-radius.opt
new file mode 100644
index 000000000..be1d99f9d
--- /dev/null
+++ b/conf/plugins/eap-radius.opt
@@ -0,0 +1,103 @@
+charon.plugins.eap-radius.accounting = no
+ Send RADIUS accounting information to RADIUS servers.
+
+charon.plugins.eap-radius.accounting_requires_vip = no
+ If enabled, accounting is disabled unless an IKE_SA has at least one
+ virtual IP.
+
+charon.plugins.eap-radius.class_group = no
+ Use class attributes in RADIUS-Accept messages as group membership
+ information.
+
+ Use the _class_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.close_all_on_timeout = no
+ Closes all IKE_SAs if communication with the RADIUS server times out. If it
+ is not set only the current IKE_SA is closed.
+
+charon.plugins.eap-radius.dae.enable = no
+ Enables support for the Dynamic Authorization Extension (RFC 5176).
+
+charon.plugins.eap-radius.dae.listen = 0.0.0.0
+ Address to listen for DAE messages from the RADIUS server.
+
+charon.plugins.eap-radius.dae.port = 3799
+ Port to listen for DAE requests.
+
+charon.plugins.eap-radius.dae.secret
+ Shared secret used to verify/sign DAE messages.
+
+charon.plugins.eap-radius.eap_start = no
+ Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
+
+charon.plugins.eap-radius.filter_id = no
+ Use filter_id attribute as group membership information.
+
+ If the RADIUS _tunnel_type_ attribute with value **ESP** is received, use
+ the _filter_id_ attribute sent in the RADIUS-Accept message as group
+ membership information that is compared to the groups specified in the
+ **rightgroups** option in **ipsec.conf**(5).
+
+charon.plugins.eap-radius.forward.ike_to_radius
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS.
+
+ RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by
+ name or attribute number, a colon can be used to specify vendor-specific
+ attributes, e.g. Reply-Message, or 11, or 36906:12).
+
+charon.plugins.eap-radius.forward.radius_to_ike =
+ Same as ike_to_radius but from RADIUS to IKEv2.
+
+ Same as _charon.plugins.eap-radius.forward.ike_to_radius_ but from RADIUS to
+ IKEv2, a strongSwan specific private notify (40969) is used to transmit the
+ attributes.
+
+charon.plugins.eap-radius.id_prefix
+ Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the
+ EAP method.
+
+charon.plugins.eap-radius.nas_identifier = strongSwan
+ NAS-Identifier to include in RADIUS messages.
+
+charon.plugins.eap-radius.port = 1812
+ Port of RADIUS server (authentication).
+
+charon.plugins.eap-radius.secret =
+ Shared secret between RADIUS and NAS.
+
+charon.plugins.eap-radius.server =
+ IP/Hostname of RADIUS server.
+
+charon.plugins.eap-radius.servers {}
+ Section to specify multiple RADIUS servers.
+
+ Section to specify multiple RADIUS servers. The **nas_identifier**,
+ **secret**, **sockets** and **port** (or **auth_port**) options can be
+ specified for each server. A server's IP/Hostname can be configured using
+ the **address** option. The **acct_port** [1813] option can be used to
+ specify the port used for RADIUS accounting. For each RADIUS server a
+ priority can be specified using the **preference** [0] option.
+
+charon.plugins.eap-radius.sockets = 1
+ Number of sockets (ports) to use, increase for high load.
+
+charon.plugins.eap-radius.xauth {}
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+
+ Section to configure multiple XAuth authentication rounds via RADIUS.
+ The subsections define so called authentication profiles with arbitrary
+ names. In each profile section one or more XAuth types can be configured,
+ with an assigned message. For each type a separate XAuth exchange will be
+ initiated and all replies get concatenated into the User-Password attribute,
+ which then gets verified over RADIUS.
+
+ Available XAuth types are **password**, **passcode**, **nextpin**, and
+ **answer**. 
This type is not relevant to strongSwan or the AAA server, but
+ the client may show a different dialog (along with the configured message).
+
+ To use the configured profiles, they have to be configured in the respective
+ connection in **ipsec.conf**(5) by appending the profile name, separated by
+ a colon, to the **xauth-radius** XAauth backend configuration in _rightauth_
+ or _rightauth2_, for instance, _rightauth2=xauth-radius:profile_.
diff --git a/conf/plugins/eap-sim.opt b/conf/plugins/eap-sim.opt
new file mode 100644
index 000000000..052454c0e
--- /dev/null
+++ b/conf/plugins/eap-sim.opt
@@ -0,0 +1 @@
+charon.plugins.eap-sim.request_identity = yes
diff --git a/conf/plugins/eap-simaka-sql.opt b/conf/plugins/eap-simaka-sql.opt
new file mode 100644
index 000000000..6b87a7e94
--- /dev/null
+++ b/conf/plugins/eap-simaka-sql.opt
@@ -0,0 +1,3 @@
+charon.plugins.eap-simaka-sql.database =
+
+charon.plugins.eap-simaka-sql.remove_used = no
diff --git a/conf/plugins/eap-tls.opt b/conf/plugins/eap-tls.opt
new file mode 100644
index 000000000..e7b96523a
--- /dev/null
+++ b/conf/plugins/eap-tls.opt
@@ -0,0 +1,8 @@
+charon.plugins.eap-tls.fragment_size = 1024
+ Maximum size of an EAP-TLS packet.
+
+charon.plugins.eap-tls.max_message_count = 32
+ Maximum number of processed EAP-TLS packets (0 = no limit).
+
+charon.plugins.eap-tls.include_length = yes
+ Include length in non-fragmented EAP-TLS packets.
diff --git a/conf/plugins/eap-tnc.opt b/conf/plugins/eap-tnc.opt
new file mode 100644
index 000000000..8e060ceda
--- /dev/null
+++ b/conf/plugins/eap-tnc.opt
@@ -0,0 +1,6 @@
+charon.plugins.eap-tnc.max_message_count = 10
+ Maximum number of processed EAP-TNC packets (0 = no limit).
+
+charon.plugins.eap-tnc.protocol = tnccs-1.1
+ IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
+ _tnccs-dynamic_).
diff --git a/conf/plugins/eap-ttls.opt b/conf/plugins/eap-ttls.opt
new file mode 100644
index 000000000..21a6cb674
--- /dev/null
+++ b/conf/plugins/eap-ttls.opt
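Review bot: In the `xauth` description at the end of the eap-radius hunk, `XAauth backend configuration` should read `XAuth backend configuration`, and in the `id_prefix` description earlier `use a IMSI prefix` should read `use an IMSI prefix`. The two forwarding keys are written inconsistently: `charon.plugins.eap-radius.forward.ike_to_radius` has no `=` while `charon.plugins.eap-radius.forward.radius_to_ike =` carries an empty default, so the generated man page will present one as having no default and the other as defaulting to empty, even though the description says they behave the same way; pick one form for both. `charon.plugins.eap-radius.dae.secret` likewise has no default, yet it is the only thing that authenticates DAE messages once `dae.enable = yes` makes the daemon listen on `dae.listen`; a sentence such as `Must be set when dae.enable is yes.` would spare operators a non-obvious misconfiguration, assuming the plugin indeed refuses to run DAE without it (worth confirming against the plugin source).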
@@ -0,0 +1,20 @@
+charon.plugins.eap-ttls.fragment_size = 1024
+ Maximum size of an EAP-TTLS packet.
+
+charon.plugins.eap-ttls.max_message_count = 32
+ Maximum number of processed EAP-TTLS packets (0 = no limit).
+
+charon.plugins.eap-ttls.include_length = yes
+ Include length in non-fragmented EAP-TTLS packets.
+
+charon.plugins.eap-ttls.phase2_method = md5
+ Phase2 EAP client authentication method.
+
+charon.plugins.eap-ttls.phase2_piggyback = no
+ Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
+
+charon.plugins.eap-ttls.phase2_tnc = no
+ Start phase2 EAP TNC protocol after successful client authentication.
+
+charon.plugins.eap-ttls.request_peer_auth = no
+ Request peer authentication based on a client certificate.
diff --git a/conf/plugins/error-notify.opt b/conf/plugins/error-notify.opt
new file mode 100644
index 000000000..44ea0551e
--- /dev/null
+++ b/conf/plugins/error-notify.opt
@@ -0,0 +1,2 @@
+charon.plugins.error-notify.socket = unix://${piddir}/charon.enfy
+ Socket provided by the error-notify plugin.
diff --git a/conf/plugins/gcrypt.opt b/conf/plugins/gcrypt.opt
new file mode 100644
index 000000000..c6b0505d7
--- /dev/null
+++ b/conf/plugins/gcrypt.opt
@@ -0,0 +1,2 @@
+charon.plugins.gcrypt.quick_random = no
+ Use faster random numbers in gcrypt; for testing only, produces weak keys!
diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt
new file mode 100644
index 000000000..77d5b7888
--- /dev/null
+++ b/conf/plugins/ha.opt
@@ -0,0 +1,23 @@
+charon.plugins.ha.autobalance = 0
+ Interval in seconds to automatically balance handled segments between nodes.
+ Set to 0 to disable.
+
+charon.plugins.ha.fifo_interface = yes
+
+charon.plugins.ha.heartbeat_delay = 1000
+
+charon.plugins.ha.heartbeat_timeout = 2100
+
+charon.plugins.ha.local =
+
+charon.plugins.ha.monitor = yes
+
+charon.plugins.ha.pools =
+
+charon.plugins.ha.remote =
+
+charon.plugins.ha.resync = yes
+
+charon.plugins.ha.secret =
+
+charon.plugins.ha.segment_count = 1
diff --git a/conf/plugins/ipseckey.opt b/conf/plugins/ipseckey.opt
new file mode 100644
index 000000000..d4cff26dd
--- /dev/null
+++ b/conf/plugins/ipseckey.opt
@@ -0,0 +1,2 @@
+charon.plugins.ipseckey.enable = no
+ Enable fetching of IPSECKEY RRs via DNS.
diff --git a/conf/plugins/kernel-klips.opt b/conf/plugins/kernel-klips.opt
new file mode 100644
index 000000000..ad9806e71
--- /dev/null
+++ b/conf/plugins/kernel-klips.opt
@@ -0,0 +1,5 @@
+charon.plugins.kernel-klips.ipsec_dev_count = 4
+ Number of ipsecN devices.
+
+charon.plugins.kernel-klips.ipsec_dev_mtu = 0
+ Set MTU of ipsecN device.
diff --git a/conf/plugins/kernel-libipsec.opt b/conf/plugins/kernel-libipsec.opt
new file mode 100644
index 000000000..e76db63d9
--- /dev/null
+++ b/conf/plugins/kernel-libipsec.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-libipsec.allow_peer_ts = no
+ Allow that the remote traffic selector equals the IKE peer.
+
+ Allow that the remote traffic selector equals the IKE peer. The route
+ installed for such traffic (via TUN device) usually prevents further IKE
+ traffic. The fwmark options for the _kernel-netlink_ and _socket-default_
+ plugins can be used to circumvent that problem.
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
new file mode 100644
index 000000000..a8e421b6e
--- /dev/null
+++ b/conf/plugins/kernel-netlink.opt
@@ -0,0 +1,18 @@
+charon.plugins.kernel-netlink.fwmark =
+ Firewall mark to set on the routing rule that directs traffic to our routing
+ table.
+
+ Firewall mark to set on the routing rule that directs traffic to our routing
+ table. The format is [!]mark[/mask], where the optional exclamation mark
+ inverts the meaning (i.e. the rule only applies to packets that don't match
+ the mark).
+
+charon.plugins.kernel-netlink.roam_events = yes
+ Whether to trigger roam events when interfaces, addresses or routes change.
+
+charon.plugins.kernel-netlink.xfrm_acq_expires = 165
+ Lifetime of XFRM acquire state in kernel.
+
+ Lifetime of XFRM acquire state in kernel. The value gets written to
+ /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
+ acquire messages sent.
diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt
new file mode 100644
index 000000000..8b9bb9169
--- /dev/null
+++ b/conf/plugins/kernel-pfroute.opt
@@ -0,0 +1,3 @@
+charon.plugins.kernel-pfroute.vip_wait = 1000
+ Time in ms to wait until virtual IP addresses appear/disappear before
+ failing.
diff --git a/conf/plugins/led.opt b/conf/plugins/led.opt
new file mode 100644
index 000000000..9e2f1ac61
--- /dev/null
+++ b/conf/plugins/led.opt
@@ -0,0 +1,3 @@
+charon.plugins.led.activity_led =
+
+charon.plugins.led.blink_time = 50
diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt
new file mode 100644
index 000000000..6f6cbafc3
--- /dev/null
+++ b/conf/plugins/load-tester.opt
@@ -0,0 +1,4 @@
+charon.plugins.load-tester {}
+ Section to configure the load-tester plugin, see LOAD TESTS in
+ **strongswan.conf**(5)
+
diff --git a/conf/plugins/lookip.opt b/conf/plugins/lookip.opt
new file mode 100644
index 000000000..443eb34bb
--- /dev/null
+++ b/conf/plugins/lookip.opt
@@ -0,0 +1,2 @@
+charon.plugins.lookip.socket = unix://${piddir}/charon.lkp
+ Socket provided by the lookip plugin.
diff --git a/conf/plugins/ntru.opt b/conf/plugins/ntru.opt
new file mode 100644
index 000000000..8e1bebd87
--- /dev/null
+++ b/conf/plugins/ntru.opt
@@ -0,0 +1,8 @@
+charon.plugins.ntru.max_drbg_requests = 4294967294
+ Number of pseudo-random bit requests from the DRBG before an automatic
+ reseeding occurs.
+
+charon.plugins.ntru.parameter_set = optimum
+ The following parameter sets are available: **x9_98_speed**,
+ **x9_98_bandwidth**, **x9_98_balance** and **optimum**, the last set not
+ being part of the X9.98 standard but having the best performance.
diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt
new file mode 100644
index 000000000..55d8dcaa1
--- /dev/null
+++ b/conf/plugins/openssl.opt
@@ -0,0 +1,5 @@
+charon.plugins.openssl.engine_id = pkcs11
+ ENGINE ID to use in the OpenSSL plugin.
+
+charon.plugins.openssl.fips_mode = 0
+ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
new file mode 100644
index 000000000..f5a202844
--- /dev/null
+++ b/conf/plugins/pkcs11.opt
@@ -0,0 +1,26 @@
+charon.plugins.pkcs11.modules {}
+ List of available PKCS#11 modules.
+
+charon.plugins.pkcs11.load_certs = yes
+ Whether to load certificates from tokens.
+
+charon.plugins.pkcs11.reload_certs = no
+ Reload certificates from all tokens if charon receives a SIGHUP.
+
+charon.plugins.pkcs11.use_dh = no
+ Whether the PKCS#11 modules should be used for DH and ECDH (see _use_ecc_
+ option).
+
+charon.plugins.pkcs11.use_ecc = no
+ Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+ operations. ECDSA private keys can be used regardless of this option.
+
+charon.plugins.pkcs11.use_hasher = no
+ Whether the PKCS#11 modules should be used to hash data.
+
+charon.plugins.pkcs11.use_pubkey = no
+ Whether the PKCS#11 modules should be used for public key operations, even
+ for keys not stored on tokens.
+
+charon.plugins.pkcs11.use_rng = no
+ Whether the PKCS#11 modules should be used as RNG.
diff --git a/conf/plugins/radattr.opt b/conf/plugins/radattr.opt
new file mode 100644
index 000000000..dcc1bf2f7
--- /dev/null
+++ b/conf/plugins/radattr.opt
@@ -0,0 +1,9 @@
+charon.plugins.radattr.dir =
+ Directory where RADIUS attributes are stored in client-ID specific files.
+
+charon.plugins.radattr.message_id = -1
+ Add attributes to all IKE_AUTH messages (-1) or only to the one with the
+ given message ID.
+
+ Attributes are added to all IKE_AUTH messages by default (-1), or only to
+ the IKE_AUTH message with the given IKEv2 message ID.
diff --git a/conf/plugins/random.opt b/conf/plugins/random.opt
new file mode 100644
index 000000000..1cbde288b
--- /dev/null
+++ b/conf/plugins/random.opt
@@ -0,0 +1,9 @@
+charon.plugins.random.random = ${random_device}
+ File to read random bytes from.
+
+charon.plugins.random.urandom = ${urandom_device}
+ File to read pseudo random bytes from.
+
+charon.plugins.random.strong_equals_true = no
+ If set to yes the RNG_STRONG class reads random bytes from the same source
+ as the RNG_TRUE class.
diff --git a/conf/plugins/resolve.opt b/conf/plugins/resolve.opt
new file mode 100644
index 000000000..ce65eff9e
--- /dev/null
+++ b/conf/plugins/resolve.opt
@@ -0,0 +1,11 @@
+charon.plugins.resolve.file = /etc/resolv.conf
+ File where to add DNS server entries.
+
+charon.plugins.resolve.resolvconf.iface_prefix = lo.inet.ipsec.
+ Prefix used for interface names sent to resolvconf(8).
+
+ Prefix used for interface names sent to **resolvconf**(8). The nameserver
+ address is appended to this prefix to make it unique. The result has to be
+ a valid interface name according to the rules defined by resolvconf. Also,
+ it should have a high priority according to the order defined in
+ **interface-order**(5).
diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt
new file mode 100644
index 000000000..483a0f03d
--- /dev/null
+++ b/conf/plugins/socket-default.opt
@@ -0,0 +1,11 @@
+charon.plugins.socket-default.fwmark =
+ Firewall mark to set on outbound packets.
+
+charon.plugins.socket-default.set_source = yes
+ Set source address on outbound packets, if possible.
+
+charon.plugins.socket-default.use_ipv4 = yes
+ Listen on IPv4, if possible.
+
+charon.plugins.socket-default.use_ipv6 = yes
+ Listen on IPv6, if possible.
diff --git a/conf/plugins/sql.opt b/conf/plugins/sql.opt
new file mode 100644
index 000000000..5f5f4136b
--- /dev/null
+++ b/conf/plugins/sql.opt
@@ -0,0 +1,5 @@
+charon.plugins.sql.database =
+ Database URI for charons SQL plugin.
+
+charon.plugins.sql.loglevel = -1
+ Loglevel for logging to SQL database.
diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
new file mode 100644
index 000000000..2cfc2c6fa
--- /dev/null
+++ b/conf/plugins/stroke.opt
@@ -0,0 +1,15 @@
+charon.plugins.stroke.ignore_missing_ca_basic_constraint = no
+ Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ certificates even if they don't contain a CA basic constraint.
+
+charon.plugins.stroke.max_concurrent = 4
+ Maximum number of stroke messages handled concurrently.
+
+charon.plugins.stroke.prevent_loglevel_changes = no
+ If enabled log level changes via stroke socket are not allowed.
+
+charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
+ Socket provided by the stroke plugin.
+
+charon.plugins.stroke.timeout = 0
+ Timeout in ms for any stroke command. Use 0 to disable the timeout.
diff --git a/conf/plugins/systime-fix.opt b/conf/plugins/systime-fix.opt
new file mode 100644
index 000000000..7abd03627
--- /dev/null
+++ b/conf/plugins/systime-fix.opt
@@ -0,0 +1,12 @@
+charon.plugins.systime-fix.interval = 0
+ Interval in seconds to check system time for validity. 0 disables the check.
+
+charon.plugins.systime-fix.reauth = no
+ Whether to use reauth or delete if an invalid cert lifetime is detected.
+
+charon.plugins.systime-fix.threshold =
+ Threshold date where system time is considered valid. Disabled if not
+ specified.
+
+charon.plugins.systime-fix.threshold_format = %Y
+ **strptime**(3) format used to parse threshold option.
diff --git a/conf/plugins/test.opt b/conf/plugins/test.opt
deleted file mode 100644
index 9d962e30d..000000000
--- a/conf/plugins/test.opt
+++ /dev/null
@@ -1,30 +0,0 @@
-charon.plugins.test.opt
- This is a normal option without default
-
-charon.plugins.test.noncomment := set this
- This will not be commented out
-
-charon.plugins.test.def = default
- Option with default
-
-charon.plugins.test.sectionnocomment.opt = val
- The section this is in has no description
-
-charon.plugins.test.sub {}
- This section has comments
-
-charon.plugins.test.sub.opt = option in sub
- Section option
-
-charon.plugins.test.<commented> { # }
- Commented example section
-
-charon.plugins.test.<commented>.val = value
- This is commented anyway
-
-charon.plugins.test.<commented>.assign := value
- This is commented too because of the commented section
-
-charon.plugins.test.sub = value
- Sections can also be options with values
- Longer description with **bold** and _italic_.
diff --git a/conf/plugins/tnc-ifmap.opt b/conf/plugins/tnc-ifmap.opt
new file mode 100644
index 000000000..251c41d16
--- /dev/null
+++ b/conf/plugins/tnc-ifmap.opt
@@ -0,0 +1,20 @@
+charon.plugins.tnc-ifmap.client_cert =
+ Path to X.509 certificate file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.client_key =
+ Path to private key file of IF-MAP client.
+
+charon.plugins.tnc-ifmap.device_name =
+ Unique name of strongSwan server as a PEP and/or PDP device.
+
+charon.plugins.tnc-ifmap.renew_session_interval = 150
+ Interval in seconds between periodic IF-MAP RenewSession requests.
+
+charon.plugins.tnc-ifmap.server_uri = https://localhost:8444/imap
+ URI of the form [https://]servername[:port][/path].
+
+charon.plugins.tnc-ifmap.server_cert =
+ Path to X.509 certificate file of IF-MAP server.
+
+charon.plugins.tnc-ifmap.username_password =
+ Credentials of IF-MAP client of the form username:password.
diff --git a/conf/plugins/tnc-pdp.opt b/conf/plugins/tnc-pdp.opt
new file mode 100644
index 000000000..10b9cff9d
--- /dev/null
+++ b/conf/plugins/tnc-pdp.opt
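Review bot: `charon.plugins.tnc-ifmap.username_password =` in the tnc-ifmap hunk holds a cleartext credential, and its description only states the format; because this file feeds the shipped strongswan.conf and its man page, the description should say that the value is stored in clear text so operators know to keep that file's permissions tight, e.g. `Credentials of IF-MAP client of the form username:password (stored in clear text in strongswan.conf).` The `server_uri` description `URI of the form [https://]servername[:port][/path].` marks the scheme as optional but does not say what is assumed when it is omitted; the default value uses `https://`, so if that is the fallback it should be stated, and if plain `http://` is accepted the description should say whether it is rejected or merely allowed. The same cleartext point applies to `client_key`, which names a private key file; a note that the key file itself must be readable only by the daemon's user would belong next to it.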
@@ -0,0 +1,23 @@
+charon.plugins.tnc-pdp.pt_tls.enable = yes
+ Enable PT-TLS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.pt_tls.port = 271
+ PT-TLS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.enable = yes
+ Enable RADIUS protocol on the strongSwan PDP.
+
+charon.plugins.tnc-pdp.radius.method = ttls
+ EAP tunnel method to be used.
+
+charon.plugins.tnc-pdp.radius.port = 1812
+ RADIUS server port the strongSwan PDP is listening on.
+
+charon.plugins.tnc-pdp.radius.secret =
+ Shared RADIUS secret between strongSwan PDP and NAS.
+
+charon.plugins.tnc-pdp.server =
+ Name of the strongSwan PDP as contained in the AAA certificate.
+
+charon.plugins.tnc-pdp.timeout =
+ Timeout in seconds before closing incomplete connections.
diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
new file mode 100644
index 000000000..f8ca9ca12
--- /dev/null
+++ b/conf/plugins/unbound.opt
@@ -0,0 +1,17 @@
+charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ File to read DNS resolver configuration from.
+
+charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
+ File to read DNSSEC trust anchors from (usually root zone KSK).
+
+ File to read DNSSEC trust anchors from (usually root zone KSK). The format
+ of the file is the standard DNS Zone file format, anchors can be stored as
+ DS or DNSKEY entries in the file.
+
+charon.plugins.unbound.dlv_anchors =
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from.
+
+ File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It
+ uses the same format as _trust_anchors_. Only one DLV can be configured,
+ which is then used as a root trusted DLV, this means that it is a lookaside
+ for the root.
diff --git a/conf/plugins/updown.opt b/conf/plugins/updown.opt
new file mode 100644
index 000000000..d8bcc82ab
--- /dev/null
+++ b/conf/plugins/updown.opt
@@ -0,0 +1,7 @@
+charon.plugins.updown.dns_handler = no
+ Whether the updown script should handle assigned DNS servers (if enabled
+ they can't be handled by other plugins, like resolve).
+
+ Whether the updown script should handle DNS servers assigned via IKEv1 Mode
+ Config or IKEv2 Config Payloads (if enabled they can't be handled by other
+ plugins, like resolve)
diff --git a/conf/plugins/whitelist.opt b/conf/plugins/whitelist.opt
new file mode 100644
index 000000000..023f7e235
--- /dev/null
+++ b/conf/plugins/whitelist.opt
@@ -0,0 +1,6 @@
+charon.plugins.whitelist.enable = yes
+ Enable loaded whitelist plugin.
+
+charon.plugins.whitelist.socket = unix://${piddir}/charon.wlst
+ Socket provided by the whitelist plugin.
+
diff --git a/conf/plugins/xauth-eap.opt b/conf/plugins/xauth-eap.opt
new file mode 100644
index 000000000..1663f935c
--- /dev/null
+++ b/conf/plugins/xauth-eap.opt
@@ -0,0 +1,2 @@
+charon.plugins.xauth-eap.backend = radius
+ EAP plugin to be used as backend for XAuth credential verification.
diff --git a/conf/plugins/xauth-pam.opt b/conf/plugins/xauth-pam.opt
new file mode 100644
index 000000000..637dea6a6
--- /dev/null
+++ b/conf/plugins/xauth-pam.opt
@@ -0,0 +1,9 @@
+charon.plugins.xauth-pam.pam_service = login
+ PAM service to be used for authentication.
+
+charon.plugins.xauth-pam.session = no
+ Open/close a PAM session for each active IKE_SA.
+
+charon.plugins.xauth-pam.trim_email = yes
+ If an email address is received as an XAuth username, trim it to just the
+ username part. |