diff options
Diffstat (limited to 'conf')
| -rw-r--r-- | conf/options/charon.opt | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index c6f4f1e9e..aaf4fdc14 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -8,6 +8,21 @@ charon {} **charon-cmd** instead of **charon**). For many options defaults can be defined in the **libstrongswan** section. +charon.accept_unencrypted_mainmode_messages = no + Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + + Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + + Some implementations send the third Main Mode message unencrypted, probably + to find the PSKs for the specified ID for authentication. This is very + similar to Aggressive Mode, and has the same security implications: A + passive attacker can sniff the negotiated Identity, and start brute forcing + the PSK using the HASH payload. + + It is recommended to keep this option to no, unless you know exactly + what the implications are and require compatibility to such devices (for + example, some SonicWall boxes). + charon.block_threshold = 5 Maximum number of half-open IKE_SAs for a single peer IP. |