Diffstat (limited to 'man')
-rw-r--r-- man/ipsec.conf.5.in 13
-rw-r--r-- man/strongswan.conf.5.in 11
2 files changed, 23 insertions, 1 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 2766cc4ed..3c0071694 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -452,6 +452,11 @@ suites, the strict flag
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
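Review bot: The ikedscp description gives no non-zero example and does not say which digit is the most significant bit, so a reader has to consult RFC 2474 to write a valid value. Suggest adding one example after "as defined in RFC 2474", for instance 101110 for Expedited Forwarding, and stating what happens when the string is not exactly six binary digits. Minor: "six digit binary encoded" should be hyphenated as "six-digit binary-encoded".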
@@ -737,6 +742,14 @@ can be used to the same effect, e.g.
.B leftprotoport=udp/%any
or
.BR leftprotoport=%any/53 .
+
+The port value can alternatively take the value
+.B %opaque
+for RFC 4301 OPAQUE selectors, or a numerical range in the form
+.BR 1024-65535 .
+None of the kernel backends currently supports opaque or port ranges and uses
+.B %any
+for policy installation instead.
.TP
.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
the left participant's public key for RSA signature authentication, in RFC 2537
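Review bot: The last sentence of the added leftprotoport paragraph understates a security-relevant effect: because the kernel backends install %any in place of %opaque or a range, the installed policy matches every port and is wider than what the administrator wrote. Suggest saying so explicitly, for example that a configured range such as 1024-65535 must not be relied on for filtering since the policy is installed with %any. Wording: "supports opaque or port ranges and uses" has a subject mismatch; "None of the kernel backends currently support opaque selectors or port ranges; they use" reads correctly. The bare empty line that opens the addition would be better as a paragraph macro in man page source.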
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 2fafed62d..3d80d7602 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -569,6 +569,9 @@ Request peer authentication based on a client certificate
.BR charon.plugins.ha.segment_count " [1]"
.TP
+.BR charon.plugins.ipseckey.enable " [no]"
+Enable the fetching of IPSECKEY RRs from the DNS
+.TP
.BR charon.plugins.led.activity_led
.TP
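Review bot: The charon.plugins.ipseckey.enable entry does not say what trust the fetched keys receive. The same patch documents libstrongswan.plugins.unbound.trust_anchors for DNSSEC, so the description should state whether IPSECKEY RRs are accepted only when DNSSEC-validated and refer to the unbound options; as written, a reader cannot tell whether enabling this means authenticating peers from unauthenticated DNS answers.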
@@ -776,6 +779,12 @@ File to read random bytes from, instead of @DEV_RANDOM@
.TP
.BR libstrongswan.plugins.random.urandom " [@DEV_URANDOM@]"
File to read pseudo random bytes from, instead of @DEV_URANDOM@
+.TP
+.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK)
.SS libtnccs section
.TP
.BR libtnccs.tnc_config " [/etc/tnc_config]"
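Review bot: The trust_anchors entry gives the default path /etc/ipsec.d/dnssec.keys but not the expected file format or the behaviour when the file is missing or unreadable, which for a DNSSEC trust anchor determines whether validation fails closed. Suggest documenting both. For resolv_conf, a short remark that the resolvers listed there are the ones queried by the unbound plugin would make the relationship between the two options clear.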
@@ -1352,7 +1361,7 @@ Authentication method(s) the intiator uses
Initiator ID used in load test
.TP
.BR charon.plugins.load-tester.initiator_match
-Initiator ID to to match against as responder
+Initiator ID to match against as responder
.TP
.BR charon.plugins.load-tester.initiator_tsi
Traffic selector on initiator side, as proposed by initiator
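Review bot: The "to to" fix is correct, but the hunk header context shows another typo in the same block, "Authentication method(s) the intiator uses", that this change leaves in place. Suggest correcting "intiator" to "initiator" in the same commit so the load-tester section is cleaned up in one pass.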