Diffstat (limited to 'src/swanctl/swanctl.opt')
-rw-r--r-- | src/swanctl/swanctl.opt | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index a3e3cd4eb..b053fe32a 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -309,6 +309,19 @@ connections.<conn>.local<suffix>.auth = pubkey An EAP module implementing the appropriate method is selected to perform the EAP conversation. + If both peers support RFC 7427 ("Signature Authentication in IKEv2") + specific hash algorithms to be used during IKEv2 authentication may be + configured. To do so use _ike:_ followed by a trust chain signature scheme + constraint (see description of the **remote** section's **auth** keyword). + For example, with _ike:pubkey-sha384-sha256_ a public key signature scheme + with either SHA-384 or SHA-256 would get used for authentication, in that + order and depending on the hash algorithms supported by the peer. If no + specific hash algorithms are configured, the default is to prefer an + algorithm that matches or exceeds the strength of the signature key. + If no constraints with _ike:_ prefix are configured any signature scheme + constraint (without _ike:_ prefix) will also apply to IKEv2 authentication, + unless this is disabled in **strongswan.conf**(5). + connections.<conn>.local<suffix>.id = IKE identity to use for authentication round. 
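Review bot: the new paragraph on the _ike:_ prefix does not say what happens when the peer does not support RFC 7427 but an _ike:_ constraint is configured; a reader cannot tell from "If both peers support RFC 7427 ... may be configured" whether the constraint is silently ignored or authentication fails, and that distinction matters for anyone relying on it to enforce a minimum hash strength. The sentence also needs a comma after the conditional clause: "If both peers support RFC 7427 ("Signature Authentication in IKEv2"), specific hash algorithms ...", and likewise "If no constraints with _ike:_ prefix are configured, any signature scheme constraint ...". Finally, "unless this is disabled in **strongswan.conf**(5)" should name the option so that an operator can find and audit it rather than search the whole manual page.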
@@ -415,9 +428,25 @@ connections.<conn>.remote<suffix>.auth = pubkey Authentication to expect from remote (_pubkey_, _psk_, _xauth[-backend]_ or _eap[-method]_). - Authentication to expect from remote. See the **local** sections **auth** + Authentication to expect from remote. See the **local** section's **auth** keyword description about the details of supported mechanisms. + To require a trustchain public key strength for the remote side, specify the + key type followed by the minimum strength in bits (for example _ecdsa-384_ + or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms + for trustchain validation, append hash algorithms to _pubkey_ or a key + strength definition (for example _pubkey-sha1-sha256_ or + _rsa-2048-ecdsa-256-sha256-sha384-sha512_). + Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature + constraints are configured (refer to the description of the **local** + section's **auth** keyword for details), such key types and hash algorithms + are also applied as constraints against IKEv2 signature authentication + schemes used by the remote side. + + To specify trust chain constraints for EAP-(T)TLS, append a colon to the + EAP method, followed by the key type/size and hash algorithm as discussed + above (e.g. _eap-tls:ecdsa-384-sha384_). + connections.<conn>.children.<child> {} CHILD_SA configuration sub-section. |
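Review bot: the example _pubkey-sha1-sha256_ in the hash-constraint paragraph puts SHA-1 into the documented example for a setting whose whole purpose is to restrict the accepted hash algorithms; since operators copy such examples, consider an example made of current algorithms only, e.g. _pubkey-sha256-sha384_, matching the stronger _sha256-sha384-sha512_ list used two lines later. The hunk also mixes "trustchain" (first two paragraphs) with "trust chain" (EAP-(T)TLS paragraph and the **local** hunk); one spelling should be used throughout. It would further help to state explicitly what is accepted when a key strength is given without any hash algorithms (for example _ecdsa-384_ alone), since the text only describes the case where hashes are appended.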