path: root/conf/options
Commit log for conf/options (one entry per commit: subject, author, date, files changed, lines removed/added, followed by the commit message body where one exists).

* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
  Author: Tobias Brunner   Date: 2017-05-23   Files: 1   Lines: -0/+10

  After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.

* ike: Use optional jitter to calculate retransmission timeouts
  Author: Tobias Brunner   Date: 2017-05-23   Files: 1   Lines: -0/+7

  Also adds an optional limit to avoid very high retransmission timeouts with high numbers of retries.

* conf: Document recommended lower limit for SPIs
  Author: Tobias Brunner   Date: 2017-03-23   Files: 1   Lines: -0/+4

* conf: Remove snippet for aikpub2
  Author: Tobias Brunner   Date: 2017-03-23   Files: 1   Lines: -2/+0

* kernel: Make range of SPIs for IPsec SAs configurable
  Author: Tobias Brunner   Date: 2017-03-02   Files: 1   Lines: -0/+6

* ike-sa: Optionally try to migrate to the best path on routing priority changes
  Author: Martin Willi   Date: 2017-02-17   Files: 1   Lines: -0/+10

  When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.

* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk
  Author: Andreas Steffen   Date: 2016-10-11   Files: 1   Lines: -0/+6

* nm: Make global CA directory configurable
  Author: Tobias Brunner   Date: 2016-10-04   Files: 1   Lines: -0/+3

* ike: Set default IKE fragment size to 1280
  Author: Tobias Brunner   Date: 2016-10-04   Files: 1   Lines: -4/+5

  This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).

* Created libtpmtss library handling access to v1.2 and v2.0 TPMs
  Author: Andreas Steffen   Date: 2016-06-22   Files: 2   Lines: -2/+2

* aikpub2: Convert TSS 2.0 AIK public key blob into PKCS#1 format
  Author: Andreas Steffen   Date: 2016-06-22   Files: 1   Lines: -0/+2

* ike: Add configuration option to switch to preferring supplied proposals over local ones
  Author: Tobias Brunner   Date: 2016-06-17   Files: 1   Lines: -0/+5

* ikev2: Add option to disable following redirects as client
  Author: Tobias Brunner   Date: 2016-03-04   Files: 1   Lines: -0/+3

* ikev1: Allow immediate deletion of rekeyed CHILD_SAs
  Author: Tobias Brunner   Date: 2016-03-03   Files: 1   Lines: -0/+8

  When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).

* ikev1: Always enable charon.reuse_ikesa
  Author: Tobias Brunner   Date: 2016-02-01   Files: 1   Lines: -1/+1

  With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later. Fixes #1236.

* file-logger: Add option to print milliseconds within the current second after timestamp
  Author: Tobias Brunner   Date: 2015-11-09   Files: 1   Lines: -0/+4

  For this to look right time_format should end with %S or %T. Closes strongswan/strongswan#18.

* libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen()
  Author: Tobias Brunner   Date: 2015-11-09   Files: 1   Lines: -2/+2

* plugin-loader: Optionally use RTLD_NOW with dlopen()
  Author: Tobias Brunner   Date: 2015-11-09   Files: 1   Lines: -0/+4

  This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes, in particular if such a symbol is used in a code path that is rarely executed. During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.

* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about configurable
  Author: Tobias Brunner   Date: 2015-10-30   Files: 1   Lines: -0/+4

  Fixes #1128.

* starter: Remove documentation for starter.load option
  Author: Tobias Brunner   Date: 2015-08-27   Files: 1   Lines: -3/+0

* Added imc-hcd attributes to strongswan.conf
  Author: Andreas Steffen   Date: 2015-08-18   Files: 1   Lines: -0/+3

* conf: Clarify resolution for two time settings
  Author: Tobias Brunner   Date: 2015-08-10   Files: 1   Lines: -2/+2

  Fixes #1061.

* imv_policy_manager: Added capability to execute an allow or block shell command string
  Author: Andreas Steffen   Date: 2015-04-26   Files: 1   Lines: -0/+13

* trap-manager: Add option to ignore traffic selectors from acquire events
  Author: Tobias Brunner   Date: 2015-03-23   Files: 1   Lines: -0/+11

  The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860.

* ikev2: Add an option to disable constraints against signature schemes
  Author: Tobias Brunner   Date: 2015-03-04   Files: 1   Lines: -0/+8

  If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.

* ikev2: Add a global option to disable RFC 7427 signature authentication
  Author: Tobias Brunner   Date: 2015-03-04   Files: 1   Lines: -0/+3

  This is mostly for testing.

* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
  Author: Martin Willi   Date: 2015-02-20   Files: 1   Lines: -4/+0

  With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.

* ikev2: Trigger make-before-break reauthentication instead of reauth task
  Author: Martin Willi   Date: 2015-02-20   Files: 1   Lines: -0/+10

* mem-pool: Document reassign_online option
  Author: Tobias Brunner   Date: 2015-02-12   Files: 1   Lines: -0/+4

* ike: Add IKEv2 in description of fragment_size option in strongswan.conf
  Author: Tobias Brunner   Date: 2014-10-14   Files: 1   Lines: -3/+4

* ikev1: Move fragment generation to message_t
  Author: Tobias Brunner   Date: 2014-10-10   Files: 1   Lines: -3/+4

* starter: Allow specifying the ipsec.conf location in strongswan.conf
  Author: Shea Levy   Date: 2014-10-02   Files: 1   Lines: -0/+3

* systemd: Add a native systemd journal logger
  Author: Martin Willi   Date: 2014-09-22   Files: 1   Lines: -0/+13

* conf: Document charon.*-scripts options
  Author: Tobias Brunner   Date: 2014-06-30   Files: 1   Lines: -0/+8

* conf: Document swanctl options
  Author: Tobias Brunner   Date: 2014-06-30   Files: 1   Lines: -0/+2

* conf: Document aikgen options
  Author: Tobias Brunner   Date: 2014-06-30   Files: 1   Lines: -0/+2

* autoconf: Replace --disable-tools option with --disable-scepclient
  Author: Tobias Brunner   Date: 2014-06-30   Files: 1   Lines: -0/+0

  Since using a separate option for pki this was the only tool that was still enabled by that option.

* kernel-netlink: Follow RFC 6724 when selecting IPv6 source addresses
  Author: Tobias Brunner   Date: 2014-06-19   Files: 1   Lines: -0/+4

  Instead of using the first address we find on an interface we should consider properties like an address' scope or whether it is temporary or public. Fixes #543.

* configure: Separate pki from --disable-tools
  Author: Martin Willi   Date: 2014-06-04   Files: 2   Lines: -3/+2

  While pki builds and runs just fine on Windows, this is not true for scepclient.

* ikev1: Add an option to accept unencrypted ID/HASH payloads
  Author: Martin Willi   Date: 2014-04-17   Files: 1   Lines: -0/+15

  Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart.

* openac: Remove obsolete openac utility
  Author: Martin Willi   Date: 2014-03-31   Files: 1   Lines: -3/+0

  The same functionality is now provided by the pki --acert subcommand.

* conf: Install config files world-readable but warn about permissions for certain options
  Author: Tobias Brunner   Date: 2014-02-12   Files: 6   Lines: -6/+13

* conf: Document options of other programs
  Author: Tobias Brunner   Date: 2014-02-12   Files: 5   Lines: -0/+62

* conf: Document options of plugins in libpts
  Author: Tobias Brunner   Date: 2014-02-12   Files: 1   Lines: -0/+5

* conf: Document libimcv options
  Author: Tobias Brunner   Date: 2014-02-12   Files: 2   Lines: -0/+32

* conf: Document libtnccs options
  Author: Tobias Brunner   Date: 2014-02-12   Files: 1   Lines: -0/+2

* conf: Add logger example config
  Author: Tobias Brunner   Date: 2014-02-12   Files: 2   Lines: -7/+57

* conf: Converted charon options
  Author: Tobias Brunner   Date: 2014-02-12   Files: 1   Lines: -1/+290

* conf: Generate and install config snippets for option descriptions
  Author: Tobias Brunner   Date: 2014-02-12   Files: 1   Lines: -0/+2

  The strongswan.d directory is also created relative to the configured location of strongswan.conf.