path: root/conf/options
Commit log for conf/options, newest first. Each entry lists the commit message, then (Author, Age; Files changed, Lines -deleted/+added); the commit body, where present, follows indented.

* The pacman tool got replaced by the sec-updater tool (Tobias Brunner, 2017-11-15; 1 file, -7/+0)
* sec-updater: Fix typo in documentation (Tobias Brunner, 2017-11-15; 1 file, -1/+1)
* ikev2: Enumerate RSA/PSS schemes and use them if enabled (Tobias Brunner, 2017-11-08; 1 file, -0/+3)
* sec-updater: Import SWID tags of updated packages (Andreas Steffen, 2017-09-09; 1 file, -0/+29)
  sec-updater downloads the deb package files from security updates from a given linux repository and uses the swid_generator command to derive a SWID tag. The SWID tag is then imported into strongTNC using the manage.py importswid command.
* sw-collector: Moved info class to libimcv (Andreas Steffen, 2017-08-09; 1 file, -3/+0)
* conf: Descriptions of several settings updated (Tobias Brunner, 2017-08-08; 1 file, -4/+12)
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2017-08-07; 1 file, -1/+1)
* swid-gen: Share SWID generator between sw-collector, imc-swima and imc-swid (Andreas Steffen, 2017-08-04; 2 files, -9/+9)
* sw-collector: Added --full option (Andreas Steffen, 2017-08-03; 1 file, -0/+3)
* swanctl: Read default socket from swanctl.socket option (Tobias Brunner, 2017-07-27; 1 file, -1/+4)
  Also read from swanctl.plugins.vici.socket so we get libstrongswan.plugins.vici.socket if it is defined. Fixes #2372.
* sw-collector: sw-collector.first_file setting retrieves creation date from file stats (Andreas Steffen, 2017-07-26; 1 file, -0/+3)
* sw-collector: Query central collector database (Andreas Steffen, 2017-07-08; 1 file, -0/+12)
* sw-collector: Collects endpoint software events (Andreas Steffen, 2017-07-08; 1 file, -0/+17)
* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs (Tobias Brunner, 2017-05-23; 1 file, -0/+10)
  After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
* ike: Use optional jitter to calculate retransmission timeouts (Tobias Brunner, 2017-05-23; 1 file, -0/+7)
  Also adds an optional limit to avoid very high retransmission timeouts with high numbers of retries.
* conf: Document recommended lower limit for SPIs (Tobias Brunner, 2017-03-23; 1 file, -0/+4)
* conf: Remove snippet for aikpub2 (Tobias Brunner, 2017-03-23; 1 file, -2/+0)
* kernel: Make range of SPIs for IPsec SAs configurable (Tobias Brunner, 2017-03-02; 1 file, -0/+6)
* ike-sa: Optionally try to migrate to the best path on routing priority changes (Martin Willi, 2017-02-17; 1 file, -0/+10)
  When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk (Andreas Steffen, 2016-10-11; 1 file, -0/+6)
* nm: Make global CA directory configurable (Tobias Brunner, 2016-10-04; 1 file, -0/+3)
* ike: Set default IKE fragment size to 1280 (Tobias Brunner, 2016-10-04; 1 file, -4/+5)
  This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* Created libtpmtss library handling access to v1.2 and v2.0 TPMs (Andreas Steffen, 2016-06-22; 2 files, -2/+2)
* aikpub2: Convert TSS 2.0 AIK public key blob into PKCS#1 format (Andreas Steffen, 2016-06-22; 1 file, -0/+2)
* ike: Add configuration option to switch to preferring supplied proposals over local ones (Tobias Brunner, 2016-06-17; 1 file, -0/+5)
* ikev2: Add option to disable following redirects as client (Tobias Brunner, 2016-03-04; 1 file, -0/+3)
* ikev1: Allow immediate deletion of rekeyed CHILD_SAs (Tobias Brunner, 2016-03-03; 1 file, -0/+8)
  When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Always enable charon.reuse_ikesa (Tobias Brunner, 2016-02-01; 1 file, -1/+1)
  With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later. Fixes #1236.
* file-logger: Add option to print milliseconds within the current second after timestamp (Tobias Brunner, 2015-11-09; 1 file, -0/+4)
  For this to look right time_format should end with %S or %T. Closes strongswan/strongswan#18.
* libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen() (Tobias Brunner, 2015-11-09; 1 file, -2/+2)
* plugin-loader: Optionally use RTLD_NOW with dlopen() (Tobias Brunner, 2015-11-09; 1 file, -0/+4)
  This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes. In particular, if such a symbol is used in a code path that is rarely executed. During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.
* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about configurable (Tobias Brunner, 2015-10-30; 1 file, -0/+4)
  Fixes #1128.
* starter: Remove documentation for starter.load option (Tobias Brunner, 2015-08-27; 1 file, -3/+0)
* Added imc-hcd attributes to strongswan.conf (Andreas Steffen, 2015-08-18; 1 file, -0/+3)
* conf: Clarify resolution for two time settings (Tobias Brunner, 2015-08-10; 1 file, -2/+2)
  Fixes #1061.
* imv_policy_manager: Added capability to execute an allow or block shell command string (Andreas Steffen, 2015-04-26; 1 file, -0/+13)
* trap-manager: Add option to ignore traffic selectors from acquire events (Tobias Brunner, 2015-03-23; 1 file, -0/+11)
  The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860.
* ikev2: Add an option to disable constraints against signature schemes (Tobias Brunner, 2015-03-04; 1 file, -0/+8)
  If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Add a global option to disable RFC 7427 signature authentication (Tobias Brunner, 2015-03-04; 1 file, -0/+3)
  This is mostly for testing.
* mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth (Martin Willi, 2015-02-20; 1 file, -4/+0)
  With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port.
* ikev2: Trigger make-before-break reauthentication instead of reauth task (Martin Willi, 2015-02-20; 1 file, -0/+10)
* mem-pool: Document reassign_online option (Tobias Brunner, 2015-02-12; 1 file, -0/+4)
* ike: Add IKEv2 in description of fragment_size option in strongswan.conf (Tobias Brunner, 2014-10-14; 1 file, -3/+4)
* ikev1: Move fragment generation to message_t (Tobias Brunner, 2014-10-10; 1 file, -3/+4)
* starter: Allow specifying the ipsec.conf location in strongswan.conf (Shea Levy, 2014-10-02; 1 file, -0/+3)
* systemd: Add a native systemd journal logger (Martin Willi, 2014-09-22; 1 file, -0/+13)
* conf: Document charon.*-scripts options (Tobias Brunner, 2014-06-30; 1 file, -0/+8)
* conf: Document swanctl options (Tobias Brunner, 2014-06-30; 1 file, -0/+2)
* conf: Document aikgen options (Tobias Brunner, 2014-06-30; 1 file, -0/+2)
* autoconf: Replace --disable-tools option with --disable-scepclient (Tobias Brunner, 2014-06-30; 1 file, -0/+0)
  Since using a separate option for pki this was the only tool that was still enabled by that option.