path: root/conf
Commit log (each entry: subject, author, date, files changed, lines -removed/+added)
* conf: Document recommended lower limit for SPIs (Tobias Brunner, 2017-03-23, 1 file, -0/+4)
* conf: Remove snippet for aikpub2 (Tobias Brunner, 2017-03-23, 2 files, -3/+0)
* The tpm plugin offers random number generation (Andreas Steffen, 2017-03-20, 2 files, -0/+3)

  The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* kernel: Make range of SPIs for IPsec SAs configurable (Tobias Brunner, 2017-03-02, 1 file, -0/+6)
* addrblock: Support an optional non-strict mode accepting certs without addrblock (Martin Willi, 2017-03-02, 2 files, -0/+9)

  This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
* ike-sa: Optionally try to migrate to the best path on routing priority changes (Martin Willi, 2017-02-17, 1 file, -0/+10)

  When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues.

  This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available.

  By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
* revocation: More accurately describe the flags to disable OCSP/CRL validation (Tobias Brunner, 2017-02-15, 1 file, -2/+2)

  These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled.
* bypass-lan: Allow ignoring or only considering subnets of specific interfaces (Tobias Brunner, 2017-02-08, 2 files, -0/+9)

  The config can also be reloaded by sending a SIGHUP to charon.
* pkcs11: Fix documentation of load_certs option (Tobias Brunner, 2017-02-06, 1 file, -2/+8)

  This option is actually module-specific.
* kernel-netlink: Allow change of Netlink socket receive buffer size (Thomas Egerer, 2017-01-25, 1 file, -0/+17)

  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* revocation: OCSP and/or CRL fetching can be disabled (Andreas Steffen, 2016-12-30, 2 files, -0/+8)
* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk (Andreas Steffen, 2016-10-11, 1 file, -0/+6)
* nm: Make global CA directory configurable (Tobias Brunner, 2016-10-04, 2 files, -0/+4)
* ike: Set default IKE fragment size to 1280 (Tobias Brunner, 2016-10-04, 1 file, -4/+5)

  This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* kernel-netlink: Support configuring XFRM policy hashing thresholds (Tobias Brunner, 2016-09-30, 1 file, -0/+29)

  If the number of flows over a gateway exceeds the flow cache size of the Linux kernel, policy lookup gets very expensive. Policies covering more than a single address don't get hash-indexed by default, which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use. Starting with several hundred policies the overhead gets unacceptable.

  Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet to perform indexed lookup. With correctly chosen netbits, this can completely eliminate the performance impact of policy lookups, freeing the resources for ESP crypto.

  WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a NULL pointer dereference if a socket policy is installed while hash thresholds are changed. And because the hashtable rebuild triggered by the threshold change that causes this is scheduled it might also happen if the socket policies are seemingly installed after setting the thresholds. The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when rebuilding hash tables") - is included since 4.8 (and might get backported). As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled to replace the socket policies that allow IKE traffic with port specific bypass policies.
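  The kernel-netlink section below is an added configuration example written for this page; it is not taken from the commit or from strongSwan's own files. The commit does not spell out the threshold option names, so the `spdh_thresh.<family>.lbits`/`rbits` names used here are an assumption about the plugin's strongswan.conf keys; `port_bypass` is the workaround the commit itself names. Check the running kernel with `uname -r` before enabling the thresholds: on 3.19 through 4.7 the workaround is required, on 4.8 and later it is not.

```conf
charon {
    plugins {
        kernel-netlink {
            # Assumed option names: spdh_thresh.<family>.{lbits,rbits}.
            # lbits/rbits are the number of leading bits of the local and
            # remote selector subnet that the kernel hashes on. A policy
            # whose prefix is shorter than the threshold is not hashed at
            # all, so pick values no larger than the narrowest prefix your
            # policies actually use, and no smaller than needed, otherwise
            # many policies collapse into the same bucket.
            spdh_thresh {
                ipv4 {
                    lbits = 16
                    rbits = 16
                }
                ipv6 {
                    lbits = 48
                    rbits = 48
                }
            }

            # Workaround for the NULL pointer dereference on kernels 3.19
            # through 4.7: the bypass for IKE traffic is installed as
            # port-specific policies instead of socket policies, so the
            # hashtable rebuild triggered by the thresholds above never
            # touches a socket policy. Only needed on affected kernels;
            # the default (no) is fine on 4.8 and later.
            port_bypass = yes
        }
    }
}
```

  Reload with `ipsec reload` or a SIGHUP to charon after editing, and confirm the thresholds took effect with `ip xfrm policy` on a gateway that carries a few hundred subnet policies: lookup cost should stop growing with the policy count.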
* conf: Extend description of charon.plugins.kernel-netlink.xfrm_acq_expires (Tobias Brunner, 2016-08-29, 1 file, -5/+9)
* conf: aikpub2.opt added to Makefile.am (Andreas Steffen, 2016-08-25, 1 file, -0/+1)
* libtpmtss: Implemented TSS2 quote() method (Andreas Steffen, 2016-06-26, 1 file, -0/+3)
* libimcv: migrate pts to tpm_tss (Andreas Steffen, 2016-06-22, 1 file, -0/+3)
* Created libtpmtss library handling access to v1.2 and v2.0 TPMs (Andreas Steffen, 2016-06-22, 2 files, -2/+2)
* aikpub2: Convert TSS 2.0 AIK public key blob into PKCS#1 format (Andreas Steffen, 2016-06-22, 1 file, -0/+2)
* ike: Add configuration option to switch to preferring supplied proposals over local ones (Tobias Brunner, 2016-06-17, 1 file, -0/+5)
* p-cscf: Make sending requests configurable and disable it by default (Tobias Brunner, 2016-03-10, 2 files, -0/+12)
* ikev2: Add option to disable following redirects as client (Tobias Brunner, 2016-03-04, 1 file, -0/+3)
* ikev1: Allow immediate deletion of rekeyed CHILD_SAs (Tobias Brunner, 2016-03-03, 1 file, -0/+8)

  When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA.

  This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system.

  This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Always enable charon.reuse_ikesa (Tobias Brunner, 2016-02-01, 1 file, -1/+1)

  With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later.

  Fixes #1236.
* conf: Add support for escaping dots in section/option names (Tobias Brunner, 2015-12-04, 1 file, -15/+27)
* eap-radius: Add ability to configure RADIUS retransmission behavior (Thom Troy, 2015-11-17, 1 file, -1/+12)

  Closes strongswan/strongswan#19.
* file-logger: Add option to print milliseconds within the current second after timestamp (Tobias Brunner, 2015-11-09, 1 file, -0/+4)

  For this to look right time_format should end with %S or %T.

  Closes strongswan/strongswan#18.
* libtnccs: Optionally use RTLD_NOW to load IMC/IMVs with dlopen() (Tobias Brunner, 2015-11-09, 1 file, -2/+2)
* plugin-loader: Optionally use RTLD_NOW with dlopen() (Tobias Brunner, 2015-11-09, 1 file, -0/+4)

  This can be useful when writing custom plugins as typos or missing linker flags that result in unresolved symbols in the shared object could otherwise cause late crashes. In particular, if such a symbol is used in a code path that is rarely executed.

  During development and testing using RTLD_NOW instead of RTLD_LAZY will prevent the plugin from getting loaded and makes the error visible immediately.
* ikev1: Make maximum number of IKEv1 phase 2 exchanges we keep state about configurable (Tobias Brunner, 2015-10-30, 1 file, -0/+4)

  Fixes #1128.
* conf: Add documentation for new osx-attr option (Tobias Brunner, 2015-08-28, 2 files, -0/+4)
* conf: Fix declaration of default values for imc-hcd options (Tobias Brunner, 2015-08-27, 1 file, -5/+5)
* starter: Remove documentation for starter.load option (Tobias Brunner, 2015-08-27, 1 file, -3/+0)
* stroke: Add an option to disable side-swapping of configuration options (Tobias Brunner, 2015-08-21, 1 file, -0/+5)

  In some scenarios it might be preferred to ensure left is always local and no unintended swaps occur.
* Added imc-hcd attributes to strongswan.conf (Andreas Steffen, 2015-08-18, 3 files, -0/+75)
* conf: Clarify resolution for two time settings (Tobias Brunner, 2015-08-10, 2 files, -4/+4)

  Fixes #1061.
* eap-radius: Change trigger for Accounting Start messages for IKEv1 (Tobias Brunner, 2015-08-06, 1 file, -1/+1)

  Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server.

  Since 31be582399 the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange we trigger the Start message when a virtual IP is assigned to a client.

  With this the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression.

  Fixes #937.
* kernel-netlink: Use PAGE_SIZE as default size for the netlink receive buffer (Tobias Brunner, 2015-08-04, 1 file, -1/+1)

  The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to the PAGE_SIZE if it is lower than 8192 or to that value otherwise.

  In some cases (e.g. for dump messages) the kernel might use up to 16k for messages, which might require increasing this value.
* kernel-netlink: Make buffer size for received Netlink messages configurable (Tobias Brunner, 2015-05-21, 1 file, -0/+3)
* imv_policy_manager: Added capability to execute an allow or block shell command string (Andreas Steffen, 2015-04-26, 2 files, -0/+14)
* Added PB-TNC test options to strongswan.conf man page (Andreas Steffen, 2015-03-27, 1 file, -0/+6)
* Fixed strongswan.conf man page entry of imc-attestation (Andreas Steffen, 2015-03-27, 2 files, -18/+18)
* Optionally announce PB-TNC mutual protocol capability (Andreas Steffen, 2015-03-23, 1 file, -0/+3)
* trap-manager: Add option to ignore traffic selectors from acquire events (Tobias Brunner, 2015-03-23, 1 file, -0/+11)

  The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly.

  References #860.
* kernel-pfkey: Add option to set receive buffer size of event socket (Tobias Brunner, 2015-03-06, 2 files, -0/+8)

  If many requests are sent to the kernel the events generated by these requests may fill the receive buffer before the daemon is able to read these messages.

  Fixes #783.
* ikev2: Add an option to disable constraints against signature schemes (Tobias Brunner, 2015-03-04, 1 file, -0/+8)

  If this is disabled the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored.

  Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains.
* ikev2: Add a global option to disable RFC 7427 signature authentication (Tobias Brunner, 2015-03-04, 1 file, -0/+3)

  This is mostly for testing.
* Implemented improved BLISS-B signature algorithm (Andreas Steffen, 2015-02-25, 2 files, -0/+3)