path: root/man
Commit message | Author | Age | Files | Lines
* auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf | Tobias Brunner | 2017-11-08 | 1 | -0/+6
|   Also document the rsa/pss prefix.
* man: Fix documentation of inbound mark behavior in ipsec.conf(5) | Tobias Brunner | 2017-11-02 | 1 | -5/+5
|
* child-sa: Allow requesting different unique marks for in/out | Eyal Birger | 2017-08-07 | 1 | -1/+4
|   When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue as the 'fwd' policy uses the 'in' mark and will not match outbound traffic.
|   Closes strongswan/strongswan#78.
* stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -0/+7
|
* Add an option to announce support for IKE fragmentation but not sending fragments | Tobias Brunner | 2017-05-23 | 1 | -6/+15
|
* man: Describe the tunneling of several subnets with IKEv1 in more detail | Noel Kuntze | 2017-03-23 | 1 | -1/+3
|
* man: Add note about modeconfig having to match | Noel Kuntze | 2017-03-23 | 1 | -0/+1
|
* man: Describe what happens when a FQDN is specified in left or right | Noel Kuntze | 2017-03-20 | 1 | -0/+5
|
* starter: Enable IKE fragmentation by default | Tobias Brunner | 2016-10-04 | 1 | -4/+5
|
* man: Update description of the esp keyword | Tobias Brunner | 2016-08-31 | 1 | -8/+19
|   Clarifies how DH groups are applied, updates the proposal selection description and ESN can now also be configured for IKEv1.
|   References #1039.
* man: Updated default proposals in ipsec.conf(5) | Tobias Brunner | 2016-03-11 | 1 | -4/+4
|
* auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 | -4/+9
|   This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints.
* man: Update description of the actions performed for different dpdaction values | Tobias Brunner | 2015-11-18 | 1 | -7/+8
|   For instance, charon does not unroute `auto=route` connections with `dpdaction=clear`.
* man: Clarify identity parsing and identity type prefixes | Tobias Brunner | 2015-08-17 | 1 | -6/+58
|   References #1028.
* man: Clarification of ah keyword description | Adrian-Ken Rueegsegger | 2015-05-19 | 1 | -1/+1
|
* man: More accurately describe features of the new parser in ipsec.conf(5) | Tobias Brunner | 2015-03-20 | 1 | -46/+34
|
* man: Add documentation about IKEv2 signature schemes | Tobias Brunner | 2015-03-04 | 1 | -0/+15
|
* man: Describe trust chain constraints configuration for EAP methods | Martin Willi | 2015-03-03 | 1 | -1/+3
|
* ipsec-types: Support the %unique mark value | Martin Willi | 2015-02-20 | 1 | -1/+3
|
* man: Document IKEv2 fragmentation in ipsec.conf(5) | Tobias Brunner | 2015-02-10 | 1 | -4/+5
|
* stroke: Add support for address range definitions of in-memory pools | Tobias Brunner | 2014-10-30 | 1 | -1/+3
|
* man: Document identification type prefixes in ipsec.conf(5) | Martin Willi | 2014-10-30 | 1 | -2/+27
|
* man: Skip installation of ipsec.conf/secrets manpages when not building starter | Martin Willi | 2014-09-22 | 1 | -1/+5
|
* man: Document where left|rightsigkey searches for public key files | Tobias Brunner | 2014-07-14 | 1 | -2/+3
|
* man: Document replay_window ipsec.conf option | Tobias Brunner | 2014-06-30 | 1 | -0/+9
|
* conf: Generate strongswan.conf(5) man page in different directory | Tobias Brunner | 2014-02-12 | 2 | -1783/+1
|
* plugin-loader: Optionally use load option in each plugin section to load plugins | Tobias Brunner | 2014-02-12 | 1 | -0/+9
|   This now works because all plugins use the same config namespace.
|
|   If <ns>.load_modular is true, the list of plugins to load is determined via the value of the <ns>.plugins.<name>.load options.
|
|   Using includes the following is possible:
|
|       charon {
|           load_modular = yes
|           plugins {
|               include strongswan.d/charon/*.conf
|           }
|       }
|       charon-cmd {
|           load_modular = yes
|           plugins {
|               include strongswan.d/charon-cmd/*.conf
|           }
|       }
|
|   Where each .conf file would contain something like:
|
|       <name> {
|           load = yes
|           <option> = <value>
|       }
|
|   To increase the priority of individual plugins load = <priority> can be used (the default is 1). For instance, to use openssl instead of the built-in crypto plugins set in strongswan.d/charon/openssl.conf:
|
|       openssl {
|           load = 10
|       }
|
|   If two plugins have the same priority their order in the default plugin list is preserved. Plugins not found in that list are ordered alphabetically before other plugins with the same priority.
* libtls: Move settings to <ns>.tls with fallback to libtls | Tobias Brunner | 2014-02-12 | 1 | -13/+12
|
* lib: All settings use configured namespace | Tobias Brunner | 2014-02-12 | 1 | -142/+142
|
* ike: Restart inactivity counter after doing a CHILD_SA rekey | Martin Willi | 2014-01-23 | 1 | -1/+3
|   When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter than the rekey time to have any effect.
* man: Document xauth-pam session option | Martin Willi | 2014-01-23 | 1 | -0/+3
|
* stroke: Add an option to prevent log level changes via stroke socket | Tobias Brunner | 2014-01-23 | 1 | -0/+3
|
* man: Add documentation of the dhcp interface option | Thomas Egerer | 2014-01-20 | 1 | -0/+5
|   Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Fixed formatting in strongswan.conf | Andreas Steffen | 2013-12-03 | 1 | -3/+7
|
* Added DRBG automatic reseeding tests | Andreas Steffen | 2013-11-27 | 1 | -0/+4
|
* Any of the four NTRU parameter sets can be selected | Andreas Steffen | 2013-11-27 | 1 | -2/+2
|
* Make the NTRU parameter set configurable | Andreas Steffen | 2013-11-27 | 1 | -0/+5
|
* Implemented libstrongswan.plugins.random.strong_equals_true option | Andreas Steffen | 2013-11-16 | 1 | -0/+4
|
* man: strongswan.conf(5) updated | Tobias Brunner | 2013-10-29 | 1 | -5/+35
|
* ipsec.conf.5: Note about ICMP[v6] message type/code added | Tobias Brunner | 2013-10-17 | 1 | -0/+8
|
* unbound: Add support for DLV (DNSSEC Lookaside Validation) | Tobias Brunner | 2013-10-11 | 1 | -1/+9
|   Fixes #392.
* kernel-libipsec: Add an option to allow remote TS to match the IKE peer | Tobias Brunner | 2013-10-11 | 1 | -0/+7
|   Setting the fwmark options for the kernel-netlink and socket-default plugins allows this kind of setup. It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make it work.
* socket-default: Allow setting firewall mark on outbound packets | Tobias Brunner | 2013-10-11 | 1 | -0/+3
|
* kernel-netlink: Allow setting firewall marks on routing rule | Tobias Brunner | 2013-10-11 | 1 | -0/+5
|
* ipsec.conf: Add a description for the new 'ah' keyword. | Martin Willi | 2013-10-11 | 1 | -0/+41
|
* xauth-pam: Make trimming of email addresses optional [5.1.1dr4] | Tobias Brunner | 2013-10-04 | 1 | -0/+4
|   Fixes #430.
* kernel-netlink: Allow to override xfrm_acq_expires value | Ansis Atteka | 2013-09-23 | 1 | -0/+5
|   When using auto=route, current xfrm_acq_expires default value implies that tunnel can be down for up to 165 seconds, if other peer rejected first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for acknowledgment that they have updated their configurations. This patch allows strongswan to override xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf.
|   Signed-off-by: Ansis Atteka <aatteka@nicira.com>
* strongswan.conf: Use configured piddir for UNIX sockets | Tobias Brunner | 2013-09-13 | 1 | -6/+6
|
* Build generated man pages via configure script | Tobias Brunner | 2013-09-13 | 5 | -23/+14
|
* Make SWID directory where tags are stored configurable | Andreas Steffen | 2013-09-05 | 1 | -0/+3
|