charon.conf
# Options for the charon IKE daemon.
#
# Format is strongswan.conf(5): nested "section { key = value }" blocks and
# full-line "#" comments. A commented "# key = value" line is not parsed, so
# it has no effect and the daemon's built-in default applies. Only three keys
# in this file are uncommented and therefore in force:
#   install_routes, install_virtual_ip_on, interfaces_use
# NOTE(review): the commented values look like upstream defaults, but the
# file does not say so; confirm against strongswan.conf(5) for the installed
# version before treating them as the effective configuration.
charon {

# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
# Security: the default (no) keeps these payloads protected; enabling it is
# only an interoperability concession for a peer that sends them in the clear.
# accept_unencrypted_mainmode_messages = no

# Maximum number of half-open IKE_SAs for a single peer IP.
# Part of the half-open/DoS protection set together with cookie_threshold,
# dos_protection, half_open_timeout and init_limit_* below.
# block_threshold = 5

# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes

# Send Cisco Unity vendor ID payload (IKEv1 only).
# cisco_unity = yes

# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no

# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10

# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes

# DNS server assigned to peer via configuration payload (CP).
# dns1 =

# DNS server assigned to peer via configuration payload (CP).
# dns2 =

# Enable Denial of Service protection using cookies and aggressiveness
# checks.
# Security: keep enabled on any responder reachable from untrusted networks;
# cookie_threshold and block_threshold above tune when it kicks in.
# dos_protection = yes

# Compliance with the errata for RFC 4753.
# ecp_x_coordinate_only = yes

# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no

# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
# address family specific default values). If specified this limit is
# used for both IPv4 and IPv6.
# fragment_size = 0

# Name of the group the daemon changes to after startup.
# group =

# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
# half_open_timeout = 30

# Enable hash and URL support.
# hash_and_url = no

# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# Security: keep at the default (no). The option name is deliberate: in
# Aggressive Mode the PSK-based authentication hash is exchanged before the
# channel is protected, so a captured exchange can be attacked offline.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no

# Whether to ignore the traffic selectors from the kernel's acquire events
# for IKEv2 connections (they are not used for IKEv1).
# ignore_acquire_ts = no

# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =

# Maximum number of IKE_SAs that can be established at the same time before
# new connection attempts are blocked.
# ikesa_limit = 0

# Number of exclusively locked segments in the hash table.
# ikesa_table_segments = 1

# Size of the IKE_SA hash table.
# ikesa_table_size = 1

# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
# inactivity_close_ike = no

# Limit new connections based on the current number of half open IKE_SAs,
# see IKE_SA_INIT DROPPING in strongswan.conf(5).
# init_limit_half_open = 0

# Limit new connections based on the number of queued jobs.
# init_limit_job_load = 0

# Causes charon daemon to ignore IKE initiation requests.
# initiator_only = no

# Install routes into a separate routing table for established IPsec
# tunnels.
# Active setting: charon does not install routes for the tunnels it brings up.
# NOTE(review): routing for tunnel traffic is then presumably handled
# elsewhere (e.g. a start-scripts entry or the host's routing setup) - confirm.
install_routes = no

# Install virtual IP addresses.
# install_virtual_ip = yes

# The name of the interface on which virtual IP addresses should be
# installed.
# Active setting: peer-assigned virtual IPs are placed on dummy0.
# NOTE(review): dummy0 presumably has to exist before charon starts - confirm.
install_virtual_ip_on = dummy0

# Check daemon, libstrongswan and plugin integrity at startup.
# NOTE(review): presumably only effective in a build with integrity checking
# support - confirm before relying on it.
# integrity_test = no

# A comma-separated list of network interfaces that should be ignored, if
# interfaces_use is specified this option has no effect.
# interfaces_ignore =

# A comma-separated list of network interfaces that should be used by
# charon. All other interfaces are ignored.
# Active setting: charon uses usb1 only. Because this key is set,
# interfaces_ignore above has no effect (see its description).
interfaces_use = usb1

# NAT keep alive interval.
# keep_alive = 20s

# Plugins to load in the IKE daemon charon.
# load =

# Determine plugins to load via each plugin's load option.
# load_modular = no

# Initiate IKEv2 reauthentication with a make-before-break scheme.
# make_before_break = no

# Maximum packet size accepted by charon.
# max_packet = 10000

# Enable multiple authentication exchanges (RFC 4739).
# multiple_authentication = yes

# WINS servers assigned to peer via configuration payload (CP).
# nbns1 =

# WINS servers assigned to peer via configuration payload (CP).
# nbns2 =

# UDP port used locally. If set to 0 a random port will be allocated.
# port = 500

# UDP port used locally in case of NAT-T. If set to 0 a random port will be
# allocated. Has to be different from charon.port, otherwise a random port
# will be allocated.
# port_nat_t = 4500

# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
# prefer_temporary_addrs = no

# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes

# Delay in ms for receiving packets, to simulate larger RTT.
# Test facility (0 = no delay); the receive_delay_* keys below presumably only
# matter when a delay is set.
# receive_delay = 0

# Delay request messages.
# receive_delay_request = yes

# Delay response messages.
# receive_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# receive_delay_type = 0

# Size of the AH/ESP replay window, in packets.
# replay_window = 32

# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
# in strongswan.conf(5).
# retransmit_base = 1.8

# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0

# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5

# Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
# resolution failed), 0 to disable retries.
# retry_initiate_interval = 0

# Initiate CHILD_SA within existing IKE_SAs.
# reuse_ikesa = yes

# Numerical routing table to install routes to.
# routing_table = 0

# Priority of the routing table.
# routing_table_prio =

# Delay in ms for sending packets, to simulate larger RTT.
# Test facility (0 = no delay); the send_delay_* keys below presumably only
# matter when a delay is set.
# send_delay = 0

# Delay request messages.
# send_delay_request = yes

# Delay response messages.
# send_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# send_delay_type = 0

# Send strongSwan vendor ID payload
# Presumably left at no so the implementation is not announced to peers;
# confirm before enabling.
# send_vendor_id = no

# Whether to enable Signature Authentication as per RFC 7427.
# signature_authentication = yes

# Whether to enable constraints against IKEv2 signature schemes.
# Security: keep yes so configured signature-scheme constraints are enforced.
# signature_authentication_constraints = yes

# Number of worker threads in charon.
# threads = 16

# Name of the user the daemon changes to after startup.
# NOTE(review): user and group are both empty here, so as worded no identity
# switch happens after startup - the daemon presumably keeps the privileges it
# was started with; confirm whether privilege dropping is expected.
# user =

# Crypto self-test and benchmarking knobs; all off unless uncommented.
crypto_test {

# Benchmark crypto algorithms and order them by efficiency.
# bench = no

# Buffer size used for crypto benchmark.
# bench_size = 1024

# Number of iterations to test each algorithm.
# bench_time = 50

# Test crypto algorithms during registration (requires test vectors
# provided by the test-vectors plugin).
# on_add = no

# Test crypto algorithms on each crypto primitive instantiation.
# on_create = no

# Strictly require at least one test vector to enable an algorithm.
# required = no

# Whether to test RNG with TRUE quality; requires a lot of entropy.
# rng_true = no

}

# Thread pool for asynchronous host name resolution.
host_resolver {

# Maximum number of concurrent resolver threads (they are terminated if
# unused).
# max_threads = 3

# Minimum number of resolver threads to keep around.
# min_threads = 0

}

# Memory-leak reporting; a debugging aid, not needed in normal operation.
leak_detective {

# Includes source file names and line numbers in leak detective output.
# detailed = yes

# Threshold in bytes for leaks to be reported (0 to report all).
# usage_threshold = 10240

# Threshold in number of allocations for leaks to be reported (0 to
# report all).
# usage_threshold_count = 0

}

processor {

# Section to configure the number of reserved threads per priority class
# see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
priority_threads {

}

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is started.
# NOTE(review): scripts listed here presumably run with the daemon's own
# privileges (see user/group above), so keep this section and the script
# paths under the same access control as this file.
start-scripts {

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is terminated.
stop-scripts {

}

# Algorithm selection for the TLS-based EAP methods.
# NOTE(review): empty lists presumably fall back to the TLS plugin's built-in
# selection - confirm, and restrict explicitly if policy requires specific
# suites.
tls {

# List of TLS encryption ciphers.
# cipher =

# List of TLS key exchange methods.
# key_exchange =

# List of TLS MAC algorithms.
# mac =

# List of TLS cipher suites.
# suites =

}

x509 {

# Discard certificates with unsupported or unknown critical extensions.
# Security: keep yes - a critical extension the code cannot evaluate means
# the certificate cannot be validated as its issuer intended.
# enforce_critical = yes

}

}