# charon.conf — options for the charon IKE daemon (strongSwan).
#
# Format: strongswan.conf(5) syntax — nested `section { key = value }`
# blocks with `#` full-line comments (not a flat INI file). Every key below
# is commented out, so this file as pasted changes nothing: each
# `# key = value` line records the built-in default and is the line to
# uncomment when a setting needs to differ from it.
#
# NOTE(review): presumably pulled in by strongswan.conf through an include of
# strongswan.d/*.conf — confirm against the installed strongswan.conf before
# relying on edits here taking effect.

# Options for the charon IKE daemon.
charon {

# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
# Keep at the default `no`; only enable for one specific legacy IKEv1 peer
# that cannot be fixed, and document which peer needs it.
# accept_unencrypted_mainmode_messages = no

# Maximum number of half-open IKE_SAs for a single peer IP.
# Part of the half-open/DoS defence together with cookie_threshold,
# dos_protection and init_limit_half_open below (IKE_SA_INIT DROPPING in
# strongswan.conf(5)).
# block_threshold = 5

# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
# should be saved under a unique file name derived from the public key of
# the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
# /etc/swanctl/x509crl (vici), respectively.
# cache_crls = no

# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes

# Send Cisco Unity vendor ID payload (IKEv1 only).
# cisco_unity = no

# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no

# Number of half-open IKE_SAs that activate the cookie mechanism.
# Only meaningful while dos_protection stays enabled.
# cookie_threshold = 10

# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
# delete_rekeyed = no

# Delay in seconds until inbound IPsec SAs are deleted after rekeyings
# (IKEv2 only).
# delete_rekeyed_delay = 5

# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes

# Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
# missing symbols immediately.
# dlopen_use_rtld_now = no

# DNS server assigned to peer via configuration payload (CP).
# dns1 =

# DNS server assigned to peer via configuration payload (CP).
# dns2 =

# Enable Denial of Service protection using cookies and aggressiveness
# checks.
# Leave enabled on any responder reachable from untrusted networks; the
# *_threshold and init_limit_* knobs tune it rather than replace it.
# dos_protection = yes

# Compliance with the errata for RFC 4753.
# ecp_x_coordinate_only = yes

# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no

# Whether to follow IKEv2 redirects (RFC 5685).
# follow_redirects = yes

# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
# to 1280 (use 0 for address family specific default values, which uses a
# lower value for IPv4). If specified this limit is used for both IPv4 and
# IPv6.
# fragment_size = 1280

# Name of the group the daemon changes to after startup.
# Set together with `user` below to drop root privileges after startup.
# NOTE(review): whether the daemon keeps the capabilities it needs after the
# switch depends on the build and platform — confirm before enabling.
# group =

# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
# half_open_timeout = 30

# Enable hash and URL support.
# hash_and_url = no

# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# The option name is the warning: leave at `no`. IKEv1 Aggressive Mode with
# PSK is widely documented as exposing PSK-derived material to offline
# guessing; a peer that needs it should be moved to IKEv2 or certificates.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no

# Whether to ignore the traffic selectors from the kernel's acquire events
# for IKEv2 connections (they are not used for IKEv1).
# ignore_acquire_ts = no

# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =

# Maximum number of IKE_SAs that can be established at the same time before
# new connection attempts are blocked.
# ikesa_limit = 0

# Number of exclusively locked segments in the hash table.
# ikesa_table_segments = 1

# Size of the IKE_SA hash table.
# ikesa_table_size = 1

# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
# inactivity_close_ike = no

# Limit new connections based on the current number of half open IKE_SAs,
# see IKE_SA_INIT DROPPING in strongswan.conf(5).
# init_limit_half_open = 0

# Limit new connections based on the number of queued jobs.
# init_limit_job_load = 0

# Causes charon daemon to ignore IKE initiation requests.
# initiator_only = no

# Install routes into a separate routing table for established IPsec
# tunnels.
# install_routes = yes

# Install virtual IP addresses.
# install_virtual_ip = yes

# The name of the interface on which virtual IP addresses should be
# installed.
# install_virtual_ip_on =

# Check daemon, libstrongswan and plugin integrity at startup.
# NOTE(review): only effective when strongSwan was built with integrity
# checking; on other builds this is presumably a no-op — confirm.
# integrity_test = no

# A comma-separated list of network interfaces that should be ignored, if
# interfaces_use is specified this option has no effect.
# interfaces_ignore =

# A comma-separated list of network interfaces that should be used by
# charon. All other interfaces are ignored.
# interfaces_use =

# NAT keep alive interval.
# Value carries a time-unit suffix (20s as shown); this parser, unlike
# plain INI readers, understands such suffixes.
# keep_alive = 20s

# Plugins to load in the IKE daemon charon.
# load =

# Determine plugins to load via each plugin's load option.
# load_modular = no

# Initiate IKEv2 reauthentication with a make-before-break scheme.
# make_before_break = no

# Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
# and track concurrently.
# max_ikev1_exchanges = 3

# Maximum packet size accepted by charon.
# max_packet = 10000

# Enable multiple authentication exchanges (RFC 4739).
# multiple_authentication = yes

# WINS servers assigned to peer via configuration payload (CP).
# nbns1 =

# WINS servers assigned to peer via configuration payload (CP).
# nbns2 =

# UDP port used locally. If set to 0 a random port will be allocated.
# port = 500

# UDP port used locally in case of NAT-T. If set to 0 a random port will be
# allocated. Has to be different from charon.port, otherwise a random port
# will be allocated.
# port_nat_t = 4500

# Whether to prefer updating SAs to the path with the best route.
# prefer_best_path = no

# Prefer locally configured proposals for IKE/IPsec over supplied ones as
# responder (disabling this can avoid keying retries due to
# INVALID_KE_PAYLOAD notifies).
# Keeping `yes` means the local proposal order, not the peer's, decides which
# algorithms are selected when both sides offer several.
# prefer_configured_proposals = yes

# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
# prefer_temporary_addrs = no

# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes

# Delay in ms for receiving packets, to simulate larger RTT.
# Test/simulation knob; the receive_delay_* and send_delay_* settings should
# stay at their defaults outside a lab.
# receive_delay = 0

# Delay request messages.
# receive_delay_request = yes

# Delay response messages.
# receive_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# receive_delay_type = 0

# Size of the AH/ESP replay window, in packets.
# NOTE(review): 0 is commonly understood to disable replay protection —
# confirm in strongswan.conf(5) before lowering this below the default.
# replay_window = 32

# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
# in strongswan.conf(5).
# retransmit_base = 1.8

# Maximum jitter in percent to apply randomly to calculated retransmission
# timeout (0 to disable).
# retransmit_jitter = 0

# Upper limit in seconds for calculated retransmission timeout (0 to
# disable).
# retransmit_limit = 0

# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0

# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5

# Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
# DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0

# Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes

# Numerical routing table to install routes to.
# routing_table =

# Priority of the routing table.
# routing_table_prio =

# Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
# Changing this affects which signature scheme is used with RSA keys; both
# peers must support the chosen scheme.
# rsa_pss = no

# Delay in ms for sending packets, to simulate larger RTT.
# send_delay = 0

# Delay request messages.
# send_delay_request = yes

# Delay response messages.
# send_delay_response = yes

# Specific IKEv2 message type to delay, 0 for any.
# send_delay_type = 0

# Send strongSwan vendor ID payload.
# send_vendor_id = no

# Whether to enable Signature Authentication as per RFC 7427.
# signature_authentication = yes

# Whether to enable constraints against IKEv2 signature schemes.
# signature_authentication_constraints = yes

# The upper limit for SPIs requested from the kernel for IPsec SAs.
# spi_max = 0xcfffffff

# The lower limit for SPIs requested from the kernel for IPsec SAs.
# spi_min = 0xc0000000

# Number of worker threads in charon.
# threads = 16

# Name of the user the daemon changes to after startup.
# See `group` above; set both to run unprivileged after startup.
# user =

# Self-test of crypto algorithms at registration/instantiation time; all
# off by default.
crypto_test {

# Benchmark crypto algorithms and order them by efficiency.
# bench = no

# Buffer size used for crypto benchmark.
# bench_size = 1024

# Number of iterations to test each algorithm.
# bench_time = 50

# Test crypto algorithms during registration (requires test vectors
# provided by the test-vectors plugin).
# on_add = no

# Test crypto algorithms on each crypto primitive instantiation.
# on_create = no

# Strictly require at least one test vector to enable an algorithm.
# required = no

# Whether to test RNG with TRUE quality; requires a lot of entropy.
# rng_true = no

}

# Thread pool used for host name resolution.
host_resolver {

# Maximum number of concurrent resolver threads (they are terminated if
# unused).
# max_threads = 3

# Minimum number of resolver threads to keep around.
# min_threads = 0

}

# Memory leak reporting.
# NOTE(review): presumably only active in builds with leak detective
# compiled in — confirm.
leak_detective {

# Includes source file names and line numbers in leak detective output.
# detailed = yes

# Threshold in bytes for leaks to be reported (0 to report all).
# usage_threshold = 10240

# Threshold in number of allocations for leaks to be reported (0 to
# report all).
# usage_threshold_count = 0

}

# Job processor / thread pool tuning.
processor {

# Section to configure the number of reserved threads per priority class
# see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
priority_threads {

}

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is started.
# Anything listed here runs with the daemon's privileges: keep the scripts
# and their directory root-owned and not writable by other users.
start-scripts {

}

# Section containing a list of scripts (name = path) that are executed when
# the daemon is terminated.
# Same ownership/permission care as start-scripts.
stop-scripts {

}

# TLS algorithm selection; empty values mean the built-in defaults.
# NOTE(review): used by the TLS-based plugins (e.g. EAP-TLS) — confirm which
# ones on this installation.
tls {

# List of TLS encryption ciphers.
# cipher =

# List of TLS key exchange methods.
# key_exchange =

# List of TLS MAC algorithms.
# mac =

# List of TLS cipher suites.
# suites =

}

# X.509 certificate handling.
x509 {

# Discard certificates with unsupported or unknown critical extensions.
# Keep `yes`: an unknown critical extension means the certificate cannot be
# evaluated as its issuer intended, so rejecting it is the safe outcome.
# enforce_critical = yes

}

}