jonaskoperdraat

charon.conf

Oct 16th, 2018
36
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Options for the charon IKE daemon.
  2. charon {
  3.  
  4. # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
  5. # accept_unencrypted_mainmode_messages = no
  6.  
  7. # Maximum number of half-open IKE_SAs for a single peer IP.
  8. # block_threshold = 5
  9.  
  10. # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
  11. # should be saved under a unique file name derived from the public key of
  12. # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
  13. # /etc/swanctl/x509crl (vici), respectively.
  14. # cache_crls = no
  15.  
  16. # Whether relations in validated certificate chains should be cached in
  17. # memory.
  18. # cert_cache = yes
  19.  
  20. # Send Cisco Unity vendor ID payload (IKEv1 only).
  21. # cisco_unity = no
  22.  
  23. # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
  24. # close_ike_on_child_failure = no
  25.  
  26. # Number of half-open IKE_SAs that activate the cookie mechanism.
  27. # cookie_threshold = 10
  28.  
  29. # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
  30. # delete_rekeyed = no
  31.  
  32. # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
  33. # (IKEv2 only).
  34. # delete_rekeyed_delay = 5
  35.  
  36. # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
  37. # strength.
  38. # dh_exponent_ansi_x9_42 = yes
  39.  
  40. # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
  41. # missing symbols immediately.
  42. # dlopen_use_rtld_now = no
  43.  
  44. # DNS server assigned to peer via configuration payload (CP).
  45. # dns1 =
  46.  
  47. # DNS server assigned to peer via configuration payload (CP).
  48. # dns2 =
  49.  
  50. # Enable Denial of Service protection using cookies and aggressiveness
  51. # checks.
  52. # dos_protection = yes
  53.  
  54. # Compliance with the errata for RFC 4753.
  55. # ecp_x_coordinate_only = yes
  56.  
  57. # Free objects during authentication (might conflict with plugins).
  58. # flush_auth_cfg = no
  59.  
  60. # Whether to follow IKEv2 redirects (RFC 5685).
  61. # follow_redirects = yes
  62.  
  63. # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
  64. # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
  65. # to 1280 (use 0 for address family specific default values, which uses a
  66. # lower value for IPv4). If specified this limit is used for both IPv4 and
  67. # IPv6.
  68. # fragment_size = 1280
  69.  
  70. # Name of the group the daemon changes to after startup.
  71. # group =
  72.  
  73. # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
  74. # half_open_timeout = 30
  75.  
  76. # Enable hash and URL support.
  77. # hash_and_url = no
  78.  
  79. # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
  80. # i_dont_care_about_security_and_use_aggressive_mode_psk = no
  81.  
  82. # Whether to ignore the traffic selectors from the kernel's acquire events
  83. # for IKEv2 connections (they are not used for IKEv1).
  84. # ignore_acquire_ts = no
  85.  
  86. # A space-separated list of routing tables to be excluded from route
  87. # lookups.
  88. # ignore_routing_tables =
  89.  
  90. # Maximum number of IKE_SAs that can be established at the same time before
  91. # new connection attempts are blocked.
  92. # ikesa_limit = 0
  93.  
  94. # Number of exclusively locked segments in the hash table.
  95. # ikesa_table_segments = 1
  96.  
  97. # Size of the IKE_SA hash table.
  98. # ikesa_table_size = 1
  99.  
  100. # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
  101. # inactivity_close_ike = no
  102.  
  103. # Limit new connections based on the current number of half open IKE_SAs,
  104. # see IKE_SA_INIT DROPPING in strongswan.conf(5).
  105. # init_limit_half_open = 0
  106.  
  107. # Limit new connections based on the number of queued jobs.
  108. # init_limit_job_load = 0
  109.  
  110. # Causes charon daemon to ignore IKE initiation requests.
  111. # initiator_only = no
  112.  
  113. # Install routes into a separate routing table for established IPsec
  114. # tunnels.
  115. # install_routes = yes
  116.  
  117. # Install virtual IP addresses.
  118. # install_virtual_ip = yes
  119.  
  120. # The name of the interface on which virtual IP addresses should be
  121. # installed.
  122. # install_virtual_ip_on =
  123.  
  124. # Check daemon, libstrongswan and plugin integrity at startup.
  125. # integrity_test = no
  126.  
  127. # A comma-separated list of network interfaces that should be ignored, if
  128. # interfaces_use is specified this option has no effect.
  129. # interfaces_ignore =
  130.  
  131. # A comma-separated list of network interfaces that should be used by
  132. # charon. All other interfaces are ignored.
  133. # interfaces_use =
  134.  
  135. # NAT keep alive interval.
  136. # keep_alive = 20s
  137.  
  138. # Plugins to load in the IKE daemon charon.
  139. # load =
  140.  
  141. # Determine plugins to load via each plugin's load option.
  142. # load_modular = no
  143.  
  144. # Initiate IKEv2 reauthentication with a make-before-break scheme.
  145. # make_before_break = no
  146.  
  147. # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
  148. # and track concurrently.
  149. # max_ikev1_exchanges = 3
  150.  
  151. # Maximum packet size accepted by charon.
  152. # max_packet = 10000
  153.  
  154. # Enable multiple authentication exchanges (RFC 4739).
  155. # multiple_authentication = yes
  156.  
  157. # WINS servers assigned to peer via configuration payload (CP).
  158. # nbns1 =
  159.  
  160. # WINS servers assigned to peer via configuration payload (CP).
  161. # nbns2 =
  162.  
  163. # UDP port used locally. If set to 0 a random port will be allocated.
  164. # port = 500
  165.  
  166. # UDP port used locally in case of NAT-T. If set to 0 a random port will be
  167. # allocated. Has to be different from charon.port, otherwise a random port
  168. # will be allocated.
  169. # port_nat_t = 4500
  170.  
  171. # Whether to prefer updating SAs to the path with the best route.
  172. # prefer_best_path = no
  173.  
  174. # Prefer locally configured proposals for IKE/IPsec over supplied ones as
  175. # responder (disabling this can avoid keying retries due to
  176. # INVALID_KE_PAYLOAD notifies).
  177. # prefer_configured_proposals = yes
  178.  
  179. # By default public IPv6 addresses are preferred over temporary ones (RFC
  180. # 4941), to make connections more stable. Enable this option to reverse
  181. # this.
  182. # prefer_temporary_addrs = no
  183.  
  184. # Process RTM_NEWROUTE and RTM_DELROUTE events.
  185. # process_route = yes
  186.  
  187. # Delay in ms for receiving packets, to simulate larger RTT.
  188. # receive_delay = 0
  189.  
  190. # Delay request messages.
  191. # receive_delay_request = yes
  192.  
  193. # Delay response messages.
  194. # receive_delay_response = yes
  195.  
  196. # Specific IKEv2 message type to delay, 0 for any.
  197. # receive_delay_type = 0
  198.  
  199. # Size of the AH/ESP replay window, in packets.
  200. # replay_window = 32
  201.  
  202. # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
  203. # in strongswan.conf(5).
  204. # retransmit_base = 1.8
  205.  
  206. # Maximum jitter in percent to apply randomly to calculated retransmission
  207. # timeout (0 to disable).
  208. # retransmit_jitter = 0
  209.  
  210. # Upper limit in seconds for calculated retransmission timeout (0 to
  211. # disable).
  212. # retransmit_limit = 0
  213.  
  214. # Timeout in seconds before sending first retransmit.
  215. # retransmit_timeout = 4.0
  216.  
  217. # Number of times to retransmit a packet before giving up.
  218. # retransmit_tries = 5
  219.  
  220. # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
  221. # DNS resolution failed), 0 to disable retries.
  222. # retry_initiate_interval = 0
  223.  
  224. # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
  225. # reuse_ikesa = yes
  226.  
  227. # Numerical routing table to install routes to.
  228. # routing_table =
  229.  
  230. # Priority of the routing table.
  231. # routing_table_prio =
  232.  
  233. # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
  234. # rsa_pss = no
  235.  
  236. # Delay in ms for sending packets, to simulate larger RTT.
  237. # send_delay = 0
  238.  
  239. # Delay request messages.
  240. # send_delay_request = yes
  241.  
  242. # Delay response messages.
  243. # send_delay_response = yes
  244.  
  245. # Specific IKEv2 message type to delay, 0 for any.
  246. # send_delay_type = 0
  247.  
  248. # Send strongSwan vendor ID payload
  249. # send_vendor_id = no
  250.  
  251. # Whether to enable Signature Authentication as per RFC 7427.
  252. # signature_authentication = yes
  253.  
  254. # Whether to enable constraints against IKEv2 signature schemes.
  255. # signature_authentication_constraints = yes
  256.  
  257. # The upper limit for SPIs requested from the kernel for IPsec SAs.
  258. # spi_max = 0xcfffffff
  259.  
  260. # The lower limit for SPIs requested from the kernel for IPsec SAs.
  261. # spi_min = 0xc0000000
  262.  
  263. # Number of worker threads in charon.
  264. # threads = 16
  265.  
  266. # Name of the user the daemon changes to after startup.
  267. # user =
  268.  
  269. crypto_test {
  270.  
  271. # Benchmark crypto algorithms and order them by efficiency.
  272. # bench = no
  273.  
  274. # Buffer size used for crypto benchmark.
  275. # bench_size = 1024
  276.  
  277. # Number of iterations to test each algorithm.
  278. # bench_time = 50
  279.  
  280. # Test crypto algorithms during registration (requires test vectors
  281. # provided by the test-vectors plugin).
  282. # on_add = no
  283.  
  284. # Test crypto algorithms on each crypto primitive instantiation.
  285. # on_create = no
  286.  
  287. # Strictly require at least one test vector to enable an algorithm.
  288. # required = no
  289.  
  290. # Whether to test RNG with TRUE quality; requires a lot of entropy.
  291. # rng_true = no
  292.  
  293. }
  294.  
  295. host_resolver {
  296.  
  297. # Maximum number of concurrent resolver threads (they are terminated if
  298. # unused).
  299. # max_threads = 3
  300.  
  301. # Minimum number of resolver threads to keep around.
  302. # min_threads = 0
  303.  
  304. }
  305.  
  306. leak_detective {
  307.  
  308. # Includes source file names and line numbers in leak detective output.
  309. # detailed = yes
  310.  
  311. # Threshold in bytes for leaks to be reported (0 to report all).
  312. # usage_threshold = 10240
  313.  
  314. # Threshold in number of allocations for leaks to be reported (0 to
  315. # report all).
  316. # usage_threshold_count = 0
  317.  
  318. }
  319.  
  320. processor {
  321.  
  322. # Section to configure the number of reserved threads per priority class
  323. # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
  324. priority_threads {
  325.  
  326. }
  327.  
  328. }
  329.  
  330. # Section containing a list of scripts (name = path) that are executed when
  331. # the daemon is started.
  332. start-scripts {
  333.  
  334. }
  335.  
  336. # Section containing a list of scripts (name = path) that are executed when
  337. # the daemon is terminated.
  338. stop-scripts {
  339.  
  340. }
  341.  
  342. tls {
  343.  
  344. # List of TLS encryption ciphers.
  345. # cipher =
  346.  
  347. # List of TLS key exchange methods.
  348. # key_exchange =
  349.  
  350. # List of TLS MAC algorithms.
  351. # mac =
  352.  
  353. # List of TLS cipher suites.
  354. # suites =
  355.  
  356. }
  357.  
  358. x509 {
  359.  
  360. # Discard certificates with unsupported or unknown critical extensions.
  361. # enforce_critical = yes
  362.  
  363. }
  364.  
  365. }
RAW Paste Data