strongswan.conf Reference » History » Version 48
Martin Willi, 12.01.2010 10:30
| 1 | 29 | Andreas Steffen | h1. strongswan.conf |
|---|---|---|---|
| 2 | 1 | Martin Willi | |
| 3 | 1 | Martin Willi | h2. Overview |
| 4 | 1 | Martin Willi | |
| 5 | 30 | Martin Willi | While the [[IpsecConf|ipsec.conf]] configuration file is well suited to define |
| 6 | 30 | Martin Willi | IPsec related configuration parameters, it is not useful for other strongSwan |
| 7 | 30 | Martin Willi | applications to read options from this file. The file is hard to parse and |
| 8 | 30 | Martin Willi | only starter is capable of doing so. |
| 9 | 1 | Martin Willi | |
| 10 | 30 | Martin Willi | As the number of components of the strongSwan project is growing, we need a |
| 11 | 30 | Martin Willi | more flexible configuration file, easy to extend and useable by all components. |
| 12 | 30 | Martin Willi | The configuration format uses hierarchal sections and a list of key/value |
| 13 | 30 | Martin Willi | pairs in each section. |
| 14 | 1 | Martin Willi | |
| 15 | 30 | Martin Willi | Since 4.2.1, a default strongswan.conf gets installed in your |
| 16 | 30 | Martin Willi | sysconfdir, e.g. _/etc/strongswan.conf_. |
| 17 | 1 | Martin Willi | |
| 18 | 1 | Martin Willi | h2. Syntax |
| 19 | 1 | Martin Willi | |
| 20 | 30 | Martin Willi | Each section has a name, followed by C-Style curly brackets defining the |
| 21 | 30 | Martin Willi | sections body. Each section body contains a set of subsections and key/value |
| 22 | 30 | Martin Willi | pairs: |
| 23 | 29 | Andreas Steffen | |
| 24 | 29 | Andreas Steffen | <pre> |
| 25 | 29 | Andreas Steffen | settings := (section|keyvalue)* |
| 26 | 1 | Martin Willi | section := name { settings } |
| 27 | 29 | Andreas Steffen | keyvalue := key = value\n |
| 28 | 1 | Martin Willi | </pre> |
| 29 | 30 | Martin Willi | Values must be terminated by a newline. Comments are possible using the |
| 30 | 30 | Martin Willi | #-character, but be careful: The parser implementation is currently limited |
| 31 | 30 | Martin Willi | and does not like brackets in comments. Section names and keys may contain |
| 32 | 30 | Martin Willi | any printable character except: |
| 33 | 29 | Andreas Steffen | <pre> |
| 34 | 1 | Martin Willi | . { } # \n \t space |
| 35 | 29 | Andreas Steffen | </pre> |
| 36 | 1 | Martin Willi | An example might look like this: |
| 37 | 29 | Andreas Steffen | <pre> |
| 38 | 1 | Martin Willi | a = b |
| 39 | 1 | Martin Willi | section-one { |
| 40 | 1 | Martin Willi | somevalue = asdf |
| 41 | 1 | Martin Willi | subsection { |
| 42 | 1 | Martin Willi | othervalue = xxx |
| 43 | 1 | Martin Willi | } |
| 44 | 1 | Martin Willi | # yei, a comment |
| 45 | 1 | Martin Willi | yetanother = zz |
| 46 | 1 | Martin Willi | } |
| 47 | 1 | Martin Willi | section-two { |
| 48 | 1 | Martin Willi | x = 12 |
| 49 | 1 | Martin Willi | } |
| 50 | 1 | Martin Willi | </pre> |
| 51 | 30 | Martin Willi | |
| 52 | 1 | Martin Willi | Indentation is optional, you may use tabs or spaces. |
| 53 | 1 | Martin Willi | |
| 54 | 1 | Martin Willi | |
| 55 | 29 | Andreas Steffen | h2. Reading values |
| 56 | 1 | Martin Willi | |
| 57 | 30 | Martin Willi | The config file is read by libstrongswan during library initialization. Values |
| 58 | 30 | Martin Willi | are accessed using a dot-separated section list and a key: |
| 59 | 30 | Martin Willi | Accessing *section-one.subsection.othervalue* will return *xxx*. |
| 60 | 29 | Andreas Steffen | |
| 61 | 30 | Martin Willi | Have a look at the [source:trunk/src/libstrongswan/settings.h settings interface] |
| 62 | 30 | Martin Willi | how to query values. |
| 63 | 27 | Andreas Steffen | |
| 64 | 29 | Andreas Steffen | h2. Defined keys |
| 65 | 1 | Martin Willi | |
| 66 | 1 | Martin Willi | The following keys are currently defined (using dot notation). |
| 67 | 1 | Martin Willi | |
| 68 | 30 | Martin Willi | |Key |Default |Description| |
| 69 | 40 | Tobias Brunner | |\3. *charon section* | |
| 70 | 44 | Andreas Steffen | |charon.block_threshold |5 |Maximum number of half-open IKE_SAs for a single peer IP| |
| 71 | 30 | Martin Willi | |charon.close_ike_on_child_failure |no |Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed| |
| 72 | 44 | Andreas Steffen | |charon.cookie_threshold |10 |Number of half-open IKE_SAs that activate the cookie mechanism| |
| 73 | 30 | Martin Willi | |charon.dns1 | |DNS server 1 assigned to peer via configuration payload (CP)| |
| 74 | 30 | Martin Willi | |charon.dns2 | |DNS server 2 assigned to peer via configuration payload (CP)| |
| 75 | 30 | Martin Willi | |charon.dos_protection |yes |Enable Denial of Service protection using cookies and aggressiveness checks| |
| 76 | 30 | Martin Willi | |charon.hash_and_url |no |Enable hash and URL support| |
| 77 | 30 | Martin Willi | |charon.install_routes |yes |Install routes into a separate routing table for established IPsec tunnels| |
| 78 | 30 | Martin Willi | |charon.keep_alive |20s |NAT keep alive interval| |
| 79 | 30 | Martin Willi | |charon.load | |Plugins to load in charon| |
| 80 | 30 | Martin Willi | |charon.multiple_authentication |yes |Enable multiple authentication exchanges (RFC 4739)| |
| 81 | 30 | Martin Willi | |charon.process_route |yes |Process RTM_NEWROUTE and RTM_DELROUTE events| |
| 82 | 30 | Martin Willi | |charon.reuse_ikesa |yes |Initiate CHILD_SA within existing IKE_SAs| |
| 83 | 30 | Martin Willi | |charon.routing_table | |Numerical routing table to install routes to| |
| 84 | 30 | Martin Willi | |charon.routing_table_prio | |Priority of the routing table| |
| 85 | 46 | Andreas Steffen | |charon.send_vendor_id |no |Send strongSwan vendor ID payload| |
| 86 | 30 | Martin Willi | |charon.threads |16 |Number of worker threads in charon| |
| 87 | 30 | Martin Willi | |charon.ikesa_table_size |1 |Size of the IKE_SA hash table| |
| 88 | 30 | Martin Willi | |charon.ikesa_table_segments |1 |Number of exclusively locked segments in the hash table| |
| 89 | 30 | Martin Willi | |charon.nbns1 | |WINS server 1 assigned to peer via configuration payload (CP)| |
| 90 | 30 | Martin Willi | |charon.nbns2 | |WINS server 2 assigned to peer via configuration payload (CP)| |
| 91 | 47 | Martin Willi | |charon.retransmit_tries |5 |Number of times to retransmit a packet before giving up| |
| 92 | 47 | Martin Willi | |charon.retransmit_timeout |4.0 |Timeout in seconds before sending first retransmit| |
| 93 | 47 | Martin Willi | |charon.retransmit_base |1.8 |Base to use for calculating exponential back off, see [[Retransmission]]| |
| 94 | 48 | Martin Willi | |charon.inactivity_timeout |0 |Timeout before closing inactive CHILD_SAs| |
| 95 | 48 | Martin Willi | |charon.inactivity_close_ike |no |Whether to close IKE_SA if the only CHILD_SA was inactive| |
| 96 | 30 | Martin Willi | |charon.plugins.sql.database | |Database URI for charons [[SQL]] plugin| |
| 97 | 1 | Martin Willi | |charon.plugins.sql.loglevel |-1 |Loglevel for logging to [[SQL]] database| |
| 98 | 41 | Martin Willi | |charon.plugins.load-tester.enable |no |Enable the load testing plugin. Read [[LoadTests]] first!| |
| 99 | 41 | Martin Willi | |charon.plugins.load-tester.initiators |0 |Number of concurrent initiator threads to use in load test| |
| 100 | 41 | Martin Willi | |charon.plugins.load-tester.iterations |1 |Number of IKE_SAs to initate to self by each initiator in load test| |
| 101 | 41 | Martin Willi | |charon.plugins.load-tester.delay |0 |Delay between initiatons for each thread| |
| 102 | 41 | Martin Willi | |charon.plugins.load-tester.proposal |aes128-sha1-modp1024|IKE proposal to use in load test| |
| 103 | 42 | Martin Willi | |charon.plugins.load-tester.initiator_auth |pubkey |Authentication method(s) the intiator uses| |
| 104 | 42 | Martin Willi | |charon.plugins.load-tester.responder_auth |pubkey |Authentication method(s) the responder uses| |
| 105 | 41 | Martin Willi | |charon.plugins.load-tester.fake_kernel |no |Fake the kernel interface to allow load-testing against self| |
| 106 | 41 | Martin Willi | |charon.plugins.load-tester.delete_after_established|no |Delete an IKE_SA as soon as it has been established| |
| 107 | 41 | Martin Willi | |charon.plugins.load-tester.request_virtual_ip |no |Request an INTERNAL_IPV4_ADDR from the server| |
| 108 | 41 | Martin Willi | |charon.plugins.load-tester.pool |NULL |Provide INTERNAL_IPV4_ADDRs from a named pool| |
| 109 | 41 | Martin Willi | |charon.plugins.load-tester.remote |127.0.0.1 |Address to initiation connections to| |
| 110 | 41 | Martin Willi | |charon.plugins.load-tester.ike_rekey |0 |Seconds to start IKE_SA rekeying after setup| |
| 111 | 41 | Martin Willi | |charon.plugins.load-tester.child_rekey |600 |Seconds to start CHILD_SA rekeying after setup| |
| 112 | 41 | Martin Willi | |charon.plugins.eap-radius.secret | |Shared secret between RADIUS and NAS| |
| 113 | 41 | Martin Willi | |charon.plugins.eap-radius.server | |IP/Hostname of RADIUS server| |
| 114 | 41 | Martin Willi | |charon.plugins.eap-radius.port |1812 |Port of RADIUS server (authentication)| |
| 115 | 41 | Martin Willi | |charon.plugins.eap-radius.sockets |5 |Number of sockets (ports) to use, increase for high load| |
| 116 | 41 | Martin Willi | |charon.plugins.eap-radius.nas_identifier |strongSwan|NAS-Identifier to include in RADIUS messages| |
| 117 | 41 | Martin Willi | |charon.plugins.eap-radius.eap_start |no |Send EAP-Start instead of EAP-Identity to start RADIUS conversation| |
| 118 | 41 | Martin Willi | |charon.plugins.eap-radius.id_prefix | |Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the EAP method| |
| 119 | 39 | Martin Willi | |Flexible logger configuration | |see [[LoggerConfiguration]]| |
| 120 | 39 | Martin Willi | |\3. *libstrongswan section* | |
| 121 | 1 | Martin Willi | |libstrongswan.dh_exponent_ansi_x9_42 |yes |Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical strength| |
| 122 | 40 | Tobias Brunner | |libstrongswan.crypto_test.on_add |no |Test crypto algorithms during registration| |
| 123 | 32 | Andreas Steffen | |libstrongswan.crypto_test.on_create |no |Test crypto algorithms on each crypto primitive instantiation| |
| 124 | 36 | Martin Willi | |libstrongswan.crypto_test.required |no |Strictly require at least one test vector to enable an algorithm| |
| 125 | 36 | Martin Willi | |libstrongswan.crypto_test.rng_true |no |Whether to test RNG with TRUE quality; requires a lot of entropy| |
| 126 | 36 | Martin Willi | |libstrongswan.ecp_x_coordinate_only |yes |Compliance with the errata for RFC 4753 | |
| 127 | 36 | Martin Willi | |libstrongswan.integrity_test |no |Check daemon, libstrongswan and plugin integrity at startup| |
| 128 | 38 | Andreas Steffen | |libstrongswan.plugins.gcrypt.quick_random |no |Use faster random numbers in gcrypt; for testing only, produces weak keys!| |
| 129 | 41 | Martin Willi | |libstrongswan.plugins.attr-sql.database | |Database URI for attr-sql plugin used by charon and pluto | |
| 130 | 41 | Martin Willi | |libstrongswan.plugins.attr-sql.lease_history |yes |Enable logging of [[SQL]] IP pool leases| |
| 131 | 45 | Andreas Steffen | |libstrongswan.plugins.x509.enforce_critical |no |Discard certificates with unsupported or unknown critical extensions| |
| 132 | 40 | Tobias Brunner | |\3. *manager section* | |
| 133 | 30 | Martin Willi | |manager.database | |Credential database URI for manager| |
| 134 | 30 | Martin Willi | |manager.debug |no |Enable debugging in manager| |
| 135 | 30 | Martin Willi | |manager.load | |Plugins to load in manager| |
| 136 | 30 | Martin Willi | |manager.socket | |FastCGI socket of manager, to run it statically| |
| 137 | 30 | Martin Willi | |manager.threads |10 |Threads to use for request handling| |
| 138 | 30 | Martin Willi | |manager.timeout |15m |Session timeout for manager| |
| 139 | 40 | Tobias Brunner | |\3. *mediation client section* | |
| 140 | 30 | Martin Willi | |medcli.database | |Mediation client database URI| |
| 141 | 30 | Martin Willi | |medcli.dpd |5m |DPD timeout to use in mediation client plugin| |
| 142 | 30 | Martin Willi | |medcli.rekey |20m |Rekeying time on mediation connections in mediation client plugin| |
| 143 | 40 | Tobias Brunner | |\3. *mediation server section* | |
| 144 | 30 | Martin Willi | |medsrv.database | |Mediation server database URI| |
| 145 | 30 | Martin Willi | |medsrv.debug |no |Debugging in mediation server web application| |
| 146 | 30 | Martin Willi | |medsrv.dpd |5m |DPD timeout to use in mediation server plugin| |
| 147 | 30 | Martin Willi | |medsrv.load | |Plugins to load in mediation server plugin| |
| 148 | 30 | Martin Willi | |medsrv.password_length |6 |Minimum password length required for mediation server user accounts| |
| 149 | 30 | Martin Willi | |medsrv.rekey |20m |Rekeying time on mediation connections in mediation server plugin| |
| 150 | 30 | Martin Willi | |medsrv.socket | |Run Mediation server web application statically on socket| |
| 151 | 30 | Martin Willi | |medsrv.threads |5 |Number of thread for mediation service web application| |
| 152 | 30 | Martin Willi | |medsrv.timeout |15m |Session timeout for mediation service| |
| 153 | 40 | Tobias Brunner | |\3. *openac section* | |
| 154 | 30 | Martin Willi | |openac.load | |Plugins to load in ipsec openac tool| |
| 155 | 40 | Tobias Brunner | |\3. *pluto section* | |
| 156 | 30 | Martin Willi | |pluto.dns1 | |DNS server 1 assigned to peer via configuration payload (CP)| |
| 157 | 30 | Martin Willi | |pluto.dns2 | |DNS server 2 assigned to peer via configuration payload (CP)| |
| 158 | 30 | Martin Willi | |pluto.load | |Plugins to load in ipsec pluto daemon| |
| 159 | 30 | Martin Willi | |pluto.nbns1 | |WINS server 1 assigned to peer via configuration payload (CP)| |
| 160 | 30 | Martin Willi | |pluto.nbns2 | |WINS server 2 assigned to peer via configu+ration payload (CP)| |
| 161 | 40 | Tobias Brunner | |\3. *pool section* | |
| 162 | 30 | Martin Willi | |pool.load | |Plugins to load in ipsec pool tool| |
| 163 | 40 | Tobias Brunner | |\3. *scepclient section* | |
| 164 | 30 | Martin Willi | |scepclient.load | |Plugins to load in ipsec scepclient tool| |