Version 42 - History - strongswan.conf Reference - strongSwan

strongswan.conf Reference » History » Version 42

Martin Willi, 20.10.2009 16:20

-Andreas Steffen
+h1. strongswan.conf
 Martin Willi
-Martin Willi
+h2. Overview
 Martin Willi
-Martin Willi
+While the [[IpsecConf|ipsec.conf]] configuration file is well suited to define
-Martin Willi
+IPsec related configuration parameters, it is not useful for other strongSwan
-Martin Willi
+applications to read options from this file. The file is hard to parse and
-Martin Willi
+only starter is capable of doing so.
 Martin Willi
-Martin Willi
+As the number of components of the strongSwan project is growing, we need a
-Martin Willi
+more flexible configuration file, easy to extend and useable by all components.
-Martin Willi
+The configuration format uses hierarchal sections and a list of key/value
-Martin Willi
+pairs in each section.
 Martin Willi
-Martin Willi
+Since 4.2.1, a default strongswan.conf gets installed in your
-Martin Willi
+sysconfdir, e.g. _/etc/strongswan.conf_.
 Martin Willi
-Martin Willi
+h2. Syntax
 Martin Willi
-Martin Willi
+Each section has a name, followed by C-Style curly brackets defining the
-Martin Willi
+sections body. Each section body contains a set of subsections and key/value
-Martin Willi
+pairs:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+settings := (section|keyvalue)*
-Martin Willi
+section  := name { settings }
-Andreas Steffen
+keyvalue := key = value\n
-Martin Willi
+</pre>
-Martin Willi
+Values must be terminated by a newline. Comments are possible using the
-Martin Willi
+#-character, but be careful: The parser implementation is currently limited
-Martin Willi
+and does not like brackets in comments. Section names and keys may contain
-Martin Willi
+any printable character except:
-Andreas Steffen
+<pre>
-Martin Willi
+. { } # \n \t space
-Andreas Steffen
+</pre>
-Martin Willi
+An example might look like this:
-Andreas Steffen
+<pre>
-Martin Willi
+a = b
-Martin Willi
+section-one {
-Martin Willi
+  somevalue = asdf
-Martin Willi
+  subsection {
-Martin Willi
+    othervalue = xxx
 Martin Willi
-Martin Willi
+  # yei, a comment
-Martin Willi
+  yetanother = zz
 Martin Willi
-Martin Willi
+section-two {
-Martin Willi
+  x = 12
 Martin Willi
-Martin Willi
+</pre>
 Martin Willi
-Martin Willi
+Indentation is optional, you may use tabs or spaces.
 Martin Willi
 Martin Willi
-Andreas Steffen
+h2. Reading values
 Martin Willi
-Martin Willi
+The config file is read by libstrongswan during library initialization. Values
-Martin Willi
+are accessed using a dot-separated section list and a key:
-Martin Willi
+Accessing *section-one.subsection.othervalue* will return *xxx*.
 Andreas Steffen
-Martin Willi
+Have a look at the [source:trunk/src/libstrongswan/settings.h settings interface]
-Martin Willi
+how to query values.
 Andreas Steffen
-Andreas Steffen
+h2. Defined keys
 Martin Willi
-Martin Willi
+The following keys are currently defined (using dot notation).
 Martin Willi
-Martin Willi
+|Key                                                |Default   |Description|
-Tobias Brunner
+|\3. *charon section*                               |
-Martin Willi
+|charon.close_ike_on_child_failure                  |no        |Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed|
-Andreas Steffen
+|charon.dh_exponent_ansi_x9_42 (< version 4.3.2)    |yes       |Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical strength|
-Martin Willi
+|charon.dns1                                        |          |DNS server 1 assigned to peer via configuration payload (CP)|
-Martin Willi
+|charon.dns2                                        |          |DNS server 2 assigned to peer via configuration payload (CP)|
-Martin Willi
+|charon.dos_protection                              |yes       |Enable Denial of Service protection using cookies and aggressiveness checks|
-Martin Willi
+|charon.hash_and_url                                |no        |Enable hash and URL support|
-Martin Willi
+|charon.install_routes                              |yes       |Install routes into a separate routing table for established IPsec tunnels|
-Martin Willi
+|charon.keep_alive                                  |20s       |NAT keep alive interval|
-Martin Willi
+|charon.load                                        |          |Plugins to load in charon|
-Martin Willi
+|charon.multiple_authentication                     |yes       |Enable multiple authentication exchanges (RFC 4739)|
-Martin Willi
+|charon.process_route                               |yes       |Process RTM_NEWROUTE and RTM_DELROUTE events|
-Martin Willi
+|charon.reuse_ikesa                                 |yes       |Initiate CHILD_SA within existing IKE_SAs|
-Martin Willi
+|charon.routing_table                               |          |Numerical routing table to install routes to|
-Martin Willi
+|charon.routing_table_prio                          |          |Priority of the routing table|
-Martin Willi
+|charon.threads                                     |16        |Number of worker threads in charon|
-Martin Willi
+|charon.ikesa_table_size                            |1         |Size of the IKE_SA hash table|
-Martin Willi
+|charon.ikesa_table_segments                        |1         |Number of exclusively locked segments in the hash table|
-Martin Willi
+|charon.nbns1                                       |          |WINS server 1 assigned to peer via configuration payload (CP)|
-Martin Willi
+|charon.nbns2                                       |          |WINS server 2 assigned to peer via configuration payload (CP)|
-Martin Willi
+|charon.plugins.sql.database                        |          |Database URI for charons [[SQL]] plugin|
-Martin Willi
+|charon.plugins.sql.loglevel                        |-1        |Loglevel for logging to [[SQL]] database|
-Martin Willi
+|charon.plugins.load-tester.enable                  |no        |Enable the load testing plugin. Read [[LoadTests]] first!|
-Martin Willi
+|charon.plugins.load-tester.initiators              |0         |Number of concurrent initiator threads to use in load test|
-Martin Willi
+|charon.plugins.load-tester.iterations              |1         |Number of IKE_SAs to initate to self by each initiator in load test|
-Martin Willi
+|charon.plugins.load-tester.delay                   |0         |Delay between initiatons for each thread|
-Martin Willi
+|charon.plugins.load-tester.proposal                |aes128-sha1-modp1024|IKE proposal to use in load test|
-Martin Willi
+|charon.plugins.load-tester.initiator_auth          |pubkey    |Authentication method(s) the intiator uses|
-Martin Willi
+|charon.plugins.load-tester.responder_auth          |pubkey    |Authentication method(s) the responder uses|
-Martin Willi
+|charon.plugins.load-tester.fake_kernel             |no        |Fake the kernel interface to allow load-testing against self|
-Martin Willi
+|charon.plugins.load-tester.delete_after_established|no        |Delete an IKE_SA as soon as it has been established|
-Martin Willi
+|charon.plugins.load-tester.request_virtual_ip      |no        |Request an INTERNAL_IPV4_ADDR from the server|
-Martin Willi
+|charon.plugins.load-tester.pool                    |NULL      |Provide INTERNAL_IPV4_ADDRs from a named pool|
-Martin Willi
+|charon.plugins.load-tester.remote                  |127.0.0.1 |Address to initiation connections to|
-Martin Willi
+|charon.plugins.load-tester.ike_rekey               |0         |Seconds to start IKE_SA rekeying after setup|
-Martin Willi
+|charon.plugins.load-tester.child_rekey             |600       |Seconds to start CHILD_SA rekeying after setup|
-Martin Willi
+|charon.plugins.eap-radius.secret                   |          |Shared secret between RADIUS and NAS|
-Martin Willi
+|charon.plugins.eap-radius.server                   |          |IP/Hostname of RADIUS server|
-Martin Willi
+|charon.plugins.eap-radius.port                     |1812      |Port of RADIUS server (authentication)|
-Martin Willi
+|charon.plugins.eap-radius.sockets                  |5         |Number of sockets (ports) to use, increase for high load|
-Martin Willi
+|charon.plugins.eap-radius.nas_identifier           |strongSwan|NAS-Identifier to include in RADIUS messages|
-Martin Willi
+|charon.plugins.eap-radius.eap_start                |no        |Send EAP-Start instead of EAP-Identity to start RADIUS conversation|
-Martin Willi
+|charon.plugins.eap-radius.id_prefix                |          |Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the EAP method|
-Martin Willi
+|Flexible logger configuration                      |          |see [[LoggerConfiguration]]|
-Martin Willi
+|\3. *libstrongswan section*                        |
-Martin Willi
+|libstrongswan.dh_exponent_ansi_x9_42               |yes       |Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical strength|
-Tobias Brunner
+|libstrongswan.crypto_test.on_add                   |no        |Test crypto algorithms during registration|
-Andreas Steffen
+|libstrongswan.crypto_test.on_create                |no        |Test crypto algorithms on each crypto primitive instantiation|
-Martin Willi
+|libstrongswan.crypto_test.required                 |no        |Strictly require at least one test vector to enable an algorithm|
-Martin Willi
+|libstrongswan.crypto_test.rng_true                 |no        |Whether to test RNG with TRUE quality; requires a lot of entropy|
-Martin Willi
+|libstrongswan.ecp_x_coordinate_only                |yes       |Compliance with the errata for RFC 4753 |
-Martin Willi
+|libstrongswan.integrity_test                       |no        |Check daemon, libstrongswan and plugin integrity at startup|
-Andreas Steffen
+|libstrongswan.plugins.gcrypt.quick_random          |no        |Use faster random numbers in gcrypt; for testing only, produces weak keys!|
-Martin Willi
+|libstrongswan.plugins.attr-sql.database            |          |Database URI for attr-sql plugin used by charon and pluto |
-Martin Willi
+|libstrongswan.plugins.attr-sql.lease_history       |yes       |Enable logging of [[SQL]] IP pool leases|
-Tobias Brunner
+|\3. *manager section*                              |
-Martin Willi
+|manager.database                                   |          |Credential database URI for manager|
-Martin Willi
+|manager.debug                                      |no        |Enable debugging in manager|
-Martin Willi
+|manager.load                                       |          |Plugins to load in manager|
-Martin Willi
+|manager.socket                                     |          |FastCGI socket of manager, to run it statically|
-Martin Willi
+|manager.threads                                    |10        |Threads to use for request handling|
-Martin Willi
+|manager.timeout                                    |15m       |Session timeout for manager|
-Tobias Brunner
+|\3. *mediation client section*                     |
-Martin Willi
+|medcli.database                                    |          |Mediation client database URI|
-Martin Willi
+|medcli.dpd                                         |5m        |DPD timeout to use in mediation client plugin|
-Martin Willi
+|medcli.rekey                                       |20m       |Rekeying time on mediation connections in mediation client plugin|
-Tobias Brunner
+|\3. *mediation server section*                     |
-Martin Willi
+|medsrv.database                                    |          |Mediation server database URI|
-Martin Willi
+|medsrv.debug                                       |no        |Debugging in mediation server web application|
-Martin Willi
+|medsrv.dpd                                         |5m        |DPD timeout to use in mediation server plugin|
-Martin Willi
+|medsrv.load                                        |          |Plugins to load in mediation server plugin|
-Martin Willi
+|medsrv.password_length                             |6         |Minimum password length required for mediation server user accounts|
-Martin Willi
+|medsrv.rekey                                       |20m       |Rekeying time on mediation connections in mediation server plugin|
-Martin Willi
+|medsrv.socket                                      |          |Run Mediation server web application statically on socket|
-Martin Willi
+|medsrv.threads                                     |5         |Number of thread for mediation service web application|
-Martin Willi
+|medsrv.timeout                                     |15m       |Session timeout for mediation service|
-Tobias Brunner
+|\3. *openac section*                               |
-Martin Willi
+|openac.load                                        |          |Plugins to load in ipsec openac tool|
-Tobias Brunner
+|\3. *pluto section*                                |
-Martin Willi
+|pluto.dns1                                         |          |DNS server 1 assigned to peer via configuration payload (CP)|
-Martin Willi
+|pluto.dns2                                         |          |DNS server 2 assigned to peer via configuration payload (CP)|
-Martin Willi
+|pluto.load                                         |          |Plugins to load in ipsec pluto daemon|
-Martin Willi
+|pluto.nbns1                                        |          |WINS server 1 assigned to peer via configuration payload (CP)|
-Martin Willi
+|pluto.nbns2                                        |          |WINS server 2 assigned to peer via configu+ration payload (CP)|
-Tobias Brunner
+|\3. *pool section*                                 |
-Martin Willi
+|pool.load                                          |          |Plugins to load in ipsec pool tool|
-Tobias Brunner
+|\3. *scepclient section*                           |
-Martin Willi
+|scepclient.load                                    |          |Plugins to load in ipsec scepclient tool|

Project

General

Profile

strongSwan

strongswan.conf Reference » History » Version 42