Please note: This page documents the configuration options of the most current release. Therefore, you should always consult the strongswan.conf(5) man page that comes with the release you are using to confirm which options are actually available.


While the ipsec.conf configuration file is well suited to define IPsec related configuration parameters, it is not useful for other strongSwan applications to read options from this file. The file is hard to parse and only ipsec starter is capable of doing so. As the number of components of the strongSwan project is continually growing, we needed a more flexible configuration file that is easy to extend and can be used by all components. The new configuration format consists of hierarchical sections and a list of key/value pairs in each section. Starting with the strongSwan 4.2.1 release, a default strongswan.conf file is installed in your sysconfdir, e.g. /etc/strongswan.conf.

Since 5.1.2 the default config file is split up and separate files are placed in the /etc/strongswan.d directory.

The IKE daemon charon reloads strongswan.conf if it receives a SIGHUP (this has to be sent manually, ipsec update/reload don't send it). This reloads the logger settings and some plugins also support reloading their configuration (e.g. the attr, the pkcs11 or the eap-radius plugins), and many settings are always read directly from the latest config (some at least for new connections).


Each section has a name, followed by C-style curly brackets defining the section's body. Each section body contains a set of subsections and key/value pairs:

settings := (section|keyvalue)*
section  := name { settings }
keyvalue := key = value\n

Values must be terminated by a newline. Comments are possible using the #-character, but be careful: The parser implementation is currently limited and does not like braces in comments. Section names and keys may contain any printable character except:

. { } # \n \t space

An example might look like this:

a = b
section-one {
  somevalue = asdf
  subsection {
    othervalue = xxx
  }
  # yei, a comment
  yetanother = zz
}
section-two {
  x = 12
}

Indentation is optional, you may use tabs or spaces.

Including files

Version 4.5.1 introduced the include statement, which allows other files to be included into strongswan.conf, e.g.

include /some/path/*.conf

If the file name is not an absolute path, it is considered to be relative to the directory of the file containing the include statement. The file name may include shell wildcards. Also, such inclusions can be nested.

Sections loaded from the included files extend previously loaded sections; already existing values are replaced.
It is important to note that settings are added relative to the section the include statement is in.

As an example, the following three files result in the same final config as the one given above:

# strongswan.conf
a = b
section-one {
    somevalue = before include
    include include.conf
}
include other.conf

# include.conf
# settings loaded from this file are added to section-one
# the following replaces the previous value
somevalue = asdf
subsection {
    othervalue = yyy
}
yetanother = zz

# other.conf
# this extends section-one and subsection
section-one {
    subsection {
        # this replaces the previous value
        othervalue = xxx
    }
}
section-two {
    x = 12
}

Reading values

The config file is read by libstrongswan during library initialization. Values are accessed using a dot-separated section list and a key: accessing section-one.subsection.othervalue will return xxx.
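The following is an added example (not strongSwan's own parser, which lives in libstrongswan) that implements the rules described above: nested sections, newline-terminated values, # comments, include statements resolved relative to the including file with wildcards and nesting, section extension with value replacement, and dot-notation lookup. It rebuilds the three-file include example in a temporary directory and reads it back; the file contents are constructed here to match the page.

```python
import glob
import os
import tempfile


class StrongswanConf:
    """Minimal reader for the strongswan.conf format (hypothetical helper, not strongSwan's API)."""

    def __init__(self):
        self.root = {}

    def load(self, path):
        path = os.path.abspath(path)
        with open(path) as f:
            self._parse(f.read().splitlines(), os.path.dirname(path), self.root)
        return self

    def _parse(self, lines, base_dir, section):
        # stack[-1] is the innermost open section; settings land there.
        stack = [section]
        for raw in lines:
            # Strip comments first, so braces inside comments cannot confuse the parser.
            line = raw.split('#', 1)[0].strip()
            if not line:
                continue
            if line.endswith('{'):
                name = line[:-1].strip()
                # Re-opening an existing section extends it instead of replacing it.
                existing = stack[-1].get(name)
                if not isinstance(existing, dict):
                    existing = {}
                    stack[-1][name] = existing
                stack.append(existing)
            elif line == '}':
                if len(stack) == 1:
                    raise ValueError('unbalanced closing brace')
                stack.pop()
            elif line.startswith('include '):
                pattern = line[len('include'):].strip()
                if not os.path.isabs(pattern):
                    # Relative paths are resolved against the including file's directory.
                    pattern = os.path.join(base_dir, pattern)
                for inc in sorted(glob.glob(pattern)):
                    with open(inc) as f:
                        # Included settings are added to the section the include statement is in.
                        self._parse(f.read().splitlines(), os.path.dirname(inc), stack[-1])
            elif '=' in line:
                key, value = (part.strip() for part in line.split('=', 1))
                stack[-1][key] = value  # an already existing value is replaced
            else:
                raise ValueError('cannot parse line: %r' % raw)
        if len(stack) != 1:
            raise ValueError('unclosed section')

    def get(self, dotted, default=None):
        """Look up a value using dot notation, e.g. 'section-one.subsection.othervalue'."""
        node = self.root
        for part in dotted.split('.'):
            if not isinstance(node, dict) or part not in node:
                return default
            node = node[part]
        return default if isinstance(node, dict) else node


def demo():
    """Write the three files from the include example (constructed) and read them back."""
    files = {
        'strongswan.conf': 'a = b\nsection-one {\n    somevalue = before include\n'
                           '    include include.conf\n}\ninclude other.conf\n',
        'include.conf': '# added to section-one\nsomevalue = asdf\n'
                        'subsection {\n    othervalue = yyy\n}\nyetanother = zz\n',
        'other.conf': 'section-one {\n    subsection {\n        othervalue = xxx # replaces yyy\n'
                      '    }\n}\nsection-two {\n    x = 12\n}\n',
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), 'w') as f:
                f.write(text)
        return StrongswanConf().load(os.path.join(d, 'strongswan.conf'))


if __name__ == '__main__':
    conf = demo()
    print(conf.root)
    print(conf.get('section-one.subsection.othervalue'))
```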

Have a look at the settings interface (src/libstrongswan/utils/settings.h) to learn about the details.

Defined keys

The following keys are currently defined (using dot notation).

${sysconfdir} refers to the directory that can be configured with the --sysconfdir option (defaults to ${prefix}/etc).
${piddir} refers to the directory that can be configured with the --with-piddir option (defaults to /var/run).

Key Default Description
aikgen section
aikgen.load Plugins to load in ipsec aikgen tool.
attest section
attest.database File measurement information database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly.
attest.load Plugins to load in ipsec attest tool.
charon section
Note: Many of the options in this section also apply to charon-cmd, charon-systemd and other charon derivatives. Just use their respective name (e.g. charon-cmd instead of charon).
Defaults for options in this section can be configured in the libstrongswan section.
charon.accept_unencrypted_mainmode_messages no Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Some implementations send the third Main Mode message unencrypted, probably to find the PSKs for the specified ID for authentication. This is very similar to Aggressive Mode, and has the same security implications: A passive attacker can sniff the negotiated Identity, and start brute forcing the PSK using the HASH payload. It is recommended to leave this option set to no, unless you know exactly what the implications are and require compatibility with such devices (for example, some SonicWall boxes).
charon.block_threshold 5 Maximum number of half-open IKE_SAs for a single peer IP.
charon.cache_crls no Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or /etc/swanctl/x509crl (vici), respectively.
charon.cert_cache yes Whether relations in validated certificate chains should be cached in memory.
charon.cisco_unity no Send Cisco Unity vendor ID payload (IKEv1 only), see unity plugin.
charon.close_ike_on_child_failure no Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
charon.cookie_threshold 10 Number of half-open IKE_SAs that activate the cookie mechanism.
charon.crypto_test.bench no Benchmark crypto algorithms and order them by efficiency.
charon.crypto_test.bench_size 1024 Buffer size used for crypto benchmark.
charon.crypto_test.bench_time 50 Number of iterations to test each algorithm.
charon.crypto_test.on_add no Test crypto algorithms during registration (requires test vectors provided by the test-vectors plugin).
charon.crypto_test.on_create no Test crypto algorithms on each crypto primitive instantiation.
charon.crypto_test.required no Strictly require at least one test vector to enable an algorithm.
charon.crypto_test.rng_true no Whether to test RNG with TRUE quality; requires a lot of entropy.
charon.delete_rekeyed no Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However, this might cause problems with implementations that continue to use rekeyed SAs until they expire.
charon.delete_rekeyed_delay 5 Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 only). To process delayed packets the inbound part of a CHILD_SA is kept installed up to the configured number of seconds after it got replaced during a rekeying. If set to 0 the CHILD_SA will be kept installed until it expires (if no lifetime is set it will be destroyed immediately).
charon.dh_exponent_ansi_x9_42 yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical strength.
charon.dlopen_use_rtld_now no Use RTLD_NOW with dlopen() when loading plugins and IMV/IMCs to reveal missing symbols immediately. Useful during development of custom plugins.
charon.dns1 DNS server assigned to peer via configuration payload (CP), see attr plugin.
charon.dns2 DNS server assigned to peer via configuration payload (CP).
charon.dos_protection yes Enable Denial of Service protection using cookies and aggressiveness checks.
charon.ecp_x_coordinate_only yes Compliance with the errata for RFC 4753.
charon.filelog Section to define file loggers, see LoggerConfiguration.
charon.flush_auth_cfg no If enabled objects used during authentication (certificates, identities etc.) are released to free memory once an IKE_SA is established. Enabling this might conflict with plugins that later need access to e.g. the used certificates.
charon.follow_redirects yes Whether to follow IKEv2 redirects (RFC 5685).
charon.fragment_size 1280 Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults to 1280 (use 0 for address family specific default values, which uses a lower value for IPv4). If specified this limit is used for both IPv4 and IPv6.
charon.group Name of the group the daemon changes to after startup.
charon.half_open_timeout 30 Timeout in seconds for connecting IKE_SAs, also see IKE_SA_INIT dropping.
charon.hash_and_url no Enable hash and URL support.
charon.host_resolver.max_threads 3 Maximum number of concurrent resolver threads (they are terminated if unused).
charon.host_resolver.min_threads 0 Minimum number of resolver threads to keep around.
charon.i_dont_care_about_security_and_use_aggressive_mode_psk no If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared keys, which is discouraged due to security concerns (offline attacks on the openly transmitted hash of the PSK).
charon.ignore_acquire_ts no If this is disabled the traffic selectors from the kernel's acquire events, which are derived from the triggering packet, are prepended to the traffic selectors from the configuration for IKEv2 connections. By enabling this, such specific traffic selectors will be ignored and only the ones in the config will be sent. This always happens for IKEv1 connections as the protocol only supports one set of traffic selectors per CHILD_SA.
charon.ignore_routing_tables A space-separated list of routing tables to be excluded from route lookup.
charon.ikesa_limit 0 Maximum number of IKE_SAs that can be established at the same time before new connection attempts are blocked.
charon.ikesa_table_segments 1 Number of exclusively locked segments in the hash table, see IKE_SA lookup tuning.
charon.ikesa_table_size 1 Size of the IKE_SA hash table, see IKE_SA lookup tuning.
charon.inactivity_close_ike no Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
charon.init_limit_half_open 0 Limit new connections based on the current number of half open IKE_SAs, see IKE_SA_INIT dropping.
charon.init_limit_job_load 0 Limit new connections based on the number of jobs currently queued for processing, see IKE_SA_INIT dropping.
charon.initiator_only no Causes charon daemon to ignore IKE initiation requests.
charon.install_routes yes Install routes into a separate routing table for established IPsec tunnels. If disabled a more efficient lookup for source and next-hop addresses is used since 5.5.2.
charon.install_virtual_ip yes Install virtual IP addresses.
charon.install_virtual_ip_on The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface.
charon.integrity_test no Check daemon, libstrongswan and plugin integrity at startup.
charon.interfaces_ignore A comma-separated list of network interfaces that should be ignored, if charon.interfaces_use is specified this option has no effect.
charon.interfaces_use A comma-separated list of network interfaces that should be used by charon. All other interfaces are ignored.
charon.keep_alive 20s NAT keep alive interval in seconds.
charon.leak_detective.detailed yes Includes source file names and line numbers in leak detective output.
charon.leak_detective.usage_threshold 10240 Threshold in bytes for leaks to be reported (0 to report all).
charon.leak_detective.usage_threshold_count 0 Threshold in number of allocations for leaks to be reported (0 to report all).
charon.load Plugins to load in IKEv2 charon daemon, see PluginLoad.
charon.load_modular no If enabled the list of plugins to load is determined by individual load settings for each plugin, see PluginLoad.
charon.make_before_break no Initiate IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD_SA during reauthentication by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer. strongSwan can handle such overlapping SAs since 5.3.0.
charon.max_ikev1_exchanges 3 Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and track concurrently.
charon.max_packet 10000 Maximum packet size accepted by charon.
charon.multiple_authentication yes Enable multiple authentication exchanges (RFC 4739).
charon.nbns1 WINS server assigned to peer via configuration payload (CP), see attr plugin.
charon.nbns2 WINS server assigned to peer via configuration payload (CP).
charon.port 500 UDP port used locally. If set to 0 a random port will be allocated.
charon.port_nat_t 4500 UDP port used locally in case of NAT-T. If set to 0 a random port will be allocated. Has to be different from charon.port, otherwise a random port will be allocated.
charon.prefer_best_path no By default, charon keeps SAs on the routing path with addresses it previously used if that path is still usable. By enabling this option, it tries more aggressively to update SAs with MOBIKE on routing priority changes using the cheapest path. This adds more noise, but allows SAs to adapt dynamically to routing priority changes. This option has no effect if MOBIKE is not supported or disabled.
charon.prefer_configured_proposals yes Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD notifies).
charon.prefer_temporary_addrs no By default public IPv6 addresses are preferred over temporary ones (according to RFC 4941), to make connections more stable. Enable this option to reverse this.
charon.process_route yes Process RTM_NEWROUTE and RTM_DELROUTE events.
charon.processor.priority_threads Subsection to configure the number of reserved threads per priority class (see JobPriority).
charon.receive_delay 0 Delay in ms for receiving packets, to simulate larger RTT.
charon.receive_delay_response yes Delay response messages.
charon.receive_delay_request yes Delay request messages.
charon.receive_delay_type 0 Specific IKEv2 message type to delay, 0 for any.
charon.replay_window 32 Size of the AH/ESP replay window, in packets.
charon.retransmit_base 1.8 Base to use for calculating exponential back off, see Retransmission.
charon.retransmit_jitter 0 Maximum jitter in percent to apply randomly to calculated retransmission timeout (0 to disable).
charon.retransmit_limit 0 Upper limit in seconds for calculated retransmission timeout (0 to disable).
charon.retransmit_timeout 4.0 Timeout in seconds before sending first retransmit.
charon.retransmit_tries 5 Number of times to retransmit a packet before giving up.
charon.retry_initiate_interval 0 Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS resolution failed), 0 to disable retries.
charon.reuse_ikesa yes Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
charon.routing_table 220 Numerical routing table to install routes to.
charon.routing_table_prio 220 Priority of the routing table.
charon.send_delay 0 Delay in ms for sending packets, to simulate larger RTT.
charon.send_delay_request yes Delay request messages.
charon.send_delay_response yes Delay response messages.
charon.send_delay_type 0 Specific IKEv2 message type to delay, 0 for any.
charon.send_vendor_id no Send strongSwan vendor ID payload.
charon.signature_authentication yes Whether to enable Signature Authentication as per RFC 7427.
charon.signature_authentication_constraints yes If enabled, signature schemes configured in rightauth, in addition to getting used as constraints against signature schemes employed in the certificate chain, are also used as constraints against the signature scheme used by peers during IKEv2.
charon.spi_min 0xc0000000 The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
charon.spi_max 0xcfffffff The upper limit for SPIs requested from the kernel for IPsec SAs.
charon.start-scripts Section containing a list of scripts (name = path) that are executed when the daemon is started.
charon.stop-scripts Section containing a list of scripts (name = path) that are executed when the daemon is terminated.
charon.syslog Section to define syslog loggers, see LoggerConfiguration.
charon.threads 16 Number of worker threads in charon. Several of these are reserved for long running tasks in internal modules and plugins. Therefore, make sure you don't set this value too low. The number of idle worker threads listed in ipsec statusall might be used as an indicator of the number of reserved threads (JobPriority has more on this).
charon.user Name of the user the daemon changes to after startup.
charon.x509.enforce_critical yes Discard certificates with unsupported or unknown critical extensions.
charon.plugins subsection
charon.plugins.addrblock.strict yes If enabled, a subject certificate without an RFC 3779 address block extension is rejected if the issuer certificate has such an addrblock extension. If disabled, subject certificates issued without addrblock extension are accepted without any traffic selector checks and no policy is enforced by the plugin.
charon.plugins.android_log.loglevel 1 Loglevel for logging to Android specific logger.
charon.plugins.attr Section to specify arbitrary attributes that are assigned to a peer via configuration payload, see attr plugin.
charon.plugins.attr-sql.crash_recovery yes Release all online leases during startup. Disable this to share the DB between multiple VPN gateways.
charon.plugins.attr-sql.database Database URI for attr-sql plugin used by charon. If it contains a password, make sure to adjust the permissions of the config file accordingly.
charon.plugins.attr-sql.lease_history yes Enable logging of SQL IP pool leases.
charon.plugins.bliss.use_bliss_b yes Use the enhanced BLISS-B key generation and signature algorithm.
charon.plugins.bypass-lan.interfaces_ignore A comma-separated list of network interfaces for which connected subnets should be ignored, if interfaces_use is specified this option has no effect.
charon.plugins.bypass-lan.interfaces_use A comma-separated list of network interfaces for which connected subnets should be considered. All other interfaces are ignored.
charon.plugins.certexpire.csv.cron Cron style string specifying CSV export times, see certexpire for details.
charon.plugins.certexpire.csv.empty_string String to use in empty intermediate CA fields.
charon.plugins.certexpire.csv.fixed_fields yes Use a fixed intermediate CA field count.
charon.plugins.certexpire.csv.force yes Force export of all trustchains we have a private key for.
charon.plugins.certexpire.csv.format %d:%m:%Y strftime(3) format string to export expiration dates as.
charon.plugins.certexpire.csv.local strftime(3) format string for the CSV file name to export local certificates to.
charon.plugins.certexpire.csv.remote strftime(3) format string for the CSV file name to export remote certificates to.
charon.plugins.certexpire.csv.separator , CSV field separator.
charon.plugins.coupling.file File to store coupling list to, see certcoupling plugin for details.
charon.plugins.coupling.hash sha1 Hashing algorithm to fingerprint coupled certificates.
charon.plugins.coupling.max 1 Maximum number of coupling entries to create.
charon.plugins.curl.redir -1 Maximum number of redirects followed by the plugin, set to 0 to disable following redirects, set to -1 for no limit.
charon.plugins.dhcp.force_server_address no Always use the configured server address, see DHCP plugin for details.
charon.plugins.dhcp.identity_lease no Derive user-defined MAC address from hash of IKEv2 identity.
charon.plugins.dhcp.interface Interface name the plugin uses for address allocation. The default is to bind to any and let the system decide which way to route the packets to the DHCP server.
charon.plugins.dhcp.server DHCP server unicast or broadcast IP address.
charon.plugins.dnscert.enable no Enable fetching of CERT RRs via DNS.
charon.plugins.duplicheck.enable yes Enable duplicheck plugin (if loaded).
charon.plugins.duplicheck.socket unix://${piddir}/charon.dck Socket provided by the duplicheck plugin.
charon.plugins.eap-aka.request_identity yes
charon.plugins.eap-aka-3gpp.seq_check Enable to activate sequence check of the AKA SQN values in order to trigger resync cycles.
charon.plugins.eap-aka-3gpp2.seq_check Enable to activate sequence check of the AKA SQN values in order to trigger resync cycles.
charon.plugins.eap-dynamic.prefer_user no If enabled, the eap-dynamic plugin will prefer the order of the EAP methods in an EAP-Nak message sent by a client over the one configured locally.
charon.plugins.eap-dynamic.preferred The preferred EAP method(s) to be used by the eap-dynamic plugin. If it is not set, the first registered method will be used initially. If a comma separated list is specified, the methods are tried in the given order before trying the rest of the registered methods.
charon.plugins.eap-gtc.backend pam XAuth backend to be used for credential verification, see EAP-GTC.
charon.plugins.eap-peap.fragment_size 1024 Maximum size of an EAP-PEAP packet.
charon.plugins.eap-peap.max_message_count 32 Maximum number of processed EAP-PEAP packets.
charon.plugins.eap-peap.include_length no Include length in non-fragmented EAP-PEAP packets.
charon.plugins.eap-peap.phase2_method mschapv2 Phase2 EAP client authentication method.
charon.plugins.eap-peap.phase2_piggyback no Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
charon.plugins.eap-peap.phase2_tnc no Start phase2 EAP-TNC protocol after successful client authentication.
charon.plugins.eap-peap.request_peer_auth no Request peer authentication based on a client certificate.
charon.plugins.eap-radius.accounting no Enable EAP-RADIUS accounting.
charon.plugins.eap-radius.accounting_close_on_timeout yes Close the IKE_SA if there is a timeout during interim RADIUS accounting updates.
charon.plugins.eap-radius.accounting_interval 0 Interval in seconds for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message.
charon.plugins.eap-radius.accounting_requires_vip no If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP.
charon.plugins.eap-radius.class_group no Use the class attribute sent in the Access-Accept message as group membership information, see EapRadius.
charon.plugins.eap-radius.close_all_on_timeout no Closes all IKE_SAs if communication with the RADIUS server times out. If it is not set only the current IKE_SA is closed.
charon.plugins.eap-radius.dae.enable no Enables support for the Dynamic Authorization Extension (RFC 5176).
charon.plugins.eap-radius.dae.listen Address to listen for DAE messages from the RADIUS server.
charon.plugins.eap-radius.dae.port 3799 Port to listen for DAE requests.
charon.plugins.eap-radius.dae.secret Shared secret used to verify/sign DAE messages. If set, make sure to adjust the permissions of the config file accordingly.
charon.plugins.eap-radius.eap_start no Send EAP-Start instead of EAP-Identity to start RADIUS conversation.
charon.plugins.eap-radius.filter_id no Use the filter_id attribute sent in the RADIUS-Accept message as group membership if the RADIUS tunnel_type attribute is set to ESP.
charon.plugins.eap-radius.forward.ike_to_radius RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name or attribute number, a colon can be used to specify vendor-specific attributes, e.g. Reply-Message, or 11, or 36906:12).
charon.plugins.eap-radius.forward.radius_to_ike Same as above but from RADIUS to IKEv2, a strongSwan specific private notify (40969) is used to transmit the attributes.
charon.plugins.eap-radius.id_prefix Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the EAP method.
charon.plugins.eap-radius.nas_identifier strongSwan NAS-Identifier to include in RADIUS messages.
charon.plugins.eap-radius.port 1812 Port of RADIUS server (authentication).
charon.plugins.eap-radius.retransmit_base 1.4 Base to use for calculating exponential back off.
charon.plugins.eap-radius.retransmit_timeout 2.0 Timeout in seconds before sending first retransmit.
charon.plugins.eap-radius.retransmit_tries 4 Number of times to retransmit a packet before giving up.
charon.plugins.eap-radius.secret Shared secret between RADIUS and NAS. If set, make sure to adjust the permissions of the config file accordingly.
charon.plugins.eap-radius.server IP/Hostname of RADIUS server.
charon.plugins.eap-radius.servers Section to specify multiple RADIUS servers, see EapRadius. The nas_identifier, secret, sockets and port (or auth_port) options can be specified for each server. The retransmit settings can also be changed for each server. A server's IP/Hostname can be configured using the address option. The acct_port [1813] option can be used to specify the port used for RADIUS accounting. For each server a priority can be specified using the preference [0] option.
charon.plugins.eap-radius.sockets 1 Number of sockets (ports) to use, increase for high load.
charon.plugins.eap-radius.xauth Section to configure multiple XAuth authentication rounds via RADIUS.
charon.plugins.eap-sim.request_identity yes
charon.plugins.eap-tls.fragment_size 1024 Maximum size of an EAP-TLS packet.
charon.plugins.eap-tls.include_length yes Include length in non-fragmented EAP-TLS packets.
charon.plugins.eap-tls.max_message_count 32 Maximum number of processed EAP-TLS packets (0 = no limit).
charon.plugins.eap-tnc.max_message_count 10 Maximum number of processed EAP-TNC packets (0 = no limit).
charon.plugins.eap-tnc.protocol tnccs-2.0 IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, tnccs-dynamic).
charon.plugins.eap-ttls.fragment_size 1024 Maximum size of an EAP-TTLS packet.
charon.plugins.eap-ttls.include_length yes Include length in non-fragmented EAP-TTLS packets.
charon.plugins.eap-ttls.max_message_count 32 Maximum number of processed EAP-TTLS packets (0 = no limit).
charon.plugins.eap-ttls.phase2_method md5 Phase2 EAP client authentication method.
charon.plugins.eap-ttls.phase2_piggyback no Phase2 EAP Identity request piggybacked by server onto TLS Finished message.
charon.plugins.eap-ttls.phase2_tnc no Start phase2 EAP TNC protocol after successful client authentication.
charon.plugins.eap-ttls.phase2_tnc_method pt Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc).
charon.plugins.eap-ttls.request_peer_auth no Request peer authentication based on a client certificate.
charon.plugins.error-notify.socket unix://${piddir}/charon.enfy Socket provided by the error-notify plugin.
charon.plugins.ext-auth.script Shell script to invoke for peer authorization (see ext-auth).
charon.plugins.gcrypt.quick_random no Use faster random numbers in gcrypt. For testing only, produces weak keys!
charon.plugins.ha.autobalance 0 Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable.
charon.plugins.ha.fifo_interface yes
charon.plugins.ha.heartbeat_delay 1000
charon.plugins.ha.heartbeat_timeout 2100
charon.plugins.ha.monitor yes
charon.plugins.ha.resync yes
charon.plugins.ha.segment_count 1
charon.plugins.ipseckey.enable no Enable fetching of IPSECKEY RRs via DNS.
charon.plugins.kernel-libipsec.allow_peer_ts no Allow that the remote traffic selector equals the IKE peer (see kernel-libipsec for details).
charon.plugins.kernel-netlink.buflen min(PAGE_SIZE, 8192) Buffer size for received Netlink messages.
charon.plugins.kernel-netlink.force_receive_buffer_size no If the maximum Netlink socket receive buffer in bytes set by receive_buffer_size exceeds the system-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. Enabling this option requires special privileges (CAP_NET_ADMIN).
charon.plugins.kernel-netlink.fwmark Firewall mark to set on the routing rule that directs traffic to our own routing table. The format is [!]mark[/mask], where the optional exclamation mark inverts the meaning (i.e. the rule only applies to packets that don't match the mark). A possible use case are host-to-host tunnels with kernel-libipsec. When set to !<mark> a more efficient lookup for source and next-hop addresses may also be used since 5.3.3.
charon.plugins.kernel-netlink.mss 0 MSS to set on installed routes, 0 to disable.
charon.plugins.kernel-netlink.mtu 0 MTU to set on installed routes, 0 to disable.
charon.plugins.kernel-netlink.receive_buffer_size 0 Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default value is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless force_receive_buffer_size is enabled.
charon.plugins.kernel-netlink.roam_events yes Whether to trigger roam events when interfaces, addresses or routes change.
charon.plugins.kernel-netlink.set_proto_port_transport_sa no Whether to set protocol and ports in the selector installed on transport mode IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector.
charon.plugins.kernel-netlink.spdh_thresh Subsection to configure XFRM policy hashing thresholds for IPv4 and IPv6. The section defines hashing thresholds to configure in the kernel during daemon startup. Each address family takes a threshold for the local subnet of an IPsec policy (src in out-policies, dst in in- and forward-policies) and the remote subnet (dst in out-policies, src in in- and forward-policies). If the subnet has at least as many net bits as the threshold, the first threshold bits are used to calculate a hash to look up the policy. Policy hashing thresholds are not supported before Linux 3.18 and might conflict with socket policies before Linux 4.8.
charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits 32 Local subnet XFRM policy hashing threshold for IPv4.
charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits 32 Remote subnet XFRM policy hashing threshold for IPv4.
charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits 128 Local subnet XFRM policy hashing threshold for IPv6.
charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits 128 Remote subnet XFRM policy hashing threshold for IPv6.
charon.plugins.kernel-netlink.xfrm_acq_expires 165 Lifetime of XFRM acquire state created by the kernel when traffic matches a trap policy. The value gets written to /proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay between XFRM acquire messages triggered by the kernel for a trap policy. The same value is used as timeout for SPIs allocated by the kernel. The default value equals the default total retransmission timeout for IKE messages (since 5.5.3 this value is determined dynamically based on the configuration).
charon.plugins.kernel-pfkey.events_buffer_size 0 Size of the receive buffer for the event socket (0 for default size). Because events are received asynchronously installing e.g. lots of policies may require a larger buffer than the default on certain platforms in order to receive all messages.
charon.plugins.kernel-pfroute.vip_wait 1000 Time in ms to wait until virtual IP addresses appear/disappear before failing.
charon.plugins.led.blink_time 50
charon.plugins.load-tester Subsection to configure load tests using the load-tester plugin.
charon.plugins.lookip.socket unix://${piddir}/charon.lkp Socket provided by the lookip plugin.
charon.plugins.ntru.max_drbg_requests 4294967294 Number of pseudo-random bit requests from the DRBG before an automatic reseeding occurs.
charon.plugins.ntru.parameter_set optimum The following parameter sets are available: x9_98_speed, x9_98_bandwidth, x9_98_balance and optimum, the last set not being part of the X9.98 standard but having the best performance.
charon.plugins.openssl.engine_id pkcs11 ENGINE ID to use in the OpenSSL plugin.
charon.plugins.openssl.fips_mode 0 Set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2). Defaults to the value configured with the --with-fips-mode option.
charon.plugins.osx-attr.append yes Whether DNS servers are appended to existing entries, instead of replacing them.
charon.plugins.pkcs11.load_certs yes Whether to load certificates from tokens.
charon.plugins.pkcs11.modules List of available PKCS#11 modules, see SmartCardsIKEv2.
charon.plugins.pkcs11.reload_certs no Reload certificates from all tokens if charon receives a SIGHUP.
charon.plugins.pkcs11.use_dh no Whether the PKCS#11 modules should be used for DH and ECDH.
charon.plugins.pkcs11.use_ecc no Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations. ECDSA private keys are used regardless of this option.
charon.plugins.pkcs11.use_hasher no Whether the PKCS#11 modules should be used to hash data.
charon.plugins.pkcs11.use_pubkey no Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens.
charon.plugins.pkcs11.use_rng no Whether the PKCS#11 modules should be used as RNG.
charon.plugins.radattr.dir Directory where RADIUS attributes are stored in client-ID specific files, see radattr.
charon.plugins.radattr.message_id -1 RADIUS attributes are added to all IKE_AUTH messages by default (-1), or only to the IKE_AUTH message with the given IKEv2 message ID.
charon.plugins.random.random /dev/random File to read random bytes from.
charon.plugins.random.urandom /dev/urandom File to read pseudo random bytes from.
charon.plugins.random.strong_equals_true no If enabled the RNG_STRONG class reads random bytes from the same source as the RNG_TRUE class.
charon.plugins.resolve.file /etc/resolv.conf File used by the resolve plugin to write DNS server entries to.
charon.plugins.resolve.resolvconf.iface_prefix lo.inet.ipsec. Prefix used by the resolve plugin for interface names sent to resolvconf(8). The name server address is appended to this prefix to make it unique. The result has to be a valid interface name according to the rules defined by resolvconf. Also, it should have a high priority according to the order defined in interface-order(5).
charon.plugins.revocation.enable_crl yes Whether CRL validation should be enabled.
charon.plugins.revocation.enable_ocsp yes Whether OCSP validation should be enabled.
charon.plugins.socket-default.fwmark Firewall mark to set on outbound packets (a possible use case are host-to-host tunnels with kernel-libipsec).
charon.plugins.socket-default.set_source yes Set source address on outbound packets, if possible.
charon.plugins.socket-default.set_sourceif no Force sending interface on outbound packets, if possible. This allows using IPv6 link-local addresses as tunnel endpoints.
charon.plugins.socket-default.use_ipv4 yes Listen on IPv4, if possible.
charon.plugins.socket-default.use_ipv6 yes Listen on IPv6, if possible.
charon.plugins.sql.database Database URI for charon's SQL plugin. If it contains a password, make sure to adjust the permissions of the config file accordingly.
charon.plugins.sql.loglevel -1 Loglevel for logging to SQL database.
charon.plugins.stroke.allow_swap yes Analyze addresses/hostnames in left/right to detect which side is local and swap configuration options if necessary. If disabled left is always local.
charon.plugins.stroke.ignore_missing_ca_basic_constraint no Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA certificates even if they don't contain a CA basic constraint.
charon.plugins.stroke.max_concurrent 4 Maximum number of stroke messages handled concurrently.
charon.plugins.stroke.secrets_file ${sysconfdir}/ipsec.secrets Location of the ipsec.secrets file.
charon.plugins.stroke.socket unix://${piddir}/charon.ctl Socket provided by the stroke plugin.
charon.plugins.stroke.timeout 0 Timeout in ms for any stroke command. Use 0 to disable the timeout.
charon.plugins.systime-fix.interval 0 Interval in seconds to check system time for validity. 0 disables the check. See systime-fix plugin.
charon.plugins.systime-fix.reauth no Whether to use reauth or delete if an invalid cert lifetime is detected.
charon.plugins.systime-fix.threshold Threshold date where system time is considered valid. Disabled if not specified.
charon.plugins.systime-fix.threshold_format %Y strptime(3) format used to parse threshold option.
charon.plugins.tnc-ifmap.client_cert Path to X.509 certificate file of IF-MAP client.
charon.plugins.tnc-ifmap.client_key Path to private key file of IF-MAP client.
charon.plugins.tnc-ifmap.device_name Unique name of strongSwan server as a PEP and/or PDP device.
charon.plugins.tnc-ifmap.renew_session_interval 150 Interval in seconds between periodic IF-MAP RenewSession requests.
charon.plugins.tnc-ifmap.server_cert Path to X.509 certificate file of IF-MAP server.
charon.plugins.tnc-ifmap.server_uri https://localhost:8444/imap URI of the form [https://]servername[:port][/path].
charon.plugins.tnc-ifmap.username_password Credentials of IF-MAP client of the form username:password. If set, make sure to adjust the permissions of the config file accordingly.
charon.plugins.tnc-imc.dlclose yes Unload IMC after use.
charon.plugins.tnc-imc.preferred_language en Preferred language for TNC recommendations.
charon.plugins.tnc-imv.dlclose yes Unload IMV after use.
charon.plugins.tnc-imv.recommendation_policy default TNC recommendation policy, one of default, any, or all.
charon.plugins.tnc-pdp.pt_tls.enable yes Enable PT-TLS protocol on the strongSwan PDP.
charon.plugins.tnc-pdp.pt_tls.port 271 PT-TLS server port the strongSwan PDP is listening on.
charon.plugins.tnc-pdp.radius.enable yes Enable RADIUS protocol on the strongSwan PDP.
charon.plugins.tnc-pdp.radius.method ttls EAP tunnel method to be used.
charon.plugins.tnc-pdp.radius.port 1812 RADIUS server port the strongSwan PDP is listening on.
charon.plugins.tnc-pdp.radius.secret Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust the permissions of the config file accordingly.
charon.plugins.tnc-pdp.server Name of the strongSwan PDP as contained in the AAA certificate.
charon.plugins.tnc-pdp.timeout Timeout in seconds before closing incomplete connections.
charon.plugins.tnccs-11.max_message_size 45000 Maximum size of a PA-TNC message (XML & Base64 encoding).
charon.plugins.tnccs-20.max_batch_size 65522 Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529).
charon.plugins.tnccs-20.max_message_size 65490 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
(option name missing on this page) no Enable PB-TNC mutual protocol.
charon.plugins.tpm.use_rng no Whether the TPM should be used as RNG.
charon.plugins.unbound.dlv_anchors File to read trusted keys for DLV from. It uses the same format as trust_anchors. Only one DLV can be configured, which is then used as a root trusted DLV; that is, it acts as a lookaside for the root.
charon.plugins.unbound.resolv_conf /etc/resolv.conf File to read DNS resolver configuration from.
charon.plugins.unbound.trust_anchors /etc/ipsec.d/dnssec.keys File to read DNSSEC trust anchors from (usually root zone KSK). The format of the file is the standard DNS Zone file format, anchors can be stored as DS or DNSKEY entries in the file.
charon.plugins.updown.dns_handler no Whether the updown script should handle DNS servers assigned via IKEv1 Mode Config or IKEv2 Config Payloads (if enabled they can't be handled by other plugins, like resolve).
charon.plugins.vici.socket unix://${piddir}/charon.vici Socket the vici plugin serves clients.
charon.plugins.whitelist.enable yes Enable loaded whitelist plugin.
charon.plugins.whitelist.socket unix://${piddir}/charon.wlst Socket provided by the whitelist plugin.
charon.plugins.xauth-eap.backend radius EAP plugin to be used as backend for XAuth credential verification, see XAuthEAP.
charon.plugins.xauth-pam.pam_service login PAM service to be used for authentication, see XAuthPAM.
charon.plugins.xauth-pam.session no Open/close a PAM session for each active IKE_SA.
charon.plugins.xauth-pam.trim_email yes If an email address is given as an XAuth username, trim it to just the username part.
charon.imcv subsection
Defaults for options in this section can be configured in the libimcv section.
charon.imcv.assessment_result yes Whether IMVs send a standard IETF Assessment Result attribute.
charon.imcv.database Global IMV policy database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly.
charon.imcv.os_info.default_password_enabled no Manually set whether a default password is enabled.
(option name missing on this page) Manually set the name of the client OS (e.g. Ubuntu).
charon.imcv.os_info.version Manually set the version of the client OS (e.g. 12.04 i686).
charon.imcv.policy_script ipsec _imv_policy Script called for each TNC connection to generate IMV policies.
charon.tls subsection
Defaults for options in this section can be configured in the libtls section.
charon.tls.cipher List of TLS encryption ciphers.
charon.tls.key_exchange List of TLS key exchange methods.
charon.tls.mac List of TLS MAC algorithms.
charon.tls.suites List of TLS cipher suites.
charon.tnc subsection
Defaults for options in this section can be configured in the libtnccs section.
libtnccs.tnc_config /etc/tnc_config TNC IMC/IMV configuration file.
charon-nm section
charon-nm.ca_dir <default> Directory from which to load CA certificates if no certificate is configured.
charon-systemd section
charon-systemd.journal Section to configure native systemd journal logger, very similar to the syslog logger as described in LoggerConfiguration.
imv_policy_manager section
imv_policy_manager.command_allow Shell command to be executed with recommendation allow.
imv_policy_manager.command_block Shell command to be executed with all other recommendations.
imv_policy_manager.database Database URI for the database that stores the package information. If it contains a password, make sure to adjust permissions of the config file accordingly.
imv_policy_manager.load sqlite Plugins to load in IMV policy manager.
libimcv section
libimcv.debug_level 1 Debug level for a stand-alone libimcv library.
libimcv.load random nonce gmp pubkey x509 Plugins to load in IMC/IMVs with stand-alone libimcv library.
libimcv.stderr_quiet no Disable the output to stderr with a stand-alone libimcv library.
libimcv.swid_gen.command /usr/local/bin/swid_generator SWID generator command to be executed.
(option name missing on this page) strongSwan Project Name of the tagCreator entity.
libimcv.swid_gen.tag_creator.regid regid of the tagCreator entity.
libimcv plugins subsection
libimcv.plugins.imc-attestation.aik_blob AIK encrypted private key blob file.
libimcv.plugins.imc-attestation.aik_cert AIK certificate file.
libimcv.plugins.imc-attestation.aik_handle AIK object handle, e.g. 0x81010003.
libimcv.plugins.imc-attestation.aik_pubkey AIK public key file.
libimcv.plugins.imc-attestation.mandatory_dh_groups yes Enforce mandatory Diffie-Hellman groups.
libimcv.plugins.imc-attestation.nonce_len 20 DH nonce length.
libimcv.plugins.imc-attestation.pcr_info no Whether to send pcr_before and pcr_after info.
libimcv.plugins.imc-attestation.use_quote2 yes Use Quote2 AIK signature instead of Quote signature.
libimcv.plugins.imc-attestation.use_version_info no Version Info is included in Quote2 signature.
libimcv.plugins.imc-hcd.push_info yes Send quadruple info without being prompted.
libimcv.plugins.imc-hcd.subtypes Section to define PWG HCD PA subtypes (see HCD-IMC).
libimcv.plugins.imc-hcd.subtypes.<section> Defines a PWG HCD PA subtype section. Recognized subtype section names are system, control, marker, finisher, interface and scanner.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> Defines a software type section. Recognized software type section names are firmware, resident_application and user_application.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> Defines a software section having an arbitrary name.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name Name of the software installed on the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches String describing all patches applied to the given software on this hardcopy device. The individual patches are separated by a newline character '\n'.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.string_version String describing the version of the given software on this hardcopy device.
libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version Hex-encoded version string with a length of 16 octets consisting of the fields major version number (4 octets), minor version number (4 octets), build number (4 octets), service pack major number (2 octets) and service pack minor number (2 octets).
libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language en Variable length natural language tag conforming to RFC 5646 specifies the language to be used in the health assessment message of a given subtype.
libimcv.plugins.imc-hcd.subtypes.system.certification_state Hex-encoded certification state.
libimcv.plugins.imc-hcd.subtypes.system.configuration_state Hex-encoded configuration state.
libimcv.plugins.imc-hcd.subtypes.system.machine_type_model String specifying the machine type and model of the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled no Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.time_source String specifying the hostname of the network time server used by the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled no Specifies if users can dynamically download and execute applications on the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.user_application_persistence_enabled no Specifies if user dynamically downloaded applications can persist outside the boundaries of a single job on the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.vendor_name String specifying the manufacturer of the hardcopy device.
libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code Integer specifying the globally unique 24-bit SMI code assigned to the manufacturer of the hardcopy device.
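The version value for an imc-hcd software section is a fixed 16-octet layout (4 + 4 + 4 + 2 + 2 octets, hex-encoded), which is easy to pad incorrectly by hand. As an added example, not code from the strongSwan project or the HCD-IMC documentation, the following POSIX shell functions pack a version into that layout and unpack it again, rejecting input that is not exactly 32 hex characters. Function names and the sample values in the comments are mine.

```shell
#!/bin/sh
# Added example (not strongSwan project code): pack/unpack the 16-octet
# hex-encoded version field of libimcv.plugins.imc-hcd.subtypes.<...>.version.
# Layout: major (4 octets) | minor (4) | build (4) | sp major (2) | sp minor (2)

# hcd_version_encode MAJOR MINOR BUILD SP_MAJOR SP_MINOR
# Prints the 32 hex characters (16 octets) for the given decimal fields,
# e.g. hcd_version_encode 3 1 2049 1 0 -> 00000003000000010000080100010000
hcd_version_encode() {
    printf '%08x%08x%08x%04x%04x\n' "$1" "$2" "$3" "$4" "$5"
}

# hcd_version_decode HEX
# Prints "major minor build sp_major sp_minor" in decimal. Returns 1 if HEX
# contains non-hex characters or is not exactly 32 characters long.
hcd_version_decode() {
    hex=$1
    case $hex in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 32 ] || return 1
    major=$((0x$(printf '%s' "$hex" | cut -c1-8)))
    minor=$((0x$(printf '%s' "$hex" | cut -c9-16)))
    build=$((0x$(printf '%s' "$hex" | cut -c17-24)))
    sp_major=$((0x$(printf '%s' "$hex" | cut -c25-28)))
    sp_minor=$((0x$(printf '%s' "$hex" | cut -c29-32)))
    echo "$major $minor $build $sp_major $sp_minor"
}

# Usage: version="$(hcd_version_encode 3 1 2049 1 0)" and paste the result as
# the value of the software section's version key.
```

Decoding the value back before committing it to the config catches transposed fields, since the decimal output can be compared against the vendor's firmware version string directly.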
libimcv.plugins.imc-os.device_cert Manually set the path to the client device certificate (e.g. /etc/pts/aikCert.der).
libimcv.plugins.imc-os.device_id Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31).
libimcv.plugins.imc-os.device_pubkey Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der).
libimcv.plugins.imc-os.push_info yes Send operating system info without being prompted.
libimcv.plugins.imc-scanner.push_info yes Send open listening ports without being prompted.
libimcv.plugins.imc-swid.full no Include files in SWID tags.
libimcv.plugins.imc-swid.pretty no Output XML descriptions of SWID tags in pretty print.
libimcv.plugins.imc-swid.swid_directory ${prefix}/share Directory where SWID tags are located.
libimcv.plugins.imc-swima.swid_database URI to software collector database containing event timestamps, software creation and deletion events and collected software identifiers. If it contains a password, make sure to adjust the permissions of the config file accordingly.
libimcv.plugins.imc-swima.swid_directory ${prefix}/share Directory where SWID tags are located.
libimcv.plugins.imc-swima.swid_epoch 0x11223344 Set 32 bit epoch value for event IDs manually if software collector database is not available.
libimcv.plugins.imc-swima.swid_full no Include file information in the XML-encoded SWID tags.
libimcv.plugins.imc-swima.swid_pretty no Generate XML-encoded SWID tags with pretty indentation.
libimcv.plugins.imc-test.additional_ids 0 Number of additional IMC IDs.
libimcv.plugins.imc-test.command none Command to be sent to the Test IMV.
libimcv.plugins.imc-test.dummy_size 0 Size of dummy attribute to be sent to the Test IMV (0 = disabled).
libimcv.plugins.imc-test.retry no Do a handshake retry.
libimcv.plugins.imc-test.retry_command Command to be sent to the IMV Test in the handshake retry.
libimcv.plugins.imv-attestation.cadir Path to directory with AIK cacerts.
libimcv.plugins.imv-attestation.dh_group ecp256 Preferred Diffie-Hellman group.
libimcv.plugins.imv-attestation.hash_algorithm sha256 Preferred measurement hash algorithm.
libimcv.plugins.imv-attestation.min_nonce_len 0 DH minimum nonce length.
libimcv.plugins.imv-attestation.remediation_uri URI pointing to attestation remediation instructions.
libimcv.plugins.imv-os.remediation_uri URI pointing to operating system remediation instructions.
libimcv.plugins.imv-scanner.remediation_uri URI pointing to scanner remediation instructions.
libimcv.plugins.imv-swima.rest_api.timeout 120 Timeout of SWID REST API HTTP POST transaction.
libimcv.plugins.imv-swima.rest_api.uri HTTP URI of the SWID REST API.
libimcv.plugins.imv-test.rounds 0 Number of IMC-IMV retry rounds.
manager section
manager.database Credential database URI for manager. If it contains a password, make sure to adjust the permissions of the config file accordingly.
manager.debug no Enable debugging in manager.
manager.load Plugins to load in manager.
manager.socket FastCGI socket of manager, to run it statically.
manager.threads 10 Threads to use for request handling.
manager.timeout 15m Session timeout for manager.
mediation client section
medcli.database Mediation client database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly.
medcli.dpd 5m DPD timeout to use in mediation client plugin.
medcli.rekey 20m Rekeying time on mediation connections in mediation client plugin.
mediation server section
medsrv.database Mediation server database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly.
medsrv.debug no Debugging in mediation server web application.
medsrv.dpd 5m DPD timeout to use in mediation server plugin.
medsrv.load Plugins to load in mediation server plugin.
medsrv.password_length 6 Minimum password length required for mediation server user accounts.
medsrv.rekey 20m Rekeying time on mediation connections in mediation server plugin.
medsrv.socket Run Mediation server web application statically on socket.
medsrv.threads 5 Number of threads for the mediation service web application.
medsrv.timeout 15m Session timeout for mediation service.
pacman section
pacman.database Database URI for the database that stores the package information. If it contains a password, make sure to adjust the permissions of the config file accordingly.
pki section
pki.load Plugins to load in ipsec pki tool.
pool section
pool.database Database URI for the database that stores IP pools and configuration attributes. If it contains a password, make sure to adjust the permissions of the config file accordingly.
pool.load Plugins to load in ipsec pool tool.
pt-tls-client section
pt-tls-client.load Plugins to load in ipsec pt-tls-client tool.
scepclient section
scepclient.load Plugins to load in ipsec scepclient tool.
starter section
starter.config_file ${sysconfdir}/ipsec.conf Location of the ipsec.conf file.
starter.load_warning yes Show charon.load setting warning, see PluginLoad.
sw-collector section
sw-collector.database URI to software collector database containing event timestamps, software creation and deletion events and collected software identifiers. If it contains a password, make sure to adjust the permissions of the config file accordingly.
sw-collector.first_file /var/log/bootstrap.log Path pointing to file created when the Linux OS was installed.
sw-collector.first_time 0000-00-00T00:00:00Z Time in UTC when the Linux OS was installed.
sw-collector.history Path pointing to apt history.log file.
sw-collector.load Plugins to load in sw-collector tool.
sw-collector.rest_api.timeout 120 Timeout of REST API HTTP POST transaction.
sw-collector.rest_api.uri HTTP URI of the central collector's REST API.
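Several options above (every database URI, charon.plugins.tnc-ifmap.username_password, charon.plugins.tnc-pdp.radius.secret) repeat the same advice: if the value carries a credential, adjust the permissions of the config file accordingly. That check can be done mechanically. The following is an added example and not strongSwan project code: POSIX shell functions that scan strongswan.conf and strongswan.d/*.conf below a given directory for credential-bearing lines and report those that sit in a file readable by group or others. The function names and the matching pattern are mine; the pattern flags `database = scheme://user:password@...` URIs, `username_password =` and any `secret =` key, and the permission test reads the mode string from `ls -ld` so it works on both GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not strongSwan project code): find strongswan.conf fragments
# that carry credentials but are readable by group or others.

# credential_lines FILE
# Prints "line:content" for each line of FILE that sets a credential-bearing
# option: a database URI with user:password@ in it, username_password, or
# any key named secret. Returns 1 (grep's status) when nothing matches.
credential_lines() {
    grep -nE '^[[:space:]]*(database[[:space:]]*=[[:space:]]*[a-z]+://[^[:space:]/]*:[^[:space:]@]*@|(username_password|secret)[[:space:]]*=)' "$1" 2>/dev/null
}

# world_or_group_readable FILE
# Returns 0 if the group or other permission bits of FILE include read access.
# Uses the mode string from ls -ld (columns 5-10 are group and other bits).
world_or_group_readable() {
    mode=$(ls -ld "$1" | cut -c5-10)
    case $mode in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_conf_dir DIR
# Checks DIR/strongswan.conf and DIR/strongswan.d/*.conf. Prints
# "<file>:<line>:<content>" for every credential line found in a file that is
# group- or world-readable. Returns 1 if any such line was found, 0 otherwise.
audit_conf_dir() {
    found=0
    for f in "$1"/strongswan.conf "$1"/strongswan.d/*.conf; do
        [ -f "$f" ] || continue
        world_or_group_readable "$f" || continue
        lines=$(credential_lines "$f") || continue
        printf '%s\n' "$lines" | sed "s|^|$f:|"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Usage: audit_conf_dir /etc   (exit status 1 means something needs chmod 600)
```

Because the files are only inspected, the check is safe to run from a cron job or a configuration-management post-hook; it does not change permissions itself, so the fix stays an explicit `chmod 600` on the reported file.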
swanctl section
swanctl.load Plugins to load in swanctl.
swanctl.socket unix://${piddir}/charon.vici VICI socket to connect to by default.