Options for the charon IKE daemon.

**Note**: Many of the options in this section also apply to **charon-cmd**
and other **charon** derivatives. Just use their respective name (e.g.
**charon-cmd** instead of **charon**). For many options defaults can be
defined in the **libstrongswan** section.

charon.accept_unencrypted_mainmode_messages = no
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.

Some implementations send the third Main Mode message unencrypted, probably
to find the PSKs for the specified ID for authentication. This is very
similar to Aggressive Mode, and has the same security implications: a
passive attacker can sniff the negotiated Identity and start brute forcing
the PSK using the HASH payload.

It is recommended to keep this option set to no, unless you know exactly
what the implications are and require compatibility with such devices (for
example, some SonicWall boxes).
charon.block_threshold = 5
Maximum number of half-open IKE_SAs for a single peer IP.

charon.cert_cache = yes
Whether relations in validated certificate chains should be cached in

charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).

charon.close_ike_on_child_failure = no
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.

charon.cookie_threshold = 10
Number of half-open IKE_SAs that activate the cookie mechanism.

charon.crypto_test.bench = no
Benchmark crypto algorithms and order them by efficiency.

charon.crypto_test.bench_size = 1024
Buffer size used for crypto benchmark.

charon.crypto_test.bench_time = 50
Number of iterations to test each algorithm.

charon.crypto_test.on_add = no
Test crypto algorithms during registration (requires test vectors provided
by the _test-vectors_ plugin).

charon.crypto_test.on_create = no
Test crypto algorithms on each crypto primitive instantiation.

charon.crypto_test.required = no
Strictly require at least one test vector to enable an algorithm.

charon.crypto_test.rng_true = no
Whether to test RNG with TRUE quality; requires a lot of entropy.

charon.delete_rekeyed = no
Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).

Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
However, this might cause problems with implementations that continue to
use rekeyed SAs until they expire.

charon.dh_exponent_ansi_x9_42 = yes
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic

charon.dlopen_use_rtld_now = no
Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal missing

DNS server assigned to peer via configuration payload (CP).

DNS server assigned to peer via configuration payload (CP).

charon.dos_protection = yes
Enable Denial of Service protection using cookies and aggressiveness checks.

charon.ecp_x_coordinate_only = yes
Compliance with the errata for RFC 4753.

charon.flush_auth_cfg = no
Free objects during authentication (might conflict with plugins).

If enabled, objects used during authentication (certificates, identities
etc.) are released to free memory once an IKE_SA is established. Enabling
this might conflict with plugins that later need access to e.g. the used

charon.follow_redirects = yes
Whether to follow IKEv2 redirects (RFC 5685).

charon.fragment_size = 0
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
address family specific default values). If specified, this limit is used
for both IPv4 and IPv6.

Name of the group the daemon changes to after startup.

charon.half_open_timeout = 30
Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).

charon.hash_and_url = no
Enable hash and URL support.

charon.host_resolver.max_threads = 3
Maximum number of concurrent resolver threads (they are terminated if

charon.host_resolver.min_threads = 0
Minimum number of resolver threads to keep around.

charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
Allow IKEv1 Aggressive Mode with pre-shared keys as responder.

If enabled, responders are allowed to use IKEv1 Aggressive Mode with
pre-shared keys, which is discouraged due to security concerns (offline
attacks on the openly transmitted hash of the PSK).
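The two IKEv1 PSK options above (accept_unencrypted_mainmode_messages and i_dont_care_about_security_and_use_aggressive_mode_psk) are the ones a reviewer most wants to see left at their defaults. As an added example that is not strongSwan's own code, the following Python flattens a strongswan.conf's brace-nested sections into dotted keys and reports each of a small set of options that deviates from the secure default listed on this page; the sample configuration is constructed, and the set of boolean spellings it accepts is an assumption.

```python
# Secure values are the documented defaults from this page; deviations are reported.
SECURE_SETTINGS = {
    "charon.accept_unencrypted_mainmode_messages": "no",
    "charon.i_dont_care_about_security_and_use_aggressive_mode_psk": "no",
    "charon.dos_protection": "yes",
    "charon.x509.enforce_critical": "yes",
}

def parse_conf(text):
    """Flatten strongswan.conf's brace-nested sections into dotted keys.
    Handles '# comments', 'section {', '}' and 'key = value'; 'include'
    directives are skipped because nothing is read from disk here."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value
    return settings

def as_bool(value):
    # Assumption: charon reads yes/true/1/enabled as true, anything else as false.
    return value.strip().lower() in ("yes", "true", "1", "enabled")

def audit(text):
    """Return (option, value) pairs that differ from the secure default;
    an option absent from the file keeps its default."""
    settings = parse_conf(text)
    return [(opt, settings.get(opt, secure))
            for opt, secure in SECURE_SETTINGS.items()
            if as_bool(settings.get(opt, secure)) != as_bool(secure)]

# Constructed sample: re-enables both IKEv1 PSK weaknesses and turns off DoS
# protection; x509.enforce_critical keeps its default and is not reported.
WEAK_CONF = """
charon {
    accept_unencrypted_mainmode_messages = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    dos_protection = no  # exposed responder without cookies
    x509 {
        enforce_critical = yes
    }
}
"""
```

Running audit(WEAK_CONF) lists the three weakened options; an empty result means every checked option is at its secure default.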
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.

charon.ignore_acquire_ts = no
Whether to ignore the traffic selectors from the kernel's acquire events for
IKEv2 connections (they are not used for IKEv1).

If this is disabled, the traffic selectors from the kernel's acquire events,
which are derived from the triggering packet, are prepended to the traffic
selectors from the configuration for IKEv2 connections. By enabling this,
such specific traffic selectors will be ignored and only the ones in the
config will be sent. This always happens for IKEv1 connections as the
protocol only supports one set of traffic selectors per CHILD_SA.

charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.

charon.ikesa_table_segments = 1
Number of exclusively locked segments in the hash table.

charon.ikesa_table_size = 1
Size of the IKE_SA hash table.

charon.inactivity_close_ike = no
Whether to close the IKE_SA if the only CHILD_SA closed due to inactivity.

charon.init_limit_half_open = 0
Limit new connections based on the current number of half open IKE_SAs, see
IKE_SA_INIT DROPPING in **strongswan.conf**(5).

charon.init_limit_job_load = 0
Limit new connections based on the number of queued jobs.

Limit new connections based on the number of jobs currently queued for
processing (see IKE_SA_INIT DROPPING).

charon.initiator_only = no
Causes the charon daemon to ignore IKE initiation requests.

charon.install_routes = yes
Install routes into a separate routing table for established IPsec tunnels.

charon.install_virtual_ip = yes
Install virtual IP addresses.

charon.install_virtual_ip_on
The name of the interface on which virtual IP addresses should be installed.
If not specified, the addresses will be installed on the outbound interface.

charon.integrity_test = no
Check daemon, libstrongswan and plugin integrity at startup.

charon.interfaces_ignore
A comma-separated list of network interfaces that should be ignored. If
**interfaces_use** is specified, this option has no effect.

charon.interfaces_use
A comma-separated list of network interfaces that should be used by charon.
All other interfaces are ignored.

charon.keep_alive = 20s
NAT keep alive interval.

charon.leak_detective.detailed = yes
Includes source file names and line numbers in leak detective output.

charon.leak_detective.usage_threshold = 10240
Threshold in bytes for leaks to be reported (0 to report all).

charon.leak_detective.usage_threshold_count = 0
Threshold in number of allocations for leaks to be reported (0 to report

Plugins to load in the IKE daemon charon.

charon.load_modular = no
Determine plugins to load via each plugin's load option.

If enabled, the list of plugins to load is determined via the value of the
_charon.plugins.<name>.load_ options. In addition to a simple boolean flag
that option may take an integer value indicating the priority of a plugin,
which would influence the order of a plugin in the plugin list (the default
is 1). If two plugins have the same priority, their order in the default
plugin list is preserved. Enabled plugins not found in that list are ordered
alphabetically before other plugins with the same priority.

charon.max_ikev1_exchanges = 3
Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and

charon.max_packet = 10000
Maximum packet size accepted by charon.

charon.make_before_break = no
Initiate IKEv2 reauthentication with a make-before-break scheme.

Initiate IKEv2 reauthentication with a make-before-break instead of a
break-before-make scheme. Make-before-break uses overlapping IKE and
CHILD_SAs during reauthentication by first recreating all new SAs before
deleting the old ones. This behavior can be beneficial to avoid connectivity
gaps during reauthentication, but requires support for overlapping SAs by
the peer. strongSwan can handle such overlapping SAs since version 5.3.0.

charon.multiple_authentication = yes
Enable multiple authentication exchanges (RFC 4739).

WINS servers assigned to peer via configuration payload (CP).

WINS servers assigned to peer via configuration payload (CP).

UDP port used locally. If set to 0 a random port will be allocated.

charon.port_nat_t = 4500
UDP port used locally in case of NAT-T. If set to 0 a random port will be
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.

charon.prefer_temporary_addrs = no
By default, public IPv6 addresses are preferred over temporary ones (RFC
4941) to make connections more stable. Enable this option to reverse this.

charon.process_route = yes
Process RTM_NEWROUTE and RTM_DELROUTE events.

charon.processor.priority_threads {}
Section to configure the number of reserved threads per priority class, see
JOB PRIORITY MANAGEMENT in **strongswan.conf**(5).

charon.receive_delay = 0
Delay in ms for receiving packets, to simulate larger RTT.

charon.receive_delay_response = yes
Delay response messages.

charon.receive_delay_request = yes
Delay request messages.

charon.receive_delay_type = 0
Specific IKEv2 message type to delay, 0 for any.

charon.replay_window = 32
Size of the AH/ESP replay window, in packets.

charon.retransmit_base = 1.8
Base to use for calculating exponential backoff, see IKEv2 RETRANSMISSION
in **strongswan.conf**(5).

charon.retransmit_timeout = 4.0
Timeout in seconds before sending first retransmit.

charon.retransmit_tries = 5
Number of times to retransmit a packet before giving up.
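The three retransmit_* options above define an exponential backoff; as an added example (not strongSwan code), the following Python computes the schedule they produce. It assumes the formula of the IKEv2 RETRANSMISSION section that the options refer to: the n-th retransmit is sent retransmit_timeout * retransmit_base^(n-1) seconds after the previous send, and after retransmit_tries retransmits one final timeout elapses before the exchange is abandoned.

```python
def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Seconds charon waits before each retransmit and, as the last entry,
    before giving up: wait n is timeout * base**(n-1), tries + 1 waits in
    total.  Assumption: this is the IKEv2 RETRANSMISSION formula."""
    return [round(timeout * base ** n, 3) for n in range(tries + 1)]

def total_timeout(timeout=4.0, base=1.8, tries=5):
    """Seconds from the first send until the exchange is declared failed."""
    return round(sum(retransmit_schedule(timeout, base, tries)), 1)

if __name__ == "__main__":
    # Defaults from this page: 4.0, 7.2, 12.96, 23.328, 41.99, 75.583 s,
    # about 165 s overall before charon gives up on a silent peer.
    print(retransmit_schedule(), total_timeout())
```

Lowering retransmit_tries or retransmit_timeout shortens the window in which an unreachable peer keeps the exchange alive; the function makes the trade-off visible before changing the defaults.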
charon.retry_initiate_interval = 0
Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if DNS
resolution failed), 0 to disable retries.

charon.reuse_ikesa = yes
Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).

Numerical routing table to install routes to.

charon.routing_table_prio
Priority of the routing table.

charon.send_delay = 0
Delay in ms for sending packets, to simulate larger RTT.

charon.send_delay_response = yes
Delay response messages.

charon.send_delay_request = yes
Delay request messages.

charon.send_delay_type = 0
Specific IKEv2 message type to delay, 0 for any.

charon.send_vendor_id = no
Send strongSwan vendor ID payload.

charon.signature_authentication = yes
Whether to enable Signature Authentication as per RFC 7427.

charon.signature_authentication_constraints = yes
Whether to enable constraints against IKEv2 signature schemes.

If enabled, signature schemes configured in _rightauth_, in addition to
being used as constraints against signature schemes employed in the
certificate chain, are also used as constraints against the signature scheme
used by peers during IKEv2.

charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.

charon.stop-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is terminated.

Number of worker threads in charon. Several of these are reserved for long
running tasks in internal modules and plugins. Therefore, make sure you
don't set this value too low. The number of idle worker threads listed in
_ipsec statusall_ might be used as an indicator on the number of reserved

List of TLS encryption ciphers.

charon.tls.key_exchange
List of TLS key exchange methods.

List of TLS MAC algorithms.

List of TLS cipher suites.

Name of the user the daemon changes to after startup.

charon.x509.enforce_critical = yes
Discard certificates with unsupported or unknown critical extensions.