FreeBSD Manual Pages

STRONGSWAN.CONF(5)		  strongSwan		    STRONGSWAN.CONF(5)

NAME
       strongswan.conf - strongSwan configuration file

DESCRIPTION
       While  the  ipsec.conf(5)  configuration	 file is well suited to	define
       IPsec related configuration parameters, it  is  not  useful  for	 other
       strongSwan  applications	 to  read options from this file.  The file is
       hard to parse and only ipsec starter is capable of  doing  so.  As  the
       number  of components of	the strongSwan project is continually growing,
       a more flexible configuration file was needed, one that is easy to  ex-
       tend  and  can  be  used	 by  all  components.  With  strongSwan	 4.2.1
       strongswan.conf(5) was introduced which meets these requirements.

SYNTAX
       The format of the strongswan.conf file consists	of  hierarchical  sec-
       tions and a list	of key/value pairs in each section. Each section has a
       name, followed by C-Style curly brackets	 defining  the	section	 body.
       Each section body contains a set	of subsections and key/value pairs:

	    settings :=	(section|keyvalue)*
	    section  :=	name { settings	}
	    keyvalue :=	key = value\n

       Values must be terminated by a newline.

       Comments	are possible using the #-character, but	be careful: The	parser
       implementation is currently limited and does not	like brackets in  com-
       ments.

       Section names and keys may contain any printable	character except:

	    . {	} # \n \t space

       An example file in this format might look like this:

	    a =	b
	    section-one	{
		 somevalue = asdf
		 subsection {
		      othervalue = xxx
		 }
		 # yei,	a comment
		 yetanother = zz
	    }
	    section-two	{
		 x = 12
	    }

       Indentation is optional; you may use tabs or spaces.

INCLUDING FILES
       Using  the include statement it is possible to include other files into
       strongswan.conf,	e.g.

	    include /some/path/*.conf

       If the file name	is not an absolute path, it is considered to be	 rela-
       tive to the directory of	the file containing the	include	statement. The
       file name may include shell wildcards (see sh(1)).  Also,  such	inclu-
       sions can be nested.

       Sections	 loaded	from included files extend previously loaded sections;
       already existing	values are replaced.  It is  important	to  note  that
       settings	are added relative to the section the include statement	is in.

       As  an example, the following three files result	in the same final con-
       fig as the one given above:

	    a =	b
	    section-one	{
		 somevalue = before include
		 include include.conf
	    }
	    include other.conf

       include.conf:
	    # settings loaded from this	file are added to section-one
	    # the following replaces the previous value
	    somevalue =	asdf
	    subsection {
		 othervalue = yyy
	    }
	    yetanother = zz

       other.conf:
	    # this extends section-one and subsection
	    section-one	{
		 subsection {
		      #	this replaces the previous value
		      othervalue = xxx
		 }
	    }
	    section-two	{
		 x = 12
	    }

READING	VALUES
       Values are accessed using a dot-separated section list and a key.  With
       reference to the	example	above, accessing section-one.subsection.other-
       value will return xxx.
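       The grammar from SYNTAX, the include merge rules from INCLUDING FILES
       and the dot-notation lookup above, worked through in code. This is an
       added example, not strongSwan's own parser; the three files are con-
       structed in memory under assumed /etc paths so the merge can be checked
       offline, and the result of the lookup is the xxx the man page predicts.

```python
import fnmatch
import posixpath

# Constructed in-memory files (assumed paths) reproducing the man page's
# three-file include example, so the merge semantics can be exercised offline.
FILES = {
    "/etc/strongswan.conf": (
        "a = b\n"
        "section-one {\n"
        "     somevalue = before include\n"
        "     include include.conf\n"
        "}\n"
        "include other.conf\n"),
    "/etc/include.conf": (
        "# settings loaded from this file are added to section-one\n"
        "# the following replaces the previous value\n"
        "somevalue = asdf\n"
        "subsection {\n"
        "     othervalue = yyy\n"
        "}\n"
        "yetanother = zz\n"),
    "/etc/other.conf": (
        "# this extends section-one and subsection\n"
        "section-one {\n"
        "     subsection {\n"
        "          # this replaces the previous value\n"
        "          othervalue = xxx\n"
        "     }\n"
        "}\n"
        "section-two {\n"
        "     x = 12\n"
        "}\n"),
}

FORBIDDEN = set(".{}#\n\t ")  # characters the man page bans in names and keys


def resolve_includes(pattern, including_file, files):
    """Expand an include argument: relative patterns are taken relative to the
    including file's directory; shell wildcards are honoured in the last component."""
    if not posixpath.isabs(pattern):
        pattern = posixpath.join(posixpath.dirname(including_file), pattern)
    directory, glob = posixpath.split(posixpath.normpath(pattern))
    return sorted(name for name in files
                  if posixpath.dirname(name) == directory
                  and fnmatch.fnmatchcase(posixpath.basename(name), glob))


def _checked(name, path, lineno):
    if not name or FORBIDDEN & set(name):
        raise ValueError("%s:%d: illegal name %r" % (path, lineno, name))
    return name


def parse_into(section, path, files, depth=0):
    """Parse `path` into the dict `section` with the man page's merge rules:
    sections extend existing ones, a repeated key replaces the earlier value,
    and an include adds its settings relative to the section it appears in."""
    if depth > 8:  # assumed limit, guards against include loops
        raise ValueError("%s: include nesting too deep" % path)
    stack = [section]
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        # Comments are stripped before brackets are examined, so (unlike the
        # daemon's parser, see SYNTAX) brackets inside comments are harmless.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("%s:%d: unbalanced '}'" % (path, lineno))
            stack.pop()
        elif line.endswith("{"):
            name = _checked(line[:-1].strip(), path, lineno)
            sub = stack[-1].get(name)
            if not isinstance(sub, dict):  # new section (or a key becoming one)
                sub = stack[-1][name] = {}
            stack.append(sub)              # an existing section is extended
        elif line.startswith("include ") and "=" not in line:
            for inc in resolve_includes(line[8:].strip(), path, files):
                parse_into(stack[-1], inc, files, depth + 1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][_checked(key, path, lineno)] = value  # later value wins
        else:
            raise ValueError("%s:%d: cannot parse %r" % (path, lineno, raw))
    if len(stack) != 1:
        raise ValueError("%s: missing '}'" % path)
    return section


def load(path, files=FILES):
    """Parse a top-level file plus everything it includes into one nested dict."""
    return parse_into({}, path, files)


def get(config, dotted, default=None):
    """Dot-notation lookup as in READING VALUES, e.g. section-one.subsection.othervalue."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node
```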

DEFINED	KEYS
       The following keys are currently	defined	(using dot notation). The  de-
       fault value (if any) is listed in brackets after	the key.

       aikgen.load []
	      Plugins to load in ipsec aikgen tool.

       attest.database []
	      File  measurement	 information  database	URI.  If it contains a
	      password,	make sure to adjust the	permissions of the config file
	      accordingly.

       attest.load []
	      Plugins to load in ipsec attest tool.

       charon
	      Options for the charon IKE daemon.

	      Note:  Many  of  the  options  in	 this  section	also  apply to
	      charon-cmd and other charon derivatives.	Just use their respec-
	      tive  name  (e.g.	  charon-cmd instead of	charon).  For many op-
	      tions defaults can be defined in the libstrongswan section.

       charon.accept_unencrypted_mainmode_messages [no]
	      Accept unencrypted ID and	HASH payloads in IKEv1 Main Mode.

	      Some implementations send	the  third  Main  Mode	message	 unen-
	      crypted,	probably to find the PSKs for the specified ID for au-
	      thentication. This is very similar to Aggressive Mode,  and  has
	      the same security	implications: A	passive	attacker can sniff the
	      negotiated Identity, and start brute forcing the PSK  using  the
	      HASH payload.

	      It is recommended	to keep	this option to no, unless you know ex-
	      actly what the implications are  and  require  compatibility  to
	      such devices (for	example, some SonicWall	boxes).

       charon.block_threshold [5]
	      Maximum number of	half-open IKE_SAs for a	single peer IP.

       charon.cache_crls [no]
	      Whether Certificate Revocation Lists (CRLs) fetched via HTTP or
	      LDAP should be saved under a unique file name derived  from  the
	      public	key   of   the	 Certification	 Authority   (CA)   to
	      /etc/ipsec.d/crls	(stroke) or /etc/swanctl/x509crl  (vici),  re-
	      spectively.

       charon.cert_cache [yes]
	      Whether  relations  in  validated	 certificate  chains should be
	      cached in	memory.

       charon.cisco_unity [no]
	      Send Cisco Unity vendor ID payload (IKEv1	only).

       charon.close_ike_on_child_failure [no]
	      Close the	IKE_SA if setup	of the CHILD_SA	 along	with  IKE_AUTH
	      failed.

       charon.cookie_threshold [10]
	      Number of	half-open IKE_SAs that activate	the cookie mechanism.

       charon.crypto_test.bench	[no]
	      Benchmark	crypto algorithms and order them by efficiency.

       charon.crypto_test.bench_size [1024]
	      Buffer size used for crypto benchmark.

       charon.crypto_test.bench_time [50]
	      Number of	iterations to test each	algorithm.

       charon.crypto_test.on_add [no]
	      Test  crypto  algorithms during registration (requires test vec-
	      tors provided by the test-vectors	plugin).

       charon.crypto_test.on_create [no]
	      Test crypto algorithms on	each crypto primitive instantiation.

       charon.crypto_test.required [no]
	      Strictly require at least	one test vector	 to  enable  an	 algo-
	      rithm.

       charon.crypto_test.rng_true [no]
	      Whether  to  test	 RNG  with TRUE	quality; requires a lot	of en-
	      tropy.

       charon.delete_rekeyed [no]
	      Delete CHILD_SAs	right  after  they  got	 successfully  rekeyed
	      (IKEv1 only). Reduces the	number of stale	CHILD_SAs in scenarios
	      with a lot of rekeyings. However,	this might cause problems with
	      implementations  that continue to	use rekeyed SAs	until they ex-
	      pire.

       charon.dh_exponent_ansi_x9_42 [yes]
	      Use ANSI X9.42 DH	exponent size or optimum size matched to cryp-
	      tographic	strength.

       charon.dlopen_use_rtld_now [no]
	      Use  RTLD_NOW  with  dlopen when loading plugins and IMV/IMCs to
	      reveal missing symbols immediately.

       charon.dns1 []
	      DNS server assigned to peer via configuration payload (CP).

       charon.dns2 []
	      DNS server assigned to peer via configuration payload (CP).

       charon.dos_protection [yes]
	      Enable Denial of Service protection using	 cookies  and  aggres-
	      siveness checks.

       charon.ecp_x_coordinate_only [yes]
	      Compliance with the errata for RFC 4753.

       charon.filelog
	      Section  to  define  file	 loggers,  see LOGGER CONFIGURATION in
	      strongswan.conf(5).

       charon.filelog.<filename>
	      <filename> is the	full path to the log file.

       charon.filelog.<filename>.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon.filelog.<filename>.append	[yes]
	      If this option is enabled, log entries are appended to the exist-
	      ing file.

       charon.filelog.<filename>.default [1]
	      Specifies	 the  default  loglevel	 to be used for	subsystems for
	      which no specific	loglevel is defined.

       charon.filelog.<filename>.flush_line [no]
	      Enabling this option disables block buffering and	 enables  line
	      buffering.

       charon.filelog.<filename>.ike_name [no]
	      Prefix  each log entry with the connection name and a unique nu-
	      merical identifier for each IKE_SA.

       charon.filelog.<filename>.time_add_ms [no]
	      Adds the milliseconds within the current second after the	 time-
	      stamp  (separated	by a dot, so time_format should	end with %S or
	      %T).

       charon.filelog.<filename>.time_format []
	      Prefix each log entry with a timestamp.  The  option  accepts  a
	      format string as passed to strftime(3).

       charon.flush_auth_cfg [no]
	      If  enabled  objects  used  during authentication	(certificates,
	      identities etc.)	are released to	free memory once an IKE_SA  is
	      established.  Enabling  this  might  conflict  with plugins that
	      later need access	to e.g.	the used certificates.

       charon.follow_redirects [yes]
	      Whether to follow	IKEv2 redirects	(RFC 5685).

       charon.fragment_size [1280]
	      Maximum size (complete IP	datagram size in bytes)	of a sent  IKE
	      fragment	when  using  proprietary  IKEv1	 or standardized IKEv2
	      fragmentation, defaults to 1280 (use 0 for address  family  spe-
	      cific  default  values,  which uses a lower value	for IPv4).  If
	      specified	this limit is used for both IPv4 and IPv6.

       charon.group []
	      Name of the group	the daemon changes to after startup.

       charon.half_open_timeout	[30]
	      Timeout in seconds for connecting	IKE_SAs	(also see  IKE_SA_INIT
	      DROPPING).

       charon.hash_and_url [no]
	      Enable hash and URL support.

       charon.host_resolver.max_threads	[3]
	      Maximum  number  of concurrent resolver threads (they are	termi-
	      nated if unused).

       charon.host_resolver.min_threads	[0]
	      Minimum number of	resolver threads to keep around.

       charon.i_dont_care_about_security_and_use_aggressive_mode_psk [no]
	      If enabled responders are	allowed	to use IKEv1  Aggressive  Mode
	      with  pre-shared keys, which is discouraged due to security con-
	      cerns (offline attacks on	the openly  transmitted	 hash  of  the
	      PSK).

       charon.ignore_acquire_ts	[no]
	      If  this is disabled the traffic selectors from the kernel's ac-
	      quire events, which are derived from the triggering packet,  are
	      prepended	 to  the  traffic selectors from the configuration for
	      IKEv2 connections. By enabling this, such specific traffic selec-
	      tors will be ignored and only the ones in the config will be
	      sent. This always	happens	for IKEv1 connections as the  protocol
	      only supports one	set of traffic selectors per CHILD_SA.

       charon.ignore_routing_tables []
	      A	 space-separated  list	of  routing tables to be excluded from
	      route lookups.

       charon.ikesa_limit [0]
	      Maximum number of	IKE_SAs	that can be established	 at  the  same
	      time before new connection attempts are blocked.

       charon.ikesa_table_segments [1]
	      Number of	exclusively locked segments in the hash	table.

       charon.ikesa_table_size [1]
	      Size of the IKE_SA hash table.

       charon.imcv
	      Defaults	for  options  in this section can be configured	in the
	      libimcv section.

       charon.imcv.assessment_result [yes]
	      Whether IMVs send	a standard IETF	Assessment Result attribute.

       charon.imcv.database []
	      Global IMV policy	database URI. If it contains a password,  make
	      sure to adjust the permissions of	the config file	accordingly.

       charon.imcv.os_info.default_password_enabled [no]
	      Manually set whether a default password is enabled.

       charon.imcv.os_info.name	[]
	      Manually set the name of the client OS (e.g. Ubuntu).

       charon.imcv.os_info.version []
	      Manually set the version of the client OS	(e.g. 12.04 i686).

       charon.imcv.policy_script [ipsec	_imv_policy]
	      Script called for	each TNC connection to generate	IMV policies.

       charon.inactivity_close_ike [no]
	      Whether to close IKE_SA if the only CHILD_SA closed due to inac-
	      tivity.

       charon.init_limit_half_open [0]
	      Limit new	connections based on the current number	of  half  open
	      IKE_SAs, see IKE_SA_INIT DROPPING	in strongswan.conf(5).

       charon.init_limit_job_load [0]
	      Limit  new  connections  based  on  the number of	jobs currently
	      queued for processing (see IKE_SA_INIT DROPPING).

       charon.initiator_only [no]
	      Causes charon daemon to ignore IKE initiation requests.

       charon.install_routes [yes]
	      Install routes into a separate  routing  table  for  established
	      IPsec tunnels.

       charon.install_virtual_ip [yes]
	      Install virtual IP addresses.

       charon.install_virtual_ip_on []
	      The  name	 of the	interface on which virtual IP addresses	should
	      be installed. If not specified the addresses will	 be  installed
	      on the outbound interface.

       charon.integrity_test [no]
	      Check daemon, libstrongswan and plugin integrity at startup.

       charon.interfaces_ignore	[]
	      A comma-separated list of network interfaces that should be ig-
	      nored. If interfaces_use is specified this option has no effect.

       charon.interfaces_use []
	      A	comma-separated	list of	network	interfaces that	should be used
	      by charon. All other interfaces are ignored.

       charon.keep_alive [20s]
	      NAT keep alive interval.

       charon.leak_detective.detailed [yes]
	      Includes	source	file  names and	line numbers in	leak detective
	      output.

       charon.leak_detective.usage_threshold [10240]
	      Threshold	in bytes for leaks to be reported (0 to	report all).

       charon.leak_detective.usage_threshold_count [0]
	      Threshold	in number of allocations for leaks to be  reported  (0
	      to report	all).

       charon.load []
	      Plugins to load in the IKE daemon	charon.

       charon.load_modular [no]
	      If  enabled,  the	 list of plugins to load is determined via the
	      value of the charon.plugins._name_.load options.	In addition to
	      a	 simple	boolean	flag that option may take an integer value in-
	      dicating the priority of a plugin, which would influence the or-
	      der  of  a  plugin in the	plugin list (the default is 1).	If two
	      plugins have the same priority their order in the	default	plugin
	      list  is	preserved.  Enabled plugins not	found in that list are
	      ordered alphabetically before other plugins with the same	prior-
	      ity.

       charon.make_before_break	[no]
	      Initiate IKEv2 reauthentication with a make-before-break instead
	      of a break-before-make scheme. Make-before-break	uses  overlap-
	      ping  IKE	and CHILD_SA during reauthentication by	first recreat-
	      ing all new SAs before deleting the old ones. This behavior  can
	      be  beneficial  to  avoid	connectivity gaps during reauthentica-
	      tion, but	requires support for  overlapping  SAs	by  the	 peer.
	      strongSwan can handle such overlapping SAs since version 5.3.0.

       charon.max_ikev1_exchanges [3]
	      Maximum  number  of  IKEv1  phase	2 exchanges per	IKE_SA to keep
	      state about and track concurrently.

       charon.max_packet [10000]
	      Maximum packet size accepted by charon.

       charon.multiple_authentication [yes]
	      Enable multiple authentication exchanges (RFC 4739).

       charon.nbns1 []
	      WINS servers assigned to peer via	configuration payload (CP).

       charon.nbns2 []
	      WINS servers assigned to peer via	configuration payload (CP).

       charon.plugins.addrblock.strict [yes]
	      If set to	yes, a subject certificate without an addrblock	exten-
	      sion is rejected if the issuer certificate has such an addrblock
	      extension. If set	to no, subject certificates issued without the
	      addrblock	 extension  are	 accepted without any traffic selector
	      checks and no policy is enforced by the plugin.

       charon.plugins.android_log.loglevel [1]
	      Loglevel for logging to Android specific logger.

       charon.plugins.attr
	      Section to specify arbitrary attributes that are assigned	 to  a
	      peer via configuration payload (CP).

       charon.plugins.attr.<attr> []
	      <attr>  can be either address, netmask, dns, nbns, dhcp, subnet,
	      split-include, split-exclude or the numeric  identifier  of  the
	      attribute	 type. The assigned value can be an IPv4/IPv6 address,
	      a	subnet in CIDR notation	or an arbitrary	value depending	on the
	      attribute	type.  For some	attribute types	multiple values	may be
	      specified	as a comma separated list.

       charon.plugins.attr-sql.database	[]
	      Database URI for attr-sql	plugin used by charon. If it  contains
	      a	 password,  make  sure to adjust the permissions of the	config
	      file accordingly.

       charon.plugins.attr-sql.lease_history [yes]
	      Enable logging of	SQL IP pool leases.

       charon.plugins.bliss.use_bliss_b	[yes]
	      Use the enhanced BLISS-B key generation and signature algorithm.

       charon.plugins.bypass-lan.interfaces_ignore []
	      A comma-separated list of network interfaces for which connected
	      subnets should be ignored. If interfaces_use is specified this
	      option has no effect.

       charon.plugins.bypass-lan.interfaces_use	[]
	      A	comma-separated	list of	network	interfaces for which connected
	      subnets should be	considered. All	other interfaces are ignored.

       charon.plugins.certexpire.csv.cron []
	      Cron style string	specifying CSV export times.

       charon.plugins.certexpire.csv.empty_string []
	      String to	use in empty intermediate CA fields.

       charon.plugins.certexpire.csv.fixed_fields [yes]
	      Use a fixed intermediate CA field	count.

       charon.plugins.certexpire.csv.force [yes]
	      Force export of all trustchains we have a	private	key for.

       charon.plugins.certexpire.csv.format [%d:%m:%Y]
	      strftime(3) format string	to export expiration dates as.

       charon.plugins.certexpire.csv.local []
	      strftime(3)  format string for the CSV file name to export local
	      certificates to.

       charon.plugins.certexpire.csv.remote []
	      strftime(3) format string	for the	CSV file name to export	remote
	      certificates to.

       charon.plugins.certexpire.csv.separator [,]
	      CSV field	separator.

       charon.plugins.coupling.file []
	      File to store coupling list to.

       charon.plugins.coupling.hash [sha1]
	      Hashing algorithm	to fingerprint coupled certificates.

       charon.plugins.coupling.max [1]
	      Maximum number of	coupling entries to create.

       charon.plugins.dhcp.force_server_address	[no]
	      Always  use the configured server	address. This might be helpful
	      if the DHCP server runs on the same host as strongSwan, and  the
	      DHCP  daemon does	not listen on the loopback interface.  In that
	      case  the	 server	 cannot	 be  reached  via  unicast  (or	  even
	      255.255.255.255)	as  that would be routed via loopback. Setting
	      this option to yes and configuring the local  broadcast  address
	      (e.g.  192.168.0.255) as server address might work.

       charon.plugins.dhcp.identity_lease [no]
	      Derive user-defined MAC address from hash	of IKE identity.

       charon.plugins.dhcp.interface []
	      Interface	 name  the plugin uses for address allocation. The de-
	      fault is to bind to any (0.0.0.0)	 and  let  the	system	decide
	      which way	to route the packets to	the DHCP server.

       charon.plugins.dhcp.server [255.255.255.255]
	      DHCP server unicast or broadcast IP address.

       charon.plugins.dnscert.enable [no]
	      Enable fetching of CERT RRs via DNS.

       charon.plugins.duplicheck.enable	[yes]
	      Enable duplicheck	plugin (if loaded).

       charon.plugins.duplicheck.socket	[unix://${piddir}/charon.dck]
	      Socket provided by the duplicheck	plugin.

       charon.plugins.eap-aka.request_identity [yes]

       charon.plugins.eap-aka-3ggp2.seq_check []

       charon.plugins.eap-dynamic.prefer_user [no]
	      If  enabled  the EAP methods proposed in an EAP-Nak message sent
	      by the peer are preferred	over the methods registered locally.

       charon.plugins.eap-dynamic.preferred []
	      The preferred EAP	method(s) to be	used.  If it is	not given  the
	      first registered method will be used initially.  If a comma sep-
	      arated list is given the methods are tried in  the  given	 order
	      before trying the	rest of	the registered methods.

       charon.plugins.eap-gtc.backend [pam]
	      XAuth backend to be used for credential verification.

       charon.plugins.eap-peap.fragment_size [1024]
	      Maximum size of an EAP-PEAP packet.

       charon.plugins.eap-peap.include_length [no]
	      Include length in	non-fragmented EAP-PEAP	packets.

       charon.plugins.eap-peap.max_message_count [32]
	      Maximum number of	processed EAP-PEAP packets (0 =	no limit).

       charon.plugins.eap-peap.phase2_method [mschapv2]
	      Phase2 EAP client	authentication method.

       charon.plugins.eap-peap.phase2_piggyback	[no]
	      Phase2  EAP Identity request piggybacked by server onto TLS Fin-
	      ished message.

       charon.plugins.eap-peap.phase2_tnc [no]
	      Start phase2 EAP TNC protocol after successful client  authenti-
	      cation.

       charon.plugins.eap-peap.request_peer_auth [no]
	      Request peer authentication based	on a client certificate.

       charon.plugins.eap-radius.accounting [no]
	      Send RADIUS accounting information to RADIUS servers.

       charon.plugins.eap-radius.accounting_close_on_timeout [yes]
	      Close the	IKE_SA if there	is a timeout during interim RADIUS ac-
	      counting updates.

       charon.plugins.eap-radius.accounting_interval [0]
	      Interval in seconds for interim RADIUS  accounting  updates,  if
	      not specified by the RADIUS server in the	Access-Accept message.

       charon.plugins.eap-radius.accounting_requires_vip [no]
	      If enabled, accounting is	disabled unless	an IKE_SA has at least
	      one virtual IP.  Only for	IKEv2,	for  IKEv1  a  virtual	IP  is
	      strictly necessary.

       charon.plugins.eap-radius.class_group [no]
	      Use  the	class  attribute  sent in the RADIUS-Accept message as
	      group membership information that	 is  compared  to  the	groups
	      specified	in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.close_all_on_timeout [no]
	      Closes all IKE_SAs if communication with the RADIUS server times
	      out. If it is not	set only the current IKE_SA is closed.

       charon.plugins.eap-radius.dae.enable [no]
	      Enables support for the  Dynamic	Authorization  Extension  (RFC
	      5176).

       charon.plugins.eap-radius.dae.listen [0.0.0.0]
	      Address to listen	for DAE	messages from the RADIUS server.

       charon.plugins.eap-radius.dae.port [3799]
	      Port to listen for DAE requests.

       charon.plugins.eap-radius.dae.secret []
	      Shared  secret  used  to	verify/sign DAE	messages. If set, make
	      sure to adjust the permissions of	the config file	accordingly.

       charon.plugins.eap-radius.eap_start [no]
	      Send EAP-Start instead of	EAP-Identity to	start RADIUS conversa-
	      tion.

       charon.plugins.eap-radius.filter_id [no]
	      If  the RADIUS tunnel_type attribute with	value ESP is received,
	      use the filter_id	attribute sent in the RADIUS-Accept message as
	      group  membership	 information  that  is	compared to the	groups
	      specified	in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.forward.ike_to_radius []
	      RADIUS attributes	to be forwarded	from IKEv2 to RADIUS  (can  be
	      defined  by  name	 or  attribute	number,	a colon	can be used to
	      specify vendor-specific attributes, e.g. Reply-Message,  or  11,
	      or 36906:12).

       charon.plugins.eap-radius.forward.radius_to_ike []
	      Same as charon.plugins.eap-radius.forward.ike_to_radius but from
	      RADIUS to	IKEv2, a strongSwan specific private notify (40969) is
	      used to transmit the attributes.

       charon.plugins.eap-radius.id_prefix []
	      Prefix to EAP-Identity; some AAA servers use an IMSI prefix to
	      select the EAP method.

       charon.plugins.eap-radius.nas_identifier	[strongSwan]
	      NAS-Identifier to	include	in RADIUS messages.

       charon.plugins.eap-radius.port [1812]
	      Port of RADIUS server (authentication).

       charon.plugins.eap-radius.retransmit_base [1.4]
	      Base to use for calculating exponential back off.

       charon.plugins.eap-radius.retransmit_timeout [2.0]
	      Timeout in seconds before	sending	first retransmit.

       charon.plugins.eap-radius.retransmit_tries [4]
	      Number of	times to retransmit a packet before giving up.

       charon.plugins.eap-radius.secret	[]
	      Shared secret between RADIUS and NAS. If set, make sure  to  ad-
	      just the permissions of the config file accordingly.

       charon.plugins.eap-radius.server	[]
	      IP/Hostname of RADIUS server.

       charon.plugins.eap-radius.servers
	      Section  to specify multiple RADIUS servers. The nas_identifier,
	      secret, sockets and port (or auth_port) options can be specified
	      for  each	server.	A server's IP/Hostname can be configured using
	      the address option.  The acct_port [1813]	option can be used  to
	      specify  the  port  used	for RADIUS accounting. For each	RADIUS
	      server a priority	can be specified using the preference [0]  op-
	      tion. The retransmission time for each server can be set using
	      retransmit_base, retransmit_timeout and retransmit_tries.

       charon.plugins.eap-radius.sockets [1]
	      Number of	sockets	(ports)	to use,	increase for high load.

       charon.plugins.eap-radius.xauth
	      Section to configure multiple XAuth  authentication  rounds  via
	      RADIUS. The subsections define so	called authentication profiles
	      with arbitrary names. In each profile section one	or more	 XAuth
	      types can	be configured, with an assigned	message. For each type
	      a	separate XAuth exchange	will be	initiated and all replies  get
	      concatenated  into  the User-Password attribute, which then gets
	      verified over RADIUS.

	      Available	XAuth types are	password, passcode, nextpin,  and  an-
	      swer.   This  type  is  not  relevant  to	 strongSwan or the AAA
	      server, but the client may show a	different dialog  (along  with
	      the configured message).

	      To  use  the  configured profiles, they have to be configured in
	      the respective connection in ipsec.conf(5) by appending the pro-
	      file name, separated by a colon, to the xauth-radius XAuth
	      backend configuration in rightauth or rightauth2,	for  instance,
	      rightauth2=xauth-radius:profile.

       charon.plugins.eap-sim.request_identity [yes]

       charon.plugins.eap-simaka-sql.database []

       charon.plugins.eap-simaka-sql.remove_used [no]

       charon.plugins.eap-tls.fragment_size [1024]
	      Maximum size of an EAP-TLS packet.

       charon.plugins.eap-tls.include_length [yes]
	      Include length in	non-fragmented EAP-TLS packets.

       charon.plugins.eap-tls.max_message_count	[32]
	      Maximum number of	processed EAP-TLS packets (0 = no limit).

       charon.plugins.eap-tnc.max_message_count	[10]
	      Maximum number of	processed EAP-TNC packets (0 = no limit).

       charon.plugins.eap-tnc.protocol [tnccs-2.0]
	      IF-TNCCS	protocol  version  to  be  used	(tnccs-1.1, tnccs-2.0,
	      tnccs-dynamic).

       charon.plugins.eap-ttls.fragment_size [1024]
	      Maximum size of an EAP-TTLS packet.

       charon.plugins.eap-ttls.include_length [yes]
	      Include length in	non-fragmented EAP-TTLS	packets.

       charon.plugins.eap-ttls.max_message_count [32]
	      Maximum number of	processed EAP-TTLS packets (0 =	no limit).

       charon.plugins.eap-ttls.phase2_method [md5]
	      Phase2 EAP client	authentication method.

       charon.plugins.eap-ttls.phase2_piggyback	[no]
	      Phase2 EAP Identity request piggybacked by server	onto TLS  Fin-
	      ished message.

       charon.plugins.eap-ttls.phase2_tnc [no]
	      Start  phase2 EAP	TNC protocol after successful client authenti-
	      cation.

       charon.plugins.eap-ttls.phase2_tnc_method [pt]
	      Phase2 EAP TNC transport protocol	(pt as IETF standard or	legacy
	      tnc).

       charon.plugins.eap-ttls.request_peer_auth [no]
	      Request peer authentication based	on a client certificate.

       charon.plugins.error-notify.socket [unix://${piddir}/charon.enfy]
	      Socket provided by the error-notify plugin.

       charon.plugins.ext-auth.script []
	      Command  to pass to the system shell for peer authorization. Au-
	      thorization is considered	successful  if	the  command  executes
	      normally	with  an  exit	code of	zero. For all other exit codes
	      IKE_SA authorization is rejected.

	      The following environment	variables get passed  to  the  script:
	      IKE_UNIQUE_ID:   The   IKE_SA   numerical	  unique   identifier.
	      IKE_NAME:	 The  peer  configuration  connection  name.   IKE_LO-
	      CAL_HOST:	 Local IKE IP address.	IKE_REMOTE_HOST: Remote	IKE IP
	      address.	IKE_LOCAL_ID: Local IKE	identity.  IKE_REMOTE_ID:  Re-
	      mote IKE identity.  IKE_REMOTE_EAP_ID: Remote EAP	or XAuth iden-
	      tity, if used.
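	      An added example of such a script (not part of strongSwan) that
	      allow-lists remote identities per connection name using the vari-
	      ables listed above, prefers the EAP/XAuth identity over the IKE
	      identity when one is present, and fails closed. The policy, the
	      identity values and the install path are assumed; it would be
	      wired in with charon.plugins.ext-auth.script set to the path of
	      this file (e.g. /usr/local/libexec/ext-auth.py, an assumed path).

```python
import fnmatch
import os
import sys

# Constructed policy: connection name (IKE_NAME) -> shell-style identity
# patterns allowed on that connection. Patterns are matched case-insensitively
# against IKE_REMOTE_EAP_ID when present, otherwise against IKE_REMOTE_ID.
POLICY = {
    "rw-eap": ["*@example.org", "carol@partner.example"],
    "site-to-site": ["C=CH, O=Example, CN=gw*.example.org"],
}


def authorize(env, policy=POLICY):
    """Return the exit code for charon: 0 authorizes the IKE_SA, 1 rejects it.

    `env` is the environment the ext-auth plugin passes to the script."""
    conn = env.get("IKE_NAME", "")
    remote = env.get("IKE_REMOTE_EAP_ID") or env.get("IKE_REMOTE_ID", "")
    patterns = policy.get(conn, [])   # unknown connection -> empty allow-list
    if not remote:                    # fail closed: no identity, no access
        return 1
    if any(fnmatch.fnmatchcase(remote.lower(), p.lower()) for p in patterns):
        return 0
    return 1


def describe(env, code):
    """One log line per decision; IKE_UNIQUE_ID correlates it with charon's log."""
    return "ext-auth ike=%s conn=%s local=%s remote=%s id=%s eap_id=%s -> %s" % (
        env.get("IKE_UNIQUE_ID", "?"), env.get("IKE_NAME", "?"),
        env.get("IKE_LOCAL_HOST", "?"), env.get("IKE_REMOTE_HOST", "?"),
        env.get("IKE_REMOTE_ID", "?"), env.get("IKE_REMOTE_EAP_ID", "-"),
        "allow" if code == 0 else "reject")


if __name__ == "__main__":
    rc = authorize(os.environ)
    print(describe(os.environ, rc), file=sys.stderr)  # ends up in the daemon's log
    sys.exit(rc)
```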

       charon.plugins.forecast.groups
       [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]
	      Comma  separated	list  of multicast groups to join locally. The
	      local host receives and forwards packets in the  local  LAN  for
	      joined multicast groups only.  Packets matching the list of mul-
	      ticast groups get	forwarded to connected	clients.  The  default
	      group   includes	 host	multicasts,   IGMP,  mDNS,  LLMNR  and
	      SSDP/WS-Discovery, and is	usually	 a  good  choice  for  Windows
	      clients.

       charon.plugins.forecast.interface []
	      Name of the local	interface to listen for	broadcasts messages to
	      forward. If no interface is configured, the first	usable	inter-
	      face is used, which is usually just fine for single-homed	hosts.
	      If your host has multiple	interfaces, set	this option to the lo-
	      cal LAN interface	you want to forward broadcasts from/to.

       charon.plugins.forecast.reinject	[]
	      Comma  separated	list of	CHILD_SA configuration names for which
	      to perform multi/broadcast reinjection. For  clients  connecting
	      over such	a configuration, any multi/broadcast received over the
	      tunnel gets reinjected to	all active  tunnels.  This  makes  the
	      broadcasts visible to other peers, and for example allows
	      clients to see each other's shares. If disabled, multi/broadcast
	      messages received over a tunnel are injected to the local network
	      only, but not to other IPsec clients.

       charon.plugins.gcrypt.quick_random [no]
	      Use faster random	numbers	in gcrypt; for testing only,  produces
	      weak keys!

       charon.plugins.ha.autobalance [0]
	      Interval	in  seconds  to	automatically balance handled segments
	      between nodes. Set to 0 to disable.

       charon.plugins.ha.fifo_interface	[yes]

       charon.plugins.ha.heartbeat_delay [1000]

       charon.plugins.ha.heartbeat_timeout [2100]

       charon.plugins.ha.local []

       charon.plugins.ha.monitor [yes]

       charon.plugins.ha.pools []

       charon.plugins.ha.remote	[]

       charon.plugins.ha.resync	[yes]

       charon.plugins.ha.secret	[]

       charon.plugins.ha.segment_count [1]

       charon.plugins.ipseckey.enable [no]
	      Enable fetching of IPSECKEY RRs via DNS.

       charon.plugins.kernel-libipsec.allow_peer_ts [no]
	      Allow the	remote traffic selector	to equal the IKE peer address.
	      The route installed for such traffic (via the TUN device) usually
	      prevents further IKE traffic to that peer. The fwmark options of
	      the kernel-netlink and socket-default plugins can be used to cir-
	      cumvent that problem.

       charon.plugins.kernel-netlink.buflen [<min(PAGE_SIZE, 8192)>]
	      Buffer size for received Netlink messages.

       charon.plugins.kernel-netlink.force_receive_buffer_size [no]
	      If the maximum Netlink socket receive buffer in bytes set	by re-
	      ceive_buffer_size	  exceeds   the	  system-wide	maximum	  from
	      /proc/sys/net/core/rmem_max, this	option can be used to override
	      the  limit.  Enabling  this  option  requires  special privileges
	      (CAP_NET_ADMIN).

       charon.plugins.kernel-netlink.fwmark []
	      Firewall mark to set on the routing rule that directs traffic to
	      our  routing  table. The format is [!]mark[/mask], where the op-
	      tional exclamation mark inverts the meaning (i.e.	the rule  only
	      applies to packets that don't match the mark).
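	      The [!]mark[/mask] matching described above, as an added example
	      that is not part of this manual or of strongSwan:	a small	Python
	      parser plus the policy-routing match test, used to check the com-
	      bination suggested under charon.plugins.kernel-libipsec.allow_peer_ts
	      (mark IKE	packets	with charon.plugins.socket-default.fwmark and ex-
	      clude that mark from the routing rule with charon.plugins.kernel-
	      netlink.fwmark). The mark	values,	the constructed	scenario and the
	      assumption that the rule compares	(packet_mark & mask) == (mark &
	      mask) are	the example's own; socket-default.fwmark is treated as a
	      plain mark value.

```python
"""Firewall-mark matching for the [!]mark[/mask] form used by the
kernel-netlink and socket-default fwmark options.

Added example, not strongSwan code. parse_fwmark() accepts the documented
syntax (decimal or 0x hex, mask defaulting to all 32 bits set, leading '!'
to invert) and rule_matches() applies the policy-routing test assumed here:
a rule with mark M and mask K matches a packet whose mark P satisfies
(P & K) == (M & K), inverted when '!' is given.
"""
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def parse_fwmark(spec: str) -> Optional[Tuple[bool, int, int]]:
    """Parse '[!]mark[/mask]'. Returns (invert, mark, mask), or None for
    an empty spec (no mark filter on the rule at all)."""
    spec = spec.strip()
    if not spec:
        return None
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:]
    mark_s, _, mask_s = spec.partition("/")
    mark = int(mark_s, 0)          # '42' or '0x2a'
    mask = int(mask_s, 0) if mask_s else ALL_ONES
    if not 0 <= mark <= ALL_ONES or not 0 <= mask <= ALL_ONES:
        raise ValueError(f"fwmark out of 32-bit range: {spec!r}")
    return invert, mark, mask


def rule_matches(packet_mark: int, spec: str) -> bool:
    """Does a routing rule configured with `spec` apply to a packet
    carrying `packet_mark`?"""
    parsed = parse_fwmark(spec)
    if parsed is None:
        return True                # rule without a mark filter: always applies
    invert, mark, mask = parsed
    hit = (packet_mark & mask) == (mark & mask)
    return not hit if invert else hit


def ike_bypasses_ipsec_table(socket_fwmark: str, netlink_fwmark: str) -> bool:
    """True if IKE packets marked via socket-default.fwmark are NOT
    matched by the kernel-netlink.fwmark routing rule, i.e. they are not
    routed through charon's routing table."""
    parsed = parse_fwmark(socket_fwmark)
    ike_mark = parsed[1] if parsed else 0     # unmarked packets carry mark 0
    return not rule_matches(ike_mark, netlink_fwmark)


if __name__ == "__main__":
    # Constructed scenario: mark IKE with 42 and send everything *except*
    # mark 42 through charon's routing table.
    print("IKE bypasses table with !42:", ike_bypasses_ipsec_table("42", "!42"))
    print("IKE bypasses table with no rule mark:", ike_bypasses_ipsec_table("42", ""))
    print("masked match 0x12a vs 0x2a/0xff:", rule_matches(0x12A, "0x2a/0xff"))
```

	      Without the inverted mark	on the kernel-netlink rule,  IKE  pack-
	      ets carry	the socket mark	but are	still pulled into the IPsec rout-
	      ing table, which is exactly the failure mode allow_peer_ts warns
	      about.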

       charon.plugins.kernel-netlink.ignore_retransmit_errors [no]
	      Whether  to  ignore errors potentially resulting from a retrans-
	      mission.

       charon.plugins.kernel-netlink.mss [0]
	      MSS to set on installed routes, 0	to disable.

       charon.plugins.kernel-netlink.mtu [0]
	      MTU to set on installed routes, 0	to disable.

       charon.plugins.kernel-netlink.parallel_route [no]
	      Whether to perform concurrent Netlink ROUTE queries on a	single
	      socket.  While  parallel	queries	can improve throughput,	it has
	      more overhead. On	vanilla	Linux, DUMP queries  fail  with	 EBUSY
	      and must be retried, further decreasing performance.

       charon.plugins.kernel-netlink.parallel_xfrm [no]
	      Whether  to  perform concurrent Netlink XFRM queries on a	single
	      socket.

       charon.plugins.kernel-netlink.policy_update [no]
	      Whether to always	use XFRM_MSG_UPDPOLICY to install policies.

       charon.plugins.kernel-netlink.port_bypass [no]
	      Whether to use port or socket based IKE  XFRM  bypass  policies.
	      IKE  bypass  policies  are  used to exempt IKE traffic from XFRM
	      processing. The default socket based policies are	directly  tied
	      to  the IKE UDP sockets, port based policies use global XFRM by-
	      pass policies for	the used IKE UDP ports.

       charon.plugins.kernel-netlink.receive_buffer_size [0]
	      Maximum Netlink socket receive buffer in bytes. This value  con-
	      trols  how  many	bytes of Netlink messages can be received on a
	      Netlink	 socket.    The	   default    value    is    set    by
	      /proc/sys/net/core/rmem_default.	The specified value cannot ex-
	      ceed the system-wide maximum  from  /proc/sys/net/core/rmem_max,
	      unless force_receive_buffer_size is enabled.

       charon.plugins.kernel-netlink.retries [0]
	      Number of	Netlink	message	retransmissions	to send	on timeout.

       charon.plugins.kernel-netlink.roam_events [yes]
	      Whether  to  trigger  roam  events when interfaces, addresses or
	      routes change.

       charon.plugins.kernel-netlink.set_proto_port_transport_sa [no]
	      Whether to set protocol and ports	in the selector	 installed  on
	      transport	 mode IPsec SAs	in the kernel. While doing so enforces
	      policies for inbound traffic, it also prevents the use of	a sin-
	      gle IPsec	SA by more than	one traffic selector.

       charon.plugins.kernel-netlink.spdh_thresh
	      XFRM policy hashing threshold configuration for IPv4 and IPv6.

	      The  section defines hashing thresholds to configure in the ker-
	      nel during daemon	startup. Each address family takes a threshold
	      for  the	local  subnet of an IPsec policy (src in out-policies,
	      dst in in- and forward-policies) and the remote subnet  (dst  in
	      out-policies, src	in in- and forward-policies).

	      If a subnet has at least as many prefix bits  as	the  threshold,
	      the first	threshold bits are used	to calculate a hash to look  up
	      the policy.

	      Policy  hashing  thresholds  are not supported before Linux 3.18
	      and might	conflict with socket policies before Linux 4.8.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits [32]
	      Local subnet XFRM	policy hashing threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits [32]
	      Remote subnet XFRM policy	hashing	threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits [128]
	      Local subnet XFRM	policy hashing threshold for IPv6.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits [128]
	      Remote subnet XFRM policy	hashing	threshold for IPv6.
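	      To see which policies a given spdh_thresh	setting	actually hashes,
	      the following added Python example (not strongSwan or kernel code)
	      models the rule above: a policy is hashed	only when its local sub-
	      net has at least lbits prefix bits and its remote	subnet at least
	      rbits, and the first lbits/rbits of each address then form the key;
	      policies with shorter prefixes stay in the kernel's unhashed list
	      and are found by a linear	scan. The road-warrior scenario	(one /16
	      behind the gateway, one /32 per client) is constructed for the ex-
	      ample. Keep the kernel version caveat above in mind before enabling
	      non-default thresholds.

```python
"""Which XFRM policies get hashed under a given spdh_thresh configuration.

Added example, not strongSwan or kernel code. A policy is hashed only if its
local subnet has at least `lbits` prefix bits AND its remote subnet has at
least `rbits`; the hash key is then the first lbits/rbits of each address.
Policies that fail either test are left in the unhashed list and matched by
a linear scan. Sample policies are constructed here.
"""
import ipaddress
from collections import Counter

# Defaults from strongswan.conf: only host (/32, /128) subnets are hashed.
DEFAULT_THRESH = {4: (32, 32), 6: (128, 128)}


def hash_prefix(net, bits):
    """First `bits` bits of net, or None if net is too short to be hashed."""
    if net.prefixlen < bits:
        return None
    return net.supernet(new_prefix=bits)


def policy_bucket(local, remote, thresh=DEFAULT_THRESH):
    """Return the (local_key, remote_key) hash key for a policy with the
    given local and remote subnets, or None if it ends up unhashed."""
    local = ipaddress.ip_network(local, strict=False)
    remote = ipaddress.ip_network(remote, strict=False)
    if local.version != remote.version:
        raise ValueError("address families of a policy must match")
    lbits, rbits = thresh[local.version]
    lkey, rkey = hash_prefix(local, lbits), hash_prefix(remote, rbits)
    if lkey is None or rkey is None:
        return None
    return (str(lkey), str(rkey))


def hashing_report(policies, thresh=DEFAULT_THRESH):
    """Count how many (local, remote) policies are hashed vs. scanned
    linearly, and how many distinct hash keys they occupy."""
    buckets = Counter()
    linear = 0
    for local, remote in policies:
        key = policy_bucket(local, remote, thresh)
        if key is None:
            linear += 1
        else:
            buckets[key] += 1
    return {"hashed": sum(buckets.values()), "linear": linear,
            "buckets": len(buckets)}


def render_conf(thresh):
    """Render the thresholds as a strongswan.conf fragment (one key = value
    per line, as the file format requires)."""
    (l4, r4), (l6, r6) = thresh[4], thresh[6]
    return ("charon {\n  plugins {\n    kernel-netlink {\n      spdh_thresh {\n"
            f"        ipv4 {{\n          lbits = {l4}\n          rbits = {r4}\n        }}\n"
            f"        ipv6 {{\n          lbits = {l6}\n          rbits = {r6}\n        }}\n"
            "      }\n    }\n  }\n}\n")


if __name__ == "__main__":
    # Constructed road-warrior scenario: one /16 behind the gateway and a
    # /32 per connected client. With the defaults every policy is scanned
    # linearly because the /16 is shorter than lbits = 32.
    policies = [("10.0.0.0/16", f"192.0.2.{i}/32") for i in range(1, 11)]
    print("default thresholds:", hashing_report(policies))
    tuned = {4: (16, 32), 6: (128, 128)}
    print("ipv4.lbits = 16:  ", hashing_report(policies, tuned))
    print(render_conf(tuned))
```

	      Lowering rbits below the client prefix length merges clients into
	      shared keys (every /32 in	192.0.2.0/24 lands in one key at  rbits
	      = 24), so	pick the thresholds from the prefix lengths your  poli-
	      cies really use.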

       charon.plugins.kernel-netlink.timeout [0]
	      Netlink message retransmission timeout, 0	to disable retransmis-
	      sions.

       charon.plugins.kernel-netlink.xfrm_acq_expires [165]
	      Lifetime	of XFRM	acquire	state created by the kernel when traf-
	      fic  matches  a  trap  policy.  The  value   gets	  written   to
	      /proc/sys/net/core/xfrm_acq_expires.   Indirectly	 controls  the
	      delay between XFRM acquire messages triggered by the kernel  for
	      a	 trap policy. The same value is	used as	timeout	for SPIs allo-
	      cated by the kernel. The default value equals the	default	 total
	      retransmission  timeout  for IKE messages, see IKEv2 RETRANSMIS-
	      SION in strongswan.conf(5).

       charon.plugins.kernel-pfkey.events_buffer_size [0]
	      Size of the receive buffer for the event socket (0  for  default
	      size).  Because  events  are  received asynchronously installing
	      e.g. lots	of policies may	require	a larger buffer	than  the  de-
	      fault on certain platforms in order to receive all messages.

       charon.plugins.kernel-pfroute.vip_wait [1000]
	      Time  in	ms to wait until virtual IP addresses appear/disappear
	      before failing.

       charon.plugins.led.activity_led []

       charon.plugins.led.blink_time [50]

       charon.plugins.load-tester
	      Section to configure the load-tester plugin, see LOAD  TESTS  in
	      strongswan.conf(5) for details.

       charon.plugins.load-tester.addrs
	      Section  that  contains  key/value  pairs	with address pools (in
	      CIDR notation) to	use for	a specific network interface e.g. eth0
	      =	10.10.0.0/16.

       charon.plugins.load-tester.addrs_keep [no]
	      Whether  to  keep	dynamic	addresses even after the associated SA
	      got terminated.

       charon.plugins.load-tester.addrs_prefix [16]
	      Network prefix length to use when	installing dynamic  addresses.
	      If set to	-1 the full address is used (i.e. 32 or	128).

       charon.plugins.load-tester.ca_dir []
	      Directory	to load	(intermediate) CA certificates from.

       charon.plugins.load-tester.child_rekey [600]
	      Seconds to start CHILD_SA	rekeying after setup.

       charon.plugins.load-tester.crl []
	      URI  to  a  CRL  to include as certificate distribution point in
	      generated	certificates.

       charon.plugins.load-tester.delay	[0]
	      Delay between initiations	for each thread.

       charon.plugins.load-tester.delete_after_established [no]
	      Delete an	IKE_SA as soon as it has been established.

       charon.plugins.load-tester.digest [sha1]
	      Digest algorithm used when issuing certificates.

       charon.plugins.load-tester.dpd_delay [0]
	      DPD delay	to use in load test.

       charon.plugins.load-tester.dynamic_port [0]
	      Base port	to be used for requests	(each client uses a  different
	      port).

       charon.plugins.load-tester.eap_password [default-pwd]
	      EAP secret to use	in load	test.

       charon.plugins.load-tester.enable [no]
	      Enable the load testing plugin.  WARNING:	Never enable this plug-
	      in on production systems.	It provides preconfigured  credentials
	      and allows an attacker to	authenticate as	any user.

       charon.plugins.load-tester.esp [aes128-sha1]
	      CHILD_SA proposal	to use for load	tests.

       charon.plugins.load-tester.fake_kernel [no]
	      Fake the kernel interface	to allow load-testing against self.

       charon.plugins.load-tester.ike_rekey [0]
	      Seconds to start IKE_SA rekeying after setup.

       charon.plugins.load-tester.init_limit [0]
	      Global limit of concurrently established SAs during load test.

       charon.plugins.load-tester.initiator [0.0.0.0]
	      Address to initiate from.

       charon.plugins.load-tester.initiator_auth [pubkey]
	      Authentication method(s) the initiator uses.

       charon.plugins.load-tester.initiator_id []
	      Initiator	ID used	in load	test.

       charon.plugins.load-tester.initiator_match []
	      Initiator	ID to match against as responder.

       charon.plugins.load-tester.initiator_tsi	[]
	      Traffic selector on initiator side, as proposed by initiator.

       charon.plugins.load-tester.initiator_tsr	[]
	      Traffic selector on responder side, as proposed by initiator.

       charon.plugins.load-tester.initiators [0]
	      Number of	concurrent initiator threads to	use in load test.

       charon.plugins.load-tester.issuer_cert []
	      Path  to	the issuer certificate (if not configured a hard-coded
	      default value is used).

       charon.plugins.load-tester.issuer_key []
	      Path to private key that is used to issue	certificates  (if  not
	      configured a hard-coded default value is used).

       charon.plugins.load-tester.iterations [1]
	      Number of	IKE_SAs	to initiate by each initiator in load test.

       charon.plugins.load-tester.mode [tunnel]
	      IPsec mode to use, one of	tunnel,	transport, or beet.

       charon.plugins.load-tester.pool []
	      Provide INTERNAL_IPV4_ADDRs from a named pool.

       charon.plugins.load-tester.preshared_key	[<default-psk>]
	      Preshared	key to use in load test.

       charon.plugins.load-tester.proposal [aes128-sha1-modp768]
	      IKE proposal to use in load test.

       charon.plugins.load-tester.request_virtual_ip [no]
	      Request an INTERNAL_IPV4_ADDR from the server.

       charon.plugins.load-tester.responder [127.0.0.1]
	      Address to initiate connections to.

       charon.plugins.load-tester.responder_auth [pubkey]
	      Authentication method(s) the responder uses.

       charon.plugins.load-tester.responder_id []
	      Responder	ID used	in load	test.

       charon.plugins.load-tester.responder_tsi	[initiator_tsi]
	      Traffic selector on initiator side, as narrowed by responder.

       charon.plugins.load-tester.responder_tsr	[initiator_tsr]
	      Traffic selector on responder side, as narrowed by responder.

       charon.plugins.load-tester.shutdown_when_complete [no]
	      Shutdown the daemon after	all IKE_SAs have been established.

       charon.plugins.load-tester.socket [unix://${piddir}/charon.ldt]
	      Socket provided by the load-tester plugin.

       charon.plugins.load-tester.version [0]
	      IKE  version  to	use (0 means use IKEv2 as initiator and	accept
	      any version as responder).

       charon.plugins.lookip.socket [unix://${piddir}/charon.lkp]
	      Socket provided by the lookip plugin.

       charon.plugins.ntru.max_drbg_requests [4294967294]
	      Number of	pseudo-random bit requests from	the DRBG before	an au-
	      tomatic reseeding	occurs.

       charon.plugins.ntru.parameter_set [optimum]
	      The   following	parameter  sets	 are  available:  x9_98_speed,
	      x9_98_bandwidth, x9_98_balance and optimum, the last set not be-
	      ing part of the X9.98 standard but having	the best performance.

       charon.plugins.openssl.engine_id	[pkcs11]
	      ENGINE ID	to use in the OpenSSL plugin.

       charon.plugins.openssl.fips_mode	[0]
	      Set  OpenSSL  FIPS  mode:	 disabled(0),  enabled(1), Suite B en-
	      abled(2).

       charon.plugins.osx-attr.append [yes]
	      Whether DNS servers are appended to existing entries, instead of
	      replacing	them.

       charon.plugins.p-cscf.enable
	      Section  to  enable requesting P-CSCF server addresses for indi-
	      vidual connections.

       charon.plugins.p-cscf.enable.<conn> [no]
	      <conn> is	the name of a connection with an ePDG  from  which  to
	      request  P-CSCF server addresses.	 Requests will be sent for ad-
	      dresses of the same families for	which  internal	 IPs  are  re-
	      quested.

       charon.plugins.pkcs11.modules
	      List of available	PKCS#11	modules.

       charon.plugins.pkcs11.modules.<name>.load_certs [yes]
	      Whether to automatically load certificates from tokens.

       charon.plugins.pkcs11.modules.<name>.os_locking [no]
	      Whether OS locking should	be enabled for this module.

       charon.plugins.pkcs11.modules.<name>.path []
	      Full path	to the shared object file of this PKCS#11 module.

       charon.plugins.pkcs11.reload_certs [no]
	      Reload certificates from all tokens if charon receives a SIGHUP.

       charon.plugins.pkcs11.use_dh [no]
	      Whether  the PKCS#11 modules should be used for DH and ECDH (see
	      use_ecc option).

       charon.plugins.pkcs11.use_ecc [no]
	      Whether the PKCS#11 modules should be used for  ECDH  and	 ECDSA
	      public key operations. ECDSA private keys	can be used regardless
	      of this option.

       charon.plugins.pkcs11.use_hasher	[no]
	      Whether the PKCS#11 modules should be used to hash data.

       charon.plugins.pkcs11.use_pubkey	[no]
	      Whether the PKCS#11 modules should be used for public key	opera-
	      tions, even for keys not stored on tokens.

       charon.plugins.pkcs11.use_rng [no]
	      Whether the PKCS#11 modules should be used as RNG.

       charon.plugins.radattr.dir []
	      Directory	 where	RADIUS attributes are stored in	client-ID spe-
	      cific files.

       charon.plugins.radattr.message_id [-1]
	      Attributes are added to all IKE_AUTH messages by	default	 (-1),
	      or only to the IKE_AUTH message with the given IKEv2 message ID.

       charon.plugins.random.random [${random_device}]
	      File to read random bytes	from.

       charon.plugins.random.strong_equals_true	[no]
	      If  set  to yes the RNG_STRONG class reads random	bytes from the
	      same source as the RNG_TRUE class.

       charon.plugins.random.urandom [${urandom_device}]
	      File to read pseudo random bytes from.

       charon.plugins.resolve.file [/etc/resolv.conf]
	      File where to add	DNS server entries.

       charon.plugins.resolve.resolvconf.iface_prefix [lo.inet.ipsec.]
	      Prefix used for interface	 names	sent  to  resolvconf(8).   The
	      nameserver address is appended to	this prefix to make it unique.
	      The result has to	be a valid interface  name  according  to  the
	      rules defined by resolvconf.  Also, it should have a high	prior-
	      ity according to the order defined in interface-order(5).

       charon.plugins.revocation.enable_crl [yes]
	      Whether CRL validation should be enabled.

       charon.plugins.revocation.enable_ocsp [yes]
	      Whether OCSP validation should be	enabled.

       charon.plugins.socket-default.fwmark []
	      Firewall mark to set on outbound packets.

       charon.plugins.socket-default.set_source	[yes]
	      Set source address on outbound packets, if possible.

       charon.plugins.socket-default.use_ipv4 [yes]
	      Listen on	IPv4, if possible.

       charon.plugins.socket-default.use_ipv6 [yes]
	      Listen on	IPv6, if possible.

       charon.plugins.sql.database []
	      Database URI for charon's	SQL plugin. If it contains a password,
	      make  sure  to adjust the	permissions of the config file accord-
	      ingly.

       charon.plugins.sql.loglevel [-1]
	      Loglevel for logging to SQL database.

       charon.plugins.stroke.allow_swap	[yes]
	      Analyze addresses/hostnames in left|right	to detect  which  side
	      is  local	 and  swap configuration options if necessary. If dis-
	      abled left is always local.

       charon.plugins.stroke.ignore_missing_ca_basic_constraint	[no]
	      Treat certificates in ipsec.d/cacerts and	ipsec.conf ca sections
	      as  CA  certificates  even if they don't contain a CA basic con-
	      straint.

       charon.plugins.stroke.max_concurrent [4]
	      Maximum number of	stroke messages	handled	concurrently.

       charon.plugins.stroke.prevent_loglevel_changes [no]
	      If enabled log level changes via stroke socket are not allowed.

       charon.plugins.stroke.secrets_file [${sysconfdir}/ipsec.secrets]
	      Location of the ipsec.secrets file.

       charon.plugins.stroke.socket [unix://${piddir}/charon.ctl]
	      Socket provided by the stroke plugin.

       charon.plugins.stroke.timeout [0]
	      Timeout in ms for	any stroke command. Use	0 to disable the time-
	      out.

       charon.plugins.systime-fix.interval [0]
	      Interval	in  seconds  to	check system time for validity.	0 dis-
	      ables the	check.

       charon.plugins.systime-fix.reauth [no]
	      Whether to use reauth or delete if an invalid cert  lifetime  is
	      detected.

       charon.plugins.systime-fix.threshold []
	      Threshold	 date  where system time is considered valid. Disabled
	      if not specified.

       charon.plugins.systime-fix.threshold_format [%Y]
	      strptime(3) format used to parse threshold option.

       charon.plugins.tnc-ifmap.client_cert []
	      Path to X.509 certificate	file of	IF-MAP client.

       charon.plugins.tnc-ifmap.client_key []
	      Path to private key file of IF-MAP client.

       charon.plugins.tnc-ifmap.device_name []
	      Unique name of strongSwan	server as a PEP	and/or PDP device.

       charon.plugins.tnc-ifmap.renew_session_interval [150]
	      Interval in seconds between  periodic  IF-MAP  RenewSession  re-
	      quests.

       charon.plugins.tnc-ifmap.server_cert []
	      Path to X.509 certificate	file of	IF-MAP server.

       charon.plugins.tnc-ifmap.server_uri [https://localhost:8444/imap]
	      URI of the form [https://]servername[:port][/path].

       charon.plugins.tnc-ifmap.username_password []
	      Credentials  of  IF-MAP client of	the form username:password. If
	      set, make	sure to	adjust the permissions of the config file  ac-
	      cordingly.

       charon.plugins.tnc-imc.dlclose [yes]
	      Unload IMC after use.

       charon.plugins.tnc-imc.preferred_language [en]
	      Preferred	language for TNC recommendations.

       charon.plugins.tnc-imv.dlclose [yes]
	      Unload IMV after use.

       charon.plugins.tnc-imv.recommendation_policy [default]
	      TNC recommendation policy, one of	default, any, or all.

       charon.plugins.tnc-pdp.pt_tls.enable [yes]
	      Enable PT-TLS protocol on	the strongSwan PDP.

       charon.plugins.tnc-pdp.pt_tls.port [271]
	      PT-TLS server port the strongSwan	PDP is listening on.

       charon.plugins.tnc-pdp.radius.enable [yes]
	      Enable RADIUS protocol on	the strongSwan PDP.

       charon.plugins.tnc-pdp.radius.method [ttls]
	      EAP tunnel method	to be used.

       charon.plugins.tnc-pdp.radius.port [1812]
	      RADIUS server port the strongSwan	PDP is listening on.

       charon.plugins.tnc-pdp.radius.secret []
	      Shared  RADIUS  secret  between  strongSwan PDP and NAS. If set,
	      make sure	to adjust the permissions of the config	 file  accord-
	      ingly.

       charon.plugins.tnc-pdp.server []
	      Name of the strongSwan PDP as contained in the AAA certificate.

       charon.plugins.tnc-pdp.timeout []
	      Timeout in seconds before	closing	incomplete connections.

       charon.plugins.tnccs-11.max_message_size	[45000]
	      Maximum size of a	PA-TNC message (XML & Base64 encoding).

       charon.plugins.tnccs-20.max_batch_size [65522]
	      Maximum size of a	PB-TNC batch (upper limit via PT-EAP = 65529).

       charon.plugins.tnccs-20.max_message_size	[65490]
	      Maximum  size  of	 a  PA-TNC  message  (upper limit via PT-EAP =
	      65497).

       charon.plugins.tnccs-20.mutual [no]
	      Enable PB-TNC mutual protocol.

       charon.plugins.tnccs-20.tests.pb_tnc_noskip [no]
	      Send an unsupported PB-TNC message type  with  the  NOSKIP  flag
	      set.

       charon.plugins.tnccs-20.tests.pb_tnc_version [2]
	      Send a PB-TNC batch with a modified PB-TNC version.

       charon.plugins.tpm.use_rng [no]
	      Whether the TPM should be	used as	RNG.

       charon.plugins.unbound.dlv_anchors []
	      File  to read trusted keys for DLV (DNSSEC Lookaside Validation)
	      from. It uses the	same format as trust_anchors.	Only  one  DLV
	      can  be  configured,  which  is then used	as a root trusted DLV,
	      this means that it is a lookaside	for the	root.

       charon.plugins.unbound.resolv_conf [/etc/resolv.conf]
	      File to read DNS resolver	configuration from.

       charon.plugins.unbound.trust_anchors [/etc/ipsec.d/dnssec.keys]
	      File to read DNSSEC trust	anchors	from (usually root zone	 KSK).
	      The format of the	file is	the standard DNS Zone file format, an-
	      chors can	be stored as DS	or DNSKEY entries in the file.

       charon.plugins.updown.dns_handler [no]
	      Whether the updown script	should handle DNS servers assigned via
	      IKEv1  Mode  Config  or  IKEv2  Config Payloads (if enabled they
	      can't be handled by other	plugins, like resolve).

       charon.plugins.vici.socket [unix://${piddir}/charon.vici]
	      Socket the vici plugin serves clients.

       charon.plugins.whitelist.enable [yes]
	      Enable loaded whitelist plugin.

       charon.plugins.whitelist.socket [unix://${piddir}/charon.wlst]
	      Socket provided by the whitelist plugin.

       charon.plugins.xauth-eap.backend	[radius]
	      EAP plugin to be used as backend for XAuth credential  verifica-
	      tion.

       charon.plugins.xauth-pam.pam_service [login]
	      PAM service to be	used for authentication.

       charon.plugins.xauth-pam.session	[no]
	      Open/close a PAM session for each	active IKE_SA.

       charon.plugins.xauth-pam.trim_email [yes]
	      If an email address is received as an XAuth username, trim it to
	      just the username	part.

       charon.port [500]
	      UDP port used locally. If	set to 0 a random port will  be	 allo-
	      cated.

       charon.port_nat_t [4500]
	      UDP  port	 used  locally	in case	of NAT-T. If set to 0 a	random
	      port will	be allocated.  Has to be different  from  charon.port,
	      otherwise	a random port will be allocated.

       charon.prefer_best_path [no]
	      By  default, charon keeps	SAs on the routing path	with addresses
	      it previously used if that path is still usable. By setting this
	      option to	yes, it	tries more aggressively	to update SAs with MO-
	      BIKE on routing priority changes using the cheapest  path.  This
	      adds  more noise,	but allows to dynamically adapt	SAs to routing
	      priority changes.	This option has	no effect  if  MOBIKE  is  not
	      supported	or disabled.

       charon.prefer_configured_proposals [yes]
	      Prefer  locally configured proposals for IKE/IPsec over supplied
	      ones as responder	(disabling this	can avoid keying  retries  due
	      to INVALID_KE_PAYLOAD notifies).

       charon.prefer_temporary_addrs [no]
	      By  default  public  IPv6	addresses are preferred	over temporary
	      ones (RFC	4941), to make connections more	 stable.  Enable  this
	      option to	reverse	this.

       charon.process_route [yes]
	      Process RTM_NEWROUTE and RTM_DELROUTE events.

       charon.processor.priority_threads
	      Section to configure the number of reserved threads per priority
	      class, see JOB PRIORITY MANAGEMENT in strongswan.conf(5).

       charon.receive_delay [0]
	      Delay in ms for receiving	packets, to simulate larger RTT.

       charon.receive_delay_request [yes]
	      Delay request messages.

       charon.receive_delay_response [yes]
	      Delay response messages.

       charon.receive_delay_type [0]
	      Specific IKEv2 message type to delay, 0 for any.

       charon.replay_window [32]
	      Size of the AH/ESP replay	window,	in packets.

       charon.retransmit_base [1.8]
	      Base to use for calculating exponential back off,	see IKEv2  RE-
	      TRANSMISSION in strongswan.conf(5).

       charon.retransmit_timeout [4.0]
	      Timeout in seconds before	sending	first retransmit.

       charon.retransmit_tries [5]
	      Number of	times to retransmit a packet before giving up.
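	      The back-off these three options define, worked through as an ad-
	      ded Python example (not strongSwan code):	the n-th wait is retrans-
	      mit_timeout * retransmit_base^n for n = 0	.. retransmit_tries, so
	      the defaults 4.0,	1.8 and	5 give waits of	4, 7.2,	12.96, 23.33,
	      41.99 and	75.58 seconds, about 165 s in total. That is the figure
	      behind the default of charon.plugins.kernel-netlink.xfrm_acq_expires
	      [165]; the helper	computes the matching value for	other settings,
	      which is what to adjust when retransmit_tries or retransmit_base
	      are raised.

```python
"""IKEv2 retransmission window derived from charon.retransmit_* settings.

Added example, not strongSwan code. It reproduces the exponential back-off
documented for retransmit_timeout, retransmit_base and retransmit_tries
(the n-th wait is timeout * base**n) and shows why the default of
charon.plugins.kernel-netlink.xfrm_acq_expires is 165: that is the whole
number of seconds charon waits in total before giving up on an exchange
with the default values 4.0, 1.8 and 5.
"""


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Wait times in seconds: before the first retransmit, before each
    further one, and after the last retransmit until the exchange fails.
    That is tries + 1 waits of timeout * base**n, n = 0 .. tries."""
    return [timeout * base ** n for n in range(tries + 1)]


def total_timeout(timeout=4.0, base=1.8, tries=5):
    """Total seconds from the first send until charon gives up."""
    return sum(retransmit_schedule(timeout, base, tries))


def xfrm_acq_expires_for(timeout=4.0, base=1.8, tries=5):
    """xfrm_acq_expires value (whole seconds) matching the IKE window, so
    the kernel's acquire state outlives the IKE retransmission attempts."""
    return round(total_timeout(timeout, base, tries))


def acquire_covers_ike(acq_expires, timeout=4.0, base=1.8, tries=5):
    """True if an xfrm_acq_expires setting is at least as long as the IKE
    retransmission window, i.e. a trap-policy acquire does not expire (and
    get re-issued by the kernel) while the first IKE attempt is still
    running."""
    return acq_expires >= xfrm_acq_expires_for(timeout, base, tries)


if __name__ == "__main__":
    t = 0.0
    schedule = retransmit_schedule()
    for n, wait in enumerate(schedule):
        t += wait
        what = "give up" if n == len(schedule) - 1 else f"retransmit #{n + 1}"
        print(f"t={t:7.2f}s  {what}")
    print("total:", round(total_timeout(), 2), "s ->", xfrm_acq_expires_for())
    # Raising retransmit_tries to 7 extends the window well past 165 s, so
    # xfrm_acq_expires should be raised along with it.
    print("tries=7:", xfrm_acq_expires_for(tries=7), "s")
```

	      Run it directly to print the timeline. If	you lengthen the  IKE
	      window without raising xfrm_acq_expires, the kernel's acquire ex-
	      pires (and a new acquire is triggered) while  the	 first	attempt
	      is still retransmitting.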

       charon.retry_initiate_interval [0]
	      Interval	in  seconds to use when	retrying to initiate an	IKE_SA
	      (e.g. if DNS resolution failed), 0 to disable retries.

       charon.reuse_ikesa [yes]
	      Initiate CHILD_SA	within existing	IKE_SAs	 (always  enabled  for
	      IKEv1).

       charon.routing_table []
	      Numerical	routing	table to install routes	to.

       charon.routing_table_prio []
	      Priority of the routing table.

       charon.send_delay [0]
	      Delay in ms for sending packets, to simulate larger RTT.

       charon.send_delay_request [yes]
	      Delay request messages.

       charon.send_delay_response [yes]
	      Delay response messages.

       charon.send_delay_type [0]
	      Specific IKEv2 message type to delay, 0 for any.

       charon.send_vendor_id [no]
	      Send strongSwan vendor ID	payload.

       charon.signature_authentication [yes]
	      Whether to enable	Signature Authentication as per	RFC 7427.

       charon.signature_authentication_constraints [yes]
	      If  enabled, signature schemes configured	in rightauth, in addi-
	      tion to getting used as constraints  against  signature  schemes
	      employed	in the certificate chain, are also used	as constraints
	      against the signature scheme used	by peers during	IKEv2.

       charon.spi_max [0xcfffffff]
	      The upper	limit for SPIs requested from  the  kernel  for	 IPsec
	      SAs.

       charon.spi_min [0xc0000000]
	      The  lower  limit	 for  SPIs requested from the kernel for IPsec
	      SAs. Should not be set lower than	0x00000100 (256), as SPIs  be-
	      tween 1 and 255 are reserved by IANA.

       charon.start-scripts
	      Section containing a list	of scripts (name = path) that are exe-
	      cuted when the daemon is started.

       charon.stop-scripts
	      Section containing a list	of scripts (name = path) that are exe-
	      cuted when the daemon is terminated.

       charon.syslog
	      Section  to  define  syslog loggers, see LOGGER CONFIGURATION in
	      strongswan.conf(5).

       charon.syslog.<facility>
	      <facility> is one	of the supported syslog	facilities, see	LOGGER
	      CONFIGURATION in strongswan.conf(5).

       charon.syslog.<facility>.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon.syslog.<facility>.default	[1]
	      Specifies	 the  default  loglevel	 to be used for	subsystems for
	      which no specific	loglevel is defined.

       charon.syslog.<facility>.ike_name [no]
	      Prefix each log entry with the connection	name and a unique  nu-
	      merical identifier for each IKE_SA.

       charon.syslog.identifier	[]
	      Global identifier	used for an openlog(3) call, prepended to each
	      log message by syslog.  If not  configured,  openlog(3)  is  not
	      called,  so  the value will depend on system defaults (often the
	      program name).

       charon.threads [16]
	      Number of	worker threads in charon. Several  of  these  are  re-
	      served  for  long	running	tasks in internal modules and plugins.
	      Therefore, make sure you don't set this value too	low. The  num-
	      ber  of  idle  worker threads listed in ipsec statusall might be
	      used as indicator	on the number of reserved threads.

       charon.tls.cipher []
	      List of TLS encryption ciphers.

       charon.tls.key_exchange []
	      List of TLS key exchange methods.

       charon.tls.mac []
	      List of TLS MAC algorithms.

       charon.tls.suites []
	      List of TLS cipher suites.

       charon.tnc.tnc_config [/etc/tnc_config]
	      TNC IMC/IMV configuration	file.

       charon.user []
	      Name of the user the daemon changes to after startup.

       charon.x509.enforce_critical [yes]
	      Discard certificates with	unsupported or unknown critical	exten-
	      sions.

       charon-nm.ca_dir	[<default>]
	      Directory	 from  which to	load CA	certificates if	no certificate
	      is configured.

       charon-systemd.journal
	      Section to configure native systemd journal logger, very similar
	      to  the  syslog  logger  as described in LOGGER CONFIGURATION in
	      strongswan.conf(5).

       charon-systemd.journal.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon-systemd.journal.default [1]
	      Specifies	the default loglevel to	be  used  for  subsystems  for
	      which no specific	loglevel is defined.

       imv_policy_manager.command_allow	[]
	      Shell command to be executed with	recommendation allow.

       imv_policy_manager.command_block	[]
	      Shell command to be executed with	all other recommendations.

       imv_policy_manager.database []
	      Database	URI  for the database that stores the package informa-
	      tion. If it contains a password, make sure to adjust the permis-
	      sions of the config file accordingly.

       imv_policy_manager.load [sqlite]
	      Plugins to load in IMV policy manager.

       libimcv.debug_level [1]
	      Debug level for a	stand-alone libimcv library.

       libimcv.load [random nonce gmp pubkey x509]
	      Plugins to load in IMC/IMVs with stand-alone libimcv library.

       libimcv.plugins.imc-attestation.aik_blob	[]
	      AIK encrypted private key	blob file.

       libimcv.plugins.imc-attestation.aik_cert	[]
	      AIK certificate file.

       libimcv.plugins.imc-attestation.aik_handle []
	      AIK object handle.

       libimcv.plugins.imc-attestation.aik_pubkey []
	      AIK public key file.

       libimcv.plugins.imc-attestation.mandatory_dh_groups [yes]
	      Enforce mandatory	Diffie-Hellman groups.

       libimcv.plugins.imc-attestation.nonce_len [20]
	      DH nonce length.

       libimcv.plugins.imc-attestation.pcr17_after []
	      PCR17 value after	measurement.

       libimcv.plugins.imc-attestation.pcr17_before []
	      PCR17 value before measurement.

       libimcv.plugins.imc-attestation.pcr17_meas []
	      Dummy  measurement value extended	into PCR17 if the TBOOT	log is
	      not available.

       libimcv.plugins.imc-attestation.pcr18_after []
	      PCR18 value after	measurement.

       libimcv.plugins.imc-attestation.pcr18_before []
	      PCR18 value before measurement.

       libimcv.plugins.imc-attestation.pcr18_meas []
	      Dummy measurement	value extended into PCR18 if the TBOOT log  is
	      not available.

       libimcv.plugins.imc-attestation.pcr_info	[no]
	      Whether to send pcr_before and pcr_after info.

       libimcv.plugins.imc-attestation.use_quote2 [yes]
	      Use Quote2 AIK signature instead of Quote	signature.

       libimcv.plugins.imc-attestation.use_version_info	[no]
	      Version Info is included in Quote2 signature.

       libimcv.plugins.imc-hcd.push_info [yes]
	      Send quadruple info without being	prompted.

       libimcv.plugins.imc-hcd.subtypes	[]
	      Section to define	PWG HCD	PA subtypes.

       libimcv.plugins.imc-hcd.subtypes.<section> []
	      Defines a	PWG HCD	PA subtype section. Recognized subtype section
	      names are	system,	control, marker, finisher, interface and scan-
	      ner.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> []
	      Defines  a  software type	section. Recognized software type sec-
	      tion names are firmware, resident_application and	 user_applica-
	      tion.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> []
	      Defines a	software section having	an arbitrary name.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name []
	      Name of the software installed on	the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.patches
       []
	      String describing	all patches applied to the given  software  on
	      this  hardcopy device. The individual patches are	separated by a
	      newline character	'\n'.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<soft-
       ware>.string_version []
	      String  describing  the  version	of  the	given software on this
	      hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.version
       []
	      Hex-encoded version string with a	length of 16 octets consisting
	      of the fields major version number  (4  octets),	minor  version
	      number  (4  octets), build number	(4 octets), service pack major
	      number (2	octets)	and service pack minor number (2 octets).

       libimcv.plugins.imc-hcd.subtypes.<section>.attributes_natural_language
       [en]
	      Variable	length	natural	 language  tag	conforming to RFC 5646
	      specifies	the language to	be used	in the health assessment  mes-
	      sage of a	given subtype.

       libimcv.plugins.imc-hcd.subtypes.system.certification_state []
	      Hex-encoded certification	state.

       libimcv.plugins.imc-hcd.subtypes.system.configuration_state []
	      Hex-encoded configuration	state.

       libimcv.plugins.imc-hcd.subtypes.system.machine_type_model []
	      String specifying	the machine type and model of the hardcopy de-
	      vice.

       libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled	[no]
	      Specifies	if a PSTN facsimile interface is installed and enabled
	      on the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.time_source []
	      String  specifying  the hostname of the network time server used
	      by the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled	[no]
	      Specifies	if users can dynamically download and execute applica-
	      tions on the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.user_application_persis-
       tence_enabled [no]
	      Specifies	if user	dynamically downloaded applications  can  per-
	      sist  outside the	boundaries of a	single job on the hardcopy de-
	      vice.

       libimcv.plugins.imc-hcd.subtypes.system.vendor_name []
	      String specifying	the manufacturer of the	hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code []
	      Integer specifying the globally unique 24-bit SMI	code  assigned
	      to the manufacturer of the hardcopy device.

       libimcv.plugins.imc-os.device_cert []
	      Manually	set  the  path	to the client device certificate (e.g.
	      /etc/pts/aikCert.der)

       libimcv.plugins.imc-os.device_id	[]
	      Manually set the client device ID	in  hexadecimal	 format	 (e.g.
	      1083f03988c9762703b1c1080c2e46f72b99cc31)

       libimcv.plugins.imc-os.device_pubkey []
	      Manually	set  the  path	to  the	client device public key (e.g.
	      /etc/pts/aikPub.der)

       libimcv.plugins.imc-os.push_info	[yes]
	      Send operating system info without being prompted.

       libimcv.plugins.imc-scanner.push_info [yes]
	      Send open	listening ports	without	being prompted.

       libimcv.plugins.imc-swid.swid_directory [${prefix}/share]
	      Directory	where SWID tags	are located.

       libimcv.plugins.imc-swid.swid_full [FALSE]
	      Include file information in the XML-encoded SWID tags.

       libimcv.plugins.imc-swid.swid_generator [/usr/local/bin/swid_generator]
	      SWID generator command to	be executed.

       libimcv.plugins.imc-swid.swid_pretty [FALSE]
	      Generate XML-encoded SWID	tags with pretty indentation.

       libimcv.plugins.imc-test.additional_ids [0]
	      Number of	additional IMC IDs.

       libimcv.plugins.imc-test.command	[none]
	      Command to be sent to the	Test IMV.

       libimcv.plugins.imc-test.dummy_size [0]
	      Size of dummy attribute to be sent to the	Test  IMV  (0  =  dis-
	      abled).

       libimcv.plugins.imc-test.retry [no]
	      Do a handshake retry.

       libimcv.plugins.imc-test.retry_command []
	      Command to be sent to the	Test IMV in the	handshake retry.

       libimcv.plugins.imv-attestation.cadir []
	      Path to directory	with AIK cacerts.

       libimcv.plugins.imv-attestation.dh_group	[ecp256]
	      Preferred	Diffie-Hellman group.

       libimcv.plugins.imv-attestation.hash_algorithm [sha256]
	      Preferred	measurement hash algorithm.

       libimcv.plugins.imv-attestation.mandatory_dh_groups [yes]
	      Enforce mandatory	Diffie-Hellman groups.

       libimcv.plugins.imv-attestation.min_nonce_len [0]
	      DH minimum nonce length.

       libimcv.plugins.imv-os.remediation_uri []
	      URI pointing to operating	system remediation instructions.

       libimcv.plugins.imv-scanner.remediation_uri []
	      URI pointing to scanner remediation instructions.

       libimcv.plugins.imv-swid.rest_api_timeout [120]
	      Timeout of SWID REST API HTTP POST transaction.

       libimcv.plugins.imv-swid.rest_api_uri []
	      HTTP URI of the SWID REST	API.

       libimcv.plugins.imv-test.rounds [0]
	      Number of	IMC-IMV	retry rounds.

       libimcv.stderr_quiet [no]
	      Disable output to	stderr with a stand-alone libimcv library.

       manager.database	[]
	      Credential  database URI for manager. If it contains a password,
	      make sure	to adjust the permissions of the config	 file  accord-
	      ingly.

       manager.debug [no]
	      Enable debugging in manager.

       manager.load []
	      Plugins to load in manager.

       manager.socket []
	      FastCGI socket of	manager, to run	it statically.

       manager.threads [10]
	      Threads to use for request handling.

       manager.timeout [15m]
	      Session timeout for manager.

       medsrv.database []
	      Mediation	 server	 database URI. If it contains a	password, make
	      sure to adjust the permissions of	the config file	accordingly.

       medsrv.debug [no]
	      Debugging	in mediation server web	application.

       medsrv.dpd [5m]
	      DPD timeout to use in mediation server plugin.

       medsrv.load []
	      Plugins to load in mediation server plugin.

       medsrv.password_length [6]
	      Minimum password length required for mediation server  user  ac-
	      counts.

       medsrv.rekey [20m]
	      Rekeying	time  on  mediation  connections  in  mediation	server
	      plugin.

       medsrv.socket []
	      Run Mediation server web application statically on socket.

       medsrv.threads [5]
	      Number of threads for the mediation service web application.

       medsrv.timeout [15m]
	      Session timeout for mediation service.

       pacman.database []
	      Database URI for the database that stores	the  package  informa-
	      tion. If it contains a password, make sure to adjust the permis-
	      sions of the config file accordingly.

       pacman.load []
	      Plugins to load in package manager.

       pki.load	[]
	      Plugins to load in ipsec pki tool.

       pool.database []
	      Database URI for the database that stores	IP pools and  configu-
	      ration attributes. If it contains a password, make sure to adjust
	      the permissions of the config file accordingly.

       pool.load []
	      Plugins to load in ipsec pool tool.

       scepclient.load []
	      Plugins to load in ipsec scepclient tool.

       starter.config_file [${sysconfdir}/ipsec.conf]
	      Location of the ipsec.conf file.

       starter.load_warning [yes]
	      Disable charon plugin load option	warning.

       swanctl.load []
	      Plugins to load in swanctl.
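
       The 16-octet version value of the imc-hcd software subsections above
       (major 4, minor 4, build 4, service pack major 2, service pack minor 2
       octets) can be produced and checked with the following helper. It is
       an added example, not part of strongSwan; the big-endian byte order
       and the field names are assumptions, as the manual does not state
       them.

```python
import struct

# Field layout from the manual: 4 + 4 + 4 + 2 + 2 octets = 16 octets.
# Network (big-endian) byte order is an assumption of this example; the
# manual does not state the byte order.
_VERSION_FMT = ">IIIHH"


def encode_hcd_version(major, minor, build, sp_major, sp_minor):
    """Return the 32-digit hex string for a <software>.version key."""
    raw = struct.pack(_VERSION_FMT, major, minor, build, sp_major, sp_minor)
    return raw.hex()


def decode_hcd_version(hexstr):
    """Parse a <software>.version value back into its five fields.

    Rejects values that are not hex or not exactly 16 octets long, so a
    mistyped version is caught when the configuration is generated."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError as err:
        raise ValueError("version must be hex-encoded") from err
    if len(raw) != struct.calcsize(_VERSION_FMT):
        raise ValueError("version must be 16 octets (32 hex digits), got %d"
                         % len(raw))
    major, minor, build, sp_major, sp_minor = struct.unpack(_VERSION_FMT, raw)
    return {
        "major": major,
        "minor": minor,
        "build": build,
        "service_pack_major": sp_major,
        "service_pack_minor": sp_minor,
    }


if __name__ == "__main__":
    # Constructed sample: firmware 3.1 build 2048, service pack 1.0
    value = encode_hcd_version(3, 1, 2048, 1, 0)
    print("version =", value)
    print(decode_hcd_version(value))
```

       The decoder accepts upper- or lower-case hex digits; any other length
       than 32 digits raises a ValueError.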
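
       The pcr17_before, pcr17_meas and pcr17_after keys of the imc-attestation
       plugin above (and their pcr18_* counterparts) describe one TPM extend
       step. The following added example, which is not strongSwan code, shows
       the relation a verifier expects between those three values, PCR_new =
       H(PCR_old || measurement), using SHA-1 as TPM 1.2 does (the AIK and
       Quote2 settings of this plugin are TPM 1.2 features); the hash name can
       be swapped for a TPM 2.0 bank such as sha256, which goes beyond what
       the manual describes. The sample PCR and measurement values are
       constructed, and the 20-byte measurement length is an assumption.

```python
import hashlib


def pcr_extend(pcr_before, measurement, algo="sha1"):
    """TPM extend operation: PCR_new = H(PCR_old || measurement).

    Both arguments are raw byte strings; pcr_before must already be one
    digest in size. Order matters: extending the same values in a different
    order yields a different PCR."""
    h = hashlib.new(algo)
    if len(pcr_before) != h.digest_size:
        raise ValueError("pcr_before must be %d bytes for %s"
                         % (h.digest_size, algo))
    h.update(pcr_before)
    h.update(measurement)
    return h.digest()


def verify_pcr_transition(before_hex, meas_hex, after_hex, algo="sha1"):
    """Check that pcrNN_after is pcrNN_before extended with pcrNN_meas,
    i.e. the relation a verifier expects between the three hex values."""
    expected = pcr_extend(bytes.fromhex(before_hex), bytes.fromhex(meas_hex),
                          algo)
    return expected == bytes.fromhex(after_hex)


# Constructed sample values (not real TBOOT measurements): an all-zero
# PCR17 and an arbitrary 20-byte dummy measurement.
PCR17_BEFORE = "00" * 20
PCR17_MEAS = bytes(range(1, 21)).hex()
PCR17_AFTER = pcr_extend(bytes.fromhex(PCR17_BEFORE),
                         bytes.fromhex(PCR17_MEAS)).hex()


if __name__ == "__main__":
    print("pcr17_before =", PCR17_BEFORE)
    print("pcr17_meas   =", PCR17_MEAS)
    print("pcr17_after  =", PCR17_AFTER)
    print("consistent:", verify_pcr_transition(PCR17_BEFORE, PCR17_MEAS,
                                               PCR17_AFTER))
```

       A mismatching after value, or a measurement different from the one
       that was actually extended, makes verify_pcr_transition return False,
       which is the check that separates a recorded measurement log from the
       PCR value the TPM actually holds.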

LOGGER CONFIGURATION
       Options in strongswan.conf(5) provide a much more flexible way to  con-
       figure loggers for the IKE daemon charon	than using the charondebug op-
       tion in ipsec.conf(5).

       Note: If	any loggers are	specified in strongswan.conf, charondebug does
       not have	any effect.

       There are currently two types of	loggers:

       File loggers
	      Log  directly  to	 a file	and are	defined	by specifying the full
	      path to the file as subsection in	the charon.filelog section. To
	      log  to  the console the two special filenames stdout and	stderr
	      can be used.

       Syslog loggers
	      Log into a syslog	facility and are defined by specifying the fa-
	      cility  to log to	as the name of a subsection in the charon.sys-
	      log section. The following facilities are	 currently  supported:
	      daemon and auth.

       Multiple	 loggers  can be defined for each type with different log ver-
       bosity for the different	subsystems of the daemon.

   Subsystems
       dmn    Main daemon setup/cleanup/signal handling

       mgr    IKE_SA manager, handling synchronization for IKE_SA access

       ike    IKE_SA

       chd    CHILD_SA

       job    Jobs queueing/processing and thread pool management

       cfg    Configuration management and plugins

       knl    IPsec/Networking kernel interface

       net    IKE network communication

       asn    Low-level	encoding/decoding (ASN.1, X.509	etc.)

       enc    Packet encoding/decoding encryption/decryption operations

       tls    libtls library messages

       esp    libipsec library messages

       lib    libstrongswan library messages

       tnc    Trusted Network Connect

       imc    Integrity	Measurement Collector

       imv    Integrity	Measurement Verifier

       pts    Platform Trust Service

   Loglevels
       -1     Absolutely silent

       0      Very basic auditing logs (e.g. SA up/SA down)

       1      Generic control flow with	errors,	a good default	to  see	 what's
	      going on

       2      More detailed debugging control flow

       3      Including	RAW data dumps in Hex

       4      Also include sensitive material in dumps,	e.g. keys

   Example
	    charon {
		 filelog {
		      /var/log/charon.log {
			   time_format = %b %e %T
			   append = no
			   default = 1
		      }
		      stderr {
			   ike = 2
			   knl = 3
			   ike_name = yes
		      }
		 }
		 syslog	{
		      #	enable logging to LOG_DAEMON, use defaults
		      daemon {
		      }
		      #	minimalistic IKE auditing logging to LOG_AUTHPRIV
		      auth {
			   default = -1
			   ike = 0
		      }
		 }
	    }

JOB PRIORITY MANAGEMENT
       Some  operations	 in  the IKEv2 daemon charon are currently implemented
       synchronously and blocking. Two examples	for such operations are	commu-
       nication	 with a	RADIUS server via EAP-RADIUS, or fetching CRL/OCSP in-
       formation during	certificate chain verification.	Under high load	condi-
       tions,  the thread pool may run out of available	threads, and some more
       important jobs, such as liveness	checking,  may	not  get  executed  in
       time.

       To prevent thread starvation in such situations job priorities were in-
       troduced.  The job processor will reserve some threads for higher  pri-
       ority jobs, these threads are not available for lower priority, locking
       jobs.

   Implementation
       Currently 4 priorities have been	defined, and they are used  in	charon
       as follows:

       CRITICAL
	      Priority for long-running	dispatcher jobs.

       HIGH   INFORMATIONAL exchanges, as used by liveness checking (DPD).

       MEDIUM Everything not HIGH/LOW, including IKE_SA_INIT processing.

       LOW    IKE_AUTH message processing. RADIUS and CRL fetching block here.

       Although	IKE_SA_INIT processing is computationally expensive, it	is ex-
       plicitly	assigned to the	MEDIUM class. This allows charon to do the  DH
       exchange	 while	other  threads are blocked in IKE_AUTH.	To prevent the
       daemon from accepting more IKE_SA_INIT requests than it can handle, use
       IKE_SA_INIT DROPPING.

       The  thread  pool  processes jobs strictly by priority, meaning it will
       consume all higher priority jobs	before looking	for  ones  with	 lower
       priority. Further, it reserves threads for certain priorities. A	prior-
       ity class having	reserved n threads will	always have n  threads	avail-
       able  for this class (either currently processing a job,	or waiting for
       one).

   Configuration
       To ensure that there are	always enough  threads	available  for	higher
       priority	tasks, threads must be reserved	for each priority class.

       charon.processor.priority_threads.critical [0]
	      Threads reserved for CRITICAL priority class jobs

       charon.processor.priority_threads.high [0]
	      Threads reserved for HIGH	priority class jobs

       charon.processor.priority_threads.medium	[0]
	      Threads reserved for MEDIUM priority class jobs

       charon.processor.priority_threads.low [0]
	      Threads reserved for LOW priority	class jobs

       Let's consider the following configuration:

	    charon {
		 processor {
		      priority_threads {
			   high	= 1
			   medium = 4
		      }
		 }
	    }

       With  this  configuration,  one	thread	is  reserved for HIGH priority
       tasks. As currently only	liveness checking and stroke message  process-
       ing  is	done  with  high priority, one or two threads should be	suffi-
       cient.

       The MEDIUM class	mostly processes non-blocking jobs. Unless your	 setup
       is  experiencing	many blocks in locks while accessing shared resources,
       threads for one or two times the	number of CPU cores is fine.

       It is usually not required to reserve threads for CRITICAL  jobs.  Jobs
       in  this	 class	rarely	return	and do not release their thread	to the
       pool.

       The remaining threads are available for LOW  priority  jobs.  Reserving
       threads does not	make sense (until we have an even lower	priority).

   Monitoring
       To  see	what  the  threads are actually	doing, invoke ipsec statusall.
       Under high load,	something like this will show up:

	    worker threads: 2 of 32 idle, 5/1/2/22 working,
		 job queue: 0/0/1/149, scheduled: 198

       From 32 worker threads,

       2      are currently idle.

       5      are running CRITICAL priority jobs  (dispatching	from  sockets,
	      etc.).

       1      is  currently handling a HIGH priority job. This is actually the
	      thread currently providing this information via stroke.

       2      are handling MEDIUM priority jobs, likely	 IKE_SA_INIT  or  CRE-
	      ATE_CHILD_SA messages.

       22     are  handling LOW	priority jobs, probably	waiting	for an EAP-RA-
	      DIUS response while processing IKE_AUTH messages.

       The job queue load shows	how many jobs are queued  for  each  priority,
       ready  for  execution. The single MEDIUM	priority job will get executed
       immediately, as we have two spare threads  reserved  for	 MEDIUM	 class
       jobs.
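
       As an added example (not part of strongSwan), the following Python
       parses a worker-thread status line like the one above into per-priority
       counters, computes the total queued job load (the figure that
       charon.init_limit_job_load is compared against) and flags priority
       classes whose queued jobs cannot be picked up by any thread. The sample
       line and the reservation (high = 1, medium = 4, taken from the
       Configuration subsection) are constructed inputs, and the availability
       rule is a simplified model of the reservation behaviour described
       above, not the daemon's exact scheduler.

```python
import re

# Constructed sample modelled on the "ipsec statusall" excerpt above; the
# slash-separated counters are ordered CRITICAL/HIGH/MEDIUM/LOW.
SAMPLE_STATUS = (
    "worker threads: 2 of 32 idle, 5/1/2/22 working,\n"
    "     job queue: 0/0/1/149, scheduled: 198\n"
)

PRIORITIES = ("critical", "high", "medium", "low")

# Tolerates "of" or "or" between the idle counters and spans the line wrap.
_STATUS_RE = re.compile(
    r"worker threads:\s*(?P<idle>\d+)\s+(?:of|or)\s+(?P<total>\d+)\s+idle,"
    r"\s*(?P<working>\d+/\d+/\d+/\d+)\s+working,"
    r"\s*job queue:\s*(?P<queue>\d+/\d+/\d+/\d+),"
    r"\s*scheduled:\s*(?P<scheduled>\d+)"
)


def _per_priority(counters):
    """Turn 'c/h/m/l' into {'critical': c, 'high': h, 'medium': m, 'low': l}."""
    return dict(zip(PRIORITIES, (int(c) for c in counters.split("/"))))


def parse_worker_status(text):
    """Extract the thread and queue counters from statusall output."""
    m = _STATUS_RE.search(text)
    if m is None:
        raise ValueError("worker thread status not found in output")
    return {
        "idle": int(m.group("idle")),
        "total": int(m.group("total")),
        "working": _per_priority(m.group("working")),
        "queue": _per_priority(m.group("queue")),
        "scheduled": int(m.group("scheduled")),
    }


def job_load(status):
    """Queued jobs summed over all priorities, the figure that
    charon.init_limit_job_load is compared against."""
    return sum(status["queue"].values())


def available_threads(status, reserved):
    """Threads that could pick up a job of each priority class.

    Simplified model of the reservation rule in the manual (an assumption of
    this example, not the daemon's exact scheduler): a class may use its own
    spare reserved threads plus any idle thread that is not reserved for
    another class.  `reserved` maps a priority name to its
    charon.processor.priority_threads.<name> value; unset classes reserve 0."""
    spare = {p: max(reserved.get(p, 0) - status["working"][p], 0)
             for p in PRIORITIES}
    unreserved_idle = max(status["idle"] - sum(spare.values()), 0)
    return {p: spare[p] + unreserved_idle for p in PRIORITIES}


def starved_priorities(status, reserved):
    """Priority classes that have queued jobs but no thread able to run them."""
    avail = available_threads(status, reserved)
    return [p for p in PRIORITIES if status["queue"][p] > 0 and avail[p] == 0]


if __name__ == "__main__":
    st = parse_worker_status(SAMPLE_STATUS)
    reserved = {"high": 1, "medium": 4}   # the Configuration example above
    print("idle %d of %d, job load %d" % (st["idle"], st["total"], job_load(st)))
    print("available per class:", available_threads(st, reserved))
    print("starved classes:", starved_priorities(st, reserved))
```

       On the sample, LOW is reported as starved: all 27 unreserved threads
       are busy (5 CRITICAL plus 22 LOW) while 149 LOW jobs wait, which is the
       IKE_AUTH/EAP-RADIUS backlog the text describes. The single MEDIUM job
       is not starved, because two reserved MEDIUM threads are idle. The job
       load of 150 is the number a configured charon.init_limit_job_load would
       be checked against for new IKE_SA_INIT messages.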

IKE_SA_INIT DROPPING
       If  a  responder	 receives more connection requests per second than it
       can handle, it does not make sense to accept more IKE_SA_INIT messages.
       And if they are queued but can't	get processed in time, an answer might
       be sent after the client	has already given up and restarted its connec-
       tion setup. This	additionally increases the load	on the responder.

       To limit	the responder load resulting from new connection attempts, the
       daemon can drop IKE_SA_INIT messages just after	reception.  There  are
       two  mechanisms	to  decide  if this should happen, configured with the
       following options:

       charon.init_limit_half_open [0]
	      Limit based on the  number  of  half  open  IKE_SAs.  Half  open
	      IKE_SAs are SAs in connecting state, but not yet established.

       charon.init_limit_job_load [0]
	      Limit  based on the number of jobs currently queued for process-
	      ing (sum over all	job priorities).

       The second limit	includes load  from  other  jobs,  such	 as  rekeying.
       Choosing	 a good	value is difficult and depends on the hardware and ex-
       pected load.

       The first limit is simpler to calculate,	but includes the load from new
       connections  only. If your responder is capable of negotiating 100 tun-
       nels/s, you might set this limit	to 1000. The daemon will then drop new
       connection attempts if generating a response would require more than 10
       seconds.	If you are allowing for	a maximum response time	of  more  than
       30  seconds,  consider  adjusting  the  timeout	for connecting IKE_SAs
       (charon.half_open_timeout).  A responder, by default, deletes an	IKE_SA
       if  the	initiator  does	not establish it within	30 seconds. Under high
       load, a higher value might be required.

LOAD TESTS
       To do stability testing and performance optimizations, the  IKE	daemon
       charon provides the load-tester plugin. This plugin allows one to setup
       thousands of tunnels concurrently against the daemon itself or a	remote
       host.

       WARNING:	Never enable the load-testing plugin on	productive systems. It
       provides	preconfigured credentials and allows an	attacker to  authenti-
       cate as any user.

   Configuration details
       For public key authentication, the responder uses the "CN=srv, OU=load-
       test, O=strongSwan" identity. For the initiator,	 each  connection  at-
       tempt  uses  a  different identity in the form "CN=c1-r1, OU=load-test,
       O=strongSwan", where the	first number indicates the client number,  the
       second  the authentication round	(if multiple authentication rounds are
       used).

       For PSK authentication, FQDN  identities	 are  used.  The  server  uses
       srv.strongswan.org,   the   client   uses   an  identity	 in  the  form
       c1-r1.strongswan.org.

       For  EAP	 authentication,  the  client  uses  a	 NAI   in   the	  form
       100000000010001@strongswan.org.

       To configure multiple authentication rounds, concatenate	multiple meth-
       ods using, e.g.
	    initiator_auth = pubkey|psk|eap-md5|eap-aka

       The responder uses a hardcoded certificate based	on a 1024-bit RSA key.
       This certificate	additionally serves as CA certificate. A peer uses the
       same private key, but generates client certificates on demand signed by
       the  CA certificate. Install the	Responder/CA certificate on the	remote
       host to authenticate all	clients.

       To speed	up testing,  the  load	tester	plugin	implements  a  special
       Diffie-Hellman implementation called modpnull. By setting
	    proposal = aes128-sha1-modpnull
       this wicked fast	DH implementation is used. It does not provide any se-
       curity at all, but allows one to	run tests without DH calculation over-
       head.

   Examples
       In the simplest case, the daemon	initiates IKE_SAs against itself using
       the loopback interface. This will actually establish double the	number
       of IKE_SAs, as the daemon is initiator and responder for	each IKE_SA at
       the same	time.  Installation of IPsec SAs would fail, as	each  SA  gets
       installed twice.	To simulate the	correct	behavior, a fake kernel	inter-
       face can	be enabled which does not install the IPsec SAs	at the	kernel
       level.

       A simple	loopback configuration might look like this:

	    charon {
		 # create new IKE_SAs for each CHILD_SA	to simulate
		 # different clients
		 reuse_ikesa = no
		 # turn	off denial of service protection
		 dos_protection	= no

		 plugins {
		      load-tester {
			   # enable the	plugin
			   enable = yes
			   # use 4 threads to initiate connections
			   # simultaneously
			   initiators =	4
			   # each thread initiates 1000	connections
			   iterations =	1000
			   # delay each	initiation in each thread by 20ms
			   delay = 20
			   # enable the	fake kernel interface to
			   # avoid SA conflicts
			   fake_kernel = yes
		      }
		 }
	    }

       This will initiate 4000 IKE_SAs within 20 seconds. You may increase the
       delay value if your box can not handle that much	load, or  decrease  it
       to  put	more  load on it. If the daemon	starts retransmitting messages
       your box	probably can not handle	all connection attempts.

       The plugin also allows one to test against a remote  host.  This	 might
       help  to	test against a real world configuration. A connection setup to
       do stress testing of a gateway might look like this:

	    charon {
		 reuse_ikesa = no
		 threads = 32

		 plugins {
		      load-tester {
			   enable = yes
			   # 10000 connections,	ten in parallel
			   initiators =	10
			   iterations =	1000
			   # use a delay of 100ms, overall time	is:
			   # iterations	* delay	= 100s
			   delay = 100
			   # address of	the gateway
			   remote = 1.2.3.4
			   # IKE-proposal to use
			   proposal = aes128-sha1-modp1024
			   # use faster	PSK authentication instead
			   # of	1024bit	RSA
			   initiator_auth = psk
			   responder_auth = psk
			   # request a virtual IP using	configuration
			   # payloads
			   request_virtual_ip =	yes
			   # rekey the CHILD_SA every 60s
			   child_rekey = 60
		      }
		 }
	    }

IKEv2 RETRANSMISSION
       Retransmission timeouts in the IKEv2 daemon charon  can	be  configured
       globally	using the three	keys listed below:

	      charon.retransmit_base [1.8]
	      charon.retransmit_timeout	[4.0]
	      charon.retransmit_tries [5]

       The following algorithm is used to calculate the	timeout:

	    relative timeout = retransmit_timeout * retransmit_base ^ (n-1)

       Where n is the current retransmission count.

       Using the default values, packets are retransmitted in:

       Retransmission	Relative Timeout   Absolute Timeout
       -----------------------------------------------------
       1			      4s		 4s
       2			      7s		11s
       3			     13s		24s
       4			     23s		47s
       5			     42s		89s
       giving up		     76s	       165s
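
       The table above can be reproduced from the formula with the following
       added example (not strongSwan code); it also shows how long the daemon
       waits in total before giving up under other settings.

```python
def retransmit_schedule(base=1.8, timeout=4.0, tries=5):
    """Return one row per retransmission plus the final give-up wait as
    (n, relative_timeout, absolute_timeout) in seconds, unrounded.

    relative timeout = retransmit_timeout * retransmit_base ^ (n - 1),
    where n is the current retransmission count; the absolute timeout is
    the running sum, i.e. the time since the first transmission."""
    rows = []
    absolute = 0.0
    for n in range(1, tries + 2):      # `tries` retransmissions, then give up
        relative = timeout * base ** (n - 1)
        absolute += relative
        rows.append((n, relative, absolute))
    return rows


def total_timeout(base=1.8, timeout=4.0, tries=5):
    """Seconds until charon gives up on an unanswered request."""
    return retransmit_schedule(base, timeout, tries)[-1][2]


def format_schedule(rows):
    """Render rows in the layout of the manual's table."""
    lines = ["Retransmission   Relative   Absolute"]
    for n, relative, absolute in rows:
        label = "giving up" if n == len(rows) else str(n)
        lines.append("%-16s %7.0fs %9.0fs" % (label, relative, absolute))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_schedule(retransmit_schedule()))
    print("total with retransmit_tries = 3: %.0fs" % total_timeout(tries=3))
```

       With the defaults the total is about 165 s; with retransmit_tries = 3
       it drops to about 47 s, which is the trade-off between tolerating
       packet loss and noticing an unresponsive peer quickly.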

VARIABLES
       The variables used above	are configured as follows:

       ${piddir}	       /var/run
       ${prefix}	       /usr/local
       ${random_device}	       /dev/random
       ${urandom_device}       /dev/urandom

FILES
       /etc/strongswan.conf	  configuration	file
       /etc/strongswan.d/	  directory containing included	config snippets
       /etc/strongswan.d/charon/  plugin specific config snippets

SEE ALSO
       ipsec.conf(5), ipsec.secrets(5),	ipsec(8), charon-cmd(8)

HISTORY
       Written	for  the strongSwan project <http://www.strongswan.org>	by To-
       bias Brunner, Andreas Steffen and Martin	Willi.

5.5.2							    STRONGSWAN.CONF(5)
