Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help

       strongswan.conf - strongSwan configuration file

       While  the  ipsec.conf(5)  configuration	 file is well suited to	define
       IPsec related configuration parameters, it  is  not  useful  for	 other
       strongSwan  applications	 to  read options from this file.  The file is
       hard to parse and only ipsec starter is capable of  doing  so.  As  the
       number  of components of	the strongSwan project is continually growing,
       a more flexible configuration file was needed, one that is easy to  ex-
       tend  and  can  be  used	 by  all  components.  With  strongSwan	 4.2.1
       strongswan.conf(5) was introduced which meets these requirements.

       The format of the strongswan.conf file consists	of  hierarchical  sec-
       tions and a list	of key/value pairs in each section. Each section has a
       name, followed by C-Style curly brackets	 defining  the	section	 body.
       Each section body contains a set	of subsections and key/value pairs:

	    settings :=	(section|keyvalue)*
	    section  :=	name { settings	}
	    keyvalue :=	key = value\n

       Values must be terminated by a newline.

       Comments	are possible using the #-character.

       Section names and keys may contain any printable	character except:

	    . ,	: { } =	" # \n \t space

       An example file in this format might look like this:

	    a =	b
	    section-one	{
		 somevalue = asdf
		 subsection {
		      othervalue = xxx
		 # yei,	a comment
		 yetanother = zz
	    section-two	{
		 x = 12

       Indentation is optional,	you may	use tabs or spaces.

       It  is  possible	to inherit settings and	sections from another section.
       This feature is mainly useful in	swanctl.conf (which uses the same file
       format).	 The syntax is as follows:

	    section    := name : references { settings }
	    references := absname[, absname]*
	    absname    := name[.name]*

       All key/value pairs and all subsections of the referenced sections will
       be inherited by the section that	references  them  via  their  absolute
       name.  Values  may  be overridden in the	section	or any of its sub-sec-
       tions (use an empty assignment to clear a value so its  default	value,
       if  any,	 will apply). It is currently not possible to limit the	inclu-
       sion level or clear/remove inherited sub-sections.

       If the order is important (e.g. for auth	rounds	in  a  connection,  if
       round is	not used), it should be	noted that inherited settings/sections
       will follow those defined in the	current	section	(if multiple  sections
       are referenced, their settings are enumerated left to right).

       References  are	evaluated dynamically at runtime, so referring to sec-
       tions later in the config file or included via other files is no	 prob-

       Here is an example of how this might look like:

	    conn-defaults {
		 # default settings for	all conns (e.g.	a cert,	or IP pools)
	    eap-defaults {
		 # defaults if eap is used (e.g. a remote auth round)
	    child-defaults {
		 # defaults for	child configs (e.g. traffic selectors)
	    connections	{
		 conn-a	: conn-defaults, eap-defaults {
		      #	set/override stuff specific to this connection
		      children {
			   child-a : child-defaults {
				# set/override stuff specific to this child
		 conn-b	: conn-defaults	{
		      #	set/override stuff specific to this connection
		      children {
			   child-b : child-defaults {
				# set/override stuff specific to this child
		 conn-c	: connections.conn-a {
		      #	everything is inherited, including everything conn-a
		      #	already	inherits from the sections it and its
		      #	sub-section reference

       Using  the include statement it is possible to include other files into
       strongswan.conf,	e.g.

	    include /some/path/*.conf

       If the file name	is not an absolute path, it is considered to be	 rela-
       tive to the directory of	the file containing the	include	statement. The
       file name may include shell wildcards (see sh(1)).  Also,  such	inclu-
       sions can be nested.

       Sections	 loaded	from included files extend previously loaded sections;
       already existing	values are replaced.  It is  important	to  note  that
       settings	are added relative to the section the include statement	is in.

       As  an example, the following three files result	in the same final con-
       fig as the one given above:

	    a =	b
	    section-one	{
		 somevalue = before include
		 include include.conf
	    include other.conf

	    # settings loaded from this	file are added to section-one
	    # the following replaces the previous value
	    somevalue =	asdf
	    subsection {
		 othervalue = yyy
	    yetanother = zz

	    # this extends section-one and subsection
	    section-one	{
		 subsection {
		      #	this replaces the previous value
		      othervalue = xxx
	    section-two	{
		 x = 12

       Values are accessed using a dot-separated section list and a key.  With
       reference to the	example	above, accessing section-one.subsection.other-
       value will return xxx.

       The following keys are currently	defined	(using dot notation). The  de-
       fault value (if any) is listed in brackets after	the key.

       aikgen.load []
	      Plugins to load in ipsec aikgen tool.

       attest.database []
	      File  measurement	 information  database	URI.  If it contains a
	      password,	make sure to adjust the	permissions of the config file

       attest.load []
	      Plugins to load in ipsec attest tool.

	      Options for the charon IKE daemon.

	      Note:  Many  of  the  options  in	 this  section	also  apply to
	      charon-cmd and other charon derivatives.	Just use their respec-
	      tive  name  (e.g.	  charon-cmd instead of	charon).  For many op-
	      tions defaults can be defined in the libstrongswan section.

       charon.accept_private_algs [no]
	      Deliberately violate the IKE standard's  requirement  and	 allow
	      the  use	of private algorithm identifiers, even if the peer im-
	      plementation is unknown.

       charon.accept_unencrypted_mainmode_messages [no]
	      Accept unencrypted ID and	HASH payloads in IKEv1 Main Mode.

	      Some implementations send	the  third  Main  Mode	message	 unen-
	      crypted,	probably to find the PSKs for the specified ID for au-
	      thentication. This is very similar to Aggressive Mode,  and  has
	      the same security	implications: A	passive	attacker can sniff the
	      negotiated Identity, and start brute forcing the PSK  using  the
	      HASH payload.

	      It is recommended	to keep	this option to no, unless you know ex-
	      actly what the implications are  and  require  compatibility  to
	      such devices (for	example, some SonicWall	boxes).

       charon.block_threshold [5]
	      Maximum number of	half-open IKE_SAs for a	single peer IP.

       charon.cache_crls [no]
	      Whether  Certificate Revocation Lists (CRLs) fetched via HTTP or
	      LDAP should be saved under a unique file name derived  from  the
	      public	key   of   the	 Certification	 Authority   (CA)   to
	      /etc/ipsec.d/crls	(stroke) or /etc/swanctl/x509crl  (vici),  re-

       charon.cert_cache [yes]
	      Whether  relations  in  validated	 certificate  chains should be
	      cached in	memory.

       charon.cisco_unity [no]
	      Send Cisco Unity vendor ID payload (IKEv1	only).

       charon.close_ike_on_child_failure [no]
	      Close the	IKE_SA if setup	of the CHILD_SA	 along	with  IKE_AUTH

       charon.cookie_threshold [10]
	      Number of	half-open IKE_SAs that activate	the cookie mechanism.

       charon.crypto_test.bench	[no]
	      Benchmark	crypto algorithms and order them by efficiency.

       charon.crypto_test.bench_size [1024]
	      Buffer size used for crypto benchmark.

       charon.crypto_test.bench_time [50]
	      Time  in	ms  during  which crypto algorithm performance is mea-

       charon.crypto_test.on_add [no]
	      Test crypto algorithms during registration (requires  test  vec-
	      tors provided by the test-vectors	plugin).

       charon.crypto_test.on_create [no]
	      Test crypto algorithms on	each crypto primitive instantiation.

       charon.crypto_test.required [no]
	      Strictly	require	 at  least  one	test vector to enable an algo-

       charon.crypto_test.rng_true [no]
	      Whether to test RNG with TRUE quality; requires  a  lot  of  en-

       charon.delete_rekeyed [no]
	      Delete  CHILD_SAs	 right	after  they  got  successfully rekeyed
	      (IKEv1 only). Reduces the	number of stale	CHILD_SAs in scenarios
	      with a lot of rekeyings. However,	this might cause problems with
	      implementations that continue to use rekeyed SAs until they  ex-

       charon.delete_rekeyed_delay [5]
	      Delay  in	 seconds  until	 inbound  IPsec	 SAs are deleted after
	      rekeyings	(IKEv2 only). To process delayed packets  the  inbound
	      part of a	CHILD_SA is kept installed up to the configured	number
	      of seconds after it got replaced during a	rekeying. If set to  0
	      the  CHILD_SA  will  be  kept  installed until it	expires	(if no
	      lifetime is set it will be destroyed immediately).

       charon.dh_exponent_ansi_x9_42 [yes]
	      Use ANSI X9.42 DH	exponent size or optimum size matched to cryp-
	      tographic	strength.

       charon.dlopen_use_rtld_now [no]
	      Use  RTLD_NOW  with  dlopen when loading plugins and IMV/IMCs to
	      reveal missing symbols immediately.

       charon.dns1 []
	      DNS server assigned to peer via configuration payload (CP).

       charon.dns2 []
	      DNS server assigned to peer via configuration payload (CP).

       charon.dos_protection [yes]
	      Enable Denial of Service protection using	 cookies  and  aggres-
	      siveness checks.

       charon.ecp_x_coordinate_only [yes]
	      Compliance with the errata for RFC 4753.

	      Section  to  define  file	 loggers,  see LOGGER CONFIGURATION in

	      <name> may be the	full path to the log file if it	only  contains
	      characters  permitted  in	 section  names. Is ignored if path is

       charon.filelog.<name>.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon.filelog.<name>.append [yes]
	      If this option is	enabled	log entries are	appended to the	exist-
	      ing file.

       charon.filelog.<name>.default [1]
	      Specifies	 the  default  loglevel	 to be used for	subsystems for
	      which no specific	loglevel is defined.

       charon.filelog.<name>.flush_line	[no]
	      Enabling this option disables block buffering and	 enables  line

       charon.filelog.<name>.ike_name [no]
	      Prefix  each log entry with the connection name and a unique nu-
	      merical identifier for each IKE_SA.

       charon.filelog.<name>.path []
	      Optional path to the log file. Overrides the section name.  Must
	      be  used	if the path contains characters	that aren't allowed in
	      section names.

       charon.filelog.<name>.time_add_ms [no]
	      Adds the milliseconds within the current second after the	 time-
	      stamp  (separated	by a dot, so time_format should	end with %S or

       charon.filelog.<name>.time_format []
	      Prefix each log entry with a timestamp.  The  option  accepts  a
	      format string as passed to strftime(3).

       charon.flush_auth_cfg [no]
	      If  enabled  objects  used  during authentication	(certificates,
	      identities etc.)	are released to	free memory once an IKE_SA  is
	      established.  Enabling  this  might  conflict  with plugins that
	      later need access	to e.g.	the used certificates.

       charon.follow_redirects [yes]
	      Whether to follow	IKEv2 redirects	(RFC 5685).

       charon.fragment_size [1280]
	      Maximum size (complete IP	datagram size in bytes)	of a sent  IKE
	      fragment	when  using  proprietary  IKEv1	 or standardized IKEv2
	      fragmentation, defaults to 1280 (use 0 for address  family  spe-
	      cific  default  values,  which uses a lower value	for IPv4).  If
	      specified	this limit is used for both IPv4 and IPv6. []
	      Name of the group	the daemon changes to after startup.

       charon.half_open_timeout	[30]
	      Timeout in seconds for connecting	IKE_SAs	(also see  IKE_SA_INIT

       charon.hash_and_url [no]
	      Enable hash and URL support.

       charon.host_resolver.max_threads	[3]
	      Maximum  number  of concurrent resolver threads (they are	termi-
	      nated if unused).

       charon.host_resolver.min_threads	[0]
	      Minimum number of	resolver threads to keep around.

       charon.i_dont_care_about_security_and_use_aggressive_mode_psk [no]
	      If enabled responders are	allowed	to use IKEv1  Aggressive  Mode
	      with  pre-shared keys, which is discouraged due to security con-
	      cerns (offline attacks on	the openly  transmitted	 hash  of  the

       charon.ignore_acquire_ts	[no]
	      If  this is disabled the traffic selectors from the kernel's ac-
	      quire events, which are derived from the triggering packet,  are
	      prepended	 to  the  traffic selectors from the configuration for
	      IKEv2 connection.	By enabling this, such specific	traffic	selec-
	      tors  will  be  ignored  and only	the ones in the	config will be
	      sent. This always	happens	for IKEv1 connections as the  protocol
	      only supports one	set of traffic selectors per CHILD_SA.

       charon.ignore_routing_tables []
	      A	 space-separated  list	of  routing tables to be excluded from
	      route lookups.

       charon.ikesa_limit [0]
	      Maximum number of	IKE_SAs	that can be established	 at  the  same
	      time before new connection attempts are blocked.

       charon.ikesa_table_segments [1]
	      Number of	exclusively locked segments in the hash	table.

       charon.ikesa_table_size [1]
	      Size of the IKE_SA hash table.

	      Defaults	for  options  in this section can be configured	in the
	      libimcv section.

       charon.imcv.assessment_result [yes]
	      Whether IMVs send	a standard IETF	Assessment Result attribute.

       charon.imcv.database []
	      Global IMV policy	database URI. If it contains a password,  make
	      sure to adjust the permissions of	the config file	accordingly.

       charon.imcv.os_info.default_password_enabled [no]
	      Manually set whether a default password is enabled	[]
	      Manually set the name of the client OS (e.g. Ubuntu).

       charon.imcv.os_info.version []
	      Manually set the version of the client OS	(e.g. 12.04 i686).

       charon.imcv.policy_script [ipsec	_imv_policy]
	      Script called for	each TNC connection to generate	IMV policies.

       charon.inactivity_close_ike [no]
	      Whether to close IKE_SA if the only CHILD_SA closed due to inac-

       charon.init_limit_half_open [0]
	      Limit new	connections based on the current number	of  half  open
	      IKE_SAs, see IKE_SA_INIT DROPPING	in strongswan.conf(5).

       charon.init_limit_job_load [0]
	      Limit  new  connections  based  on  the number of	jobs currently
	      queued for processing (see IKE_SA_INIT DROPPING).

       charon.initiator_only [no]
	      Causes charon daemon to ignore IKE initiation requests.

       charon.install_routes [yes]
	      Install routes into a separate  routing  table  for  established
	      IPsec tunnels.

       charon.install_virtual_ip [yes]
	      Install virtual IP addresses.

       charon.install_virtual_ip_on []
	      The  name	 of the	interface on which virtual IP addresses	should
	      be installed. If not specified the addresses will	 be  installed
	      on the outbound interface.

       charon.integrity_test [no]
	      Check daemon, libstrongswan and plugin integrity at startup.

       charon.interfaces_ignore	[]
	      A	 comma-separated list of network interfaces that should	be ig-
	      nored, if	interfaces_use is specified this option	has no effect.

       charon.interfaces_use []
	      A	comma-separated	list of	network	interfaces that	should be used
	      by charon. All other interfaces are ignored.

       charon.keep_alive [20s]
	      NAT keep alive interval.

       charon.leak_detective.detailed [yes]
	      Includes	source	file  names and	line numbers in	leak detective

       charon.leak_detective.usage_threshold [10240]
	      Threshold	in bytes for leaks to be reported (0 to	report all).

       charon.leak_detective.usage_threshold_count [0]
	      Threshold	in number of allocations for leaks to be  reported  (0
	      to report	all).

       charon.load []
	      Plugins to load in the IKE daemon	charon.

       charon.load_modular [no]
	      If  enabled,  the	 list of plugins to load is determined via the
	      value of the charon.plugins._name_.load options.	In addition to
	      a	 simple	boolean	flag that option may take an integer value in-
	      dicating the priority of a plugin, which would influence the or-
	      der  of  a  plugin in the	plugin list (the default is 1).	If two
	      plugins have the same priority their order in the	default	plugin
	      list  is	preserved.  Enabled plugins not	found in that list are
	      ordered alphabetically before other plugins with the same	prior-

       charon.make_before_break	[no]
	      Initiate IKEv2 reauthentication with a make-before-break instead
	      of a break-before-make scheme. Make-before-break	uses  overlap-
	      ping  IKE	and CHILD_SA during reauthentication by	first recreat-
	      ing all new SAs before deleting the old ones. This behavior  can
	      be  beneficial  to  avoid	connectivity gaps during reauthentica-
	      tion, but	requires support for  overlapping  SAs	by  the	 peer.
	      strongSwan can handle such overlapping SAs since version 5.3.0.

       charon.max_ikev1_exchanges [3]
	      Maximum  number  of  IKEv1  phase	2 exchanges per	IKE_SA to keep
	      state about and track concurrently.

       charon.max_packet [10000]
	      Maximum packet size accepted by charon.

       charon.multiple_authentication [yes]
	      Enable multiple authentication exchanges (RFC 4739).

       charon.nbns1 []
	      WINS servers assigned to peer via	configuration payload (CP).

       charon.nbns2 []
	      WINS servers assigned to peer via	configuration payload (CP).

       charon.plugin.ha.buflen [2048]
	      Buffer size for received HA messages. For	IKEv1  the  public  DH
	      factors are also transmitted so depending	on the DH group	the HA
	      messages can get quite big (the default should  be  fine	up  to

       charon.plugins.addrblock.strict [yes]
	      If set to	yes, a subject certificate without an addrblock	exten-
	      sion is rejected if the issuer certificate has such an addrblock
	      extension. If set	to no, subject certificates issued without the
	      addrblock	extension are accepted without	any  traffic  selector
	      checks and no policy is enforced by the plugin.

       charon.plugins.android_log.loglevel [1]
	      Loglevel for logging to Android specific logger.

	      Section  to  specify arbitrary attributes	that are assigned to a
	      peer via configuration payload (CP).

       charon.plugins.attr.<attr> []
	      <attr> can be either address, netmask, dns, nbns,	dhcp,  subnet,
	      split-include,  split-exclude  or	 the numeric identifier	of the
	      attribute	type. The assigned value can be	an IPv4/IPv6  address,
	      a	subnet in CIDR notation	or an arbitrary	value depending	on the
	      attribute	type.  For some	attribute types	multiple values	may be
	      specified	as a comma separated list.

       charon.plugins.attr-sql.crash_recovery [yes]
	      Release all online leases	during startup.	 Disable this to share
	      the DB between multiple VPN gateways.

       charon.plugins.attr-sql.database	[]
	      Database URI for attr-sql	plugin used by charon. If it  contains
	      a	 password,  make  sure to adjust the permissions of the	config
	      file accordingly.

       charon.plugins.attr-sql.lease_history [yes]
	      Enable logging of	SQL IP pool leases.

       charon.plugins.bliss.use_bliss_b	[yes]
	      Use the enhanced BLISS-B key generation and signature algorithm.

       charon.plugins.bypass-lan.interfaces_ignore []
	      A	comma-separated	list of	network	interfaces for which connected
	      subnets  should  be ignored, if interfaces_use is	specified this
	      option has no effect.

       charon.plugins.bypass-lan.interfaces_use	[]
	      A	comma-separated	list of	network	interfaces for which connected
	      subnets should be	considered. All	other interfaces are ignored.

       charon.plugins.certexpire.csv.cron []
	      Cron style string	specifying CSV export times.

       charon.plugins.certexpire.csv.empty_string []
	      String to	use in empty intermediate CA fields.

       charon.plugins.certexpire.csv.fixed_fields [yes]
	      Use a fixed intermediate CA field	count.

       charon.plugins.certexpire.csv.force [yes]
	      Force export of all trustchains we have a	private	key for.

       charon.plugins.certexpire.csv.format [%d:%m:%Y]
	      strftime(3) format string	to export expiration dates as.

       charon.plugins.certexpire.csv.local []
	      strftime(3)  format string for the CSV file name to export local
	      certificates to.

       charon.plugins.certexpire.csv.remote []
	      strftime(3) format string	for the	CSV file name to export	remote
	      certificates to.

       charon.plugins.certexpire.csv.separator [,]
	      CSV field	separator.

       charon.plugins.coupling.file []
	      File to store coupling list to.

       charon.plugins.coupling.hash [sha1]
	      Hashing algorithm	to fingerprint coupled certificates.

       charon.plugins.coupling.max [1]
	      Maximum number of	coupling entries to create.

       charon.plugins.curl.redir [-1]
	      Maximum  number of redirects followed by the plugin, set to 0 to
	      disable following	redirects, set to -1 for no limit.

       charon.plugins.dhcp.force_server_address	[no]
	      Always use the configured	server address.	This might be  helpful
	      if  the DHCP server runs on the same host	as strongSwan, and the
	      DHCP daemon does not listen on the loopback interface.  In  that
	      case   the  server  cannot  be  reached  via  unicast  (or  even as that would be	routed via  loopback.  Setting
	      this  option  to yes and configuring the local broadcast address
	      (e.g. as server address might work.

       charon.plugins.dhcp.identity_lease [no]
	      Derive user-defined MAC address from hash	of  IKE	 identity  and
	      send client identity DHCP	option.

       charon.plugins.dhcp.interface []
	      Interface	 name  the plugin uses for address allocation. The de-
	      fault is to bind to any (	 and  let  the	system	decide
	      which way	to route the packets to	the DHCP server.

       charon.plugins.dhcp.server []
	      DHCP server unicast or broadcast IP address.

       charon.plugins.dhcp.use_server_port [no]
	      Use  the	DHCP  server  port (67)	as source port,	instead	of the
	      DHCP client port (68), when a unicast server address is  config-
	      ured  and	the plugin acts	as relay agent.	 When replying in this
	      mode the DHCP server will	always send packets to the DHCP	server
	      port and if no process binds that	port an	ICMP port unreachables
	      will be sent back, which might  be  problematic  for  some  DHCP
	      servers.	 To  avoid  that,  enabling this option	will cause the
	      plugin to	bind the DHCP server port to send  its	requests  when
	      acting as	relay agent. This is not necessary if a	DHCP server is
	      already running on the same host and might even cause  conflicts
	      (and since the server port is already bound, ICMPs should	not be
	      an issue).

       charon.plugins.dnscert.enable [no]
	      Enable fetching of CERT RRs via DNS.

       charon.plugins.drbg.max_drbg_requests [4294967294]
	      Number of	pseudo-random bit requests from	the DRBG before	an au-
	      tomatic reseeding	occurs.

       charon.plugins.duplicheck.enable	[yes]
	      Enable duplicheck	plugin (if loaded).

       charon.plugins.duplicheck.socket	[unix://${piddir}/charon.dck]
	      Socket provided by the duplicheck	plugin.

       charon.plugins.eap-aka.request_identity [yes]

       charon.plugins.eap-aka-3gpp.seq_check []
	      Enable to	activate sequence check	of the AKA SQN values in order
	      to trigger resync	cycles.

       charon.plugins.eap-aka-3gpp2.seq_check []
	      Enable to	activate sequence check	of the AKA SQN values in order
	      to trigger resync	cycles.

       charon.plugins.eap-dynamic.prefer_user [no]
	      If  enabled  the EAP methods proposed in an EAP-Nak message sent
	      by the peer are preferred	over the methods registered locally.

       charon.plugins.eap-dynamic.preferred []
	      The preferred EAP	method(s) to be	used.  If it is	not given  the
	      first registered method will be used initially.  If a comma sep-
	      arated list is given the methods are tried in  the  given	 order
	      before trying the	rest of	the registered methods.

       charon.plugins.eap-gtc.backend [pam]
	      XAuth backend to be used for credential verification.

       charon.plugins.eap-peap.fragment_size [1024]
	      Maximum size of an EAP-PEAP packet.

       charon.plugins.eap-peap.include_length [no]
	      Include length in	non-fragmented EAP-PEAP	packets.

       charon.plugins.eap-peap.max_message_count [32]
	      Maximum number of	processed EAP-PEAP packets (0 =	no limit).

       charon.plugins.eap-peap.phase2_method [mschapv2]
	      Phase2 EAP client	authentication method.

       charon.plugins.eap-peap.phase2_piggyback	[no]
	      Phase2  EAP Identity request piggybacked by server onto TLS Fin-
	      ished message.

       charon.plugins.eap-peap.phase2_tnc [no]
	      Start phase2 EAP TNC protocol after successful client  authenti-

       charon.plugins.eap-peap.request_peer_auth [no]
	      Request peer authentication based	on a client certificate.

       charon.plugins.eap-radius.accounting [no]
	      Send RADIUS accounting information to RADIUS servers.

       charon.plugins.eap-radius.accounting_close_on_timeout [yes]
	      Close the	IKE_SA if there	is a timeout during interim RADIUS ac-
	      counting updates.

       charon.plugins.eap-radius.accounting_interval [0]
	      Interval in seconds for interim RADIUS  accounting  updates,  if
	      not specified by the RADIUS server in the	Access-Accept message.

       charon.plugins.eap-radius.accounting_requires_vip [no]
	      If enabled, accounting is	disabled unless	an IKE_SA has at least
	      one virtual IP.  Only for	IKEv2,	for  IKEv1  a  virtual	IP  is
	      strictly necessary.

       charon.plugins.eap-radius.accounting_send_class [no]
	      If  enabled, adds	the Class attributes received in Access-Accept
	      message to the RADIUS accounting messages.

       charon.plugins.eap-radius.class_group [no]
	      Use the class attribute sent in  the  RADIUS-Accept  message  as
	      group  membership	 information  that  is	compared to the	groups
	      specified	in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.close_all_on_timeout [no]
	      Closes all IKE_SAs if communication with the RADIUS server times
	      out. If it is not	set only the current IKE_SA is closed.

       charon.plugins.eap-radius.dae.enable [no]
	      Enables  support	for  the  Dynamic Authorization	Extension (RFC

       charon.plugins.eap-radius.dae.listen []
	      Address to listen	for DAE	messages from the RADIUS server.

       charon.plugins.eap-radius.dae.port [3799]
	      Port to listen for DAE requests.

       charon.plugins.eap-radius.dae.secret []
	      Shared secret used to verify/sign	DAE  messages.	If  set,  make
	      sure to adjust the permissions of	the config file	accordingly.

       charon.plugins.eap-radius.eap_start [no]
	      Send EAP-Start instead of	EAP-Identity to	start RADIUS conversa-

       charon.plugins.eap-radius.filter_id [no]
	      If the RADIUS tunnel_type	attribute with value ESP is  received,
	      use the filter_id	attribute sent in the RADIUS-Accept message as
	      group membership information that	 is  compared  to  the	groups
	      specified	in the rightgroups option in ipsec.conf(5).

       charon.plugins.eap-radius.forward.ike_to_radius []
	      RADIUS  attributes  to be	forwarded from IKEv2 to	RADIUS (can be
	      defined by name or attribute number, a  colon  can  be  used  to
	      specify  vendor-specific	attributes, e.g. Reply-Message,	or 11,
	      or 36906:12).

       charon.plugins.eap-radius.forward.radius_to_ike []
	      Same as charon.plugins.eap-radius.forward.ike_to_radius but from
	      RADIUS to	IKEv2, a strongSwan specific private notify (40969) is
	      used to transmit the attributes.

       charon.plugins.eap-radius.id_prefix []
	      Prefix to	EAP-Identity, some AAA servers use a  IMSI  prefix  to
	      select the EAP method.

       charon.plugins.eap-radius.nas_identifier	[strongSwan]
	      NAS-Identifier to	include	in RADIUS messages.

       charon.plugins.eap-radius.port [1812]
	      Port of RADIUS server (authentication).

       charon.plugins.eap-radius.retransmit_base [1.4]
	      Base to use for calculating exponential back off.

       charon.plugins.eap-radius.retransmit_timeout [2.0]
	      Timeout in seconds before	sending	first retransmit.

       charon.plugins.eap-radius.retransmit_tries [4]
	      Number of	times to retransmit a packet before giving up.

       charon.plugins.eap-radius.secret	[]
	      Shared  secret  between RADIUS and NAS. If set, make sure	to ad-
	      just the permissions of the config file accordingly.

       charon.plugins.eap-radius.server	[]
	      IP/Hostname of RADIUS server.

	      Section to specify multiple RADIUS servers. The  nas_identifier,
	      secret, sockets and port (or auth_port) options can be specified
	      for each server. A server's IP/Hostname can be configured	 using
	      the  address option.  The	acct_port [1813] option	can be used to
	      specify the port used for	RADIUS	accounting.  For  each	RADIUS
	      server  a	priority can be	specified using	the preference [0] op-
	      tion. The	retransmission time for	each server can	set set	 using
	      retransmit_base, retransmit_timeout and retransmit_tries.

       charon.plugins.eap-radius.sockets [1]
	      Number of	sockets	(ports)	to use,	increase for high load.

       charon.plugins.eap-radius.station_id_with_port [yes]
	      Whether  to include the UDP port in the Called- and Calling-Sta-
	      tion-Id RADIUS attributes.

	      Section to configure multiple XAuth  authentication  rounds  via
	      RADIUS. The subsections define so	called authentication profiles
	      with arbitrary names. In each profile section one	or more	 XAuth
	      types can	be configured, with an assigned	message. For each type
	      a	separate XAuth exchange	will be	initiated and all replies  get
	      concatenated  into  the User-Password attribute, which then gets
	      verified over RADIUS.

	      Available	XAuth types are	password, passcode, nextpin,  and  an-
	      swer.   This  type  is  not  relevant  to	 strongSwan or the AAA
	      server, but the client may show a	different dialog  (along  with
	      the configured message).

	      To  use  the  configured profiles, they have to be configured in
	      the respective connection	in ipsec.conf(5) by appending the pro-
	      file  name,  separated  by  a  colon, to the xauth-radius	XAauth
	      backend configuration in rightauth or rightauth2,	for  instance,

       charon.plugins.eap-sim.request_identity [yes]

       charon.plugins.eap-simaka-sql.database []

       charon.plugins.eap-simaka-sql.remove_used [no]

       charon.plugins.eap-tls.fragment_size [1024]
	      Maximum size of an EAP-TLS packet.

       charon.plugins.eap-tls.include_length [yes]
	      Include length in	non-fragmented EAP-TLS packets.

       charon.plugins.eap-tls.max_message_count	[32]
	      Maximum number of	processed EAP-TLS packets (0 = no limit).

       charon.plugins.eap-tnc.max_message_count	[10]
	      Maximum number of	processed EAP-TNC packets (0 = no limit).

       charon.plugins.eap-tnc.protocol [tnccs-2.0]
	      IF-TNCCS	protocol  version  to  be  used	(tnccs-1.1, tnccs-2.0,

       charon.plugins.eap-ttls.fragment_size [1024]
	      Maximum size of an EAP-TTLS packet.

       charon.plugins.eap-ttls.include_length [yes]
	      Include length in	non-fragmented EAP-TTLS	packets.

       charon.plugins.eap-ttls.max_message_count [32]
	      Maximum number of	processed EAP-TTLS packets (0 =	no limit).

       charon.plugins.eap-ttls.phase2_method [md5]
	      Phase2 EAP client	authentication method.

       charon.plugins.eap-ttls.phase2_piggyback	[no]
	      Phase2 EAP Identity request piggybacked by server	onto TLS  Fin-
	      ished message.

       charon.plugins.eap-ttls.phase2_tnc [no]
	      Start  phase2 EAP	TNC protocol after successful client authenti-

       charon.plugins.eap-ttls.phase2_tnc_method [pt]
	      Phase2 EAP TNC transport protocol	(pt as IETF standard or	legacy

       charon.plugins.eap-ttls.request_peer_auth [no]
	      Request peer authentication based	on a client certificate.

       charon.plugins.error-notify.socket [unix://${piddir}/charon.enfy]
	      Socket provided by the error-notify plugin.

       charon.plugins.ext-auth.script []
	      Command  to pass to the system shell for peer authorization. Au-
	      thorization is considered	successful  if	the  command  executes
	      normally	with  an  exit	code of	zero. For all other exit codes
	      IKE_SA authorization is rejected.

	      The following environment	variables get passed  to  the  script:
	      IKE_UNIQUE_ID:   The   IKE_SA   numerical	  unique   identifier.
	      IKE_NAME:	 The  peer  configuration  connection  name.   IKE_LO-
	      CAL_HOST:	 Local IKE IP address.	IKE_REMOTE_HOST: Remote	IKE IP
	      address.	IKE_LOCAL_ID: Local IKE	identity.  IKE_REMOTE_ID:  Re-
	      mote IKE identity.  IKE_REMOTE_EAP_ID: Remote EAP	or XAuth iden-
	      tity, if used.

	      Comma  separated	list  of multicast groups to join locally. The
	      local host receives and forwards packets in the  local  LAN  for
	      joined multicast groups only.  Packets matching the list of mul-
	      ticast groups get	forwarded to connected	clients.  The  default
	      group   includes	 host	multicasts,   IGMP,  mDNS,  LLMNR  and
	      SSDP/WS-Discovery, and is	usually	 a  good  choice  for  Windows

       charon.plugins.forecast.interface []
	      Name of the local	interface to listen for	broadcasts messages to
	      forward. If no interface is configured, the first	usable	inter-
	      face is used, which is usually just fine for single-homed	hosts.
	      If your host has multiple	interfaces, set	this option to the lo-
	      cal LAN interface	you want to forward broadcasts from/to.

       charon.plugins.forecast.reinject	[]
	      Comma  separated	list of	CHILD_SA configuration names for which
	      to perform multi/broadcast reinjection. For  clients  connecting
	      over such	a configuration, any multi/broadcast received over the
	      tunnel gets reinjected to	all active  tunnels.  This  makes  the
	      broadcasts  visible  to  other  peers,  and  for examples	allows
	      clients to see others shares. If disabled, multi/broadcast  mes-
	      sages  received  over a tunnel are injected to the local network
	      only, but	not to other IPsec clients.

       charon.plugins.gcrypt.quick_random [no]
	      Use faster random	numbers	in gcrypt; for testing only,  produces
	      weak keys!

       charon.plugins.ha.autobalance [0]
	      Interval	in  seconds  to	automatically balance handled segments
	      between nodes. Set to 0 to disable.

       charon.plugins.ha.fifo_interface	[yes]

       charon.plugins.ha.heartbeat_delay [1000]

       charon.plugins.ha.heartbeat_timeout [2100]

       charon.plugins.ha.local []

       charon.plugins.ha.monitor [yes]

       charon.plugins.ha.pools []

       charon.plugins.ha.remote	[]

       charon.plugins.ha.resync	[yes]

       charon.plugins.ha.secret	[]

       charon.plugins.ha.segment_count [1]

       charon.plugins.ipseckey.enable [no]
	      Enable fetching of IPSECKEY RRs via DNS.

       charon.plugins.kernel-libipsec.allow_peer_ts [no]
	      Allow that the remote traffic selector equals the	IKE peer.  The
	      route  installed	for such traffic (via TUN device) usually pre-
	      vents further IKE	traffic.  The  fwmark  options	for  the  ker-
	      nel-netlink and socket-default plugins can be used to circumvent
	      that problem.

       charon.plugins.kernel-netlink.buflen [<min(PAGE_SIZE, 8192)>]
	      Buffer size for received Netlink messages.

       charon.plugins.kernel-netlink.force_receive_buffer_size [no]
	      If the maximum Netlink socket receive buffer in bytes set	by re-
	      ceive_buffer_size	  exceeds   the	  system-wide	maximum	  from
	      /proc/sys/net/core/rmem_max, this	option can be used to override
	      the  limit.   Enabling  this  option requires special privileges

       charon.plugins.kernel-netlink.fwmark []
	      Firewall mark to set on the routing rule that directs traffic to
	      our  routing  table. The format is [!]mark[/mask], where the op-
	      tional exclamation mark inverts the meaning (i.e.	the rule  only
	      applies to packets that don't match the mark).

       charon.plugins.kernel-netlink.hw_offload_feature_interface [lo]
	      If  the kernel supports hardware offloading, the plugin needs to
	      find the feature flag which represents hardware offloading  sup-
	      port  for	 network  devices.  Using the loopback device for this
	      purpose is usually fine, since it	should always be present.  For
	      rare cases in which the loopback device cannot be	used to	obtain
	      the appropriate feature flag, this option	can be used to specify
	      an alternative interface for offload feature detection.

       charon.plugins.kernel-netlink.ignore_retransmit_errors [no]
	      Whether  to  ignore errors potentially resulting from a retrans-

       charon.plugins.kernel-netlink.mss [0]
	      MSS to set on installed routes, 0	to disable.

       charon.plugins.kernel-netlink.mtu [0]
	      MTU to set on installed routes, 0	to disable.

       charon.plugins.kernel-netlink.parallel_route [no]
	      Whether to perform concurrent Netlink ROUTE queries on a	single
	      socket.  While  parallel	queries	can improve throughput,	it has
	      more overhead. On	vanilla	Linux, DUMP queries  fail  with	 EBUSY
	      and must be retried, further decreasing performance.

       charon.plugins.kernel-netlink.parallel_xfrm [no]
	      Whether  to  perform concurrent Netlink XFRM queries on a	single

       charon.plugins.kernel-netlink.policy_update [no]
	      Whether to always	use XFRM_MSG_UPDPOLICY to install policies.

       charon.plugins.kernel-netlink.port_bypass [no]
	      Whether to use port or socket based IKE  XFRM  bypass  policies.
	      IKE  bypass  policies  are  used to exempt IKE traffic from XFRM
	      processing. The default socket based policies are	directly  tied
	      to  the IKE UDP sockets, port based policies use global XFRM by-
	      pass policies for	the used IKE UDP ports.

       charon.plugins.kernel-netlink.process_rules [no]
	      Whether to process changes in  routing  rules  to	 trigger  roam
	      events.  This is currently only useful if	the kernel based route
	      lookup is	used (i.e. if route installation is disabled or	an in-
	      verted fwmark match is configured).

       charon.plugins.kernel-netlink.receive_buffer_size [0]
	      Maximum  Netlink socket receive buffer in	bytes. This value con-
	      trols how	many bytes of Netlink messages can be  received	 on  a
	      Netlink	 socket.    The	   default    value    is    set    by
	      /proc/sys/net/core/rmem_default. The specified value cannot  ex-
	      ceed  the	 system-wide maximum from /proc/sys/net/core/rmem_max,
	      unless force_receive_buffer_size is enabled.

       charon.plugins.kernel-netlink.retries [0]
	      Number of	Netlink	message	retransmissions	to send	on timeout.

       charon.plugins.kernel-netlink.roam_events [yes]
	      Whether to trigger roam events  when  interfaces,	 addresses  or
	      routes change.

       charon.plugins.kernel-netlink.set_proto_port_transport_sa [no]
	      Whether  to  set protocol	and ports in the selector installed on
	      transport	mode IPsec SAs in the kernel. While doing so  enforces
	      policies for inbound traffic, it also prevents the use of	a sin-
	      gle IPsec	SA by more than	one traffic selector.

	      XFRM policy hashing threshold configuration for IPv4 and IPv6.

	      The section defines hashing thresholds to	configure in the  ker-
	      nel during daemon	startup. Each address family takes a threshold
	      for the local subnet of an IPsec policy  (src  in	 out-policies,
	      dst  in  in- and forward-policies) and the remote	subnet (dst in
	      out-policies, src	in in- and forward-policies).

	      If the subnet has	more or	equal net bits than the	threshold, the
	      first  threshold bits are	used to	calculate a hash to lookup the

	      Policy hashing thresholds	are not	supported  before  Linux  3.18
	      and might	conflict with socket policies before Linux 4.8.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.lbits [32]
	      Local subnet XFRM	policy hashing threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv4.rbits [32]
	      Remote subnet XFRM policy	hashing	threshold for IPv4.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.lbits [128]
	      Local subnet XFRM	policy hashing threshold for IPv6.

       charon.plugins.kernel-netlink.spdh_thresh.ipv6.rbits [128]
	      Remote subnet XFRM policy	hashing	threshold for IPv6.

       charon.plugins.kernel-netlink.timeout [0]
	      Netlink message retransmission timeout, 0	to disable retransmis-

       charon.plugins.kernel-netlink.xfrm_acq_expires [165]
	      Lifetime of XFRM acquire state created by	the kernel when	 traf-
	      fic   matches   a	  trap	policy.	 The  value  gets  written  to
	      /proc/sys/net/core/xfrm_acq_expires.   Indirectly	 controls  the
	      delay  between XFRM acquire messages triggered by	the kernel for
	      a	trap policy. The same value is used as timeout for SPIs	 allo-
	      cated  by	 the  kernel. The default value	equals the total   re-
	      transmission timeout for IKE messages, see IKEv2	RETRANSMISSION
	      in strongswan.conf(5).

       charon.plugins.kernel-pfkey.events_buffer_size [0]
	      Size  of	the receive buffer for the event socket	(0 for default
	      size). Because events  are  received  asynchronously  installing
	      e.g.  lots  of policies may require a larger buffer than the de-
	      fault on certain platforms in order to receive all messages.

       charon.plugins.kernel-pfkey.route_via_internal [no]
	      Whether to use the internal or external interface	 in  installed
	      routes.  The  internal interface is the one where	the IP address
	      contained	in the local traffic selector is located, the external
	      interface	 is  the one over which	the destination	address	of the
	      IPsec tunnel can be reached. This	is not relevant	if virtual IPs
	      are  used,  for which a TUN device is created that's used	in the

       charon.plugins.kernel-pfroute.vip_wait [1000]
	      Time in ms to wait until virtual IP  addresses  appear/disappear
	      before failing.

       charon.plugins.led.activity_led []

       charon.plugins.led.blink_time [50]

	      Section  to  configure the load-tester plugin, see LOAD TESTS in
	      strongswan.conf(5) for details.

	      Section that contains key/value pairs  with  address  pools  (in
	      CIDR notation) to	use for	a specific network interface e.g. eth0

       charon.plugins.load-tester.addrs_keep [no]
	      Whether to keep dynamic addresses	even after the	associated  SA
	      got terminated.

       charon.plugins.load-tester.addrs_prefix [16]
	      Network  prefix length to	use when installing dynamic addresses.
	      If set to	-1 the full address is used (i.e. 32 or	128).

       charon.plugins.load-tester.ca_dir []
	      Directory	to load	(intermediate) CA certificates from.

       charon.plugins.load-tester.child_rekey [600]
	      Seconds to start CHILD_SA	rekeying after setup.

       charon.plugins.load-tester.crl []
	      URI to a CRL to include as  certificate  distribution  point  in
	      generated	certificates.

       charon.plugins.load-tester.delay	[0]
	      Delay between initiations	for each thread.

       charon.plugins.load-tester.delete_after_established [no]
	      Delete an	IKE_SA as soon as it has been established.

       charon.plugins.load-tester.digest [sha1]
	      Digest algorithm used when issuing certificates.

       charon.plugins.load-tester.dpd_delay [0]
	      DPD delay	to use in load test.

       charon.plugins.load-tester.dynamic_port [0]
	      Base  port to be used for	requests (each client uses a different

       charon.plugins.load-tester.eap_password [default-pwd]
	      EAP secret to use	in load	test.

       charon.plugins.load-tester.enable [no]
	      Enable the load testing  plugin.	 WARNING:  Never  enable  this
	      plugin  on productive systems. It	provides preconfigured creden-
	      tials and	allows an attacker to authenticate as any user.

       charon.plugins.load-tester.esp [aes128-sha1]
	      CHILD_SA proposal	to use for load	tests.

       charon.plugins.load-tester.fake_kernel [no]
	      Fake the kernel interface	to allow load-testing against self.

       charon.plugins.load-tester.ike_rekey [0]
	      Seconds to start IKE_SA rekeying after setup.

       charon.plugins.load-tester.init_limit [0]
	      Global limit of concurrently established SAs during load test.

       charon.plugins.load-tester.initiator []
	      Address to initiate from.

       charon.plugins.load-tester.initiator_auth [pubkey]
	      Authentication method(s) the initiator uses.

       charon.plugins.load-tester.initiator_id []
	      Initiator	ID used	in load	test.

       charon.plugins.load-tester.initiator_match []
	      Initiator	ID to match against as responder.

       charon.plugins.load-tester.initiator_tsi	[]
	      Traffic selector on initiator side, as proposed by initiator.

       charon.plugins.load-tester.initiator_tsr	[]
	      Traffic selector on responder side, as proposed by initiator.

       charon.plugins.load-tester.initiators [0]
	      Number of	concurrent initiator threads to	use in load test.

       charon.plugins.load-tester.issuer_cert []
	      Path to the issuer certificate (if not configured	 a  hard-coded
	      default value is used).

       charon.plugins.load-tester.issuer_key []
	      Path  to	private	key that is used to issue certificates (if not
	      configured a hard-coded default value is used).

       charon.plugins.load-tester.iterations [1]
	      Number of	IKE_SAs	to initiate by each initiator in load test.

       charon.plugins.load-tester.mode [tunnel]
	      IPsec mode to use, one of	tunnel,	transport, or beet.

       charon.plugins.load-tester.pool []
	      Provide INTERNAL_IPV4_ADDRs from a named pool.

       charon.plugins.load-tester.preshared_key	[<default-psk>]
	      Preshared	key to use in load test.

       charon.plugins.load-tester.proposal [aes128-sha1-modp768]
	      IKE proposal to use in load test.

       charon.plugins.load-tester.request_virtual_ip [no]
	      Request an INTERNAL_IPV4_ADDR from the server.

       charon.plugins.load-tester.responder []
	      Address to initiation connections	to.

       charon.plugins.load-tester.responder_auth [pubkey]
	      Authentication method(s) the responder uses.

       charon.plugins.load-tester.responder_id []
	      Responder	ID used	in load	test.

       charon.plugins.load-tester.responder_tsi	[initiator_tsi]
	      Traffic selector on initiator side, as narrowed by responder.

       charon.plugins.load-tester.responder_tsr	[initiator_tsr]
	      Traffic selector on responder side, as narrowed by responder.

       charon.plugins.load-tester.shutdown_when_complete [no]
	      Shutdown the daemon after	all IKE_SAs have been established.

       charon.plugins.load-tester.socket [unix://${piddir}/charon.ldt]
	      Socket provided by the load-tester plugin.

       charon.plugins.load-tester.version [0]
	      IKE version to use (0 means use IKEv2 as	initiator  and	accept
	      any version as responder).

       charon.plugins.lookip.socket [unix://${piddir}/charon.lkp]
	      Socket provided by the lookip plugin.

       charon.plugins.ntru.parameter_set [optimum]
	      The   following	parameter  sets	 are  available:  x9_98_speed,
	      x9_98_bandwidth, x9_98_balance and optimum, the last set not be-
	      ing part of the X9.98 standard but having	the best performance.

       charon.plugins.openssl.engine_id	[pkcs11]
	      ENGINE ID	to use in the OpenSSL plugin.

       charon.plugins.openssl.fips_mode	[0]
	      Set  OpenSSL  FIPS  mode:	 disabled(0),  enabled(1), Suite B en-

       charon.plugins.osx-attr.append [yes]
	      Whether DNS servers are appended to existing entries, instead of
	      replacing	them.

	      Section  to  enable requesting P-CSCF server addresses for indi-
	      vidual connections.

       charon.plugins.p-cscf.enable.<conn> [no]
	      <conn> is	the name of a connection with an ePDG  from  which  to
	      request  P-CSCF server addresses.	 Requests will be sent for ad-
	      dresses of the same families for	which  internal	 IPs  are  re-

	      List of available	PKCS#11	modules.

       charon.plugins.pkcs11.modules.<name>.load_certs [yes]
	      Whether to automatically load certificates from tokens.

       charon.plugins.pkcs11.modules.<name>.os_locking [no]
	      Whether OS locking should	be enabled for this module.

       charon.plugins.pkcs11.modules.<name>.path []
	      Full path	to the shared object file of this PKCS#11 module.

       charon.plugins.pkcs11.reload_certs [no]
	      Reload certificates from all tokens if charon receives a SIGHUP.

       charon.plugins.pkcs11.use_dh [no]
	      Whether  the PKCS#11 modules should be used for DH and ECDH (see
	      use_ecc option).

       charon.plugins.pkcs11.use_ecc [no]
	      Whether the PKCS#11 modules should be used for  ECDH  and	 ECDSA
	      public key operations. ECDSA private keys	can be used regardless
	      of this option.

       charon.plugins.pkcs11.use_hasher	[no]
	      Whether the PKCS#11 modules should be used to hash data.

       charon.plugins.pkcs11.use_pubkey	[no]
	      Whether the PKCS#11 modules should be used for public key	opera-
	      tions, even for keys not stored on tokens.

       charon.plugins.pkcs11.use_rng [no]
	      Whether the PKCS#11 modules should be used as RNG.

       charon.plugins.radattr.dir []
	      Directory	 where	RADIUS attributes are stored in	client-ID spe-
	      cific files.

       charon.plugins.radattr.message_id [-1]
	      Attributes are added to all IKE_AUTH messages by	default	 (-1),
	      or only to the IKE_AUTH message with the given IKEv2 message ID.

       charon.plugins.random.random [${random_device}]
	      File to read random bytes	from.

       charon.plugins.random.strong_equals_true	[no]
	      If  set  to yes the RNG_STRONG class reads random	bytes from the
	      same source as the RNG_TRUE class.

       charon.plugins.random.urandom [${urandom_device}]
	      File to read pseudo random bytes from.

       charon.plugins.resolve.file [/etc/resolv.conf]
	      File where to add	DNS server entries.

       charon.plugins.resolve.resolvconf.iface_prefix [lo.inet.ipsec.]
	      Prefix used for interface	 names	sent  to  resolvconf(8).   The
	      nameserver address is appended to	this prefix to make it unique.
	      The result has to	be a valid interface  name  according  to  the
	      rules defined by resolvconf.  Also, it should have a high	prior-
	      ity according to the order defined in interface-order(5).

       charon.plugins.revocation.enable_crl [yes]
	      Whether CRL validation should be enabled.

       charon.plugins.revocation.enable_ocsp [yes]
	      Whether OCSP validation should be	enabled. [no]
	      Whether to save ESP keys. [no]
	      Whether to save IKE keys. [no]
	      Whether to load the plugin. []
	      Directory	where the keys are stored in the format	 supported  by
	      Wireshark.  IKEv1	 keys are stored in the	ikev1_decryption_table
	      file. IKEv2 keys are stored in the ikev2_decryption_table	 file.
	      Keys for ESP CHILD_SAs are stored	in the esp_sa file.

       charon.plugins.socket-default.fwmark []
	      Firewall mark to set on outbound packets.

       charon.plugins.socket-default.set_source	[yes]
	      Set source address on outbound packets, if possible.

       charon.plugins.socket-default.set_sourceif [no]
	      Force  sending  interface	on outbound packets, if	possible. This
	      allows using IPv6	link-local addresses as	tunnel endpoints.

       charon.plugins.socket-default.use_ipv4 [yes]
	      Listen on	IPv4, if possible.

       charon.plugins.socket-default.use_ipv6 [yes]
	      Listen on	IPv6, if possible.

       charon.plugins.sql.database []
	      Database URI for charon's	SQL plugin. If it contains a password,
	      make  sure  to adjust the	permissions of the config file accord-

       charon.plugins.sql.loglevel [-1]
	      Loglevel for logging to SQL database.

       charon.plugins.stroke.allow_swap	[yes]
	      Analyze addresses/hostnames in left|right	to detect  which  side
	      is  local	 and  swap configuration options if necessary. If dis-
	      abled left is always local.

       charon.plugins.stroke.ignore_missing_ca_basic_constraint	[no]
	      Treat certificates in ipsec.d/cacerts and	ipsec.conf ca sections
	      as  CA  certificates  even if they don't contain a CA basic con-

       charon.plugins.stroke.max_concurrent [4]
	      Maximum number of	stroke messages	handled	concurrently.

       charon.plugins.stroke.prevent_loglevel_changes [no]
	      If enabled log level changes via stroke socket are not allowed.

       charon.plugins.stroke.secrets_file [${sysconfdir}/ipsec.secrets]
	      Location of the ipsec.secrets file

       charon.plugins.stroke.socket [unix://${piddir}/charon.ctl]
	      Socket provided by the stroke plugin.

       charon.plugins.stroke.timeout [0]
	      Timeout in ms for	any stroke command. Use	0 to disable the time-

       charon.plugins.systime-fix.interval [0]
	      Interval	in  seconds  to	check system time for validity.	0 dis-
	      ables the	check.

       charon.plugins.systime-fix.reauth [no]
	      Whether to use reauth or delete if an invalid cert  lifetime  is

       charon.plugins.systime-fix.threshold []
	      Threshold	 date  where system time is considered valid. Disabled
	      if not specified.

       charon.plugins.systime-fix.threshold_format [%Y]
	      strptime(3) format used to parse threshold option.

       charon.plugins.systime-fix.timeout [0s]
	      How long to wait for a valid system time if an interval is  con-
	      figured. 0 to recheck indefinitely.

       charon.plugins.tnc-ifmap.client_cert []
	      Path to X.509 certificate	file of	IF-MAP client.

       charon.plugins.tnc-ifmap.client_key []
	      Path to private key file of IF-MAP client.

       charon.plugins.tnc-ifmap.device_name []
	      Unique name of strongSwan	server as a PEP	and/or PDP device.

       charon.plugins.tnc-ifmap.renew_session_interval [150]
	      Interval	in  seconds  between  periodic IF-MAP RenewSession re-

       charon.plugins.tnc-ifmap.server_cert []
	      Path to X.509 certificate	file of	IF-MAP server.

       charon.plugins.tnc-ifmap.server_uri [https://localhost:8444/imap]
	      URI of the form [https://]servername[:port][/path].

       charon.plugins.tnc-ifmap.username_password []
	      Credentials of IF-MAP client of the form	username:password.  If
	      set,  make sure to adjust	the permissions	of the config file ac-

       charon.plugins.tnc-imc.dlclose [yes]
	      Unload IMC after use.

       charon.plugins.tnc-imc.preferred_language [en]
	      Preferred	language for TNC recommendations.

       charon.plugins.tnc-imv.dlclose [yes]
	      Unload IMV after use.

       charon.plugins.tnc-imv.recommendation_policy [default]
	      TNC recommendation policy, one of	default, any, or all.

       charon.plugins.tnc-pdp.pt_tls.enable [yes]
	      Enable PT-TLS protocol on	the strongSwan PDP.

       charon.plugins.tnc-pdp.pt_tls.port [271]
	      PT-TLS server port the strongSwan	PDP is listening on.

       charon.plugins.tnc-pdp.radius.enable [yes]
	      Enable RADIUS protocol on	the strongSwan PDP.

       charon.plugins.tnc-pdp.radius.method [ttls]
	      EAP tunnel method	to be used.

       charon.plugins.tnc-pdp.radius.port [1812]
	      RADIUS server port the strongSwan	PDP is listening on.

       charon.plugins.tnc-pdp.radius.secret []
	      Shared RADIUS secret between strongSwan PDP  and	NAS.  If  set,
	      make  sure  to adjust the	permissions of the config file accord-

       charon.plugins.tnc-pdp.server []
	      Name of the strongSwan PDP as contained in the AAA certificate.

       charon.plugins.tnc-pdp.timeout []
	      Timeout in seconds before	closing	incomplete connections.

       charon.plugins.tnccs-11.max_message_size	[45000]
	      Maximum size of a	PA-TNC message (XML & Base64 encoding).

       charon.plugins.tnccs-20.max_batch_size [65522]
	      Maximum size of a	PB-TNC batch (upper limit via PT-EAP = 65529).

       charon.plugins.tnccs-20.max_message_size	[65490]
	      Maximum size of a	PA-TNC	message	 (upper	 limit	via  PT-EAP  =
	      65497). [no]
	      Enable PB-TNC mutual protocol.

       charon.plugins.tnccs-20.tests.pb_tnc_noskip [no]
	      Send  an	unsupported  PB-TNC  message type with the NOSKIP flag

       charon.plugins.tnccs-20.tests.pb_tnc_version [2]
	      Send a PB-TNC batch with a modified PB-TNC version.

       charon.plugins.tpm.fips_186_4 [no]
	      Is the TPM 2.0 FIPS-186-4	compliant, forcing e.g.	the use	of the
	      default  salt  length instead of maximum salt length with	RSAPSS
	      padding. [device|tabrmd]
	      Name of TPM 2.0 TCTI library. Valid values:  tabrmd,  device  or
	      mssim.  Defaults are device if the /dev/tpmrm0 in-kernel TPM 2.0
	      resource manager device exists, and tabrmd otherwise,  requiring
	      the d-bus	based TPM 2.0 access broker and	resource manager to be

       charon.plugins.tpm.tcti.opts [/dev/tpmrm0|<none>]
	      Options for the TPM 2.0 TCTI library. Defaults  are  /dev/tpmrm0
	      if the TCTI library name is device and no	options	otherwise.

       charon.plugins.tpm.use_rng [no]
	      Whether the TPM should be	used as	RNG.

       charon.plugins.unbound.dlv_anchors []
	      File  to read trusted keys for DLV (DNSSEC Lookaside Validation)
	      from. It uses the	same format as trust_anchors.	Only  one  DLV
	      can  be  configured,  which  is then used	as a root trusted DLV,
	      this means that it is a lookaside	for the	root.

       charon.plugins.unbound.resolv_conf [/etc/resolv.conf]
	      File to read DNS resolver	configuration from.

       charon.plugins.unbound.trust_anchors [/etc/ipsec.d/dnssec.keys]
	      File to read DNSSEC trust	anchors	from (usually root zone	 KSK).
	      The format of the	file is	the standard DNS Zone file format, an-
	      chors can	be stored as DS	or DNSKEY entries in the file.

       charon.plugins.updown.dns_handler [no]
	      Whether the updown script	should handle DNS servers assigned via
	      IKEv1  Mode  Config  or  IKEv2  Config Payloads (if enabled they
	      can't be handled by other	plugins, like resolve)

       charon.plugins.vici.socket [unix://${piddir}/charon.vici]
	      Socket the vici plugin serves clients.

       charon.plugins.whitelist.enable [yes]
	      Enable loaded whitelist plugin.

       charon.plugins.whitelist.socket [unix://${piddir}/charon.wlst]
	      Socket provided by the whitelist plugin.

       charon.plugins.wolfssl.fips_mode	[no]
	      Enable to	prevent	loading	the plugin if wolfSSL is not  in  FIPS

       charon.plugins.xauth-eap.backend	[radius]
	      EAP  plugin to be	used as	backend	for XAuth credential verifica-

       charon.plugins.xauth-pam.pam_service [login]
	      PAM service to be	used for authentication.

       charon.plugins.xauth-pam.session	[no]
	      Open/close a PAM session for each	active IKE_SA.

       charon.plugins.xauth-pam.trim_email [yes]
	      If an email address is received as an XAuth username, trim it to
	      just the username	part.

       charon.port [500]
	      UDP  port	 used locally. If set to 0 a random port will be allo-

       charon.port_nat_t [4500]
	      UDP port used locally in case of NAT-T. If set  to  0  a	random
	      port  will  be allocated.	 Has to	be different from charon.port,
	      otherwise	a random port will be allocated.

       charon.prefer_best_path [no]
	      By default, charon keeps SAs on the routing path with  addresses
	      it previously used if that path is still usable. By setting this
	      option to	yes, it	tries more aggressively	to update SAs with MO-
	      BIKE  on	routing	priority changes using the cheapest path. This
	      adds more	noise, but allows to dynamically adapt SAs to  routing
	      priority	changes.  This	option	has no effect if MOBIKE	is not
	      supported	or disabled.

       charon.prefer_configured_proposals [yes]
	      Prefer locally configured	proposals for IKE/IPsec	over  supplied
	      ones  as	responder (disabling this can avoid keying retries due
	      to INVALID_KE_PAYLOAD notifies).

       charon.prefer_temporary_addrs [no]
	      By default, permanent IPv6 source	addresses are  preferred  over
	      temporary	 ones (RFC 4941), to make connections more stable. En-
	      able this	option to reverse this.

	      It also affects which IPv6 addresses are announced as additional
	      addresses	 if  MOBIKE  is	used.  If the option is	disabled, only
	      permanent	addresses are sent, and	only temporary ones if	it  is

       charon.process_route [yes]
	      Process RTM_NEWROUTE and RTM_DELROUTE events.

	      Section to configure the number of reserved threads per priority
	      class see	JOB PRIORITY MANAGEMENT	in strongswan.conf(5).

       charon.rdn_matching [strict]
	      How RDNs in subject DNs of certificates are matched against con-
	      figured  identities.  Possible  values are strict	(the default),
	      reordered, and relaxed.  With strict the number, type and	 order
	      of  all  RDNs has	to match, wildcards (*)	for the	values of RDNs
	      are allowed (that's the case for all three variants). Using  re-
	      ordered  also  matches DNs if the	RDNs appear in a different or-
	      der, the number and type still has to  match.  Finally,  relaxed
	      also  allows matches of DNs that contain more RDNs than the con-
	      figured identity (missing	 RDNs  are  treated  like  a  wildcard

	      Note  that  reordered and	relaxed	impose a considerable overhead
	      on memory	usage and runtime, in particular, for mismatches, com-
	      pared to strict.

       charon.receive_delay [0]
	      Delay in ms for receiving	packets, to simulate larger RTT.

       charon.receive_delay_request [yes]
	      Delay request messages.

       charon.receive_delay_response [yes]
	      Delay response messages.

       charon.receive_delay_type [0]
	      Specific IKEv2 message type to delay, 0 for any.

       charon.replay_window [32]
	      Size of the AH/ESP replay	window,	in packets.

       charon.retransmit_base [1.8]
	      Base  to use for calculating exponential back off, see IKEv2 RE-
	      TRANSMISSION in strongswan.conf(5).

       charon.retransmit_jitter	[0]
	      Maximum jitter in	percent	to apply randomly  to  calculated  re-
	      transmission timeout (0 to disable).

       charon.retransmit_limit [0]
	      Upper  limit in seconds for calculated retransmission timeout (0
	      to disable).

       charon.retransmit_timeout [4.0]
	      Timeout in seconds before	sending	first retransmit.

       charon.retransmit_tries [5]
	      Number of	times to retransmit a packet before giving up.

       charon.retry_initiate_interval [0]
	      Interval in seconds to use when retrying to initiate  an	IKE_SA
	      (e.g. if DNS resolution failed), 0 to disable retries.

       charon.reuse_ikesa [yes]
	      Initiate	CHILD_SA  within  existing IKE_SAs (always enabled for

       charon.routing_table []
	      Numerical	routing	table to install routes	to.

       charon.routing_table_prio []
	      Priority of the routing table.

       charon.rsa_pss [no]
	      Whether to use RSA with PSS padding instead of PKCS#1 padding by

       charon.send_delay [0]
	      Delay in ms for sending packets, to simulate larger RTT.

       charon.send_delay_request [yes]
	      Delay request messages.

       charon.send_delay_response [yes]
	      Delay response messages.

       charon.send_delay_type [0]
	      Specific IKEv2 message type to delay, 0 for any.

       charon.send_vendor_id [no]
	      Send strongSwan vendor ID	payload

       charon.signature_authentication [yes]
	      Whether to enable	Signature Authentication as per	RFC 7427.

       charon.signature_authentication_constraints [yes]
	      If  enabled, signature schemes configured	in rightauth, in addi-
	      tion to getting used as constraints  against  signature  schemes
	      employed	in the certificate chain, are also used	as constraints
	      against the signature scheme used	by peers during	IKEv2.

       charon.spi_label	[0x0000000000000000]
	      Value mixed into the local IKE SPIs after	applying spi_mask.

       charon.spi_mask [0x0000000000000000]
	      Mask applied to local IKE	SPIs before mixing in spi_label	 (bits
	      set will be replaced with	spi_label).

       charon.spi_max [0xcfffffff]
	      The  upper  limit	 for  SPIs requested from the kernel for IPsec

       charon.spi_min [0xc0000000]
	      The lower	limit for SPIs requested from  the  kernel  for	 IPsec
	      SAs.  Should not be set lower than 0x00000100 (256), as SPIs be-
	      tween 1 and 255 are reserved by IANA.

	      Section containing a list	of scripts (name = path) that are exe-
	      cuted when the daemon is started.

	      Section containing a list	of scripts (name = path) that are exe-
	      cuted when the daemon is terminated.

	      Section to define	syslog loggers,	see  LOGGER  CONFIGURATION  in

	      <facility> is one	of the supported syslog	facilities, see	LOGGER
	      CONFIGURATION in strongswan.conf(5).

       charon.syslog.<facility>.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon.syslog.<facility>.default	[1]
	      Specifies	the default loglevel to	be  used  for  subsystems  for
	      which no specific	loglevel is defined.

       charon.syslog.<facility>.ike_name [no]
	      Prefix  each log entry with the connection name and a unique nu-
	      merical identifier for each IKE_SA.

       charon.syslog.identifier	[]
	      Global identifier	used for an openlog(3) call, prepended to each
	      log  message  by	syslog.	  If not configured, openlog(3)	is not
	      called, so the value will	depend on system defaults  (often  the
	      program name).

       charon.threads [16]
	      Number  of  worker  threads  in charon. Several of these are re-
	      served for long running tasks in internal	modules	 and  plugins.
	      Therefore,  make sure you	don't set this value too low. The num-
	      ber of idle worker threads listed	in ipsec  statusall  might  be
	      used as indicator	on the number of reserved threads.

       charon.tls.cipher []
	      List of TLS encryption ciphers.

       charon.tls.key_exchange []
	      List of TLS key exchange methods.

       charon.tls.mac []
	      List of TLS MAC algorithms.

       charon.tls.suites []
	      List of TLS cipher suites.

       charon.tnc.tnc_config [/etc/tnc_config]
	      TNC IMC/IMV configuration	file.

       charon.user []
	      Name of the user the daemon changes to after startup.

       charon.x509.enforce_critical [yes]
	      Discard certificates with	unsupported or unknown critical	exten-

       charon-nm.ca_dir	[<default>]
	      Directory	from which to load CA certificates if  no  certificate
	      is configured.

	      Section to configure native systemd journal logger, very similar
	      to the syslog logger as described	 in  LOGGER  CONFIGURATION  in

       charon-systemd.journal.<subsystem> [<default>]
	      Loglevel for a specific subsystem.

       charon-systemd.journal.default [1]
	      Specifies	 the  default  loglevel	 to be used for	subsystems for
	      which no specific	loglevel is defined.

       imv_policy_manager.command_allow	[]
	      Shell command to be executed with	recommendation allow.

       imv_policy_manager.command_block	[]
	      Shell command to be executed with	all other recommendations.

       imv_policy_manager.database []
	      Database URI for the database that stores	the  package  informa-
	      tion. If it contains a password, make sure to adjust the permis-
	      sions of the config file accordingly.

       imv_policy_manager.load [sqlite]
	      Plugins to load in IMV policy manager.

       libimcv.debug_level [1]
	      Debug level for a	stand-alone libimcv library.

       libimcv.load [random nonce gmp pubkey x509]
	      Plugins to load in IMC/IMVs with stand-alone libimcv library.

       libimcv.plugins.imc-attestation.aik_blob	[]
	      AIK encrypted private key	blob file.

       libimcv.plugins.imc-attestation.aik_cert	[]
	      AIK certificate file.

       libimcv.plugins.imc-attestation.aik_handle []
	      AIK object handle.

       libimcv.plugins.imc-attestation.aik_pubkey []
	      AIK public key file.

       libimcv.plugins.imc-attestation.mandatory_dh_groups [yes]
	      Enforce mandatory	Diffie-Hellman groups.

       libimcv.plugins.imc-attestation.nonce_len [20]
	      DH nonce length.

       libimcv.plugins.imc-attestation.pcr17_after []
	      PCR17 value after	measurement.

       libimcv.plugins.imc-attestation.pcr17_before []
	      PCR17 value before measurement.

       libimcv.plugins.imc-attestation.pcr17_meas []
	      Dummy measurement	value extended into PCR17 if the TBOOT log  is
	      not available.

       libimcv.plugins.imc-attestation.pcr18_after []
	      PCR18 value after	measurement.

       libimcv.plugins.imc-attestation.pcr18_before []
	      PCR18 value before measurement.

       libimcv.plugins.imc-attestation.pcr18_meas []
	      Dummy  measurement value extended	into PCR17 if the TBOOT	log is
	      not available.

       libimcv.plugins.imc-attestation.pcr_info	[no]
	      Whether to send pcr_before and pcr_after info.

       libimcv.plugins.imc-attestation.use_quote2 [yes]
	      Use Quote2 AIK signature instead of Quote	signature.

       libimcv.plugins.imc-attestation.use_version_info	[no]
	      Version Info is included in Quote2 signature.

       libimcv.plugins.imc-hcd.push_info [yes]
	      Send quadruple info without being	prompted.

       libimcv.plugins.imc-hcd.subtypes	[]
	      Section to define	PWG HCD	PA subtypes.

       libimcv.plugins.imc-hcd.subtypes.<section> []
	      Defines a	PWG HCD	PA subtype section. Recognized subtype section
	      names are	system,	control, marker, finisher, interface and scan-

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type> []
	      Defines a	software type section. Recognized software  type  sec-
	      tion  names are firmware,	resident_application and user_applica-

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software> []
	      Defines a	software section having	an arbitrary name.

       libimcv.plugins.imc-hcd.subtypes.<section>.<sw_type>.<software>.name []
	      Name of the software installed on	the hardcopy device.

	      String  describing  all patches applied to the given software on
	      this hardcopy device. The	individual patches are separated by  a
	      newline character	'\n'.

       ware>.string_version []
	      String describing	the version of	the  given  software  on  this
	      hardcopy device.

	      Hex-encoded version string with a	length of 16 octets consisting
	      of  the  fields  major  version number (4	octets), minor version
	      number (4	octets), build number (4 octets), service  pack	 major
	      number (2	octets)	and service pack minor number (2 octets).

	      Variable length natural language	tag  conforming	 to  RFC  5646
	      specifies	 the language to be used in the	health assessment mes-
	      sage of a	given subtype.

       libimcv.plugins.imc-hcd.subtypes.system.certification_state []
	      Hex-encoded certification	state.

       libimcv.plugins.imc-hcd.subtypes.system.configuration_state []
	      Hex-encoded configuration	state.

       libimcv.plugins.imc-hcd.subtypes.system.machine_type_model []
	      String specifying	the machine type and model of the hardcopy de-

       libimcv.plugins.imc-hcd.subtypes.system.pstn_fax_enabled	[no]
	      Specifies	if a PSTN facsimile interface is installed and enabled
	      on the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.time_source []
	      String specifying	the hostname of	the network time  server  used
	      by the hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.user_application_enabled	[no]
	      Specifies	if users can dynamically download and execute applica-
	      tions on the hardcopy device.

       tence_enabled [no]
	      Specifies	 if  user dynamically downloaded applications can per-
	      sist outside the boundaries of a single job on the hardcopy  de-

       libimcv.plugins.imc-hcd.subtypes.system.vendor_name []
	      String specifying	the manufacturer of the	hardcopy device.

       libimcv.plugins.imc-hcd.subtypes.system.vendor_smi_code []
	      Integer  specifying the globally unique 24-bit SMI code assigned
	      to the manufacturer of the hardcopy device.

       libimcv.plugins.imc-os.device_cert []
	      Manually set the path to the  client  device  certificate	 (e.g.

       libimcv.plugins.imc-os.device_handle []
	      Manually set handle to a private key bound to a smartcard	or TPM
	      (e.g.  0x81010004)

       libimcv.plugins.imc-os.device_id	[]
	      Manually set the client device ID	in  hexadecimal	 format	 (e.g.

       libimcv.plugins.imc-os.device_pubkey []
	      Manually	set  the  path	to  the	client device public key (e.g.

       libimcv.plugins.imc-os.push_info	[yes]
	      Send operating system info without being prompted.

       libimcv.plugins.imc-scanner.push_info [yes]
	      Send open	listening ports	without	being prompted.

       libimcv.plugins.imc-swima.eid_epoch [0x11223344]
	      Set 32 bit epoch value for event IDs manually if	software  col-
	      lector database is not available.

       libimcv.plugins.imc-swima.subscriptions [no]
	      Accept SW	Inventory or SW	Events subscriptions.

       libimcv.plugins.imc-swima.swid_database []
	      URI  to software collector database containing event timestamps,
	      software creation	and deletion  events  and  collected  software
	      identifiers.  If it contains a password, make sure to adjust the
	      permissions of the config	file accordingly.

       libimcv.plugins.imc-swima.swid_directory	[${prefix}/share]
	      Directory	where SWID tags	are located.

       libimcv.plugins.imc-swima.swid_full [no]
	      Include file information in the XML-encoded SWID tags.

       libimcv.plugins.imc-swima.swid_pretty [no]
	      Generate XML-encoded SWID	tags with pretty indentation.

       libimcv.plugins.imc-test.additional_ids [0]
	      Number of	additional IMC IDs.

       libimcv.plugins.imc-test.command	[none]
	      Command to be sent to the	Test IMV.

       libimcv.plugins.imc-test.dummy_size [0]
	      Size of dummy attribute to be sent to the	Test  IMV  (0  =  dis-

       libimcv.plugins.imc-test.retry [no]
	      Do a handshake retry.

       libimcv.plugins.imc-test.retry_command []
	      Command to be sent to the	Test IMV in the	handshake retry.

       libimcv.plugins.imv-attestation.cadir []
	      Path to directory	with AIK cacerts.

       libimcv.plugins.imv-attestation.dh_group	[ecp256]
	      Preferred	Diffie-Hellman group.

       libimcv.plugins.imv-attestation.hash_algorithm [sha256]
	      Preferred	measurement hash algorithm.

       libimcv.plugins.imv-attestation.mandatory_dh_groups [yes]
	      Enforce mandatory	Diffie-Hellman groups.

       libimcv.plugins.imv-attestation.min_nonce_len [0]
	      DH minimum nonce length.

       libimcv.plugins.imv-os.remediation_uri []
	      URI pointing to operating	system remediation instructions.

       libimcv.plugins.imv-scanner.remediation_uri []
	      URI pointing to scanner remediation instructions.

       libimcv.plugins.imv-swima.rest_api.timeout [120]
	      Timeout of SWID REST API HTTP POST transaction.

       libimcv.plugins.imv-swima.rest_api.uri []
	      HTTP URI of the SWID REST	API.

       libimcv.plugins.imv-test.rounds [0]
	      Number of	IMC-IMV	retry rounds.

       libimcv.stderr_quiet [no]
	      Disable output to	stderr with a stand-alone libimcv library.

       libimcv.swid_gen.command	[/usr/local/bin/swid_generator]
	      SWID generator command to	be executed. [strongSwan Project]
	      Name of the tagCreator entity.

       libimcv.swid_gen.tag_creator.regid []
	      regid of the tagCreator entity.

       manager.database	[]
	      Credential  database URI for manager. If it contains a password,
	      make sure	to adjust the permissions of the config	 file  accord-

       manager.debug [no]
	      Enable debugging in manager.

       manager.load []
	      Plugins to load in manager.

       manager.socket []
	      FastCGI socket of	manager, to run	it statically.

       manager.threads [10]
	      Threads to use for request handling.

       manager.timeout [15m]
	      Session timeout for manager.

       medsrv.database []
	      Mediation	 server	 database URI. If it contains a	password, make
	      sure to adjust the permissions of	the config file	accordingly.

       medsrv.debug [no]
	      Debugging	in mediation server web	application.

       medsrv.dpd [5m]
	      DPD timeout to use in mediation server plugin.

       medsrv.load []
	      Plugins to load in mediation server plugin.

       medsrv.password_length [6]
	      Minimum password length required for mediation server  user  ac-

       medsrv.rekey [20m]
	      Rekeying	time  on  mediation  connections  in  mediation	server

       medsrv.socket []
	      Run Mediation server web application statically on socket.

       medsrv.threads [5]
	      Number of	thread for mediation service web application.

       medsrv.timeout [15m]
	      Session timeout for mediation service.

       pki.load	[]
	      Plugins to load in ipsec pki tool.

       pool.database []
	      Database URI for the database that stores	IP pools and  configu-
	      ration  attributes.  If it contains a password, make	  sure
	      to adjust	the permissions	of the config file accordingly.

       pool.load []
	      Plugins to load in ipsec pool tool.

       scepclient.load []
	      Plugins to load in ipsec scepclient tool.

	      Options for the sec-updater tool.

       sec-updater.database []
	      Global IMV policy	database URI. If it contains a password,  make
	      sure to adjust the permissions of	the config file	accordingly.

       sec-updater.load	[]
	      Plugins to load in sec-updater tool.

       sec-updater.swid_gen.command [/usr/local/bin/swid_generator]
	      SWID generator command to	be executed. [strongSwan Project]
	      Name of the tagCreator entity.

       sec-updater.swid_gen.tag_creator.regid []
	      regid of the tagCreator entity.

       sec-updater.tmp.deb_file	[/tmp/sec-updater.deb]
	      Temporary	storage	for downloaded deb package file.

       sec-updater.tmp.tag_file	[/tmp/sec-updater.tag]
	      Temporary	storage	for generated SWID tags.

       sec-updater.tnc_manage_command [/var/www/tnc/]
	      strongTNC command used to import SWID tags.

       starter.config_file [${sysconfdir}/ipsec.conf]
	      Location of the ipsec.conf file

       starter.load_warning [yes]
	      Disable charon plugin load option	warning.

	      Options for the sw-collector tool.

       sw-collector.database []
	      URI  to software collector database containing event timestamps,
	      software creation	and deletion  events  and  collected  software
	      identifiers.  If it contains a password, make sure to adjust the
	      permissions of the config	file accordingly.

       sw-collector.first_file [/var/log/bootstrap.log]
	      Path pointing to file created when the Linux OS was installed.

       sw-collector.first_time [0000-00-00T00:00:00Z]
	      Time in UTC when the Linux OS was	installed.

       sw-collector.history []
	      Path pointing to apt history.log file.

       sw-collector.load []
	      Plugins to load in sw-collector tool.

       sw-collector.rest_api.timeout [120]
	      Timeout of REST API HTTP POST transaction.

       sw-collector.rest_api.uri []
	      HTTP URI of the central collector's REST API.

       swanctl.load []
	      Plugins to load in swanctl.

       swanctl.socket [unix://${piddir}/charon.vici]
	      VICI socket to connect to	by default.

       Options in strongswan.conf(5) provide a much more flexible way to  con-
       figure loggers for the IKE daemon charon	than using the charondebug op-
       tion in ipsec.conf(5).

       Note: If	any loggers are	specified in strongswan.conf, charondebug does
       not have	any effect.

       There are currently two types of	loggers:

       File loggers
	      Log  directly  to	 a file	and are	defined	by specifying an arbi-
	      trarily named subsection in the charon.filelog section. The full
	      path  to the file	is configured in the path setting of that sub-
	      section, however,	if it only contains  characters	 permitted  in
	      section  names,  the  setting  may  also be omitted and the path
	      specified	as name	of the subsection. To log to the  console  the
	      two special filenames stdout and stderr may be used.

       Syslog loggers
	      Log into a syslog	facility and are defined by specifying the fa-
	      cility to	log to as the name of a	subsection in the  charon.sys-
	      log  section.  The following facilities are currently supported:
	      daemon and auth.

       Multiple	loggers	can be defined for each	type with different  log  ver-
       bosity for the different	subsystems of the daemon.

       dmn    Main daemon setup/cleanup/signal handling

       mgr    IKE_SA manager, handling synchronization for IKE_SA access

       ike    IKE_SA

       chd    CHILD_SA

       job    Jobs queueing/processing and thread pool management

       cfg    Configuration management and plugins

       knl    IPsec/Networking kernel interface

       net    IKE network communication

       asn    Low-level	encoding/decoding (ASN.1, X.509	etc.)

       enc    Packet encoding/decoding encryption/decryption operations

       tls    libtls library messages

       esp    libipsec library messages

       lib    libstrongswan library messages

       tnc    Trusted Network Connect

       imc    Integrity	Measurement Collector

       imv    Integrity	Measurement Verifier

       pts    Platform Trust Service

       -1     Absolutely silent

       0      Very basic auditing logs,	(e.g. SA up/SA down)

       1      Generic  control	flow with errors, a good default to see	what's
	      going on

       2      More detailed debugging control flow

       3      Including	RAW data dumps in Hex

       4      Also include sensitive material in dumps,	e.g. keys

	    charon {
		 filelog {
		      charon {
			   path	= /var/log/charon.log
			   time_format = %b %e %T
			   append = no
			   default = 1
		      stderr {
			   ike = 2
			   knl = 3
			   ike_name = yes
		 syslog	{
		      #	enable logging to LOG_DAEMON, use defaults
		      daemon {
		      #	minimalistic IKE auditing logging to LOG_AUTHPRIV
		      auth {
			   default = -1
			   ike = 0

       Some operations in the IKEv2 daemon charon  are	currently  implemented
       synchronously and blocking. Two examples	for such operations are	commu-
       nication	with a RADIUS server via EAP-RADIUS, or	fetching CRL/OCSP  in-
       formation during	certificate chain verification.	Under high load	condi-
       tions, the thread pool may run out of available threads,	and some  more
       important  jobs,	 such  as  liveness  checking, may not get executed in

       To prevent thread starvation in such situations job priorities were in-
       troduced.   The job processor will reserve some threads for higher pri-
       ority jobs, these threads are not available for lower priority, locking

       Currently  4  priorities	have been defined, and they are	used in	charon
       as follows:

	      Priority for long-running	dispatcher jobs.

       HIGH   INFORMATIONAL exchanges, as used by liveness checking (DPD).

       MEDIUM Everything not HIGH/LOW, including IKE_SA_INIT processing.

       LOW    IKE_AUTH message processing. RADIUS and CRL fetching block here

       Although	IKE_SA_INIT processing is computationally expensive, it	is ex-
       plicitly	 assigned to the MEDIUM	class. This allows charon to do	the DH
       exchange	while other threads are	blocked	in IKE_AUTH.  To  prevent  the
       daemon from accepting more IKE_SA_INIT requests than it can handle, use

       The thread pool processes jobs strictly by priority,  meaning  it  will
       consume	all  higher  priority  jobs before looking for ones with lower
       priority. Further, it reserves threads for certain priorities. A	prior-
       ity  class  having reserved n threads will always have n	threads	avail-
       able for	this class (either currently processing	a job, or waiting  for

       To  ensure  that	 there	are always enough threads available for	higher
       priority	tasks, threads must be reserved	for each priority class.

       charon.processor.priority_threads.critical [0]
	      Threads reserved for CRITICAL priority class jobs

       charon.processor.priority_threads.high [0]
	      Threads reserved for HIGH	priority class jobs

       charon.processor.priority_threads.medium	[0]
	      Threads reserved for MEDIUM priority class jobs

       charon.processor.priority_threads.low [0]
	      Threads reserved for LOW priority	class jobs

       Let's consider the following configuration:

	    charon {
		 processor {
		      priority_threads {
			   high	= 1
			   medium = 4

       With this configuration,	one  thread  is	 reserved  for	HIGH  priority
       tasks.  As currently only liveness checking and stroke message process-
       ing is done with	high priority, one or two  threads  should  be	suffi-

       The  MEDIUM class mostly	processes non-blocking jobs. Unless your setup
       is experiencing many blocks in locks while accessing shared  resources,
       threads for one or two times the	number of CPU cores is fine.

       It  is  usually not required to reserve threads for CRITICAL jobs. Jobs
       in this class rarely return and do not  release	their  thread  to  the

       The  remaining  threads	are available for LOW priority jobs. Reserving
       threads does not	make sense (until we have an even lower	priority).

       To see what the threads are actually  doing,  invoke  ipsec  statusall.
       Under high load,	something like this will show up:

	    worker threads: 2 or 32 idle, 5/1/2/22 working,
		 job queue: 0/0/1/149, scheduled: 198

       From 32 worker threads,

       2      are currently idle.

       5      are  running  CRITICAL  priority jobs (dispatching from sockets,

       1      is currently handling a HIGH priority job. This is actually  the
	      thread currently providing this information via stroke.

       2      are  handling  MEDIUM  priority jobs, likely IKE_SA_INIT or CRE-
	      ATE_CHILD_SA messages.

       22     are handling LOW priority	jobs, probably waiting for an  EAP-RA-
	      DIUS response while processing IKE_AUTH messages.

       The  job	 queue	load shows how many jobs are queued for	each priority,
       ready for execution. The	single MEDIUM priority job will	 get  executed
       immediately,  as	 we  have  two spare threads reserved for MEDIUM class

       If a responder receives more connection requests	per  seconds  than  it
       can handle, it does not make sense to accept more IKE_SA_INIT messages.
       And if they are queued but can't	get processed in time, an answer might
       be sent after the client	has already given up and restarted its connec-
       tion setup. This	additionally increases the load	on the responder.

       To limit	the responder load resulting from new connection attempts, the
       daemon  can  drop  IKE_SA_INIT messages just after reception. There are
       two mechanisms to decide	if this	should	happen,	 configured  with  the
       following options:

       charon.init_limit_half_open [0]
	      Limit  based  on	the  number  of	 half  open IKE_SAs. Half open
	      IKE_SAs are SAs in connecting state, but not yet established.

       charon.init_limit_job_load [0]
	      Limit based on the number	of jobs	currently queued for  process-
	      ing (sum over all	job priorities).

       The  second  limit  includes  load  from	 other jobs, such as rekeying.
       Choosing	a good value is	difficult and depends on the hardware and  ex-
       pected load.

       The first limit is simpler to calculate,	but includes the load from new
       connections only. If your responder is capable of negotiating 100  tun-
       nels/s, you might set this limit	to 1000. The daemon will then drop new
       connection attempts if generating a response would require more than 10
       seconds.	 If  you are allowing for a maximum response time of more than
       30 seconds, consider  adjusting	the  timeout  for  connecting  IKE_SAs
       (charon.half_open_timeout).  A responder, by default, deletes an	IKE_SA
       if the initiator	does not establish it within 30	 seconds.  Under  high
       load, a higher value might be required.

       To  do  stability testing and performance optimizations,	the IKE	daemon
       charon provides the load-tester plugin. This plugin allows one to setup
       thousands of tunnels concurrently against the daemon itself or a	remote

       WARNING:	Never enable the load-testing plugin on	productive systems. It
       provides	 preconfigured credentials and allows an attacker to authenti-
       cate as any user.

   Configuration details
       For public key authentication, the responder uses the "CN=srv, OU=load-
       test,  O=strongSwan"  identity.	For the	initiator, each	connection at-
       tempt uses a different identity in the  form  "CN=c1-r1,	 OU=load-test,
       O=strongSwan",  where the first number indicates	the client number, the
       second the authentication round (if multiple authentication rounds  are

       For  PSK	 authentication,  FQDN	identities  are	 used. The server uses,  the	 client	 uses  an   identity   in   the	  form

       For   EAP   authentication,   the   client  uses	 a  NAI	 in  the  form

       To configure multiple authentication rounds, concatenate	multiple meth-
       ods using, e.g.
	    initiator_auth = pubkey|psk|eap-md5|eap-aka

       The responder uses a hardcoded certificate based	on a 1024-bit RSA key.
       This certificate	additionally serves as CA certificate. A peer uses the
       same private key, but generates client certificates on demand signed by
       the CA certificate. Install the Responder/CA certificate	on the	remote
       host to authenticate all	clients.

       To  speed  up  testing,	the  load  tester  plugin implements a special
       Diffie-Hellman implementation called modpnull. By setting
	    proposal = aes128-sha1-modpnull
       this wicked fast	DH implementation is used. It does not provide any se-
       curity at all, but allows one to	run tests without DH calculation over-

       In the simplest case, the daemon	initiates IKE_SAs against itself using
       the  loopback interface.	This will actually establish double the	number
       of IKE_SAs, as the daemon is initiator and responder for	each IKE_SA at
       the  same  time.	 Installation of IPsec SAs would fail, as each SA gets
       installed twice.	To simulate the	correct	behavior, a fake kernel	inter-
       face  can be enabled which does not install the IPsec SAs at the	kernel

       A simple	loopback configuration might look like this:

	    charon {
		 # create new IKE_SAs for each CHILD_SA	to simulate
		 # different clients
		 reuse_ikesa = no
		 # turn	off denial of service protection
		 dos_protection	= no

		 plugins {
		      load-tester {
			   # enable the	plugin
			   enable = yes
			   # use 4 threads to initiate connections
			   # simultaneously
			   initiators =	4
			   # each thread initiates 1000	connections
			   iterations =	1000
			   # delay each	initiation in each thread by 20ms
			   delay = 20
			   # enable the	fake kernel interface to
			   # avoid SA conflicts
			   fake_kernel = yes

       This will initiate 4000 IKE_SAs within 20 seconds. You may increase the
       delay  value  if	your box can not handle	that much load,	or decrease it
       to put more load	on it. If the daemon  starts  retransmitting  messages
       your box	probably can not handle	all connection attempts.

       The  plugin  also  allows one to	test against a remote host. This might
       help to test against a real world configuration.	A connection setup  to
       do stress testing of a gateway might look like this:

	    charon {
		 reuse_ikesa = no
		 threads = 32

		 plugins {
		      load-tester {
			   enable = yes
			   # 10000 connections,	ten in parallel
			   initiators =	10
			   iterations =	1000
			   # use a delay of 100ms, overall time	is:
			   # iterations	* delay	= 100s
			   delay = 100
			   # address of	the gateway
			   remote =
			   # IKE-proposal to use
			   proposal = aes128-sha1-modp1024
			   # use faster	PSK authentication instead
			   # of	1024bit	RSA
			   initiator_auth = psk
			   responder_auth = psk
			   # request a virtual IP using	configuration
			   # payloads
			   request_virtual_ip =	yes
			   # enable CHILD_SA every 60s
			   child_rekey = 60

       Retransmission  timeouts	 in  the IKEv2 daemon charon can be configured
       globally	using the three	keys listed below:

	      charon.retransmit_base [1.8]
	      charon.retransmit_timeout	[4.0]
	      charon.retransmit_tries [5]
	      charon.retransmit_jitter [0]
	      charon.retransmit_limit [0]

       The following algorithm is used to calculate the	timeout:

	    relative timeout = retransmit_timeout * retransmit_base ^ (n-1)

       Where n is the current retransmission  count.  The  calculated  timeout
       can't  exceed the configured retransmit_limit (if any), which is	useful
       if the number of	retries	is high.

       If a jitter in percent is configured, the timeout is modified  as  fol-

	    relative timeout -=	random(0, retransmit_jitter * relative timeout)

       Using the default values, packets are retransmitted in:

       Retransmission	Relative Timeout   Absolute Timeout
       1			      4s		 4s
       2			      7s		11s
       3			     13s		24s
       4			     23s		47s
       5			     42s		89s
       giving up		     76s	       165s

       The variables used above	are configured as follows:

       ${piddir}	       /var/run
       ${prefix}	       /usr/local
       ${random_device}	       /dev/random
       ${urandom_device}       /dev/urandom

       /etc/strongswan.conf	  configuration	file
       /etc/strongswan.d/	  directory containing included	config snippets
       /etc/strongswan.d/charon/  plugin specific config snippets

       ipsec.conf(5), ipsec.secrets(5),	ipsec(8), charon-cmd(8)

       Written	for  the strongSwan project <>	by To-
       bias Brunner, Andreas Steffen and Martin	Willi.

5.8.4							    STRONGSWAN.CONF(5)


Want to link to this manual page? Use this URL:

home | help