strongswan.conf
This page documents the configuration options of the most current release. Therefore, you should always consult the strongswan.conf(5) man page that comes with the release you are using to confirm which options are actually available. |
Overview
While the swanctl.conf
and the legacy
ipsec.conf
configuration files are well suited to define IPsec-related
configuration parameters, it is not useful for other strongSwan applications to
read options from these files. As the number of components of the strongSwan
project is continually growing, we needed a more flexible configuration file that
is easy to extend and can be used by all components.
The default strongswan.conf
file is installed under ${sysconfdir}
, i.e.
the path usually is /etc/strongswan.conf
.
Since version 5.1.2 the default config file may be split up and separate files
are placed in the ${sysconfdir}/strongswan.d
directory.
The location in which strongswan.conf
is looked for can be overwritten at
start time of the process using libstrongswan by setting the STRONGSWAN_CONF
environmental variable to the desired location.
Reloading
The IKE charon
daemon and some of its derivatives
reloads strongswan.conf
if it receives a SIGHUP
signal (that has to be
sent manually to the charon
daemon) or can be
triggered via either the vici
reload-settings
or
the swanctl
--reload-settings
commands.
This reloads the logger settings and some plugins
also support reloading their configuration (e.g. the
attr
, the pkcs11
or the
eap-radius
plugins) and many settings are always
read directly from the latest config (some at least for new connections).
Syntax
The format consists of hierarchical sections
and a list of key/value
pairs
in each section
.
Each section has a name, followed by C-style curly brackets defining the section
body. Each section body contains a set of subsections
and key/value
pairs:
settings := (section|keyvalue)* section := name { settings } keyvalue := key = value\n
Values must be terminated by a newline. Comments are possible using the
#
character. Section names and keys may contain any printable character except:
. , : { } = " # \n \t space
An example might look like this:
a = b section-one { somevalue = asdf subsection { othervalue = xxx } # yei, a comment yetanother = zz } section-two { x = 12 }
Indentation is optional. You may use tabs or spaces.
Referencing other Sections
Since version 5.7.0 it is possible to inherit settings and sections from another
section. This feature is mainly useful in
swanctl.conf
which uses the same configuration
file format.
The syntax for references is as follows:
section := name : references { settings } references := absname[, absname]* absname := name[.name]*
All key/value
pairs and all subsections
of the referenced sections will
be inherited by the section that references them via their absolute name. Values
may be overridden in the section or any of its sub-sections (use an empty
assignment to clear a value so its default value, if any, will apply). It is
currently not possible to limit the inclusion level or clear/remove inherited
subsections
.
If the order is important (e.g. for auth rounds in a connection, if round
is
not used), it should be noted that inherited settings/sections will follow those
defined in the current section (if multiple sections are referenced, their
settings are enumerated left to right).
References are evaluated dynamically at runtime, so referring to sections later in the config file or included via other files is no problem.
Here is an example of how this might look like in
swanctl.conf
:
conn-defaults { # default settings for all conns (e.g. a cert, or IP pools) } eap-defaults { # defaults if eap is used (e.g. a remote auth round) } child-defaults { # defaults for child configs (e.g. traffic selectors) } connections { conn-a : conn-defaults, eap-defaults { # set/override stuff specific to this connection children { child-a : child-defaults { # set/override stuff specific to this child } } } conn-b : conn-defaults { # set/override stuff specific to this connection children { child-b : child-defaults { # set/override stuff specific to this child } } } conn-c : connections.conn-a { # everything is inherited, including everything conn-a # already inherits from the sections it and its # sub-section reference } }
Including Files
The include
statement allows to include other files into strongswan.conf
,
e.g.
include /some/path/*.conf
If the file name is not an absolute path, it is considered to be relative to the directory of the file containing the include statement. The file name may include shell wildcards. Also, such inclusions can be nested.
Sections loaded from the included files extend previously loaded sections; already existing values are replaced. It is important to note that settings are added relative to the section the include statement is in.
As an example, the following three files result in the same final config as the one given above:
a = b section-one { somevalue = before include include include.conf } include other.conf
File include.conf
:
# settings loaded from this file are added to section-one # the following replaces the previous value somevalue = asdf subsection { othervalue = yyy } yetanother = zz
File other.conf
:
# this extends section-one and subsection section-one { subsection { # this replaces the previous value othervalue = xxx } } section-two { x = 12 }
Reading values
The config file is read by libstrongswan during library initialization (or when
a reload is triggered). Values are accessed using a dot-separated section list
and a key: Accessing section-one.subsection.othervalue
in the examples above
will return xxx
.
Have a look at the settings interface src/libstrongswan/settings/settings.h
to learn about the details.
Number Formats
Options that define an integer value can be specified as decimal (the default)
or hexadecimal (0x
prefix, upper- or lowercase letters are accepted).
Locale-dependent strings (e.g. the thousands separator of the current locale)
may also be accepted in locales other than C
.
Options that define a floating-point value can be specified as decimal (the
default) or hexadecimal (0x
prefix, upper- or lowercase letters are accepted).
The radix character (decimal separator) in either case is locale-dependent,
usually '.'
.
Time Formats
Unless stated otherwise, options that define a time are specified in seconds.
The s
, m
, h
and d
suffixes may be used to automatically convert values
given in seconds, minutes, hours or days (for instance, instead of configuring
a rekey time of 4
hours as 14400
seconds, 4h
may be used).
There are some global options that don’t accept these suffixes as they are configured as integer values in seconds or milliseconds, or even as floating-point numbers (e.g. the retransmission timeout). Options that accept the suffixes have a corresponding default value.
Keys
The following list shows all strongswan.conf
keys that are currently defined
(using dot notation).
-
${prefix}
refers to the directory that can be configured with the--prefix
./configure
option (defaults to/usr/local
). -
${sysconfdir}
refers to the directory that can be configured with the--sysconfdir
./configure
option (defaults to${prefix}/etc
). -
${piddir}
refers to the directory that can be configured with the--with-piddir
./configure
option (defaults to/var/run
). -
${nm_ca_dir}
refers to the directory that can be configured with the--with-nm-ca-dir
./configure
option (defaults to/usr/share/ca-certificates
).
attest
database |
File measurement information database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
load |
Plugins to load in |
charon
Many of the options in this section also apply to
charon-cmd
,
charon-systemd
and other derivatives of
the charon
daemon. Just use their respective name
(e.g. charon-systemd
instead of charon
).
Key | Default | Description [Default] |
---|---|---|
accept_private_algs |
|
Deliberately violate the IKE standard’s requirement and allow the use of private
algorithm identifiers, even if the peer implementation is unknown (i.e. if the
peer doesn’t send a vendor ID via |
block_threshold |
|
Maximum number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) for a single peer IP |
cache_crls |
|
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be
saved under a unique file name derived from the public key of the Certification
Authority (CA) to |
check_current_path |
|
By default, after detecting any changes to interfaces and/or addresses no action is taken if the current path to the remote peer still looks usable. Enabling this option will use DPD to check if the path actually still works, or, for instance, the peer removed the state after a longer phase without connectivity. It will also trigger a MOBIKE update if NAT mappings were removed during the downtime |
cert_cache |
|
Whether relations in validated certificate chains should be cached in memory |
cisco_flexvpn |
|
Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order
to make Cisco brand devices allow negotiating a local traffic selector (from
strongSwan’s point of view) that is not the assigned virtual IP address if such
an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID
prevents the peer from narrowing the initiator’s local traffic selector and
allows it to e.g. negotiate a TS of |
cisco_unity |
|
Send Cisco Unity vendor ID payload (IKEv1 only),
see |
close_ike_on_child_failure |
|
Close the |
cookie_threshold |
|
Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) that activate the cookie mechanism |
cookie_threshold_ip |
|
Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) for a single peer IP that activate the cookie mechanism (since version 5.9.6) |
crypto_test |
Section to configure crypto tests, see charon.crypto_test |
|
delete_rekeyed |
|
Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings. However this might cause problems with implementations that continue to use rekeyed SAs until they expire |
delete_rekeyed_delay |
|
Delay in seconds until inbound IPsec SAs are deleted after rekeyings (IKEv2 only).
To process delayed packets the inbound part of a CHILD_SA is kept installed up
to the configured number of seconds after it got replaced during a rekeying. If
set to |
dh_exponent_ansi_x9_42 |
|
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical strength |
dlopen_use_rtld_now |
|
Use RTLD_NOW with dlopen() when loading plugins and IMV/IMCs to reveal missing symbols immediately. Useful during development of custom plugins |
dns1 |
DNS server assigned to peer via configuration payload (CP), see
|
|
dns2 |
DNS server assigned to peer via configuration payload (CP) |
|
dos_protection |
|
Enable Denial of Service protection using cookies and aggressiveness checks |
filelog |
Section to define file loggers, see logger configuration |
|
flush_auth_cfg |
|
If enabled objects used during authentication (certificates, identities etc.) are released to free memory once an IKE_SA is established. Enabling this might conflict with plugins that later need access to e.g. the used certificates |
follow_redirects |
|
Whether to follow IKEv2 redirects, see RFC 5685 |
force_eap_only_authentication |
|
Violate the EAP-only authentication requirements according to
RFC 5998, even if the peer did not send an |
fragment_size |
|
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment when
using proprietary IKEv1 or standardized IKEv2 fragmentation. If specified, this
limit is used for both IPv4 and IPv6 with a default of |
group |
Name of the group the daemon changes to after startup |
|
half_open_timeout |
|
Timeout in seconds for connecting IKE_SAs, also see IKE_SA_INIT dropping |
hash_and_url |
|
Enable hash and URL support |
host_resolver.max_threads |
|
Maximum number of concurrent resolver threads (they are terminated if unused) |
host_resolver.min_threads |
|
Minimum number of resolver threads to keep around |
ignore_acquire_ts |
|
If this is disabled the traffic selectors from the kernel’s acquire events,
which are derived from the triggering packet, are prepended to the traffic
selectors from the configuration for IKEv2 connection. By enabling this, such
specific traffic selectors will be ignored and only the ones in the config will
be sent. This always happens for IKEv1 connections as the protocol only supports
one set of traffic selectors per |
ignore_routing_tables |
A space-separated list of routing tables to be excluded from route lookup |
|
ikesa_limit |
|
Maximum number of IKE_SAs that can be established at the same time before new connection attempts are blocked |
ikesa_table_segments |
|
Number of exclusively locked segments in the hash table, see IKE_SA lookup tuning |
ikesa_table_size |
|
Size of the |
inactivity_close_ike |
|
Whether to close IKE_SA if the only |
init_limit_half_open |
|
Limit new connections based on the current number of half open IKE_SAs, see IKE_SA_INIT dropping |
init_limit_job_load |
|
Limit new connections based on the number of jobs currently queued for processing, see IKE_SA_INIT dropping |
initiator_only |
|
Causes charon daemon to ignore IKE initiation requests |
install_routes |
|
Install routes into a separate routing table for established IPsec tunnels. If disabled a more efficient lookup for source and next-hop addresses is used. Since version 5.5.2 |
install_virtual_ip |
|
Install virtual IP addresses |
install_virtual_ip_on |
The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface |
|
integrity_test |
|
Check |
interfaces_ignore |
A comma-separated list of network interfaces that should be ignored by the
|
|
interfaces_use |
A comma-separated list of network interfaces that should be used by the
|
|
keep_alive |
|
NAT keep alive interval in seconds |
keep_alive_dpd_margin |
|
Number of seconds the keep alive interval may be exceeded before a DPD is sent
instead of a NAT keep alive ( |
leak_detective |
Section to configure the internal memory leak detective, see charon.leak_detective |
|
load |
Plugins to load in IKEv2 charon daemon, see Plugin Load |
|
load_modular |
|
If enabled the list of plugins to load is determined by individual |
make_before_break |
|
Initiate IKEv2 reauthentication with a make-before-break instead of a
break-before-make scheme. Make-before-break uses overlapping |
max_ikev1_exchanges |
|
Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about and track concurrently |
max_packet |
[→] |
Maximum packet size in bytes accepted by charon
|
multiple_authentication |
|
Enable multiple authentication exchanges, see RFC 4739 |
nbns1 |
WINS server assigned to peer via configuration payload (CP), see
|
|
nbns2 |
WINS server assigned to peer via configuration payload (CP) |
|
ocsp_nonce_len |
|
Length of nonces in OCSP requests. According to RFC 8954, valid values are between 1 and 32, with new clients required to use 32. Some servers might not support that so lowering the value to e.g. 16 might be necessary. Since version 5.9.13 |
port |
|
UDP port used locally. If set to 0 a random port will be allocated |
port_nat_t |
|
UDP port used locally in case of NAT-T. If set to 0 a random port will be
allocated. Has to be different from |
prefer_best_path |
|
By default, charon keeps SAs on the routing path with addresses it previously used if that path is still usable. By enabling this option, it tries more aggressively to update SAs with MOBIKE on routing priority changes using the cheapest path. This adds more noise, but allows to dynamically adapt SAs to routing priority changes. This option has no effect if MOBIKE is not supported or disabled |
prefer_configured_proposals |
|
Prefer locally configured proposals for IKE/IPsec over supplied ones as responder
(disabling this can avoid keying retries due to |
prefer_temporary_addrs |
|
By default public IPv6 addresses are preferred over temporary ones according to RFC 4941 to make connections more stable. Enable this option to reverse this. |
process_route |
|
Process |
processor.priority_threads |
Subsection to configure the number of reserved threads per priority class, see Job Priority |
|
reject_trusted_end_entity |
|
Reject peers that use trusted end-entity certificates (i.e. local certificates). Since version 5.9.12 |
rdn_matching |
[→] |
How the Relative Distinguished Names (RDNs) a certificate’s Subject Distinguished
Name (DN) is composed of, are matched against configured identities. Possible
values are |
receive_delay |
|
Delay in ms for receiving packets, to simulate a larger Round Trip Time (RTT) |
receive_delay_response |
|
Delay response messages |
receive_delay_request |
|
Delay request messages |
receive_delay_type |
|
Specific IKEv2 message type to delay, |
replay_window |
|
Size of the AH/ESP replay window, in packets |
reqid_base |
|
Value of the first reqid to be automatically assigned to a CHILD_SA (since version 5.9.9) |
retransmit_base |
|
Base to use for calculating exponential back off, see Retransmission |
retransmit_jitter |
|
Maximum jitter in percent to apply randomly to calculated retransmission timeout
( |
retransmit_limit |
|
Upper limit in seconds for calculated retransmission timeout ( |
retransmit_timeout |
|
Timeout in seconds before sending first retransmit, see Retransmission |
retransmit_tries |
|
Number of times to retransmit a packet before giving up, see Retransmission |
retry_initiate_interval |
|
Interval in seconds to use when retrying to initiate an |
reuse_ikesa |
|
Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1) |
routing_table |
|
Numerical routing table to install routes to |
routing_table_prio |
|
Priority of the routing table |
rsa_pss |
|
Whether to use RSA with PSS padding instead of PKCS#1 padding by default |
rsa_pss_trailerfield |
|
Whether to encode an explicit |
send_delay |
|
Delay in ms for sending packets, to simulate a larger Round Trip Time (RTT) |
send_delay_request |
|
Delay request messages |
send_delay_response |
|
Delay response messages |
send_delay_type |
|
Specific IKEv2 message type to delay ( |
send_vendor_id |
|
Send strongSwan vendor ID payload |
signature_authentication |
|
Whether to enable Signature Authentication as per RFC 7427 |
signature_authentication_ constraints |
|
If enabled, signature schemes configured in |
spi_label |
[→] |
Value mixed into the local IKE SPIs after applying |
spi_mask |
[→] |
Mask applied to local IKE SPIs before mixing in |
spi_min |
[→] |
The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
set lower than |
spi_max |
[→] |
The upper limit for SPIs requested from the kernel for IPsec SAs.
|
start-scripts |
Section containing a list of scripts ( |
|
stop-scripts |
Section containing a list of scripts ( |
|
syslog |
Section to define syslog loggers, see logger configuration |
|
threads |
|
Number of worker threads in Several of these are reserved for long running
tasks in internal modules and plugins. Therefore, make sure you don’t set this
value too low. The number of idle worker threads listed in |
user |
Name of the user the daemon changes to after startup |
|
x509.enforce_critical |
|
Discard certificates with unsupported or unknown critical extensions |
charon.crypto_test
bench |
|
Benchmark crypto algorithms and order them by efficiency |
bench_size |
|
Buffer size used for crypto benchmark |
bench_time |
|
Time in ms during which crypto algorithm performance is measured |
on_add |
|
Test crypto algorithms during registration (requires test vectors provided by
the |
on_create |
|
Test crypto algorithms on each crypto primitive instantiation |
required |
|
Strictly require at least one test vector to enable an algorithm |
rng_true |
|
Whether to test RNG with TRUE quality. Requires a lot of entropy |
charon.leak_detective
detailed |
|
Includes source file names and line numbers in leak detective output |
usage_threshold |
[→] |
Threshold in bytes for allocations to be included in usage reports ( |
usage_threshold_count |
|
Threshold in number of allocations for allocations to be included in usage
reports ( |
Dangerous Options
Key | Default |
---|---|
accept_unencrypted_mainmode_messages |
no |
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Some
implementations send the third Main Mode message unencrypted, probably to find
the PSKs for the specified ID for authentication. This is very similar to
Aggressive Mode and has the same security implications: A passive attacker can
sniff the negotiated identity and can start brute forcing the PSK using the
HASH payload. Don’t enable this option unless you know exactly what the
implications are and compatibility to such devices is required (e.g. some
SonicWall boxes).
|
i_dont_care_about_security_and_use_aggressive_mode_psk |
no |
If enabled, IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys (PSKs). This is strongly discouraged due to security concerns (offline attacks on the openly transmitted hash of the PSK). |
charon.plugins
Key |
Default |
Description [Default] |
charon.plugins.addrblock
depth |
|
How deep towards the root CA to validate issuer cert RFC 3779 requires that all addrblocks claimed by a certificate must
be contained in the In practice, third party (root) CAs may not contain the extension, making the
|
strict |
|
If set to |
charon.plugins.attr
<attribute> |
Attribute assigned to a peer via |
charon.plugins.attr-sql
crash_recovery |
|
Release all online leases during startup. Disable this to share the database between multiple VPN gateways |
database |
Database URI used to access the database |
|
lease_history |
|
Enable logging of IP pool leases |
charon.plugins.bliss
use_bliss_b |
|
Use the enhanced BLISS-B key generation and signature algorithm |
charon.plugins.botan
internal_rng_only |
|
If enabled, only Botan’s internal RNG will be used throughout the plugin.
Otherwise and if supported by Botan, |
charon.plugins.bypass-lan
interfaces_ignore |
A comma-separated list of network interfaces for which connected subnets
should be ignored. If |
|
interfaces_use |
A comma-separated list of network interfaces for which connected subnets should be considered. All other interfaces are ignored |
charon.plugins.certexpire
csv.cron |
Cron style string specifying CSV export times |
|
csv.empty_string |
String to use in empty intermediate CA fields |
|
csv.fixed_fields |
|
Use a fixed intermediate CA field count |
csv.format |
[→] |
|
csv.local |
|
|
csv.remote |
|
|
csv.separator |
|
CSV field separator |
charon.plugins.coupling
file |
File to store coupling list to |
|
hash |
|
Hashing algorithm to fingerprint coupled certificates
( |
max |
|
Maximum number of coupling entries to create |
charon.plugins.curl
redir |
|
Maximum number of redirects followed by the plugin, set to |
tls_backend |
The SSL/TLS backend to configure in curl if multiple are available (requires
|
charon.plugins.dhcp
force_server_address |
|
Always use the configured server address[1] |
identity_lease |
|
Derive user-defined MAC address from hash of IKE identity. The client identity
|
interface |
Interface name the plugin uses for address allocation. The default is to bind
to any ( |
|
server |
[→] |
|
use_server_port |
|
Use the |
charon.plugins.duplicheck
enable |
|
Enable duplicheck functionality |
socket |
[→] |
Socket provided by the duplicheck plugin.
|
charon.plugins.eap-aka-3gpp
seq_check |
Enable to activate sequence check of the AKA SQN values in order to trigger resync cycles |
charon.plugins.eap-aka-3gpp2
seq_check |
Enable to activate sequence check of the AKA SQN values in order to trigger resync cycles |
charon.plugins.eap-dynamic
prefer_user |
|
If enabled the order of the EAP methods in an |
preferred |
The preferred EAP method(s) to be used. If not set, the first registered method will be used initially. If a comma separated list is specified, the methods are tried in the given order before trying the rest of the registered methods |
charon.plugins.eap-gtc
backend |
|
XAuth backend to use |
charon.plugins.eap-peap
fragment_size |
|
Maximum size of an EAP-PEAP packet |
max_message_count |
|
Maximum number of processed EAP-PEAP packets. ( |
include_length |
|
Include length in non-fragmented EAP-PEAP packets |
phase2_method |
[→] |
Phase2 EAP client authentication method.
|
phase2_piggyback |
|
Phase2 EAP Identity request piggybacked by server onto TLS Finished message |
phase2_tnc |
|
Start phase2 EAP-TNC protocol after successful client authentication |
request_peer_auth |
|
Request peer authentication based on a client certificate |
charon.plugins.eap-radius
accounting |
|
Enable EAP-RADIUS accounting |
accounting_close_on_timeout |
|
Close the IKE_SA if there is a timeout during interim RADIUS accounting updates |
accounting_interval |
|
Interval in seconds for interim RADIUS accounting updates, if not specified by the RADIUS server in the Access-Accept message |
accounting_requires_vip |
|
If enabled, accounting is disabled unless an IKE_SA has at least one virtual IP |
accounting_send_class |
|
If enabled, adds the Class attributes received in Access-Accept message to the RADIUS accounting messages |
class_group |
|
Use the class attribute sent in the Access-Accept message as group membership information. |
close_all_on_timeout |
|
Closes all IKE_SAs if communication with the RADIUS server times out. If it is not set only the current IKE_SA is closed |
dae.enable |
|
Enables support for the Dynamic Authorization Extension |
dae.listen |
[→] |
Address to listen for DAE messages from the RADIUS server.
|
dae.port |
|
Port to listen for DAE requests |
dae.secret |
Shared secret used to verify/sign DAE messages.If set, make sure to adjust the permissions of the config file accordingly |
|
eap_start |
|
Send EAP-Start instead of EAP-Identity to start RADIUS conversation |
filter_id |
|
Use the filter_id attribute sent in the RADIUS-Accept message as group membership if the RADIUS tunnel_type attribute is set to ESP |
forward.ike_to_radius |
RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined by name
or attribute number, a colon can be used to specify vendor-specific attributes,
e.g. |
|
forward.radius_to_ike |
Same as above but from RADIUS to IKEv2, a strongSwan specific private notify
( |
|
id_prefix |
Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the EAP method |
|
nas_identifier |
[→] |
NAS-Identifier to include in RADIUS messages.
|
port |
|
Port of RADIUS server (authentication) |
retransmit_base |
|
Base to use for calculating exponential back off |
retransmit_timeout |
|
Timeout in seconds before sending first retransmit |
retransmit_tries |
|
Number of times to retransmit a packet before giving up |
secret |
Shared secret between RADIUS and NAS. If set, make sure to adjust the permissions of the config file accordingly |
|
server |
IP/Hostname of RADIUS server |
|
servers |
Section to specify multiple RADIUS servers. The |
|
sockets |
|
Number of sockets (ports) to use. Increase for high load |
station_id_with_port |
|
Whether to include the UDP port in the |
xauth |
Section to configure multiple XAuth authentication rounds via RADIUS |
charon.plugins.eap-simaka-sql
database |
Database URI |
|
remove_used |
|
Remove triplets/quintuplets after use |
charon.plugins.eap-tls
fragment_size |
|
Maximum size of an EAP-TLS packet |
include_length |
|
Include length in non-fragmented EAP-TLS packets |
max_message_count |
|
Maximum number of processed EAP-TLS packets ( |
charon.plugins.eap-tnc
max_message_count |
|
Maximum number of processed EAP-TNC packets ( |
protocol |
[→] |
IF-TNCCS protocol version to be used ( |
charon.plugins.eap-ttls
fragment_size |
|
Maximum size of an EAP-TTLS packet |
include_length |
|
Include length in non-fragmented EAP-TTLS packets |
max_message_count |
|
Maximum number of processed EAP-TTLS packets ( |
phase2_method |
|
Phase2 EAP client authentication method |
phase2_piggyback |
|
Phase2 EAP Identity request piggybacked by server onto TLS Finished message |
phase2_tnc |
|
Start phase2 EAP TNC protocol after successful client authentication |
phase2_tnc_method |
|
Phase2 EAP TNC transport protocol ( |
request_peer_auth |
|
Request peer authentication based on a client certificate |
charon.plugins.error-notify
socket |
[→] |
Socket provided by the error-notify plugin.
|
charon.plugins.ext-auth
charon.plugins.ext-auth.script |
Script or command to execute |
charon.plugins.forecast
groups |
[→] |
Comma-separated list of multicast groups to join locally. The local host receives
and forwards packets in the local LAN for joined multicast groups only. Packets
matching the list of multicast groups get forwarded to connected clients. The
default group includes host multicasts, IGMP, mDNS, LLMNR and SSDP/WS-Discovery
and is usually a good choice for Windows clients.
|
interface |
Name of the local interface to listen for broadcasts messages to forward. If no interface is configured, the first usable interface is used, which is usually just fine for single-homed hosts. If your host has multiple interfaces, set this option to the local LAN interface you want to forward broadcasts from/to. |
|
reinject |
Comma-separated list of |
charon.plugins.gcrypt
quick_random |
|
Use faster random numbers in gcrypt. For testing only, produces weak keys! |
charon.plugins.ha
autobalance |
|
Interval in seconds to automatically balance handled segments between nodes.
Set to |
buflen |
|
Buffer size for received HA messages. For IKEv1 the public DH factors are also
transmitted so depending on the DH group the HA messages can get quite big
(the default should be fine up to |
fifo_interface |
|
Enable the segment responsibility administration interface |
heartbeat_delay |
|
Time between heartbeats |
heartbeat_timeout |
|
Time after the last received heartbeet after which a failure is declared. |
local |
IP address on which to receive sync messages |
|
monitor |
|
Enable the heartbeat based remote node monitoring |
pools |
Optional HA-enabled virtual IP address pool subsection |
|
remote |
IP address to send sync messages to |
|
resync |
|
Enable automatic state resynchronization if a node joins the cluster |
secret |
If specified, the nodes automatically establish a pre-shared key authenticated IPsec tunnel for HA sync and control messages |
|
segment_count |
|
Number of ClusterIP segments to use |
charon.plugins.kernel-libipsec
allow_peer_ts |
|
Allow that the remote traffic selector equals the IKE peer |
fwmark |
[→] |
Firewall mark to set on outbound raw ESP packets. Since version 5.9.11
|
raw_esp |
|
Whether to send and receive ESP packets without UDP encapsulation if supported on this platform and no NAT is detected. Since version 5.9.11 |
charon.plugins.kernel-netlink
buflen |
[→] |
Buffer size for received Netlink messages.
|
fwmark |
Firewall mark to set on the routing rule that directs traffic to our own routing
table. The format is |
|
hw_offload_feature_interface |
|
If the kernel supports hardware offloading, the plugin needs to find the feature flag which represents hardware offloading support for network devices. Using the loopback device for this purpose is usually fine, since it should always be present. For rare cases in which the loopback device cannot be used to obtain the appropriate feature flag, this option can be used to specify an alternative interface for offload feature detection |
install_routes_xfrmi |
|
Whether routes via XFRM interfaces
are automatically installed for SAs that reference such an interface via
|
mss |
|
MSS to set on installed routes, |
mtu |
|
MTU to set on installed routes, |
port_bypass |
|
Whether to use port or socket based IKE XFRM bypass policies. IKE bypass policies are used to exempt IKE traffic from XFRM processing. The default socket based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. |
process_rules |
|
Whether to process changes in routing rules to trigger roam events. This is currently only useful if the kernel based route lookup is used (i.e. if route installation is disabled or an inverted fwmark match is configured) |
receive_buffer_size |
|
Maximum Netlink socket receive buffer in bytes. This value controls how many
bytes of Netlink messages can be queued to a Netlink socket. If set to 0,
the default from |
roam_events |
|
Whether to trigger roam events when interfaces, addresses or routes change |
set_proto_port_transport_sa |
|
Whether to set protocol and ports in the selector installed on transport mode IPsec SAs in the kernel. While doing so enforces policies for inbound traffic, it also prevents the use of a single IPsec SA by more than one traffic selector |
spdh_thresh |
Subsection to configure XFRM policy hashing thresholds for IPv4 and IPv6. The section defines hashing thresholds to configure in the kernel during daemon startup. Each address family takes a threshold for the local subnet of an IPsec policy (src in out-policies, dst in in- and forward-policies) and the remote subnet (dst in out-policies, src in in- and forward-policies). If the subnet has more or equal net bits than the threshold, the first threshold bits are used to calculate a hash to lookup the policy. Note: These settings are mostly obsolete since Linux 5.0, which started using a multi-level tree-based policy lookup. |
|
spdh_thresh.ipv4.lbits |
|
Local subnet XFRM policy hashing threshold for IPv4 |
spdh_thresh.ipv4.rbits |
|
Remote subnet XFRM policy hashing threshold for IPv4 |
spdh_thresh.ipv6.lbits |
|
Local subnet XFRM policy hashing threshold for IPv6 |
spdh_thresh.ipv6.rbits |
|
Remote subnet XFRM policy hashing threshold for IPv6 |
xfrm_acq_expires |
|
Lifetime of XFRM acquire state created by the kernel when traffic matches a trap
policy. The value gets written to |
charon.plugins.kernel-pfkey
events_buffer_size |
|
Size of the receive buffer for the event socket ( |
route_via_internal |
|
Whether to use the internal or external interface in installed routes.The internal interface is the one where the IP address contained in the local traffic selector is located, the external interface is the one over which the destination address of the IPsec tunnel can be reached. This is not relevant if virtual IPs are used, for which a TUN device is created that’s used in the routes |
charon.plugins.kernel-pfroute
mtu |
|
MTU to set on TUN devices created for virtual IPs |
vip_wait |
|
Time in ms to wait until virtual IP addresses appear/disappear before failing |
charon.plugins.load-tester
addrs |
Subsection that contains key/value pairs with address pools (in CIDR notation) to use for a specific network interface e.g. eth0 = 10.10.0.0/16 |
|
addrs_keep |
|
Whether to keep dynamic addresses installed even after the associated SA got terminated |
addrs_prefix |
|
Network prefix length to use when installing dynamic addresses. If set to |
ca_dir |
Directory to load (intermediate) CA certificates from |
|
child_rekey |
|
Seconds to start CHILD_SA rekeying after setup |
crl |
URI to a CRL to include as certificate distribution point in generated certificates |
|
delay |
|
Delay between initiatons for each thread |
delete_after_established |
|
Delete an IKE_SA as soon as it has been established |
digest |
|
Digest algorithm used when issuing certificates |
dpd_delay |
|
DPD delay to use in load test |
dynamic_port |
|
Base port to be used for requests (each client uses a different port) |
eap_password |
[→] |
EAP secret to use in load test.
|
enable |
|
Enable the load testing plugin |
esp |
[→] |
CHILD_SA proposal to use for load tests.
|
fake_kernel |
|
Fake the kernel interface to allow load-testing against self |
ike_rekey |
|
Seconds to start IKE_SA rekeying after setup |
init_limit |
|
Global limit of concurrently established SAs during load test |
initiator |
[→] |
Address to initiate from.
|
initiator_auth |
[→] |
Authentication method(s) the intiator uses.
|
initiator_id |
Initiator ID used in load test |
|
initiator_match |
Initiator ID to match against as responder |
|
initiator_tsi |
Traffic selector on initiator side, as proposed by initiator |
|
initiator_tsr |
Traffic selector on responder side, as proposed by initiator |
|
initiators |
|
Number of concurrent initiator threads to use in load test |
issuer_cert |
Path to the issuer certificate (if not configured a hard-coded default value is used) |
|
issuer_key |
Path to private key that is used to issue certificates (if not configured a hard-coded default value is used) |
|
iterations |
|
Number of IKE_SAs to initiate by each initiator in load test |
mode |
[→] |
IPsec mode to use, one of |
pool |
Provide virtual IPs from a named pool |
|
preshared_key |
[→] |
Preshared key to use in load test.
|
proposal |
[→] |
IKE proposal to use in load test.
|
request_virtual_ip |
|
Request an |
responder |
[→] |
Address to initiation connections to.
|
responder_auth |
|
Authentication method(s) the responder uses |
responder_id |
Responder ID used in load test |
|
responder_tsi |
[→] |
Traffic selector on initiator side, as narrowed by responder.
|
responder_tsr |
[→] |
Traffic selector on responder side, as narrowed by responder.
|
shutdown_when_complete |
|
Shutdown the daemon after all IKE_SAs have been established |
socket |
[→] |
Socket provided by the |
version |
|
IKE version to use ( |
charon.plugins.lookip
socket |
[→] |
Socket provided by the lookip plugin.
|
charon.plugins.ntru
parameter_set |
[→] |
The following parameter sets are available: |
charon.plugins.openssl
engine_id |
[→] |
ENGINE ID to use in the OpenSSL plugin.
|
fips_mode |
|
Set OpenSSL FIPS mode. With OpenSSL before 3.0, the supported values are
disabled( |
load_legacy |
|
Load the legacy provider in OpenSSL 3+ for algorithms like MD4, DES, or Blowfish (the first two are required for EAP-MSCHAPv2). If disabled, the default provider is loaded, or those configured in the OpenSSL config (e.g. the fips provider) |
charon.plugins.openxpki
database |
OpenXPKI MySQL/MariaDB URI. If it contains a password, make sure to adjust the permissions of the config file accordingly |
charon.plugins.osx-attr
append |
|
Whether DNS servers are appended to existing entries, instead of replacing them |
charon.plugins.pkcs11
modules |
This section lists available |
|
modules.<name>.path |
Full path to the shared object file of this |
|
modules.<name>.os_locking |
|
Whether OS locking should be enabled for this module |
modules.<name>.load_certs |
|
Whether the |
reload_certs |
|
Whether the |
use_dh |
|
Whether the |
use_ecc |
|
Whether the PKCS#11 modules should be used for |
use_hasher |
|
Whether the |
use_pubkey |
|
Whether the |
use_rng |
|
Whether the |
use_rsa_pss_hashers |
|
Whether the |
charon.plugins.radattr
dir |
Directory where RADIUS attributes are stored in client-ID specific files |
|
message_id |
|
RADIUS attributes are added to all IKE_AUTH messages by default [ |
charon.plugins.random
random |
[→] |
File to read random bytes from.
|
urandom |
[→] |
File to read pseudo random bytes from.
|
strong_equals_true |
no |
If enabled the |
charon.plugins.resolve
file |
[→] |
File where name servers are written to if not using |
resolvconf.iface |
[→] |
The interface name and protocol sent to |
resolvconf.path |
[→] |
Path/command for |
charon.plugins.revocation
enable_crl |
|
Whether CRL validation should be enabled |
enable_ocsp |
|
Whether OCSP validation should be enabled |
timeout |
|
charon.plugins.save-keys
esp |
|
Whether to save ESP keys |
ike |
|
Whether to save IKE keys |
wireshark_keys |
Directory where the keys are stored in the format supported by Wireshark. IKEv1
keys are stored in the |
charon.plugins.socket-default
set_source |
|
Set source address on outbound packets, if possible |
set_sourceif |
|
Force sending interface on outbound packets, if possible. This allows using IPv6 link-local addresses as tunnel endpoints |
use_ipv4 |
|
Listen on IPv4, if possible |
use_ipv6 |
|
Listen on IPv6, if possible |
charon.plugins.sql
database |
Database URI. If it contains a password, make sure to adjust the permissions of the config file accordingly |
|
loglevel |
|
Loglevel for logging to SQL database |
charon.plugins.stroke
allow_swap |
|
Analyze addresses/hostnames in |
ignore_missing_ca_basic_constraint |
|
Treat certificates in |
max_concurrent |
|
Maximum number of stroke messages handled concurrently |
secrets_file |
[→] |
Location of the |
socket |
[→] |
Socket provided by the stroke plugin.
|
timeout |
|
Timeout in ms for any stroke command. Use |
charon.plugins.systime-fix
interval |
|
Interval in seconds to check system time for validity. |
reauth |
|
Whether to use reauth or delete if an invalid cert lifetime is detected |
threshold |
Threshold date where system time is considered valid. Disabled if not specified |
|
threshold_format |
%Y |
|
timeout |
|
How long to wait for a valid system time if an interval is configured.
|
charon.plugins.tnc-ifmap
client_cert |
Path to X.509 certificate file of IF-MAP client |
|
client_key |
Path to private key file of IF-MAP client |
|
device_name |
Unique name of strongSwan server as a PEP and/or PDP device |
|
renew_session_interval |
|
Interval in seconds between periodic IF-MAP RenewSession requests |
server_cert |
Path to X.509 certificate file of IF-MAP server |
|
server_uri |
[→] |
URI of the form |
username_password |
Credentials of IF-MAP client of the form |
charon.plugins.tnc-imc
dlcose |
|
Unload IMC after use |
preferred_language |
|
Preferred language for TNC recommendations |
charon.plugins.tnc-imv
dlcose |
|
Unload IMV after use |
recommendation_policy |
[→] |
TNC recommendation policy, one of |
charon.plugins.tnc-pdp
pt_tls.enable |
|
Enable PT-TLS protocol on the strongSwan PDP |
pt_tls.port |
|
PT-TLS server port the strongSwan PDP is listening on |
radius.enable |
|
Enable RADIUS protocol on the strongSwan PDP |
radius.method |
|
EAP tunnel method to be used |
radius.port |
|
RADIUS server port the strongSwan PDP is listening on |
radius.secret |
Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure to adjust the permissions of the config file accordingly |
|
server |
Name of the strongSwan PDP as contained in the AAA certificate |
|
timeout |
Timeout in seconds before closing incomplete connections |
charon.plugins.tnccs-11
max_message_size |
[→] |
Maximum size of a PA-TNC message (XML & Base64 encoding).
|
charon.plugins.tnccs-20
max_batch_size |
Maximum size of a PB-TNC batch (upper limit via PT-EAP = |
|
max_message_size |
Maximum size of a PA-TNC message (upper limit via PT-EAP = |
|
mutual |
|
Enable PB-TNC mutual protocol |
charon.plugins.tpm
ek_handle |
Handle of the RSA or ECC Endorsement Key (EK) to be used to set up an
authenticated session with a TPM 2.0 (e.g. |
|
fips_186_4 |
|
Is the TPM 2.0 FIPS-186-4 compliant, which forces e.g. the use of the default salt length instead of maximum salt length with RSA-PSS padding |
tcti.name |
[→] |
Name of TPM 2.0 TCTI library. Valid values: |
tcti.opts |
[→] |
Options for the TPM 2.0 TCTI library. Defaults are |
use_rng |
|
Whether the TPM 2.0 should be used as RNG. For security reasons enable
only if an authenticated session can be set up (see |
charon.plugins.unbound
dlv_anchors |
File to read trusted keys for |
|
resolv_conf |
[→] |
File to read DNS resolver configuration from.
|
trust_anchors |
[→] |
File to read DNSSEC trust anchors from (usually root zone KSK). The format of
the file is the standard DNS Zone file format, anchors can be stored as DS or
DNSKEY entries in the file.
|
charon.plugins.updown
dns_handler |
|
Whether the updown script should handle DNS servers assigned via IKEv1
|
charon.plugins.vici
socket |
[→] |
URI the plugin listens for client connections.
|
charon.plugins.whitelist
enabled |
|
Enable whitelist checking |
socket |
Socket provided by the whitelist plugin.
|
charon.plugins.wolfssl
fips_mode |
|
Enable to prevent loading the plugin if wolfSSL is not in FIPS mode |
charon.plugins.xauth-eap
backend |
[→] |
EAP plugin to use.
|
charon.plugins.xauth-pam
pam_service |
[→] |
PAM service to use for authentication.
|
session |
|
Open/close a PAM session for each active IKE_SA |
trim_email |
|
If an email address is received as an XAuth username, trim it to just the username part |
charon-nm
Key | Default | Description [Default] |
---|---|---|
ca_dir |
[→] |
Directory from which to load CA certificates if no certificate is configured.
|
mtu |
|
MTU for XFRM interfaces created by the NM plugin |
charon-systemd
journal |
Section to configure native systemd journal logger, very similar to the syslog logger as described in Logging |
imv_policy_manager
command_allow |
Shell command to be executed with recommendation |
|
command_block |
Shell command to be executed with all other recommendations |
|
database |
Database URI for the database that stores the package information. If it contains a password, make sure to adjust access permissions of the config file accordingly |
|
load |
[→] |
Plugins to load in IMV policy manager.
|
libimcv
Alternatively the libimcv
options could be defined in a charon.imcv
subsection.
Key | Default | Description [Default] |
---|---|---|
assessment_result |
|
Whether IMVs send a standard IETF Assessment Result attribute |
database |
Global IMV policy database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
debug_level |
|
Debug level for a stand-alone |
load |
[→] |
Plugins to load in IMC/IMVs with stand-alone |
policy_script |
[→] |
Script called for each TNC connection to generate IMV policies.
|
stderr_quiet |
|
Disable output to stderr with a stand-alone |
libimcv.os_info
default_password_enabled |
|
Manually set whether a default password is enabled |
name |
Manually set the name of the client OS (e.g. |
|
version |
Manually set the version of the client OS (e.g. |
libimcv.swid_gen
command |
[→] |
SWID generator command to be executed.
|
tag_creator.name |
[→] |
Name of the |
tag_creator.regid |
[→] |
regid of the |
libimcv.plugins.imc-attestation
aik_blob |
AIK encrypted private key blob file (TPM 1.2 only) |
|
aik_cert |
AIK certificate file |
|
aik_handle |
AIK object handle, e.g. |
|
aik_pubkey |
AIK public key file |
|
hash_algorithm |
[→] |
Preferred measurement hash algorithm.
|
mandatory_dh_groups |
|
Enforce mandatory Diffie-Hellman groups |
nonce_len |
|
DH nonce length |
pcr_info |
|
Whether to send pcr_before and pcr_after info |
pcr_padding |
|
Whether to pad IMA SHA1 measurements values when extending into SHA256 PCR banks |
use_quote2 |
|
Use Quote2 AIK signature instead of Quote signature |
use_version_info |
|
Version Info is included in Quote2 signature |
libimcv.plugins.imc-hcd
push_info |
|
Send quadruple info without being prompted |
subtypes |
Section to define PWG HCD PA subtypes (see [HCD-IMC]) |
|
subtypes.<section> |
Defines a PWG HCD PA subtype section. Recognized subtype |
|
subtypes.<section>.<sw_type> |
Defines a software type section. Recognized |
|
subtypes.<section>.<sw_type>. <software> |
Defines a software section having an arbitrary name |
|
subtypes.<section>.<sw_type>. <software>.name |
Name of the software installed on the hardcopy device |
|
subtypes.<section>.<sw_type>. <software>.patches |
String describing all patches applied to the given software on this hardcopy
device. The individual patches are separated by a newline character |
|
subtypes.<section>.<sw_type>. <software>.string_version |
String describing the version of the given software on this hardcopy device |
|
subtypes.<section>.<sw_type>. <software>.version |
Hex-encoded version string with a length of 16 octets consisting of the fields major version number (4 octets), minor version number (4 octets), build number (4 octets), service pack major number (2 octets) and service pack minor number (2 octets) |
|
subtypes.<section>. attributes_natural_language |
|
Variable length natural language tag conforming to RFC 5646 specifies the language to be used in the health assessment message of a given subtype |
subtypes.system.certification_state |
Hex-encoded certification state |
|
subtypes.system.configuration_state |
Hex-encoded configuration state |
|
subtypes.system.machine_type_model |
String specifying the machine type and model of the hardcopy device |
|
subtypes.system.pstn_fax_enabled |
|
Specifies if a PSTN facsimile interface is installed and enabled on the hardcopy device |
subtypes.system.time_source |
String specifying the hostname of the network time server used by the hardcopy device |
|
subtypes.system. user_application_enabled |
|
Specifies if users can dynamically download and execute applications on the hardcopy device |
subtypes.system. user_application_persistence_enabled |
|
Specifies if user dynamically downloaded applications can persist outside the boundaries of a single job on the hardcopy device |
subtypes.system.vendor_name |
String specifying the manufacturer of the hardcopy device |
|
subtypes.system.vendor_smi_code |
Integer specifying the globally unique 24-bit SMI code assigned to the manufacturer of the hardcopy device |
libimcv.plugins.imc-os
device_cert |
Manually set the path to the client device certificate (e.g.
|
|
device_handle |
Manually set handle to a private key bound to a smartcard or TPM (e.g.
|
|
device_id |
Manually set the client device ID in hexadecimal format (e.g.
|
|
device_pubkey |
Manually set the path to the client device public key (e.g.
|
|
push_info |
|
Send operating system info without being prompted |
libimcv.plugins.imc-swima
eid_epoch |
[→] |
Set 32 bit epoch value for event IDs manually if software collector database is
not available.
|
subscriptions |
|
Accept SW Inventory or SW Events subscriptions |
swid_database |
URI to software collector database containing event timestamps, software creation and deletion events and collected software identifiers. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
swid_directory |
[→] |
Directory where SWID tags are located.
|
swid_full |
|
Include file information in the XML-encoded SWID tags |
swid_pretty |
|
Generate XML-encoded SWID tags with pretty indentation |
libimcv.plugins.imc-test
additional_ids |
|
Number of additional IMC IDs |
command |
|
Command to be sent to the Test IMV. Valid commands are |
dummy_size |
|
Size of dummy attribute to be sent to the Test IMV ( |
retry |
|
Do a handshake retry |
retry_command |
Command to be sent to the IMV Test in the handshake retry. Valid commands are
|
libimcv.plugins.imv-attestation
cadir |
Path to directory with AIK cacerts |
|
dh_group |
[→] |
Preferred Diffie-Hellman group.
|
hash_algorithm |
[→] |
Preferred measurement hash algorithm.
|
min_nonce_len |
|
DH minimum nonce length |
remediation_uri |
URI pointing to attestation remediation instructions |
libtls
Alternatively the libtls
options could be defined in a charon.tls
subsection.
Key | Default | Description [Default] |
---|---|---|
cipher |
List of TLS encryption ciphers |
|
key_exchange |
List of TLS key exchange methods |
|
ke_group |
List of TLS key exchange groups |
|
mac |
List of TLS MAC algorithms |
|
signature |
List of TLS signature schemes |
|
suites |
List of TLS cipher suites |
|
send_certreq_authorities |
|
Whether to include CAs in a server’s |
version_min |
|
Minimum TLS version to negotiate |
version_max |
|
Maximum TLS version to negotiate |
libtnccs
Alternatively the libtnccs
options could be defined in a charon.tnc
subsection.
Key | Default | Description [Default] |
---|---|---|
tnc_config |
[→] |
TNC IMC/IMV configuration file.
|
manager
Key | Default | Description [Default] |
---|---|---|
database |
Credential database URI for If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
debug |
|
Enable debugging in |
load |
Plugins to load in |
|
socket |
FastCGI socket of |
|
threads |
|
Threads to use for request handling |
timeout |
|
Session timeout for |
medcli
database |
Mediation client database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
dpd |
|
DPD timeout to use in mediation client plugin |
rekey |
|
Rekeying time on mediation connections in mediation client plugin |
medsrv
database |
Mediation server database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
debug |
|
Debugging in mediation server web application |
dpd |
|
DPD timeout to use in mediation server plugin |
load |
Plugins to load in mediation server plugin |
|
password_length |
|
Minimum password length required for mediation server user accounts |
rekey |
|
Rekeying time on mediation connections in mediation server plugin |
socket |
Run Mediation server web application statically on socket |
|
threads |
|
Number of threads for mediation service web application |
timeout |
|
Session timeout for mediation service |
pki
load |
Plugins to load in |
|
scep.http_bind |
Source IP address to bind for HTTP operations |
|
scep.http_timeout |
|
Timeout for HTTP operations |
scep.renewal_via_pkcs_req |
|
Some SCEP servers (e.g. openxpki) are incorrectly doing certificate
renewal via |
pool
database |
Database URI for the database that stores IP pools and configuration attributes. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
load |
Plugins to load in ipsec pool tool |
pt-tls-client
load |
Plugins to load in |
sec-updater
database |
Global IMV policy database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
load |
Plugins to load in |
|
tmp.deb_file |
[→] |
Temporary storage for downloaded deb package file.
|
tmp.tag_file |
[→] |
Temporary storage for generated SWID tags.
|
tnc_manage_command |
[→] |
strongTNC manage.py command used to import SWID tags.
|
sw-collector
database |
URI to software collector database containing event timestamps, software creation and deletion events and collected software identifiers. If it contains a password, make sure to adjust the access permissions of the config file accordingly |
|
first_file |
[→] |
Path pointing to file created when the Linux OS was installed.
|
first_time |
[→] |
Time in UTC when the Linux OS was installed.
|
history |
Path pointing to apt |
|
load |
Plugins to load in |
|
rest_api.timeout |
|
Timeout in seconds of |
rest_api.uri |
HTTP[S] URI of the central collector’s |
starter
config_file |
[→] |
|
load_warning |
|
Show |
dhcp.force_server_address
and then set dhcp.server
to the local broadcast address, e.g. 192.168.0.255
. That’s because some DHCP
daemons do not listen on the loopback interface and thus can’t be reached via unicast (or even broadcast 255.255.255.255
) from the same host.
DHCP
server will always send packets to the DHCP
server port and if no process binds that port an ICMP port unreachable
message will be sent back that might be problematic for some DHCP
servers. To avoid that, enabling this option will cause the plugin to bind the DHCP
server port to send its requests when acting as relay agent. This is not necessary if a DHCP server is already running on the same host and might even cause conflicts and since the server port is already bound, ICMP
messages should not be an issue.