author | Guilhem Moulin <guilhem@fripost.org> | 2025-01-28 14:27:02 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2025-01-28 14:27:02 +0100 |
commit | dc9acda297a0eebec6d38bcf7243305161ce6527 (patch) | |
tree | 92f203f4da2788292f572f8a8e4da1d5050d962c /roles/common/files/etc/strongswan.d/charon.conf | |
parent | 0c5664f27d84c6d616b2c2fb0812aad94c4185af (diff) |
Update charon.conf for bookworm.
Diffstat (limited to 'roles/common/files/etc/strongswan.d/charon.conf')
-rw-r--r-- | roles/common/files/etc/strongswan.d/charon.conf | 41 |
1 files changed, 32 insertions, 9 deletions
diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 7cbe7db..efb241c 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -1,87 +1,90 @@ # Options for the charon IKE daemon. charon { # Deliberately violate the IKE standard's requirement and allow the use of # private algorithm identifiers, even if the peer implementation is unknown. # accept_private_algs = no # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. # accept_unencrypted_mainmode_messages = no - # Maximum number of half-open IKE_SAs for a single peer IP. + # Maximum number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) + # for a single peer IP. # block_threshold = 5 # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP # should be saved under a unique file name derived from the public key of # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or # /etc/swanctl/x509crl (vici), respectively. # cache_crls = no # Whether relations in validated certificate chains should be cached in # memory. # cert_cache = yes # Whether to use DPD to check if the current path still works after any # changes to interfaces/addresses. # check_current_path = no # Send the Cisco FlexVPN vendor ID payload (IKEv2 only). # cisco_flexvpn = no # Send Cisco Unity vendor ID payload (IKEv1 only). # cisco_unity = no # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no - # Number of half-open IKE_SAs that activate the cookie mechanism. - # cookie_threshold = 10 + # Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) that + # activate the cookie mechanism. + # cookie_threshold = 30 + + # Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) for a + # single peer IP that activate the cookie mechanism. + # cookie_threshold_ip = 3 # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). # delete_rekeyed = no # Delay in seconds until inbound IPsec SAs are deleted after rekeyings # (IKEv2 only). # delete_rekeyed_delay = 5 # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. 
# dh_exponent_ansi_x9_42 = yes # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal # missing symbols immediately. # dlopen_use_rtld_now = no # DNS server assigned to peer via configuration payload (CP). # dns1 = # DNS server assigned to peer via configuration payload (CP). # dns2 = # Enable Denial of Service protection using cookies and aggressiveness # checks. # dos_protection = yes - # Compliance with the errata for RFC 4753. - # ecp_x_coordinate_only = yes - # Free objects during authentication (might conflict with plugins). # flush_auth_cfg = no # Whether to follow IKEv2 redirects (RFC 5685). # follow_redirects = yes # Violate RFC 5998 and use EAP-only authentication even if the peer did not # send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH. # force_eap_only_authentication = no # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults # to 1280 (use 0 for address family specific default values, which uses a # lower value for IPv4). If specified this limit is used for both IPv4 and # IPv6. # fragment_size = 1280 # Name of the group the daemon changes to after startup. # group = 
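Review bot: Every line in this hunk stays commented out, so the new `cookie_threshold = 30` and `cookie_threshold_ip = 3` and the reworded `block_threshold` only document upstream defaults rather than set anything, and the header `# Options for the charon IKE daemon.` never records which strongSwan release these defaults were copied from, which is exactly what the next re-sync needs. I would extend the header to `# Options for the charon IKE daemon. Commented keys show the defaults of strongSwan <VERSION> as shipped in Debian bookworm; only uncommented keys change behaviour.` The removed `ecp_x_coordinate_only` is presumably no longer recognised by this strongSwan version, so if it is set uncommented in any other file under strongswan.d that setting would now be dead and worth a grep. The charon section continues past the end of the hunk.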
@@ -239,40 +242,44 @@ charon { # Number of times to retransmit a packet before giving up. # retransmit_tries = 5 # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if # DNS resolution failed), 0 to disable retries. # retry_initiate_interval = 0 # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). # reuse_ikesa = yes # Numerical routing table to install routes to. # routing_table = # Priority of the routing table. # routing_table_prio = # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. # rsa_pss = no + # Whether to encode an explicit trailerField value of 0x01 in the RSA-PSS + # algorithmIdentifier (CONTEXT3) or using the DEFAULT value by omitting it. + # rsa_pss_trailerfield = no + # Delay in ms for sending packets, to simulate larger RTT. # send_delay = 0 # Delay request messages. # send_delay_request = yes # Delay response messages. # send_delay_response = yes # Specific IKEv2 message type to delay, 0 for any. # send_delay_type = 0 # Send strongSwan vendor ID payload # send_vendor_id = no # Whether to enable Signature Authentication as per RFC 7427. # signature_authentication = yes # Whether to enable constraints against IKEv2 signature schemes. # signature_authentication_constraints = yes 
@@ -321,76 +328,92 @@ charon { # rng_true = no } host_resolver { # Maximum number of concurrent resolver threads (they are terminated if # unused). # max_threads = 3 # Minimum number of resolver threads to keep around. # min_threads = 0 } leak_detective { # Includes source file names and line numbers in leak detective output. # detailed = yes - # Threshold in bytes for leaks to be reported (0 to report all). + # Threshold in bytes for allocations to be included in usage reports (0 + # to include all). # usage_threshold = 10240 - # Threshold in number of allocations for leaks to be reported (0 to - # report all). + # Threshold in number of allocations for allocations to be included in + # usage reports (0 to include all). # usage_threshold_count = 0 } processor { # Section to configure the number of reserved threads per priority class # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). priority_threads { } } # Section containing a list of scripts (name = path) that are executed when # the daemon is started. start-scripts { } # Section containing a list of scripts (name = path) that are executed when # the daemon is terminated. stop-scripts { } tls { # List of TLS encryption ciphers. # cipher = + # List of TLS key exchange groups. + # ke_group = + # List of TLS key exchange methods. # key_exchange = # List of TLS MAC algorithms. # mac = + # Whether to include CAs in a server's CertificateRequest message. + # send_certreq_authorities = yes + + # List of TLS signature schemes. + # signature = + # List of TLS cipher suites. # suites = + # Maximum TLS version to negotiate. + # version_max = 1.2 + + # Minimum TLS version to negotiate. + # version_min = 1.2 + } x509 { # Discard certificates with unsupported or unknown critical extensions. # enforce_critical = yes } } |
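Review bot: The new `version_min = 1.2` / `version_max = 1.2` defaults in the `tls` section carry no comment about what they gate, and `send_certreq_authorities = yes` is added without its trade-off: including the CA list in the server's CertificateRequest reveals which CAs are trusted to any peer that gets as far as the TLS handshake, before that peer has authenticated. Nothing changes at runtime because all of these keys are commented, but a reader deciding whether to uncomment them would want `# Defaults pin TLS to 1.2 at both ends; raise version_max only after confirming the peers' TLS support.` above `version_max` and `# yes discloses the trusted CA names to unauthenticated clients; set to no if that list is sensitive.` above `send_certreq_authorities`. That this section governs strongSwan's TLS-based EAP methods is inferred from the option names, not shown in the hunk.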