Diffstat (limited to 'roles/common/files/etc/strongswan.d/charon.conf')
-rw-r--r--roles/common/files/etc/strongswan.d/charon.conf36
1 files changed, 33 insertions, 3 deletions
diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 22479cf..7cbe7db 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -1,6 +1,10 @@
# Options for the charon IKE daemon.
charon {
+ # Deliberately violate the IKE standard's requirement and allow the use of
+ # private algorithm identifiers, even if the peer implementation is unknown.
+ # accept_private_algs = no
+
# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
# accept_unencrypted_mainmode_messages = no
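Review bot: The two standards-relaxing options in this update, `accept_private_algs` here and `force_eap_only_authentication` in the `@@ -60,6 +71,10 @@` hunk, are added only as commented-out defaults, so the effective value is whatever the installed charon build defaults to. Since this role deploys the file to hosts, consider stating them explicitly as `accept_private_algs = no` and `force_eap_only_authentication = no`. That puts the intended setting in the repository, and any later change to it shows up in review. The `charon { … }` block continues outside this hunk, so confirm that no later line in the file sets either key.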
@@ -17,6 +21,13 @@ charon {
# memory.
# cert_cache = yes
+ # Whether to use DPD to check if the current path still works after any
+ # changes to interfaces/addresses.
+ # check_current_path = no
+
+ # Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
+ # cisco_flexvpn = no
+
# Send Cisco Unity vendor ID payload (IKEv1 only).
# cisco_unity = no
@@ -60,6 +71,10 @@ charon {
# Whether to follow IKEv2 redirects (RFC 5685).
# follow_redirects = yes
+ # Violate RFC 5998 and use EAP-only authentication even if the peer did not
+ # send an EAP_ONLY_AUTHENTICATION notify during IKE_AUTH.
+ # force_eap_only_authentication = no
+
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
# to 1280 (use 0 for address family specific default values, which uses a
@@ -135,6 +150,11 @@ charon {
# NAT keep alive interval.
# keep_alive = 20s
+ # Number of seconds the keep alive interval may be exceeded before a DPD is
+ # sent instead of a NAT keep alive (0 to disable). This is only useful if a
+ # clock is used that includes time spent suspended (e.g. CLOCK_BOOTTIME).
+ # keep_alive_dpd_margin = 0s
+
# Plugins to load in the IKE daemon charon.
# load =
@@ -176,14 +196,17 @@ charon {
# INVALID_KE_PAYLOAD notifies).
# prefer_configured_proposals = yes
- # By default public IPv6 addresses are preferred over temporary ones (RFC
- # 4941), to make connections more stable. Enable this option to reverse
- # this.
+ # Controls whether permanent or temporary IPv6 addresses are used as source,
+ # or announced as additional addresses if MOBIKE is used.
# prefer_temporary_addrs = no
# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes
+ # How RDNs in subject DNs of certificates are matched against configured
+ # identities (strict, reordered, or relaxed).
+ # rdn_matching = strict
+
# Delay in ms for receiving packets, to simulate larger RTT.
# receive_delay = 0
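Review bot: The replacement comment for `prefer_temporary_addrs` no longer says which behaviour `no` selects; the removed text stated that public IPv6 addresses are preferred over RFC 4941 temporary ones by default. A reader deciding whether the host's stable address is exposed to peers (as IKE source, or announced via MOBIKE) needs that direction. Keep one line of it above the key, for example `# no (default) prefers permanent addresses over RFC 4941 temporary ones.` The wording is carried over from the removed lines, so it is worth checking against the deployed strongSwan version.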
@@ -254,6 +277,13 @@ charon {
# Whether to enable constraints against IKEv2 signature schemes.
# signature_authentication_constraints = yes
+ # Value mixed into the local IKE SPIs after applying spi_mask.
+ # spi_label = 0x0000000000000000
+
+ # Mask applied to local IKE SPIs before mixing in spi_label (bits set will
+ # be replaced with spi_label).
+ # spi_mask = 0x0000000000000000
+
# The upper limit for SPIs requested from the kernel for IPsec SAs.
# spi_max = 0xcfffffff