Diffstat (limited to 'roles/common/files/etc/strongswan.d/charon.conf')
-rw-r--r--roles/common/files/etc/strongswan.d/charon.conf53
1 files changed, 46 insertions, 7 deletions
diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 17e917a..5ed6452 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -7,6 +7,12 @@ charon {
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
+ # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ # be saved under a unique file name derived from the public key of the
+ # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes
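Review bot: The added comment for `cache_crls` misspells "Certificate" as "Certicate"; the line should read `# Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should`. If this file is meant to mirror the packaged default verbatim, the typo is better fixed at its origin so that a later sync does not reintroduce it. The enclosing `charon { }` block starts and ends outside the hunk.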
@@ -20,10 +26,17 @@ charon {
# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10
+ # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ # delete_rekeyed = no
+
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
+ # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+ # missing symbols immediately.
+ # dlopen_use_rtld_now = no
+
# DNS server assigned to peer via configuration payload (CP).
# dns1 =
@@ -40,11 +53,15 @@ charon {
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
+ # Whether to follow IKEv2 redirects (RFC 5685).
+ # follow_redirects = yes
+
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
- # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
- # address family specific default values). If specified this limit is
- # used for both IPv4 and IPv6.
- # fragment_size = 0
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
# Name of the group the daemon changes to after startup.
# group =
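Review bot: `follow_redirects` is documented with a default of `yes` and left commented out, so hosts configured by this role will follow IKEv2 redirects whenever the installed strongSwan supports them. RFC 5685 allows a redirect to arrive in the IKE_SA_INIT response, before the gateway has authenticated itself. The client still authenticates the gateway it is sent to, but if no peer in this deployment is expected to redirect, setting `follow_redirects = no` explicitly removes that path. Whether any gateway here relies on redirects is not visible from this diff, so confirm before changing it. The same applies to the new `fragment_size` default of 1280: every option shown is commented out, so effective values come from the installed package rather than from this file.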
@@ -58,6 +75,10 @@ charon {
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
@@ -116,6 +137,13 @@ charon {
# Determine plugins to load via each plugin's load option.
# load_modular = no
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
+ # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+ # and track concurrently.
+ # max_ikev1_exchanges = 3
+
# Maximum packet size accepted by charon.
# max_packet = 10000
@@ -136,6 +164,11 @@ charon {
# will be allocated.
# port_nat_t = 4500
+ # Prefer locally configured proposals for IKE/IPsec over supplied ones as
+ # responder (disabling this can avoid keying retries due to
+ # INVALID_KE_PAYLOAD notifies).
+ # prefer_configured_proposals = yes
+
# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
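Review bot: The added comment on `prefer_configured_proposals` names only the benefit of disabling it (fewer keying retries after INVALID_KE_PAYLOAD) and not the cost. With the option off, the responder presumably selects according to the initiator's ordering among the locally configured proposals, so a peer could steer the choice to the weakest algorithm that is still configured. I would add a line above the setting such as `# Keep enabled unless every configured proposal is acceptable; otherwise the peer's ordering decides.`, so that nobody turns it off just to silence retries.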
@@ -169,11 +202,11 @@ charon {
# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5
- # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
- # resolution failed), 0 to disable retries.
+ # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
+ # DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
- # Initiate CHILD_SA within existing IKE_SAs.
+ # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes
# Numerical routing table to install routes to.
@@ -197,6 +230,12 @@ charon {
# Send strongSwan vendor ID payload
# send_vendor_id = no
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
# Number of worker threads in charon.
# threads = 16