From bac7811d2b35252b7a83a45d75bb344b4b1776a9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 16 May 2020 02:52:55 +0200 Subject: Upgrade baseline to Debian 10. --- roles/common/files/etc/strongswan.d/charon.conf | 32 +++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) (limited to 'roles/common/files/etc/strongswan.d/charon.conf') diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf index 5ed6452..22479cf 100644 --- a/roles/common/files/etc/strongswan.d/charon.conf +++ b/roles/common/files/etc/strongswan.d/charon.conf @@ -7,9 +7,9 @@ charon { # Maximum number of half-open IKE_SAs for a single peer IP. # block_threshold = 5 - # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should - # be saved under a unique file name derived from the public key of the - # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or # /etc/swanctl/x509crl (vici), respectively. # cache_crls = no @@ -29,6 +29,10 @@ charon { # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). # delete_rekeyed = no + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic # strength. # dh_exponent_ansi_x9_42 = yes @@ -164,6 +168,9 @@ charon { # will be allocated. # port_nat_t = 4500 + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + # Prefer locally configured proposals for IKE/IPsec over supplied ones as # responder (disabling this can avoid keying retries due to # INVALID_KE_PAYLOAD notifies). @@ -196,6 +203,14 @@ charon { # in strongswan.conf(5). # retransmit_base = 1.8 + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + # Timeout in seconds before sending first retransmit. # retransmit_timeout = 4.0 @@ -215,6 +230,9 @@ charon { # Priority of the routing table. # routing_table_prio = + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + # Delay in ms for sending packets, to simulate larger RTT. # send_delay = 0 @@ -236,6 +254,12 @@ charon { # Whether to enable constraints against IKEv2 signature schemes. # signature_authentication_constraints = yes + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + # Number of worker threads in charon. # threads = 16 @@ -250,7 +274,7 @@ charon { # Buffer size used for crypto benchmark. # bench_size = 1024 - # Number of iterations to test each algorithm. + # Time in ms during which crypto algorithm performance is measured. # bench_time = 50 # Test crypto algorithms during registration (requires test vectors -- cgit v1.2.3