diff options
| author | Bas van Dijk <v.dijk.bas@gmail.com> | 2018-03-26 17:18:08 +0200 |
|---|---|---|
| committer | Bas van Dijk <v.dijk.bas@gmail.com> | 2018-03-26 17:18:08 +0200 |
| commit | e9de38eb61e159e36ce4d905b02b8f4898ddae89 (patch) | |
| tree | e043dc017422e64bd81f3b772c1406fcb575582b | |
| parent | 85abad9e1c70f113faaeba1a95753070233dc06d (diff) | |
| download | nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar.gz nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar.bz2 nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar.lz nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar.xz nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.tar.zst nixpkgs-e9de38eb61e159e36ce4d905b02b8f4898ddae89.zip | |
strongswan-swanctl: actually removed the strongswan parameter files
6 files changed, 2 insertions, 2273 deletions
diff --git a/nixos/modules/services/networking/strongswan-swanctl/module.nix b/nixos/modules/services/networking/strongswan-swanctl/module.nix index 30d039a2b7a..d770094960b 100644 --- a/nixos/modules/services/networking/strongswan-swanctl/module.nix +++ b/nixos/modules/services/networking/strongswan-swanctl/module.nix @@ -5,12 +5,7 @@ with (import ./param-lib.nix lib); let cfg = config.services.strongswan-swanctl; - - # TODO: auto-generate these files using: - # https://github.com/strongswan/strongswan/tree/master/conf - # IDEA: extend the format-options.py script to output these Nix files. - #strongswanParams = import ./strongswan-params.nix lib; - swanctlParams = import ./swanctl-params.nix lib; + swanctlParams = import ./swanctl-params.nix lib; in { options.services.strongswan-swanctl = { enable = mkEnableOption "strongswan-swanctl service"; @@ -32,11 +27,7 @@ in { ''; }; - # The structured strongswan configuration is commented out for - # now in favour of the literal config above. We should first - # discus if we want to add the 600+ options by default. - #strongswan = paramsToOptions strongswanParams; - swanctl = paramsToOptions swanctlParams; + swanctl = paramsToOptions swanctlParams; }; config = mkIf cfg.enable { @@ -76,7 +67,6 @@ in { path = with pkgs; [ kmod iproute iptables utillinux ]; environment.STRONGSWAN_CONF = pkgs.writeTextFile { name = "strongswan.conf"; - #text = paramsToConf cfg.strongswan strongswanParams; text = cfg.strongswan.extraConfig; }; restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ]; diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix deleted file mode 100644 index 17bd632dc18..00000000000 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix +++ /dev/null @@ -1,572 +0,0 @@ -lib: with (import ./param-constructors.nix lib); - -let loglevelParams = import ./strongswan-loglevel-params.nix lib; -in { - accept_unencrypted_mainmode_messages = mkYesNoParam no '' - Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Some - implementations send the third Main Mode message unencrypted, probably - to find the PSKs for the specified ID for authentication. This is very - similar to Aggressive Mode, and has the same security implications: A - passive attacker can sniff the negotiated Identity, and start brute - forcing the PSK using the HASH payload. It is recommended to keep this - option to no, unless you know exactly what the implications are and - require compatibility to such devices (for example, some SonicWall - boxes). - ''; - - block_threshold = mkIntParam 5 '' - Maximum number of half-open IKE_SAs for a single peer IP. - ''; - - cache_crls = mkYesNoParam no '' - Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP - should be saved under a unique file name derived from the public - key of the Certification Authority (CA) to - <literal>/etc/ipsec.d/crls</literal> (stroke) or - <literal>/etc/swanctl/x509crl</literal> (vici), respectively. - ''; - - cert_cache = mkYesNoParam yes '' - Whether relations in validated certificate chains should be cached in memory. - ''; - - cisco_unity = mkYesNoParam no '' - Send Cisco Unity vendor ID payload (IKEv1 only), see unity plugin. - ''; - - close_ike_on_child_failure = mkYesNoParam no '' - Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. - ''; - - cookie_threshold = mkIntParam 10 '' - Number of half-open IKE_SAs that activate the cookie mechanism. - ''; - - crypto_test.bench = mkYesNoParam no '' - Benchmark crypto algorithms and order them by efficiency. - ''; - - crypto_test.bench_size = mkIntParam 1024 '' - Buffer size used for crypto benchmark. - ''; - - crypto_test.bench_time = mkIntParam 50 '' - Number of iterations to test each algorithm. - ''; - - crypto_test.on_add = mkYesNoParam no '' - Test crypto algorithms during registration - (requires test vectors provided by the test-vectors plugin). - ''; - - crypto_test.on_create = mkYesNoParam no '' - Test crypto algorithms on each crypto primitive instantiation. - ''; - - crypto_test.required = mkYesNoParam no '' - Strictly require at least one test vector to enable an algorithm. - ''; - - crypto_test.rng_true = mkYesNoParam no '' - Whether to test RNG with TRUE quality; requires a lot of entropy. - ''; - - delete_rekeyed = mkYesNoParam no '' - Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). - Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings. - However, this might cause problems with implementations that continue - to use rekeyed SAs until they expire. - ''; - - delete_rekeyed_delay = mkIntParam 5 '' - Delay in seconds until inbound IPsec SAs are deleted after rekeyings - (IKEv2 only). - </para><para> - To process delayed packets the inbound part of a CHILD_SA is kept - installed up to the configured number of seconds after it got replaced - during a rekeying. If set to 0 the CHILD_SA will be kept installed until - it expires (if no lifetime is set it will be destroyed immediately). - ''; - - dh_exponent_ansi_x9_42 = mkYesNoParam yes '' - Use ANSI X9.42 DH exponent size or optimum size matched to - cryptographical strength. - ''; - - dlopen_use_rtld_now = mkYesNoParam no '' - Use RTLD_NOW with dlopen() when loading plugins and IMV/IMCs to reveal - missing symbols immediately. Useful during development of custom plugins. - ''; - - dns1 = mkOptionalStrParam '' - DNS server assigned to peer via configuration payload (CP), see attr plugin. - ''; - - dns2 = mkOptionalStrParam '' - DNS server assigned to peer via configuration payload (CP). - ''; - - dos_protection = mkYesNoParam yes '' - Enable Denial of Service protection using cookies and aggressiveness checks. - ''; - - ecp_x_coordinate_only = mkYesNoParam yes '' - Compliance with the errata for RFC 4753. - ''; - - filelog = mkAttrsOfParams ({ - append = mkYesNoParam yes '' - If this option is enabled log entries are appended to the existing file. - ''; - - flush_line = mkYesNoParam no '' - Enabling this option disables block buffering and enables line - buffering. That is, a flush to disk is enforced for each logged line. - ''; - - ike_name = mkYesNoParam no '' - Prefix each log entry with the connection name and a unique numerical - identifier for each IKE_SA. - ''; - - time_format = mkOptionalStrParam '' - Prefix each log entry with a timestamp. The option accepts a format string - as passed to strftime(3). - ''; - - time_add_ms = mkYesNoParam no '' - Adds the milliseconds within the current second after the timestamp - (separated by a dot, so time_format should end with %S or %T) - ''; - } // loglevelParams) ''Section to define file loggers, see LoggerConfiguration.''; - - flush_auth_cfg = mkYesNoParam no '' - If enabled objects used during authentication (certificates, identities - etc.) are released to free memory once an IKE_SA is - established. Enabling this might conflict with plugins that later need - access to e.g. the used certificates. - ''; - - follow_redirects = mkYesNoParam yes '' - Whether to follow IKEv2 redirects (RFC 5685). - ''; - - fragment_size = mkIntParam 1280 '' - Maximum size (complete IP datagram size in bytes) of a sent IKE fragment - when using proprietary IKEv1 or standardized IKEv2 fragmentation, - defaults to 1280 (use 0 for address family specific default values, - which uses a lower value for IPv4). If specified this limit is used for - both IPv4 and IPv6. - ''; - - group = mkOptionalStrParam '' - Name of the group the daemon changes to after startup. - ''; - - half_open_timeout = mkIntParam 30 '' - Timeout in seconds for connecting IKE_SAs, also see IKE_SA_INIT dropping. - ''; - - hash_and_url = mkYesNoParam no '' - Enable hash and URL support. - ''; - - host_resolver.max_threads = mkIntParam 3 '' - Maximum number of concurrent resolver threads (they are terminated if unused). - ''; - - host_resolver.min_threads = mkIntParam 0 '' - Minimum number of resolver threads to keep around. - ''; - - i_dont_care_about_security_and_use_aggressive_mode_psk = mkYesNoParam no '' - If enabled responders are allowed to use IKEv1 Aggressive Mode with - pre-shared keys, which is discouraged due to security concerns (offline - attacks on the openly transmitted hash of the PSK). - ''; - - ignore_acquire_ts = mkYesNoParam no '' - If this is disabled the traffic selectors from the kernel's acquire - events, which are derived from the triggering packet, are prepended to - the traffic selectors from the configuration for IKEv2 connection. By - enabling this, such specific traffic selectors will be ignored and only - the ones in the config will be sent. This always happens for IKEv1 - connections as the protocol only supports one set of traffic selectors - per CHILD_SA. - ''; - - ignore_routing_tables = mkSpaceSepListParam [] '' - A space-separated list of routing tables to be excluded from route lookup. - ''; - - ikesa_limit = mkIntParam 0 '' - Maximum number of IKE_SAs that can be established at the same time - before new connection attempts are blocked. - ''; - - ikesa_table_segments = mkIntParam 1 '' - Number of exclusively locked segments in the hash table, see IKE_SA - lookup tuning. - ''; - - ikesa_table_size = mkIntParam 1 '' - Size of the IKE_SA hash table, see IKE_SA lookup tuning. - ''; - - inactivity_close_ike = mkYesNoParam no '' - Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. - ''; - - init_limit_half_open = mkIntParam 0 '' - Limit new connections based on the current number of half open IKE_SAs, - see IKE_SA_INIT dropping. - ''; - - init_limit_job_load = mkIntParam 0 '' - Limit new connections based on the number of jobs currently queued for - processing, see IKE_SA_INIT dropping. - ''; - - initiator_only = mkYesNoParam no '' - Causes charon daemon to ignore IKE initiation requests. - ''; - - install_routes = mkYesNoParam yes '' - Install routes into a separate routing table for established IPsec - tunnels. If disabled a more efficient lookup for source and next-hop - addresses is used since 5.5.2. - ''; - - install_virtual_ip = mkYesNoParam yes '' - Install virtual IP addresses. - ''; - - install_virtual_ip_on = mkOptionalStrParam '' - The name of the interface on which virtual IP addresses should be - installed. If not specified the addresses will be installed on the - outbound interface. - ''; - - integrity_test = mkYesNoParam no '' - Check daemon, libstrongswan and plugin integrity at startup. - ''; - - interfaces_ignore = mkCommaSepListParam [] '' - List of network interfaces that should be ignored, if - <option>interfaces_use</option> is specified this option has no effect. - ''; - - interfaces_use = mkCommaSepListParam [] '' - List of network interfaces that should be used by - charon. All other interfaces are ignored. - ''; - - keep_alive = mkIntParam 20 '' - NAT keep alive interval in seconds. - ''; - - leak_detective.detailed = mkYesNoParam yes '' - Includes source file names and line numbers in leak detective output. - ''; - - leak_detective.usage_threshold = mkIntParam 10240 '' - Threshold in bytes for leaks to be reported (0 to report all). - ''; - - leak_detective.usage_threshold_count = mkIntParam 0 '' - Threshold in number of allocations for leaks to be reported (0 to report - all). - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in IKEv2 charon daemon, see PluginLoad. - ''; - - load_modular = mkYesNoParam no '' - If enabled the list of plugins to load is determined by individual load - settings for each plugin, see PluginLoad. - ''; - - make_before_break = mkYesNoParam no '' - Initiate IKEv2 reauthentication with a make-before-break instead of a - break-before-make scheme. Make-before-break uses overlapping IKE and - CHILD_SA during reauthentication by first recreating all new SAs before - deleting the old ones. This behavior can be beneficial to avoid - connectivity gaps during reauthentication, but requires support for - overlapping SAs by the peer. strongSwan can handle such overlapping SAs - since 5.3.0. - ''; - - max_ikev1_exchanges = mkIntParam 3 '' - Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about - and track concurrently. - ''; - - max_packet = mkIntParam 10000 '' - Maximum packet size accepted by charon. - ''; - - multiple_authentication = mkYesNoParam yes '' - Enable multiple authentication exchanges (RFC 4739). - ''; - - nbns1 = mkOptionalStrParam '' - WINS server assigned to peer via configuration payload (CP), see attr - plugin. - ''; - - nbns2 = mkOptionalStrParam '' - WINS server assigned to peer via configuration payload (CP). - ''; - - port = mkIntParam 500 '' - UDP port used locally. If set to 0 a random port will be allocated. - ''; - - port_nat_t = mkIntParam 4500 '' - UDP port used locally in case of NAT-T. If set to 0 a random port will - be allocated. Has to be different from charon.port, otherwise a random - port will be allocated. - ''; - - prefer_best_path = mkYesNoParam no '' - By default, charon keeps SAs on the routing path with addresses it - previously used if that path is still usable. By enabling this option, - it tries more aggressively to update SAs with MOBIKE on routing priority - changes using the cheapest path. This adds more noise, but allows to - dynamically adapt SAs to routing priority changes. This option has no - effect if MOBIKE is not supported or disabled. - ''; - - prefer_configured_proposals = mkYesNoParam yes '' - Prefer locally configured proposals for IKE/IPsec over supplied ones as - responder (disabling this can avoid keying retries due to - INVALID_KE_PAYLOAD notifies). - ''; - - prefer_temporary_addrs = mkYesNoParam no '' - By default public IPv6 addresses are preferred over temporary ones - (according to RFC 4941), to make connections more stable. Enable this - option to reverse this. - ''; - - process_route = mkYesNoParam yes '' - Process RTM_NEWROUTE and RTM_DELROUTE events. - ''; - - processor.priority_threads = { - critical = mkIntParam 0 '' - Threads reserved for CRITICAL priority class jobs. - ''; - - high = mkIntParam 0 '' - Threads reserved for HIGH priority class jobs. - ''; - - medium = mkIntParam 0 '' - Threads reserved for MEDIUM priority class jobs. - ''; - - low = mkIntParam 0 '' - Threads reserved for LOW priority class jobs. - ''; - }; - - receive_delay = mkIntParam 0 '' - Delay in ms for receiving packets, to simulate larger RTT. - ''; - - receive_delay_response = mkYesNoParam yes '' - Delay response messages. - ''; - - receive_delay_request = mkYesNoParam yes '' - Delay request messages. - ''; - - receive_delay_type = mkIntParam 0 '' - Specific IKEv2 message type to delay, 0 for any. - ''; - - replay_window = mkIntParam 32 '' - Size of the AH/ESP replay window, in packets. - ''; - - retransmit_base = mkFloatParam "1.8" '' - Base to use for calculating exponential back off, see Retransmission. - ''; - - retransmit_jitter = mkIntParam 0 '' - Maximum jitter in percent to apply randomly to calculated retransmission - timeout (0 to disable). - ''; - - retransmit_limit = mkIntParam 0 '' - Upper limit in seconds for calculated retransmission timeout (0 to - disable). - ''; - - retransmit_timeout = mkFloatParam "4.0" '' - Timeout in seconds before sending first retransmit. - ''; - - retransmit_tries = mkIntParam 5 '' - Number of times to retransmit a packet before giving up. - ''; - - retry_initiate_interval = mkIntParam 0 '' - Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if - DNS resolution failed), 0 to disable retries. - ''; - - reuse_ikesa = mkYesNoParam yes '' - Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). - ''; - - routing_table = mkIntParam 220 '' - Numerical routing table to install routes to. - ''; - - routing_table_prio = mkIntParam 220 '' - Priority of the routing table. - ''; - - rsa_pss = mkYesNoParam no '' - Whether to use RSA with PSS padding instead of PKCS#1 padding by default. - ''; - - send_delay = mkIntParam 0 '' - Delay in ms for sending packets, to simulate larger RTT. - ''; - - send_delay_request = mkYesNoParam yes '' - Delay request messages. - ''; - - send_delay_response = mkYesNoParam yes '' - Delay response messages. - ''; - - send_delay_type = mkIntParam 0 '' - Specific IKEv2 message type to delay, 0 for any. - ''; - - send_vendor_id = mkYesNoParam no '' - Send strongSwan vendor ID payload. - ''; - - signature_authentication = mkYesNoParam yes '' - Whether to enable Signature Authentication as per RFC 7427. - ''; - - signature_authentication_constraints = mkYesNoParam yes '' - If enabled, signature schemes configured in rightauth, in addition to - getting used as constraints against signature schemes employed in the - certificate chain, are also used as constraints against the signature - scheme used by peers during IKEv2. - ''; - - spi_min = mkHexParam "0xc0000000" '' - The lower limit for SPIs requested from the kernel for IPsec SAs. Should - not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are - reserved by IANA. - ''; - - spi_max = mkHexParam "0xcfffffff" '' - The upper limit for SPIs requested from the kernel for IPsec SAs. - ''; - - start-scripts = mkAttrsOfParam (mkStrParam "" "") '' - Section containing a list of scripts (name = path) that are executed - when the daemon is started. - ''; - - stop-scripts = mkAttrsOfParam (mkStrParam "" "") '' - Section containing a list of scripts (name = path) that are executed - when the daemon is terminated. - ''; - - syslog = loglevelParams // { - identifier = mkOptionalStrParam '' - Identifier for use with openlog(3). - </para><para> - Global identifier used for an openlog(3) call, prepended to each log - message by syslog. If not configured, openlog(3) is not called, so - the value will depend on system defaults (often the program name). - ''; - - ike_name = mkYesNoParam no '' - Prefix each log entry with the connection name and a unique numerical - identifier for each IKE_SA. - ''; - }; - - threads = mkIntParam 16 '' - Number of worker threads in charon. Several of these are reserved for - long running tasks in internal modules and plugins. Therefore, make sure - you don't set this value too low. The number of idle worker threads - listed in ipsec statusall might be used as indicator on the number of - reserved threads (JobPriority has more on this). - ''; - - user = mkOptionalStrParam '' - Name of the user the daemon changes to after startup. - ''; - - x509.enforce_critical = mkYesNoParam yes '' - Discard certificates with unsupported or unknown critical extensions. - ''; - - plugins = import ./strongswan-charon-plugins-params.nix lib; - - imcv = { - assessment_result = mkYesNoParam yes '' - Whether IMVs send a standard IETF Assessment Result attribute. - ''; - - database = mkOptionalStrParam '' - Global IMV policy database URI. If it contains a password, make sure to - adjust the permissions of the config file accordingly. - ''; - - os_info.default_password_enabled = mkYesNoParam no '' - Manually set whether a default password is enabled. - ''; - - os_info.name = mkOptionalStrParam '' - Manually set the name of the client OS (e.g. <literal>NixOS</literal>). - ''; - - os_info.version = mkOptionalStrParam '' - Manually set the version of the client OS (e.g. <literal>17.09</literal>). - ''; - - policy_script = mkStrParam "ipsec _imv_policy" '' - Script called for each TNC connection to generate IMV policies. - ''; - }; - - tls = { - cipher = mkSpaceSepListParam [] '' - List of TLS encryption ciphers. - ''; - - key_exchange = mkSpaceSepListParam [] '' - List of TLS key exchange methods. - ''; - - mac = mkSpaceSepListParam [] '' - List of TLS MAC algorithms. - ''; - - suites = mkSpaceSepListParam [] '' - List of TLS cipher suites. - ''; - }; - - tnc = { - libtnccs.tnc_config = mkStrParam "/etc/tnc_config" '' - TNC IMC/IMV configuration file. - ''; - }; -} diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix deleted file mode 100644 index 116fb6d00a2..00000000000 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix +++ /dev/null @@ -1,1111 +0,0 @@ -lib : with (import ./param-constructors.nix lib); { - addrblock.strict = mkYesNoParam yes '' - If enabled, a subject certificate without an RFC 3779 address block - extension is rejected if the issuer certificate has such an addrblock - extension. If disabled, subject certificates issued without addrblock - extension are accepted without any traffic selector checks and no policy - is enforced by the plugin. - ''; - - android_log.loglevel = mkIntParam 1 '' - Loglevel for logging to Android specific logger. - ''; - - attr = mkAttrsOfParam (mkCommaSepListParam [] "") '' - Section to specify arbitrary attributes that are assigned to a peer - via configuration payload, see attr plugin. - </para><para> - The attribute can be either - <literal>address</literal>, - <literal>netmask</literal>, - <literal>dns</literal>, - <literal>nbns</literal>, - <literal>dhcp</literal>, - <literal>subnet</literal>, - <literal>split-include</literal>, - <literal>split-exclude</literal> - or the numeric identifier of the attribute type. The assigned value can be - an IPv4/IPv6 address, a subnet in CIDR notation or an arbitrary value - depending on the attribute type. Since some attribute types accept multiple - values all values must be specified as a list. - ''; - - attr-sql.crash_recovery = mkYesNoParam yes '' - Release all online leases during startup. Disable this to share the DB - between multiple VPN gateways. - ''; - - attr-sql.database = mkOptionalStrParam '' - Database URI for attr-sql plugin used by charon. If it contains a - password, make sure to adjust the permissions of the config file - accordingly. - ''; - - attr-sql.lease_history = mkYesNoParam yes '' - Enable logging of SQL IP pool leases. - ''; - - bliss.use_bliss_b = mkYesNoParam yes '' - Use the enhanced BLISS-B key generation and signature algorithm. - ''; - - bypass-lan.interfaces_ignore = mkCommaSepListParam [] '' - List of network interfaces for which connected subnets - should be ignored, if interfaces_use is specified this option has no - effect. - ''; - - bypass-lan.interfaces_use = mkCommaSepListParam [] '' - List of network interfaces for which connected subnets - should be considered. All other interfaces are ignored. - ''; - - certexpire.csv.cron = mkOptionalStrParam '' - Cron style string specifying CSV export times, see certexpire for - details. - ''; - - certexpire.csv.empty_string = mkOptionalStrParam '' - String to use in empty intermediate CA fields. - ''; - - certexpire.csv.fixed_fields = mkYesNoParam yes '' - Use a fixed intermediate CA field count. - ''; - - certexpire.csv.force = mkYesNoParam yes '' - Force export of all trustchains we have a private key for. - ''; - - certexpire.csv.format = mkStrParam "%d:%m:%Y" '' - strftime(3) format string to export expiration dates as. - ''; - - certexpire.csv.local = mkOptionalStrParam '' - strftime(3) format string for the CSV file name to export local - certificates to. - ''; - - certexpire.csv.remote = mkOptionalStrParam '' - strftime(3) format string for the CSV file name to export remote - certificates to. - ''; - - certexpire.csv.separator = mkStrParam "," '' - CSV field separator. - ''; - - coupling.file = mkOptionalStrParam '' - File to store coupling list to, see certcoupling plugin for details. - ''; - - coupling.hash = mkStrParam "sha1" '' - Hashing algorithm to fingerprint coupled certificates. - ''; - - coupling.max = mkIntParam 1 '' - Maximum number of coupling entries to create. - ''; - - curl.redir = mkIntParam (-1) '' - Maximum number of redirects followed by the plugin, set to 0 to disable - following redirects, set to -1 for no limit. - ''; - - dhcp.force_server_address = mkYesNoParam no '' - Always use the configured server address, see DHCP plugin for details. - ''; - - dhcp.identity_lease = mkYesNoParam no '' - Derive user-defined MAC address from hash of IKEv2 identity. - ''; - - dhcp.interface = mkOptionalStrParam '' - Interface name the plugin uses for address allocation. The default is to - bind to any and let the system decide which way to route the packets to - the DHCP server. - ''; - - dhcp.server = mkStrParam "255.255.255.255" '' - DHCP server unicast or broadcast IP address. - ''; - - dnscert.enable = mkYesNoParam no '' - Enable fetching of CERT RRs via DNS. - ''; - - duplicheck.enable = mkYesNoParam yes '' - Enable duplicheck plugin (if loaded). - ''; - - duplicheck.socket = mkStrParam "unix://\${piddir}/charon.dck" '' - Socket provided by the duplicheck plugin. - ''; - - eap-aka.request_identity = mkYesNoParam yes ""; - - eap-aka-3ggp2.seq_check = mkOptionalStrParam '' - Enable to activate sequence check of the AKA SQN values in order to trigger - resync cycles. - ''; - - eap-dynamic.prefer_user = mkYesNoParam no '' - If enabled, the eap-dynamic plugin will prefer the order of the EAP - methods in an EAP-Nak message sent by a client over the one configured - locally. - ''; - - eap-dynamic.preferred = mkCommaSepListParam [] '' - The preferred EAP method(s) to be used by the eap-dynamic plugin. If it is - not set, the first registered method will be used initially. The methods - are tried in the given order before trying the rest of the registered - methods. - ''; - - eap-gtc.backend = mkStrParam "pam" '' - XAuth backend to be used for credential verification, see EAP-GTC. - ''; - - eap-peap.fragment_size = mkIntParam 1024 '' - Maximum size of an EAP-PEAP packet. - ''; - - eap-peap.max_message_count = mkIntParam 32 '' - Maximum number of processed EAP-PEAP packets. - ''; - - eap-peap.include_length = mkYesNoParam no '' - Include length in non-fragmented EAP-PEAP packets. - ''; - - eap-peap.phase2_method = mkStrParam "mschapv2" '' - Phase2 EAP client authentication method. - ''; - - eap-peap.phase2_piggyback = mkYesNoParam no '' - Phase2 EAP Identity request piggybacked by server onto TLS Finished - message. - ''; - - eap-peap.phase2_tnc = mkYesNoParam no '' - Start phase2 EAP-TNC protocol after successful client authentication. - ''; - - eap-peap.request_peer_auth = mkYesNoParam no '' - Request peer authentication based on a client certificate. - ''; - - eap-radius.accounting = mkYesNoParam no '' - Enable EAP-RADIUS accounting. - ''; - - eap-radius.accounting_close_on_timeout = mkYesNoParam yes '' - Close the IKE_SA if there is a timeout during interim RADIUS accounting - updates. - ''; - - eap-radius.accounting_interval = mkIntParam 0 '' - Interval in seconds for interim RADIUS accounting updates, if not - specified by the RADIUS server in the Access-Accept message. - ''; - - eap-radius.accounting_requires_vip = mkYesNoParam no '' - If enabled, accounting is disabled unless an IKE_SA has at least one - virtual IP. - ''; - - eap-radius.accounting_send_class = mkYesNoParam no '' - If enabled, adds the Class attributes received in Access-Accept - message to the RADIUS accounting messages. - ''; - - eap-radius.class_group = mkYesNoParam no '' - Use the class attribute sent in the Access-Accept message as group - membership information, see EapRadius. - ''; - - eap-radius.close_all_on_timeout = mkYesNoParam no '' - Closes all IKE_SAs if communication with the RADIUS server times out. If - it is not set only the current IKE_SA is closed. - ''; - - eap-radius.dae.enable = mkYesNoParam no '' - Enables support for the Dynamic Authorization Extension (RFC 5176). - ''; - - eap-radius.dae.listen = mkStrParam "0.0.0.0" '' - Address to listen for DAE messages from the RADIUS server. - ''; - - eap-radius.dae.port = mkIntParam 3799 '' - Port to listen for DAE requests. - ''; - - eap-radius.dae.secret = mkOptionalStrParam '' - Shared secret used to verify/sign DAE messages.If set, make sure to - adjust the permissions of the config file accordingly. - ''; - - eap-radius.eap_start = mkYesNoParam no '' - Send EAP-Start instead of EAP-Identity to start RADIUS conversation. - ''; - - eap-radius.filter_id = mkYesNoParam no '' - Use the filter_id attribute sent in the RADIUS-Accept message as group - membership if the RADIUS tunnel_type attribute is set to ESP. - ''; - - eap-radius.forward.ike_to_radius = mkOptionalStrParam '' - RADIUS attributes to be forwarded from IKEv2 to RADIUS (can be defined - by name or attribute number, a colon can be used to specify - vendor-specific attributes, e.g. Reply-Message, or 11, or 36906:12). - ''; - - eap-radius.forward.radius_to_ike = mkOptionalStrParam '' - Same as above but from RADIUS to IKEv2, a strongSwan specific private - notify (40969) is used to transmit the attributes. - ''; - - eap-radius.id_prefix = mkOptionalStrParam '' - Prefix to EAP-Identity, some AAA servers use a IMSI prefix to select the - EAP method. - ''; - - eap-radius.nas_identifier = mkStrParam "strongSwan" '' - NAS-Identifier to include in RADIUS messages. - ''; - - eap-radius.port = mkIntParam 1812 '' - Port of RADIUS server (authentication). - ''; - - eap-radius.retransmit_base = mkFloatParam "1.4" '' - Base to use for calculating exponential back off. - ''; - - eap-radius.retransmit_timeout = mkFloatParam "2.0" '' - Timeout in seconds before sending first retransmit. - ''; - - eap-radius.retransmit_tries = mkIntParam 4 '' - Number of times to retransmit a packet before giving up. - ''; - - eap-radius.secret = mkOptionalStrParam '' - Shared secret between RADIUS and NAS. If set, make sure to adjust the - permissions of the config file accordingly. - ''; - - eap-radius.server = mkOptionalStrParam '' - IP/Hostname of RADIUS server. - ''; - - eap-radius.servers = mkAttrsOfParams { - nas_identifier = mkStrParam "strongSwan" '' - The nas_identifer (default: strongSwan) identifies the gateway against the - RADIUS server and allows it to enforce a policy, for example. - ''; - - secret = mkOptionalStrParam ""; - - sockets = mkIntParam 1 '' - The number of pre-allocated sockets to use. A value of 5 allows the - gateway to authentication 5 clients simultaneously over RADIUS. - ''; - - auth_port = mkIntParam 1812 '' - RADIUS UDP port - ''; - - address = mkOptionalStrParam '' - The server's IP/Hostname. - ''; - - acct_port = mkIntParam 1813 '' - Accounting port. - ''; - - preference = mkIntParam 0 '' - With the preference paramter of a server, priorities for specific servers - can be defined. This allows to use a secondary RADIUS server only if the - first gets unresponsive, or if it is overloaded. - ''; - } ''Section to specify multiple RADIUS servers, see EapRadius.''; - - eap-radius.sockets = mkIntParam 1 '' - Number of sockets (ports) to use, increase for high load. - ''; - - eap-radius.xauth = mkAttrsOfParams { - nextpin = mkOptionalStrParam ""; - password = mkOptionalStrParam ""; - passcode = mkOptionalStrParam ""; - answer = mkOptionalStrParam ""; - } '' - Section to configure multiple XAuth authentication rounds via RADIUS. - ''; - - eap-sim.request_identity = mkYesNoParam yes ""; - - eap-simaka-sql.database = mkOptionalStrParam ""; - - eap-simaka-sql.remove_used = mkOptionalStrParam ""; - - eap-tls.fragment_size = mkIntParam 1024 '' - Maximum size of an EAP-TLS packet. - ''; - - eap-tls.include_length = mkYesNoParam yes '' - Include length in non-fragmented EAP-TLS packets. - ''; - - eap-tls.max_message_count = mkIntParam 32 '' - Maximum number of processed EAP-TLS packets (0 = no limit). - ''; - - eap-tnc.max_message_count = mkIntParam 10 '' - Maximum number of processed EAP-TNC packets (0 = no limit). - ''; - - eap-tnc.protocol = mkStrParam "tnccs-2.0" '' - IF-TNCCS protocol version to be used (tnccs-1.1, tnccs-2.0, - tnccs-dynamic). - ''; - - eap-ttls.fragment_size = mkIntParam 1024 '' - Maximum size of an EAP-TTLS packet. - ''; - - eap-ttls.include_length = mkYesNoParam yes '' - Include length in non-fragmented EAP-TTLS packets. - ''; - - eap-ttls.max_message_count = mkIntParam 32 '' - Maximum number of processed EAP-TTLS packets (0 = no limit). - ''; - - eap-ttls.phase2_method = mkStrParam "md5" '' - Phase2 EAP client authentication method. - ''; - - eap-ttls.phase2_piggyback = mkYesNoParam no '' - Phase2 EAP Identity request piggybacked by server onto TLS Finished - message. - ''; - - eap-ttls.phase2_tnc = mkYesNoParam no '' - Start phase2 EAP TNC protocol after successful client authentication. - ''; - - eap-ttls-phase2_tnc_method = mkEnumParam ["pt" "legacy"] "pt" '' - Phase2 EAP TNC transport protocol (pt as IETF standard or legacy tnc) - ''; - - eap-ttls.request_peer_auth = mkYesNoParam no '' - Request peer authentication based on a client certificate. - ''; - - error-notify.socket = mkStrParam "unix://\${piddir}/charon.enfy" '' - Socket provided by the error-notify plugin. - ''; - - ext-auth.script = mkOptionalStrParam '' - Shell script to invoke for peer authorization (see ext-auth). - ''; - - gcrypt.quick_random = mkYesNoParam no '' - Use faster random numbers in gcrypt. For testing only, produces weak - keys! - ''; - - ha.autobalance = mkIntParam 0 '' - Interval in seconds to automatically balance handled segments between - nodes. Set to 0 to disable. - ''; - - ha.buflen = mkIntParam 2048 '' - Buffer size for received HA messages. For IKEv1 the public DH factors are - also transmitted so depending on the DH group the HA messages can get quite - big (the default should be fine up to <literal>modp4096</literal>). - ''; - - ha.fifo_interface = mkYesNoParam yes ""; - - ha.heartbeat_delay = mkIntParam 1000 ""; - - ha.heartbeat_timeout = mkIntParam 2100 ""; - - ha.local = mkOptionalIntParam ""; - - ha.monitor = mkYesNoParam yes ""; - - ha.pools = mkOptionalStrParam ""; - - ha.remote = mkOptionalStrParam ""; - - ha.resync = mkYesNoParam yes ""; - - ha.secret = mkOptionalStrParam ""; - - ha.segment_count = mkIntParam 1 ""; - - ipseckey.enable = mkYesNoParam no '' - Enable fetching of IPSECKEY RRs via DNS. - ''; - - kernel-libipsec.allow_peer_ts = mkYesNoParam no '' - Allow that the remote traffic selector equals the IKE peer (see - kernel-libipsec for details). - ''; - - kernel-netlink.buflen = mkOptionalIntParam '' - Buffer size for received Netlink messages. Defaults to - <literal>min(PAGE_SIZE, 8192)</literal>. - ''; - - kernel-netlink.force_receive_buffer_size = mkYesNoParam no '' - If the maximum Netlink socket receive buffer in bytes set by - receive_buffer_size exceeds the system-wide maximum from - <literal>/proc/sys/net/core/rmem_max</literal>, this option can be used to - override the limit. Enabling this option requires special privileges - (CAP_NET_ADMIN). - ''; - - kernel-netlink.fwmark = mkOptionalStrParam '' - Firewall mark to set on the routing rule that directs traffic to our own - routing table. The format is <literal>[!]mark[/mask]</literal>, where the - optional exclamation mark inverts the meaning (i.e. the rule only applies to - packets that don't match the mark). A possible use case are host-to-host - tunnels with kernel-libipsec. When set to !<mark> a more efficient - lookup for source and next-hop addresses may also be used since 5.3.3. - ''; - - kernel-netlink.mss = mkIntParam 0 '' - MSS to set on installed routes, 0 to disable. - ''; - - kernel-netlink.mtu = mkIntParam 0 '' - MTU to set on installed routes, 0 to disable. - ''; - - kernel-netlink.process_rules = mkYesNoParam no '' - Whether to process changes in routing rules to trigger roam events. This is - currently only useful if the kernel based route lookup is used (i.e. if - route installation is disabled or an inverted fwmark match is configured). - ''; - - kernel-netlink.receive_buffer_size = mkIntParam 0 '' - Maximum Netlink socket receive buffer in bytes. This value controls how many - bytes of Netlink messages can be received on a Netlink socket. The default - value is set by <literal>/proc/sys/net/core/rmem_default</literal>. The - specified value cannot exceed the system-wide maximum from - <literal>/proc/sys/net/core/rmem_max</literal>, unless - <option>force_receive_buffer_size</option> is enabled. - ''; - - kernel-netlink.roam_events = mkYesNoParam yes '' - Whether to trigger roam events when interfaces, addresses or routes - change. - ''; - - kernel-netlink.set_proto_port_transport_sa = mkYesNoParam no '' - Whether to set protocol and ports in the selector installed on transport - mode IPsec SAs in the kernel. While doing so enforces policies for - inbound traffic, it also prevents the use of a single IPsec SA by more - than one traffic selector. - ''; - - kernel-netlink.spdh_thresh.ipv4.lbits = mkIntParam 32 '' - Local subnet XFRM policy hashing threshold for IPv4. - ''; - - kernel-netlink.spdh_thresh.ipv4.rbits = mkIntParam 32 '' - Remote subnet XFRM policy hashing threshold for IPv4. - ''; - - kernel-netlink.spdh_thresh.ipv6.lbits = mkIntParam 128 '' - Local subnet XFRM policy hashing threshold for IPv6. - ''; - - kernel-netlink.spdh_thresh.ipv6.rbits = mkIntParam 128 '' - Remote subnet XFRM policy hashing threshold for IPv6. - ''; - - kernel-netlink.xfrm_acq_expires = mkIntParam 165 '' - Lifetime of XFRM acquire state created by the kernel when traffic matches a - trap policy. The value gets written to - <literal>/proc/sys/net/core/xfrm_acq_expires</literal>. Indirectly controls - the delay between XFRM acquire messages triggered by the kernel for a trap - policy. The same value is used as timeout for SPIs allocated by the - kernel. The default value equals the default total retransmission timeout - for IKE messages (since 5.5.3 this value is determined dynamically based on - the configuration). - ''; - - kernel-pfkey.events_buffer_size = mkIntParam 0 '' - Size of the receive buffer for the event socket (0 for default - size). Because events are received asynchronously installing e.g. lots - of policies may require a larger buffer than the default on certain - platforms in order to receive all messages. - ''; - - kernel-pfroute.vip_wait = mkIntParam 1000 '' - Time in ms to wait until virtual IP addresses appear/disappear before - failing. - ''; - - led.activity_led = mkOptionalStrParam ""; - - led.blink_time = mkIntParam 50 ""; - - load-tester = { - addrs = mkAttrsOfParam (mkOptionalStrParam "") '' - Section that contains key/value pairs with address pools (in CIDR - notation) to use for a specific network interface e.g. - <literal>eth0 = 10.10.0.0/16</literal>. - ''; - - addrs_keep = mkYesNoParam no '' - Whether to keep dynamic addresses even after the associated SA got - terminated. - ''; - - addrs_prefix = mkIntParam 16 '' - Network prefix length to use when installing dynamic addresses. - If set to -1 the full address is used (i.e. 32 or 128). - ''; - - ca_dir = mkOptionalStrParam '' - Directory to load (intermediate) CA certificates from. - ''; - - child_rekey = mkIntParam 600 '' - Seconds to start CHILD_SA rekeying after setup. - ''; - - crl = mkOptionalStrParam '' - URI to a CRL to include as certificate distribution point in generated - certificates. - ''; - - delay = mkIntParam 0 '' - Delay between initiatons for each thread. - ''; - - delete_after_established = mkYesNoParam no '' - Delete an IKE_SA as soon as it has been established. - ''; - - digest = mkStrParam "sha1" '' - Digest algorithm used when issuing certificates. - ''; - - dpd_delay = mkIntParam 0 '' - DPD delay to use in load test. - ''; - - dynamic_port = mkIntParam 0 '' - Base port to be used for requests (each client uses a different port). - ''; - - eap_password = mkStrParam "default-pwd" '' - EAP secret to use in load test. - ''; - - enable = mkYesNoParam no '' - Enable the load testing plugin. **WARNING**: Never enable this plugin on - productive systems. It provides preconfigured credentials and allows an - attacker to authenticate as any user. - ''; - - esp = mkStrParam "aes128-sha1" '' - CHILD_SA proposal to use for load tests. - ''; - - fake_kernel = mkYesNoParam no '' - Fake the kernel interface to allow load-testing against self. - ''; - - ike_rekey = mkIntParam 0 '' - Seconds to start IKE_SA rekeying after setup. - ''; - - init_limit = mkIntParam 0 '' - Global limit of concurrently established SAs during load test. - ''; - - initiator = mkStrParam "0.0.0.0" '' - Address to initiate from. - ''; - - initiators = mkIntParam 0 '' - Number of concurrent initiator threads to use in load test. - ''; - - initiator_auth = mkStrParam "pubkey" '' - Authentication method(s) the intiator uses. - ''; - - initiator_id = mkOptionalStrParam '' - Initiator ID used in load test. - ''; - - initiator_match = mkOptionalStrParam '' - Initiator ID to match against as responder. - ''; - - initiator_tsi = mkOptionalStrParam '' - Traffic selector on initiator side, as proposed by initiator. - ''; - - initiator_tsr = mkOptionalStrParam '' - Traffic selector on responder side, as proposed by initiator. - ''; - - iterations = mkIntParam 1 '' - Number of IKE_SAs to initiate by each initiator in load test. - ''; - - issuer_cert = mkOptionalStrParam '' - Path to the issuer certificate (if not configured a hard-coded default - value is used). - ''; - - issuer_key = mkOptionalStrParam '' - Path to private key that is used to issue certificates (if not configured - a hard-coded default value is used). - ''; - - mode = mkEnumParam ["tunnel" "transport" "beet"] "tunnel" '' - IPsec mode to use. - ''; - - pool = mkOptionalStrParam '' - Provide INTERNAL_IPV4_ADDRs from a named pool. - ''; - - preshared_key = mkStrParam "<default-psk>" '' - Preshared key to use in load test. - ''; - - proposal = mkStrParam "aes128-sha1-modp768" '' - IKE proposal to use in load test. - ''; - - responder = mkStrParam "127.0.0.1" '' - Address to initiation connections to. - ''; - - responder_auth = mkStrParam "pubkey" '' - Authentication method(s) the responder uses. - ''; - - responder_id = mkOptionalStrParam '' - Responder ID used in load test. - ''; - - responder_tsi = mkStrParam "initiator_tsi" '' - Traffic selector on initiator side, as narrowed by responder. - ''; - - responder_tsr = mkStrParam "initiator_tsr" '' - Traffic selector on responder side, as narrowed by responder. - ''; - - request_virtual_ip = mkYesNoParam no '' - Request an INTERNAL_IPV4_ADDR from the server. - ''; - - shutdown_when_complete = mkYesNoParam no '' - Shutdown the daemon after all IKE_SAs have been established. - ''; - - socket = mkStrParam "unix://\\\${piddir}/charon.ldt" '' - Socket provided by the load-tester plugin. - ''; - - version = mkIntParam 0 '' - IKE version to use (0 means use IKEv2 as initiator and accept any version - as responder). - ''; - }; - - lookip.socket = mkStrParam "unix://\\\${piddir}/charon.lkp" '' - Socket provided by the lookip plugin. - ''; - - ntru.max_drbg_requests = mkIntParam 4294967294 '' - Number of pseudo-random bit requests from the DRBG before an automatic - reseeding occurs. - ''; - - ntru.parameter_set = - mkEnumParam ["x9_98_speed" "x9_98_bandwidth" "x9_98_balance" "optimum"] "optimum" '' - The following parameter sets are available: - <literal>x9_98_speed</literal>, <literal>x9_98_bandwidth</literal>, - <literal>x9_98_balance</literal> and <literal>optimum</literal>, the last - set not being part of the X9.98 standard but having the best performance. - ''; - - openssl.engine_id = mkStrParam "pkcs11" '' - ENGINE ID to use in the OpenSSL plugin. - ''; - - openssl.fips_mode = mkIntParam 0 '' - Set OpenSSL FIPS mode: - <itemizedlist> - <listitem><para>disabled (0),</para></listitem> - <listitem><para>enabled (1),</para></listitem> - <listitem><para>Suite B enabled (2).</para></listitem> - </itemizedlist> - Defaults to the value configured with the - <literal>--with-fips-mode</literal> option. - - ''; - - osx-attr.append = mkYesNoParam yes '' - Whether DNS servers are appended to existing entries, instead of - replacing them. - ''; - - pkcs11.load_certs = mkYesNoParam yes '' - Whether to load certificates from tokens. - ''; - - pkcs11.modules = mkAttrsOfParams { - path = mkOptionalStrParam '' - Full path to the shared object file of this PKCS#11 module - ''; - - os_locking = mkYesNoParam no '' - Whether OS locking should be enabled for this module - ''; - - load_certs = mkYesNoParam no '' - Whether the PKCS#11 modules should load certificates from tokens (since 5.0.2) - ''; - } '' - List of available PKCS#11 modules, see SmartCardsIKEv2. - ''; - - pkcs11.reload_certs = mkYesNoParam no '' - Reload certificates from all tokens if charon receives a SIGHUP. - ''; - - pkcs11.use_dh = mkYesNoParam no '' - Whether the PKCS#11 modules should be used for DH and ECDH. - ''; - - pkcs11.use_ecc = mkYesNoParam no '' - Whether the PKCS#11 modules should be used for ECDH and ECDSA public key - operations. ECDSA private keys are used regardless of this option. - ''; - - pkcs11.use_hasher = mkYesNoParam no '' - Whether the PKCS#11 modules should be used to hash data. - ''; - - pkcs11.use_pubkey = mkYesNoParam no '' - Whether the PKCS#11 modules should be used for public key operations, - even for keys not stored on tokens. - ''; - - pkcs11.use_rng = mkYesNoParam no '' - Whether the PKCS#11 modules should be used as RNG. - ''; - - radattr.dir = mkOptionalStrParam '' - Directory where RADIUS attributes are stored in client-ID specific - files, see radattr. - ''; - - radattr.message_id = mkIntParam (-1) '' - RADIUS attributes are added to all IKE_AUTH messages by default (-1), or - only to the IKE_AUTH message with the given IKEv2 message ID. - ''; - - random.random = mkStrParam "/dev/random" '' - File to read random bytes from. - ''; - - random.urandom = mkStrParam "/dev/urandom" '' - File to read pseudo random bytes from. - ''; - - random.strong_equals_true = mkYesNoParam no '' - If enabled the RNG_STRONG class reads random bytes from the same source - as the RNG_TRUE class. - ''; - - resolve.file = mkStrParam "/etc/resolv.conf" '' - File used by the resolve plugin to write DNS server entries to. - ''; - - resolve.resolvconf.iface_prefix = mkStrParam "lo.inet.ipsec." '' - Prefix used by the resolve plugin for interface names sent to - resolvconf(8). The name server address is appended to this prefix to - make it unique. The result has to be a valid interface name according to - the rules defined by resolvconf. Also, it should have a high priority - according to the order defined in interface-order(5). - ''; - - revocation.enable_crl = mkYesNoParam yes '' - Whether CRL validation should be enabled. - ''; - - revocation.enable_ocsp = mkYesNoParam yes '' - Whether OCSP validation should be enabled. - ''; - - save-keys.load = mkYesNoParam no '' - Whether to load the plugin. - ''; - - save-keys.esp = mkYesNoParam no '' - Whether to save ESP keys. - ''; - - save-keys.ike = mkYesNoParam no '' - Whether to save IKE keys. - ''; - - save-keys.wireshark_keys = mkOptionalStrParam '' - Directory where the keys are stored in the format supported by Wireshark. - IKEv1 keys are stored in the <literal>ikev1_decryption_table</literal> file. - IKEv2 keys are stored in the <literal>ikev2_decryption_table</literal> file. - Keys for ESP CHILD_SAs are stored in the <literal>esp_sa</literal> file. - ''; - - socket-default.fwmark = mkOptionalStrParam '' - Firewall mark to set on outbound packets (a possible use case are - host-to-host tunnels with kernel-libipsec). - ''; - - socket-default.set_source = mkYesNoParam yes '' - Set source address on outbound packets, if possible. - ''; - - socket-default.set_sourceif = mkYesNoParam no '' - Force sending interface on outbound packets, if possible. This allows - using IPv6 link-local addresses as tunnel endpoints. - ''; - - socket-default.use_ipv4 = mkYesNoParam yes '' - Listen on IPv4, if possible. - ''; - - socket-default.use_ipv6 = mkYesNoParam yes '' - Listen on IPv6, if possible. - ''; - - sql.database = mkOptionalStrParam '' - Database URI for charon's SQL plugin. If it contains a password, make - sure to adjust the permissions of the config file accordingly. - ''; - - sql.loglevel = mkIntParam (-1) '' - Loglevel for logging to SQL database. - ''; - - stroke.allow_swap = mkYesNoParam yes '' - Analyze addresses/hostnames in left/right to detect which side is local - and swap configuration options if necessary. If disabled left is always - local. - ''; - - stroke.ignore_missing_ca_basic_constraint = mkYesNoParam no '' - Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA - certificates even if they don't contain a CA basic constraint. - ''; - - stroke.max_concurrent = mkIntParam 4 '' - Maximum number of stroke messages handled concurrently. - ''; - - stroke.secrets_file = mkStrParam "\${sysconfdir}/ipsec.secrets" '' - Location of the ipsec.secrets file. - ''; - - stroke.socket = mkStrParam "unix://\${piddir}/charon.ctl" '' - Socket provided by the stroke plugin. - ''; - - stroke.timeout = mkIntParam 0 '' - Timeout in ms for any stroke command. Use 0 to disable the timeout. - ''; - - systime-fix.interval = mkIntParam 0 '' - Interval in seconds to check system time for validity. 0 disables the - check. See systime-fix plugin. - ''; - - systime-fix.reauth = mkYesNoParam no '' - Whether to use reauth or delete if an invalid cert lifetime is detected. - ''; - - systime-fix.threshold = mkOptionalStrParam '' - Threshold date where system time is considered valid. Disabled if not - specified. - ''; - - systime-fix.threshold_format = mkStrParam "%Y" '' - strptime(3) format used to parse threshold option. - ''; - - systime-fix.timeout = mkDurationParam "0s" '' - How long to wait for a valid system time if an interval is - configured. 0 to recheck indefinitely. - ''; - - tnc-ifmap.client_cert = mkOptionalStrParam '' - Path to X.509 certificate file of IF-MAP client. - ''; - - tnc-ifmap.client_key = mkOptionalStrParam '' - Path to private key file of IF-MAP client. - ''; - - tnc-ifmap.device_name = mkOptionalStrParam '' - Unique name of strongSwan server as a PEP and/or PDP device. - ''; - - tnc-ifmap.renew_session_interval = mkIntParam 150 '' - Interval in seconds between periodic IF-MAP RenewSession requests. - ''; - - tnc-ifmap.server_cert = mkOptionalStrParam '' - Path to X.509 certificate file of IF-MAP server. - ''; - - tnc-ifmap.server_uri = mkStrParam "https://localhost:8444/imap" '' - URI of the form <literal>[https://]servername[:port][/path]</literal>. - ''; - - tnc-ifmap.username_password = mkOptionalStrParam '' - Credentials of IF-MAP client of the form - <literal>username:password</literal>. If set, make sure to adjust the - permissions of the config file accordingly. - ''; - - tnc-imc.dlcose = mkYesNoParam yes '' - Unload IMC after use. - ''; - - tnc-imc.preferred_language = mkStrParam "en" '' - Preferred language for TNC recommendations. - ''; - - tnc-imv.dlcose = mkYesNoParam yes '' - Unload IMV after use. - ''; - - tnc-imv.recommendation_policy = mkEnumParam ["default" "any" "all"] "default" '' - default TNC recommendation policy. - ''; - - tnc-pdp.pt_tls.enable = mkYesNoParam yes '' - Enable PT-TLS protocol on the strongSwan PDP. - ''; - - tnc-pdp.pt_tls.port = mkIntParam 271 '' - PT-TLS server port the strongSwan PDP is listening on. - ''; - - tnc-pdp.radius.enable = mkYesNoParam yes '' - Enable RADIUS protocol on the strongSwan PDP. - ''; - - tnc-pdp.radius.method = mkStrParam "ttls" '' - EAP tunnel method to be used. - ''; - - tnc-pdp.radius.port = mkIntParam 1812 '' - RADIUS server port the strongSwan PDP is listening on. - ''; - - tnc-pdp.radius.secret = mkOptionalStrParam '' - Shared RADIUS secret between strongSwan PDP and NAS. If set, make sure - to adjust the permissions of the config file accordingly. - ''; - - tnc-pdp.server = mkOptionalStrParam '' - Name of the strongSwan PDP as contained in the AAA certificate. - ''; - - tnc-pdp.timeout = mkOptionalIntParam '' - Timeout in seconds before closing incomplete connections. - ''; - - tnccs-11.max_message_size = mkIntParam 45000 '' - Maximum size of a PA-TNC message (XML & Base64 encoding). - ''; - - tnccs-20.max_batch_size = mkIntParam 65522 '' - Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529). - ''; - - tnccs-20.max_message_size = mkIntParam 65490 '' - Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497). - ''; - - tnccs-20.mutual = mkYesNoParam no '' - Enable PB-TNC mutual protocol. - ''; - - tpm.use_rng = mkYesNoParam no '' - Whether the TPM should be used as RNG. - ''; - - unbound.dlv_anchors = mkOptionalStrParam '' - File to read trusted keys for DLV from. It uses the same format as - <option>trust_anchors</option>. Only one DLV can be configured, which is - then used as a root trusted DLV, this means that it is a lookaside for the - root. - ''; - - unbound.resolv_conf = mkStrParam "/etc/resolv.conf" '' - File to read DNS resolver configuration from. - ''; - - unbound.trust_anchors = mkStrParam "/etc/ipsec.d/dnssec.keys" '' - File to read DNSSEC trust anchors from (usually root zone KSK). The - format of the file is the standard DNS Zone file format, anchors can be - stored as DS or DNSKEY entries in the file. - ''; - - updown.dns_handler = mkYesNoParam no '' - Whether the updown script should handle DNS servers assigned via IKEv1 - Mode Config or IKEv2 Config Payloads (if enabled they can't be handled - by other plugins, like resolve). - ''; - - vici.socket = mkStrParam "unix://\${piddir}/charon.vici" '' - Socket the vici plugin serves clients. - ''; - - whitelist.enable = mkYesNoParam yes '' - Enable loaded whitelist plugin. - ''; - - whitelist.socket = mkStrParam "unix://\${piddir}/charon.wlst" '' - Socket provided by the whitelist plugin. - ''; - - xauth-eap.backend = mkStrParam "radius" '' - EAP plugin to be used as backend for XAuth credential verification, see - XAuthEAP. - ''; - - xauth-pam.pam_service = mkStrParam "login" '' - PAM service to be used for authentication, see XAuthPAM. - ''; - - xauth-pam.session = mkYesNoParam no '' - Open/close a PAM session for each active IKE_SA. - ''; - - xauth-pam.trim_email = mkYesNoParam yes '' - If an email address is given as an XAuth username, trim it to just the - username part. - ''; -} diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix deleted file mode 100644 index 2ca2c9c396e..00000000000 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-libimcv-params.nix +++ /dev/null @@ -1,291 +0,0 @@ -lib : with (import ./param-constructors.nix lib); { - debug_level = mkIntParam 1 '' - Debug level for a stand-alone libimcv library. - ''; - - load = mkSpaceSepListParam ["random" "nonce" "gmp" "pubkey" "x509"] '' - Plugins to load in IMC/IMVs with stand-alone libimcv library. - ''; - - stderr_quiet = mkYesNoParam no '' - Disable the output to stderr with a stand-alone libimcv library. - ''; - - swid_gen = { - command = mkStrParam "/usr/local/bin/swid_generator" '' - SWID generator command to be executed. - ''; - - tag_creator = { - name = mkStrParam "strongSwan Project" '' - Name of the tagCreator entity. - ''; - - regid = mkStrParam "strongswan.org" '' - regid of the tagCreator entity. - ''; - }; - }; - - plugins = { - - imc-attestation = { - aik_blob = mkOptionalStrParam '' - AIK encrypted private key blob file. - ''; - - aik_cert = mkOptionalStrParam '' - AIK certificate file. - ''; - - aik_handle = mkOptionalStrParam '' - AIK object handle, e.g. 0x81010003. - ''; - - aik_pubkey = mkOptionalStrParam '' - AIK public key file. - ''; - - mandatory_dh_groups = mkYesNoParam yes '' - Enforce mandatory Diffie-Hellman groups - ''; - - nonce_len = mkIntParam 20 '' - DH nonce length. - ''; - - pcr_info = mkYesNoParam no '' - Whether to send pcr_before and pcr_after info. - ''; - - use_quote2 = mkYesNoParam yes '' - Use Quote2 AIK signature instead of Quote signature. - ''; - - use_version_info = mkYesNoParam no '' - Version Info is included in Quote2 signature. - ''; - }; - - imc-hcd.push_info = mkYesNoParam yes '' - Send quadruple info without being prompted. - ''; - - imc-hcd.subtypes = let - imcHcdSubtypeParams = let - softwareParams = mkAttrsOfParams { - name = mkOptionalStrParam '' - Name of the software installed on the hardcopy device. - ''; - - patches = mkOptionalStrParam '' - String describing all patches applied to the given software on this - hardcopy device. The individual patches are separated by a newline - character '\\n'. - ''; - - string_version = mkOptionalStrParam '' - String describing the version of the given software on this hardcopy device. - ''; - - version = mkOptionalStrParam '' - Hex-encoded version string with a length of 16 octets consisting of - the fields major version number (4 octets), minor version number (4 - octets), build number (4 octets), service pack major number (2 - octets) and service pack minor number (2 octets). - ''; - } '' - Defines a software section having an arbitrary name. - ''; - in { - firmware = softwareParams; - resident_application = softwareParams; - user_application = softwareParams; - attributes_natural_language = mkStrParam "en" '' - Variable length natural language tag conforming to RFC 5646 specifies - the language to be used in the health assessment message of a given - subtype. - ''; - }; - in { - system = imcHcdSubtypeParams // { - certification_state = mkOptionalStrParam '' - Hex-encoded certification state. - ''; - - configuration_state = mkOptionalStrParam '' - Hex-encoded configuration state. - ''; - - machine_type_model = mkOptionalStrParam '' - String specifying the machine type and model of the hardcopy device. - ''; - - pstn_fax_enabled = mkYesNoParam no '' - Specifies if a PSTN facsimile interface is installed and enabled on the - hardcopy device. - ''; - - time_source = mkOptionalStrParam '' - String specifying the hostname of the network time server used by the - hardcopy device. - ''; - - user_application_enabled = mkYesNoParam no '' - Specifies if users can dynamically download and execute applications on - the hardcopy device. - ''; - - user_application_persistence_enabled = mkYesNoParam no '' - Specifies if user dynamically downloaded applications can persist outside - the boundaries of a single job on the hardcopy device. - ''; - - vendor_name = mkOptionalStrParam '' - String specifying the manufacturer of the hardcopy device. - ''; - - vendor_smi_code = mkOptionalIntParam '' - Integer specifying the globally unique 24-bit SMI code assigned to the - manufacturer of the hardcopy device. - ''; - }; - control = imcHcdSubtypeParams; - marker = imcHcdSubtypeParams; - finisher = imcHcdSubtypeParams; - interface = imcHcdSubtypeParams; - scanner = imcHcdSubtypeParams; - }; - - imc-os = { - device_cert = mkOptionalStrParam '' - Manually set the path to the client device certificate - (e.g. /etc/pts/aikCert.der) - ''; - - device_id = mkOptionalStrParam '' - Manually set the client device ID in hexadecimal format - (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) - ''; - - device_pubkey = mkOptionalStrParam '' - Manually set the path to the client device public key - (e.g. /etc/pts/aikPub.der) - ''; - - push_info = mkYesNoParam yes '' - Send operating system info without being prompted. - ''; - }; - - imc-scanner.push_info = mkYesNoParam yes '' - Send open listening ports without being prompted. - ''; - - imc-swid = { - swid_full = mkYesNoParam no '' - Include file information in the XML-encoded SWID tags. - ''; - - swid_pretty = mkYesNoParam no '' - Generate XML-encoded SWID tags with pretty indentation. - ''; - - swid_directory = mkStrParam "\${prefix}/share" '' - Directory where SWID tags are located. - ''; - }; - - imc-swima = { - eid_epoch = mkHexParam "0x11223344" '' - Set 32 bit epoch value for event IDs manually if software collector - database is not available. - ''; - - swid_database = mkOptionalStrParam '' - URI to software collector database containing event timestamps, software - creation and deletion events and collected software identifiers. If it - contains a password, make sure to adjust the permissions of the config - file accordingly. - ''; - - swid_directory = mkStrParam "\${prefix}/share" '' - Directory where SWID tags are located. - ''; - - swid_pretty = mkYesNoParam no '' - Generate XML-encoded SWID tags with pretty indentation. - ''; - - swid_full = mkYesNoParam no '' - Include file information in the XML-encoded SWID tags. - ''; - }; - - imc-test = { - additional_ids = mkIntParam 0 '' - Number of additional IMC IDs. - ''; - - command = mkStrParam "none" '' - Command to be sent to the Test IMV. - ''; - - dummy_size = mkIntParam 0 '' - Size of dummy attribute to be sent to the Test IMV (0 = disabled). - ''; - - retry = mkYesNoParam no '' - Do a handshake retry. - ''; - - retry_command = mkOptionalStrParam '' - Command to be sent to the IMV Test in the handshake retry. - ''; - }; - - imv-attestation = { - cadir = mkOptionalStrParam '' - Path to directory with AIK cacerts. - ''; - - dh_group = mkStrParam "ecp256" '' - Preferred Diffie-Hellman group. - ''; - - hash_algorithm = mkStrParam "sha256" '' - Preferred measurement hash algorithm. - ''; - - min_nonce_len = mkIntParam 0 '' - DH minimum nonce length. - ''; - - remediation_uri = mkOptionalStrParam '' - URI pointing to attestation remediation instructions. - ''; - }; - - imv-os.remediation_uri = mkOptionalStrParam '' - URI pointing to operating system remediation instructions. - ''; - - imv-scanner.remediation_uri = mkOptionalStrParam '' - URI pointing to scanner remediation instructions. - ''; - - imv-swima.rest_api = { - uri = mkOptionalStrParam '' - HTTP URI of the SWID REST API. - ''; - - timeout = mkIntParam 120 '' - Timeout of SWID REST API HTTP POST transaction. - ''; - }; - - imv-test.rounds = mkIntParam 0 '' - Number of IMC-IMV retry rounds. - ''; - }; -} diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix deleted file mode 100644 index 0f517d8ead4..00000000000 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-loglevel-params.nix +++ /dev/null @@ -1,29 +0,0 @@ -lib : with (import ./param-constructors.nix lib); - -let mkJournalParam = description : - mkEnumParam [(-1) 0 1 2 3 4] 0 "Logging level for ${description}"; -in { - default = mkIntParam 1 '' - Specifies the default loglevel to be used for subsystems for which no - specific loglevel is defined. - ''; - - app = mkJournalParam "applications other than daemons."; - asn = mkJournalParam "low-level encoding/decoding (ASN.1, X.509 etc.)"; - cfg = mkJournalParam "configuration management and plugins."; - chd = mkJournalParam "CHILD_SA/IPsec SA."; - dmn = mkJournalParam "main daemon setup/cleanup/signal handling."; - enc = mkJournalParam "packet encoding/decoding encryption/decryption operations."; - esp = mkJournalParam "libipsec library messages."; - ike = mkJournalParam "IKE_SA/ISAKMP SA."; - imc = mkJournalParam "integrity Measurement Collector."; - imv = mkJournalParam "integrity Measurement Verifier."; - job = mkJournalParam "jobs queuing/processing and thread pool management."; - knl = mkJournalParam "IPsec/Networking kernel interface."; - lib = mkJournalParam "libstrongwan library messages."; - mgr = mkJournalParam "IKE_SA manager, handling synchronization for IKE_SA access."; - net = mkJournalParam "IKE network communication."; - pts = mkJournalParam "platform Trust Service."; - tls = mkJournalParam "libtls library messages."; - tnc = mkJournalParam "trusted Network Connect."; -} diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix deleted file mode 100644 index 249aa22b29e..00000000000 --- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix +++ /dev/null @@ -1,258 +0,0 @@ -# See: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf -# -# When strongSwan is upgraded please update the parameters in this file. You can -# see which parameters should be deleted, changed or added by diffing -# the strongswan conf directory: -# -# git clone https://github.com/strongswan/strongswan.git -# cd strongswan -# git diff 5.5.3..5.6.0 conf/ - -lib: with (import ./param-constructors.nix lib); - -let charonParams = import ./strongswan-charon-params.nix lib; -in { - aikgen = { - load = mkSpaceSepListParam [] '' - Plugins to load in ipsec aikgen tool. - ''; - }; - attest = { - database = mkOptionalStrParam '' - File measurement information database URI. If it contains a password, - make sure to adjust the permissions of the config file accordingly. - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in ipsec attest tool. - ''; - }; - - # Since we only use charon-systemd we don't need to generate options for charon. - # charon = charonParams; - - charon-nm = { - ca_dir = mkStrParam "<default>" '' - Directory from which to load CA certificates if no certificate is - configured. - ''; - }; - - charon-systemd = charonParams // { - journal = import ./strongswan-loglevel-params.nix lib; - }; - - imv_policy_manager = { - command_allow = mkOptionalStrParam '' - Shell command to be executed with recommendation allow. - ''; - - command_block = mkOptionalStrParam '' - Shell command to be executed with all other recommendations. - ''; - - database = mkOptionalStrParam '' - Database URI for the database that stores the package information. If it - contains a password, make sure to adjust permissions of the config file - accordingly. - ''; - - load = mkSpaceSepListParam ["sqlite"] '' - Plugins to load in IMV policy manager. - ''; - }; - - libimcv = import ./strongswan-libimcv-params.nix lib; - - manager = { - database = mkOptionalStrParam '' - Credential database URI for manager. If it contains a password, make - sure to adjust the permissions of the config file accordingly. - ''; - - debug = mkYesNoParam no '' - Enable debugging in manager. - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in manager. - ''; - - socket = mkOptionalStrParam '' - FastCGI socket of manager, to run it statically. - ''; - - threads = mkIntParam 10 '' - Threads to use for request handling. - ''; - - timeout = mkDurationParam "15m" '' - Session timeout for manager. - ''; - }; - - medcli = { - database = mkOptionalStrParam '' - Mediation client database URI. If it contains a password, make sure to - adjust the permissions of the config file accordingly. - ''; - - dpd = mkDurationParam "5m" '' - DPD timeout to use in mediation client plugin. - ''; - - rekey = mkDurationParam "20m" '' - Rekeying time on mediation connections in mediation client plugin. - ''; - }; - - medsrv = { - database = mkOptionalStrParam '' - Mediation server database URI. If it contains a password, make sure to - adjust the permissions of the config file accordingly. - ''; - - debug = mkYesNoParam no '' - Debugging in mediation server web application. - ''; - - dpd = mkDurationParam "5m" '' - DPD timeout to use in mediation server plugin. - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in mediation server plugin. - ''; - - password_length = mkIntParam 6 '' - Minimum password length required for mediation server user accounts. - ''; - - rekey = mkDurationParam "20m" '' - Rekeying time on mediation connections in mediation server plugin. - ''; - - socket = mkOptionalStrParam '' - Run Mediation server web application statically on socket. - ''; - - threads = mkIntParam 5 '' - Number of thread for mediation service web application. - ''; - - timeout = mkDurationParam "15m" '' - Session timeout for mediation service. - ''; - }; - - pki.load = mkSpaceSepListParam [] '' - Plugins to load in ipsec pki tool. - ''; - - pool = { - database = mkOptionalStrParam '' - Database URI for the database that stores IP pools and configuration - attributes. If it contains a password, make sure to adjust the - permissions of the config file accordingly. - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in ipsec pool tool. - ''; - }; - - pt-tls-client.load = mkSpaceSepListParam [] '' - Plugins to load in ipsec pt-tls-client tool. - ''; - - scepclient.load = mkSpaceSepListParam [] '' - Plugins to load in ipsec scepclient tool. - ''; - - sec-updater = { - database = mkOptionalStrParam '' - Global IMV policy database URI. If it contains a password, make - sure to adjust the permissions of the config file accordingly. - ''; - - swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" '' - SWID generator command to be executed. - ''; - - swid_gen.tag_creator.name = mkStrParam "strongSwan Project" '' - Name of the tagCreator entity. - ''; - - swid_gen.tag_creator.regid = mkStrParam "strongswan.org" '' - regid of the tagCreator entity. - ''; - - tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" '' - strongTNC manage.py command used to import SWID tags. - ''; - - tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" '' - Temporary storage for downloaded deb package file. - ''; - - tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" '' - Temporary storage for generated SWID tags. - ''; - - load = mkSpaceSepListParam [] '' - Plugins to load in sec-updater tool. - ''; - }; - - starter = { - config_file = mkStrParam "\${sysconfdir}/ipsec.conf" '' - Location of the ipsec.conf file. - ''; - - load_warning = mkYesNoParam yes '' - Show charon.load setting warning, see - https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad - ''; - }; - - sw-collector = { - database = mkOptionalStrParam '' - URI to software collector database containing event timestamps, - software creation and deletion events and collected software - identifiers. If it contains a password, make sure to adjust the - permissions of the config file accordingly. - ''; - - first_file = mkStrParam "/var/log/bootstrap.log" '' - Path pointing to file created when the Linux OS was installed. - ''; - - first_time = mkStrParam "0000-00-00T00:00:00Z" '' - Time in UTC when the Linux OS was installed. - ''; - - history = mkOptionalStrParam '' - Path pointing to apt history.log file. - ''; - - rest_api = { - uri = mkOptionalStrParam '' - HTTP URI of the central collector's REST API. - ''; - - timeout = mkIntParam 120 '' - Timeout of REST API HTTP POST transaction. - ''; - }; - - load = mkSpaceSepListParam [] "Plugins to load in sw-collector tool."; - }; - - swanctl = { - load = mkSpaceSepListParam [] "Plugins to load in swanctl."; - - socket = mkStrParam "unix://\${piddir}/charon.vici" '' - VICI socket to connect to by default. - ''; - }; -} |