authorBas van Dijk <v.dijk.bas@gmail.com>2018-02-28 11:04:41 +0100
committerBas van Dijk <v.dijk.bas@gmail.com>2018-02-28 11:04:41 +0100
commit592a89befc71867b22960da752b80ab4707ff586 (patch)
treeb358113156e6c223a5d2fa99b06995c1e3fe90b7 /nixos
parent7c94804680e6a40ddb4e2ef8039cede241a8b647 (diff)
strongswan-swanctl: support strongswan-5.6.2 configuration options
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix2
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix33
-rw-r--r--nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix7
3 files changed, 37 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
index 2b28b57963e..17bd632dc18 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
@@ -19,7 +19,7 @@ in {
   '';
 
   cache_crls = mkYesNoParam no ''
-    Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP
+    Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
     should be saved under a unique file name derived from the public
     key of the Certification Authority (CA) to
     <literal>/etc/ipsec.d/crls</literal> (stroke) or
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
index 5fd2b4b0c0a..116fb6d00a2 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
@@ -423,6 +423,12 @@ lib : with (import ./param-constructors.nix lib); {
     nodes. Set to 0 to disable.
   '';
 
+  ha.buflen = mkIntParam 2048 ''
+    Buffer size for received HA messages. For IKEv1 the public DH factors are
+    also transmitted so depending on the DH group the HA messages can get quite
+    big (the default should be fine up to <literal>modp4096</literal>).
+  '';
+
   ha.fifo_interface = mkYesNoParam yes "";
 
   ha.heartbeat_delay = mkIntParam 1000 "";
@@ -461,7 +467,7 @@ lib : with (import ./param-constructors.nix lib); {
     If the maximum Netlink socket receive buffer in bytes set by
     receive_buffer_size exceeds the system-wide maximum from
     <literal>/proc/sys/net/core/rmem_max</literal>, this option can be used to
-    override the limit. Enabling this option requires special priviliges
+    override the limit. Enabling this option requires special privileges
     (CAP_NET_ADMIN).
   '';
 
@@ -482,6 +488,12 @@ lib : with (import ./param-constructors.nix lib); {
     MTU to set on installed routes, 0 to disable.
   '';
 
+  kernel-netlink.process_rules = mkYesNoParam no ''
+    Whether to process changes in routing rules to trigger roam events. This is
+    currently only useful if the kernel based route lookup is used (i.e. if
+    route installation is disabled or an inverted fwmark match is configured).
+  '';
+
   kernel-netlink.receive_buffer_size = mkIntParam 0 ''
     Maximum Netlink socket receive buffer in bytes. This value controls how many
     bytes of Netlink messages can be received on a Netlink socket. The default
@@ -845,6 +857,25 @@ lib : with (import ./param-constructors.nix lib); {
     Whether OCSP validation should be enabled.
   '';
 
+  save-keys.load = mkYesNoParam no ''
+    Whether to load the plugin.
+  '';
+
+  save-keys.esp = mkYesNoParam no ''
+    Whether to save ESP keys.
+  '';
+
+  save-keys.ike = mkYesNoParam no ''
+    Whether to save IKE keys.
+  '';
+
+  save-keys.wireshark_keys = mkOptionalStrParam ''
+    Directory where the keys are stored in the format supported by Wireshark.
+    IKEv1 keys are stored in the <literal>ikev1_decryption_table</literal> file.
+    IKEv2 keys are stored in the <literal>ikev2_decryption_table</literal> file.
+    Keys for ESP CHILD_SAs are stored in the <literal>esp_sa</literal> file.
+  '';
+
   socket-default.fwmark = mkOptionalStrParam ''
     Firewall mark to set on outbound packets (a possible use case are
     host-to-host tunnels with kernel-libipsec).
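Review bot: The description of `save-keys.wireshark_keys` (and the `save-keys.esp`/`save-keys.ike` options above it) says where the keys are written but not what that means: anyone who can read that directory can decrypt every IKE and ESP session recorded there, so the option text should say this is a debugging aid and that the directory needs restrictive permissions. Something like `Saving session keys to disk defeats the confidentiality of the tunnels; enable this only for debugging and make sure the directory is readable by root only.` appended to the `save-keys.wireshark_keys` description would make the risk visible to anyone toggling `save-keys.load`. It is good that `save-keys.load` defaults to `no`; stating in its description that the plugin exists for debugging would reinforce that. This hunk is the most worth raising in this file section; the `ha.buflen` and `kernel-netlink.process_rules` hunks above add options with adequate descriptions.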
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index 39d184131c3..939f58e2bab 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -583,9 +583,10 @@ in {
         <literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of
         hashing algorithms for trustchain validation, append hash algorithms to
         pubkey or a key strength definition (for example
-        <literal>pubkey-sha1-sha256</literal> or
-        <literal>rsa-2048-ecdsa-256-sha256-sha384-sha512</literal>). Unless
-        disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
+        <literal>pubkey-sha256-sha512</literal>,
+        <literal>rsa-2048-sha256-sha384-sha512</literal> or
+        <literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>).
+        Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
         signature constraints are configured (refer to the description of the
         <option>local</option> section's <option>auth</option> keyword for
         details), such key types and hash algorithms are also applied as