From 592a89befc71867b22960da752b80ab4707ff586 Mon Sep 17 00:00:00 2001
From: Bas van Dijk
Date: Wed, 28 Feb 2018 11:04:41 +0100
Subject: [PATCH] strongswan-swanctl: support strongswan-5.6.2 configuration options

---
 .../strongswan-charon-params.nix | 2 +-
 .../strongswan-charon-plugins-params.nix | 33 ++++++++++++++++++-
 .../strongswan-swanctl/swanctl-params.nix | 7 ++--
 3 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
index 2b28b57963e1..17bd632dc180 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
@@ -19,7 +19,7 @@ in {
 '';

 cache_crls = mkYesNoParam no ''
- Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP
+ Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
  should be saved under a unique file name derived from the public key of the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
index 5fd2b4b0c0a4..116fb6d00a2c 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
@@ -423,6 +423,12 @@ lib : with (import ./param-constructors.nix lib); {
  nodes. Set to 0 to disable.
 '';

+ ha.buflen = mkIntParam 2048 ''
+ Buffer size for received HA messages. For IKEv1 the public DH factors are
+ also transmitted so depending on the DH group the HA messages can get quite
+ big (the default should be fine up to modp4096).
+ '';
+
 ha.fifo_interface = mkYesNoParam yes "";

 ha.heartbeat_delay = mkIntParam 1000 "";
@@ -461,7 +467,7 @@ lib : with (import ./param-constructors.nix lib); {
  If the maximum Netlink socket receive buffer in bytes set by receive_buffer_size exceeds the system-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to
- override the limit. Enabling this option requires special priviliges
+ override the limit. Enabling this option requires special privileges
  (CAP_NET_ADMIN).
 '';

@@ -482,6 +488,12 @@ lib : with (import ./param-constructors.nix lib); {
  MTU to set on installed routes, 0 to disable.
 '';

+ kernel-netlink.process_rules = mkYesNoParam no ''
+ Whether to process changes in routing rules to trigger roam events. This is
+ currently only useful if the kernel based route lookup is used (i.e. if
+ route installation is disabled or an inverted fwmark match is configured).
+ '';
+
 kernel-netlink.receive_buffer_size = mkIntParam 0 ''
  Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default
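Review bot: The descriptions added for `ha.buflen` and `kernel-netlink.process_rules` do not say which strongSwan release introduced them, even though the commit subject pins them to 5.6.2; a user of this module with an older strongswan package would presumably set them without any effect and get no error from the module. Appending `This option is available since strongSwan 5.6.2.` to both descriptions would surface that in the generated option documentation. The `ha.buflen` text also names the DH group the default covers (modp4096) but not the consequence of a value that is too small for the group in use — presumably HA synchronisation of those IKEv1 SAs fails; confirm against the ha plugin before documenting it as fact.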
@@ -845,6 +857,25 @@ lib : with (import ./param-constructors.nix lib); {
  Whether OCSP validation should be enabled.
 '';

+ save-keys.load = mkYesNoParam no ''
+ Whether to load the plugin.
+ '';
+
+ save-keys.esp = mkYesNoParam no ''
+ Whether to save ESP keys.
+ '';
+
+ save-keys.ike = mkYesNoParam no ''
+ Whether to save IKE keys.
+ '';
+
+ save-keys.wireshark_keys = mkOptionalStrParam ''
+ Directory where the keys are stored in the format supported by Wireshark.
+ IKEv1 keys are stored in the ikev1_decryption_table file.
+ IKEv2 keys are stored in the ikev2_decryption_table file.
+ Keys for ESP CHILD_SAs are stored in the esp_sa file.
+ '';
+
 socket-default.fwmark = mkOptionalStrParam ''
  Firewall mark to set on outbound packets (a possible use case are host-to-host tunnels with kernel-libipsec).
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index 39d184131c36..939f58e2bab9 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -583,9 +583,10 @@ in {
  rsa-2048-ecdsa-256). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to pubkey or a key strength definition (for example
- pubkey-sha1-sha256 or
- rsa-2048-ecdsa-256-sha256-sha384-sha512). Unless
- disabled in strongswan.conf, or explicit IKEv2
+ pubkey-sha256-sha512,
+ rsa-2048-sha256-sha384-sha512 or
+ rsa-2048-sha256-ecdsa-256-sha256-sha384).
+ Unless disabled in strongswan.conf, or explicit IKEv2
  signature constraints are configured (refer to the description of the section's keyword for details), such key types and hash algorithms are also applied as
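Review bot: The `save-keys.*` options expose a plugin whose sole purpose is to write IKE and ESP session keys to disk in plaintext for Wireshark, yet their descriptions carry none of the warning a practitioner needs: anyone able to read `wireshark_keys` can decrypt every tunnel, and nothing in this hunk restricts the directory's permissions. `save-keys.load` should say at least `Whether to load the plugin. It writes IKE and ESP session keys to disk in plaintext for Wireshark; a debugging aid only, never enable it on production systems.`, and `save-keys.wireshark_keys` should add that the directory must be readable only by root. Whether the strongswan package used by this module is built with the save-keys plugin at all is not visible here; if it is not, `save-keys.load = yes` would be a silent no-op, which is worth stating in the description too.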