mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 23:13:19 +00:00
strongswan-swanctl: support strongswan-5.6.2 configuration options
This commit is contained in:
parent
7c94804680
commit
592a89befc
@ -19,7 +19,7 @@ in {
|
||||
'';
|
||||
|
||||
cache_crls = mkYesNoParam no ''
|
||||
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP
|
||||
Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
|
||||
should be saved under a unique file name derived from the public
|
||||
key of the Certification Authority (CA) to
|
||||
<literal>/etc/ipsec.d/crls</literal> (stroke) or
|
||||
|
@ -423,6 +423,12 @@ lib : with (import ./param-constructors.nix lib); {
|
||||
nodes. Set to 0 to disable.
|
||||
'';
|
||||
|
||||
ha.buflen = mkIntParam 2048 ''
|
||||
Buffer size for received HA messages. For IKEv1 the public DH factors are
|
||||
also transmitted so depending on the DH group the HA messages can get quite
|
||||
big (the default should be fine up to <literal>modp4096</literal>).
|
||||
'';
|
||||
|
||||
ha.fifo_interface = mkYesNoParam yes "";
|
||||
|
||||
ha.heartbeat_delay = mkIntParam 1000 "";
|
||||
@ -461,7 +467,7 @@ lib : with (import ./param-constructors.nix lib); {
|
||||
If the maximum Netlink socket receive buffer in bytes set by
|
||||
receive_buffer_size exceeds the system-wide maximum from
|
||||
<literal>/proc/sys/net/core/rmem_max</literal>, this option can be used to
|
||||
override the limit. Enabling this option requires special priviliges
|
||||
override the limit. Enabling this option requires special privileges
|
||||
(CAP_NET_ADMIN).
|
||||
'';
|
||||
|
||||
@ -482,6 +488,12 @@ lib : with (import ./param-constructors.nix lib); {
|
||||
MTU to set on installed routes, 0 to disable.
|
||||
'';
|
||||
|
||||
kernel-netlink.process_rules = mkYesNoParam no ''
|
||||
Whether to process changes in routing rules to trigger roam events. This is
|
||||
currently only useful if the kernel based route lookup is used (i.e. if
|
||||
route installation is disabled or an inverted fwmark match is configured).
|
||||
'';
|
||||
|
||||
kernel-netlink.receive_buffer_size = mkIntParam 0 ''
|
||||
Maximum Netlink socket receive buffer in bytes. This value controls how many
|
||||
bytes of Netlink messages can be received on a Netlink socket. The default
|
||||
@ -845,6 +857,25 @@ lib : with (import ./param-constructors.nix lib); {
|
||||
Whether OCSP validation should be enabled.
|
||||
'';
|
||||
|
||||
save-keys.load = mkYesNoParam no ''
|
||||
Whether to load the plugin.
|
||||
'';
|
||||
|
||||
save-keys.esp = mkYesNoParam no ''
|
||||
Whether to save ESP keys.
|
||||
'';
|
||||
|
||||
save-keys.ike = mkYesNoParam no ''
|
||||
Whether to save IKE keys.
|
||||
'';
|
||||
|
||||
save-keys.wireshark_keys = mkOptionalStrParam ''
|
||||
Directory where the keys are stored in the format supported by Wireshark.
|
||||
IKEv1 keys are stored in the <literal>ikev1_decryption_table</literal> file.
|
||||
IKEv2 keys are stored in the <literal>ikev2_decryption_table</literal> file.
|
||||
Keys for ESP CHILD_SAs are stored in the <literal>esp_sa</literal> file.
|
||||
'';
|
||||
|
||||
socket-default.fwmark = mkOptionalStrParam ''
|
||||
Firewall mark to set on outbound packets (a possible use case are
|
||||
host-to-host tunnels with kernel-libipsec).
|
||||
|
@ -583,9 +583,10 @@ in {
|
||||
<literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of
|
||||
hashing algorithms for trustchain validation, append hash algorithms to
|
||||
pubkey or a key strength definition (for example
|
||||
<literal>pubkey-sha1-sha256</literal> or
|
||||
<literal>rsa-2048-ecdsa-256-sha256-sha384-sha512</literal>). Unless
|
||||
disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
|
||||
<literal>pubkey-sha256-sha512</literal>,
|
||||
<literal>rsa-2048-sha256-sha384-sha512</literal> or
|
||||
<literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>).
|
||||
Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
|
||||
signature constraints are configured (refer to the description of the
|
||||
<option>local</option> section's <option>auth</option> keyword for
|
||||
details), such key types and hash algorithms are also applied as
|
||||
|
Loading…
Reference in New Issue
Block a user