mkdir -p './initramfs-tools/scripts/nfs-premount'
mkdir -p './initramfs-tools/scripts/nfs-top'
mkdir -p './initramfs-tools/scripts/panic'
+mkdir -p './ipsec.d/aacerts'
+mkdir -p './ipsec.d/acerts'
+mkdir -p './ipsec.d/cacerts'
+mkdir -p './ipsec.d/certs'
+mkdir -p './ipsec.d/crls'
+mkdir -p './ipsec.d/ocspcerts'
+mkdir -p './ipsec.d/policies'
+mkdir -p './ipsec.d/private'
+mkdir -p './ipsec.d/reqs'
mkdir -p './kernel/install.d'
mkdir -p './letsencrypt/renewal-hooks/deploy'
mkdir -p './letsencrypt/renewal-hooks/post'
mkdir -p './letsencrypt/renewal-hooks/pre'
+mkdir -p './logcheck/violations.ignore.d'
mkdir -p './monit/conf-available'
mkdir -p './networkd-dispatcher/dormant.d'
mkdir -p './networkd-dispatcher/no-carrier.d'
maybe chmod 0644 'apparmor.d/local/README'
maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
maybe chmod 0644 'apparmor.d/local/usr.bin.man'
+maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.charon'
+maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.stroke'
maybe chmod 0644 'apparmor.d/local/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d'
maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local'
maybe chmod 0644 'apparmor.d/usr.bin.man'
+maybe chmod 0644 'apparmor.d/usr.lib.ipsec.charon'
+maybe chmod 0644 'apparmor.d/usr.lib.ipsec.stroke'
maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd'
maybe chmod 0755 'init.d/fail2ban'
maybe chmod 0755 'init.d/grub-common'
maybe chmod 0755 'init.d/hwclock.sh'
+maybe chmod 0755 'init.d/ipsec'
maybe chmod 0755 'init.d/irqbalance'
maybe chmod 0755 'init.d/keyboard-setup.sh'
maybe chmod 0755 'init.d/kmod'
maybe chmod 0644 'iproute2/rt_tables'
maybe chmod 0755 'iproute2/rt_tables.d'
maybe chmod 0644 'iproute2/rt_tables.d/README'
+maybe chmod 0644 'ipsec.conf'
+maybe chmod 0755 'ipsec.d'
+maybe chmod 0755 'ipsec.d/aacerts'
+maybe chmod 0755 'ipsec.d/acerts'
+maybe chmod 0755 'ipsec.d/cacerts'
+maybe chmod 0755 'ipsec.d/certs'
+maybe chmod 0755 'ipsec.d/crls'
+maybe chmod 0755 'ipsec.d/ocspcerts'
+maybe chmod 0755 'ipsec.d/policies'
+maybe chmod 0700 'ipsec.d/private'
+maybe chmod 0755 'ipsec.d/reqs'
+maybe chmod 0600 'ipsec.secrets'
maybe chmod 0644 'issue'
maybe chmod 0644 'issue.net'
maybe chmod 0755 'kernel'
maybe chmod 0644 'logcheck/ignore.d.server/rsyslog'
maybe chmod 0755 'logcheck/ignore.d.workstation'
maybe chmod 0644 'logcheck/ignore.d.workstation/mysql-server-5_7'
+maybe chmod 0755 'logcheck/violations.ignore.d'
maybe chmod 0644 'login.defs'
maybe chmod 0644 'logrotate.conf'
maybe chmod 0755 'logrotate.d'
maybe chmod 0710 'ssl/private'
maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key'
maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key'
+maybe chmod 0644 'strongswan.conf'
+maybe chmod 0755 'strongswan.d'
+maybe chmod 0755 'strongswan.d/charon'
+maybe chmod 0644 'strongswan.d/charon-logging.conf'
+maybe chmod 0644 'strongswan.d/charon.conf'
+maybe chmod 0644 'strongswan.d/charon/aes.conf'
+maybe chmod 0644 'strongswan.d/charon/aesni.conf'
+maybe chmod 0644 'strongswan.d/charon/agent.conf'
+maybe chmod 0644 'strongswan.d/charon/attr.conf'
+maybe chmod 0644 'strongswan.d/charon/bypass-lan.conf'
+maybe chmod 0644 'strongswan.d/charon/connmark.conf'
+maybe chmod 0644 'strongswan.d/charon/constraints.conf'
+maybe chmod 0644 'strongswan.d/charon/counters.conf'
+maybe chmod 0644 'strongswan.d/charon/dnskey.conf'
+maybe chmod 0644 'strongswan.d/charon/eap-mschapv2.conf'
+maybe chmod 0644 'strongswan.d/charon/fips-prf.conf'
+maybe chmod 0644 'strongswan.d/charon/gcm.conf'
+maybe chmod 0644 'strongswan.d/charon/gmp.conf'
+maybe chmod 0644 'strongswan.d/charon/hmac.conf'
+maybe chmod 0644 'strongswan.d/charon/kernel-netlink.conf'
+maybe chmod 0644 'strongswan.d/charon/md4.conf'
+maybe chmod 0644 'strongswan.d/charon/md5.conf'
+maybe chmod 0644 'strongswan.d/charon/mgf1.conf'
+maybe chmod 0644 'strongswan.d/charon/nonce.conf'
+maybe chmod 0644 'strongswan.d/charon/openssl.conf'
+maybe chmod 0644 'strongswan.d/charon/pem.conf'
+maybe chmod 0644 'strongswan.d/charon/pgp.conf'
+maybe chmod 0644 'strongswan.d/charon/pkcs1.conf'
+maybe chmod 0644 'strongswan.d/charon/pkcs12.conf'
+maybe chmod 0644 'strongswan.d/charon/pkcs7.conf'
+maybe chmod 0644 'strongswan.d/charon/pkcs8.conf'
+maybe chmod 0644 'strongswan.d/charon/pubkey.conf'
+maybe chmod 0644 'strongswan.d/charon/random.conf'
+maybe chmod 0644 'strongswan.d/charon/rc2.conf'
+maybe chmod 0644 'strongswan.d/charon/resolve.conf'
+maybe chmod 0644 'strongswan.d/charon/revocation.conf'
+maybe chmod 0644 'strongswan.d/charon/sha1.conf'
+maybe chmod 0644 'strongswan.d/charon/sha2.conf'
+maybe chmod 0644 'strongswan.d/charon/socket-default.conf'
+maybe chmod 0644 'strongswan.d/charon/sshkey.conf'
+maybe chmod 0644 'strongswan.d/charon/stroke.conf'
+maybe chmod 0644 'strongswan.d/charon/updown.conf'
+maybe chmod 0644 'strongswan.d/charon/x509.conf'
+maybe chmod 0644 'strongswan.d/charon/xauth-generic.conf'
+maybe chmod 0644 'strongswan.d/charon/xcbc.conf'
+maybe chmod 0644 'strongswan.d/pool.conf'
+maybe chmod 0644 'strongswan.d/starter.conf'
maybe chmod 0644 'subgid'
maybe chmod 0644 'subgid-'
maybe chmod 0644 'subuid'
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+# Ryan Harper <ryan.harper@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/charon flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/authentication>
+ #include <abstractions/openssl>
+ #include <abstractions/p11-kit>
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ # allow priv dropping (LP: #1333655)
+ capability chown,
+ capability setgid,
+ capability setuid,
+
+ # libcharon-extra-plugins: xauth-pam
+ capability audit_write,
+
+ # libstrongswan-standard-plugins: agent
+ capability dac_override,
+
+ capability net_admin,
+ capability net_raw,
+
+ network,
+ network raw,
+
+ /bin/dash rmPUx,
+
+ # libchron-extra-plugins: kernel-libipsec
+ /dev/net/tun rw,
+
+ /etc/ipsec.conf r,
+ /etc/ipsec.secrets r,
+ /etc/ipsec.*.secrets r,
+ /etc/ipsec.d/ r,
+ /etc/ipsec.d/** r,
+ /etc/ipsec.d/crls/* rw,
+ /etc/opensc/opensc.conf r,
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+ /etc/tnc_config r,
+
+ /proc/sys/net/core/xfrm_acq_expires w,
+
+ /run/charon.* rw,
+ /run/pcscd/pcscd.comm rw,
+
+ /usr/lib/ipsec/charon rmix,
+ /usr/lib/ipsec/imcvs/ r,
+ /usr/lib/ipsec/imcvs/** rm,
+
+ /usr/lib/*/opensc-pkcs11.so rm,
+
+ /var/lib/strongswan/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.charon>
+}
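Review bot: `capability net_admin,` and `capability net_raw,` are granted twice in this profile (first right after the abstractions, again just before `network,`); the second pair is redundant and should be dropped so the capability list reads as a single inventory. The comment above the `/dev/net/tun` rule misspells the package (`libchron-extra-plugins` → `libcharon-extra-plugins`). The `/bin/dash rmPUx,` rule deserves a comment, since it is the one place where execution leaves this profile: with `PUx` the child runs under a `/bin/dash` profile only if one is loaded and otherwise unconfined (environment scrubbed), so anything charon launches through the shell — the updown scripts, presumably — is not mediated by this profile; I would add `# updown/exec via the shell: PUx → unconfined unless a /bin/dash profile is loaded` above the rule so the scope of the confinement is explicit to whoever edits `local/usr.lib.ipsec.charon`.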
--- /dev/null
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies <jonathan.davies@canonical.com>
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/lib/ipsec/stroke flags=(attach_disconnected) {
+ #include <abstractions/base>
+
+ capability dac_override,
+
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ /run/charon.ctl rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.ipsec.stroke>
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: ipsec
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Strongswan IPsec services
+### END INIT INFO
+
+# Author: Rene Mayrhofer <rene@mayrhofer.eu.org>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="strongswan IPsec services"
+NAME=ipsec
+STARTER=/usr/sbin/$NAME
+PIDFILE=/var/run/charon.pid
+CHARON=/usr/lib/ipsec/charon
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$STARTER" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+# Create lock dir
+mkdir -p /var/lock/subsys
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ # test if charon is currently running
+ if [ -e $CHARON ]; then
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $CHARON --test > /dev/null \
+ || return 1
+ fi
+
+ $STARTER start || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ # give the proper signal to stop
+ $STARTER stop || return 2
+
+ RETVAL=0
+ # but kill if that didn't work
+ if [ -e $PIDFILE ]; then
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ fi
+
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ if [ -e $CHARON ]; then
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $CHARON
+ [ "$?" = 2 ] && return 2
+ fi
+
+ # strongswan is known to leave PID files behind when something goes wrong, cleanup here
+ rm -f $PIDFILE
+ # and just to make sure they are really really dead at this point...
+ killall -9 $CHARON 2>/dev/null
+
+ return "$RETVAL"
+}
+
+do_reload() {
+ $STARTER reload
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ $STARTER status || exit $?
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
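Review bot: `do_reload` always returns 0, so a failed `$STARTER reload` is reported as success by the `reload|force-reload` branch (`log_end_msg $?` sees the forced 0); the function should propagate the starter's status, i.e. `do_reload() {` / `$STARTER reload` / `}` with the `return 0` removed, which also makes `force-reload` behave like the `start`/`stop` branches that do inspect the result. The cleanup in `do_stop` relies on `killall -9 $CHARON` after the retry loops; that is acceptable only because `$CHARON` is a full path (psmisc `killall` then matches by executed file rather than by name), which is worth a one-line comment there, e.g. `# full path: killall matches by executable, not by process name`. The unquoted `$CHARON`/`$PIDFILE` tests are harmless since both are fixed constants set at the top of the script, but quoting them would make that independent of future edits to `/etc/default/ipsec`.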
--- /dev/null
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
--- /dev/null
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
bind:x:116:122::/var/cache/bind:/usr/sbin/nologin
opendmarc:x:117:123::/var/run/opendmarc:/usr/sbin/nologin
serverbackup:x:1001:1001:backup:/home/serverbackup:/bin/bash
+strongswan:x:118:65534::/var/lib/strongswan:/usr/sbin/nologin
debian-spamd:x:115:121::/var/lib/spamassassin:/bin/sh
bind:x:116:122::/var/cache/bind:/usr/sbin/nologin
opendmarc:x:117:123::/var/run/opendmarc:/usr/sbin/nologin
+serverbackup:x:1001:1001:backup:/home/serverbackup:/bin/bash
+strongswan:x:118:65534::/var/lib/strongswan:/usr/sbin/nologin
bind:*:17844:0:99999:7:::
opendmarc:*:17846:0:99999:7:::
serverbackup:!:17884:0:99999:7:::
+strongswan:*:17894:0:99999:7:::
debian-spamd:*:17840:0:99999:7:::
bind:*:17844:0:99999:7:::
opendmarc:*:17846:0:99999:7:::
+serverbackup:!:17884:0:99999:7:::
+strongswan:*:17894:0:99999:7:::
--- /dev/null
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+}
+
+include strongswan.d/*.conf
--- /dev/null
+charon {
+
+ # Section to define file loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ filelog {
+
+ # <filename> is the full path to the log file.
+ # <filename> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # If this option is enabled log entries are appended to the existing
+ # file.
+ # append = yes
+
+ # Default loglevel.
+ # default = 1
+
+ # Enabling this option disables block buffering and enables line
+ # buffering.
+ # flush_line = no
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # Adds the milliseconds within the current second after the
+ # timestamp (separated by a dot, so time_format should end with %S
+ # or %T).
+ # time_add_ms = no
+
+ # Prefix each log entry with a timestamp. The option accepts a
+ # format string as passed to strftime(3).
+ # time_format =
+
+ # }
+
+ }
+
+ # Section to define syslog loggers, see LOGGER CONFIGURATION in
+ # strongswan.conf(5).
+ syslog {
+
+ # Identifier for use with openlog(3).
+ # identifier =
+
+ # <facility> is one of the supported syslog facilities, see LOGGER
+ # CONFIGURATION in strongswan.conf(5).
+ # <facility> {
+
+ # Loglevel for a specific subsystem.
+ # <subsystem> = <default>
+
+ # Default loglevel.
+ # default = 1
+
+ # Prefix each log entry with the connection name and a unique
+ # numerical identifier for each IKE_SA.
+ # ike_name = no
+
+ # }
+
+ }
+
+}
+
--- /dev/null
+# Options for the charon IKE daemon.
+charon {
+
+ # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
+ # accept_unencrypted_mainmode_messages = no
+
+ # Maximum number of half-open IKE_SAs for a single peer IP.
+ # block_threshold = 5
+
+ # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
+ # should be saved under a unique file name derived from the public key of
+ # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
+ # /etc/swanctl/x509crl (vici), respectively.
+ # cache_crls = no
+
+ # Whether relations in validated certificate chains should be cached in
+ # memory.
+ # cert_cache = yes
+
+ # Send Cisco Unity vendor ID payload (IKEv1 only).
+ # cisco_unity = no
+
+ # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
+ # close_ike_on_child_failure = no
+
+ # Number of half-open IKE_SAs that activate the cookie mechanism.
+ # cookie_threshold = 10
+
+ # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
+ # delete_rekeyed = no
+
+ # Delay in seconds until inbound IPsec SAs are deleted after rekeyings
+ # (IKEv2 only).
+ # delete_rekeyed_delay = 5
+
+ # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
+ # strength.
+ # dh_exponent_ansi_x9_42 = yes
+
+ # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
+ # missing symbols immediately.
+ # dlopen_use_rtld_now = no
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns1 =
+
+ # DNS server assigned to peer via configuration payload (CP).
+ # dns2 =
+
+ # Enable Denial of Service protection using cookies and aggressiveness
+ # checks.
+ # dos_protection = yes
+
+ # Compliance with the errata for RFC 4753.
+ # ecp_x_coordinate_only = yes
+
+ # Free objects during authentication (might conflict with plugins).
+ # flush_auth_cfg = no
+
+ # Whether to follow IKEv2 redirects (RFC 5685).
+ # follow_redirects = yes
+
+ # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
+ # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
+ # to 1280 (use 0 for address family specific default values, which uses a
+ # lower value for IPv4). If specified this limit is used for both IPv4 and
+ # IPv6.
+ # fragment_size = 1280
+
+ # Name of the group the daemon changes to after startup.
+ # group =
+
+ # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
+ # half_open_timeout = 30
+
+ # Enable hash and URL support.
+ # hash_and_url = no
+
+ # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
+ # i_dont_care_about_security_and_use_aggressive_mode_psk = no
+
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
+ # A space-separated list of routing tables to be excluded from route
+ # lookups.
+ # ignore_routing_tables =
+
+ # Maximum number of IKE_SAs that can be established at the same time before
+ # new connection attempts are blocked.
+ # ikesa_limit = 0
+
+ # Number of exclusively locked segments in the hash table.
+ # ikesa_table_segments = 1
+
+ # Size of the IKE_SA hash table.
+ # ikesa_table_size = 1
+
+ # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
+ # inactivity_close_ike = no
+
+ # Limit new connections based on the current number of half open IKE_SAs,
+ # see IKE_SA_INIT DROPPING in strongswan.conf(5).
+ # init_limit_half_open = 0
+
+ # Limit new connections based on the number of queued jobs.
+ # init_limit_job_load = 0
+
+ # Causes charon daemon to ignore IKE initiation requests.
+ # initiator_only = no
+
+ # Install routes into a separate routing table for established IPsec
+ # tunnels.
+ # install_routes = yes
+
+ # Install virtual IP addresses.
+ # install_virtual_ip = yes
+
+ # The name of the interface on which virtual IP addresses should be
+ # installed.
+ # install_virtual_ip_on =
+
+ # Check daemon, libstrongswan and plugin integrity at startup.
+ # integrity_test = no
+
+ # A comma-separated list of network interfaces that should be ignored, if
+ # interfaces_use is specified this option has no effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces that should be used by
+ # charon. All other interfaces are ignored.
+ # interfaces_use =
+
+ # NAT keep alive interval.
+ # keep_alive = 20s
+
+ # Plugins to load in the IKE daemon charon.
+ # load =
+
+ # Determine plugins to load via each plugin's load option.
+ # load_modular = no
+
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
+ # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
+ # and track concurrently.
+ # max_ikev1_exchanges = 3
+
+ # Maximum packet size accepted by charon.
+ # max_packet = 10000
+
+ # Enable multiple authentication exchanges (RFC 4739).
+ # multiple_authentication = yes
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns1 =
+
+ # WINS servers assigned to peer via configuration payload (CP).
+ # nbns2 =
+
+ # UDP port used locally. If set to 0 a random port will be allocated.
+ # port = 500
+
+ # UDP port used locally in case of NAT-T. If set to 0 a random port will be
+ # allocated. Has to be different from charon.port, otherwise a random port
+ # will be allocated.
+ # port_nat_t = 4500
+
+ # Whether to prefer updating SAs to the path with the best route.
+ # prefer_best_path = no
+
+ # Prefer locally configured proposals for IKE/IPsec over supplied ones as
+ # responder (disabling this can avoid keying retries due to
+ # INVALID_KE_PAYLOAD notifies).
+ # prefer_configured_proposals = yes
+
+ # By default public IPv6 addresses are preferred over temporary ones (RFC
+ # 4941), to make connections more stable. Enable this option to reverse
+ # this.
+ # prefer_temporary_addrs = no
+
+ # Process RTM_NEWROUTE and RTM_DELROUTE events.
+ # process_route = yes
+
+ # Delay in ms for receiving packets, to simulate larger RTT.
+ # receive_delay = 0
+
+ # Delay request messages.
+ # receive_delay_request = yes
+
+ # Delay response messages.
+ # receive_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # receive_delay_type = 0
+
+ # Size of the AH/ESP replay window, in packets.
+ # replay_window = 32
+
+ # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
+ # in strongswan.conf(5).
+ # retransmit_base = 1.8
+
+ # Maximum jitter in percent to apply randomly to calculated retransmission
+ # timeout (0 to disable).
+ # retransmit_jitter = 0
+
+ # Upper limit in seconds for calculated retransmission timeout (0 to
+ # disable).
+ # retransmit_limit = 0
+
+ # Timeout in seconds before sending first retransmit.
+ # retransmit_timeout = 4.0
+
+ # Number of times to retransmit a packet before giving up.
+ # retransmit_tries = 5
+
+ # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
+ # DNS resolution failed), 0 to disable retries.
+ # retry_initiate_interval = 0
+
+ # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
+ # reuse_ikesa = yes
+
+ # Numerical routing table to install routes to.
+ # routing_table =
+
+ # Priority of the routing table.
+ # routing_table_prio =
+
+ # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
+ # rsa_pss = no
+
+ # Delay in ms for sending packets, to simulate larger RTT.
+ # send_delay = 0
+
+ # Delay request messages.
+ # send_delay_request = yes
+
+ # Delay response messages.
+ # send_delay_response = yes
+
+ # Specific IKEv2 message type to delay, 0 for any.
+ # send_delay_type = 0
+
+ # Send strongSwan vendor ID payload
+ # send_vendor_id = no
+
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
+ # The upper limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_max = 0xcfffffff
+
+ # The lower limit for SPIs requested from the kernel for IPsec SAs.
+ # spi_min = 0xc0000000
+
+ # Number of worker threads in charon.
+ # threads = 16
+
+ # Name of the user the daemon changes to after startup.
+ # user =
+
+ crypto_test {
+
+ # Benchmark crypto algorithms and order them by efficiency.
+ # bench = no
+
+ # Buffer size used for crypto benchmark.
+ # bench_size = 1024
+
+ # Number of iterations to test each algorithm.
+ # bench_time = 50
+
+ # Test crypto algorithms during registration (requires test vectors
+ # provided by the test-vectors plugin).
+ # on_add = no
+
+ # Test crypto algorithms on each crypto primitive instantiation.
+ # on_create = no
+
+ # Strictly require at least one test vector to enable an algorithm.
+ # required = no
+
+ # Whether to test RNG with TRUE quality; requires a lot of entropy.
+ # rng_true = no
+
+ }
+
+ host_resolver {
+
+ # Maximum number of concurrent resolver threads (they are terminated if
+ # unused).
+ # max_threads = 3
+
+ # Minimum number of resolver threads to keep around.
+ # min_threads = 0
+
+ }
+
+ leak_detective {
+
+ # Includes source file names and line numbers in leak detective output.
+ # detailed = yes
+
+ # Threshold in bytes for leaks to be reported (0 to report all).
+ # usage_threshold = 10240
+
+ # Threshold in number of allocations for leaks to be reported (0 to
+ # report all).
+ # usage_threshold_count = 0
+
+ }
+
+ processor {
+
+ # Section to configure the number of reserved threads per priority class
+ # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
+ priority_threads {
+
+ }
+
+ }
+
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is started.
+ start-scripts {
+
+ }
+
+ # Section containing a list of scripts (name = path) that are executed when
+ # the daemon is terminated.
+ stop-scripts {
+
+ }
+
+ tls {
+
+ # List of TLS encryption ciphers.
+ # cipher =
+
+ # List of TLS key exchange methods.
+ # key_exchange =
+
+ # List of TLS MAC algorithms.
+ # mac =
+
+ # List of TLS cipher suites.
+ # suites =
+
+ }
+
+ x509 {
+
+ # Discard certificates with unsupported or unknown critical extensions.
+ # enforce_critical = yes
+
+ }
+
+}
+
--- /dev/null
+aes {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+aesni {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+agent {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+# Section to specify arbitrary attributes that are assigned to a peer via
+# configuration payload (CP).
+attr {
+
+ # <attr> is an attribute name or an integer, values can be an IP address,
+ # subnet or arbitrary value.
+ # <attr> =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+bypass-lan {
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be ignored, if interfaces_use is specified this option has no
+ # effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be considered. All other interfaces are ignored.
+ # interfaces_use =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = no
+
+}
+
--- /dev/null
+connmark {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+constraints {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+counters {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+dnskey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+eap-mschapv2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+fips-prf {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+gcm {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+gmp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+hmac {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+kernel-netlink {
+
+ # Buffer size for received Netlink messages.
+ # buflen = <min(PAGE_SIZE, 8192)>
+
+ # Force maximum Netlink receive buffer on Netlink socket.
+ # force_receive_buffer_size = no
+
+ # Firewall mark to set on the routing rule that directs traffic to our
+ # routing table.
+ # fwmark =
+
+ # Whether to ignore errors potentially resulting from a retransmission.
+ # ignore_retransmit_errors = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # MSS to set on installed routes, 0 to disable.
+ # mss = 0
+
+ # MTU to set on installed routes, 0 to disable.
+ # mtu = 0
+
+ # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ # parallel_route = no
+
+ # Whether to perform concurrent Netlink XFRM queries on a single socket.
+ # parallel_xfrm = no
+
+ # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+ # policy_update = no
+
+ # Whether to use port or socket based IKE XFRM bypass policies.
+ # port_bypass = no
+
+ # Whether to process changes in routing rules to trigger roam events.
+ # process_rules = no
+
+ # Maximum Netlink socket receive buffer in bytes.
+ # receive_buffer_size = 0
+
+ # Number of Netlink message retransmissions to send on timeout.
+ # retries = 0
+
+ # Whether to trigger roam events when interfaces, addresses or routes
+ # change.
+ # roam_events = yes
+
+ # Whether to set protocol and ports in the selector installed on transport
+ # mode IPsec SAs in the kernel.
+ # set_proto_port_transport_sa = no
+
+ # Netlink message retransmission timeout, 0 to disable retransmissions.
+ # timeout = 0
+
+ # Lifetime of XFRM acquire state and allocated SPIs in kernel.
+ # xfrm_acq_expires = 165
+
+ # XFRM policy hashing threshold configuration for IPv4 and IPv6.
+ spdh_thresh {
+
+ ipv4 {
+
+ # Local subnet XFRM policy hashing threshold for IPv4.
+ # lbits = 32
+
+ # Remote subnet XFRM policy hashing threshold for IPv4.
+ # rbits = 32
+
+ }
+
+ ipv6 {
+
+ # Local subnet XFRM policy hashing threshold for IPv6.
+ # lbits = 128
+
+ # Remote subnet XFRM policy hashing threshold for IPv6.
+ # rbits = 128
+
+ }
+
+ }
+
+}
+
--- /dev/null
+md4 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
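Review bot: `md4`, `md5` and `rc2` are loaded unconditionally (`load = yes` here and in the `md5.conf` and `rc2.conf` hunks below), while the `ipsec.conf` added in this same commit defines no connections, so nothing on the page shows these legacy algorithms are actually needed. md4 is, as far as I recall, required by the `eap-mschapv2` plugin that is also enabled, and md5 may be needed for IKEv1 peers, so the right setting depends on the connections this host will carry; I would record that decision in a comment next to each `load` line (e.g. `# kept for eap-mschapv2; set to no if only IKEv2 with SHA-2 peers is used`) rather than leave the defaults unexplained. A quick `ipsec listalgs` after the connections are configured would confirm which of the three can be switched to `load = no`.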
--- /dev/null
+md5 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+mgf1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+nonce {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+openssl {
+
+ # ENGINE ID to use in the OpenSSL plugin.
+ # engine_id = pkcs11
+
+ # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+ # fips_mode = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pem {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pgp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pkcs1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pkcs12 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pkcs7 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pkcs8 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pubkey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+random {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read random bytes from.
+ # random = ${random_device}
+
+ # If set to yes the RNG_STRONG class reads random bytes from the same source
+ # as the RNG_TRUE class.
+ # strong_equals_true = no
+
+ # File to read pseudo random bytes from.
+ # urandom = ${urandom_device}
+
+}
+
--- /dev/null
+rc2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+resolve {
+
+ # File where to add DNS server entries.
+ # file = /etc/resolv.conf
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ resolvconf {
+
+ # Prefix used for interface names sent to resolvconf(8).
+ # iface_prefix = lo.inet.ipsec.
+
+ }
+
+}
+
--- /dev/null
+revocation {
+
+ # Whether CRL validation should be enabled.
+ # enable_crl = yes
+
+ # Whether OCSP validation should be enabled.
+ # enable_ocsp = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+sha1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+sha2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+socket-default {
+
+ # Firewall mark to set on outbound packets.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Set source address on outbound packets, if possible.
+ # set_source = yes
+
+ # Force sending interface on outbound packets, if possible.
+ # set_sourceif = no
+
+ # Listen on IPv4, if possible.
+ # use_ipv4 = yes
+
+ # Listen on IPv6, if possible.
+ # use_ipv6 = yes
+
+}
+
--- /dev/null
+sshkey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+stroke {
+
+ # Analyze addresses/hostnames in left|right to detect which side is local
+ # and swap configuration options if necessary. If disabled left is always
+ # local.
+ # allow_swap = yes
+
+ # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ # certificates even if they don't contain a CA basic constraint.
+ # ignore_missing_ca_basic_constraint = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of stroke messages handled concurrently.
+ # max_concurrent = 4
+
+ # If enabled log level changes via stroke socket are not allowed.
+ # prevent_loglevel_changes = no
+
+ # Location of the ipsec.secrets file
+ # secrets_file = ${sysconfdir}/ipsec.secrets
+
+ # Socket provided by the stroke plugin.
+ # socket = unix://${piddir}/charon.ctl
+
+ # Timeout in ms for any stroke command. Use 0 to disable the timeout.
+ # timeout = 0
+
+}
+
--- /dev/null
+updown {
+
+ # Whether the updown script should handle assigned DNS servers (if enabled
+ # they can't be handled by other plugins, like resolve).
+ # dns_handler = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+x509 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+xauth-generic {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+xcbc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
--- /dev/null
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
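Review bot: The commented `database =` key is the one setting in this stanza that can carry a credential, and the stanza's own comment only mentions file permissions; if /etc is under version tracking (this diff looks like such a tracker's output), a URI with a password written here would also land in the repository history, not just on disk. If a pool database is ever configured, keep the URI in a separate file with restricted mode that the main strongswan.conf includes and exclude that file from tracking, rather than editing this file in place. A comment next to the key, `# Do not put credentials in this file: keep the URI in a separately-permissioned, untracked include`, would make that explicit to whoever enables the pool tool later.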
--- /dev/null
+starter {
+
+ # Location of the ipsec.conf file
+ # config_file = ${sysconfdir}/ipsec.conf
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
--- /dev/null
+/lib/systemd/system/strongswan.service
\ No newline at end of file