public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

strongswan-swanctl: support strongswan-5.6.2 configuration options

Browse Source
This commit is contained in:
Bas van Dijk 2018-02-28 11:04:41 +01:00
parent 7c94804680
commit 592a89befc
3 changed files with 37 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
View File

@ -19,7 +19,7 @@ in {
''; '';
cache_crls = mkYesNoParam no '' cache_crls = mkYesNoParam no ''
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
should be saved under a unique file name derived from the public should be saved under a unique file name derived from the public
key of the Certification Authority (CA) to key of the Certification Authority (CA) to
<literal>/etc/ipsec.d/crls</literal> (stroke) or <literal>/etc/ipsec.d/crls</literal> (stroke) or

33
nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
View File

@ -423,6 +423,12 @@ lib : with (import ./param-constructors.nix lib); {
nodes. Set to 0 to disable. nodes. Set to 0 to disable.
''; '';
ha.buflen = mkIntParam 2048 ''
Buffer size for received HA messages. For IKEv1 the public DH factors are
also transmitted so depending on the DH group the HA messages can get quite
big (the default should be fine up to <literal>modp4096</literal>).
'';
ha.fifo_interface = mkYesNoParam yes ""; ha.fifo_interface = mkYesNoParam yes "";
ha.heartbeat_delay = mkIntParam 1000 ""; ha.heartbeat_delay = mkIntParam 1000 "";
@ -461,7 +467,7 @@ lib : with (import ./param-constructors.nix lib); {
If the maximum Netlink socket receive buffer in bytes set by If the maximum Netlink socket receive buffer in bytes set by
receive_buffer_size exceeds the system-wide maximum from receive_buffer_size exceeds the system-wide maximum from
<literal>/proc/sys/net/core/rmem_max</literal>, this option can be used to <literal>/proc/sys/net/core/rmem_max</literal>, this option can be used to
override the limit. Enabling this option requires special priviliges override the limit. Enabling this option requires special privileges
(CAP_NET_ADMIN). (CAP_NET_ADMIN).
''; '';
@ -482,6 +488,12 @@ lib : with (import ./param-constructors.nix lib); {
MTU to set on installed routes, 0 to disable. MTU to set on installed routes, 0 to disable.
''; '';
kernel-netlink.process_rules = mkYesNoParam no ''
Whether to process changes in routing rules to trigger roam events. This is
currently only useful if the kernel based route lookup is used (i.e. if
route installation is disabled or an inverted fwmark match is configured).
'';
kernel-netlink.receive_buffer_size = mkIntParam 0 '' kernel-netlink.receive_buffer_size = mkIntParam 0 ''
Maximum Netlink socket receive buffer in bytes. This value controls how many Maximum Netlink socket receive buffer in bytes. This value controls how many
bytes of Netlink messages can be received on a Netlink socket. The default bytes of Netlink messages can be received on a Netlink socket. The default
@ -845,6 +857,25 @@ lib : with (import ./param-constructors.nix lib); {
Whether OCSP validation should be enabled. Whether OCSP validation should be enabled.
''; '';
save-keys.load = mkYesNoParam no ''
Whether to load the plugin.
'';
save-keys.esp = mkYesNoParam no ''
Whether to save ESP keys.
'';
save-keys.ike = mkYesNoParam no ''
Whether to save IKE keys.
'';
save-keys.wireshark_keys = mkOptionalStrParam ''
Directory where the keys are stored in the format supported by Wireshark.
IKEv1 keys are stored in the <literal>ikev1_decryption_table</literal> file.
IKEv2 keys are stored in the <literal>ikev2_decryption_table</literal> file.
Keys for ESP CHILD_SAs are stored in the <literal>esp_sa</literal> file.
'';
socket-default.fwmark = mkOptionalStrParam '' socket-default.fwmark = mkOptionalStrParam ''
Firewall mark to set on outbound packets (a possible use case are Firewall mark to set on outbound packets (a possible use case are
host-to-host tunnels with kernel-libipsec). host-to-host tunnels with kernel-libipsec).

7
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
View File

@ -583,9 +583,10 @@ in {
<literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of <literal>rsa-2048-ecdsa-256</literal>). To limit the acceptable set of
hashing algorithms for trustchain validation, append hash algorithms to hashing algorithms for trustchain validation, append hash algorithms to
pubkey or a key strength definition (for example pubkey or a key strength definition (for example
<literal>pubkey-sha1-sha256</literal> or <literal>pubkey-sha256-sha512</literal>,
<literal>rsa-2048-ecdsa-256-sha256-sha384-sha512</literal>). Unless <literal>rsa-2048-sha256-sha384-sha512</literal> or
disabled in <literal>strongswan.conf</literal>, or explicit IKEv2 <literal>rsa-2048-sha256-ecdsa-256-sha256-sha384</literal>).
Unless disabled in <literal>strongswan.conf</literal>, or explicit IKEv2
signature constraints are configured (refer to the description of the signature constraints are configured (refer to the description of the
<option>local</option> section's <option>auth</option> keyword for <option>local</option> section's <option>auth</option> keyword for
details), such key types and hash algorithms are also applied as details), such key types and hash algorithms are also applied as