diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
index 3eec9886811..2b28b57963e 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
@@ -431,6 +431,10 @@ in {
Priority of the routing table.
'';
+ rsa_pss = mkYesNoParam no ''
+ Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
+ '';
+
send_delay = mkIntParam 0 ''
Delay in ms for sending packets, to simulate larger RTT.
'';
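Review bot: The `rsa_pss` description says what the default padding is but not what the setting actually governs: which signature scheme charon uses when a connection's auth constraints are written as plain `pubkey`/`rsa` rather than an explicit `rsa/pss-…` scheme, which is how the swanctl-params wording added elsewhere in this diff describes it. Since enabling it changes the wire-level IKEv2 signature authentication (RSASSA-PSS via RFC 7427) and the peer must support that, the option text should say so: `Only affects connections whose auth constraints use pubkey or rsa; connections that specify rsa/pss explicitly use PSS regardless. The peer must support RFC 7427 signature authentication for PSS to work.` This is inferred from the related swanctl documentation in this change rather than from this hunk alone, so confirm against strongswan.conf(5) before wording it as fact.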
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
index 56a253d85d3..5fd2b4b0c0a 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
@@ -214,6 +214,11 @@ lib : with (import ./param-constructors.nix lib); {
virtual IP.
'';
+ eap-radius.accounting_send_class = mkYesNoParam no ''
+ If enabled, adds the Class attributes received in Access-Accept
+ message to the RADIUS accounting messages.
+ '';
+
eap-radius.class_group = mkYesNoParam no ''
Use the class attribute sent in the Access-Accept message as group
membership information, see EapRadius.
@@ -916,6 +921,11 @@ lib : with (import ./param-constructors.nix lib); {
strptime(3) format used to parse threshold option.
'';
+ systime-fix.timeout = mkDurationParam "0s" ''
+ How long to wait for a valid system time if an interval is
+ configured. 0 to recheck indefinitely.
+ '';
+
tnc-ifmap.client_cert = mkOptionalStrParam ''
Path to X.509 certificate file of IF-MAP client.
'';
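Review bot: The new `systime-fix.timeout` text refers to "an interval" without naming the option it depends on, and does not say what happens when the timeout elapses without the system time becoming valid — the behaviour that matters for an operator, since an invalid clock means certificate validity periods cannot be checked. Suggest wording along the lines of `How long to wait for a valid system time if systime-fix.interval is configured; 0 rechecks indefinitely. When the timeout expires without a valid time the daemon gives up waiting (see strongswan.conf(5) for the exact action).` The expiry behaviour is not visible in this hunk, so the last clause should be checked against upstream before being stated more precisely.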
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
index ad805305370..90828642da0 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-params.nix
@@ -144,12 +144,6 @@ in {
'';
};
- pacman.database = mkOptionalStrParam ''
- Database URI for the database that stores the package information. If it
- contains a password, make sure to adjust the permissions of the config
- file accordingly.
- '';
-
pki.load = mkSpaceSepListParam [] ''
Plugins to load in ipsec pki tool.
'';
@@ -174,6 +168,41 @@ in {
Plugins to load in ipsec scepclient tool.
'';
+ sec-updater = {
+ database = mkOptionalStrParam ''
+ Global IMV policy database URI. If it contains a password, make
+ sure to adjust the permissions of the config file accordingly.
+ '';
+
+ swid_gen.command = mkStrParam "/usr/local/bin/swid_generator" ''
+ SWID generator command to be executed.
+ '';
+
+ swid_gen.tag_creator.name = mkStrParam "strongSwan Project" ''
+ Name of the tagCreator entity.
+ '';
+
+ swid_gen.tag_creator.regid = mkStrParam "strongswan.org" ''
+ regid of the tagCreator entity.
+ '';
+
+ tnc_manage_command = mkStrParam "/var/www/tnc/manage.py" ''
+ strongTNC manage.py command used to import SWID tags.
+ '';
+
+ tmp.deb_file = mkStrParam "/tmp/sec-updater.deb" ''
+ Temporary storage for downloaded deb package file.
+ '';
+
+ tmp.tag_file = mkStrParam "/tmp/sec-updater.tag" ''
+ Temporary storage for generated SWID tags.
+ '';
+
+ load = mkSpaceSepListParam [] ''
+ Plugins to load in sec-updater tool.
+ '';
+ };
+
starter = {
config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
Location of the ipsec.conf file.
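Review bot: `tmp.deb_file` and `tmp.tag_file` (L82, L86) default to fixed, predictable filenames directly under the shared `/tmp`, which for a tool that downloads a package file and writes generated tags is the classic symlink / pre-created-file hazard if it runs as root on a multi-user host, and the other new defaults — `/usr/local/bin/swid_generator` (L66) and `/var/www/tnc/manage.py` (L78) — are FHS paths that do not exist on NixOS. These look like the upstream strongswan.conf defaults being mirrored verbatim, so the module is not wrong to carry them, but the descriptions should warn: for the two tmp options add `Defaults to a fixed path in the shared /tmp directory; point this at a private, non-world-writable directory when the tool runs with privileges.`, and for the two command options add `Upstream default; this path does not exist on NixOS, override it with the store path of the tool.` Whether the systemd unit isolates /tmp (PrivateTmp) is not visible in this diff and would change the severity of the first point.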
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index 095ae549730..39d184131c3 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -286,7 +286,7 @@ in {
On initiators this setting specifies whether an INITIAL_CONTACT notify is
sent during IKE_AUTH if no existing connection is found with the remote
peer (determined by the identities of the first authentication
- round). Only if set to keep or replace will the client send a notify.
+ round). Unless set to never the client will send a notify.
'';
reauth_time = mkDurationParam "0s" ''
@@ -444,7 +444,12 @@ in {
ike: prefix are configured any signature scheme
constraint (without ike: prefix) will also apply to
IKEv2 authentication, unless this is disabled in
- strongswan.conf.
+ strongswan.conf. To use RSASSA-PSS signatures use
+ rsa/pss instead of pubkey or
+ rsa as in e.g.
+ ike:rsa/pss-sha256. If pubkey or
+ rsa constraints are configured RSASSA-PSS signatures
+ will only be used if enabled in strongswan.conf(5).
'';
@@ -585,7 +590,12 @@ in {
section's keyword for
details), such key types and hash algorithms are also applied as
constraints against IKEv2 signature authentication schemes used by the
- remote side.
+ remote side. To require RSASSA-PSS signatures use
+ rsa/pss instead of pubkey or
+ rsa as in e.g. rsa/pss-sha256. If
+ pubkey or rsa constraints are
+ configured RSASSA-PSS signatures will only be accepted if enabled in
+ strongswan.conf(5).
To specify trust chain constraints for EAP-(T)TLS, append a colon to the
EAP method, followed by the key type/size and hash algorithm as
@@ -872,27 +882,39 @@ in {
'';
mark_in = mkStrParam "0/0x00000000" ''
- Netfilter mark and mask for input traffic. On Linux Netfilter may
- require marks on each packet to match an SA having that option set. This
- allows Netfilter rules to select specific tunnels for incoming
- traffic. The special value %unique sets a unique mark
- on each CHILD_SA instance, beyond that the value
- %unique-dir assigns a different unique mark for each
- CHILD_SA direction (in/out).
+ Netfilter mark and mask for input traffic. On Linux, Netfilter may
+ require marks on each packet to match an SA/policy having that option
+ set. This allows installing duplicate policies and enables Netfilter
+ rules to select specific SAs/policies for incoming traffic. Note that
+ inbound marks are only set on policies, by default, unless
+ is enabled. The special value
+ %unique sets a unique mark on each CHILD_SA instance,
+ beyond that the value %unique-dir assigns a different
+ unique mark for each
An additional mask may be appended to the mark, separated by
/. The default mask if omitted is
0xffffffff.
'';
+ mark_in_sa = mkYesNoParam no ''
+ Whether to set on the inbound SA. By default,
+ the inbound mark is only set on the inbound policy. The tuple destination
+ address, protocol and SPI is unique and the mark is not required to find
+ the correct SA, allowing to mark traffic after decryption instead (where
+ more specific selectors may be used) to match different policies. Marking
+ packets before decryption is still possible, even if no mark is set on
+ the SA.
+ '';
+
mark_out = mkStrParam "0/0x00000000" ''
- Netfilter mark and mask for output traffic. On Linux Netfilter may
- require marks on each packet to match a policy having that option
- set. This allows Netfilter rules to select specific tunnels for outgoing
- traffic. The special value %unique sets a unique mark
- on each CHILD_SA instance, beyond that the value
- %unique-dir assigns a different unique mark for each
- CHILD_SA direction (in/out).
+ Netfilter mark and mask for output traffic. On Linux, Netfilter may
+ require marks on each packet to match a policy/SA having that option
+ set. This allows installing duplicate policies and enables Netfilter
+ rules to select specific policies/SAs for outgoing traffic. The special
+ value %unique sets a unique mark on each CHILD_SA
+ instance, beyond that the value %unique-dir assigns a
+ different unique mark for each CHILD_SA direction (in/out).
An additional mask may be appended to the mark, separated by
/. The default mask if omitted is