···
irrespective of the value of this option (even when set to no).
228
-
childless = mkEnumParam [ "allow" "force" "never" ] "allow" ''
229
-
Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
230
-
are `allow` (the default), `force` and
231
-
`never`. If set to `allow`, responders
228
+
childless = mkEnumParam [ "allow" "prefer" "force" "never" ] "allow" ''
229
+
Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_).
231
+
Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first
232
+
CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an
233
+
independent DH exchange for all CHILD_SAs). Acceptable values are `allow`
234
+
(the default), `prefer`, `force` and `never`. If set to `allow`, responders
will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
233
-
response) while initiators continue to create regular IKE_SAs with the
234
-
first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated
235
-
explicitly without any children (which will fail if the responder does not
236
-
support or has disabled this extension). If set to
237
-
`force`, only childless initiation is accepted and the
238
-
first CHILD_SA is created with a separate CREATE_CHILD_SA exchange
239
-
(e.g. to use an independent DH exchange for all CHILD_SAs). Finally,
240
-
setting the option to `never` disables support for
241
-
childless IKE_SAs as responder.
236
+
response) while initiators continue to create regular IKE_SAs with the first
237
+
CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly
238
+
without any children (which will fail if the responder does not support or
239
+
has disabled this extension). The effect of `prefer` is the same as `allow`
240
+
on responders, but as initiator a childless IKE_SA is initiated if the
241
+
responder supports it. If set to `force`, only childless initiation is
242
+
accepted in either role. Finally, setting the option to `never` disables
243
+
support for childless IKE_SAs as responder.
send_certreq = mkYesNoParam yes ''
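Review bot: The `prefer` sentence in the new `childless` description says a childless IKE_SA is initiated "if the responder supports it" but does not say what the initiator does when the responder does not. The paragraph gives an independent DH exchange for all CHILD_SAs as the reason to use this mode, so state the fallback explicitly (presumably a regular IKE_SA with the first CHILD_SA created during IKE_AUTH, as with `allow`) and point readers who need childless initiation to be mandatory to `force`. The closing sentence also describes `never` only "as responder" while `force` is now described for "either role"; say what `never` means for an initiator. Minor: the one-line summary marks the values as `_allow_` while the paragraph below uses backticks, so pick one form.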
···
if_id_in = mkStrParam "0" ''
XFRM interface ID set on inbound policies/SA, can be overridden by child
config, see there for details.
363
+
The special value `%unique` allocates a unique interface ID per IKE_SA,
364
+
which is inherited by all its CHILD_SAs (unless overridden there), beyond
365
+
that the value `%unique-dir` assigns a different unique interface ID for
366
+
each direction (in/out).
if_id_out = mkStrParam "0" ''
XFRM interface ID set on outbound policies/SA, can be overridden by child
config, see there for details.
374
+
The special value `%unique` allocates a unique interface ID per IKE_SA,
375
+
which is inherited by all its CHILD_SAs (unless overridden there), beyond
376
+
that the value `%unique-dir` assigns a different unique interface ID for
377
+
each direction (in/out).
mediation = mkYesNoParam no ''
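Review bot: In both added paragraphs (`if_id_in` and `if_id_out`), "beyond that the value `%unique-dir` assigns ..." is attached to the `%unique` sentence with a comma, so it is unclear whether the inheritance and override rule in the preceding clause also applies to `%unique-dir`. Split it into its own sentence and repeat the inheritance rule if it applies. The text also does not say whether setting `%unique` on both `if_id_in` and `if_id_out` yields one shared ID or two, which is the distinction a reader needs to choose between `%unique` and `%unique-dir`; one clause covering that would help. Since the same four lines are duplicated under both options, any wording fix has to be made in both places.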
···
988
-
hw_offload = mkEnumParam ["yes" "no" "auto"] "no" ''
1001
+
hw_offload = mkEnumParam ["yes" "no" "auto" "crypto" "packet"] "no" ''
Enable hardware offload for this CHILD_SA, if supported by the IPsec
990
-
implementation. The value `yes` enforces offloading
991
-
and the installation will fail if it's not supported by either kernel or
992
-
device. The value `auto` enables offloading, if it's
993
-
supported, but the installation does not fail otherwise.
1003
+
implementation. The values `crypto` or `packet` enforce crypto or full
1004
+
packet offloading and the installation will fail if the selected mode is not
1005
+
supported by either kernel or device. On Linux, `packet` also offloads
1006
+
policies, including trap policies. The value `auto` enables full packet
1007
+
or crypto offloading, if either is supported, but the installation does not
copy_df = mkYesNoParam yes ''
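Review bot: `"yes"` stays in the enum on the new `hw_offload` line, but the rewritten description visible here only covers `crypto`, `packet` and `auto`, whereas the removed text explained `yes`. Unless that explanation sits in a part of the description not shown in this hunk, add a sentence saying what `yes` now selects (for example whether it is equivalent to `crypto`), or existing configurations that set `yes` are left with an accepted but undocumented value. The sentence "On Linux, `packet` also offloads policies, including trap policies" changes where policy enforcement happens, so it would be worth a short note there that `packet` is a behavioural change compared with `crypto`, not just a faster variant.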