Commit graph

10808 commits

Author SHA1 Message Date
Martin Willi
9eaed7a5bb Use INIT macro to initialize IKE_SA manager entries 2013-02-25 12:10:02 +01:00
Reto Buerki
b32e732b2f Check kvm command existence in start-testing 2013-02-22 19:22:08 +01:00
Martin Willi
b443fa6123 Don't reject OPAQUE ports while verifying traffic selector substructure 2013-02-21 11:52:33 +01:00
Martin Willi
0abeac3a0b Document ipsec.conf leftprotoport extensions in manpage 2013-02-21 11:52:33 +01:00
Martin Willi
0e7ef7f522 Optionally support port ranges in leftprotoport 2013-02-21 11:52:33 +01:00
Martin Willi
fd658bce28 Support %opaque keyword in leftprotoport for "opaque" ports 2013-02-21 11:52:33 +01:00
Martin Willi
cd41b951ee Pass complete port range over stroke interface for more flexibility 2013-02-21 11:52:33 +01:00
Martin Willi
a1db77de7c Use a complete port range in traffic_selector_create_from_{subnet,cidr} 2013-02-21 11:52:33 +01:00
Martin Willi
c572b5c8c1 Print OPAQUE traffic selectors as what they are, not as port range 2013-02-21 11:52:33 +01:00
Martin Willi
7b368af61a Support "opaque" ports in traffic selector subset calculation 2013-02-21 10:51:19 +01:00
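The traffic selector commits above (port ranges and %opaque in leftprotoport, printing OPAQUE selectors by name, and the subset calculation) all rest on one representation detail: IKEv2 encodes OPAQUE as the otherwise impossible port range 65535-0. The C program below is an added example and not strongSwan's traffic_selector_t code. It parses a leftprotoport-style spec, intersects two selectors and prints the result. The accepted syntax, the overlap rules (taken from RFC 4301 section 4.4.1.1, where ANY also matches OPAQUE but a concrete port range does not) and the output format are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port part of a traffic selector. 0-65535 means "any port". IKEv2 (RFC 5996)
 * encodes OPAQUE, the selector for packets whose transport ports cannot be read
 * (e.g. non-initial fragments), as start port 65535 and end port 0. */
typedef struct {
    uint8_t  proto;          /* IP protocol number, 0 = any protocol */
    uint16_t from_port;
    uint16_t to_port;
} ts_ports_t;

bool ts_is_opaque(const ts_ports_t *ts)   { return ts->from_port == 65535 && ts->to_port == 0; }
bool ts_is_any_port(const ts_ports_t *ts) { return ts->from_port == 0 && ts->to_port == 65535; }

/* Parse an unsigned decimal <= 65535; *end is left at the first unparsed character. */
static bool parse_u16(const char *s, const char **end, uint16_t *val)
{
    char *e;
    unsigned long v;
    if (*s < '0' || *s > '9') return false;
    v = strtoul(s, &e, 10);
    if (v > 65535) return false;
    *val = (uint16_t)v; *end = e;
    return true;
}

/* Parse a leftprotoport-style "<proto>[/<ports>]" spec. Assumed syntax (this
 * example's, not necessarily ipsec.conf's): numeric protocol; ports given as
 * "%any", "%opaque", "N" or "N-M", with port 0 meaning any port. */
bool parse_protoport(const char *spec, ts_ports_t *out)
{
    const char *end;
    uint16_t v;
    memset(out, 0, sizeof(*out));
    out->to_port = 65535;
    if (!parse_u16(spec, &end, &v) || v > 255) return false;
    out->proto = (uint8_t)v;
    if (*end == '\0') return true;                  /* "<proto>" alone: any port */
    if (*end++ != '/') return false;
    if (strcmp(end, "%any") == 0) return true;
    if (strcmp(end, "%opaque") == 0) {
        out->from_port = 65535; out->to_port = 0;
        return true;
    }
    if (!parse_u16(end, &end, &v)) return false;
    if (*end == '\0') {                             /* single port */
        if (v) out->from_port = out->to_port = v;
        return true;
    }
    if (*end != '-') return false;
    out->from_port = v;
    if (!parse_u16(end + 1, &end, &v) || *end != '\0') return false;
    out->to_port = v;
    return out->from_port <= out->to_port;  /* "65535-0" must not silently become OPAQUE */
}

/* Intersection of two selectors, false if disjoint. Follows RFC 4301: ANY also
 * matches OPAQUE, but a concrete port range never overlaps OPAQUE. */
bool ts_subset(const ts_ports_t *a, const ts_ports_t *b, ts_ports_t *out)
{
    if (a->proto && b->proto && a->proto != b->proto) return false;
    out->proto = a->proto ? a->proto : b->proto;
    if (ts_is_opaque(a) || ts_is_opaque(b)) {
        const ts_ports_t *other = ts_is_opaque(a) ? b : a;
        if (!ts_is_opaque(other) && !ts_is_any_port(other)) return false;
        out->from_port = 65535; out->to_port = 0;
        return true;
    }
    out->from_port = a->from_port > b->from_port ? a->from_port : b->from_port;
    out->to_port   = a->to_port   < b->to_port   ? a->to_port   : b->to_port;
    return out->from_port <= out->to_port;
}

/* Render a selector; OPAQUE is printed by name, not as the range 65535-0. */
int ts_format(const ts_ports_t *ts, char *buf, size_t len)
{
    unsigned p = ts->proto, from = ts->from_port, to = ts->to_port;
    if (ts_is_opaque(ts))   return snprintf(buf, len, "%u/OPAQUE", p);
    if (ts_is_any_port(ts)) return snprintf(buf, len, "%u/%%any", p);
    if (from == to)         return snprintf(buf, len, "%u/%u", p, from);
    return snprintf(buf, len, "%u/%u-%u", p, from, to);
}
```

Call parse_protoport on two specs and hand the results to ts_subset; ts_format shows what was negotiated. The check worth keeping wherever port ranges arrive from a config file or over a control interface is the rejection of a reversed range such as 6/65535-0: accepted as-is, it is byte-for-byte the OPAQUE encoding and would turn a typo into a policy that only matches fragments.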
Martin Willi
7dbe1feef1 Slightly refactor traffic_selector_t.get_subset() 2013-02-21 10:48:48 +01:00
Martin Willi
de5d569b24 Migrate remaining traffic selector methods to METHOD macro 2013-02-21 10:28:21 +01:00
Tobias Brunner
0d237763dc openssl: Disable PKCS#7/CMS when building against OpenSSL < 0.9.8g
Fixes #292.
2013-02-20 18:34:54 +01:00
Martin Willi
a2fd08dd26 Install a route for shunt policies
If we install a virtual IP, its source route would render the shunt policy
useless, as locally generated traffic wouldn't match. Having a route for each
shunt policy with higher priority chooses the correct source address for
bypassed destinations.
2013-02-20 16:32:24 +01:00
Martin Willi
122b4b6e6d Include local address for Unity Split-Exclude shunt policies
If we use a virtual IP, having a shunt policy for just that wouldn't work, as
we want a shunt bypass using the local address.
2013-02-20 16:15:39 +01:00
Martin Willi
3dc9d427c9 After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAs
During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled.
The CHILD_SAs get migrated, but any associated route gets removed from the
kernel. Reinstall routes after adding the virtual IP again.
2013-02-20 09:16:00 +01:00
Martin Willi
f836d433a9 When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeying 2013-02-20 08:57:17 +01:00
Andreas Steffen
7a93844f21 version bump to 5.0.3dr2 2013-02-19 20:25:13 +01:00
Andreas Steffen
371b752f00 treat IF-M and IF-TNCCS remediation instructions/parameters in an equal way 2013-02-19 20:00:57 +01:00
Martin Willi
295e42a47f systime-fix disables certificate lifetime validation if system time not synced
The system time can be periodically checked. If it gets valid, certificates get
rechecked with the current lifetime. If certificates are invalid, associated
IKE_SAs can be closed or reauthenticated.
2013-02-19 17:11:14 +01:00
Martin Willi
0ed31e7284 Add a stub for systime-fix, a plugin handling certificate lifetimes gracefully 2013-02-19 14:49:38 +01:00
Martin Willi
de399f550d Add a cert_validator hook allowing plugins to provide custom lifetime checking 2013-02-19 14:31:18 +01:00
Martin Willi
790e00aaa9 Make cert_validator_t.validate optional to implement 2013-02-19 14:31:18 +01:00
Tobias Brunner
39db06f155 Merge branch 'dnssec' 2013-02-19 12:25:27 +01:00
Tobias Brunner
d69eb0375f NEWS about ipseckey and unbound plugins added 2013-02-19 12:25:01 +01:00
Andreas Steffen
f0c102cbfa Added ikev2/rw-dnssec scenario 2013-02-19 12:25:01 +01:00
Andreas Steffen
1d4ff25fb8 Added ikev2/net2net-dnssec scenario 2013-02-19 12:25:01 +01:00
Andreas Steffen
37c589f0e0 Configure winnetou as a DNSSEC enabled nameserver for the strongswan.org, org, and root zones 2013-02-19 12:25:01 +01:00
Andreas Steffen
3fbc328d14 Build unbound and ipseckey plugins on KVM image 2013-02-19 12:25:01 +01:00
Andreas Steffen
65cdda5cf8 Streamlined log messages in ipseckey plugin 2013-02-19 12:25:00 +01:00
Andreas Steffen
a4ddc0bb26 Encode RSA public keys in RFC 3110 DNSKEY format 2013-02-19 12:25:00 +01:00
Andreas Steffen
f2145c8d3a Moved configuration from resolver manager to unbound plugin
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
Reto Guadagnini
95650c0836 ipseckey: Report IPSECKEYs with invalid DNSSEC security state 2013-02-19 12:25:00 +01:00
Reto Guadagnini
932717fbde ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf 2013-02-19 12:25:00 +01:00
Reto Guadagnini
a77bbc3b8c Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs 2013-02-19 12:25:00 +01:00
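The wire layouts the ipseckey plugin has to consume are fixed by RFC 4025 (IPSECKEY RDATA: precedence, gateway type, algorithm, gateway, public key) and RFC 3110 (the RSA public key encoding used in DNSKEY records, referenced by commit a4ddc0bb26 above). The C code below is an added example and not the plugin's code: it encodes an RSA public key in the RFC 3110 form, parses an IPSECKEY RDATA, and rejects truncated or non-canonical input. The sample key, gateway and precedence are constructed for the example, and build_sample_ipseckey is a helper name of this example only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* RFC 4025 IPSECKEY RDATA: precedence, gateway type, algorithm, gateway, public key. */
enum { GW_NONE = 0, GW_IPV4 = 1, GW_IPV6 = 2, GW_NAME = 3 };
enum { ALG_NONE = 0, ALG_DSA = 1, ALG_RSA = 2 };
typedef struct {
    uint8_t precedence, gw_type, algorithm;
    const uint8_t *gateway, *pubkey;
    size_t gw_len, key_len;
} ipseckey_t;

/* RFC 3110 section 2: exponent length (one octet, or a zero octet plus a two-octet
 * length if the exponent exceeds 255 octets), exponent, modulus; no leading zeros. */
size_t rfc3110_encode(const uint8_t *e, size_t e_len, const uint8_t *n, size_t n_len,
                      uint8_t *out, size_t out_len)
{
    size_t hdr;
    while (e_len && e[0] == 0) { e++; e_len--; }   /* leading zero octets are prohibited */
    while (n_len && n[0] == 0) { n++; n_len--; }
    if (!e_len || !n_len || e_len > 65535) return 0;
    hdr = e_len <= 255 ? 1 : 3;
    if (out_len < hdr + e_len + n_len) return 0;
    if (hdr == 1) out[0] = (uint8_t)e_len;
    else { out[0] = 0; out[1] = (uint8_t)(e_len >> 8); out[2] = (uint8_t)e_len; }
    memcpy(out + hdr, e, e_len);
    memcpy(out + hdr + e_len, n, n_len);
    return hdr + e_len + n_len;
}

/* Split an RFC 3110 blob into exponent and modulus; rejects truncated input and
 * non-canonical forms (zero length, long form for a short exponent, leading zeros). */
bool rfc3110_decode(const uint8_t *in, size_t in_len, const uint8_t **e, size_t *e_len,
                    const uint8_t **n, size_t *n_len)
{
    size_t hdr = 1, el;
    if (in_len < 1) return false;
    el = in[0];
    if (el == 0) {                                 /* long form */
        if (in_len < 3) return false;
        el = ((size_t)in[1] << 8) | in[2]; hdr = 3;
        if (el <= 255) return false;
    }
    if (in_len - hdr <= el) return false;          /* need at least one modulus octet */
    *e = in + hdr;      *e_len = el;
    *n = in + hdr + el; *n_len = in_len - hdr - el;
    return (*e)[0] != 0 && (*n)[0] != 0;
}

/* Length of an uncompressed wire-format name (RFC 4025 section 2.4 forbids
 * compression in the gateway field); 0 if malformed or unterminated. */
static size_t dns_name_len(const uint8_t *p, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (p[i] == 0) return i + 1;
        if (p[i] > 63) return 0;                   /* compression pointer or oversized label */
        i += 1 + p[i];
    }
    return 0;
}

bool ipseckey_decode(const uint8_t *in, size_t in_len, ipseckey_t *k)
{
    const uint8_t *e, *n;
    size_t el, nl;
    if (in_len < 3) return false;
    k->precedence = in[0]; k->gw_type = in[1]; k->algorithm = in[2];
    switch (k->gw_type) {
    case GW_NONE: k->gw_len = 0;  break;
    case GW_IPV4: k->gw_len = 4;  break;
    case GW_IPV6: k->gw_len = 16; break;
    case GW_NAME: k->gw_len = dns_name_len(in + 3, in_len - 3); break;
    default:      return false;
    }
    if ((k->gw_type == GW_NAME && !k->gw_len) || in_len - 3 < k->gw_len) return false;
    k->gateway = in + 3; k->pubkey = in + 3 + k->gw_len; k->key_len = in_len - 3 - k->gw_len;
    switch (k->algorithm) {
    case ALG_NONE: return k->key_len == 0;         /* "no key present" */
    case ALG_RSA:  return rfc3110_decode(k->pubkey, k->key_len, &e, &el, &n, &nl);
    case ALG_DSA:  return k->key_len > 0;          /* RFC 2536 layout, not checked here */
    default:       return false;
    }
}

/* Constructed sample RDATA (not a real key): precedence 10, IPv4 gateway 192.0.2.1
 * (documentation prefix), RSA with e = 65537 and a 16-octet toy modulus. */
size_t build_sample_ipseckey(uint8_t *out, size_t out_len)
{
    static const uint8_t hdr[7] = { 10, GW_IPV4, ALG_RSA, 192, 0, 2, 1 };
    static const uint8_t e[3] = { 0x01, 0x00, 0x01 };
    static const uint8_t n[16] = { 0xc3, 0x5a, 0x91, 0x07, 0x4e, 0xd2, 0x6b, 0x19,
                                   0x88, 0x3f, 0xa0, 0x5d, 0x72, 0xe1, 0x0c, 0xb7 };
    size_t key_len;
    if (out_len < sizeof(hdr)) return 0;
    memcpy(out, hdr, sizeof(hdr));
    key_len = rfc3110_encode(e, sizeof(e), n, sizeof(n), out + 7, out_len - 7);
    return key_len ? 7 + key_len : 0;
}
```

The parser only establishes that the bytes are well-formed; it says nothing about whether they may be trusted. A syntactically valid IPSECKEY record from a zone whose DNSSEC validation did not return a secure state (the case commit 95650c0836 above reports) still has to be discarded by the caller, since anyone who can spoof DNS answers can otherwise supply the peer's public key.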
Reto Guadagnini
d786cbda5c Implemented the resolver test script "dnssec" 2013-02-19 11:57:21 +01:00
Reto Guadagnini
cfd07978d0 unbound: Implementation of query method of unbound_resolver_t 2013-02-19 11:57:21 +01:00
Reto Guadagnini
5a4126b490 unbound: Implemented resolver_response_t as unbound_response_t 2013-02-19 11:57:21 +01:00
Reto Guadagnini
62ea67e700 Implemented rr_set_t interface 2013-02-19 11:57:21 +01:00
Reto Guadagnini
4a335a2164 unbound: Implemented rr_t as unbound_rr_t 2013-02-19 11:57:21 +01:00
Reto Guadagnini
9f963a7cfc Added unbound plugin implementing the resolver interface using libunbound 2013-02-19 11:57:21 +01:00
Reto Guadagnini
b1505b345b Added manager for DNS resolvers 2013-02-19 11:57:21 +01:00
Reto Guadagnini
ffdeeb6609 Added interface for DNS resolvers 2013-02-19 11:57:21 +01:00
Andreas Steffen
c381e46855 added missing return statement 2013-02-19 10:24:23 +01:00
Martin Willi
69faf63528 Fix encoding of issuerAndSubject while handling SCEP pending state 2013-02-19 09:53:47 +01:00
Andreas Steffen
0f7cb0caf4 reject PB-Experimental messages with NOSKIP flag set 2013-02-19 09:31:34 +01:00
Andreas Steffen
9b4a8e1ced added parameter descriptions 2013-02-19 07:44:57 +01:00
Andreas Steffen
2c1219c217 removed superfluous debug output 2013-02-15 15:19:16 +01:00
Martin Willi
b5b76df012 Add a timeout to clean up PDP RADIUS connections 2013-02-14 17:20:09 +01:00
Martin Willi
dadd9744b6 Keep the PDP connections lock while accessing its objects
When we introduce connection timeouts, the state may disappear at any time.
This change prevents that, but is not very clear. We probably have to refactor
connection handling.
2013-02-14 17:19:56 +01:00