Merge branch 'android-ipv6-transport'
Adds support to use IPv6 as transport addresses for IKE and ESP and a bunch of fixes. On Linux servers, this requires at least a 5.8 kernel so UDP encapsulation for IPv6 is supported. Fixes #892.
This commit is contained in:
Tobias Brunner
commit
364e69b683
|
|
@ -1,14 +1,14 @@
|
|||
apply plugin: 'com.android.application'
|
||||
|
||||
android {
|
||||
compileSdkVersion 28
|
||||
compileSdkVersion 29
|
||||
|
||||
defaultConfig {
|
||||
applicationId "org.strongswan.android"
|
||||
minSdkVersion 15
|
||||
targetSdkVersion 28
|
||||
versionCode 72
|
||||
versionName "2.3.0"
|
||||
targetSdkVersion 29
|
||||
versionCode 73
|
||||
versionName "2.3.1"
|
||||
}
|
||||
|
||||
sourceSets.main {
|
||||
|
|
@ -46,10 +46,10 @@ android {
|
|||
}
|
||||
|
||||
dependencies {
|
||||
implementation 'androidx.appcompat:appcompat:1.1.0'
|
||||
implementation 'androidx.preference:preference:1.1.0'
|
||||
implementation 'androidx.appcompat:appcompat:1.2.0'
|
||||
implementation 'androidx.preference:preference:1.1.1'
|
||||
implementation 'androidx.legacy:legacy-support-v4:1.0.0'
|
||||
implementation 'com.google.android.material:material:1.0.0'
|
||||
implementation 'com.google.android.material:material:1.2.1'
|
||||
testImplementation 'junit:junit:4.12'
|
||||
testImplementation 'org.mockito:mockito-core:2.28.2'
|
||||
testImplementation 'org.powermock:powermock-core:2.0.2'
|
||||
|
|
|
|||
|
|
@ -36,6 +36,7 @@ public class VpnProfile implements Cloneable
|
|||
public static final int FLAGS_DISABLE_OCSP = 1 << 2;
|
||||
public static final int FLAGS_STRICT_REVOCATION = 1 << 3;
|
||||
public static final int FLAGS_RSA_PSS = 1 << 4;
|
||||
public static final int FLAGS_IPv6_TRANSPORT = 1 << 5;
|
||||
|
||||
private String mName, mGateway, mUsername, mPassword, mCertificate, mUserCertificate;
|
||||
private String mRemoteId, mLocalId, mExcludedSubnets, mIncludedSubnets, mSelectedApps;
|
||||
|
|
|
|||
|
|
@ -35,7 +35,6 @@ import android.os.Bundle;
|
|||
import android.os.Handler;
|
||||
import android.os.IBinder;
|
||||
import android.os.ParcelFileDescriptor;
|
||||
import android.preference.PreferenceManager;
|
||||
import android.security.KeyChain;
|
||||
import android.security.KeyChainException;
|
||||
import android.system.OsConstants;
|
||||
|
|
@ -77,6 +76,7 @@ import java.util.SortedSet;
|
|||
|
||||
import androidx.core.app.NotificationCompat;
|
||||
import androidx.core.content.ContextCompat;
|
||||
import androidx.preference.PreferenceManager;
|
||||
|
||||
public class CharonVpnService extends VpnService implements Runnable, VpnStateService.VpnStateListener
|
||||
{
|
||||
|
|
@ -288,7 +288,8 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
|
|||
SimpleFetcher.enable();
|
||||
addNotification();
|
||||
mBuilderAdapter.setProfile(mCurrentProfile);
|
||||
if (initializeCharon(mBuilderAdapter, mLogFile, mAppDir, mCurrentProfile.getVpnType().has(VpnTypeFeature.BYOD)))
|
||||
if (initializeCharon(mBuilderAdapter, mLogFile, mAppDir, mCurrentProfile.getVpnType().has(VpnTypeFeature.BYOD),
|
||||
(mCurrentProfile.getFlags() & VpnProfile.FLAGS_IPv6_TRANSPORT) != 0))
|
||||
{
|
||||
Log.i(TAG, "charon started");
|
||||
|
||||
|
|
@ -775,9 +776,10 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
|
|||
* @param logfile absolute path to the logfile
|
||||
* @param appdir absolute path to the data directory of the app
|
||||
* @param byod enable BYOD features
|
||||
* @param ipv6 enable IPv6 transport
|
||||
* @return TRUE if initialization was successful
|
||||
*/
|
||||
public native boolean initializeCharon(BuilderAdapter builder, String logfile, String appdir, boolean byod);
|
||||
public native boolean initializeCharon(BuilderAdapter builder, String logfile, String appdir, boolean byod, boolean ipv6);
|
||||
|
||||
/**
|
||||
* Deinitialize charon, provided by libandroidbridge.so
|
||||
|
|
|
|||
|
|
@ -21,7 +21,6 @@ import android.content.Intent;
|
|||
import android.content.IntentFilter;
|
||||
import android.net.ConnectivityManager;
|
||||
import android.net.Network;
|
||||
import android.net.NetworkInfo;
|
||||
import android.net.NetworkRequest;
|
||||
import android.os.Build;
|
||||
|
||||
|
|
@ -126,10 +125,12 @@ public class NetworkManager extends BroadcastReceiver implements Runnable
|
|||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("deprecation")
|
||||
public boolean isConnected()
|
||||
{
|
||||
/* deprecated since API level 29 */
|
||||
ConnectivityManager cm = (ConnectivityManager)mContext.getSystemService(Context.CONNECTIVITY_SERVICE);
|
||||
NetworkInfo info = null;
|
||||
android.net.NetworkInfo info = null;
|
||||
if (cm != null)
|
||||
{
|
||||
info = cm.getActiveNetworkInfo();
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ public class ImcStateFragment extends Fragment implements VpnStateListener
|
|||
context.bindService(new Intent(context, VpnStateService.class),
|
||||
mServiceConnection, Service.BIND_AUTO_CREATE);
|
||||
/* hide it initially */
|
||||
getFragmentManager().beginTransaction().hide(this).commit();
|
||||
getParentFragmentManager().beginTransaction().hide(this).commit();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -192,7 +192,7 @@ public class ImcStateFragment extends Fragment implements VpnStateListener
|
|||
|
||||
public void updateView()
|
||||
{
|
||||
FragmentManager fm = getFragmentManager();
|
||||
FragmentManager fm = getParentFragmentManager();
|
||||
if (fm == null)
|
||||
{
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -81,7 +81,7 @@ public class RemediationInstructionsFragment extends ListFragment
|
|||
{
|
||||
super.onStart();
|
||||
|
||||
boolean two_pane = getFragmentManager().findFragmentById(R.id.remediation_instruction_fragment) != null;
|
||||
boolean two_pane = getParentFragmentManager().findFragmentById(R.id.remediation_instruction_fragment) != null;
|
||||
if (two_pane)
|
||||
{ /* two-pane layout, make list items selectable */
|
||||
getListView().setChoiceMode(ListView.CHOICE_MODE_SINGLE);
|
||||
|
|
|
|||
|
|
@ -205,8 +205,13 @@ public class VpnProfileControlActivity extends AppCompatActivity
|
|||
if (!pm.isIgnoringBatteryOptimizations(this.getPackageName()) &&
|
||||
!pref.getBoolean(Constants.PREF_IGNORE_POWER_WHITELIST, false))
|
||||
{
|
||||
if (getSupportFragmentManager().isStateSaved())
|
||||
{ /* we might get called via service connection and manual onActivityResult()
|
||||
* call when the activity is not active anymore and fragment transactions
|
||||
* would cause an illegalStateException */
|
||||
return false;
|
||||
}
|
||||
PowerWhitelistRequired whitelist = new PowerWhitelistRequired();
|
||||
mWaitingForResult = true;
|
||||
whitelist.show(getSupportFragmentManager(), DIALOG_TAG);
|
||||
return false;
|
||||
}
|
||||
|
|
@ -588,9 +593,11 @@ public class VpnProfileControlActivity extends AppCompatActivity
|
|||
.setTitle(R.string.power_whitelist_title)
|
||||
.setMessage(R.string.power_whitelist_text)
|
||||
.setPositiveButton(android.R.string.ok, (dialog, id) -> {
|
||||
VpnProfileControlActivity activity = (VpnProfileControlActivity)getActivity();
|
||||
activity.mWaitingForResult = true;
|
||||
Intent intent = new Intent(Settings.ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS,
|
||||
Uri.parse("package:" + getActivity().getPackageName()));
|
||||
getActivity().startActivityForResult(intent, ADD_TO_POWER_WHITELIST);
|
||||
Uri.parse("package:" + activity.getPackageName()));
|
||||
activity.startActivityForResult(intent, ADD_TO_POWER_WHITELIST);
|
||||
}).create();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2012-2019 Tobias Brunner
|
||||
* Copyright (C) 2012-2020 Tobias Brunner
|
||||
* Copyright (C) 2012 Giuliano Grassi
|
||||
* Copyright (C) 2012 Ralf Sager
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
|
|
@ -124,6 +124,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity
|
|||
private Switch mUseOcsp;
|
||||
private Switch mStrictRevocation;
|
||||
private Switch mRsaPss;
|
||||
private Switch mIPv6Transport;
|
||||
private EditText mNATKeepalive;
|
||||
private TextInputLayoutHelper mNATKeepaliveWrap;
|
||||
private EditText mIncludedSubnets;
|
||||
|
|
@ -194,6 +195,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity
|
|||
mUseOcsp = findViewById(R.id.use_ocsp);
|
||||
mStrictRevocation= findViewById(R.id.strict_revocation);
|
||||
mRsaPss= findViewById(R.id.rsa_pss);
|
||||
mIPv6Transport= findViewById(R.id.ipv6_transport);
|
||||
mIncludedSubnets = (EditText)findViewById(R.id.included_subnets);
|
||||
mIncludedSubnetsWrap = (TextInputLayoutHelper)findViewById(R.id.included_subnets_wrap);
|
||||
mExcludedSubnets = (EditText)findViewById(R.id.excluded_subnets);
|
||||
|
|
@ -712,6 +714,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity
|
|||
flags |= !mUseOcsp.isChecked() ? VpnProfile.FLAGS_DISABLE_OCSP : 0;
|
||||
flags |= mStrictRevocation.isChecked() ? VpnProfile.FLAGS_STRICT_REVOCATION : 0;
|
||||
flags |= mRsaPss.isChecked() ? VpnProfile.FLAGS_RSA_PSS : 0;
|
||||
flags |= mIPv6Transport.isChecked() ? VpnProfile.FLAGS_IPv6_TRANSPORT : 0;
|
||||
mProfile.setFlags(flags);
|
||||
mProfile.setIncludedSubnets(getString(mIncludedSubnets));
|
||||
mProfile.setExcludedSubnets(getString(mExcludedSubnets));
|
||||
|
|
@ -782,6 +785,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity
|
|||
mUseOcsp.setChecked(flags == null || (flags & VpnProfile.FLAGS_DISABLE_OCSP) == 0);
|
||||
mStrictRevocation.setChecked(flags != null && (flags & VpnProfile.FLAGS_STRICT_REVOCATION) != 0);
|
||||
mRsaPss.setChecked(flags != null && (flags & VpnProfile.FLAGS_RSA_PSS) != 0);
|
||||
mIPv6Transport.setChecked(flags != null && (flags & VpnProfile.FLAGS_IPv6_TRANSPORT) != 0);
|
||||
|
||||
/* check if the user selected a user certificate previously */
|
||||
useralias = savedInstanceState == null ? useralias : savedInstanceState.getString(VpnProfileDataSource.KEY_USER_CERTIFICATE);
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2016-2019 Tobias Brunner
|
||||
* Copyright (C) 2016-2020 Tobias Brunner
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -463,8 +463,7 @@ public class VpnProfileImportActivity extends AppCompatActivity
|
|||
}
|
||||
catch (IllegalArgumentException e)
|
||||
{
|
||||
e.printStackTrace();
|
||||
return null;
|
||||
throw new JSONException(getString(R.string.profile_import_failed_value, "uuid"));
|
||||
}
|
||||
ParsedVpnProfile profile = new ParsedVpnProfile();
|
||||
Integer flags = 0;
|
||||
|
|
@ -528,6 +527,11 @@ public class VpnProfileImportActivity extends AppCompatActivity
|
|||
profile.setDnsServers(getAddressList(obj, "dns-servers"));
|
||||
profile.setMTU(getInteger(obj, "mtu", Constants.MTU_MIN, Constants.MTU_MAX));
|
||||
profile.setNATKeepAlive(getInteger(obj, "nat-keepalive", Constants.NAT_KEEPALIVE_MIN, Constants.NAT_KEEPALIVE_MAX));
|
||||
if (obj.optBoolean("ipv6-transport", false))
|
||||
{
|
||||
flags |= VpnProfile.FLAGS_IPv6_TRANSPORT;
|
||||
}
|
||||
|
||||
JSONObject split = obj.optJSONObject("split-tunneling");
|
||||
if (split != null)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@ import android.content.SharedPreferences;
|
|||
import android.graphics.drawable.Icon;
|
||||
import android.os.Build;
|
||||
import android.os.IBinder;
|
||||
import android.preference.PreferenceManager;
|
||||
import android.service.quicksettings.Tile;
|
||||
import android.service.quicksettings.TileService;
|
||||
|
||||
|
|
@ -36,6 +35,8 @@ import org.strongswan.android.data.VpnType;
|
|||
import org.strongswan.android.logic.VpnStateService;
|
||||
import org.strongswan.android.utils.Constants;
|
||||
|
||||
import androidx.preference.PreferenceManager;
|
||||
|
||||
@TargetApi(Build.VERSION_CODES.N)
|
||||
public class VpnTileService extends TileService implements VpnStateService.VpnStateListener
|
||||
{
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ strongswan_CFLAGS := \
|
|||
-DHAVE_IPSEC_MODE_BEET \
|
||||
-DHAVE_IPSEC_DIR_FWD \
|
||||
-DHAVE_IN6ADDR_ANY \
|
||||
-DHAVE_IN6_PKTINFO \
|
||||
-DHAVE_NETINET_IP6_H \
|
||||
-DCONFIG_H_INCLUDED \
|
||||
-DMONOLITHIC \
|
||||
|
|
|
|||
|
|
@ -744,7 +744,7 @@ static job_requeue_t initiate(private_android_service_t *this)
|
|||
auth_cfg_t *auth;
|
||||
ike_cfg_create_t ike = {
|
||||
.version = IKEV2,
|
||||
.local = "0.0.0.0",
|
||||
.local = "",
|
||||
.local_port = charon->socket->get_port(charon->socket, FALSE),
|
||||
.force_encap = TRUE,
|
||||
.fragmentation = FRAGMENTATION_YES,
|
||||
|
|
|
|||
|
|
@ -53,7 +53,7 @@ static const char imc_name[] = "Android";
|
|||
|
||||
static pen_type_t msg_types[] = {
|
||||
{ PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM },
|
||||
{ PEN_IETF, PA_SUBTYPE_IETF_VPN },
|
||||
{ PEN_IETF, PA_SUBTYPE_IETF_FIREWALL },
|
||||
{ PEN_TCG, PA_SUBTYPE_TCG_PTS },
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -479,7 +479,7 @@ static bool charonservice_register(plugin_t *plugin, plugin_feature_t *feature,
|
|||
/**
|
||||
* Set strongswan.conf options
|
||||
*/
|
||||
static void set_options(char *logfile)
|
||||
static void set_options(char *logfile, jboolean ipv6)
|
||||
{
|
||||
lib->settings->set_int(lib->settings,
|
||||
"charon.plugins.android_log.loglevel", ANDROID_DEBUG_LEVEL);
|
||||
|
|
@ -516,10 +516,10 @@ static void set_options(char *logfile)
|
|||
* information */
|
||||
lib->settings->set_bool(lib->settings,
|
||||
"charon.plugins.socket-default.set_source", FALSE);
|
||||
/* the Linux kernel does currently not support UDP encaspulation for IPv6
|
||||
* so lets disable IPv6 for now to avoid issues with dual-stack gateways */
|
||||
/* the Linux kernel only supports UDP encap for IPv6 since 5.8, so let's use
|
||||
* IPv6 only if requested, to avoid issues with older dual-stack servers */
|
||||
lib->settings->set_bool(lib->settings,
|
||||
"charon.plugins.socket-default.use_ipv6", FALSE);
|
||||
"charon.plugins.socket-default.use_ipv6", ipv6);
|
||||
|
||||
#ifdef USE_BYOD
|
||||
lib->settings->set_str(lib->settings,
|
||||
|
|
@ -545,6 +545,7 @@ static void charonservice_init(JNIEnv *env, jobject service, jobject builder,
|
|||
PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
|
||||
PLUGIN_CALLBACK(kernel_net_register, kernel_android_net_create),
|
||||
PLUGIN_PROVIDE(CUSTOM, "kernel-net"),
|
||||
PLUGIN_DEPENDS(CUSTOM, "socket"),
|
||||
PLUGIN_CALLBACK(charonservice_register, NULL),
|
||||
PLUGIN_PROVIDE(CUSTOM, "android-backend"),
|
||||
PLUGIN_DEPENDS(CUSTOM, "libcharon"),
|
||||
|
|
@ -633,7 +634,7 @@ static void __attribute__ ((constructor))register_logger()
|
|||
* Initialize charon and the libraries via JNI
|
||||
*/
|
||||
JNI_METHOD(CharonVpnService, initializeCharon, jboolean,
|
||||
jobject builder, jstring jlogfile, jstring jappdir, jboolean byod)
|
||||
jobject builder, jstring jlogfile, jstring jappdir, jboolean byod, jboolean ipv6)
|
||||
{
|
||||
struct sigaction action;
|
||||
struct utsname utsname;
|
||||
|
|
@ -655,7 +656,7 @@ JNI_METHOD(CharonVpnService, initializeCharon, jboolean,
|
|||
/* set options before initializing other libraries that might read them */
|
||||
logfile = androidjni_convert_jstring(env, jlogfile);
|
||||
|
||||
set_options(logfile);
|
||||
set_options(logfile, ipv6);
|
||||
free(logfile);
|
||||
|
||||
if (!libipsec_init())
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (C) 2012-2015 Tobias Brunner
|
||||
* Copyright (C) 2012-2016 Tobias Brunner
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -58,10 +58,15 @@ struct private_android_net_t {
|
|||
linked_list_t *vips;
|
||||
|
||||
/**
|
||||
* Socket used to determine source address
|
||||
* Socket used to determine source address (IPv4)
|
||||
*/
|
||||
int socket_v4;
|
||||
|
||||
/**
|
||||
* Socket used to determine source address (IPv6)
|
||||
*/
|
||||
int socket_v6;
|
||||
|
||||
/**
|
||||
* Whether the device is currently connected
|
||||
*/
|
||||
|
|
@ -116,10 +121,24 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
|
|||
socklen_t addrlen;
|
||||
timeval_t now;
|
||||
job_t *job;
|
||||
int socket;
|
||||
|
||||
if (dest->get_family(dest) == AF_INET)
|
||||
{
|
||||
socket = this->socket_v4;
|
||||
}
|
||||
else
|
||||
{
|
||||
socket = this->socket_v6;
|
||||
}
|
||||
if (socket < 0)
|
||||
{
|
||||
DBG1(DBG_KNL, "unable to determine src address for address family");
|
||||
return NULL;
|
||||
}
|
||||
addrlen = *dest->get_sockaddr_len(dest);
|
||||
addr.sockaddr.sa_family = AF_UNSPEC;
|
||||
if (connect(this->socket_v4, &addr.sockaddr, addrlen) < 0)
|
||||
if (connect(socket, &addr.sockaddr, addrlen) < 0)
|
||||
{
|
||||
DBG1(DBG_KNL, "failed to disconnect socket: %s", strerror(errno));
|
||||
return NULL;
|
||||
|
|
@ -129,7 +148,7 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
|
|||
* at all */
|
||||
charonservice->bypass_socket(charonservice, -1, 0);
|
||||
}
|
||||
if (connect(this->socket_v4, dest->get_sockaddr(dest), addrlen) < 0)
|
||||
if (connect(socket, dest->get_sockaddr(dest), addrlen) < 0)
|
||||
{
|
||||
/* don't report an error if we are not connected (ENETUNREACH) */
|
||||
if (errno != ENETUNREACH)
|
||||
|
|
@ -159,7 +178,7 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
|
|||
}
|
||||
return NULL;
|
||||
}
|
||||
if (getsockname(this->socket_v4, &addr.sockaddr, &addrlen) < 0)
|
||||
if (getsockname(socket, &addr.sockaddr, &addrlen) < 0)
|
||||
{
|
||||
DBG1(DBG_KNL, "failed to determine src address: %s", strerror(errno));
|
||||
return NULL;
|
||||
|
|
@ -276,6 +295,7 @@ METHOD(kernel_net_t, destroy, void,
|
|||
this->mutex->destroy(this->mutex);
|
||||
this->vips->destroy(this->vips);
|
||||
close(this->socket_v4);
|
||||
close(this->socket_v6);
|
||||
free(this);
|
||||
}
|
||||
|
||||
|
|
@ -314,6 +334,24 @@ kernel_net_t *kernel_android_net_create()
|
|||
}
|
||||
charonservice->bypass_socket(charonservice, this->socket_v4, AF_INET);
|
||||
|
||||
switch (charon->socket->supported_families(charon->socket))
|
||||
{
|
||||
case SOCKET_FAMILY_IPV6:
|
||||
case SOCKET_FAMILY_BOTH:
|
||||
this->socket_v6 = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
|
||||
if (this->socket_v6 < 0)
|
||||
{
|
||||
DBG1(DBG_KNL, "failed to create socket to lookup IPv6 src "
|
||||
"addresses: %s", strerror(errno));
|
||||
}
|
||||
charonservice->bypass_socket(charonservice, this->socket_v6,
|
||||
AF_INET6);
|
||||
break;
|
||||
default:
|
||||
this->socket_v6 = -1;
|
||||
break;
|
||||
}
|
||||
|
||||
this->mutex->lock(this->mutex);
|
||||
this->network_manager->add_connectivity_cb(
|
||||
this->network_manager, (void*)connectivity_cb, this);
|
||||
|
|
|
|||
|
|
@ -365,6 +365,23 @@
|
|||
android:textSize="12sp"
|
||||
android:text="@string/profile_rsa_pss_hint" />
|
||||
|
||||
<Switch
|
||||
android:id="@+id/ipv6_transport"
|
||||
android:layout_width="match_parent"
|
||||
android:layout_height="wrap_content"
|
||||
android:layout_marginLeft="4dp"
|
||||
android:layout_marginStart="4dp"
|
||||
android:text="@string/profile_ipv6_transport_label" />
|
||||
|
||||
<TextView
|
||||
android:layout_width="match_parent"
|
||||
android:layout_height="wrap_content"
|
||||
android:layout_marginBottom="10dp"
|
||||
android:layout_marginLeft="4dp"
|
||||
android:layout_marginStart="4dp"
|
||||
android:textSize="12sp"
|
||||
android:text="@string/profile_ipv6_transport_hint" />
|
||||
|
||||
<TextView
|
||||
android:layout_width="match_parent"
|
||||
android:layout_height="wrap_content"
|
||||
|
|
|
|||
|
|
@ -105,6 +105,8 @@
|
|||
<string name="profile_strict_revocation_hint">Im strikten Modus schlägt die Authentisierung nicht nur dann fehl, wenn das Server-Zertifikat gesperrt wurde, sondern auch wenn der Status des Zertifikats unbekannt ist (z.B. weil OCSP fehl schlug und keine gültige CRL verfügbar war).</string>
|
||||
<string name="profile_rsa_pss_label">RSA/PSS Signaturen verwenden</string>
|
||||
<string name="profile_rsa_pss_hint">Verwendet das stärkere PSS Encoding anstatt des klassischen PKCS#1 Encoding für RSA Signaturen. Die Authentisierung wird fehlschlagen, wenn der Server solche Signaturen nicht unterstützt.</string>
|
||||
<string name="profile_ipv6_transport_label">IPv6 Transport-Adressen verwenden</string>
|
||||
<string name="profile_ipv6_transport_hint">Verwende IPv6 für die äusseren Transport-Adressen, falls verfügbar. Dies kann nur aktiviert werden, wenn der Server UDP Encapsulation für IPv6 unterstützt. Zu beachten ist, dass dies beim Linux Kernel erst seit Version 5.8 der Fall ist und somit viele Server noch keine Unterstützung bieten.</string>
|
||||
<string name="profile_split_tunneling_label">Split-Tunneling</string>
|
||||
<string name="profile_split_tunneling_intro">Standardmässig leitet der Client allen Netzwerkverkehr durch den VPN Tunnel, ausser der Server schränkt die Subnetze beim Verbindungsaufbau ein, in welchem Fall nur der Verkehr via VPN geleitet wird, den der Server erlaubt (der Rest wird standardmässig behandelt, als ob kein VPN vorhanden wäre).</string>
|
||||
<string name="profile_split_tunnelingv4_title">Blockiere IPv4 Verkehr der nicht für das VPN bestimmt ist</string>
|
||||
|
|
|
|||
|
|
@ -105,6 +105,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">Split tunneling</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
|
||||
|
|
|
|||
|
|
@ -102,6 +102,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">Split tunneling</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
|
||||
|
|
|
|||
|
|
@ -103,6 +103,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">Split tunneling</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
|
||||
|
|
|
|||
|
|
@ -102,6 +102,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">拆分隧道</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">屏蔽不通过VPN的IPV4流量</string>
|
||||
|
|
|
|||
|
|
@ -102,6 +102,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">拆分隧道</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">屏蔽不通过VPN的IPV4流量</string>
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!--
|
||||
Copyright (C) 2012-2019 Tobias Brunner
|
||||
Copyright (C) 2012-2020 Tobias Brunner
|
||||
Copyright (C) 2012 Giuliano Grassi
|
||||
Copyright (C) 2012 Ralf Sager
|
||||
HSR Hochschule fuer Technik Rapperswil
|
||||
|
|
@ -105,6 +105,8 @@
|
|||
<string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
|
||||
<string name="profile_rsa_pss_label">Use RSA/PSS signatures</string>
|
||||
<string name="profile_rsa_pss_hint">Use the stronger PSS encoding instead of the classic PKCS#1 encoding for RSA signatures. Authentication will fail if the server does not support such signatures.</string>
|
||||
<string name="profile_ipv6_transport_label">Use IPv6 transport addresses</string>
|
||||
<string name="profile_ipv6_transport_hint">Use IPv6 for outer transport addresses if available. Can only be enabled if UDP encapsulation for IPv6 is supported by the server. Note that the Linux kernel only supports this since version 5.8, so many servers will not support it yet.</string>
|
||||
<string name="profile_split_tunneling_label">Split tunneling</string>
|
||||
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
|
||||
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ buildscript {
|
|||
google()
|
||||
}
|
||||
dependencies {
|
||||
classpath 'com.android.tools.build:gradle:3.6.3'
|
||||
classpath 'com.android.tools.build:gradle:4.0.1'
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#Wed Feb 26 10:22:42 CET 2020
|
||||
#Mon Oct 05 15:58:06 CEST 2020
|
||||
distributionBase=GRADLE_USER_HOME
|
||||
distributionPath=wrapper/dists
|
||||
zipStoreBase=GRADLE_USER_HOME
|
||||
zipStorePath=wrapper/dists
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip
|
||||
distributionUrl=https\://services.gradle.org/distributions/gradle-6.1.1-all.zip
|
||||
|
|
|
|||
|
|
@ -24,7 +24,12 @@ done
|
|||
for host in $STRONGSWANHOSTS
|
||||
do
|
||||
log_action "Guest $host"
|
||||
execute "virsh shutdown $host"
|
||||
|
||||
if running_any $host; then
|
||||
execute "virsh shutdown $host"
|
||||
else
|
||||
echo_warn "...not running"
|
||||
fi
|
||||
rm -f $VIRTIMGSTORE/$host.$IMGEXT
|
||||
done
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue