Tobias Brunner
2ed8b36a8a
strongswan.conf: Add missing options
2013-07-22 17:46:41 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
...
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Tobias Brunner
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
Tobias Brunner
baa6419ec1
kernel-pfroute: Make time that is waited for VIPs to appear configurable
...
One second might be too short for IPs to appear/disappear, especially on
virtualized hosts.
2013-07-17 17:45:17 +02:00
Tobias Brunner
598bec78fa
socket-default: Add options to disable address families
2013-07-05 09:48:27 +02:00
Tobias Brunner
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
...
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
Tobias Brunner
68b7448eab
capabilities: Make the user and group charon(-nm) changes to configurable
2013-06-25 17:16:33 +02:00
Andreas Steffen
adf8a05a3d
Removed obsoleted strongswan.conf options
2013-06-21 23:25:24 +02:00
Tobias Brunner
4d62ad7571
charon-cmd: Link strongswan.conf(5) and charon-cmd(8) man pages
2013-06-21 16:35:19 +02:00
Martin Willi
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
Tobias Brunner
7971278c92
stroke: Load credentials from PKCS#12 files (P12 token)
2013-05-08 15:02:41 +02:00
Tobias Brunner
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
Tobias Brunner
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
...
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
Martin Willi
0be946dce3
Use the GEN silent rule when generating files with sed
2013-05-06 15:04:56 +02:00
Tobias Brunner
37873f9994
kernel-netlink: Add an option to disable roam events
2013-05-03 15:11:19 +02:00
Andreas Steffen
6b99da026c
added libstrongswan.plugins.openssl.fips_mode to man page
2013-04-16 13:44:06 +02:00
Andreas Steffen
654c88bca8
Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers
2013-04-14 19:57:49 +02:00
Andreas Steffen
1044710b04
implemented periodic IF-MAP RenewSession request
2013-04-03 21:38:04 +02:00
Tobias Brunner
96ad2b17b0
Updated strongswan.conf(5) man page
2013-04-01 16:56:47 +02:00
Andreas Steffen
0cf4dc53c7
updated strongswan.conf man page for tn_ifmap plugin
2013-03-31 19:05:53 +02:00
Martin Willi
e82deaf6ce
Merge branch 'multi-cert'
...
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
Martin Willi
a36b49f3cb
Merge branch 'opaque-ports'
...
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi
0abeac3a0b
Document ipsec.conf leftprotoport extensions in manpage
2013-02-21 11:52:33 +01:00
Andreas Steffen
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
...
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
Reto Guadagnini
932717fbde
ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf
2013-02-19 12:25:00 +01:00
Martin Willi
e212033ef2
Merge branch 'ike-dscp'
2013-02-14 17:11:35 +01:00
Martin Willi
88f4cd3988
Add ikedscp documentation to ipsec.conf.5
2013-02-06 15:42:14 +01:00
Tobias Brunner
9d9410e7b9
Typo in strongswan.conf(5) man page fixed
2013-01-31 11:52:11 +01:00
Tobias Brunner
c186b3940a
Documented new options in strongswan.conf(5) man page
2013-01-25 20:22:20 +01:00
Martin Willi
11a7abf554
Add ipsec.conf.5 updates regarding multiple certificates in leftcert
2013-01-18 09:33:15 +01:00
Tobias Brunner
ee6902ef7f
Added an option to configure the maximum size of a fragment
2013-01-12 11:54:58 +01:00
Tobias Brunner
365d9a6f67
Added an option that allows forcing IKEv1 fragmentation
2013-01-12 11:54:32 +01:00
Tobias Brunner
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
Tobias Brunner
2f62bb1549
Add an option to en-/disable IKE fragmentation
...
Fragments are always accepted but will not be sent if disabled. The
vendor ID is only sent if the option is enabled.
2012-12-24 12:29:31 +01:00
Andreas Steffen
133fb74841
add dlclose strongswan.conf option to tnc-imc/tnc-imv plugins
2012-12-09 19:40:13 +01:00
Andreas Steffen
742722e2f5
updated strongswan.conf man page
2012-11-12 10:45:38 +01:00
Andreas Steffen
ffd3556bad
scanner imc/imv pair uses IETF VPN PA-TNC message subtype
2012-10-31 21:58:21 +01:00
Tobias Brunner
3689f0f6cc
FQDNs are actually not resolved when loading secrets
2012-10-29 10:06:43 +01:00
Tobias Brunner
2380f3a830
Added documentation for NTLM secrets
2012-10-25 09:51:47 +02:00
Martin Willi
cd844e1c97
Remove obsolete pluto smartcard syntax in ipsec.secrets.5
2012-10-24 13:07:53 +02:00
Martin Willi
f6d8fb3687
Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
2012-10-24 13:07:53 +02:00
Martin Willi
05e266ea9d
Add leftcert ipsec.conf.5 documentation about smartcard certificates
2012-10-24 13:07:53 +02:00
Martin Willi
5b2e669ba2
Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
2012-10-24 11:49:37 +02:00
Tobias Brunner
3c4d383443
Added an option to reload certificates from PKCS#11 tokens on SIGHUP
2012-10-18 14:42:09 +02:00
Tobias Brunner
b4f6c39e55
Terminate unused resolver threads after a timeout
2012-10-18 12:26:00 +02:00
Andreas Steffen
6ab1502519
implemented os_info_t class
2012-10-10 21:54:21 +02:00
Tobias Brunner
358104a47f
Added description for flush_auth_cfg and acct_port plus some minor editorial changes
2012-09-25 12:22:05 +02:00
Tobias Brunner
31990a19cc
Documentation about some time values clarified
2012-09-24 16:02:03 +02:00
Tobias Brunner
e8e9048fee
Added an option to configure the interface on which virtual IP addresses are installed
2012-09-21 18:16:26 +02:00
Tobias Brunner
9513225e6b
Added options and a lookup function that will allow filtering of network interfaces
2012-09-21 18:16:26 +02:00
Martin Willi
55f126fd55
Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
2012-09-18 17:17:48 +02:00
Tobias Brunner
b7a500e985
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
2012-09-18 14:40:41 +02:00
Tobias Brunner
bc6ec4de73
Option added to enforce a configured destination address for DHCP packets
2012-09-13 10:59:24 +02:00
Tobias Brunner
629cdca82c
Updates to strongswan.conf(5) man page (added several missing options)
2012-09-12 16:53:45 +02:00
Tobias Brunner
72970b458d
Some updates to ipsec.conf(5) man page
2012-09-12 16:53:45 +02:00
Tobias Brunner
f4cc7ea11b
Add uniqueids=never to ignore INITIAL_CONTACT notifies
...
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
2012-09-10 17:37:18 +02:00
Martin Willi
c51af950b1
Add random plugin options to strongswan.conf.5
2012-09-10 17:07:51 +02:00
Andreas Steffen
3b51f34040
added libimcv.assessment_result to strongswan.conf man page
2012-09-09 23:50:32 +02:00
Martin Willi
1323dc1138
Merge branch 'multi-vip'
...
Brings support for multiple virtual IPs and multiple pools in
left/rightsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
Tobias Brunner
5f6ef5d5ce
Documentation for eap-dynamic added
2012-08-31 11:42:03 +02:00
Martin Willi
26bc695806
Updated ipsec.conf.5 with multiple left/rightsourceip support
2012-08-30 16:43:45 +02:00
Martin Willi
c60f1da424
Add a description of the leftdns option to ipsec.conf.5
2012-08-21 09:38:01 +02:00
Tobias Brunner
e4ef4c9877
Merge branch 'android-ndk'
...
This branch comes with some preliminary changes for the user-land IPsec
implementation and the Android App.
One important change is that the UDP ports used by the socket-default plugin
were made configurable (either via ./configure or strongswan.conf).
Also, the plugin does randomly allocate a port if it is configured to 0,
which is useful for client implementations. A consequence of these
changes is that the local UDP port used when creating ike_cfg_t objects has
to be fetched from the socket.
2012-08-13 10:45:39 +02:00
Tobias Brunner
9ede42e112
Documentation fixes regarding xauth-pam/eap-gtc plugins
2012-08-11 16:05:05 +02:00
Andreas Steffen
da21793679
make max_message_size parameter consistent with similar options
2012-08-09 14:11:08 +02:00
Tobias Brunner
6fbf4472ea
Added option to prevent socket-default from setting the source address on outbound packets
2012-08-08 15:39:07 +02:00
Tobias Brunner
224ab4c59b
socket-default plugin allocates random ports if configured to 0.
...
Also added strongswan.conf options to change the ports.
2012-08-08 15:30:27 +02:00
Tobias Brunner
56d07af3be
Added ESP log group for libipsec log messages.
2012-08-08 15:12:25 +02:00
Tobias Brunner
162621ed57
Moved Android specific logger to separate plugin.
...
This is mainly because the other parts of the existing android plugin
cannot be built in the NDK (access to keystore and system properties is
not part of the stable NDK libraries).
2012-08-08 15:07:43 +02:00
Martin Willi
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
Andreas Steffen
be735f0148
added PA-TNC max_msg_len option to man page
2012-07-13 11:02:23 +02:00
Andreas Steffen
d7dcbc95a9
make maximum PB-TNC batch size configurable
2012-07-11 17:09:05 +02:00
Andreas Steffen
c8aabefd08
added charon.plugins.eap-tnc.protocol option
2012-07-11 17:09:05 +02:00
Andreas Steffen
4492ffc907
EAP-TNC does not support fragmentation
2012-07-11 17:09:04 +02:00
Andreas Steffen
87efdef35b
configure size of ITA Dummy PA-TNC attribute
2012-07-11 17:09:04 +02:00
Andreas Steffen
3bd452f8f3
max_message_count = 0 disables limit
2012-07-11 17:09:04 +02:00
Tobias Brunner
66e12b926e
Some updates in ipsec.conf(5) for 5.0.0
2012-06-26 12:39:53 +02:00
Andreas Steffen
c38d6905a2
added charon.cisco_unity to strongswan.conf.5 man page
2012-06-25 11:47:40 +02:00
Andreas Steffen
2045a9d36d
added secret as valid authby argument
2012-06-18 22:11:18 +02:00
Martin Willi
7c4214bd38
Add documentation for signature hash algorithm enforcing to man ipsec.conf
2012-06-12 15:01:39 +02:00
Tobias Brunner
95e41fb80a
starter: Drop support for %defaultroute.
2012-06-11 17:33:29 +02:00
Tobias Brunner
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner
18dac73f02
Updated ipsec.conf(5) to reflect changes to IPComp support.
2012-05-24 15:32:28 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Tobias Brunner
13de38e354
Documented strongswan.conf options for radattr plugin.
2012-05-01 13:32:43 +02:00
Tobias Brunner
5895c2e948
Option added to set identifier for syslog(3) logging.
...
This identifier is added to each log message by syslog.
2012-04-20 09:26:12 +02:00
Andreas Steffen
0293f09597
updated supported EAP methods
2012-03-30 11:15:10 +02:00
Tobias Brunner
ed2cab08d2
Make resolvconf interface prefix configurable.
2012-03-27 10:44:21 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
75e3d90d43
Updated ipsec.conf man page for the use of IKEv1 with pluto
2012-03-20 17:31:39 +01:00
Martin Willi
c8d46f2959
Dropped support of deprecated authby=eap and eap= options
2012-03-20 17:31:38 +01:00
Andreas Steffen
f673958e59
added the strongswan.conf options of the tnc-pdp plugin
2012-03-16 11:14:40 +01:00
Andreas Steffen
e01751035e
completed imc/imv-attestation settings
2012-02-07 22:11:51 +01:00
Tobias Brunner
9ec66bc1a5
Added an option to load CA certificates without CA basic constraint.
...
Enabling this option treats all certificates in ipsec.d/cacerts and
ipsec.conf ca sections as CA certificates even if they do not contain a
CA basic constraint.
2012-02-01 14:34:52 +01:00
Martin Willi
503dee4d2f
Added RADIUS accounting option to strongswan.conf manual
2012-02-01 11:35:13 +01:00
Tobias Brunner
7c0c2349a9
Make number of concurrently handled stroke messages configurable.
2011-12-29 18:41:39 +01:00
Tobias Brunner
54d096a712
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
...
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
2011-12-16 16:44:38 +01:00
Tobias Brunner
49b44c98c1
Charon also supports type=passthrough|drop.
2011-12-14 19:01:39 +01:00
Tobias Brunner
b768d6a4a5
Documented xauth_identity in ipsec.conf(5) man page.
2011-12-14 18:04:39 +01:00
Tobias Brunner
6d4c6b8f41
Documented binary secrets in ipsec.secrets(5) man page.
2011-12-14 17:46:27 +01:00