Martin Willi
e1fe2781b0
bus: Add an ike_update() hook invoked when peer endpoints change
2015-02-20 15:33:59 +01:00
Martin Willi
a12f357b40
attribute-manager: Pass full IKE_SA to handler methods
2015-02-20 13:34:56 +01:00
Martin Willi
a16058a491
attribute-manager: Pass the full IKE_SA to provider methods
2015-02-20 13:34:56 +01:00
Martin Willi
751363275f
attributes: Move the configuration attributes framework to libcharon
2015-02-20 13:34:55 +01:00
Martin Willi
38227d0e08
ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA manager
2015-02-20 13:34:49 +01:00
Tobias Brunner
472156eea5
ike: Do remote address updates also when behind static NATs
...
We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.
The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.
2014-10-13 15:20:17 +02:00
Volker Rümelin
05db0f97e3
ikev1: Add fragmentation support for Windows peers
...
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tested with Windows XP, 7 and 8.1.
2014-10-10 10:54:37 +02:00
Tobias Brunner
1446fd8ac9
ike: IKE_SA may fragment IKEv2 messages
2014-10-10 09:32:41 +02:00
Tobias Brunner
40bab9a176
ike: Move fragmentation to ike_sa_t
...
The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.
For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.
2014-10-10 09:30:26 +02:00
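The hook-call pattern described in that commit message, as a constructed model added here (not strongSwan's bus_t/listener_t code): a message() observer records each invocation, the outbound path calls it once on the plain message and once on the encoded whole message regardless of how many fragments result, and the inbound path calls it once per fragment (!plain) and then twice for the reassembled message. The struct and function names, the fixed header overhead, and the assumption that the two reassembled-message calls are the encrypted form followed by the plain form are illustrative assumptions, not taken from the project.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a bus message() observer. Not strongSwan code;
 * names and the 28-byte "header overhead" are assumptions for illustration. */

#define MAX_CALLS 32

typedef struct {
    bool incoming;  /* true for received messages, false for sent ones */
    bool plain;     /* true when the hook sees the parsed plaintext form */
    size_t len;     /* bytes the hook was handed */
} hook_call_t;

typedef struct {
    hook_call_t calls[MAX_CALLS];
    int count;
} hook_log_t;

/* the message() hook as seen by one listener: just records what it saw */
static void message_hook(hook_log_t *log, bool incoming, bool plain, size_t len)
{
    if (log->count < MAX_CALLS) {
        log->calls[log->count++] = (hook_call_t){ incoming, plain, len };
    }
}

/* outbound: hook once before fragmenting (plain) and once after (encoded, whole
 * message), never once per fragment; returns the number of fragments produced */
int send_message(hook_log_t *log, size_t plain_len, size_t frag_size)
{
    size_t encoded_len = plain_len + 28;   /* assumed fixed overhead */
    int fragments;

    message_hook(log, false, true, plain_len);
    fragments = (int)((encoded_len + frag_size - 1) / frag_size);
    if (fragments < 1) {
        fragments = 1;
    }
    message_hook(log, false, false, encoded_len);
    return fragments;
}

/* inbound: hook once per fragment (!plain), then twice for the reassembled
 * message (assumed order: encrypted whole message, then the plain/parsed one) */
void receive_fragments(hook_log_t *log, const size_t *frag_lens, int n)
{
    size_t total = 0;
    int i;

    for (i = 0; i < n; i++) {
        message_hook(log, true, false, frag_lens[i]);
        total += frag_lens[i];
    }
    message_hook(log, true, false, total);
    message_hook(log, true, true, total);
}

/* a listener that inspects payloads should act only on calls with plain == true */
int plain_calls(const hook_log_t *log)
{
    int i, n = 0;
    for (i = 0; i < log->count; i++) {
        n += log->calls[i].plain ? 1 : 0;
    }
    return n;
}

/* a listener that watches wire bytes sees every encoded form, fragments included */
int wire_calls(const hook_log_t *log)
{
    int i, n = 0;
    for (i = 0; i < log->count; i++) {
        n += log->calls[i].plain ? 0 : 1;
    }
    return n;
}
```

The practical consequence for a listener: a payload-inspecting hook that ignores `plain == false` calls sees each message exactly once in both directions, while a hook interested in what went on the wire must expect one call per received fragment and must not assume the encoded length it sees on the outbound side is the size of any single packet.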
Tobias Brunner
ff60134157
ikev2: Skip peer addresses we can't send packets to when looking for valid paths
2014-09-12 10:29:36 +02:00
Tobias Brunner
34e402ef8d
ike: Reset IKE_SA in state CONNECTING instead of reauthenticating
...
Due to how reauthentication works for IKEv1 we could get a second
IKE_SA, which might cause problems, when connectivity problems arise
when the connection is initially established.
Fixes #670.
2014-09-09 10:56:15 +02:00
Tobias Brunner
614359a7d5
bus: Add ike_reestablish_pre hook, called before DNS resolution
...
The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.
2014-07-22 11:10:36 +02:00
Martin Willi
eef7427b0f
bus: Add a handle_vips() hook invoked after handling configuration attributes
...
Similar to assign_vips() used by a peer assigning virtual IPs to the other peer,
the handle_vips() hook gets invoked on a peer after receiving attributes. On
release of the same attributes the hook gets invoked again.
This is useful to inspect handled attributes, as the ike_updown() hook is
invoked after authentication, when attributes have not been handled yet.
2014-06-17 15:14:51 +02:00
Martin Willi
9d257034d8
ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA
2014-06-16 15:59:17 +02:00
Martin Willi
5ae3221075
ike: Store unhandled attributes on IKE_SA as well
2014-06-16 15:59:16 +02:00
Martin Willi
094963d1b1
ikev2: Apply extensions and conditions before starting rekeying
...
The extensions and conditions apply to the rekeyed IKE_SA as well, so we should
migrate them. Especially when using algorithms from private space, we need
EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
2014-04-17 09:24:51 +02:00
Martin Willi
713a1122b4
ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying
2014-04-17 09:24:51 +02:00
Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
53d2164c5d
ike: Simplify error handling if name resolution failed
...
This avoids a second name resolution attempt just to determine if %any
etc. was configured.
Fixes #440.
2014-01-23 10:04:19 +01:00
Tobias Brunner
be8af56e7a
ike: Use proper hostname(s) when name resolution failed
...
Was wrong since 0edce68767.
Fixes #440.
2014-01-23 10:03:50 +01:00
Thomas Egerer
b190899473
ike_sa: Defer task manager destruction after child destruction
...
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destruction (see git-commit
e44ebdcf) and allows the access of the task manager in
child_state_change hook.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-16 14:16:13 +01:00
Martin Willi
b76e96e2ef
ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
...
Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
2013-11-01 11:33:29 +01:00
Tobias Brunner
9292357030
ike-sa: Resolve hosts before reestablishing an IKE_SA
2013-09-23 11:49:52 +02:00
Martin Willi
beffdc6ab8
ike-cfg: remove the to-be-obsoleted allow-any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
Martin Willi
0edce68767
ike-sa: use ike_cfg resolver functions
2013-09-04 10:38:36 +02:00
Tobias Brunner
07a9d5c91a
ike: Fix reestablishing SAs if no child-creating tasks are queued
2013-07-18 10:40:08 +02:00
Martin Willi
2b0c8ee37d
ike-sa: uninstall CHILD_SAs before removing virtual IPs
...
a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.
2013-07-18 10:35:38 +02:00
Tobias Brunner
68db844f99
ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
2013-07-17 18:16:58 +02:00
Martin Willi
893da0411f
ike-sa: use arrays instead of linked lists in long lived collections
...
This saves about 1.5KB of memory per IKE_SA.
2013-07-17 17:20:17 +02:00
Tobias Brunner
bf92887af1
ike: Resolve hosts only for address families currently supported
2013-07-05 09:48:26 +02:00
Tobias Brunner
c949a4d501
Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart
2013-07-01 09:58:34 +02:00
Tobias Brunner
4c74fa664b
Reuse reqid for trap policies installed for dpd|closeaction=hold
2013-07-01 09:58:25 +02:00
Martin Willi
3568abe7be
Use ref_get() to make sure IKE_SA unique IDs are unique
2013-06-11 15:54:27 +02:00
Martin Willi
a3854d8371
Don't unset IKE_SA on bus before we released virtual IPs and attributes
2013-05-06 14:56:01 +02:00
Andreas Steffen
12fa1784d0
emit a single assign_vips bus message for all VIPs
2013-04-06 14:16:30 +02:00
Andreas Steffen
ba2880d569
ifmap plugin subscribes to assign_vip bus signal
2013-04-06 11:09:41 +02:00
Martin Willi
c45cf9048e
Raise an alert if an IKE_SA could not have been reauthenticated and expires
2013-03-14 14:20:54 +01:00
Martin Willi
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
Martin Willi
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
Martin Willi
cdf75a39e3
Move initial message dropping to task manager
...
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
2013-02-25 12:12:19 +01:00
Martin Willi
5b15bd5f9d
Set configured DSCP value while generating IKE packets
2013-02-06 15:20:32 +01:00
Tobias Brunner
b816037739
Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
...
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
Martin Willi
43b4c2ea75
Inherit virtual IP and attributes from old to new, not from new to old
2012-12-10 17:01:00 +01:00
Martin Willi
d88597f0dd
Don't wait while removing external IPs used for load testing
2012-11-29 10:22:51 +01:00
Martin Willi
b185cdd16d
Install virtual IPs via interface name, and use an interface lookup where required
2012-11-29 10:22:51 +01:00
Martin Willi
50bd755871
Add an optional kernel-interface parameter to install IPs with a custom prefix
2012-11-29 10:22:51 +01:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
1d6dc62727
Added a new alert that is raised if peer does not respond to initial IKE message
2012-10-16 14:16:17 +02:00
Tobias Brunner
2d39f79b9b
IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
...
Fixes #229.
2012-09-25 09:31:47 +02:00
Martin Willi
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
Tobias Brunner
bcf8cdd556
Only initiate an exchange from send_dpd() if a task was actually queued
...
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
Tobias Brunner
3babde90bb
Trigger ike_updown event caused by retransmits only after reestablish() has been called
...
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
Tobias Brunner
4dbb193190
Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
...
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
Tobias Brunner
873b63b771
Add a new condition to mark IKE_SAs that are currently being reauthenticated
2012-09-06 11:23:11 +02:00
Tobias Brunner
d2e8f20d94
Clear virtual IPs before storing assigned ones on the IKE_SA
...
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
Tobias Brunner
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
Tobias Brunner
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Martin Willi
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
Martin Willi
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Tobias Brunner
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
Tobias Brunner
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
Tobias Brunner
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
...
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
Tobias Brunner
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
Tobias Brunner
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
Tobias Brunner
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
Martin Willi
cbc1a20ffe
Wrap task managers flush_queue() in IKE_SA
2012-05-21 14:05:01 +02:00
Tobias Brunner
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Tobias Brunner
ae9ce83511
Properly initialize src in ike_sa_t.is_any_path_valid().
2012-04-06 10:54:44 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
f98af1ddd5
Trigger DPD not before IKE_SA state gets updated
2012-03-20 17:31:39 +01:00
Martin Willi
a994050e9c
Don't re-resolve addresses during initiate if they have already been set
2012-03-20 17:31:38 +01:00
Martin Willi
783c496966
Update state before triggering DPD, as we cancel it if PASSIVE
2012-03-20 17:31:38 +01:00
Martin Willi
47b8f6ef4b
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
2012-03-20 17:31:37 +01:00
Martin Willi
1a0648490c
Invoke ike_updown hooks for reauthenticated IKEv1 SAs
2012-03-20 17:31:36 +01:00
Martin Willi
11aadd7722
Disable DPD checking for peers not supporting it
2012-03-20 17:31:35 +01:00
Martin Willi
1e624ce876
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-03-20 17:31:35 +01:00
Martin Willi
3a0b67bce5
Destroy IKE_SA after reauthentication initiated and lifetime limit reached
2012-03-20 17:31:33 +01:00
Martin Willi
beab4a90ae
Query for XAuth identity in get_other_eap_id(), too
2012-03-20 17:31:32 +01:00
Martin Willi
9c64f214f1
Support initiation of childless IKEv1 ISAKMP SAs
2012-03-20 17:31:32 +01:00
Martin Willi
7e9e1f96df
Don't trigger reauthentication if initiator authenticated using XAuth
2012-03-20 17:31:32 +01:00
Martin Willi
3a925f74ab
Do not query CHILD_SA during delete if they already expired
2012-03-20 17:31:31 +01:00
Martin Willi
3d54ae94d9
Handle initiation of not supported IKE versions properly
2012-03-20 17:31:30 +01:00
Martin Willi
d9c1dae293
Implemented resetting of IKEv1 task manager, enabling additional keyingtries
2012-03-20 17:31:29 +01:00
Martin Willi
448e2e2945
Check message version before processing it on an IKE_SA
2012-03-20 17:31:29 +01:00
Martin Willi
438a8d785f
Added a TODO for creating IKE_SAs with unsupported protocol version
2012-03-20 17:31:28 +01:00
Martin Willi
3b08de850a
Removed obsolete task header inclusion in IKE_SA
2012-03-20 17:31:27 +01:00
Martin Willi
873df908cc
Moved MOBIKE task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi
26eee421b4
Check in task manager if we have to requeue IKE tasks in a non-first keyingtry
2012-03-20 17:31:27 +01:00
Martin Willi
cedb412e5a
Moved IKE_SA reauth task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi
dab60d6411
Moved IKE_SA rekey task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi
3ed148b37e
Moved IKE_SA delete task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi
83c5fda053
Moved CHILD_SA delete task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi
463a73cc0f
Moved CHILD_SA rekey task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00