e1fe2781b0
bus: Add an ike_update() hook invoked when peer endpoints change
2015-02-20 15:33:59 +01:00
a12f357b40
attribute-manager: Pass full IKE_SA to handler methods
2015-02-20 13:34:56 +01:00
a16058a491
attribute-manager: Pass the full IKE_SA to provider methods
2015-02-20 13:34:56 +01:00
751363275f
attributes: Move the configuration attributes framework to libcharon
2015-02-20 13:34:55 +01:00
38227d0e08
ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA manager
2015-02-20 13:34:49 +01:00
472156eea5
ike: Do remote address updates also when behind static NATs
...
We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.
The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.
2014-10-13 15:20:17 +02:00
05db0f97e3
ikev1: Add fragmentation support for Windows peers
...
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tested with Windows XP, 7 and 8.1.
2014-10-10 10:54:37 +02:00
1446fd8ac9
ike: IKE_SA may fragment IKEv2 messages
2014-10-10 09:32:41 +02:00
40bab9a176
ike: Move fragmentation to ike_sa_t
...
The message() hook on bus_t is now called exactly once before (plain) and
once after fragmenting (!plain), not twice for the complete message and again
for each individual fragment, as was the case in earlier iterations.
For inbound messages the hook is called once for each fragment (!plain)
and twice for the reassembled message.
2014-10-10 09:30:26 +02:00
ff60134157
ikev2: Skip peer addresses we can't send packets to when looking for valid paths
2014-09-12 10:29:36 +02:00
34e402ef8d
ike: Reset IKE_SA in state CONNECTING instead of reauthenticating
...
Due to how reauthentication works for IKEv1 we could get a second
IKE_SA, which might cause problems, when connectivity problems arise
when the connection is initially established.
Fixes #670 .
2014-09-09 10:56:15 +02:00
614359a7d5
bus: Add ike_reestablish_pre hook, called before DNS resolution
...
The old hook is renamed to ike_reestablish_post and is now also called
when the initiation of the new IKE_SA failed.
2014-07-22 11:10:36 +02:00
eef7427b0f
bus: Add a handle_vips() hook invoked after handling configuration attributes
...
Similar to assign_vips() used by a peer assigning virtual IPs to the other peer,
the handle_vips() hook gets invoked on a peers after receiving attributes. On
release of the same attributes the hook gets invoked again.
This is useful to inspect handled attributes, as the ike_updown() hook is
invoked after authentication, when attributes have not been handled yet.
2014-06-17 15:14:51 +02:00
9d257034d8
ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA
2014-06-16 15:59:17 +02:00
5ae3221075
ike: Store unhandled attributes on IKE_SA as well
2014-06-16 15:59:16 +02:00
094963d1b1
ikev2: Apply extensions and conditions before starting rekeying
...
The extensions and conditions apply to the rekeyed IKE_SA as well, so we should
migrate them. Especially when using algorithms from private space, we need
EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
2014-04-17 09:24:51 +02:00
713a1122b4
ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying
2014-04-17 09:24:51 +02:00
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
53d2164c5d
ike: Simplify error handling if name resolution failed
...
This avoids a second name resolution attempt just to determine if %any
etc. was configured.
Fixes #440 .
2014-01-23 10:04:19 +01:00
be8af56e7a
ike: Use proper hostname(s) when name resolution failed
...
Was wrong since 0edce68767Fixes #440 .
2014-01-23 10:03:50 +01:00
b190899473
ike_sa: Defer task manager destruction after child destruction
...
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destructoin (see git-commit
e44ebdcf
2014-01-16 14:16:13 +01:00
b76e96e2ef
ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
...
Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
2013-11-01 11:33:29 +01:00
9292357030
ike-sa: Resolve hosts before reestablishing an IKE_SA
2013-09-23 11:49:52 +02:00
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
0edce68767
ike-sa: use ike_cfg resolver functions
2013-09-04 10:38:36 +02:00
07a9d5c91a
ike: Fix reestablishing SAs if no child-creating tasks are queued
2013-07-18 10:40:08 +02:00
2b0c8ee37d
ike-sa: uninstall CHILD_SAs before removing virtual IPs
...
a3854d83
2013-07-18 10:35:38 +02:00
68db844f99
ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
2013-07-17 18:16:58 +02:00
893da0411f
ike-sa: use arrays instead of linked lists in long lived collections
...
This saves about 1.5KB of memory per IKE_SA.
2013-07-17 17:20:17 +02:00
bf92887af1
ike: Resolve hosts only for address families currently supported
2013-07-05 09:48:26 +02:00
c949a4d501
Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart
2013-07-01 09:58:34 +02:00
4c74fa664b
Reuse reqid for trap policies installed for dpd|closeaction=hold
2013-07-01 09:58:25 +02:00
3568abe7be
Use ref_get() to make sure IKE_SA unique IDs are unique
2013-06-11 15:54:27 +02:00
a3854d8371
Don't unset IKE_SA on bus before we released virtual IPs and attributes
2013-05-06 14:56:01 +02:00
12fa1784d0
emit a single assig_vips bus message for all VIPs
2013-04-06 14:16:30 +02:00
ba2880d569
ifmap plugin subscribes to assing_vip bus signal
2013-04-06 11:09:41 +02:00
c45cf9048e
Raise an alert if an IKE_SA could not have been reauthenticated and expires
2013-03-14 14:20:54 +01:00
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
cdf75a39e3
Move initial message dropping to task manager
...
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295 .
2013-02-25 12:12:19 +01:00
5b15bd5f9d
Set configured DSCP value while generating IKE packets
2013-02-06 15:20:32 +01:00
b816037739
Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
...
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
43b4c2ea75
Inherit virtual IP and attributes from old to new, not from new to old
2012-12-10 17:01:00 +01:00
d88597f0dd
Don't wait while removing external IPs used for load testing
2012-11-29 10:22:51 +01:00
b185cdd16d
Install virtual IPs via interface name, and use an interface lookup where required
2012-11-29 10:22:51 +01:00
50bd755871
Add an optional kernel-interface parameter to install IPs with a custom prefix
2012-11-29 10:22:51 +01:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
1d6dc62727
Added a new alert that is raised if peer does not respond to initial IKE message
2012-10-16 14:16:17 +02:00
2d39f79b9b
IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
...
Fixes #229 .
2012-09-25 09:31:47 +02:00
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
bcf8cdd556
Only initiate an exchange from send_dpd() if a task was actually queued
...
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
3babde90bb
Trigger ike_updown event caused by retransmits only after reestablish() has been called
...
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
4dbb193190
Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
...
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
873b63b771
Add a new condition to mark IKE_SAs that are currently being reauthenticated
2012-09-06 11:23:11 +02:00
d2e8f20d94
Clear virtual IPs before storing assigned ones on the IKE_SA
...
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
...
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
cbc1a20ffe
Wrap task managers flush_queue() in IKE_SA
2012-05-21 14:05:01 +02:00
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
ae9ce83511
Properly initialize src in ike_sa_t.is_any_path_valid().
2012-04-06 10:54:44 +02:00
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
f98af1ddd5
Trigger DPD not before IKE_SA state gets updated
2012-03-20 17:31:39 +01:00
a994050e9c
Don't re-resolve addresses during initiate if they have already been set
2012-03-20 17:31:38 +01:00
783c496966
Update state before triggering DPD, as we cancel it if PASSIVE
2012-03-20 17:31:38 +01:00
47b8f6ef4b
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
2012-03-20 17:31:37 +01:00
1a0648490c
Invoke ike_updown hooks for reauthenticated IKEv1 SAs
2012-03-20 17:31:36 +01:00
11aadd7722
Disable DPD checking for peers not supporting it
2012-03-20 17:31:35 +01:00
1e624ce876
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-03-20 17:31:35 +01:00
3a0b67bce5
Destroy IKE_SA after reauthentication initiatend and lifetime limit reached
2012-03-20 17:31:33 +01:00
beab4a90ae
Query for XAuth identity in get_other_eap_id(), too
2012-03-20 17:31:32 +01:00
9c64f214f1
Support initiation of childless IKEv1 ISAKMP SAs
2012-03-20 17:31:32 +01:00
7e9e1f96df
Don't trigger reauthentication if initiator authenticated using XAuth
2012-03-20 17:31:32 +01:00
3a925f74ab
Do not query CHILD_SA during delete if they already expired
2012-03-20 17:31:31 +01:00
3d54ae94d9
Handle initiation of not supported IKE versions properly
2012-03-20 17:31:30 +01:00
d9c1dae293
Implemented resetting of IKEv1 task manager, enabling additional keyingtries
2012-03-20 17:31:29 +01:00
448e2e2945
Check message version before processing it on an IKE_SA
2012-03-20 17:31:29 +01:00
438a8d785f
Added a TODO for creating IKE_SAs with unsupported protocol version
2012-03-20 17:31:28 +01:00
3b08de850a
Removed obsolete task header inclusion in IKE_SA
2012-03-20 17:31:27 +01:00
873df908cc
Moved MOBIKE task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
26eee421b4
Check in task manager if we have to requeue IKE tasks in a non-first keyingtry
2012-03-20 17:31:27 +01:00
cedb412e5a
Moved IKE_SA reauth task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
dab60d6411
Moved IKE_SA rekey task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
3ed148b37e
Moved IKE_SA delete task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
83c5fda053
Moved CHILD_SA delete task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
463a73cc0f
Moved CHILD_SA rekey task creation to protocol specific task manager
2012-03-20 17:31:27 +01:00
Martin Willi