We don't track CHILD_SA down events anymore and rely on NM's initial timeout
to let the user know if the connection failed initially. So we also don't
have to explicitly differentiate between initial connection failures and
later ones like we do on Android. Also, with the default retransmission
settings, there will only be one keying try as NM's timeout is lower than
the combined retransmission timeout of 165s.
There is no visual indicator while the connection is reestablished later.
Fixes #3300.

This change allows customizing the previously hard-coded remote traffic
selectors.
This does not actually write the newly added "remote-ts" configuration option
into NetworkManager's configuration file, but will use an existing value.
Exposing the config setting in the GUI could be done later if this is a
desired change.
Use case: remote firewall appliance wrongly accepts the `0.0.0.0/0` TS but
does not actually route external traffic, leaving the user with a partially
working internet connection.
Closes strongswan/strongswan#173.

The need_secrets() method is called before connect() (where we clear the
previous secrets too), so e.g. a password-protected private key could be
decrypted with the cached password from earlier, but if the password was not
stored with the connection, it would later fail as no password was requested
from the user that could be passed to connect().
References #3428.

Also makes it configurable via configure script. Depending on `$datadir` is
not ideal as package maintainers might set that to a custom value. Depending
on `$datarootdir` might have been better, the default if pkg-config fails is
now based on that.
References #3339.

The code is structured similarly to that in the Android client, but two-round
authentication (cert+EAP) is not supported as that might require multiple
secrets ("password" is currently the only secret field used for every
method) and other details are currently missing too (like configurable
client identities).

Since D-Bus 1.9.18, configuration files installed by third parties should
go in share/dbus-1/system.d. The old location is for sysadmin overrides.
Closes strongswan/strongswan#150.

By default, charon and its derivatives internally handle the SIGSEGV,
SIGILL, and SIGBUS signals raised by threads (segv_handler). Add a compile
option so that the signal handling can optionally be done externally.
Closes strongswan/strongswan#132.

Previously, when the user supplied an ECDSA key for public key authentication,
the user was always asked to provide a password, even if the key was not
encrypted.
Related: 954f73ea6e ("charon-nm: Parse any type of private key not only RSA")
Closes strongswan/strongswan#108.

g_variant_builder_add() creates a new GVariant using g_variant_new() and
then adds it to the builder. Passing a GVariant probably adds the
pointer to the array, not the value. I think an alternative fix would
be to use "@u" as type string for the g_variant_builder_add() call, then
the already allocated GVariant is adopted.
Fixes: 9a71b7219c ("charon-nm: Port to libnm")

libnm-glib has been deprecated for several years and is reaching the end of its
life. Let's switch to the more up-to-date library.
Closes strongswan/strongswan#85.

It does more than intended; apart from denying messages to that
particular interface, it also globally denies all messages that are not
qualified with an interface. This blocks messages completely unrelated to
strongSwan's VPN plugin, such as NetworkManager's communication with the
VPN plugins.
From the dbus-daemon manual:
Be careful with send_interface/receive_interface, because the
interface field in messages is optional. In particular, do NOT
specify <deny send_interface="org.foo.Bar"/>! This will cause
no-interface messages to be blocked for all services, which is
almost certainly not what you intended. Always use rules of the form:
<deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.
Closes strongswan/strongswan#42.
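The policy shape this commit and the dbus-daemon manual contrast, written out as an added illustration that is not the strongSwan tree's own nm-strongswan-service.conf; the bus and interface names are the manual's placeholders (org.foo.Service, org.foo.Bar), and the root-only ownership policy is an assumption, not the plugin's real file:

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Installed under share/dbus-1/system.d (D-Bus >= 1.9.18). -->

  <!-- Assumed owner: only root may claim the service name and call it. -->
  <policy user="root">
    <allow own="org.foo.Service"/>
    <allow send_destination="org.foo.Service"/>
  </policy>

  <policy context="default">
    <!-- Everyone else is kept out by destination. Method calls are already
         denied by default on the system bus, so this is sufficient. -->
    <deny own="org.foo.Service"/>
    <deny send_destination="org.foo.Service"/>

    <!-- REMOVED, the over-broad form from the commit:
           <deny send_interface="org.foo.Bar"/>
         The interface field is optional, so this rule also matched every
         message without an interface, for every destination on the bus,
         e.g. NetworkManager talking to its other VPN plugins. -->

    <!-- If an interface-scoped rule is still wanted, it must also name the
         destination, as the manual instructs. -->
    <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
  </policy>
</busconfig>
```

A quick way to confirm the scope of a rule is `dbus-send --system` against an unrelated service from an unprivileged user: with the bare `send_interface` deny in place, even interface-less messages to that service are rejected.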