241cf8e791
Update fallback drop policies if required.
2011-07-29 12:34:51 +02:00
f1c1965d64
Install fallback drop policies for all three directions.
2011-07-28 16:56:15 +02:00
d7a59f1976
Install fallback drop policies to avoid transmitting unencrypted packets.
...
During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed. In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.
2011-07-27 13:44:33 +02:00
fbedc6a45b
Remove policies in kernel interfaces based on their priority.
...
This allows to unroute a connection while the same connection is
currently established. In this case both CHILD_SAs share the same
reqid but the installed policies have different priorities.
2011-07-27 13:41:35 +02:00
5d6b981572
Inherit authentication information during IKE_SA rekeying
2011-07-25 14:19:17 +02:00
9c67f5ff54
fixed some more misspellings
2011-07-20 22:19:01 +02:00
f3bb1bd039
Fixed common misspellings.
...
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
4742d6501a
shunt manager installs policies with %any hosts
2011-07-14 13:51:36 +02:00
0c2ce1905a
Adapted shunt manager to changed kernel interface (reqid in del_policy).
2011-07-06 12:48:26 +02:00
47daa0e6fe
Replaced more complex iterator usages.
2011-07-06 09:43:45 +02:00
572abc6cbd
Replaced ike_sa_t.create_additional_address_iterator with enumerator.
2011-07-06 09:43:45 +02:00
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
...
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows to remove a CHILD_SA.
2011-07-06 09:43:45 +02:00
e26304348c
Replaced simple iterator usages.
2011-07-06 09:43:45 +02:00
328f22e1d3
Add the reqid to kernel_ipsec_t.del_policy.
2011-07-06 09:43:45 +02:00
f87991704e
implemented PASS and DROP shunt policies
2011-06-28 19:42:54 +02:00
6a5c8ee7a5
Initialize trap_manager listener with INIT macro, too
2011-06-28 17:19:20 +02:00
06356a2981
Migrated trap_manager_t to INIT/METHOD macros
2011-06-28 14:42:29 +02:00
bc20bc1927
Check if colliding task has actually a CHILD, i.e. after a migrate
2011-06-03 10:49:54 +02:00
c76b8a21fe
logging initial EAP Identifier in EAP Identity Request
2011-05-29 10:30:02 +02:00
a4c040d536
Added strongswan.conf option to override half open IKE_SA timeout
2011-05-16 15:24:15 +02:00
9a96ba4b6e
Added a get_count() method to IKE_SA manager
2011-05-16 15:24:15 +02:00
a836cf8085
Fixed identiation in private_ike_sa_manager
2011-05-16 15:24:15 +02:00
69c3eca0e9
Added a non-blocking, skipping variant of IKE_SA enumerator
2011-05-16 15:24:13 +02:00
68447302d6
Typo fixed.
2011-04-28 12:50:30 +02:00
f9a552f011
Resolve and connect to RADIUS servers not before required
2011-04-21 14:01:25 +02:00
52846ec820
Remove superfluous test for peer_cfg on established IKE_SAs
2011-04-20 12:31:29 +02:00
bd01b9d8b2
Install ESN SAs if such a proposal has been negotiated
2011-04-20 12:26:58 +02:00
4876d4f3b3
Added an esn parameter to the kernel interface add_sa functions
2011-04-20 12:26:57 +02:00
1c004bebd8
Clearly mark switch cases that fall through.
2011-04-19 13:48:50 +02:00
3c0c321776
Neither rekey nor del can be NULL.
2011-04-14 18:10:27 +02:00
c98ed04de0
display EAP identifiers in HEX format
2011-04-06 17:34:27 +02:00
adcb221f19
log the EAP identifier also for vendor specific EAP methods
2011-04-05 13:57:37 +02:00
de93154231
log the initial value of the EAP identifier
2011-04-05 13:54:26 +02:00
2f7c12a2f4
added get_identifier() and set_identifier() methods
2011-04-05 13:32:10 +02:00
3ced6b51e4
Move establish/inherit of rekeyed IKE_SAs to delete messages
...
Having the inherit() function delayed to the IKE_SA establish procedure
was problematic. The task destroy function was never a good place and
results in locking/cleanup problems. After establishing the SA, it
should be really checked in ASAP to avoid any triggered DPD checks
to get lost.
2011-03-15 15:20:09 +01:00
f42156a8c8
Wrap IKE delete after rekey into rekey task for responder, too
2011-03-15 11:51:53 +01:00
41080cbbd9
Migrated ike_rekey task to INIT/METHOD macros
2011-03-15 11:30:02 +01:00
5f47296f22
Migrated sim_manager to INIT/METHOD macros
2011-03-08 16:42:27 +01:00
7b3bfe4b6c
Protect sim card/provider/hook (un-)registration with a rwlock
2011-03-08 16:42:27 +01:00
f58db72482
Splitted sim_manager.h header to sim_{card,provider,hooks}.h
2011-03-08 16:42:27 +01:00
e44ebdcfc8
Slightly change IKE_SA destruction order to inherit properly during ike_rekey task destruction
2011-02-28 10:31:36 +00:00
94030a670b
Report correct key size if a cipher is not supported
2011-02-07 16:39:33 +01:00
84545f6e7c
Some typos fixed.
2011-02-07 11:39:41 +01:00
b49d047bfc
Invoke the per-round authorize() hook before purging current auth info on IKE_SA
2011-02-03 17:08:39 +01:00
2b7686b5d8
Migrated ike_auth to INIT/METHOD macros, fixes missing initial_contact initialization
2011-02-02 15:13:39 +01:00
1d34612f07
Do not use destroyed rng/hasher if IKE_SA has been flush()ed
2011-02-01 09:25:55 +01:00
5c89a00f05
Do not log potentially hundreds of cert requests for unknown CAs at level 1
2011-01-28 08:29:23 +01:00
983a5e88d3
Revert "Send INITIAL_CONTACT even if we have a unique policy"
...
It makes sense to omit INITIAL_CONTACT if don't have a unique policy,
as a client might want to connect from different devices to the same
account.
This reverts commit 719c33b41a
2011-01-13 10:50:46 +01:00
2082417df3
Force port update as responder when initiator switches to 4500 in IKE_AUTH
2011-01-12 14:37:15 +01:00
8ba805f4db
Avoid variable name overloading
2011-01-12 14:37:09 +01:00
Tobias Brunner