Tobias Brunner
241cf8e791
Update fallback drop policies if required.
2011-07-29 12:34:51 +02:00
Tobias Brunner
f1c1965d64
Install fallback drop policies for all three directions.
2011-07-28 16:56:15 +02:00
Tobias Brunner
d7a59f1976
Install fallback drop policies to avoid transmitting unencrypted packets.
During the update of a CHILD_SA (e.g. caused by MOBIKE) the old policy
is first uninstalled and then the new one is installed. In the short
time in between, where no policy is available in the kernel, unencrypted
packets could have been transmitted.
2011-07-27 13:44:33 +02:00
Tobias Brunner
fbedc6a45b
Remove policies in kernel interfaces based on their priority.
This allows unrouting a connection while the same connection is
currently established. In this case both CHILD_SAs share the same
reqid but the installed policies have different priorities.
2011-07-27 13:41:35 +02:00
Martin Willi
5d6b981572
Inherit authentication information during IKE_SA rekeying
2011-07-25 14:19:17 +02:00
Andreas Steffen
9c67f5ff54
fixed some more misspellings
2011-07-20 22:19:01 +02:00
Tobias Brunner
f3bb1bd039
Fixed common misspellings.
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
Andreas Steffen
4742d6501a
shunt manager installs policies with %any hosts
2011-07-14 13:51:36 +02:00
Tobias Brunner
0c2ce1905a
Adapted shunt manager to changed kernel interface (reqid in del_policy).
2011-07-06 12:48:26 +02:00
Tobias Brunner
47daa0e6fe
Replaced more complex iterator usages.
2011-07-06 09:43:45 +02:00
Tobias Brunner
572abc6cbd
Replaced ike_sa_t.create_additional_address_iterator with enumerator.
2011-07-06 09:43:45 +02:00
Tobias Brunner
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows removing a CHILD_SA.
2011-07-06 09:43:45 +02:00
Tobias Brunner
e26304348c
Replaced simple iterator usages.
2011-07-06 09:43:45 +02:00
Tobias Brunner
328f22e1d3
Add the reqid to kernel_ipsec_t.del_policy.
2011-07-06 09:43:45 +02:00
Andreas Steffen
f87991704e
implemented PASS and DROP shunt policies
2011-06-28 19:42:54 +02:00
Martin Willi
6a5c8ee7a5
Initialize trap_manager listener with INIT macro, too
2011-06-28 17:19:20 +02:00
Andreas Steffen
06356a2981
Migrated trap_manager_t to INIT/METHOD macros
2011-06-28 14:42:29 +02:00
Martin Willi
bc20bc1927
Check if colliding task actually has a CHILD, i.e. after a migrate
2011-06-03 10:49:54 +02:00
Andreas Steffen
c76b8a21fe
logging initial EAP Identifier in EAP Identity Request
2011-05-29 10:30:02 +02:00
Martin Willi
a4c040d536
Added strongswan.conf option to override half open IKE_SA timeout
2011-05-16 15:24:15 +02:00
Martin Willi
9a96ba4b6e
Added a get_count() method to IKE_SA manager
2011-05-16 15:24:15 +02:00
Martin Willi
a836cf8085
Fixed indentation in private_ike_sa_manager
2011-05-16 15:24:15 +02:00
Martin Willi
69c3eca0e9
Added a non-blocking, skipping variant of IKE_SA enumerator
2011-05-16 15:24:13 +02:00
Tobias Brunner
68447302d6
Typo fixed.
2011-04-28 12:50:30 +02:00
Martin Willi
f9a552f011
Resolve and connect to RADIUS servers not before required
2011-04-21 14:01:25 +02:00
Martin Willi
52846ec820
Remove superfluous test for peer_cfg on established IKE_SAs
2011-04-20 12:31:29 +02:00
Martin Willi
bd01b9d8b2
Install ESN SAs if such a proposal has been negotiated
2011-04-20 12:26:58 +02:00
Martin Willi
4876d4f3b3
Added an esn parameter to the kernel interface add_sa functions
2011-04-20 12:26:57 +02:00
Tobias Brunner
1c004bebd8
Clearly mark switch cases that fall through.
2011-04-19 13:48:50 +02:00
Tobias Brunner
3c0c321776
Neither rekey nor del can be NULL.
2011-04-14 18:10:27 +02:00
Andreas Steffen
c98ed04de0
display EAP identifiers in HEX format
2011-04-06 17:34:27 +02:00
Andreas Steffen
adcb221f19
log the EAP identifier also for vendor specific EAP methods
2011-04-05 13:57:37 +02:00
Andreas Steffen
de93154231
log the initial value of the EAP identifier
2011-04-05 13:54:26 +02:00
Andreas Steffen
2f7c12a2f4
added get_identifier() and set_identifier() methods
2011-04-05 13:32:10 +02:00
Martin Willi
3ced6b51e4
Move establish/inherit of rekeyed IKE_SAs to delete messages
Having the inherit() function delayed to the IKE_SA establish procedure
was problematic. The task destroy function was never a good place and
results in locking/cleanup problems. After establishing the SA, it
should really be checked in ASAP to avoid any triggered DPD checks
getting lost.
2011-03-15 15:20:09 +01:00
Martin Willi
f42156a8c8
Wrap IKE delete after rekey into rekey task for responder, too
2011-03-15 11:51:53 +01:00
Martin Willi
41080cbbd9
Migrated ike_rekey task to INIT/METHOD macros
2011-03-15 11:30:02 +01:00
Martin Willi
5f47296f22
Migrated sim_manager to INIT/METHOD macros
2011-03-08 16:42:27 +01:00
Martin Willi
7b3bfe4b6c
Protect sim card/provider/hook (un-)registration with a rwlock
2011-03-08 16:42:27 +01:00
Martin Willi
f58db72482
Split sim_manager.h header into sim_{card,provider,hooks}.h
2011-03-08 16:42:27 +01:00
Martin Willi
e44ebdcfc8
Slightly change IKE_SA destruction order to inherit properly during ike_rekey task destruction
2011-02-28 10:31:36 +00:00
Martin Willi
94030a670b
Report correct key size if a cipher is not supported
2011-02-07 16:39:33 +01:00
Tobias Brunner
84545f6e7c
Some typos fixed.
2011-02-07 11:39:41 +01:00
Martin Willi
b49d047bfc
Invoke the per-round authorize() hook before purging current auth info on IKE_SA
2011-02-03 17:08:39 +01:00
Martin Willi
2b7686b5d8
Migrated ike_auth to INIT/METHOD macros, fixes missing initial_contact initialization
2011-02-02 15:13:39 +01:00
Martin Willi
1d34612f07
Do not use destroyed rng/hasher if IKE_SA has been flush()ed
2011-02-01 09:25:55 +01:00
Martin Willi
5c89a00f05
Do not log potentially hundreds of cert requests for unknown CAs at level 1
2011-01-28 08:29:23 +01:00
Martin Willi
983a5e88d3
Revert "Send INITIAL_CONTACT even if we have a unique policy"
It makes sense to omit INITIAL_CONTACT if we don't have a unique policy,
as a client might want to connect from different devices to the same
account.
This reverts commit 719c33b41a.
2011-01-13 10:50:46 +01:00
Martin Willi
2082417df3
Force port update as responder when initiator switches to 4500 in IKE_AUTH
2011-01-12 14:37:15 +01:00
Martin Willi
8ba805f4db
Avoid variable name overloading
2011-01-12 14:37:09 +01:00