22e6a06b8c
mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
...
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
2015-02-20 13:34:57 +01:00
349f7f2412
ikev2: Trigger make-before-break reauthentication instead of reauth task
2015-02-20 13:34:57 +01:00
5cc0b23886
mem-pool: Document reassign_online option
2015-02-12 12:17:48 +01:00
8edea13a5a
kernel-netlink: Add missing documentation for two options
2014-12-19 15:36:01 +01:00
87888f9926
kernel-netlink: Alternatively support global port based IKE bypass policies
...
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
2014-11-21 10:55:45 +01:00
6f9df556ba
conf: Document kernel-netlink retransmission and parallelization options
2014-11-21 10:55:45 +01:00
9d75a28820
ike: Add IKEv2 in description of fragment_size option in strongswan.conf
2014-10-14 15:41:52 +02:00
3633b80147
eap-radius: Add option to set interval for interim accounting updates
...
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
2014-10-10 09:51:13 +02:00
127a98dc90
ikev1: Move fragment generation to message_t
2014-10-10 09:30:26 +02:00
b2c1973ffb
ext-auth: Add an ext-auth plugin invoking an external authorization script
...
Original patch courtesy of Vyronas Tsingaras.
2014-10-06 18:30:46 +02:00
90fe4b3f8a
starter: Allow specifying the ipsec.conf location in strongswan.conf
2014-10-02 14:33:08 +02:00
213e02b872
stroke: Allow specifying the ipsec.secrets location in strongswan.conf
2014-10-02 14:31:00 +02:00
0efea2fd86
Don't fail to install if sysconfdir isn't writable
2014-09-26 10:52:37 +02:00
e2d9f27c19
systemd: Add a native systemd journal logger
2014-09-22 14:19:37 +02:00
90e6675a65
kernel-netlink: Optionally install protocol and ports on transport mode SAs
2014-09-12 10:45:50 +02:00
47a0e289d9
kernel-netlink: Add global option to configure MSS-clamping on installed routes
2014-09-12 10:13:30 +02:00
c1adf7e0c4
kernel-netlink: Add global option to set MTU on installed routes
2014-09-12 10:13:30 +02:00
33967467e2
conf: Document load-tester.crl option
2014-06-30 13:25:13 +02:00
da7cb76974
conf: Document charon.*-scripts options
2014-06-30 13:25:13 +02:00
38f27e172c
conf: Document swanctl options
2014-06-30 13:25:13 +02:00
4d066ef7fc
conf: Document aikgen options
2014-06-30 13:25:13 +02:00
3986c1e3fd
autoconf: Replace --disable-tools option with --disable-scepclient
...
Since using a separate option for pki this was the only tool that was still
enabled by that option.
2014-06-30 13:25:13 +02:00
566d1a90cd
Remove kernel-klips plugin
2014-06-19 14:20:33 +02:00
3bf98189d7
kernel-netlink: Follow RFC 6724 when selecting IPv6 source addresses
...
Instead of using the first address we find on an interface we should
consider properties like an address' scope or whether it is temporary
or public.
Fixes #543 .
2014-06-19 14:16:41 +02:00
18ba2a3035
Fixed typo in strongswan.conf
2014-06-05 11:26:54 +02:00
b70849ada2
configure: Separate pki from --disable-tools
...
While pki builds and runs just fine on Windows, this is not true for scepclient.
2014-06-04 15:53:08 +02:00
bfd8f8c5fe
Updated IMC/IMV entries in strongswan.conf man page
2014-05-31 20:37:57 +02:00
35952dc13f
conf: Fix sorting of options with Python 3
...
__cmp__() is not supported anymore with Python 3 and cmp() is deprecated.
Instead rich comparisons should be used (only __lt__() is required for
sorting).
2014-05-13 11:14:44 +02:00
5ee4984da5
conf: print is a function in Python 3
2014-05-13 11:14:43 +02:00
8d59090349
Implemented PT-EAP protocol (RFC 7171)
2014-05-12 06:59:21 +02:00
688b5b99ed
Changed default value to libimcv.imc-attestation.pcr_info = no
2014-05-10 20:08:20 +02:00
ae98a39e71
conf: Add a format-options --nosort option to keep order of sections as defined
2014-05-07 15:48:17 +02:00
e20deeca77
conf: Properly propagate whether a section is commented or not
2014-05-07 15:48:16 +02:00
7dbf9e1574
vici: Document strongswan.conf options
2014-05-07 14:13:38 +02:00
c4c9d291d2
ikev1: Add an option to accept unencrypted ID/HASH payloads
...
Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in
unencrypted form, probably to allow PSK lookup based on the ID payloads. We
by default reject that, but accept it if the
charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf.
Initial patch courtesy of Paul Stewart.
2014-04-17 08:52:28 +02:00
8c40609f96
Use python-based swidGenerator to generated SWID tags
2014-04-15 09:21:06 +02:00
0bd64fa5bf
Renamed the AIK public key parameter to imc-attestation.aik_pubkey
2014-04-15 09:21:05 +02:00
c54c26dd17
Implemented configurable Device ID in OS IMC
2014-04-15 09:21:05 +02:00
00b91c4325
eap-radius: Add option to not close IKE_SAs on timeouts during interim accouting updates
...
Fixes #528 .
2014-03-31 14:32:44 +02:00
9fa7b03769
conf: Order settings in man page alphabetically
...
For the config snippets the options are now explicitly ordered before
subsections.
2014-03-31 14:32:44 +02:00
dbd4fc074a
openac: Remove obsolete openac utility
...
The same functionality is now provided by the pki --acert subcommand.
2014-03-31 11:39:25 +02:00
342bc6e545
Disable mandatory ECP support for attestion
2014-03-07 21:56:34 +01:00
bd1c9f1eac
conf: Fix out-of-tree build from distribution
...
It worked from the repository, where strongswan.conf.5.main is generated
in the build dir, but not from the distribution where it is located in
the source dir, so explicitly create it in the source dir.
2014-02-27 12:02:13 +01:00
e1af4d88a6
conf: Ignore generated strongswan.conf.5.main
2014-02-18 10:08:54 +01:00
5645ad2976
conf: Fix installation on FreeBSD
...
Apparently, the -t option for install is not portable.
2014-02-13 13:53:25 +01:00
03650d5a2d
conf: The use of $^ is not portable
...
Generating strongswan.conf.5.main in a subshell gets the file
properly written to the builddir in out-of-tree builds.
2014-02-13 11:47:02 +01:00
efce4559e8
conf: Install config files world-readable but warn about permissions for certain options
2014-02-12 15:16:57 +01:00
5422bb9070
conf: Document variables and config files/dirs
2014-02-12 14:34:34 +01:00
7573a7ed56
conf: Only install config snippets for enabled components
2014-02-12 14:34:34 +01:00
ff94fe157a
conf: Document options of other programs
2014-02-12 14:34:34 +01:00
5ac757872b
conf: Document options of plugins in libpts
2014-02-12 14:34:34 +01:00
bf3f4bf7a2
conf: Document libimcv options
2014-02-12 14:34:34 +01:00
4576f7f960
conf: Document libtnccs options
2014-02-12 14:34:34 +01:00
d56a23c515
conf: Create automatically generated config snippets in build dir
2014-02-12 14:34:34 +01:00
7f535b3938
conf: Install config snippets in /usr/share/strongswan/templates/config too
2014-02-12 14:34:34 +01:00
6a2de77f2e
conf: Only install config snippets if they don't exist yet
2014-02-12 14:34:34 +01:00
fc380b175d
conf: Move load-tester options to plugin specific file
2014-02-12 14:34:34 +01:00
828815b0d8
conf: Options of all plugins documented
...
Some options are still missing descriptions though.
2014-02-12 14:34:34 +01:00
da8b16a160
conf: Add logger example config
2014-02-12 14:34:34 +01:00
5da20b3dc6
conf: Converted charon options
2014-02-12 14:34:33 +01:00
c4bb26b849
conf: Split strongswan.conf(5) man page and use generated snippet
2014-02-12 14:34:33 +01:00
7f62b7d02d
conf: Generate groff snippet for configuration options
2014-02-12 14:34:33 +01:00
91cc523ca7
conf: Generate strongswan.conf(5) man page in different directory
2014-02-12 14:34:33 +01:00
1b98f85821
conf: Generate and install config sippets for option descriptions
...
The strongswan.d directory is also created relative to the configured
location of strongswan.conf.
2014-02-12 14:34:33 +01:00
e90b37b9c3
conf: Script to convert option descriptions to man page and config snippets added
2014-02-12 14:34:33 +01:00
dee50a6046
conf: Create /etc/strongswan.d directory and include .conf files
2014-02-12 14:34:33 +01:00
45e19c7c88
conf: Simplified strongswan.conf template
2014-02-12 14:34:33 +01:00
c75acc4c44
conf: Install strongswan.conf template from a separate directory
2014-02-12 14:34:33 +01:00
Martin Willi