Martin Willi
22e6a06b8c
mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
2015-02-20 13:34:57 +01:00
Martin Willi
349f7f2412
ikev2: Trigger make-before-break reauthentication instead of reauth task
2015-02-20 13:34:57 +01:00
Tobias Brunner
5cc0b23886
mem-pool: Document reassign_online option
2015-02-12 12:17:48 +01:00
Tobias Brunner
8edea13a5a
kernel-netlink: Add missing documentation for two options
2014-12-19 15:36:01 +01:00
Martin Willi
87888f9926
kernel-netlink: Alternatively support global port based IKE bypass policies
The socket based IKE bypass policies are usually superior, but not supported
on all networking stacks. The port based variant uses global policies for the
UDP ports we have IKE sockets for.
2014-11-21 10:55:45 +01:00
Martin Willi
6f9df556ba
conf: Document kernel-netlink retransmission and parallelization options
2014-11-21 10:55:45 +01:00
Tobias Brunner
9d75a28820
ike: Add IKEv2 in description of fragment_size option in strongswan.conf
2014-10-14 15:41:52 +02:00
Tobias Brunner
3633b80147
eap-radius: Add option to set interval for interim accounting updates
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
2014-10-10 09:51:13 +02:00
Tobias Brunner
127a98dc90
ikev1: Move fragment generation to message_t
2014-10-10 09:30:26 +02:00
Martin Willi
b2c1973ffb
ext-auth: Add an ext-auth plugin invoking an external authorization script
Original patch courtesy of Vyronas Tsingaras.
2014-10-06 18:30:46 +02:00
Shea Levy
90fe4b3f8a
starter: Allow specifying the ipsec.conf location in strongswan.conf
2014-10-02 14:33:08 +02:00
Shea Levy
213e02b872
stroke: Allow specifying the ipsec.secrets location in strongswan.conf
2014-10-02 14:31:00 +02:00
Shea Levy
0efea2fd86
Don't fail to install if sysconfdir isn't writable
2014-09-26 10:52:37 +02:00
Martin Willi
e2d9f27c19
systemd: Add a native systemd journal logger
2014-09-22 14:19:37 +02:00
Tobias Brunner
90e6675a65
kernel-netlink: Optionally install protocol and ports on transport mode SAs
2014-09-12 10:45:50 +02:00
Tobias Brunner
47a0e289d9
kernel-netlink: Add global option to configure MSS-clamping on installed routes
2014-09-12 10:13:30 +02:00
Tobias Brunner
c1adf7e0c4
kernel-netlink: Add global option to set MTU on installed routes
2014-09-12 10:13:30 +02:00
Tobias Brunner
33967467e2
conf: Document load-tester.crl option
2014-06-30 13:25:13 +02:00
Tobias Brunner
da7cb76974
conf: Document charon.*-scripts options
2014-06-30 13:25:13 +02:00
Tobias Brunner
38f27e172c
conf: Document swanctl options
2014-06-30 13:25:13 +02:00
Tobias Brunner
4d066ef7fc
conf: Document aikgen options
2014-06-30 13:25:13 +02:00
Tobias Brunner
3986c1e3fd
autoconf: Replace --disable-tools option with --disable-scepclient
Since using a separate option for pki this was the only tool that was still
enabled by that option.
2014-06-30 13:25:13 +02:00
Tobias Brunner
566d1a90cd
Remove kernel-klips plugin
2014-06-19 14:20:33 +02:00
Tobias Brunner
3bf98189d7
kernel-netlink: Follow RFC 6724 when selecting IPv6 source addresses
Instead of using the first address we find on an interface we should
consider properties like an address' scope or whether it is temporary
or public.
Fixes #543.
2014-06-19 14:16:41 +02:00
Andreas Steffen
18ba2a3035
Fixed typo in strongswan.conf
2014-06-05 11:26:54 +02:00
Martin Willi
b70849ada2
configure: Separate pki from --disable-tools
While pki builds and runs just fine on Windows, this is not true for scepclient.
2014-06-04 15:53:08 +02:00
Andreas Steffen
bfd8f8c5fe
Updated IMC/IMV entries in strongswan.conf man page
2014-05-31 20:37:57 +02:00
Tobias Brunner
35952dc13f
conf: Fix sorting of options with Python 3
__cmp__() is not supported anymore with Python 3 and cmp() is deprecated.
Instead rich comparisons should be used (only __lt__() is required for
sorting).
2014-05-13 11:14:44 +02:00
Tobias Brunner
5ee4984da5
conf: print is a function in Python 3
2014-05-13 11:14:43 +02:00
Andreas Steffen
8d59090349
Implemented PT-EAP protocol (RFC 7171)
2014-05-12 06:59:21 +02:00
Andreas Steffen
688b5b99ed
Changed default value to libimcv.imc-attestation.pcr_info = no
2014-05-10 20:08:20 +02:00
Martin Willi
ae98a39e71
conf: Add a format-options --nosort option to keep order of sections as defined
2014-05-07 15:48:17 +02:00
Tobias Brunner
e20deeca77
conf: Properly propagate whether a section is commented or not
2014-05-07 15:48:16 +02:00
Martin Willi
7dbf9e1574
vici: Document strongswan.conf options
2014-05-07 14:13:38 +02:00
Martin Willi
c4c9d291d2
ikev1: Add an option to accept unencrypted ID/HASH payloads
Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in
unencrypted form, probably to allow PSK lookup based on the ID payloads. We
by default reject that, but accept it if the
charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf.
Initial patch courtesy of Paul Stewart.
2014-04-17 08:52:28 +02:00
Andreas Steffen
8c40609f96
Use python-based swidGenerator to generate SWID tags
2014-04-15 09:21:06 +02:00
Andreas Steffen
0bd64fa5bf
Renamed the AIK public key parameter to imc-attestation.aik_pubkey
2014-04-15 09:21:05 +02:00
Andreas Steffen
c54c26dd17
Implemented configurable Device ID in OS IMC
2014-04-15 09:21:05 +02:00
Tobias Brunner
00b91c4325
eap-radius: Add option to not close IKE_SAs on timeouts during interim accounting updates
Fixes #528.
2014-03-31 14:32:44 +02:00
Tobias Brunner
9fa7b03769
conf: Order settings in man page alphabetically
For the config snippets the options are now explicitly ordered before
subsections.
2014-03-31 14:32:44 +02:00
Martin Willi
dbd4fc074a
openac: Remove obsolete openac utility
The same functionality is now provided by the pki --acert subcommand.
2014-03-31 11:39:25 +02:00
Andreas Steffen
342bc6e545
Disable mandatory ECP support for attestation
2014-03-07 21:56:34 +01:00
Tobias Brunner
bd1c9f1eac
conf: Fix out-of-tree build from distribution
It worked from the repository, where strongswan.conf.5.main is generated
in the build dir, but not from the distribution where it is located in
the source dir, so explicitly create it in the source dir.
2014-02-27 12:02:13 +01:00
Tobias Brunner
e1af4d88a6
conf: Ignore generated strongswan.conf.5.main
2014-02-18 10:08:54 +01:00
Tobias Brunner
5645ad2976
conf: Fix installation on FreeBSD
Apparently, the -t option for install is not portable.
2014-02-13 13:53:25 +01:00
Tobias Brunner
03650d5a2d
conf: The use of $^ is not portable
Generating strongswan.conf.5.main in a subshell gets the file
properly written to the builddir in out-of-tree builds.
2014-02-13 11:47:02 +01:00
Tobias Brunner
efce4559e8
conf: Install config files world-readable but warn about permissions for certain options
2014-02-12 15:16:57 +01:00
Tobias Brunner
5422bb9070
conf: Document variables and config files/dirs
2014-02-12 14:34:34 +01:00
Tobias Brunner
7573a7ed56
conf: Only install config snippets for enabled components
2014-02-12 14:34:34 +01:00
Tobias Brunner
ff94fe157a
conf: Document options of other programs
2014-02-12 14:34:34 +01:00
Tobias Brunner
5ac757872b
conf: Document options of plugins in libpts
2014-02-12 14:34:34 +01:00
Tobias Brunner
bf3f4bf7a2
conf: Document libimcv options
2014-02-12 14:34:34 +01:00
Tobias Brunner
4576f7f960
conf: Document libtnccs options
2014-02-12 14:34:34 +01:00
Tobias Brunner
d56a23c515
conf: Create automatically generated config snippets in build dir
2014-02-12 14:34:34 +01:00
Tobias Brunner
7f535b3938
conf: Install config snippets in /usr/share/strongswan/templates/config too
2014-02-12 14:34:34 +01:00
Tobias Brunner
6a2de77f2e
conf: Only install config snippets if they don't exist yet
2014-02-12 14:34:34 +01:00
Tobias Brunner
fc380b175d
conf: Move load-tester options to plugin specific file
2014-02-12 14:34:34 +01:00
Tobias Brunner
828815b0d8
conf: Options of all plugins documented
Some options are still missing descriptions though.
2014-02-12 14:34:34 +01:00
Tobias Brunner
da8b16a160
conf: Add logger example config
2014-02-12 14:34:34 +01:00
Tobias Brunner
5da20b3dc6
conf: Converted charon options
2014-02-12 14:34:33 +01:00
Tobias Brunner
c4bb26b849
conf: Split strongswan.conf(5) man page and use generated snippet
2014-02-12 14:34:33 +01:00
Tobias Brunner
7f62b7d02d
conf: Generate groff snippet for configuration options
2014-02-12 14:34:33 +01:00
Tobias Brunner
91cc523ca7
conf: Generate strongswan.conf(5) man page in different directory
2014-02-12 14:34:33 +01:00
Tobias Brunner
1b98f85821
conf: Generate and install config snippets for option descriptions
The strongswan.d directory is also created relative to the configured
location of strongswan.conf.
2014-02-12 14:34:33 +01:00
Tobias Brunner
e90b37b9c3
conf: Script to convert option descriptions to man page and config snippets added
2014-02-12 14:34:33 +01:00
Tobias Brunner
dee50a6046
conf: Create /etc/strongswan.d directory and include .conf files
2014-02-12 14:34:33 +01:00
Tobias Brunner
45e19c7c88
conf: Simplified strongswan.conf template
2014-02-12 14:34:33 +01:00
Tobias Brunner
c75acc4c44
conf: Install strongswan.conf template from a separate directory
2014-02-12 14:34:33 +01:00