Tobias Brunner
1665a4e050
ikev1: Use actual local identity as initiator or aggressive mode responder
If none is configured, there is a fallback to the IP address, which is
not stored on the static auth config, but is set on the IKE_SA.
Fixes #3394.
2020-05-07 15:05:55 +02:00
Tobias Brunner
b8f02fc42d
ikev1: Store fallback identity (IP address) on IKE_SA's auth-cfg
The other auth-cfg object is shared via peer-cfg, so we must not
modify it. It's only stored to simplify memory management.
Fixes #3394.
2020-05-07 15:05:55 +02:00
Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Thomas Egerer
eed20c21d3
ha: Add auth method for HA IKEv1 key derivation
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2018-12-07 10:17:56 +01:00
Tobias Brunner
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
Tobias Brunner
419ae9a20a
ikev1: Default remote identity to %any for PSK lookup if not configured
Otherwise, the remote identity is ignored when matching owner identities
of PSKs and this way matching PSKs that explicitly have %any assigned is
improved.
Fixes #2497.
2017-12-22 10:37:32 +01:00
Tobias Brunner
e92d8a56b3
ikev1: First do PSK lookups based on identities then fallback to IPs
This provides a solution for configs where there is e.g. a catch-all %any
PSK, while more specific PSKs would be found by the identities of configs
that e.g. use FQDNs as local/remote addresses.
Fixes #2223.
2017-03-20 10:17:56 +01:00
Tobias Brunner
904f93f655
ikev1: Avoid modifying local auth config when detecting pubkey method
If it was necessary to pass the local certificates we could probably
clone the config (but we don't do that either when later looking for the
key to actually authenticate).
Passing auth adds the same subject cert to the config over and over
again (I guess we could also try to prevent that by searching for
duplicates).
2016-03-03 17:26:14 +01:00
Tobias Brunner
47ee60177e
ikev1: Pass current auth-cfg when looking for key to determine auth method
If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.
Fixes #1077.
2015-08-19 17:39:01 +02:00
Martin Willi
a777155ffe
diffie-hellman: Add a bool return value to set_other_public_value()
2015-03-23 17:54:03 +01:00
Martin Willi
520d58e010
encoding: Allow ke_payload_create_from_diffie_hellman() to fail
2015-03-23 17:54:02 +01:00
Martin Willi
55e85387bb
ikev1: Be more verbose if a peer config would match, but is unusable for Mode
2014-09-25 17:21:54 +02:00
Martin Willi
3ecfc83c6b
payload: Use common prefixes for all payload type identifiers
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
Tobias Brunner
f30962de74
Fixed log message when no shared secret is found during IKEv1 Main Mode
2012-10-29 10:04:37 +01:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Martin Willi
1323dc1138
Merge branch 'multi-vip'
Brings support for multiple virtual IPs and multiple pools in
left/rightsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
1184493407
Fall back to local address as IKEv1 identity if nothing else is configured
2012-08-24 12:55:01 +02:00
Martin Willi
f701ba8389
Lookup IKEv1 PSK even if the peer identity is not known
2012-07-31 15:39:33 +02:00
Reto Buerki
605985d122
Nonce: Let get_nonce, allocate_nonce return boolean
2012-07-16 14:53:34 +02:00
Martin Willi
523ce7c20c
Use received identity to look up PSK as aggressive responder
2012-05-23 12:18:45 +02:00
Tobias Brunner
1a624ff45a
Switch to alternative peer config in IKEv1 Main and Aggressive Mode.
2012-05-21 15:49:25 +02:00
Adrian-Ken Rueegsegger
afaf1bdf5e
Use nonce_gen instead of rng to generate nonces
Replace usage of rng plugin with nonce generator to create nonces in
IKE_INIT, CHILD_CREATE and QUICK_MODE tasks and the IKEv1 phase 1 helper.
2012-05-18 08:15:41 +02:00
Martin Willi
4c685e8850
Select public key auth method by checking what key we have
2012-03-20 17:31:39 +01:00
Martin Willi
23f9e7a18d
Pass IKEv1 specific keymat to ike_keys hook
2012-03-20 17:31:37 +01:00
Martin Willi
3624b09e21
Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
2012-03-20 17:31:37 +01:00
Martin Willi
91c212fd6a
Select IKEv1 configurations by main/aggressive mode option
2012-03-20 17:31:34 +01:00
Martin Willi
c29a89b80d
Implemented a common Phase 1 helper class to use by main and aggressive modes
2012-03-20 17:31:33 +01:00