29 Commits

Author SHA1 Message Date
Tobias Brunner 1665a4e050 ikev1: Use actual local identity as initiator or aggressive mode responder
If none is configured, there is a fallback to the IP address, which is
not stored on the static auth config, but is set on the IKE_SA.

Fixes #3394.
2020-05-07 15:05:55 +02:00
Tobias Brunner b8f02fc42d ikev1: Store fallback identity (IP address) on IKE_SA's auth-cfg
The other auth-cfg object is shared via peer-cfg, so we must not
modify it.  It's only stored to simplify memory management.

Fixes #3394.
2020-05-07 15:05:55 +02:00
Josh Soref b3ab7a48cc Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior

Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Thomas Egerer eed20c21d3 ha: Add auth method for HA IKEv1 key derivation
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2018-12-07 10:17:56 +01:00
Tobias Brunner 784d96e031 Fixed some typos, courtesy of codespell 2018-09-17 18:51:44 +02:00
Tobias Brunner 419ae9a20a ikev1: Default remote identity to %any for PSK lookup if not configured
Otherwise, the remote identity is ignored when matching owner identities
of PSKs and this way matching PSKs that explicitly have %any assigned is
improved.

Fixes #2497.
2017-12-22 10:37:32 +01:00
Tobias Brunner e92d8a56b3 ikev1: First do PSK lookups based on identities then fallback to IPs
This provides a solution for configs where there is e.g. a catch-all %any
PSK, while more specific PSKs would be found by the identities of configs
that e.g. use FQDNs as local/remote addresses.

Fixes #2223.
2017-03-20 10:17:56 +01:00
Tobias Brunner 904f93f655 ikev1: Avoid modifying local auth config when detecting pubkey method
If it was necessary to pass the local certificates we could probably
clone the config (but we don't do that either when later looking for the
key to actually authenticate).
Passing auth adds the same subject cert to the config over and over
again (I guess we could also try to prevent that by searching for
duplicates).
2016-03-03 17:26:14 +01:00
Tobias Brunner 47ee60177e ikev1: Pass current auth-cfg when looking for key to determine auth method
If multiple certificates use the same subjects we might choose the wrong
one otherwise. This way we use the one referenced with leftcert and
stored in the auth-cfg and we actually do the same thing later in the
pubkey authenticator.

Fixes #1077.
2015-08-19 17:39:01 +02:00
Martin Willi a777155ffe diffie-hellman: Add a bool return value to set_other_public_value() 2015-03-23 17:54:03 +01:00
Martin Willi 520d58e010 encoding: Allow ke_payload_create_from_diffie_hellman() to fail 2015-03-23 17:54:02 +01:00
Martin Willi 55e85387bb ikev1: Be more verbose if a peer config would match, but is unusable for Mode 2014-09-25 17:21:54 +02:00
Martin Willi 3ecfc83c6b payload: Use common prefixes for all payload type identifiers
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
Tobias Brunner f30962de74 Fixed log message when no shared secret is found during IKEv1 Main Mode 2012-10-29 10:04:37 +01:00
Tobias Brunner 12642a6831 Moved data structures to new collections subfolder 2012-10-24 16:00:49 +02:00
Martin Willi 1323dc1138 Merge branch 'multi-vip'
Brings support for multiple virtual IPs and multiple pools in
left/rightsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
Martin Willi 497ce2cf51 Support multiple address pools configured on a peer_cfg 2012-08-30 16:43:42 +02:00
Martin Willi 101d26babe Support multiple virtual IPs on peer_cfg and ike_sa classes 2012-08-30 16:43:42 +02:00
Tobias Brunner 1184493407 Fall back to local address as IKEv1 identity if nothing else is configured 2012-08-24 12:55:01 +02:00
Martin Willi f701ba8389 Lookup IKEv1 PSK even if the peer identity is not known 2012-07-31 15:39:33 +02:00
Reto Buerki 605985d122 Nonce: Let get_nonce, allocate_nonce return boolean 2012-07-16 14:53:34 +02:00
Martin Willi 523ce7c20c Use received identity to look up PSK as aggressive responder 2012-05-23 12:18:45 +02:00
Tobias Brunner 1a624ff45a Switch to alternative peer config in IKEv1 Main and Aggressive Mode. 2012-05-21 15:49:25 +02:00
Adrian-Ken Rueegsegger afaf1bdf5e Use nonce_gen instead of rng to generate nonces
Replace usage of rng plugin with nonce generator to create nonces in
IKE_INIT, CHILD_CREATE and QUICK_MODE tasks and the IKEv1 phase 1 helper.
2012-05-18 08:15:41 +02:00
Martin Willi 4c685e8850 Select public key auth method by checking what key we have 2012-03-20 17:31:39 +01:00
Martin Willi 23f9e7a18d Pass IKEv1 specific keymat to ike_keys hook 2012-03-20 17:31:37 +01:00
Martin Willi 3624b09e21 Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper 2012-03-20 17:31:37 +01:00
Martin Willi 91c212fd6a Select IKEv1 configurations by main/aggressive mode option 2012-03-20 17:31:34 +01:00
Martin Willi c29a89b80d Implemented a common Phase 1 helper class to use by main and aggressive modes 2012-03-20 17:31:33 +01:00