Tobias Brunner
7313499914
proposal: Add ECC Brainpool DH groups to the default proposal
2013-10-17 13:36:09 +02:00
Tobias Brunner
dd438ee22c
Doxygen fixes
2013-10-15 11:25:55 +02:00
Martin Willi
f0c59e1cf8
proposal: Strip redundant integrity algos for ESP proposals only
2013-10-11 10:15:21 +02:00
Martin Willi
3070697f9f
ike: support multiple addresses, ranges and subnets in IKE address config
...
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
2013-09-04 10:38:37 +02:00
Martin Willi
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
Martin Willi
62282ec0ed
backends: use ike_cfg host matching functions
2013-09-04 10:38:37 +02:00
Martin Willi
6f666192bb
ike-cfg: add methods to match a host against configured local/remote addresses
2013-09-04 10:38:37 +02:00
Martin Willi
e743275cae
ike-cfg: add a method to resolve local/remote hosts with port
2013-09-04 10:38:36 +02:00
Martin Willi
9aeaa7396e
peer-cfg: add a pull/push mode option to use with mode config
2013-09-04 10:33:37 +02:00
Martin Willi
2fa92ad256
proposal: correctly enumerate registered AEADs to build default IKE proposal
...
AEADs are not returned (anymore) with the encryption enumerator.
2013-07-19 15:05:17 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
...
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Martin Willi
c907b57f56
proposal: use array to store proposal list
...
Removes another two linked lists (0.5KB) of memory per IKE/CHILD_SA pair.
2013-07-17 17:20:18 +02:00
Martin Willi
5cd64f979c
proposal: use a single list to store all transforms
...
Beside that it makes the code actually simpler, it reduces the number of lists
stored by each IKE_SA and each CHILD_SA by 4, which can be up to 1KB per SA.
2013-07-17 17:20:17 +02:00
Martin Willi
a485320393
Raise an alert if the responding peer narrowed traffic selectors
2013-06-19 16:11:46 +02:00
Martin Willi
246e2bed1d
Use subset matching instead of is_contained_in() to select a child_cfg
...
If one selector has a wider IP range than the other, but the other has a
wider port/protocol selector than the first one, none is completely contained
in the other. The check for a match using is_contained_in() therefore would
fail. Using get_subset() can handle such cases, fixing configuration selection.
2013-06-13 13:37:50 +02:00
Martin Willi
306a269e34
Add a DSCP configuration value to IKE configs
2013-02-06 15:20:32 +01:00
Tobias Brunner
365d9a6f67
Added an option that allows to force IKEv1 fragmentation
2013-01-12 11:54:32 +01:00
Tobias Brunner
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
Tobias Brunner
eba65182e4
Include 'aggressive' when comparing peer_cfg_t objects
2012-11-07 12:44:58 +01:00
Tobias Brunner
4eba7269b8
proposal_t.strip_dh() takes a DH group to keep, using MODP_NONE will remove all
2012-10-24 16:09:42 +02:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
2e7cc07ecd
Moved host_t and host_resolver_t to a new networking subfolder
2012-10-24 15:06:18 +02:00
Martin Willi
7ee16e4b85
Only add an implicit PRF based on the MAC alg if no PRF given in proposal
2012-10-24 11:49:37 +02:00
Martin Willi
e19b23e0b9
Remove peer_cfg IKE version matching, as it is done in ike_cfg matching
2012-10-24 10:19:33 +02:00
Martin Willi
7910116384
Respect IKE version while selecting an ike_cfg as responder
2012-10-24 10:19:33 +02:00
Martin Willi
1fdd62ffce
Remove version argument on peer_cfg constructor, use ike_cfg version instead
2012-10-24 10:19:33 +02:00
Martin Willi
9fc7cc6f9b
Add IKE version information to ike_cfg_t
2012-10-24 10:18:35 +02:00
Martin Willi
cf62d073f1
Move ike_version_t definition from peer_cfg_t to ike_cfg_t
2012-10-24 10:17:36 +02:00
Tobias Brunner
6676769e8c
Make sure we propose a dynamic TS if we don't have hosts to derive a TS from
...
7ee37114
removed this behavior.
2012-09-21 18:14:17 +02:00
Martin Willi
7ee37114c9
Derive a dynamic TS to multiple virtual IPs
2012-09-18 17:11:03 +02:00
Tobias Brunner
4c57c63062
Added possibility to register custom proposal keywords
...
Keyword lookup and registration are handled via the new lib->proposal object.
2012-09-13 15:44:46 +02:00
Tobias Brunner
995875210a
Removed len argument from proposal_get_token()
...
Also use enumerators instead of lexparser.h to parse proposal strings.
2012-09-13 15:44:01 +02:00
Tobias Brunner
455accc687
Ensure traffic selectors are dynamic before calling set_address() when deriving them
2012-09-12 18:13:47 +02:00
Tobias Brunner
f4cc7ea11b
Add uniqueids=never to ignore INITIAL_CONTACT notifies
...
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
2012-09-10 17:37:18 +02:00
Martin Willi
1323dc1138
Merge branch 'multi-vip'
...
Brings support for multiple virtual IPs and multiple pools in
left/rigthsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
a21fac9a85
Log configured IKE_SA proposals as initiator
2012-08-24 13:43:14 +02:00
Tobias Brunner
d2b4dff5dd
Log configured CHILD_SA proposals as initiator
2012-08-24 13:43:14 +02:00
Adrian-Ken Rueegsegger
9c2f08860d
Add DH group 15 (MODP-3072) to IKE proposal
2012-08-06 11:22:33 +02:00
Martin Willi
1b40b74de0
Pass opaque data to printf hooks and print_in_hook()
2012-07-13 13:23:29 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Tobias Brunner
7a75cae856
Added support for IKEv1 IPComp proposals in proposal substructure.
2012-05-24 15:32:27 +02:00
Andreas Steffen
80c5b17d1a
make IKEv1 DPD timeout configurable in charon
2012-05-17 19:49:22 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Tobias Brunner
bad192069f
Make AES-CMAC actually usable for IKEv2.
2012-04-04 10:51:46 +02:00
Martin Willi
5ce59d4c06
Added an aggressive mode peer_cfg option
2012-03-20 17:31:34 +01:00
Martin Willi
986237603f
Fix ike_version_t enum names
2012-03-20 17:31:29 +01:00
Martin Willi
15a682f4c2
Separated libcharon/sa directory with ikev1 and ikev2 subfolders
2012-03-20 17:31:26 +01:00
Martin Willi
ac009df132
Pass IKE version to peer config enumerator, filter configs
2012-03-20 17:31:25 +01:00