64e68d2298
man: Correct typo in description of closeaction
...
Closes strongswan/strongswan#158 .
2019-10-29 10:50:49 +01:00
e6d17d5613
man: Remove keylife/rekeymargin from ipsec.conf man page
...
We continue to parse them but remove the documentation because mixing the two
sets of keywords in the same config might result in unexpected behavior.
References #2663 .
2018-05-22 14:18:17 +02:00
e698bdea24
man: Fix documentation of pubkey constraints
...
Hash algorithms have to be repeated for multiple key types.
References #2514 .
2018-02-09 10:42:13 +01:00
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
...
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
2269444b56
man: Fix documentation of inbound mark behavior in ipsec.conf(5)
2017-11-02 09:59:38 +01:00
32e5c49234
child-sa: Allow requesting different unique marks for in/out
...
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closes strongswan/strongswan#78 .
2017-08-07 14:22:27 +02:00
4270c8fcb0
stroke: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
46a3f92a76
Add an option to announce support for IKE fragmentation but not sending fragments
2017-05-23 16:41:57 +02:00
11ebba0042
man: Describe the tunneling of several subnets with IKEv1 in more detail
2017-03-23 18:26:54 +01:00
c055c7013e
man: Add note about modeconfig having to match
2017-03-23 18:16:45 +01:00
31456d1f85
man: Describe what happens when a FQDN is specified in left or right
2017-03-20 10:18:51 +01:00
af662a5170
starter: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
bbd4620777
man: Update description of the esp keyword
...
Clarifies how DH groups are applied, updates the proposal selection
description and ESN can now also be configured for IKEv1.
References #1039 .
2016-08-31 11:47:14 +02:00
8e3940f59c
man: Updated default proposals in ipsec.conf(5)
2016-03-11 10:25:06 +01:00
3c23a75120
auth-cfg: Make IKE signature schemes configurable
...
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
45c5b992e0
man: Update description of the actions performed for different dpdaction values
...
For instance, charon does not unroute `auto=route` connections with
`dpdaction=clear`.
2015-11-18 14:55:15 +01:00
4a2e17997f
man: Clarify identity parsing and identity type prefixes
...
References #1028 .
2015-08-17 11:49:04 +02:00
10b5e8bb45
man: Clarification of ah keyword description
2015-05-19 14:02:56 +02:00
a83d1245d8
man: More accurately describe features of the new parser in ipsec.conf(5)
2015-03-20 18:37:22 +01:00
276cf3b725
man: Add documentation about IKEv2 signature schemes
2015-03-04 13:54:12 +01:00
f2e2cce2aa
man: Describe trust chain constraints configuration for EAP methods
2015-03-03 14:08:01 +01:00
cc1682bef9
ipsec-types: Support the %unique mark value
2015-02-20 16:34:53 +01:00
aaf9911aeb
man: Document IKEv2 fragmentation in ipsec.conf(5)
2015-02-10 18:38:54 +01:00
c355e2b2c7
stroke: Add support for address range definitions of in-memory pools
2014-10-30 12:32:45 +01:00
9388bf1363
man: Document identification type prefixes in ipsec.conf(5)
2014-10-30 11:07:10 +01:00
b906d41214
man: Document where left|rightsigkey searches for public key files
2014-07-14 10:58:28 +02:00
8b123d2e4a
man: Document replay_window ipsec.conf option
2014-06-30 14:50:32 +02:00
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
...
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
6956061197
ipsec.conf.5: Note about ICMP[v6] message type/code added
2013-10-17 16:57:39 +02:00
5fdbb3c6ad
ipsec.conf: Add a description for the new 'ah' keyword.
2013-10-11 10:15:22 +02:00
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
6301ec0ac5
man: add support for multiple addresses/ranges/subnets in ipsec.conf left=
2013-09-04 10:38:37 +02:00
16149401e9
man: update ipsec.conf modeconfig keyword
2013-09-04 10:33:38 +02:00
0ceb288815
Fix various API doc issues and typos
...
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
...
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
...
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
e82deaf6ce
Merge branch 'multi-cert'
...
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
a36b49f3cb
Merge branch 'opaque-ports'
...
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
0abeac3a0b
Document ipsec.conf leftprotoport extensions in manpage
2013-02-21 11:52:33 +01:00
88f4cd3988
Add ikedscp documentation to ipsec.conf.5
2013-02-06 15:42:14 +01:00
11a7abf554
Add ipsec.conf.5 updates regarding multiple certificates in leftcert
2013-01-18 09:33:15 +01:00
365d9a6f67
Added an option that allows to force IKEv1 fragmentation
2013-01-12 11:54:32 +01:00
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
f6d8fb3687
Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
2012-10-24 13:07:53 +02:00
05e266ea9d
Add leftcert ipsec.conf.5 documentation about smartcard certificates
2012-10-24 13:07:53 +02:00
5b2e669ba2
Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
2012-10-24 11:49:37 +02:00
55f126fd55
Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
2012-09-18 17:17:48 +02:00
Kenyon Ralph