b3ab7a48cc
Spelling fixes
...
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164 .
2020-02-11 18:23:07 +01:00
73ee7b6664
swanctl: Add missing header guards for load commands
2020-01-28 15:29:40 +01:00
91c6387e69
swanctl: Add missing `extern` for `swanctl_dir` variable in header
...
This clearly never was correct, but didn't cause problems so far.
However, GCC 10 will default to `-fno-common` instead of
`-fcommon` (https://gcc.gnu.org/PR85678 ), so compilation there fails
with something like:
```
libtool: link: gcc ... -o .libs/swanctl ...
ld: commands/load_authorities.o:strongswan/src/swanctl/./swanctl.h:33:
multiple definition of `swanctl_dir'; commands/load_all.o:strongswan/src/swanctl/./swanctl.h:33: first defined here
```
Fixes: 501bd53a6cCloses strongswan/strongswan#163 .
2020-01-28 15:29:40 +01:00
026024bc02
swanctl: Include ca_id property in list-conns command
2019-12-06 10:07:46 +01:00
55fc514ed2
swanctl: Document the remote ca_id option for identity based CA constraints
2019-12-06 10:07:46 +01:00
7cde77c638
swanctl: Document wildcard matching for remote identities
2019-11-12 10:59:38 +01:00
b9949e98c2
Some whitespace fixes
...
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
b31bff125c
swanctl: Move documentation of if_id_in/out after all mark-related options
...
Also fix a typo.
2019-04-29 17:38:28 +02:00
c863960eb1
vici: Support initiation of IKE_SAs
...
The configuration must allow the initiation of a childless IKE_SA (which
is already the case with the default of 'accept').
2019-04-25 15:23:19 +02:00
2889b77da2
vici: Make childless initiation of IKE_SAs configurable
2019-04-25 15:23:19 +02:00
0396969a36
vici: Add support for interface ID configurable on IKE_SA
2019-04-04 09:36:38 +02:00
801a5d3133
kernel-netlink: Don't install routes for CHILD_SAs with interface ID
2019-04-04 09:31:38 +02:00
19b6d9a622
swanctl: Report interface IDs in --list-sas
2019-04-04 09:31:38 +02:00
18ed5a07db
vici: Make interface ID configurable
2019-04-03 12:00:08 +02:00
4ad397ef79
swanctl: Fix documentation of default value of hostaccess
2019-03-07 18:49:29 +01:00
501bd53a6c
swanctl: Make credential directories relative to swanctl.conf
...
All directories are now considered relative to the loaded swanctl.conf
file, in particular, when loading it from a custom location via --file
argument. The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.
Closes strongswan/strongswan#120 .
2018-12-14 09:11:14 +01:00
b98db90763
swanctl: Fix typos in usage for swanctl rekey/terminate commands
...
Closes strongswan/strongswan#113 .
2018-10-02 09:30:03 +02:00
b01327b5e1
swanctl: Document PPKs
2018-09-18 10:12:45 +02:00
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
0b8d00adaf
counters: Fix exit status in error case
2018-09-17 18:51:42 +02:00
80e8845d36
swanctl: Allow passing a custom config file for each --load* command
...
Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.
2018-09-11 18:14:45 +02:00
755985867e
swanctl: Report the use of a PPK in --list-sas
...
If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.
2018-09-10 18:03:30 +02:00
1fb46f7119
swanctl: Report PPK configuration in --list-conns
2018-09-10 18:03:02 +02:00
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
3703dff2aa
swanctl: Add support for PPKs
2018-09-10 18:03:01 +02:00
8505c28289
swanctl: Add --reauth option to --rekey command
2018-08-31 12:39:46 +02:00
902dc29f7a
child-sa: Use SA matching mark as SA set mark if the latter is %same
...
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
2018-08-31 12:26:40 +02:00
b9aacf9adc
vici: Document kernel requirements for set_mark_in/set_mark_out options
2018-08-31 12:26:40 +02:00
60f7896923
vici: Make in-/outbound marks the SA should set configurable
2018-08-31 12:26:40 +02:00
c993eaf9d1
kernel: Add option to control DS field behavior
2018-08-29 11:36:04 +02:00
dc8b015d78
kernel: Add options to control DF and ECN header bits/fields via XFRM
...
The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.
Note: This implementation only works with Linux/Netlink/XFRM.
Based on a patch by Markus Sattler.
2018-08-29 11:36:04 +02:00
61c3870bef
conf: Document reference syntax
2018-06-27 14:19:35 +02:00
ef4a63524f
vici: list cert_policy parameter
2018-06-22 10:39:40 +02:00
2c7a4b0704
swanctl: Document new HW offload options/behavior
2018-05-24 10:49:19 +02:00
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
c057cd26fa
swanctl: Add option to force IKE_SA termination
2018-05-22 10:06:07 +02:00
4eaf08c35b
vici: list-conn reports DPD settings and swanctl displays them
2018-02-15 16:28:06 +01:00
e698bdea24
man: Fix documentation of pubkey constraints
...
Hash algorithms have to be repeated for multiple key types.
References #2514 .
2018-02-09 10:42:13 +01:00
6d98bb926e
swanctl: Allow dots in authority/shared secret/pool names
...
Use argument evaluation provided by settings_t instead of using strings
to enumerate key/values.
If section names contain dots the latter causes the names to get split
and interpreted as non-existing sections and subsections.
This currently doesn't work for connections and their subsections due to
the recursion.
2017-12-22 10:11:21 +01:00
c87b16d256
swanctl: Add check for conflicting short options
2017-11-13 10:09:41 +01:00
f0c7cbd1d7
swanctl: Properly register --counters commmand
...
Use C instead of c, which is already used for --load-conns.
2017-11-13 09:45:14 +01:00
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
...
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
052bccfac4
swanctl: Add --counters command
2017-11-08 16:28:28 +01:00
2dad293647
ike: Do not send initial contact only for UNIQUE_NEVER
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-02 10:17:24 +01:00
2d244f178f
vici: Make setting mark on inbound SA configurable
2017-11-02 09:59:38 +01:00
32e5c49234
child-sa: Allow requesting different unique marks for in/out
...
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closes strongswan/strongswan#78 .
2017-08-07 14:22:27 +02:00
4272a3e9d7
swanctl: Read default socket from swanctl.socket option
...
Also read from swanctl.plugins.vici.socket so we get
libstrongswan.plugins.vici.socket if it is defined.
Fixes #2372 .
2017-07-27 13:22:57 +02:00
ae48325a59
swanctl: Include config snippets from conf.d subdirectory
...
Fixes #2371 .
2017-07-27 13:20:24 +02:00
93e0898f60
swanctl: Document eap_id in remote sections
2017-07-05 18:08:04 +02:00
0afe0eca67
vici: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
Josh Soref