Josh Soref
b3ab7a48cc
Spelling fixes
* accumulating
* acquire
* alignment
* appropriate
* argument
* assign
* attribute
* authenticate
* authentication
* authenticator
* authority
* auxiliary
* brackets
* callback
* camellia
* can't
* cancelability
* certificate
* choinyambuu
* chunk
* collector
* collision
* communicating
* compares
* compatibility
* compressed
* confidentiality
* configuration
* connection
* consistency
* constraint
* construction
* constructor
* database
* decapsulated
* declaration
* decrypt
* derivative
* destination
* destroyed
* details
* devised
* dynamic
* ecapsulation
* encoded
* encoding
* encrypted
* enforcing
* enumerator
* establishment
* excluded
* exclusively
* exited
* expecting
* expire
* extension
* filter
* firewall
* foundation
* fulfillment
* gateways
* hashing
* hashtable
* heartbeats
* identifier
* identifiers
* identities
* identity
* implementers
* indicating
* initialize
* initiate
* initiation
* initiator
* inner
* instantiate
* legitimate
* libraries
* libstrongswan
* logger
* malloc
* manager
* manually
* measurement
* mechanism
* message
* network
* nonexistent
* object
* occurrence
* optional
* outgoing
* packages
* packets
* padding
* particular
* passphrase
* payload
* periodically
* policies
* possible
* previously
* priority
* proposal
* protocol
* provide
* provider
* pseudo
* pseudonym
* public
* qualifier
* quantum
* quintuplets
* reached
* reading
* recommendation to
* recommendation
* recursive
* reestablish
* referencing
* registered
* rekeying
* reliable
* replacing
* representing
* represents
* request
* request
* resolver
* result
* resulting
* resynchronization
* retriable
* revocation
* right
* rollback
* rule
* rules
* runtime
* scenario
* scheduled
* security
* segment
* service
* setting
* signature
* specific
* specified
* speed
* started
* steffen
* strongswan
* subjectaltname
* supported
* threadsafe
* traffic
* tremendously
* treshold
* unique
* uniqueness
* unknown
* until
* upper
* using
* validator
* verification
* version
* version
* warrior
Closes strongswan/strongswan#164.
2020-02-11 18:23:07 +01:00
Tobias Brunner
73ee7b6664
swanctl: Add missing header guards for load commands
2020-01-28 15:29:40 +01:00
Tobias Brunner
91c6387e69
swanctl: Add missing `extern` for `swanctl_dir` variable in header
This clearly never was correct, but didn't cause problems so far.
However, GCC 10 will default to `-fno-common` instead of
`-fcommon` (https://gcc.gnu.org/PR85678), so compilation there fails
with something like:
```
libtool: link: gcc ... -o .libs/swanctl ...
ld: commands/load_authorities.o:strongswan/src/swanctl/./swanctl.h:33:
multiple definition of `swanctl_dir'; commands/load_all.o:strongswan/src/swanctl/./swanctl.h:33: first defined here
```
Fixes: 501bd53a6c
("swanctl: Make credential directories relative to swanctl.conf")
Closes strongswan/strongswan#163.
2020-01-28 15:29:40 +01:00
Martin Willi
026024bc02
swanctl: Include ca_id property in list-conns command
2019-12-06 10:07:46 +01:00
Martin Willi
55fc514ed2
swanctl: Document the remote ca_id option for identity based CA constraints
2019-12-06 10:07:46 +01:00
Tobias Brunner
7cde77c638
swanctl: Document wildcard matching for remote identities
2019-11-12 10:59:38 +01:00
Tobias Brunner
b9949e98c2
Some whitespace fixes
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
Tobias Brunner
b31bff125c
swanctl: Move documentation of if_id_in/out after all mark-related options
Also fix a typo.
2019-04-29 17:38:28 +02:00
Tobias Brunner
c863960eb1
vici: Support initiation of IKE_SAs
The configuration must allow the initiation of a childless IKE_SA (which
is already the case with the default of 'accept').
2019-04-25 15:23:19 +02:00
Tobias Brunner
2889b77da2
vici: Make childless initiation of IKE_SAs configurable
2019-04-25 15:23:19 +02:00
Tobias Brunner
0396969a36
vici: Add support for interface ID configurable on IKE_SA
2019-04-04 09:36:38 +02:00
Tobias Brunner
801a5d3133
kernel-netlink: Don't install routes for CHILD_SAs with interface ID
2019-04-04 09:31:38 +02:00
Tobias Brunner
19b6d9a622
swanctl: Report interface IDs in --list-sas
2019-04-04 09:31:38 +02:00
Tobias Brunner
18ed5a07db
vici: Make interface ID configurable
2019-04-03 12:00:08 +02:00
Tobias Brunner
4ad397ef79
swanctl: Fix documentation of default value of hostaccess
2019-03-07 18:49:29 +01:00
Tobias Brunner
501bd53a6c
swanctl: Make credential directories relative to swanctl.conf
All directories are now considered relative to the loaded swanctl.conf
file, in particular, when loading it from a custom location via --file
argument. The base directory, which is used if no custom location for
swanctl.conf is specified, is now also configurable at runtime via
SWANCTL_DIR environment variable.
Closes strongswan/strongswan#120.
2018-12-14 09:11:14 +01:00
Matt Selsky
b98db90763
swanctl: Fix typos in usage for swanctl rekey/terminate commands
Closes strongswan/strongswan#113.
2018-10-02 09:30:03 +02:00
Tobias Brunner
b01327b5e1
swanctl: Document PPKs
2018-09-18 10:12:45 +02:00
Tobias Brunner
784d96e031
Fixed some typos, courtesy of codespell
2018-09-17 18:51:44 +02:00
Tobias Brunner
0b8d00adaf
counters: Fix exit status in error case
2018-09-17 18:51:42 +02:00
Tobias Brunner
80e8845d36
swanctl: Allow passing a custom config file for each --load* command
Mainly for debugging, but could also be used to e.g. use a separate file
for connections and secrets.
2018-09-11 18:14:45 +02:00
Tobias Brunner
755985867e
swanctl: Report the use of a PPK in --list-sas
If we later decide the PPK_ID would be helpful, printing this on a
separate line would probably make sense.
2018-09-10 18:03:30 +02:00
Tobias Brunner
1fb46f7119
swanctl: Report PPK configuration in --list-conns
2018-09-10 18:03:02 +02:00
Tobias Brunner
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
Tobias Brunner
3703dff2aa
swanctl: Add support for PPKs
2018-09-10 18:03:01 +02:00
Tobias Brunner
8505c28289
swanctl: Add --reauth option to --rekey command
2018-08-31 12:39:46 +02:00
Martin Willi
902dc29f7a
child-sa: Use SA matching mark as SA set mark if the latter is %same
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
2018-08-31 12:26:40 +02:00
Martin Willi
b9aacf9adc
vici: Document kernel requirements for set_mark_in/set_mark_out options
2018-08-31 12:26:40 +02:00
Tobias Brunner
60f7896923
vici: Make in-/outbound marks the SA should set configurable
2018-08-31 12:26:40 +02:00
Tobias Brunner
c993eaf9d1
kernel: Add option to control DS field behavior
2018-08-29 11:36:04 +02:00
Tobias Brunner
dc8b015d78
kernel: Add options to control DF and ECN header bits/fields via XFRM
The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.
Note: This implementation only works with Linux/Netlink/XFRM.
Based on a patch by Markus Sattler.
2018-08-29 11:36:04 +02:00
Tobias Brunner
61c3870bef
conf: Document reference syntax
2018-06-27 14:19:35 +02:00
Andreas Steffen
ef4a63524f
vici: list cert_policy parameter
2018-06-22 10:39:40 +02:00
Tobias Brunner
2c7a4b0704
swanctl: Document new HW offload options/behavior
2018-05-24 10:49:19 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
c057cd26fa
swanctl: Add option to force IKE_SA termination
2018-05-22 10:06:07 +02:00
Andreas Steffen
4eaf08c35b
vici: list-conn reports DPD settings and swanctl displays them
2018-02-15 16:28:06 +01:00
Tobias Brunner
e698bdea24
man: Fix documentation of pubkey constraints
Hash algorithms have to be repeated for multiple key types.
References #2514.
2018-02-09 10:42:13 +01:00
Tobias Brunner
6d98bb926e
swanctl: Allow dots in authority/shared secret/pool names
Use argument evaluation provided by settings_t instead of using strings
to enumerate key/values.
If section names contain dots the latter causes the names to get split
and interpreted as non-existing sections and subsections.
This currently doesn't work for connections and their subsections due to
the recursion.
2017-12-22 10:11:21 +01:00
Tobias Brunner
c87b16d256
swanctl: Add check for conflicting short options
2017-11-13 10:09:41 +01:00
Tobias Brunner
f0c7cbd1d7
swanctl: Properly register --counters command
Use C instead of c, which is already used for --load-conns.
2017-11-13 09:45:14 +01:00
Tobias Brunner
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
Tobias Brunner
052bccfac4
swanctl: Add --counters command
2017-11-08 16:28:28 +01:00
Thomas Egerer
2dad293647
ike: Do not send initial contact only for UNIQUE_NEVER
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-02 10:17:24 +01:00
Tobias Brunner
2d244f178f
vici: Make setting mark on inbound SA configurable
2017-11-02 09:59:38 +01:00
Eyal Birger
32e5c49234
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue, as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
2017-08-07 14:22:27 +02:00
Tobias Brunner
4272a3e9d7
swanctl: Read default socket from swanctl.socket option
Also read from swanctl.plugins.vici.socket so we get
libstrongswan.plugins.vici.socket if it is defined.
Fixes #2372.
2017-07-27 13:22:57 +02:00
Tobias Brunner
ae48325a59
swanctl: Include config snippets from conf.d subdirectory
Fixes #2371.
2017-07-27 13:20:24 +02:00
Tobias Brunner
93e0898f60
swanctl: Document eap_id in remote sections
2017-07-05 18:08:04 +02:00
Tobias Brunner
0afe0eca67
vici: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00