Implements simpler routes for passthrough policies on Linux, which
basically act as fallbacks on routes in other routing tables. This way
they require less information (e.g. no interface or source IP) and can
be installed earlier and are not affected by updates.
Closes strongswan/strongswan#165.
Fixes#3118.
Enables us to ignore any future kernel features for routes unless
we actually need to consider them for the source IP routes.
Also enables us to actually really skip IPsec processing for those networks
(because even the routes don't touch those packets). It's more what
users expect.
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
This is mainly an issue on FreeBSD where the current kernel still only
allows the daemon to use reqids < IPSEC_MANUAL_REQID_MAX (0x3fff = 16383).
Fixes#2315.
Charon refuses to make use of algorithms IDs from the private space
for unknown peer implementations [1]. If you chose to ignore and violate
that section of the RFC since you *know* your peers *must* support those
private IDs, there's no way to disable that behavior.
With this commit a strongswan.conf option is introduced which allows to
deliberately ignore parts of section 3.12 from the standard.
[1] http://tools.ietf.org/html/rfc7296#section-3.12
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Doing this for the self-signed check also (i.e. if this and issuer are
the same) is particularly useful if the issuer uses a different key type.
Otherwise, we'd try to verify the signature with an incompatible key
that would result in a log message.
Fixes#3357.
With these changes we return the lifetimes of the actually selected
transform back to the client, which is an issue if the peer uses
different lifetimes for different proposals. We now also return the
correct transform and proposal IDs.
Fixes#3329.
Previously, we simply used the lifetimes of the first
proposal/transform, which is not correct if the initiator uses different
lifetimes in its proposals/transforms.
If an IKE_SA is terminated while a task is active, the delete task is
simply queued (unless the deletion is forced). If the active task times
out before any optional timeout associated with the termination hits, the
IKE_SA previously was reestablished without considering the termination
request.
Fixes#3335.
These Debian package sources have not been updated for years and are
severely out-of-date. Since the Debian packages are properly
maintained nowadays, we don't have to provide our own package sources
to serve as examples.
References #3344.
Also makes it configurable via configure script. Depending on `$datadir` is
not ideal as package maintainers might set that to a custom value. Depending
on `$datarootdir` might have been better, the default if pkg-config fails is
now based on that.
References #3339.
Makes the client's IKE identity configurable in the NM GUI. For PSK
authentication the identity is now configured via that new field
and not the username anymore (old configs still work and are migrated
when edited). The client identity now also defaults to the IP address
if not configured when using EAP/PSK.
Fixes#2581.
With these changes, the NM service should be able to handle
reauthentication (and redirection) by switching to the new IKE_SA and
not considering the old SA going down an error.
Fixes#852.
Adds support for EAP-TLS to the NM plugin. The certificates/key
source (file, smartcard, agent) can now be selected independently of
the authentication method (i.e. for both certificate and EAP-TLS auth).
Fixes#2097.
The code is structured similar to that in the Android client, but two-round
authentication (cert+EAP) is not supported as that might require multiple
secrets ("password" is currently the only secret field used for every
method) and other details are currently missing too (like configurable
client identities).
This adds an optional field to the NM plugin to configure the server
identity, so it can differ from the address or certificate subject,
which are used by default.
It also updates the Glade file to GTK+ 3.2.
Closesstrongswan/strongswan#57.
Tobias Brunner