Tobias Brunner
c9599d4101
proposal: Extract proposal selection code in ike/child_cfg_t
...
Also invert the PREFER_CONFIGURED flag (i.e. make it PREFER_SUPPLIED)
so the default, without flags, is what we preferred so far.
2019-10-24 17:36:33 +02:00
Thomas Egerer
f930b732c4
proposal: Use flags to select/match proposals
...
During proposal selection with ike/child_cfgs a couple of boolean
variables can be set (e.g. private, prefer_self, strip_dh). To simplify
the addition of new parameters, these functions now use a set of flags
instead of individual boolean values.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2019-10-24 17:22:53 +02:00
Tobias Brunner
4899a4c025
aggressive-mode: Trigger alerts for authentication failures
2018-08-31 11:02:43 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
0a954d6789
ike: Add configuration option to switch to preferring supplied proposals over local ones
2016-06-17 18:48:07 +02:00
Tobias Brunner
3a40d572c6
ike-cfg: Add option to prefer supplied proposals over locally configured ones
2016-06-17 18:48:07 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Martin Willi
4f243dfaa9
ikev1: Defer Mode Config push after CHILD adoption when using XAuth
2014-08-25 09:55:44 +02:00
Martin Willi
891bbbd4bb
ikev1: Defer Mode Config push after CHILD adoption and reauth detection
...
When an initiator starts reauthentication on a connection that uses push
mode to assign a virtual IP, we can't execute the Mode Config before releasing
the virtual IP. Otherwise we would request a new and different lease, which
the client probably can't handle. Defer Mode Config execution, so the same IP
gets first released then reassigned during reauthentication.
2014-08-25 09:55:44 +02:00
Martin Willi
3ecfc83c6b
payload: Use common prefixes for all payload type identifiers
...
The old identifiers did not use a proper namespace and often clashed with
other defines.
2014-06-04 15:53:03 +02:00
Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
9e1ce63915
ikev1: Fix config switching due to failed authentication during Aggressive mode
...
The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.
Fixes #501.
2014-02-12 13:53:03 +01:00
Martin Willi
e3311e9b87
ikev1: implement mode config push mode
2013-09-04 10:33:38 +02:00
Tobias Brunner
8a0a1ae857
Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame
2013-03-19 12:00:00 +01:00
Volker Rümelin
0ff8d20a89
Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier
...
This adds support for early versions of the draft that eventually
resulted in RFC 3947.
2012-12-19 11:03:42 +01:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Martin Willi
cd55a3cb77
Use actual daemon name to enable XAuth/PSK with aggressive mode
2012-08-10 11:53:18 +02:00
Martin Willi
9d2968e272
As a responder, don't start a TRANSACTION request if we expect one from the initiator
2012-06-29 13:40:31 +02:00
Martin Willi
8ff45cfd99
Queue a mode config task as responder if we need a virtual IP
2012-06-27 11:42:56 +02:00
Martin Willi
c2a391746c
Add basic support for XAuth responder authentication
2012-06-27 11:42:56 +02:00
Martin Willi
0c32b9c62f
Enforce uniqueids=keep only for non-XAuth Main/Aggressive Modes
2012-06-25 10:18:35 +02:00
Martin Willi
b31a56f128
Require a scary option to respond to Aggressive Mode PSK requests
...
While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
2012-06-14 10:25:48 +02:00
Martin Willi
e5f0f9ff96
Enforce uniqueness policy in IKEv1 main and aggressive modes
2012-06-08 16:15:22 +02:00
Tobias Brunner
647cd741e8
Added support for IKEv1 IPComp proposals in SA payload.
2012-05-24 15:32:28 +02:00
Martin Willi
3c475660c5
Apply IDir before deriving keys as aggressive initiator
2012-05-23 12:27:47 +02:00
Tobias Brunner
1a624ff45a
Switch to alternative peer config in IKEv1 Main and Aggressive Mode.
2012-05-21 15:49:25 +02:00
Martin Willi
7ce504e182
Flush task queues explicitly, not implicitly if task returns ALREADY_DONE
2012-05-21 14:17:09 +02:00
Tobias Brunner
7a56c35fc9
Remove executable flag from source files.
2012-05-18 10:04:08 +02:00
Martin Willi
3624b09e21
Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper
2012-03-20 17:31:37 +01:00
Martin Willi
f420f51f55
Invoke authorization hooks for IKEv1 connections
2012-03-20 17:31:36 +01:00
Martin Willi
2ddd45c9a7
Simplified DPD handling by using a task for a single message only
2012-03-20 17:31:35 +01:00
Clavister OpenSource
3e6b740336
Isakmp_dpd task added.
2012-03-20 17:31:35 +01:00
Martin Willi
37c12bd31e
Streamlined debug output when initiating IKEv1 IKE_SAs
2012-03-20 17:31:34 +01:00
Martin Willi
91c212fd6a
Select IKEv1 configurations by main/aggressive mode option
2012-03-20 17:31:34 +01:00
Martin Willi
ee325b555f
Implemented aggressive mode using Phase 1 helper class
2012-03-20 17:31:33 +01:00