Martin Willi
79d6fc7f72
Renamed ike_natd_v1 to isakmp_natd
2012-03-20 17:31:26 +01:00
Martin Willi
824dc0adad
Renamed ike_cert_pre_v1 to isakmp_cert_pre
2012-03-20 17:31:26 +01:00
Martin Willi
0aa2af5efc
Renamed ike_cert_post_v1 to isakmp_cert_post
2012-03-20 17:31:26 +01:00
Martin Willi
ef175c92d9
Initiate IKE_ANY configurations with IKEv2
2012-03-20 17:31:25 +01:00
Martin Willi
53816600ff
Added a quick_delete task flag to enforce delete, even if CHILD_SA not found
2012-03-20 17:31:24 +01:00
Martin Willi
b24b73b7f3
Flush auth configs, if enabled, for both IKEv1 and IKEv2
2012-03-20 17:31:23 +01:00
Martin Willi
c459dae556
Use IKEv1 specific tasks to close Quick Mode SAs
2012-03-20 17:31:22 +01:00
Martin Willi
5f23be840b
Use the IKEv1 specific delete in IKEv1 SAs
2012-03-20 17:31:22 +01:00
Martin Willi
69adeb5bf2
Replace xauth_request task with a new stub where we reimplement it
2012-03-20 17:31:15 +01:00
Martin Willi
c64a4b4f8e
Implemented post-authentication certificate handling for IKEv1
2012-03-20 17:31:13 +01:00
Martin Willi
0bcdb8e571
Implemented pre-authentication certificate handling for IKEv1
2012-03-20 17:31:13 +01:00
Tobias Brunner
1cc4ec46cf
Task added for IKEv1 NAT detection.
There is already support for both Main and Aggressive Mode.
2012-03-20 17:31:10 +01:00
Clavister OpenSource
02c36eeb86
IKEv1 XAuth: Adding "initiate" flag parameter to the initiate_xauth method, signalling whether or not to call the task_manager->initiate method after queueing the task.
2012-03-20 17:31:10 +01:00
Clavister OpenSource
65359ccbbc
IKEv1 XAuth: Add "initiate xauth" method, which adds the xauth task into the queue for initiation.
2012-03-20 17:31:09 +01:00
Tobias Brunner
68c6863bbb
Moved main part of message processing to task managers.
This will allow individual error handling for each IKE version and should
allow better handling of IKEv1 retransmits.
2012-03-20 17:31:08 +01:00
Tobias Brunner
44ff1153e8
Added ike_sa_t.set_statistic to set timestamps from task manager.
2012-03-20 17:31:08 +01:00
Clavister OpenSource
e63cb7f816
Revert "IKEv1 XAuth: Temporarily add an "initiate_later" flag to the task manager. When set to TRUE it will cause "initiate" to be called when the current process_response call is finished. This change should be reverted once we have a better method in place."
This reverts commit c6c28f4ac522dd8afb457847bca79eee77f78706.
Revert "IKEv1 XAuth: Added temporary "initiate_xauth" public method to ike_sa_t. This allows us to initiate an XAuth password authentication exchange after responding to the final message of Main Mode. This change should be reverted once we have a better method to initiate this exchange."
This reverts commit 5529dc50477e25df9dd5f3c442bb1521c0baf225.
2012-03-20 17:31:07 +01:00
Martin Willi
a2f8fc9711
Use a dedicated IKEv1 vendor ID task to fix using IKEv2 payloads in IKEv1
2012-03-20 17:31:07 +01:00
Martin Willi
d08269c700
Added a get_rekey/reauth_time() jitter parameter to get time without randomization
2012-03-20 17:30:52 +01:00
Clavister OpenSource
e3bb68841a
IKEv1 XAuth: Added temporary "initiate_xauth" public method to ike_sa_t. This allows us to initiate an XAuth password authentication exchange after responding to the final message of Main Mode. This change should be reverted once we have a better method to initiate this exchange.
2012-03-20 17:30:51 +01:00
Martin Willi
384c1a32a2
XAUTH is initiated based on configuration, no need to call externally
2012-03-20 17:30:49 +01:00
Clavister OpenSource
df99e976be
Temp fix for compile error with XAUTH code.
2012-03-20 17:30:49 +01:00
Clavister OpenSource
23f4e4b42d
IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
2012-03-20 17:30:49 +01:00
Martin Willi
17ec1c74de
Don't compare initiator flag in IKE_SA manager, pass initiator parameter to IKE_SA constructor
2012-03-20 17:30:47 +01:00
Tobias Brunner
0cec72df40
Provide keymat_t to message_t to encrypt/decrypt data.
2012-03-20 17:30:45 +01:00
Martin Willi
a09972df2b
Added a generic TASK_ prefix to all task types
2012-03-20 17:30:45 +01:00
Martin Willi
744c080153
Initiate and respond to quick mode task (stub)
2012-03-20 17:30:45 +01:00
Martin Willi
26b55dc6c8
Implemented first two exchanges of Main Mode as initiator
2012-03-20 17:30:43 +01:00
Tobias Brunner
273f2f8054
Added factory function to create task_manager_t implementations.
2012-03-20 17:30:43 +01:00
Tobias Brunner
4b64a1a17d
Added factory function to create keymat_t implementations.
2012-03-20 17:30:43 +01:00
Tobias Brunner
0b611540ef
Store IKE version of an SA on ike_sa_t.
2012-03-20 17:30:43 +01:00
Tobias Brunner
6ab936f046
Use keymat_t as common interface, renamed current implementation to _v2.
2012-03-20 17:30:42 +01:00
Martin Willi
e69f7dcddf
Use task manager as generic interface, renamed implementation to _v2.
2012-03-20 17:30:41 +01:00
Tobias Brunner
4ed52db2bb
Allow creation of message_t objects for IKEv1 packets.
2012-03-20 17:30:40 +01:00
Tobias Brunner
72b2811204
Simplified some route lookups now that we store all peer addresses in a list.
2012-03-09 10:22:21 +01:00
Tobias Brunner
94bbc60256
Renamed list of additional peer addresses as it now stores all known addresses.
2012-03-09 10:17:42 +01:00
Martin Willi
4d7a2128b6
Re-resolve hosts on additional keyingtries
2012-03-06 16:05:28 +01:00
Martin Willi
fbaf5cd213
Be a little more verbose before starting IKE_SA reauthentication
2012-03-05 18:06:14 +01:00
Martin Willi
a07b69734b
Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively
2012-03-05 18:06:14 +01:00
Martin Willi
bdcf441703
Set hard timeouts when setting a lifetime
2012-03-05 18:06:13 +01:00
Martin Willi
e9fcf1c6cc
Fix IKE_SA timeout debug output on 64bit platforms
2012-03-05 18:06:13 +01:00
Martin Willi
85dd6a8deb
Trigger DPD not before IKE_SA state gets updated
2012-02-02 10:35:50 +01:00
Martin Willi
916cdca851
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-02-02 10:34:04 +01:00
Thomas Egerer
dbd2169569
Change order of destroy/get_ref function calls
Since DESTROY_IF might destroy the peer_cfg, a get_ref on a freed object
is subject to fail.
2011-11-04 11:11:17 +01:00
Tobias Brunner
7ab19d571d
Throw an alert when the peer address cannot be resolved during initiation.
2011-08-12 09:59:27 +02:00
Tobias Brunner
5baaaa5ed5
Properly initialize ike_sa_t.
2011-08-01 13:08:15 +02:00
Martin Willi
5d6b981572
Inherit authentication information during IKE_SA rekeying
2011-07-25 14:19:17 +02:00
Tobias Brunner
f3bb1bd039
Fixed common misspellings.
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
Tobias Brunner
572abc6cbd
Replaced ike_sa_t.create_additional_address_iterator with enumerator.
2011-07-06 09:43:45 +02:00
Tobias Brunner
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows removing a CHILD_SA.
2011-07-06 09:43:45 +02:00
Tobias Brunner
e26304348c
Replaced simple iterator usages.
2011-07-06 09:43:45 +02:00
Martin Willi
a4c040d536
Added strongswan.conf option to override half open IKE_SA timeout
2011-05-16 15:24:15 +02:00
Tobias Brunner
68447302d6
Typo fixed.
2011-04-28 12:50:30 +02:00
Martin Willi
3ced6b51e4
Move establish/inherit of rekeyed IKE_SAs to delete messages
Having the inherit() function delayed to the IKE_SA establish procedure
was problematic. The task destroy function was never a good place and
results in locking/cleanup problems. After establishing the SA, it
should be really checked in ASAP to avoid any triggered DPD checks
to get lost.
2011-03-15 15:20:09 +01:00
Martin Willi
e44ebdcfc8
Slightly change IKE_SA destruction order to inherit properly during ike_rekey task destruction
2011-02-28 10:31:36 +00:00
Martin Willi
2082417df3
Force port update as responder when initiator switches to 4500 in IKE_AUTH
2011-01-12 14:37:15 +01:00
Martin Willi
9ca5d0280e
Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice
2011-01-05 16:45:52 +01:00
Martin Willi
c67de660d2
Move critical bit checking to ike_sa, notify payload includes unsupported payload type
2011-01-05 16:45:44 +01:00
Martin Willi
89fda1abb5
Moved message()-hook invocation to generate_message(), catch pre-generated IKE_SA_INITs, too
2011-01-05 16:45:41 +01:00
Martin Willi
6c2d466b90
Support manually triggered DPD check, even if DPD disabled in config
2011-01-05 16:45:40 +01:00
Tobias Brunner
5774408898
Change behavior of responder during roaming.
If the current source address is not available anymore, the responder
uses ike_mobike_t.roam, thus, uses multiple address combinations when
trying to notify the initiator.
2010-10-12 11:11:05 +02:00
Tobias Brunner
261b2572d1
Send list of additional addresses even if current path is still valid.
2010-10-12 11:11:05 +02:00
Tobias Brunner
bab56a4abb
Extracted path checking in ike_sa_t.roam into separate functions.
2010-10-12 11:11:05 +02:00
Tobias Brunner
13876431d6
Explicitly configure MOBIKE tasks to update the list of additional addresses.
2010-10-12 11:11:05 +02:00
Tobias Brunner
cd26eedc5c
Do not update hosts based on retransmitted messages.
2010-10-12 11:11:04 +02:00
Tobias Brunner
d5bd775126
Do not update remote host if we are behind a NAT.
2010-10-12 11:11:04 +02:00
Tobias Brunner
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
Tobias Brunner
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
Tobias Brunner
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
Tobias Brunner
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
Tobias Brunner
277f02ce9e
Slightly refactored port floating.
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
2010-08-30 13:42:58 +02:00
Martin Willi
b519071299
Use AEAD wrapper for encryption payload encryption/decryption
2010-08-19 19:02:33 +02:00
Martin Willi
02571374c4
Recreate IKE_SA_INIT related tasks only if they have completed
2010-06-30 13:48:47 +02:00
Martin Willi
550d9085fa
Flush auth configs, create new keymat during SA reset
2010-06-07 14:59:39 +02:00
Martin Willi
dbdb69f908
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH
2010-06-07 14:58:57 +02:00
Martin Willi
ea340ee840
Wrap task enumerator in ike_sa
2010-06-07 11:37:55 +02:00
Martin Willi
8bced61b76
Migrated ike_sa_t to INIT/METHOD macros
2010-06-07 09:30:27 +00:00
Martin Willi
fe02d99b96
Use wrapped getters for close/dpd action
2010-06-02 11:48:51 +02:00
Martin Willi
84aa96e5f5
Invoke updown hook if IKE_SA delete is enforced in deleting state
2010-04-06 12:11:28 +02:00
Martin Willi
045833c79d
Release virtual IPs with the same identity as we acquired it
2010-03-25 14:29:10 +01:00
Tobias Brunner
58f86d0f0f
Changed all usages of lib->attributes to hydra->attributes.
2010-03-24 18:54:26 +01:00
Tobias Brunner
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00