79d6fc7f72
Renamed ike_natd_v1 to isakmp_natd
2012-03-20 17:31:26 +01:00
824dc0adad
Renamed ike_cert_pre_v1 to isakmp_cert_pre
2012-03-20 17:31:26 +01:00
0aa2af5efc
Renamed ike_cert_post_v1 to isakmp_cert_post
2012-03-20 17:31:26 +01:00
ef175c92d9
Initiate IKE_ANY configurations with IKEv2
2012-03-20 17:31:25 +01:00
53816600ff
Added a quick_delete task flag to enforce delete, even if CHILD_SA not found
2012-03-20 17:31:24 +01:00
b24b73b7f3
Flush auth configs, if enabled, for both IKEv1 and IKEv2
2012-03-20 17:31:23 +01:00
c459dae556
Use IKEv1 specific tasks to close Quick Mode SAs
2012-03-20 17:31:22 +01:00
5f23be840b
Use the IKEv1 specific delete in IKEv1 SAs
2012-03-20 17:31:22 +01:00
69adeb5bf2
Replace xauth_request task with a new stub where we reimplement it
2012-03-20 17:31:15 +01:00
c64a4b4f8e
Implemented post-authentication certificate handling for IKEv1
2012-03-20 17:31:13 +01:00
0bcdb8e571
Implemented pre-authentication certificate handling for IKEv1
2012-03-20 17:31:13 +01:00
1cc4ec46cf
Task added for IKEv1 NAT detection.
...
There is already support for both Main and Aggressive Mode.
2012-03-20 17:31:10 +01:00
02c36eeb86
IKEv1 XAuth: Adding "initiate" flag parameter to the initiate_xauth method, signalling whether or not to call the task_manager->initiate method after queueing the task.
2012-03-20 17:31:10 +01:00
65359ccbbc
IKEv1 XAuth: Add "initiate xauth" method, which adds the xauth task into the queue for initiation.
2012-03-20 17:31:09 +01:00
68c6863bbb
Moved main part of message processing to task managers.
...
This will allow individual error handling for each IKE version and should
allow better handling of IKEv1 retransmits.
2012-03-20 17:31:08 +01:00
44ff1153e8
Addded ike_sa_t.set_statistic to set timestamps from task manager.
2012-03-20 17:31:08 +01:00
e63cb7f816
Revert "IKEv1 XAuth: Temporarilty add an "initiate_later" flag to the task manager. When set to TRUE it will cause "initiate" to be called when the current process_response call is finished. This change should be reverted once we have a better method in place."
...
This reverts commit c6c28f4ac522dd8afb457847bca79eee77f78706.
Revert "IKEv1 XAuth: Added temporary "initiate_xauth" public method to ike_sa_t. This allows us to initiate an XAuth password authentication exchange after responding to the final message of Main Mode. This change should be reverted once we have a better method to initiate this exchange."
This reverts commit 5529dc50477e25df9dd5f3c442bb1521c0baf225.
2012-03-20 17:31:07 +01:00
a2f8fc9711
Use a dedicated IKEv1 vendor ID task to fix using IKEv2 payloads in IKEv1
2012-03-20 17:31:07 +01:00
d08269c700
Added a get_rekey/reauth_time() jitter parameter to get time without randomization
2012-03-20 17:30:52 +01:00
e3bb68841a
IKEv1 XAuth: Added temporary "initiate_xauth" public method to ike_sa_t. This allows us to initiate an XAuth password authentication exchange after responding to the final message of Main Mode. This change should be reverted once we have a better method to initiate this exchange.
2012-03-20 17:30:51 +01:00
384c1a32a2
XAUTH is initiated based on configuration, no need to call externally
2012-03-20 17:30:49 +01:00
df99e976be
Temp fix for compile error with XAUTH code.
2012-03-20 17:30:49 +01:00
23f4e4b42d
IKEv1 XAUTH: Added ability to configure XAUTH+PSK. Added task to handle XAUTH requests. Modified task_manager_v1 to enable it to initiate new tasks immediately after finishing a response.
2012-03-20 17:30:49 +01:00
17ec1c74de
Don't compare initiator flag in IKE_SA manager, pass initiator parameter to IKE_SA constructor
2012-03-20 17:30:47 +01:00
0cec72df40
Provide keymat_t to message_t to encrypt/decrypt data.
2012-03-20 17:30:45 +01:00
a09972df2b
Added a generic TASK_ prefix to all task types
2012-03-20 17:30:45 +01:00
744c080153
Initiate and respond to quick mode task (stub)
2012-03-20 17:30:45 +01:00
26b55dc6c8
Implemented first two exchanges of Main Mode as initiator
2012-03-20 17:30:43 +01:00
273f2f8054
Added factory function to create task_manager_t implementations.
2012-03-20 17:30:43 +01:00
4b64a1a17d
Added factory function to create keymat_t implementations.
2012-03-20 17:30:43 +01:00
0b611540ef
Store IKE version of an SA on ike_sa_t.
2012-03-20 17:30:43 +01:00
6ab936f046
Use keymat_t as common interface, renamed current implementation to _v2.
2012-03-20 17:30:42 +01:00
e69f7dcddf
Use task manager as generic interface, renamed implementation to _v2.
2012-03-20 17:30:41 +01:00
4ed52db2bb
Allow creation of message_t objects for IKEv1 packets.
2012-03-20 17:30:40 +01:00
72b2811204
Simplified some route lookups now that we store all peer addresses in a list.
2012-03-09 10:22:21 +01:00
94bbc60256
Renamed list of additional peer addresses as it now stores all known addresses.
2012-03-09 10:17:42 +01:00
4d7a2128b6
Re-resolve hosts on additional keyingtries
2012-03-06 16:05:28 +01:00
fbaf5cd213
Be a little more verbose before starting IKE_SA reauthentication
2012-03-05 18:06:14 +01:00
a07b69734b
Send an AUTH_LIFETIME update after updating the lifetime, but can not reauth actively
2012-03-05 18:06:14 +01:00
bdcf441703
Set hard timeouts when setting a lifetime
2012-03-05 18:06:13 +01:00
e9fcf1c6cc
Fix IKE_SA timeout debug output on 64bit platforms
2012-03-05 18:06:13 +01:00
85dd6a8deb
Trigger DPD not before IKE_SA state gets updated
2012-02-02 10:35:50 +01:00
916cdca851
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-02-02 10:34:04 +01:00
dbd2169569
Change order of destroy/get_ref function calls
...
Since DESTROY_IF might destroy the peer_cfg, a get_ref on a freed object
is subject to fail.
2011-11-04 11:11:17 +01:00
7ab19d571d
Throw an alert when the peer address cannot be resolved during initiation.
2011-08-12 09:59:27 +02:00
5baaaa5ed5
Properly initialize ike_sa_t.
2011-08-01 13:08:15 +02:00
5d6b981572
Inherit authentication information during IKE_SA rekeying
2011-07-25 14:19:17 +02:00
f3bb1bd039
Fixed common misspellings.
...
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
572abc6cbd
Replaced ike_sa_t.create_additional_address_iterator with enumerator.
2011-07-06 09:43:45 +02:00
4bbce1ef37
Replaced ike_sa_t.create_child_sa_iterator with enumerator.
...
This required two new methods on ike_sa_t. One returns the number of
CHILD_SAs and one allows to remove a CHILD_SA.
2011-07-06 09:43:45 +02:00
e26304348c
Replaced simple iterator usages.
2011-07-06 09:43:45 +02:00
a4c040d536
Added strongswan.conf option to override half open IKE_SA timeout
2011-05-16 15:24:15 +02:00
68447302d6
Typo fixed.
2011-04-28 12:50:30 +02:00
3ced6b51e4
Move establish/inherit of rekeyed IKE_SAs to delete messages
...
Having the inherit() function delayed to the IKE_SA establish procedure
was problematic. The task destroy function was never a good place and
results in locking/cleanup problems. After establishing the SA, it
should be really checked in ASAP to avoid any triggered DPD checks
to get lost.
2011-03-15 15:20:09 +01:00
e44ebdcfc8
Slightly change IKE_SA destruction order to inherit properly during ike_rekey task destruction
2011-02-28 10:31:36 +00:00
2082417df3
Force port update as responder when initiator switches to 4500 in IKE_AUTH
2011-01-12 14:37:15 +01:00
9ca5d0280e
Moved check if packet already encoded to ike_sa, avoids message() hook invocation twice
2011-01-05 16:45:52 +01:00
c67de660d2
Move critical bit checking to ike_sa, notify payload includes unsupported payload type
2011-01-05 16:45:44 +01:00
89fda1abb5
Moved message()-hook invocation to generate_message(), catch pre-generated IKE_SA_INITs, too
2011-01-05 16:45:41 +01:00
6c2d466b90
Support manually triggerd DPD check, even if DPD disabled in config
2011-01-05 16:45:40 +01:00
5774408898
Change behavior of responder during roaming.
...
If the current source address is not available anymore, the responder
uses ike_mobike_t.roam, thus, uses multiple address combinations when
trying to notify the initiator.
2010-10-12 11:11:05 +02:00
261b2572d1
Send list of additional addresses even if current path is still valid.
2010-10-12 11:11:05 +02:00
bab56a4abb
Extracted path checking in ike_sa_t.roam into separate functions.
2010-10-12 11:11:05 +02:00
13876431d6
Explicitly configure MOBIKE tasks to update the list of additional addresses.
2010-10-12 11:11:05 +02:00
cd26eedc5c
Do not update hosts based on retransmitted messages.
2010-10-12 11:11:04 +02:00
d5bd775126
Do not update remote host if we are behind a NAT.
2010-10-12 11:11:04 +02:00
bb381e26c6
Refer to scheduler and processor via lib and not hydra.
2010-09-02 19:04:18 +02:00
f6659688ab
Refer to kernel interface via hydra and not charon.
2010-09-02 19:01:25 +02:00
61e8e73206
Refer to scheduler via hydra and not charon.
2010-09-02 19:01:24 +02:00
c5f7146b17
Refer to processor via hydra and not charon.
2010-09-02 19:01:22 +02:00
277f02ce9e
Slightly refactored port floating.
...
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
2010-08-30 13:42:58 +02:00
b519071299
Use AEAD wrapper for encryption payload encryption/decryption
2010-08-19 19:02:33 +02:00
02571374c4
Recreate IKE_SA_INIT related tasks only if they have completed
2010-06-30 13:48:47 +02:00
550d9085fa
Flush auth configs, create new keymat during SA reset
2010-06-07 14:59:39 +02:00
dbdb69f908
Recreate IKE_INIT/IKE_NATD/IKE_VENDOR tasks if we reset SA during IKE_AUTH
2010-06-07 14:58:57 +02:00
ea340ee840
Wrap task enumerator in ike_sa
2010-06-07 11:37:55 +02:00
8bced61b76
Migrated ike_sa_t to INIT/METHOD macros
2010-06-07 09:30:27 +00:00
fe02d99b96
Use wrapped getters for close/dpd action
2010-06-02 11:48:51 +02:00
84aa96e5f5
Invoke updown hook if IKE_SA delete is enforced in deleting state
2010-04-06 12:11:28 +02:00
045833c79d
Release virtual IPs with the same identity as we acquired it
2010-03-25 14:29:10 +01:00
58f86d0f0f
Changed all usages of lib->attributes to hydra->attributes.
2010-03-24 18:54:26 +01:00
08c5572602
Moving charon to libcharon.
2010-03-19 13:34:52 +01:00
Martin Willi