Tobias Brunner
6ecf1aab35
unbound: Add support for DLV (DNSSEC Lookaside Validation)
Fixes #392.
2013-10-11 15:45:25 +02:00
Tobias Brunner
eeb34af069
kernel-libipsec: Add an option to allow remote TS to match the IKE peer
Setting the fwmark options for the kernel-netlink and socket-default
plugins allows this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
2013-10-11 15:32:44 +02:00
Tobias Brunner
80f8b3a6d8
socket-default: Allow setting firewall mark on outbound packets
2013-10-11 15:32:44 +02:00
Tobias Brunner
51fefe4606
kernel-netlink: Allow setting firewall marks on routing rule
2013-10-11 15:32:44 +02:00
Martin Willi
5fdbb3c6ad
ipsec.conf: Add a description for the new 'ah' keyword.
2013-10-11 10:15:22 +02:00
Tobias Brunner
3e3db3743e
xauth-pam: Make trimming of email addresses optional
Fixes #430.
2013-10-04 10:49:54 +02:00
Ansis Atteka
255b9dac5d
kernel-netlink: Allow to override xfrm_acq_expires value
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
2013-09-23 10:45:14 +02:00
Tobias Brunner
b07aee496a
strongswan.conf: Use configured piddir for UNIX sockets
2013-09-13 14:32:51 +02:00
Tobias Brunner
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
Andreas Steffen
ae32172619
Make SWID directory where tags are stored configurable
2013-09-05 12:25:02 +02:00
Martin Willi
6301ec0ac5
man: add support for multiple addresses/ranges/subnets in ipsec.conf left=
2013-09-04 10:38:37 +02:00
Martin Willi
16149401e9
man: update ipsec.conf modeconfig keyword
2013-09-04 10:33:38 +02:00
Andreas Steffen
0d9e375193
Selectively enable PT-TLS and/or RADIUS sockets in tnc-pdp plugin
2013-08-26 20:36:07 +02:00
Andreas Steffen
12b3db5006
moved tnc_imv plugin to libtnccs thanks to recommendation callback function
2013-08-15 23:34:22 +02:00
Andreas Steffen
9d8c28e2f5
Documented plugin move from libcharon to libtnccs in strongswan.conf
2013-08-15 23:34:22 +02:00
Andreas Steffen
f5b5d262e8
Add PT-TLS interface to strongSwan PDP
2013-08-15 23:34:22 +02:00
Tobias Brunner
e99cfe5f20
strongswan.conf: Add note about reserved threads
2013-08-07 09:06:01 +02:00
Tobias Brunner
3021139f6f
strongswan.conf: Moved some stuff around
2013-07-23 12:23:05 +02:00
Tobias Brunner
2ed8b36a8a
strongswan.conf: Add missing options
2013-07-22 17:46:41 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Tobias Brunner
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
Tobias Brunner
baa6419ec1
kernel-pfroute: Make time that is waited for VIPs to appear configurable
One second might be too short for IPs to appear/disappear, especially on
virtualized hosts.
2013-07-17 17:45:17 +02:00
Tobias Brunner
598bec78fa
socket-default: Add options to disable address families
2013-07-05 09:48:27 +02:00
Tobias Brunner
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
Tobias Brunner
68b7448eab
capabilities: Make the user and group charon(-nm) changes to configurable
2013-06-25 17:16:33 +02:00
Andreas Steffen
adf8a05a3d
Removed obsoleted strongswan.conf options
2013-06-21 23:25:24 +02:00
Tobias Brunner
4d62ad7571
charon-cmd: Link strongswan.conf(5) and charon-cmd(8) man pages
2013-06-21 16:35:19 +02:00
Martin Willi
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
Tobias Brunner
7971278c92
stroke: Load credentials from PKCS#12 files (P12 token)
2013-05-08 15:02:41 +02:00
Tobias Brunner
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
Tobias Brunner
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
Martin Willi
0be946dce3
Use the GEN silent rule when generating files with sed
2013-05-06 15:04:56 +02:00
Tobias Brunner
37873f9994
kernel-netlink: Add an option to disable roam events
2013-05-03 15:11:19 +02:00
Andreas Steffen
6b99da026c
added libstrongswan.plugins.openssl.fips_mode to man page
2013-04-16 13:44:06 +02:00
Andreas Steffen
654c88bca8
Added charon.initiator_only option which causes charon to ignore IKE initiation requests by peers
2013-04-14 19:57:49 +02:00
Andreas Steffen
1044710b04
implemented periodic IF-MAP RenewSession request
2013-04-03 21:38:04 +02:00
Tobias Brunner
96ad2b17b0
Updated strongswan.conf(5) man page
2013-04-01 16:56:47 +02:00
Andreas Steffen
0cf4dc53c7
updated strongswan.conf man page for tn_ifmap plugin
2013-03-31 19:05:53 +02:00
Martin Willi
e82deaf6ce
Merge branch 'multi-cert'
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
Martin Willi
a36b49f3cb
Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi
0abeac3a0b
Document ipsec.conf leftprotoport extensions in manpage
2013-02-21 11:52:33 +01:00
Andreas Steffen
f2145c8d3a
Moved configuration from resolver manager to unbound plugin
Also streamlined log messages in unbound plugin.
2013-02-19 12:25:00 +01:00
Reto Guadagnini
932717fbde
ipseckey: Added "enable" option for the IPSECKEY plugin to strongswan.conf
2013-02-19 12:25:00 +01:00
Martin Willi
e212033ef2
Merge branch 'ike-dscp'
2013-02-14 17:11:35 +01:00
Martin Willi
88f4cd3988
Add ikedscp documentation to ipsec.conf.5
2013-02-06 15:42:14 +01:00
Tobias Brunner
9d9410e7b9
Typo in strongswan.conf(5) man page fixed
2013-01-31 11:52:11 +01:00
Tobias Brunner
c186b3940a
Documented new options in strongswan.conf(5) man page
2013-01-25 20:22:20 +01:00
Martin Willi
11a7abf554
Add ipsec.conf.5 updates regarding multiple certificates in leftcert
2013-01-18 09:33:15 +01:00
Tobias Brunner
ee6902ef7f
Added an option to configure the maximum size of a fragment
2013-01-12 11:54:58 +01:00
Tobias Brunner
365d9a6f67
Added an option that allows to force IKEv1 fragmentation
2013-01-12 11:54:32 +01:00