Tobias Brunner
61c3870bef
conf: Document reference syntax
2018-06-27 14:19:35 +02:00
Andreas Steffen
ef4a63524f
vici: list cert_policy parameter
2018-06-22 10:39:40 +02:00
Tobias Brunner
2c7a4b0704
swanctl: Document new HW offload options/behavior
2018-05-24 10:49:19 +02:00
Tobias Brunner
1b67166921
Unify format of HSR copyright statements
2018-05-23 16:32:53 +02:00
Tobias Brunner
c057cd26fa
swanctl: Add option to force IKE_SA termination
2018-05-22 10:06:07 +02:00
Andreas Steffen
4eaf08c35b
vici: list-conn reports DPD settings and swanctl displays them
2018-02-15 16:28:06 +01:00
Tobias Brunner
e698bdea24
man: Fix documentation of pubkey constraints
Hash algorithms have to be repeated for multiple key types.
References #2514.
2018-02-09 10:42:13 +01:00
Tobias Brunner
6d98bb926e
swanctl: Allow dots in authority/shared secret/pool names
Use argument evaluation provided by settings_t instead of using strings
to enumerate key/values.
If section names contain dots the latter causes the names to get split
and interpreted as non-existing sections and subsections.
This currently doesn't work for connections and their subsections due to
the recursion.
2017-12-22 10:11:21 +01:00
Tobias Brunner
c87b16d256
swanctl: Add check for conflicting short options
2017-11-13 10:09:41 +01:00
Tobias Brunner
f0c7cbd1d7
swanctl: Properly register --counters command
Use C instead of c, which is already used for --load-conns.
2017-11-13 09:45:14 +01:00
Tobias Brunner
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
Tobias Brunner
052bccfac4
swanctl: Add --counters command
2017-11-08 16:28:28 +01:00
Thomas Egerer
2dad293647
ike: Do not send initial contact only for UNIQUE_NEVER
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-02 10:17:24 +01:00
Tobias Brunner
2d244f178f
vici: Make setting mark on inbound SA configurable
2017-11-02 09:59:38 +01:00
Eyal Birger
32e5c49234
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue, as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
2017-08-07 14:22:27 +02:00
Tobias Brunner
4272a3e9d7
swanctl: Read default socket from swanctl.socket option
Also read from swanctl.plugins.vici.socket so we get
libstrongswan.plugins.vici.socket if it is defined.
Fixes #2372.
2017-07-27 13:22:57 +02:00
Tobias Brunner
ae48325a59
swanctl: Include config snippets from conf.d subdirectory
Fixes #2371.
2017-07-27 13:20:24 +02:00
Tobias Brunner
93e0898f60
swanctl: Document eap_id in remote sections
2017-07-05 18:08:04 +02:00
Tobias Brunner
0afe0eca67
vici: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
Tobias Brunner
7c4f88d4be
vici: Make hardware offload configurable
2017-05-23 16:58:00 +02:00
Tobias Brunner
46a3f92a76
Add an option to announce support for IKE fragmentation but not sending fragments
2017-05-23 16:41:57 +02:00
Tobias Brunner
cbbd34f507
swanctl: Use returned key ID to track loaded private keys
There was a direct call to load_key() for unencrypted keys that didn't
remove the key ID from the hashtable, which caused keys to get unloaded
when --load-creds was called multiple times.
2017-05-23 16:41:02 +02:00
Noel Kuntze
693107f6ae
swanctl: Reformulate IKEv1 selector restriction, describe problems with TS narrowing
2017-03-23 18:27:05 +01:00
Tobias Brunner
a7cd424206
swanctl: Mention including files when referring to strongswan.conf(5)
2017-03-23 18:27:05 +01:00
Tobias Brunner
d5a19a17dc
swanctl: Describe what happens when a FQDN is specified in local|remote_addrs
2017-03-20 10:18:51 +01:00
Tobias Brunner
f927ba975b
vici: Add support for mediation extension
2017-02-16 19:24:09 +01:00
Tobias Brunner
e2d9971215
swanctl: Add --rekey command
2017-02-16 19:24:09 +01:00
Tobias Brunner
04c0219e55
vici: Use unique names for CHILD_SAs in the list-sas command
The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
2017-02-16 19:24:08 +01:00
Tobias Brunner
75665375b7
swanctl: Allow specifying pubkeys directly via 0x/0s prefix
2017-02-16 19:24:08 +01:00
Tobias Brunner
bd6ef6be7e
vici: Add support to load CA certificates from tokens and paths in authority sections
2017-02-16 19:24:08 +01:00
Tobias Brunner
2f8354ca6c
vici: Add support to load certificates from file paths
Probably not that useful via swanctl.conf but could be when used via VICI.
2017-02-16 19:24:08 +01:00
Tobias Brunner
00bf6a2a49
vici: Add support to load certificates from tokens
2017-02-16 19:24:08 +01:00
Tobias Brunner
d2e3ff8e0c
swanctl: Add `token` secrets for keys on tokens/smartcards
2017-02-16 19:24:07 +01:00
Tobias Brunner
ebb517581f
swanctl: Pass optional connection name to --initiate/install/uninstall
2017-02-16 19:24:07 +01:00
Tobias Brunner
ed105f45af
vici: Add support for NT Hash secrets
Fixes #1002.
2017-02-16 19:23:51 +01:00
Tobias Brunner
3bedf10b25
vici: Add support for IPv6 Transport Proxy Mode
2017-02-16 19:23:50 +01:00
Tobias Brunner
e00bc9f6b2
vici: Add support for certificate policies
2017-02-16 19:23:50 +01:00
Tobias Brunner
44fcc83310
vici: Add missing dscp setting for IKE_SAs
Fixes #2170.
2017-02-16 19:23:31 +01:00
Tobias Brunner
d460ab2bff
swanctl: Automatically unload removed shared keys
2017-02-16 19:21:13 +01:00
Tobias Brunner
04180409ad
swanctl: Automatically unload removed private keys
2017-02-16 19:21:12 +01:00
Tobias Brunner
257f6cb8e7
swanctl: Add possibility to query a specific pool by name
2017-02-16 19:21:12 +01:00
Martin Willi
72547830fb
swanctl: List CHILD_SA marks, if set
2017-02-13 15:11:20 +01:00
Tobias Brunner
7caba2eb55
swanctl: Add 'private' directory/section to load any type of private key
2016-10-05 11:33:36 +02:00
Tobias Brunner
d5c6a0bac4
vici: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
Tobias Brunner
50721a61d8
vici: Make installation of outbound FWD policies configurable
2016-09-28 17:56:43 +02:00
Tobias Brunner
318a48a589
swanctl: Add man page entry for flush-certs command
2016-09-15 11:58:51 +02:00
Andreas Steffen
2c7cfe7630
vici: flush-certs command flushes certificate cache
When fresh CRLs are released with a high update frequency (e.g.
every 24 hours) or OCSP is used then the certificate cache gets
quickly filled with stale CRLs or OCSP responses. The new VICI
flush-certs command allows flushing e.g. cached CRLs or OCSP
responses only. Without the type argument all kinds of certificates
(e.g. also received end entity and intermediate CA certificates)
are purged.
2016-09-13 17:02:59 +02:00
Tobias Brunner
f883cd6df6
swanctl: Document how DH groups in CHILD_SA proposals are applied
References #1039.
2016-08-31 11:47:25 +02:00
Andreas Steffen
7f65a8c271
vici: Increased various string buffers to BUF_LEN (512 bytes)
2016-07-29 12:34:40 +02:00
Martin Willi
518a5b2ece
configure: Check for and explicitly link against -latomic
Some C libraries, such as uClibc, require an explicit link for some atomic
functions. Check for any libatomic, and explicitly link it.
2016-06-14 14:27:20 +02:00