Martin Willi
96c2b3cf89
Support multiple addresses/pools in left/rightsourceip
2012-08-30 16:43:42 +02:00
Tobias Brunner
454fb91367
Removed deprecated options from ipsec.conf template
2012-08-24 11:52:01 +02:00
Martin Willi
da646ab94a
Remove unused ipsec.conf left/rightnatip keyword
2012-08-21 09:38:01 +02:00
Martin Willi
17319aa28d
Add a left/rightdns keyword to configure connection specific DNS attributes
2012-08-21 09:38:00 +02:00
Tobias Brunner
21d8392041
starter: Restore original config in case also= is used (which reads the same values)
2012-08-16 16:45:11 +02:00
Tobias Brunner
71b89d6722
Only load kernel plugins in starter when flushing SAD/SPD entries
This avoids keeping the kernel sockets open when they are not actually
needed, which could lead to resource problems (in particular with PF_KEY
where all open sockets receive all messages).
Fixes #217.
2012-08-16 16:14:15 +02:00
Martin Willi
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
Tobias Brunner
f102c5f341
Mask the configured mark value to ensure it is in range
2012-06-26 12:50:58 +02:00
Tobias Brunner
d86cf32b4b
Removed -o argument when creating .../ipsec.d with install
This should have been removed with 2b52d5cb41.
2012-06-25 16:37:34 +02:00
Tobias Brunner
c236f19e50
ldaphost and ldapbase ca section keywords are deprecated
2012-06-25 10:52:16 +02:00
Tobias Brunner
31bcaf604a
starter: Fixed parsing of %defaultroute.
2012-06-15 10:46:56 +02:00
Martin Willi
e36497700c
Print the kind of *Swan during starter startup
2012-06-14 10:25:48 +02:00
Andreas Steffen
e49f18f74d
thanks to narrowing, treat right|leftsubnetwithin as synonyms for right|leftsubnet
2012-06-14 07:55:12 +02:00
Tobias Brunner
25fb9d3f4a
starter: Print additional help texts for selected deprecated keywords.
2012-06-12 16:15:03 +02:00
Tobias Brunner
9707d9db79
starter: Improved how deprecated keywords are handled.
We only throw a warning now instead of rejecting the config.
2012-06-12 16:15:03 +02:00
Tobias Brunner
5c7a219804
Revert "starter: Don't treat unsupported keywords as fatal errors, just report them."
This reverts commit e55876a657.
2012-06-12 16:15:03 +02:00
Tobias Brunner
e7c01bed49
starter: Fixed parsing of left|right=%any.
2012-06-12 10:16:51 +02:00
Tobias Brunner
4d21846912
starter: Fix comparison of connections.
2012-06-11 17:33:32 +02:00
Tobias Brunner
3e2ff81e5d
starter: Removed all unsupported keywords.
2012-06-11 17:33:32 +02:00
Tobias Brunner
e55876a657
starter: Don't treat unsupported keywords as fatal errors, just report them.
2012-06-11 17:33:32 +02:00
Tobias Brunner
fff4b74db2
Bye bye Pluto!
Charon will take over IKEv1 duties from here. This also removes
libfreeswan and whack.
2012-06-11 17:33:32 +02:00
Tobias Brunner
ee3026a1e2
starter: Remove all ties to pluto/libfreeswan.
Moved some types/constants in the process.
2012-06-11 17:33:32 +02:00
Tobias Brunner
5b09310e67
starter: Use custom type for SA specific options (flags).
2012-06-11 17:33:31 +02:00
Tobias Brunner
29906e0eab
starter: Parse left|rightprotoport directly in confread.c.
2012-06-11 17:33:31 +02:00
Tobias Brunner
eca839b0a7
starter: No special handling for left|rightsubnet, just pass it on as string.
2012-06-11 17:33:31 +02:00
Tobias Brunner
6ce841b213
starter: Use host_t to parse left|rightsourceip.
Also for the yet unused natip option.
2012-06-11 17:33:31 +02:00
Tobias Brunner
0ac29be793
starter: Remove left|rightsubnetwithin option (charon narrows left|rightsubnet down accordingly).
2012-06-11 17:33:31 +02:00
Tobias Brunner
8dd094e185
starter: Don't resolve any addresses in starter.
Also removed remains of some unknown iface option.
2012-06-11 17:33:31 +02:00
Tobias Brunner
efc69e9f38
starter: Removed pfs and pfsgroup options (handled via esp option).
2012-06-11 17:33:31 +02:00
Tobias Brunner
6d065f14ae
starter: Store mode of the IPsec SA/policy in a separate member.
2012-06-11 17:33:30 +02:00
Tobias Brunner
f82365ad27
starter: Use custom type to mark seen keywords.
2012-06-11 17:33:30 +02:00
Tobias Brunner
57323f6259
starter: Remove left|rightnexthop option.
Charon does this lookup dynamically.
2012-06-11 17:33:30 +02:00
Tobias Brunner
7cce0e96f2
starter: Replaced all usages of clone_str() with strdupnull().
2012-06-11 17:33:30 +02:00
Tobias Brunner
e838c39ba9
starter: Parse authby as string.
2012-06-11 17:33:30 +02:00
Tobias Brunner
041e763b77
starter: Remove main parts of pluto support (invoke, whack).
2012-06-11 17:33:30 +02:00
Tobias Brunner
95e41fb80a
starter: Drop support for %defaultroute.
2012-06-11 17:33:29 +02:00
Tobias Brunner
163b227386
starter: Migrated logging to libstrongswan.
2012-06-11 17:33:29 +02:00
Tobias Brunner
bcfb6b8efc
starter: Remove unneeded starter_exec function.
2012-06-11 17:33:29 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Tobias Brunner
4a10eda1a0
starter: Go back to single threaded mode.
Mixing multiple threads and fork(2) wasn't a very good idea, it seems.
At least in some environments this caused strange side-effects.
2012-06-08 14:12:07 +02:00
Tobias Brunner
b200fa573b
starter: Only handle SIGCHLD asynchronously and the rest in pselect(2).
2012-06-06 14:23:25 +02:00
Tobias Brunner
18a3741042
starter: (De-)Initialize logging when forking.
2012-06-05 09:22:16 +02:00
Tobias Brunner
402ae88af9
starter: Close open file descriptors when forking daemons.
2012-06-04 18:09:56 +02:00
Tobias Brunner
89c97952bd
starter: Changed signal handling now that starter is multi-threaded.
2012-06-04 18:09:56 +02:00
Andreas Steffen
80c5b17d1a
make IKEv1 DPD timeout configurable in charon
2012-05-17 19:49:22 +02:00
Tobias Brunner
d3590016e9
starter: Initialize thread pool so kernel events are consumed.
2012-05-15 08:55:19 +02:00
Martin Willi
9e25007646
Explicitly cast from strict_t to crl_policy_t
2012-05-14 14:11:54 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Andreas Steffen
5f1931ada1
added support for raw RSA public keys to stroke
2012-04-30 00:31:42 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
c8d46f2959
Dropped support of deprecated authby=eap and eap= options
2012-03-20 17:31:38 +01:00
Martin Willi
c791def8c1
Added support for authby/xauth_server legacy options
2012-03-20 17:31:38 +01:00
Martin Willi
e129168ba6
Added an "aggressive" ipsec.conf connection option
2012-03-20 17:31:34 +01:00
Martin Willi
d94c923648
Support an "any" IKE version for both IKEv1 and IKEv2
2012-03-20 17:31:25 +01:00
Martin Willi
21a4fc832e
Pass ipsec.conf xauth_identity option via stroke to charon configurations
2012-03-20 17:31:23 +01:00
Martin Willi
cf1772f685
Do not ignore configs for IKEv1 in charon anymore
2012-03-20 17:30:43 +01:00
Martin Willi
498d172c33
Use correct time_t variables to store ARG_TIME options
2012-01-18 10:31:45 +01:00
Tobias Brunner
9d17c1a679
Starter depends on whack/stroke on Android.
With this change whack and stroke get installed automatically if starter is
enabled.
2012-01-12 19:19:47 +01:00
Tobias Brunner
2e0b478a01
Android 4 requires LOCAL_MODULE_TAGS to be set for all modules.
Because all packages are now marked as optional, executables that are to
be installed on the final system have to be added to PRODUCT_PACKAGES in
build/target/product/core.mk. Dependencies (such as libraries) are
installed automatically.
2012-01-12 19:18:35 +01:00
Sansar Choinyambuu
75d5f6d132
Fixed bug when checking error code from file stat
2011-11-28 15:02:49 +01:00
Tobias Brunner
edad908792
Fixed compiler warnings regarding enum comparison.
Warnings like
comparison of unsigned expression < 0 is always false
are reported with -Wextra when enum types that are compiled to an
unsigned type (which is up to the compiler) are checked for negativity.
2011-11-25 09:40:30 +01:00
Tobias Brunner
4f775afda9
Added missing Android.mk files to distribution.
2011-11-22 18:31:12 +01:00
Mirko Parthey
f3da58aaa9
Fix DNS error handling for keyexchange=ike.
starter fails to load a connection when a peer's DNS name is temporarily
unresolvable and keyexchange=ike was specified, which defaults to IKEv2.
The connection loads just fine in case of keyexchange=ikev2.
2011-10-25 09:44:17 +02:00
Tobias Brunner
bb3357e886
starter: Android.mk updated to use kernel-netlink via libhydra.
2011-10-21 14:24:34 +02:00
Tobias Brunner
adab84533e
starter: Use kernel interfaces to flush SAD and SPD.
This now supports platforms where neither 'ip xfrm' nor 'setkey' are
available (like Android).
2011-10-21 14:24:34 +02:00
Tobias Brunner
f3a682c1ff
starter: Load plugins specific to starter.
2011-10-21 14:24:34 +02:00
Tobias Brunner
d19eaf7457
starter: INFO_FILE is not used anymore.
2011-10-21 14:24:34 +02:00
Tobias Brunner
1c10577648
starter: Only try to start pluto on Android if it is actually enabled.
2011-10-14 17:36:21 +02:00
Tobias Brunner
652ddf5ce2
starter: Close open file descriptors after forking.
This avoids problems with Android's adb which leaves several file
descriptors open when executing processes.
2011-10-13 11:19:17 +02:00
Tobias Brunner
aa82ae3aa4
starter: Only create self-signed certificate if scepclient is built.
2011-10-12 16:37:21 +02:00
Tobias Brunner
b66a3b3d28
Build starter on Android.
2011-10-11 16:30:20 +02:00
Tobias Brunner
187a5faf64
starter: Updated gitignores after LEX/YACC change.
2011-10-10 20:07:37 +02:00
Tobias Brunner
6f4eaa41a7
starter: Use automake LEX/YACC automatisms.
2011-10-10 19:31:04 +02:00
Tobias Brunner
e01fed7eb3
starter: fallback include handling without glob(3).
2011-10-10 18:05:44 +02:00
Tobias Brunner
0b706426a5
starter: Check for processes with PIDs stored in pid files.
2011-09-28 13:57:59 +02:00
Martin Willi
40921edc38
Support resolution of "allow_any" DNS names in charon (%hostname)
2011-09-02 13:42:45 +02:00
Martin Willi
e59a50009c
starter passes unresolved DNS names to charon
Based on an initial patch by Mirko Parthey.
2011-08-29 09:58:18 +02:00
Tobias Brunner
45048eae23
Verify that executables are available and set (pluto|charon)start accordingly.
Some distributions enable both daemons but then distribute the
executables in two separate packages. If only one package is installed
but both daemons are enabled in ipsec.conf, starter will try to start
the non-existing daemon over and over again, and will each time re-add
the configs to the other daemon.
2011-08-11 13:38:05 +02:00
Tobias Brunner
889a62a8d4
pluto: --debug-kernel aliasing was not fully complete.
2011-08-02 18:15:50 +02:00
Andreas Steffen
f87991704e
implemented PASS and DROP shunt policies
2011-06-28 19:42:54 +02:00
Martin Willi
f34ebc845b
Add a closeaction ipsec.conf keyword to configure close action
2011-06-07 12:07:21 +02:00
Martin Willi
513701f41b
Fix some warnings triggered by gcc 4.6 -Wunused-but-set-variable
2011-05-19 15:47:40 +02:00
Tobias Brunner
67ec2be665
IKEv2 was only partially the default for connections with auto=route and auto=start.
Connections with auto=route and auto=start that did not have
keyexchange=ikev2 explicitly specified did get added to charon,
but did not get routed or started by charon.
2011-04-27 11:33:06 +02:00
Tobias Brunner
f36a6ebd30
starter: Make sure interface name is null-terminated.
2011-04-19 13:48:51 +02:00
Tobias Brunner
1c004bebd8
Clearly mark switch cases that fall through.
2011-04-19 13:48:50 +02:00
Tobias Brunner
cc2429d9a2
In scanf the maximum length of %s does not include the null-terminator.
2011-04-14 18:10:27 +02:00
Tobias Brunner
bac28c73ed
starter_conn_t.id is an unsigned long.
2011-04-14 18:10:27 +02:00
Tobias Brunner
e92e687584
Removed empty man page for starter.
2011-02-07 11:39:41 +01:00
Martin Willi
2b52d5cb41
Do not install config files with user/group, as it might not exist on the build machine
2011-01-17 18:08:17 +01:00
Martin Willi
6367de28ad
Added a left/rightcertpolicy keyword to specify certificatePolicy requirements
2011-01-07 15:51:35 +01:00
Martin Willi
6c302616f1
Added a tfc ipsec.conf keyword to control Traffic Flow Confidentiality
2010-12-20 09:45:39 +01:00
Andreas Steffen
0bc5547d0c
*** HISTORICAL MOMENT: IKEv2 becomes the default! ***
2010-10-09 20:46:55 +02:00
Tobias Brunner
0a1233e642
Moved man pages for config files to a separate directory.
2010-09-10 12:01:19 +02:00
Tobias Brunner
3255e489be
Of course, mark is also supported by pluto.
2010-09-06 12:04:26 +02:00
Tobias Brunner
a674c79a37
mark_in and mark_out are also supported by pluto.
2010-09-06 11:53:59 +02:00
Tobias Brunner
ddc961c369
Fixed left-/rightnexthop ipsec.conf options.
2010-09-03 11:47:42 +02:00
Tobias Brunner
b5be105aaf
pluto: Added support for statically configured reqids.
2010-09-02 19:04:25 +02:00
Tobias Brunner
a0d13f42e6
starter: Some whitespace cleanup.
2010-09-02 19:04:25 +02:00
Tobias Brunner
eeca1b0466
pluto: Removed references to KLIPS from documentation, log messages and comments.
2010-09-02 19:04:24 +02:00
Tobias Brunner
08c0d340b8
Moved ipsec_transform_t to kernel_ipsec.h in libhydra.
Because of this libfreeswan, pluto, starter etc. now depend on that
file (and libhydra). This resolved some duplicate declarations.
2010-09-02 19:01:25 +02:00