9d9a772ee1
use MOBIKE enabled DPD if we are NATed
...
update SAs if we detect changes in NAT mappings
2008-10-06 13:37:04 +00:00
aa1b90a5b2
do not run CHILD_SA delete action if rekeying
2008-10-03 16:01:14 +00:00
7827997346
also respect the mobike=no setting as responder
2008-09-30 12:36:58 +00:00
a341a68fac
merging renaming of mode_t to ipsec_mode_t back to trunk
2008-09-25 13:56:23 +00:00
507f26f685
merging modularized kernel interface back to trunk
2008-09-25 07:56:58 +00:00
07d7f9a402
time values in strongswan.conf can be optionally specified in days (d), hours (h), minutes (m), or seconds (s)
2008-09-04 16:19:46 +00:00
60055b7e1c
charon.keep_alive = 0 disables the sending of NAT keep alives
2008-09-03 19:00:08 +00:00
3dfecde4c0
configure NAT keep alive interval using the charon.keep_alive key
2008-09-03 18:49:06 +00:00
703791715b
handle INFORMATIONAL exchanges with NATD payloads in mobike task
2008-09-02 14:02:40 +00:00
a44d02627f
cosmetics
2008-08-26 19:54:47 +00:00
919019b3cd
completed support of AUTHZ_CA_CERT and AUTHZ_CA_CERT_NAME attributes
2008-08-26 05:15:34 +00:00
822901061b
ported parts of two-sim branch
...
eap_identity parameter to exchange in eap_identity
some auth_info/peer_cfg refactorings
fixed some bugs, introduced new ones
2008-08-22 10:44:51 +00:00
1caa265c61
a (incomplete) implementation of draft-sheffer-ikev2-gtc-00.txt using PAM
2008-08-21 12:10:07 +00:00
9f1ec81290
corrected typo
2008-08-11 18:40:22 +00:00
342c84ddec
initiator sends contents of rightca= if present as a certificate request without searching for further CA certificates
2008-08-05 09:05:57 +00:00
f0a8fa25ba
using a entry cache for duplicate checks, avoids deadlocks
2008-07-30 14:15:08 +00:00
98ba96f185
demoted IKE state change output to debug level 2
2008-07-28 14:01:45 +00:00
3fd9c75717
ignore AUTH_LIFETIME value if reauthentication has already been scheduled earlier
2008-07-28 13:53:04 +00:00
f6facbe75c
completed IKE_SA logging at the AUDIT level
2008-07-23 18:46:34 +00:00
6410231335
IKE_SA rekeying inherits other_host from old IKE_SA
2008-07-23 07:44:26 +00:00
0eede4a31f
cosmetics
2008-07-23 06:38:24 +00:00
51c8f8261f
some more changes to IKE_SA and CHILD_SA logging
2008-07-22 17:10:10 +00:00
32f5ee159e
cosmetics
2008-07-22 12:13:48 +00:00
66da78b4bb
ipsec status lists IPCOMP CPIs
2008-07-22 12:03:58 +00:00
c3967e779e
own CPI was not deleted due to copy-and-paste error
2008-07-22 10:53:56 +00:00
eba7470b76
consistent logging of SPIs and CPIs
2008-07-22 10:16:45 +00:00
fb34475b5c
consistent logging of IKE and CHILD SAs
2008-07-21 12:47:59 +00:00
a4a3e0c7dc
introduced an additional bus->signal parameter for signal specific data
...
added SIG_IKE/SIG_CHD macros for signal emitting
2008-07-18 15:51:40 +00:00
5353f22ed7
fixed potential segfault in resolve_hosts
2008-07-17 11:06:31 +00:00
7beea2e99f
fixed acquire-delay bug by:
...
installing policies before states
updating policies if protocol has changed
2008-07-16 11:51:37 +00:00
ef3f717bfe
reverted [4125],[4166], reimplemented the proper way
2008-07-11 08:54:56 +00:00
6b5d95919c
setting ike_sa on bus in checkout_new
2008-07-11 08:47:18 +00:00
e7991a2eef
do a route lookup to allow routing of left=%any connections
2008-07-09 14:16:19 +00:00
62bd123952
peer_cfg lookup takes peer addresses into account
2008-07-01 09:05:20 +00:00
866ba8e0b6
strongswan.conf's charon.close_ike_on_child_failure closes IKE_SA if CHILD_SA setup in IKE_AUTH fails
2008-07-01 07:54:09 +00:00
d510eaea47
sending INTERNAL_ADDRESS_FAILURE if virtual IP requested but none found
2008-07-01 06:36:52 +00:00
125aaf1ab1
log received vendor id as a hex value
2008-06-27 17:11:54 +00:00
7e8af02626
flushing task_manager on shutdown while IKE_SA is usable
2008-06-25 11:40:50 +00:00
e9ab669bc2
resolving hosts before route
2008-06-23 08:30:35 +00:00
bc997f6583
display selected IKE proposal in ipsec statusall
2008-06-22 11:24:33 +00:00
7d4bb52073
make config_auth_method_t backward compatible to existing sql templates
2008-06-10 20:31:53 +00:00
ea0823dffd
ECDSA with OpenSSL
2008-06-10 09:08:27 +00:00
5a22a02156
DNS resolving of ike_cfg hosts dynamically on demand
2008-06-06 15:05:54 +00:00
011b1cca94
do not roam IKE_SA in created or deleting state
2008-06-04 14:31:06 +00:00
de3d65a132
filtering out non matching path probing pairs explicitly
2008-05-23 15:43:42 +00:00
85a119bc0b
replying to COOKIE2 mobike notify properly
...
including COOKIE2 ourself after path probing
2008-05-21 17:56:21 +00:00
cb9edc54eb
using fixed size keys in key derivation for AES-XCBC PRF
2008-05-21 14:58:03 +00:00
d4aad55434
IPComp for IKEv2
2008-05-08 16:19:11 +00:00
1d5d6f9667
Hash and URL cosmetics
2008-04-18 21:27:08 +00:00
6439267a8c
support for hash and URL encoded certificate payloads in charon
2008-04-18 11:24:45 +00:00
46a5604a04
splitted IKE_SA manager destroy to allow plugin interaction
2008-04-17 10:46:25 +00:00
4904d26120
slightly optimized IKE_SA checkin
2008-04-16 08:43:32 +00:00
2c463cdfb1
optimized half-open IKE_SA lookup (no checkout)
2008-04-16 08:34:52 +00:00
6a365f0740
added API for random number generators, served through credential factory
...
ported randomizer_t to a rng_t on top of /dev/(u)random (plugin random)
2008-04-15 05:56:35 +00:00
0644ebd3de
implemented IKE_SA uniqueness using ipsec.conf uniqueids paramater
...
additionally supports a "keep" value to keep the old IKE_SA
2008-04-14 13:23:24 +00:00
a593db5d35
ike_sa_manager enumerable, not iterable
2008-04-14 11:37:46 +00:00
348af092ac
added close_action as a seperate config option to dpd_action
2008-04-14 08:17:18 +00:00
cadb5d16e5
fixed jumping IKE_SA unique ids
2008-04-14 07:55:23 +00:00
45819d7d49
fixed rightsourceip=%config scenarios
2008-04-14 07:18:16 +00:00
b1bdfa4890
fixed disabling the sending of cert requests
2008-04-13 17:31:07 +00:00
96926b006d
using dpd actions to enforce connection state
...
dpd actions a per child-, not peer ike-sa
2008-04-11 08:14:48 +00:00
4a6474c2c3
enabling acquire for mediated connections
2008-04-10 12:51:04 +00:00
78abba428f
enabling reauthentication on mediation connections
2008-04-10 08:42:27 +00:00
4a03518112
fixing a problem if the mediation server initiates the rekeying
2008-04-10 07:24:30 +00:00
22452f70fc
mediation connections should now properly rekey
2008-04-09 18:12:22 +00:00
cdcfe777f4
implementation of an CFG attribute framework, currently supporting virtual IPs
...
updated ipsec.conf sourceip parameter to support
CIDR notatation to serve from a pool
%poolname to query a separate (database?) pool
2008-04-09 12:54:47 +00:00
4a96521965
signature in connectivity checks is now built with the message id in network byte order
2008-04-08 13:45:30 +00:00
1d295d1ffa
printing the checklist, two bugfixes
2008-04-08 12:31:27 +00:00
6f186d7e2e
connect manager: restart the sender if it is not running anymore
2008-04-08 09:21:27 +00:00
03e5336340
better logging for chunks in connect manager
2008-04-08 08:41:23 +00:00
028a345c63
refactored callback data in connect manager
2008-04-08 08:33:15 +00:00
6970925422
fast finishing connectivity checks on the initiators side
2008-04-07 15:45:37 +00:00
dd563e60df
corrected the logging for retransmissions of connectivity checks
2008-04-07 14:45:39 +00:00
b03c1d415c
changed how retransmissions of connectivity checks are sent
2008-04-07 11:26:15 +00:00
70a568b015
fixing another memory leak
2008-04-07 09:36:52 +00:00
4c7e6112c5
and another
2008-04-03 15:22:06 +00:00
471f923071
fixed two other memory leaks
2008-04-03 15:13:25 +00:00
196b28a470
demoted more notify debug messages to level 2
2008-04-02 19:15:05 +00:00
c3f803c4c6
fixing some memory leaks
2008-04-02 18:21:03 +00:00
1ee637d8b1
generate debug output if ocsp response does not contain status information for a given certificate
2008-04-02 14:28:17 +00:00
080555e76a
demoted received notify debug message to level 2
2008-04-01 20:22:38 +00:00
9c2a905d63
stopping connectivity checks on the responders side after receiving an IKE_SA_INIT request with the proper ME_CONNECTID
2008-04-01 11:38:18 +00:00
e5ab32a7ee
timing of connectivity checks adjusted
2008-03-31 15:04:38 +00:00
9e183cd5b8
signal fixed
2008-03-31 14:27:16 +00:00
dcc777652e
changed error message
2008-03-29 13:26:53 +00:00
d20e5c6ab5
replaced get_public() by create_public_enumerator() to try multiple public keys for signature verification
2008-03-27 19:07:23 +00:00
54150b3f13
checking the size of ME_* notify payloads
2008-03-27 10:17:29 +00:00
b0dee635d2
replaced the COOKIE notify payload in connectivity checks with a ME_CONNECTAUTH notify payload
2008-03-27 09:54:09 +00:00
dc04b7c743
mediation extension adapted to the naming convention of the current version of the draft. note: the external interface (config, autotools) has not yet been changed
2008-03-26 18:40:19 +00:00
3c7e72f5b0
added equals() method to peer_cfg, ike_cfg, proposals, auth_info
...
allows easier merging of ipsec.conf connections
replaced some iterators through enumerators
made proposals algorithm_t private using enumerator
2008-03-26 10:06:45 +00:00
36524c4844
added support for certificate requests for not yet known CAs
2008-03-20 10:09:56 +00:00
ae8715f956
attempt to achieve consistent debugging output
2008-03-19 12:06:38 +00:00
72d68379dc
correctly unregister IKE_SA at the bus
2008-03-15 14:08:43 +00:00
df3462ddbe
two small fixes
2008-03-13 15:03:06 +00:00
552cc11b1f
merged the modularization branch (credentials) back to trunk
2008-03-13 14:14:44 +00:00
b48bdac20b
improved P2P_NAT debugging
2008-02-27 20:30:39 +00:00
fb7e7dc484
refactored connect_manager_t to use the find functions on linked lists
2008-02-14 13:42:36 +00:00
5bbac9ffff
split connections with different virtual IPs in different peer_cfgs
...
respect different peer_cfg's when initiating a CHILD_SA within an existing IKE_SA
2008-02-05 12:39:30 +00:00
663fedbe44
implemented IKEV2 EAP-SIM server and client test module that use triplets stored in a file. For details see the scenario 'ikev2/rw-eap-sim-rsa'
2008-02-04 14:52:06 +00:00
3b1692c058
use identifiers in EAP_SUCCESS/EAP_FAILURE payloads
2008-02-04 11:43:10 +00:00
b0e40caafb
NAT-T conditions were not inherited during IKE_SA rekeying
2008-01-29 01:41:47 +00:00
3a36ce1164
added missing hasher include
2008-01-03 10:42:21 +00:00
b8461a37db
fixed EAP-MD5 to accept Name attribute in challenge
2007-12-18 10:44:44 +00:00
0f806802ae
implemented Expanded EAP types to support vendor specific methods
2007-12-13 17:31:21 +00:00
3243ac6d5e
fixed actual ID length when AT_IDENTITY gets padded
2007-12-13 14:39:38 +00:00
26e2467692
ported EAP-AKA branch into trunk
2007-12-13 10:54:29 +00:00
4b403e7672
merged EAP-MD5 into trunk
2007-12-12 14:29:10 +00:00
3895125275
removed c++ style comments
...
fixed compiler warnings
2007-12-04 10:48:27 +00:00
b8249ff5ed
fixed mobike/auth_lifetime in conjunction with p2p-natt
2007-12-04 10:05:36 +00:00
addc4b3ce4
removed redundant server reflexive endpoint debug message
2007-12-04 00:45:00 +00:00
3af513753a
improved P2P_ENDPOINT debugging
2007-12-03 23:06:17 +00:00
7805ad302d
moved AUTH_LIFETIME handling in its own task (cleaner separation, proper payload order)
2007-12-03 10:52:18 +00:00
17d6e9aa00
improving [3361]: moved one of the added return values
2007-11-22 11:22:33 +00:00
f210387a6b
added two return statements comitted by Marius Tomaschewski
2007-11-21 23:42:27 +00:00
ee61471113
implemented RFC4478 (repeated authentication)
...
changed %V printf handler to take a time delta, %#V now takes two arguments
2007-11-20 12:06:40 +00:00
91b16af0fa
fixed NO_PROPOSAL_CHOSEN response on IKE_SA_INIT
2007-11-14 09:41:08 +00:00
d5da42a9e4
fixed _updown target for ipv6
2007-11-06 13:45:54 +00:00
00fb758755
adding new virtual ip before deleting old one to keep IP on reauthentication
2007-10-25 07:50:23 +00:00
d5cc175833
experimental P2P-NAT-T for IKEv2 merged back from branch
2007-10-03 15:10:41 +00:00
56db479192
ID payload with explicit payload type
2007-10-02 11:55:10 +00:00
f53b74c96f
moved force_encap to ike_config, enables responder to enforce udp encapsulation
...
fixed bugs in force_encap code
2007-10-01 16:41:34 +00:00
011fb1b97e
removed accidentally checked in debugging code
2007-10-01 12:25:26 +00:00
9dae1bed00
implemented IKEv2 force_encap connection parameter
...
enforces UDP encapsulation by faking NAT detection payloads
to hurdle restrictive firewalls
2007-10-01 12:19:39 +00:00
f215e91999
implemented more aggressive MOBIKE path probing
...
do not queue more than one MOBIKE task
2007-09-28 08:22:37 +00:00
278396b6da
typos
2007-09-27 10:36:03 +00:00
d9d69536b0
improved MOBIKE roaming between interfaces
2007-09-24 12:15:25 +00:00
703b4b0332
connection name to IKE_SA initiating
2007-09-15 20:30:04 +00:00
a2ab401c56
put IKE_SA and CHILD_SA names in single quotes
2007-09-15 16:06:58 +00:00
be682af3e8
log name of IKE_SA in state changes
2007-09-15 15:54:51 +00:00
3f4076b7c8
log name of established IKE_SA
2007-09-15 15:54:30 +00:00
21b3099ac4
log name of established CHILD_SA
2007-09-15 15:53:10 +00:00
eff806eb5a
added missing 'break' in checkout_by_peer
2007-09-13 13:00:23 +00:00
dd52993068
only switch to port 4500 if we are on 500: fixed reauthentication in NAT
...
scenarios
2007-09-12 11:11:10 +00:00
794d2526b4
removed unused chunk variable
2007-09-12 07:54:56 +00:00
a8827c9b63
moving virtual IP when interface changes due mobike
2007-09-12 07:36:45 +00:00
12fa4387c6
fixed NAT detection with mobike
2007-09-12 07:14:05 +00:00
1cb2cb622e
overwrite shared_key with random bytes before freeing it
2007-09-11 21:06:46 +00:00
f0c156fbc9
replaced get_rsa_private_key() by rsa_signature() in order restrict the distribution of private key material
2007-09-11 10:18:25 +00:00
5474dc6500
implemented routeability checks for mobike (experimental)
2007-09-03 12:37:25 +00:00
9164e49ac0
added mobike=yes|no connection option
...
yes: include mobike support notifies as initiator
no: only enable mobike as responder when initiator supports it
default: yes
2007-08-29 12:11:25 +00:00
98f97433af
rerouting CHILD_SA if its IKE_SA gets deleted
2007-08-27 09:10:12 +00:00
c045d90a8e
corrected debug output
2007-08-10 11:23:45 +00:00
c019260e01
backports from the p2p-nat-t branch:
...
* double assignment of function ''destroy'' in some jobs
* typos
2007-07-19 14:12:19 +00:00
c87395908a
not touching IKE_SA_INIT from ike_mobike_t anymore
2007-07-19 08:08:22 +00:00
cc68e173fe
fixed payload order (Nonce, KE) for IKE_SA_INIT
2007-07-16 07:01:49 +00:00
29100db902
changed mobike behavior to NOT use additional responder addresses until we have path discovery
2007-07-04 07:26:34 +00:00
419201c15d
fixed responder initiated CHILD_SA rekeying when using virtual IPs
2007-07-04 06:27:33 +00:00
7b8bae9941
fixed firewall script invocation when interface is not available anymore
2007-07-03 13:49:29 +00:00
3bc62fe70e
improved MOBIKE:
...
prefer address family already used
do not change address implicit when mobike supported
handle multiple simultaneous roaming requests more properly
proper enabling/disabling of UDP encapsulation
2007-07-03 12:32:38 +00:00
bcac22f3a6
DBG1 level for 'peer supports MOBIKE' debug message
2007-07-02 20:13:15 +00:00
Martin Willi