Tobias Brunner
d223fe807a
libcharon: Use lib->ns instead of charon->name
2014-02-12 14:34:32 +01:00
Tobias Brunner
53d2164c5d
ike: Simplify error handling if name resolution failed
This avoids a second name resolution attempt just to determine if %any
etc. was configured.
Fixes #440.
2014-01-23 10:04:19 +01:00
Tobias Brunner
be8af56e7a
ike: Use proper hostname(s) when name resolution failed
Was wrong since 0edce68767.
Fixes #440.
2014-01-23 10:03:50 +01:00
Thomas Egerer
b190899473
ike_sa: Defer task manager destruction after child destruction
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destruction (see git-commit
e44ebdcf) and allows the access of the task manager in
child_state_change hook.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-16 14:16:13 +01:00
Martin Willi
b76e96e2ef
ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
2013-11-01 11:33:29 +01:00
Tobias Brunner
9292357030
ike-sa: Resolve hosts before reestablishing an IKE_SA
2013-09-23 11:49:52 +02:00
Martin Willi
beffdc6ab8
ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr
2013-09-04 10:38:37 +02:00
Martin Willi
0edce68767
ike-sa: use ike_cfg resolver functions
2013-09-04 10:38:36 +02:00
Tobias Brunner
07a9d5c91a
ike: Fix reestablishing SAs if no child-creating tasks are queued
2013-07-18 10:40:08 +02:00
Martin Willi
2b0c8ee37d
ike-sa: uninstall CHILD_SAs before removing virtual IPs
a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.
2013-07-18 10:35:38 +02:00
Tobias Brunner
68db844f99
ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA
2013-07-17 18:16:58 +02:00
Martin Willi
893da0411f
ike-sa: use arrays instead of linked lists in long lived collections
This saves about 1.5KB of memory per IKE_SA.
2013-07-17 17:20:17 +02:00
Tobias Brunner
bf92887af1
ike: Resolve hosts only for address families currently supported
2013-07-05 09:48:26 +02:00
Tobias Brunner
c949a4d501
Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart
2013-07-01 09:58:34 +02:00
Tobias Brunner
4c74fa664b
Reuse reqid for trap policies installed for dpd|closeaction=hold
2013-07-01 09:58:25 +02:00
Martin Willi
3568abe7be
Use ref_get() to make sure IKE_SA unique IDs are unique
2013-06-11 15:54:27 +02:00
Martin Willi
a3854d8371
Don't unset IKE_SA on bus before we released virtual IPs and attributes
2013-05-06 14:56:01 +02:00
Andreas Steffen
12fa1784d0
emit a single assign_vips bus message for all VIPs
2013-04-06 14:16:30 +02:00
Andreas Steffen
ba2880d569
ifmap plugin subscribes to assign_vip bus signal
2013-04-06 11:09:41 +02:00
Martin Willi
c45cf9048e
Raise an alert if an IKE_SA could not have been reauthenticated and expires
2013-03-14 14:20:54 +01:00
Martin Willi
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
Martin Willi
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
Martin Willi
cdf75a39e3
Move initial message dropping to task manager
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
2013-02-25 12:12:19 +01:00
Martin Willi
5b15bd5f9d
Set configured DSCP value while generating IKE packets
2013-02-06 15:20:32 +01:00
Tobias Brunner
b816037739
Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
Martin Willi
43b4c2ea75
Inherit virtual IP and attributes from old to new, not from new to old
2012-12-10 17:01:00 +01:00
Martin Willi
d88597f0dd
Don't wait while removing external IPs used for load testing
2012-11-29 10:22:51 +01:00
Martin Willi
b185cdd16d
Install virtual IPs via interface name, and use an interface lookup where required
2012-11-29 10:22:51 +01:00
Martin Willi
50bd755871
Add an optional kernel-interface parameter to install IPs with a custom prefix
2012-11-29 10:22:51 +01:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
1d6dc62727
Added a new alert that is raised if peer does not respond to initial IKE message
2012-10-16 14:16:17 +02:00
Tobias Brunner
2d39f79b9b
IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
Fixes #229.
2012-09-25 09:31:47 +02:00
Martin Willi
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
Tobias Brunner
bcf8cdd556
Only initiate an exchange from send_dpd() if a task was actually queued
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
Tobias Brunner
3babde90bb
Trigger ike_updown event caused by retransmits only after reestablish() has been called
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
Tobias Brunner
4dbb193190
Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
Tobias Brunner
873b63b771
Add a new condition to mark IKE_SAs that are currently being reauthenticated
2012-09-06 11:23:11 +02:00
Tobias Brunner
d2e8f20d94
Clear virtual IPs before storing assigned ones on the IKE_SA
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
Tobias Brunner
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
Tobias Brunner
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Martin Willi
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
Martin Willi
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Tobias Brunner
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
Tobias Brunner
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00