Commit Graph

170 Commits

Author SHA1 Message Date
Tobias Brunner d223fe807a libcharon: Use lib->ns instead of charon->name 2014-02-12 14:34:32 +01:00
Tobias Brunner 53d2164c5d ike: Simplify error handling if name resolution failed
This avoids a second name resolution attempt just to determine if %any
etc. was configured.

Fixes #440.
2014-01-23 10:04:19 +01:00
Tobias Brunner be8af56e7a ike: Use proper hostname(s) when name resolution failed
Was wrong since 0edce68767.

Fixes #440.
2014-01-23 10:03:50 +01:00
Thomas Egerer b190899473 ike_sa: Defer task manager destruction after child destruction
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destruction (see git-commit
e44ebdcf) and allows the access of the task manager in
child_state_change hook.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2014-01-16 14:16:13 +01:00
Martin Willi b76e96e2ef ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying
Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
2013-11-01 11:33:29 +01:00
Tobias Brunner 9292357030 ike-sa: Resolve hosts before reestablishing an IKE_SA 2013-09-23 11:49:52 +02:00
Martin Willi beffdc6ab8 ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr 2013-09-04 10:38:37 +02:00
Martin Willi 0edce68767 ike-sa: use ike_cfg resolver functions 2013-09-04 10:38:36 +02:00
Tobias Brunner 07a9d5c91a ike: Fix reestablishing SAs if no child-creating tasks are queued 2013-07-18 10:40:08 +02:00
Martin Willi 2b0c8ee37d ike-sa: uninstall CHILD_SAs before removing virtual IPs
a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes
for CHILD_SAs might get deleted while removing virtual IPs, resulting in
an error when a CHILD_SA tries to uninstall its route.
2013-07-18 10:35:38 +02:00
Tobias Brunner 68db844f99 ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA 2013-07-17 18:16:58 +02:00
Martin Willi 893da0411f ike-sa: use arrays instead of linked lists in long lived collections
This saves about 1.5KB of memory per IKE_SA.
2013-07-17 17:20:17 +02:00
Tobias Brunner bf92887af1 ike: Resolve hosts only for address families currently supported 2013-07-05 09:48:26 +02:00
Tobias Brunner c949a4d501 Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart 2013-07-01 09:58:34 +02:00
Tobias Brunner 4c74fa664b Reuse reqid for trap policies installed for dpd|closeaction=hold 2013-07-01 09:58:25 +02:00
Martin Willi 3568abe7be Use ref_get() to make sure IKE_SA unique IDs are unique 2013-06-11 15:54:27 +02:00
Martin Willi a3854d8371 Don't unset IKE_SA on bus before we released virtual IPs and attributes 2013-05-06 14:56:01 +02:00
Andreas Steffen 12fa1784d0 emit a single assign_vips bus message for all VIPs 2013-04-06 14:16:30 +02:00
Andreas Steffen ba2880d569 ifmap plugin subscribes to assign_vip bus signal 2013-04-06 11:09:41 +02:00
Martin Willi c45cf9048e Raise an alert if an IKE_SA could not have been reauthenticated and expires 2013-03-14 14:20:54 +01:00
Martin Willi d954a2081b child_sa_t.get_usestats() can additionally return the number of processed packets 2013-03-14 14:20:54 +01:00
Martin Willi 21dd4c4bea Without MOBIKE, update remote host only if it is behind NAT 2013-03-01 11:26:47 +01:00
Martin Willi cdf75a39e3 Move initial message dropping to task manager
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.

Fixes #295.
2013-02-25 12:12:19 +01:00
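The behaviour this commit fixes (a retransmitted initial request must be answered with the stored response, not ignored) is the responder side of the IKEv2 message-ID window described in RFC 7296 section 2.1. The following is an added illustration, not strongSwan's task manager code: a minimal window with a single outstanding request, driven by a constructed IKE_SA_INIT/IKE_AUTH exchange in which the IKE_AUTH response is lost. The `ResponderWindow`, `Message` and `run_exchange` names, the exchange labels and the traffic sequence are all constructed for this example; `drop_initial_once_established=True` models a responder that filters initial-exchange messages as soon as the IKE_SA is up, which is exactly what leaves the initiator stuck.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed labels standing in for the exchange types of real IKE messages.
INITIAL_EXCHANGES = ("IKE_SA_INIT", "IKE_AUTH")


@dataclass
class Message:
    message_id: int      # IKEv2 Message ID from the header
    exchange: str        # exchange type label (constructed stand-in for payloads)
    response: bool = False


class ResponderWindow:
    """Responder side of the IKEv2 message-ID window, window size 1.

    Accept the expected ID and remember the response we sent; answer a
    duplicate of the previous ID by replaying that stored response (the
    peer evidently never received it); drop anything older or further
    ahead. Example code only, not the strongSwan implementation.
    """

    def __init__(self) -> None:
        self.expected_id = 0
        self.last_response: Optional[Message] = None

    def handle(self, req: Message,
               process: Callable[[Message], Message]) -> Tuple[str, Optional[Message]]:
        if req.message_id == self.expected_id:
            resp = process(req)
            self.last_response = resp
            self.expected_id += 1
            return "response", resp
        if self.last_response is not None and req.message_id == self.expected_id - 1:
            # Retransmitted request: resend the stored response, do not re-process.
            return "retransmit", self.last_response
        return "drop", None


def run_exchange(drop_initial_once_established: bool) -> List[str]:
    """Drive the responder with a constructed initial exchange and return the
    outcome for each incoming request ('response', 'retransmit' or 'drop')."""
    win = ResponderWindow()
    established = False
    outcomes: List[str] = []

    def process(req: Message) -> Message:
        nonlocal established
        if req.exchange == "IKE_AUTH":
            established = True   # the IKE_SA is up once we answer IKE_AUTH
        return Message(req.message_id, req.exchange, response=True)

    # Constructed traffic: the initiator's IKE_AUTH response is lost on the
    # wire, so message ID 1 arrives twice; the final message is a stale
    # duplicate of ID 0 that must be dropped in either mode.
    traffic = [
        Message(0, "IKE_SA_INIT"),
        Message(1, "IKE_AUTH"),
        Message(1, "IKE_AUTH"),      # retransmit after the lost response
        Message(0, "IKE_SA_INIT"),   # stale, outside the window
    ]
    for req in traffic:
        if (drop_initial_once_established and established
                and req.exchange in INITIAL_EXCHANGES):
            # The pre-fix behaviour: once established, ignore initial
            # exchanges outright, so the retransmit never gets its answer.
            outcomes.append("drop")
            continue
        outcome, _ = win.handle(req, process)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    print("window-based :", run_exchange(drop_initial_once_established=False))
    print("blanket drop :", run_exchange(drop_initial_once_established=True))
```

With the window-based check the third request is answered by replaying the stored IKE_AUTH response and only the stale fourth request is dropped; with the blanket filter the retransmit is dropped too, and the initiator keeps retransmitting until it gives up. The practical check on a real responder is the same: a duplicate of the last request must produce a second copy of the same response on the wire, not silence.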
Martin Willi 5b15bd5f9d Set configured DSCP value while generating IKE packets 2013-02-06 15:20:32 +01:00
Tobias Brunner b816037739 Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
Martin Willi 43b4c2ea75 Inherit virtual IP and attributes from old to new, not from new to old 2012-12-10 17:01:00 +01:00
Martin Willi d88597f0dd Don't wait while removing external IPs used for load testing 2012-11-29 10:22:51 +01:00
Martin Willi b185cdd16d Install virtual IPs via interface name, and use an interface lookup where required 2012-11-29 10:22:51 +01:00
Martin Willi 50bd755871 Add an optional kernel-interface parameter to install IPs with a custom prefix 2012-11-29 10:22:51 +01:00
Tobias Brunner 12642a6831 Moved data structures to new collections subfolder 2012-10-24 16:00:49 +02:00
Tobias Brunner 1d6dc62727 Added a new alert that is raised if peer does not respond to initial IKE message 2012-10-16 14:16:17 +02:00
Tobias Brunner 2d39f79b9b IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
Fixes #229.
2012-09-25 09:31:47 +02:00
Martin Willi 28a3d5bfbd Pass full pool list to release_address 2012-09-11 16:18:28 +02:00
Tobias Brunner bcf8cdd556 Only initiate an exchange from send_dpd() if a task was actually queued
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
Tobias Brunner 3babde90bb Trigger ike_updown event caused by retransmits only after reestablish() has been called
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
Tobias Brunner 4dbb193190 Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
Tobias Brunner 873b63b771 Add a new condition to mark IKE_SAs that are currently being reauthenticated 2012-09-06 11:23:11 +02:00
Tobias Brunner d2e8f20d94 Clear virtual IPs before storing assigned ones on the IKE_SA
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
Martin Willi 497ce2cf51 Support multiple address pools configured on a peer_cfg 2012-08-30 16:43:42 +02:00
Martin Willi 101d26babe Support multiple virtual IPs on peer_cfg and ike_sa classes 2012-08-30 16:43:42 +02:00
Tobias Brunner f3fefb1847 Increase log verbosity when sending NAT keep-alives 2012-08-08 15:41:02 +02:00
Tobias Brunner b223d517c8 Replaced usages of CHARON_*_PORT with calls to get_port(). 2012-08-08 15:12:25 +02:00
Tobias Brunner 75f8316332 Use send_no_marker to send NAT keepalives. 2012-08-08 15:12:25 +02:00
Tobias Brunner e7ea057fd2 Make the UDP ports charon listens for packets on (and uses as source ports) configurable. 2012-08-08 15:07:43 +02:00
Martin Willi 764035d515 Block XAuth transaction on established IKE_SAs, but allow Mode Config 2012-08-03 13:07:57 +02:00
Martin Willi 394b9f6b65 Reject initial exchange messages early once IKE_SA is established 2012-08-02 13:04:54 +02:00
Andreas Steffen 1d315bddd3 implemented the right|leftallowany feature 2012-06-08 21:24:41 +02:00
Tobias Brunner 77e4282643 Avoid queueing more than one retry initiate job. 2012-05-30 15:32:52 +02:00
Tobias Brunner 60c82591c5 Retry IKE_SA initiation if DNS resolution failed.
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner a46fe56858 Resolve hosts before reauthenticating due to address change. 2012-05-25 17:05:53 +02:00