Tobias Brunner
e6d17d5613
man: Remove keylife/rekeymargin from ipsec.conf man page
We continue to parse them but remove the documentation because mixing the two
sets of keywords in the same config might result in unexpected behavior.
References #2663.
2018-05-22 14:18:17 +02:00
Tobias Brunner
e698bdea24
man: Fix documentation of pubkey constraints
Hash algorithms have to be repeated for multiple key types.
References #2514.
2018-02-09 10:42:13 +01:00
Tobias Brunner
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
Tobias Brunner
2269444b56
man: Fix documentation of inbound mark behavior in ipsec.conf(5)
2017-11-02 09:59:38 +01:00
Eyal Birger
32e5c49234
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
2017-08-07 14:22:27 +02:00
Tobias Brunner
4270c8fcb0
stroke: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
Tobias Brunner
46a3f92a76
Add an option to announce support for IKE fragmentation but not send fragments
2017-05-23 16:41:57 +02:00
Noel Kuntze
11ebba0042
man: Describe the tunneling of several subnets with IKEv1 in more detail
2017-03-23 18:26:54 +01:00
Noel Kuntze
c055c7013e
man: Add note about modeconfig having to match
2017-03-23 18:16:45 +01:00
Noel Kuntze
31456d1f85
man: Describe what happens when a FQDN is specified in left or right
2017-03-20 10:18:51 +01:00
Tobias Brunner
af662a5170
starter: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
Tobias Brunner
bbd4620777
man: Update description of the esp keyword
Clarifies how DH groups are applied, updates the proposal selection
description and ESN can now also be configured for IKEv1.
References #1039.
2016-08-31 11:47:14 +02:00
Tobias Brunner
8e3940f59c
man: Updated default proposals in ipsec.conf(5)
2016-03-11 10:25:06 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Tobias Brunner
45c5b992e0
man: Update description of the actions performed for different dpdaction values
For instance, charon does not unroute `auto=route` connections with
`dpdaction=clear`.
2015-11-18 14:55:15 +01:00
Tobias Brunner
4a2e17997f
man: Clarify identity parsing and identity type prefixes
References #1028.
2015-08-17 11:49:04 +02:00
Adrian-Ken Rueegsegger
10b5e8bb45
man: Clarification of ah keyword description
2015-05-19 14:02:56 +02:00
Tobias Brunner
a83d1245d8
man: More accurately describe features of the new parser in ipsec.conf(5)
2015-03-20 18:37:22 +01:00
Tobias Brunner
276cf3b725
man: Add documentation about IKEv2 signature schemes
2015-03-04 13:54:12 +01:00
Martin Willi
f2e2cce2aa
man: Describe trust chain constraints configuration for EAP methods
2015-03-03 14:08:01 +01:00
Martin Willi
cc1682bef9
ipsec-types: Support the %unique mark value
2015-02-20 16:34:53 +01:00
Tobias Brunner
aaf9911aeb
man: Document IKEv2 fragmentation in ipsec.conf(5)
2015-02-10 18:38:54 +01:00
Tobias Brunner
c355e2b2c7
stroke: Add support for address range definitions of in-memory pools
2014-10-30 12:32:45 +01:00
Martin Willi
9388bf1363
man: Document identification type prefixes in ipsec.conf(5)
2014-10-30 11:07:10 +01:00
Tobias Brunner
b906d41214
man: Document where left|rightsigkey searches for public key files
2014-07-14 10:58:28 +02:00
Tobias Brunner
8b123d2e4a
man: Document replay_window ipsec.conf option
2014-06-30 14:50:32 +02:00
Martin Willi
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
Tobias Brunner
6956061197
ipsec.conf.5: Note about ICMP[v6] message type/code added
2013-10-17 16:57:39 +02:00
Martin Willi
5fdbb3c6ad
ipsec.conf: Add a description for the new 'ah' keyword.
2013-10-11 10:15:22 +02:00
Tobias Brunner
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
Martin Willi
6301ec0ac5
man: add support for multiple addresses/ranges/subnets in ipsec.conf left=
2013-09-04 10:38:37 +02:00
Martin Willi
16149401e9
man: update ipsec.conf modeconfig keyword
2013-09-04 10:33:38 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Tobias Brunner
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
Tobias Brunner
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
Martin Willi
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
Tobias Brunner
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
Tobias Brunner
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
Martin Willi
e82deaf6ce
Merge branch 'multi-cert'
Allows the configuration of multiple certificates in leftcert, and selects
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
Martin Willi
a36b49f3cb
Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi
0abeac3a0b
Document ipsec.conf leftprotoport extensions in manpage
2013-02-21 11:52:33 +01:00
Martin Willi
88f4cd3988
Add ikedscp documentation to ipsec.conf.5
2013-02-06 15:42:14 +01:00
Martin Willi
11a7abf554
Add ipsec.conf.5 updates regarding multiple certificates in leftcert
2013-01-18 09:33:15 +01:00
Tobias Brunner
365d9a6f67
Added an option that allows forcing IKEv1 fragmentation
2013-01-12 11:54:32 +01:00
Tobias Brunner
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
Martin Willi
f6d8fb3687
Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
2012-10-24 13:07:53 +02:00
Martin Willi
05e266ea9d
Add leftcert ipsec.conf.5 documentation about smartcard certificates
2012-10-24 13:07:53 +02:00
Martin Willi
5b2e669ba2
Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
2012-10-24 11:49:37 +02:00
Martin Willi
55f126fd55
Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
2012-09-18 17:17:48 +02:00
Tobias Brunner
b7a500e985
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
2012-09-18 14:40:41 +02:00