Tobias Brunner
d5c6a0bac4
vici: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
Tobias Brunner
50721a61d8
vici: Make installation of outbound FWD policies configurable
2016-09-28 17:56:43 +02:00
Andreas Steffen
7f65a8c271
vici: Increased various string buffers to BUF_LEN (512 bytes)
2016-07-29 12:34:40 +02:00
Andreas Steffen
b1df631212
vici list-conns sends reauthentication and rekeying time information
2016-05-04 18:13:52 +02:00
Andreas Steffen
c26e4330e7
Implemented IPsec policies restricted to given network interface
2016-04-09 16:51:02 +02:00
Andreas Steffen
7f57c4f9fb
Support manually-set IPsec policy priorities
2016-04-09 16:51:01 +02:00
Tobias Brunner
2ba5dadb12
peer-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Tobias Brunner
8a00a8452d
child-cfg: Use struct to pass data to constructor
2016-04-09 16:51:01 +02:00
Andreas Steffen
b12c53ce77
Use standard unsigned integer types
2016-03-24 18:52:48 +01:00
Tobias Brunner
20df9d315c
vici: Don't hold write lock while running or undoing start actions
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
2016-03-11 08:32:18 +01:00
Andreas Steffen
35babdf43f
Initialize ts variable
2016-03-11 08:29:23 +01:00
Andreas Steffen
3f1de98678
Support of IP address ranges in traffic selectors
2016-03-10 13:59:37 +01:00
Tobias Brunner
101abed566
vici: Replace child configs atomically
This also leaves unmodified configs as they are.
2016-03-08 10:21:58 +01:00
Tobias Brunner
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
Tobias Brunner
1ecec95dff
vici: Add support for pubkey constraints with EAP-TLS
This is a feature currently supported by stroke.
2016-03-04 16:19:54 +01:00
Tobias Brunner
3c23a75120
auth-cfg: Make IKE signature schemes configurable
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
2016-03-04 16:19:54 +01:00
Andreas Steffen
ffd29ab30a
vici: Support multiple named raw public keys
2016-01-10 00:12:57 +01:00
Andreas Steffen
87371460f6
vici: Support of raw public keys
2016-01-09 07:23:29 +01:00
Andreas Steffen
cc874350b8
Apply pubkey and signature constraints in vici plugin
2015-12-17 17:49:48 +01:00
Martin Willi
1db918c4f8
vici: Use an empty local auth round if none given
While it hardly makes sense to use none for negotiated SAs, it actually does
when installing shunt policies.
2015-12-07 10:05:07 +01:00
Martin Willi
b26ba1b4a4
vici: Limit start action undoing to IKE_SAs using the base peer config name
If two peer configs use the same child config names, potentially delete
the wrong CHILD_SA. Check the peer config name as well to avoid that.
2015-12-07 10:05:07 +01:00
Martin Willi
23b1f71372
vici: Close empty IKE_SAs after undoing CHILD_SA start actions
2015-12-07 10:05:07 +01:00
Martin Willi
2facf18833
vici: Use value based array to store CHILD_SA ids during restart
The previous approach stored a pointer to a volatile stack variable, which
works for a single ID, but not for multiple.
2015-12-07 10:05:07 +01:00
Martin Willi
f3b2d4a9d8
vici: Undo start actions when unloading configs
2015-12-07 10:05:07 +01:00
Tobias Brunner
ff0abde9ed
controller: Optionally adhere to init limits also when initiating IKE_SAs
2015-08-21 18:21:13 +02:00
Tobias Brunner
9322e5b398
vici: Add option to disable policy installation for CHILD_SAs
2015-08-17 12:01:36 +02:00
Andreas Steffen
63d370387d
vici: Certification Authority support added.
CDP and OCSP URIs for one or multiple certification authorities
can be added via the VICI interface. swanctl allows to read
definitions from a new authorities section.
2015-07-21 13:02:30 +02:00
Andreas Steffen
e194349148
vici: Compute rekey_bytes and rekey_packets if life_bytes and life_packets are defined
2015-07-20 21:34:09 +02:00
Timo Teräs
17d3435693
vici: Default to certificate subject for identity
If id is not specified and certificate authentication is used, use the
certificate subject name as identity. Simplifies configuration as in most cases
this is the right thing to do.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
2015-05-04 13:42:51 +02:00
Martin Willi
1549a98493
vici: Don't use a default rand_time larger than half of rekey/reauth_time
2015-03-03 13:49:14 +01:00
Martin Willi
f6511e36b5
vici: If an IKE reauth_time is configured, disable the default rekey_time
2015-03-03 13:49:14 +01:00
Martin Willi
971a91685d
controller: Use the CHILD_SA unique_id to terminate CHILD_SAs
2015-02-20 13:34:50 +01:00
Martin Willi
d73a46171d
vici: Support a replay_window CHILD_SA option
2014-06-17 16:41:31 +02:00
Martin Willi
dfb23fa159
vici: Add Windows support
2014-06-04 15:53:12 +02:00
Martin Willi
8d74ec9e80
ike: Add an additional but separate AEAD proposal to CHILD config
This currently has no effect: We don't include AEAD algorithms in the default
ESP proposal, as we don't know if it is supported by the backend. But as we
hopefully get an algorithm query mechanism on kernel interfaces some day, we
add the appropriate functionality nonetheless.
2014-05-16 16:51:19 +02:00
Martin Willi
879e3d12ca
ike: Add an additional but separate AEAD proposal to IKE config, if supported
2014-05-16 16:51:19 +02:00
Martin Willi
80b56fb468
vici: Support the close_action keyword, as we have it documented
2014-05-14 16:26:53 +02:00
Martin Willi
afb7ef4908
vici: Properly filter by CHILD_SA name while undoing start actions
2014-05-07 14:13:39 +02:00
Martin Willi
682c9966fa
vici: Fallback to socket listening port if no explicit local port specified
2014-05-07 14:13:39 +02:00
Martin Willi
dffd60083d
vici: Support a "mtu" value for the tfc_padding option
2014-05-07 14:13:39 +02:00
Martin Willi
5619d40613
vici: Handle the "trap" action as an alias for "route"
2014-05-07 14:13:39 +02:00
Martin Willi
f3e1ec4a85
vici: Have an explicit "relaxed" keyword for the default revocation policy
2014-05-07 14:13:38 +02:00
Martin Willi
585814470d
vici: Use a default child rekey time of 1 hour
2014-05-07 14:13:38 +02:00
Martin Willi
046befeca5
vici: Use a default IKE rekey time of 4 hours
2014-05-07 14:13:38 +02:00
Martin Willi
afb8f492ef
vici: Support referencing external named pools for peer configs
2014-05-07 14:13:37 +02:00
Martin Willi
3ad9c34c92
vici: Actually add configured virtual IPs to peer config
2014-05-07 14:13:37 +02:00
Martin Willi
e651afe67b
vici: Use a default rand_time of the difference between hard and soft lifetimes
2014-05-07 14:13:37 +02:00
Martin Willi
c520510508
vici: Use a default hard lifetime of 110% of the soft lifetime
2014-05-07 14:13:37 +02:00
Martin Willi
7de35b7ff6
vici: Perform specified start_action on connection load, undo it on unload
2014-05-07 14:13:37 +02:00
Martin Willi
b57739f721
vici: Support pinning end entity and CA certificates to connections
2014-05-07 14:13:37 +02:00