a3854d8371
Don't unset IKE_SA on bus before we released virtual IPs and attributes
2013-05-06 14:56:01 +02:00
12fa1784d0
emit a single assig_vips bus message for all VIPs
2013-04-06 14:16:30 +02:00
ba2880d569
ifmap plugin subscribes to assing_vip bus signal
2013-04-06 11:09:41 +02:00
c45cf9048e
Raise an alert if an IKE_SA could not have been reauthenticated and expires
2013-03-14 14:20:54 +01:00
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
cdf75a39e3
Move initial message dropping to task manager
...
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295 .
2013-02-25 12:12:19 +01:00
5b15bd5f9d
Set configured DSCP value while generating IKE packets
2013-02-06 15:20:32 +01:00
b816037739
Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
...
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
43b4c2ea75
Inherit virtual IP and attributes from old to new, not from new to old
2012-12-10 17:01:00 +01:00
d88597f0dd
Don't wait while removing external IPs used for load testing
2012-11-29 10:22:51 +01:00
b185cdd16d
Install virtual IPs via interface name, and use an interface lookup where required
2012-11-29 10:22:51 +01:00
50bd755871
Add an optional kernel-interface parameter to install IPs with a custom prefix
2012-11-29 10:22:51 +01:00
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
1d6dc62727
Added a new alert that is raised if peer does not respond to initial IKE message
2012-10-16 14:16:17 +02:00
2d39f79b9b
IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
...
Fixes #229 .
2012-09-25 09:31:47 +02:00
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
bcf8cdd556
Only initiate an exchange from send_dpd() if a task was actually queued
...
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
3babde90bb
Trigger ike_updown event caused by retransmits only after reestablish() has been called
...
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
4dbb193190
Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
...
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
873b63b771
Add a new condition to mark IKE_SAs that are currently being reauthenticated
2012-09-06 11:23:11 +02:00
d2e8f20d94
Clear virtual IPs before storing assigned ones on the IKE_SA
...
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
...
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
cbc1a20ffe
Wrap task managers flush_queue() in IKE_SA
2012-05-21 14:05:01 +02:00
42500c274a
Use name from initialization to access settings in libcharon.
...
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
b24be29646
Merge branch 'ikev1'
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
ae9ce83511
Properly initialize src in ike_sa_t.is_any_path_valid().
2012-04-06 10:54:44 +02:00
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
...
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
f98af1ddd5
Trigger DPD not before IKE_SA state gets updated
2012-03-20 17:31:39 +01:00
a994050e9c
Don't re-resolve addresses during initiate if they have already been set
2012-03-20 17:31:38 +01:00
783c496966
Update state before triggering DPD, as we cancel it if PASSIVE
2012-03-20 17:31:38 +01:00
47b8f6ef4b
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
2012-03-20 17:31:37 +01:00
1a0648490c
Invoke ike_updown hooks for reauthenticated IKEv1 SAs
2012-03-20 17:31:36 +01:00
11aadd7722
Disable DPD checking for peers not supporting it
2012-03-20 17:31:35 +01:00
1e624ce876
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-03-20 17:31:35 +01:00
Martin Willi