Martin Willi
a3854d8371
Don't unset IKE_SA on bus before we released virtual IPs and attributes
2013-05-06 14:56:01 +02:00
Andreas Steffen
12fa1784d0
emit a single assign_vips bus message for all VIPs
2013-04-06 14:16:30 +02:00
Andreas Steffen
ba2880d569
ifmap plugin subscribes to assign_vip bus signal
2013-04-06 11:09:41 +02:00
Martin Willi
c45cf9048e
Raise an alert if an IKE_SA could not have been reauthenticated and expires
2013-03-14 14:20:54 +01:00
Martin Willi
d954a2081b
child_sa_t.get_usestats() can additionally return the number of processed packets
2013-03-14 14:20:54 +01:00
Martin Willi
21dd4c4bea
Without MOBIKE, update remote host only if it is behind NAT
2013-03-01 11:26:47 +01:00
Martin Willi
cdf75a39e3
Move initial message dropping to task manager
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
2013-02-25 12:12:19 +01:00
Martin Willi
5b15bd5f9d
Set configured DSCP value while generating IKE packets
2013-02-06 15:20:32 +01:00
Tobias Brunner
b816037739
Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments
Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.
2012-12-24 12:29:27 +01:00
Martin Willi
43b4c2ea75
Inherit virtual IP and attributes from old to new, not from new to old
2012-12-10 17:01:00 +01:00
Martin Willi
d88597f0dd
Don't wait while removing external IPs used for load testing
2012-11-29 10:22:51 +01:00
Martin Willi
b185cdd16d
Install virtual IPs via interface name, and use an interface lookup where required
2012-11-29 10:22:51 +01:00
Martin Willi
50bd755871
Add an optional kernel-interface parameter to install IPs with a custom prefix
2012-11-29 10:22:51 +01:00
Tobias Brunner
12642a6831
Moved data structures to new collections subfolder
2012-10-24 16:00:49 +02:00
Tobias Brunner
1d6dc62727
Added a new alert that is raised if peer does not respond to initial IKE message
2012-10-16 14:16:17 +02:00
Tobias Brunner
2d39f79b9b
IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled
Fixes #229.
2012-09-25 09:31:47 +02:00
Martin Willi
28a3d5bfbd
Pass full pool list to release_address
2012-09-11 16:18:28 +02:00
Tobias Brunner
bcf8cdd556
Only initiate an exchange from send_dpd() if a task was actually queued
Otherwise, the initiator would prematurely initiate Quick Mode if it has
DPD enabled and XAuth is used.
2012-09-07 18:05:22 +02:00
Tobias Brunner
3babde90bb
Trigger ike_updown event caused by retransmits only after reestablish() has been called
This allows listeners to migrate to the new IKE_SA with the
ike_reestablish event without having to worry about an ike_updown event
for the old IKE_SA.
2012-09-06 11:27:28 +02:00
Tobias Brunner
4dbb193190
Add ike_reestablish() event that is triggered when an IKE_SA is reestablished
This is particularly useful during reauthentication to get the new
IKE_SA.
2012-09-06 11:25:14 +02:00
Tobias Brunner
873b63b771
Add a new condition to mark IKE_SAs that are currently being reauthenticated
2012-09-06 11:23:11 +02:00
Tobias Brunner
d2e8f20d94
Clear virtual IPs before storing assigned ones on the IKE_SA
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
Martin Willi
497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
Martin Willi
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
Tobias Brunner
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
Tobias Brunner
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
Tobias Brunner
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
Tobias Brunner
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
Martin Willi
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
Martin Willi
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
Andreas Steffen
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
Tobias Brunner
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
Tobias Brunner
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
Tobias Brunner
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
Tobias Brunner
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
Tobias Brunner
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
Tobias Brunner
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
Tobias Brunner
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
Martin Willi
cbc1a20ffe
Wrap task manager's flush_queue() in IKE_SA
2012-05-21 14:05:01 +02:00
Tobias Brunner
42500c274a
Use name from initialization to access settings in libcharon.
Also fixes several whitespace errors.
2012-05-03 13:57:04 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Tobias Brunner
ae9ce83511
Properly initialize src in ike_sa_t.is_any_path_valid().
2012-04-06 10:54:44 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
f98af1ddd5
Trigger DPD not before IKE_SA state gets updated
2012-03-20 17:31:39 +01:00
Martin Willi
a994050e9c
Don't re-resolve addresses during initiate if they have already been set
2012-03-20 17:31:38 +01:00
Martin Willi
783c496966
Update state before triggering DPD, as we cancel it if PASSIVE
2012-03-20 17:31:38 +01:00
Martin Willi
47b8f6ef4b
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted
2012-03-20 17:31:37 +01:00
Martin Willi
1a0648490c
Invoke ike_updown hooks for reauthenticated IKEv1 SAs
2012-03-20 17:31:36 +01:00
Martin Willi
11aadd7722
Disable DPD checking for peers not supporting it
2012-03-20 17:31:35 +01:00
Martin Willi
1e624ce876
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state
2012-03-20 17:31:35 +01:00