Martin Willi
d048a319df
ike: Restart inactivity counter after doing a CHILD_SA rekey
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
2014-01-23 16:19:22 +01:00
Tobias Brunner
6956061197
ipsec.conf.5: Note about ICMP[v6] message type/code added
2013-10-17 16:57:39 +02:00
Martin Willi
5fdbb3c6ad
ipsec.conf: Add a description for the new 'ah' keyword.
2013-10-11 10:15:22 +02:00
Tobias Brunner
8250fc10e8
Build generated man pages via configure script
2013-09-13 14:32:51 +02:00
Martin Willi
6301ec0ac5
man: add support for multiple addresses/ranges/subnets in ipsec.conf left=
2013-09-04 10:38:37 +02:00
Martin Willi
16149401e9
man: update ipsec.conf modeconfig keyword
2013-09-04 10:33:38 +02:00
Tobias Brunner
0ceb288815
Fix various API doc issues and typos
Partially based on an old patch by Adrian-Ken Rueegsegger.
2013-07-18 18:30:36 +02:00
Tobias Brunner
b2dfa0624d
ipsec.conf.5: closeaction is now supported for IKEv1
2013-07-17 18:18:57 +02:00
Tobias Brunner
b7b5432ff8
stroke: Changed how proto/port are specified in left|rightsubnet
Using a colon as separator conflicts with IPv6 addresses.
2013-06-28 15:10:09 +02:00
Martin Willi
24df067810
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet
2013-06-19 16:36:01 +02:00
Tobias Brunner
87692be215
Load any type (RSA/ECDSA) of public key via left|rightsigkey
2013-05-07 17:08:31 +02:00
Tobias Brunner
fa1d3d39dc
left|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly
The default is now PKCS#1. With the dns: and ssh: prefixes other formats
can be selected.
2013-05-07 15:38:28 +02:00
Martin Willi
e82deaf6ce
Merge branch 'multi-cert'
Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.
2013-03-01 11:35:32 +01:00
Martin Willi
a36b49f3cb
Merge branch 'opaque-ports'
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
2013-03-01 11:27:12 +01:00
Martin Willi
0abeac3a0b
Document ipsec.conf leftprotoport extensions in manpage
2013-02-21 11:52:33 +01:00
Martin Willi
88f4cd3988
Add ikedscp documentation to ipsec.conf.5
2013-02-06 15:42:14 +01:00
Martin Willi
11a7abf554
Add ipsec.conf.5 updates regarding multiple certificates in leftcert
2013-01-18 09:33:15 +01:00
Tobias Brunner
365d9a6f67
Added an option that allows forcing IKEv1 fragmentation
2013-01-12 11:54:32 +01:00
Tobias Brunner
97973f8609
Use a connection specific option to en-/disable IKEv1 fragmentation
2012-12-24 13:00:01 +01:00
Martin Willi
f6d8fb3687
Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards
2012-10-24 13:07:53 +02:00
Martin Willi
05e266ea9d
Add leftcert ipsec.conf.5 documentation about smartcard certificates
2012-10-24 13:07:53 +02:00
Martin Willi
5b2e669ba2
Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals
2012-10-24 11:49:37 +02:00
Martin Willi
55f126fd55
Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity
2012-09-18 17:17:48 +02:00
Tobias Brunner
b7a500e985
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity>
2012-09-18 14:40:41 +02:00
Tobias Brunner
72970b458d
Some updates to ipsec.conf(5) man page
2012-09-12 16:53:45 +02:00
Tobias Brunner
f4cc7ea11b
Add uniqueids=never to ignore INITIAL_CONTACT notifies
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
2012-09-10 17:37:18 +02:00
Martin Willi
1323dc1138
Merge branch 'multi-vip'
Brings support for multiple virtual IPs and multiple pools in
left/rightsourceip definitions. Also introduces the new left/rightdns
options to configure requested DNS server address family and respond
with multiple connection specific servers.
2012-08-31 12:55:56 +02:00
Tobias Brunner
5f6ef5d5ce
Documentation for eap-dynamic added
2012-08-31 11:42:03 +02:00
Martin Willi
26bc695806
Updated ipsec.conf.5 with multiple left/rightsourceip support
2012-08-30 16:43:45 +02:00
Martin Willi
c60f1da424
Add a description of the leftdns option to ipsec.conf.5
2012-08-21 09:38:01 +02:00
Tobias Brunner
56d07af3be
Added ESP log group for libipsec log messages.
2012-08-08 15:12:25 +02:00
Martin Willi
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
Tobias Brunner
66e12b926e
Some updates in ipsec.conf(5) for 5.0.0
2012-06-26 12:39:53 +02:00
Andreas Steffen
2045a9d36d
added secret as valid authby argument
2012-06-18 22:11:18 +02:00
Martin Willi
7c4214bd38
Add documentation for signature hash algorithm enforcing to man ipsec.conf
2012-06-12 15:01:39 +02:00
Tobias Brunner
95e41fb80a
starter: Drop support for %defaultroute.
2012-06-11 17:33:29 +02:00
Tobias Brunner
18dac73f02
Updated ipsec.conf(5) to reflect changes to IPComp support.
2012-05-24 15:32:28 +02:00
Martin Willi
b24be29646
Merge branch 'ikev1'
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/encoding/generator.c
src/libcharon/encoding/payloads/notify_payload.c
src/libcharon/encoding/payloads/notify_payload.h
src/libcharon/encoding/payloads/payload.c
src/libcharon/network/receiver.c
src/libcharon/sa/authenticator.c
src/libcharon/sa/authenticator.h
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libcharon/sa/task_manager.c
src/libstrongswan/credentials/auth_cfg.c
2012-05-02 11:12:31 +02:00
Andreas Steffen
0293f09597
updated supported EAP methods
2012-03-30 11:15:10 +02:00
Martin Willi
b1f2f05c92
Merge branch 'ikev1-clean' into ikev1-master
Conflicts:
configure.in
man/ipsec.conf.5.in
src/libcharon/daemon.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_radius/eap_radius_accounting.c
src/libcharon/plugins/eap_radius/eap_radius_forward.c
src/libcharon/plugins/farp/farp_listener.c
src/libcharon/sa/ike_sa.c
src/libcharon/sa/keymat.c
src/libcharon/sa/task_manager.c
src/libcharon/sa/trap_manager.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/utils.h
Applied lost changes of moved files keymat.c and task_manager.c.
Updated listener_t.message hook signature in new plugins.
2012-03-20 17:57:53 +01:00
Martin Willi
75e3d90d43
Updated ipsec.conf man page for the use of IKEv1 with pluto
2012-03-20 17:31:39 +01:00
Martin Willi
c8d46f2959
Dropped support of deprecated authby=eap and eap= options
2012-03-20 17:31:38 +01:00
Tobias Brunner
54d096a712
Added ASN debug group to log low-level encoding/decoding (ASN.1, X.509).
This will allow us to remove quite some clutter from the LIB debug group
for higher debug levels.
2011-12-16 16:44:38 +01:00
Tobias Brunner
49b44c98c1
Charon also supports type=passthrough|drop.
2011-12-14 19:01:39 +01:00
Tobias Brunner
b768d6a4a5
Documented xauth_identity in ipsec.conf(5) man page.
2011-12-14 18:04:39 +01:00
Tobias Brunner
de13eab0e6
Documented the strict flag (!) for ike and esp options in ipsec.conf.
2011-09-26 17:51:53 +02:00
Tobias Brunner
7213abcbfb
PTS log group documented in man pages.
2011-09-12 15:07:20 +02:00
Tobias Brunner
5b217e4994
Document charon's default log levels in ipsec.conf(5).
2011-09-12 15:07:20 +02:00
Tobias Brunner
f3bb1bd039
Fixed common misspellings.
Mostly found by 'codespell'.
2011-07-20 16:14:10 +02:00
Martin Willi
4876f896a4
Added documentation and NEWS for closeaction
2011-06-07 12:07:22 +02:00