Commit Graph

125 Commits

Author SHA1 Message Date
Tobias Brunner e4013bb904 Added xauth-noauth plugin
This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange.  This can be useful to fall back to basic
RSA authentication with clients that cannot be configured without XAuth
authentication.
2013-03-19 11:23:03 +01:00
Martin Willi d954a2081b child_sa_t.get_usestats() can additionally return the number of processed packets 2013-03-14 14:20:54 +01:00
Martin Willi 9d9042d6d9 As Quick Mode initiator, select a subset of the proposed and the returned TS
Cisco 5505 firewalls don't return the port if we send a specific one, letting
the is_contained_in() checks fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.

Based on an initial patch from Paul Stewart.
2013-03-07 10:00:06 +01:00
Martin Willi a1db77de7c Use a complete port range in traffic_selector_create_from_{subnet,cidr} 2013-02-21 11:52:33 +01:00
Tobias Brunner 21235e1ec2 Merge branch 'ikev1-fragmentation'
This adds support for the proprietary IKEv1 fragmentation extension.

Conflicts:
	NEWS
2013-01-12 11:58:26 +01:00
Tobias Brunner 7ae245f685 Properly detect fragmentation capabilities
Cisco sends 0xc0000000 so we check that part of the VID separately.
2013-01-12 11:54:54 +01:00
Tobias Brunner 365d9a6f67 Added an option that allows to force IKEv1 fragmentation 2013-01-12 11:54:32 +01:00
Martin Willi 1954cc7720 Streamline debug output when receiving intermediate CA certificates in IKEv1 2013-01-11 10:24:23 +01:00
Martin Willi bf10ee9495 Refactored IKEv1 cert payload processing to multiple functions 2013-01-11 10:21:56 +01:00
Volker Rümelin 6d3e7a64a0 IKEv1 support for PKCS#7 wrapped certificates 2013-01-11 10:21:56 +01:00
Volker Rümelin 10eee5fcba Fixed some typos in comments 2013-01-11 10:21:51 +01:00
Tobias Brunner 97973f8609 Use a connection specific option to en-/disable IKEv1 fragmentation 2012-12-24 13:00:01 +01:00
Tobias Brunner 2f62bb1549 Add an option to en-/disable IKE fragmentation
Fragments are always accepted but will not be sent if disabled.  The
vendor ID is only sent if the option is enabled.
2012-12-24 12:29:31 +01:00
Tobias Brunner c4daac2c0b Log added NAT-T vendor IDs 2012-12-24 12:29:27 +01:00
Tobias Brunner 667720c801 Detect a peer's support for IKE fragmentation
Fragments are accepted even if this vendor ID is not seen.
2012-12-24 12:29:27 +01:00
Martin Willi 656e01eab3 Add parentheses to avoid compiler warning 2012-12-24 10:12:23 +01:00
Tobias Brunner ef33a4ab82 Fixed some typos, courtesy of codespell 2012-12-20 09:35:26 +01:00
Volker Rümelin 0ff8d20a89 Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier
This adds support for early versions of the draft that eventually
resulted in RFC 3947.
2012-12-19 11:03:42 +01:00
Tobias Brunner 283898d6e0 Fix traffic selectors also as initiator in case of transport mode over NAT 2012-12-13 15:27:29 +01:00
Tobias Brunner 2990671748 Fix debug output if responder selected invalid traffic selectors during QM 2012-12-13 15:27:28 +01:00
Tobias Brunner 214c081dd6 Log sent vendor IDs for IKEv1 2012-11-02 15:52:19 +01:00
Tobias Brunner f48e727232 Remove all ESP proposals with non-matching DH group during Quick Mode
According to RFC 2409, section 5.5, if PFS is used all proposals MUST
include the selected DH group, so we remove proposals without the
proposed group and remove other DH groups from the remaining proposals.
2012-10-24 16:09:42 +02:00
Tobias Brunner 2a43350334 Missed one in 6c10cece 2012-09-28 20:55:40 +02:00
Tobias Brunner 6c10cecebf Completed state handling in isakmp_cert_pre
Should not be a problem, but makes static analyzers happy.
2012-09-28 19:01:09 +02:00
Martin Willi 336dd7a9c7 Don't complain about multiple TS in IKEv1, as it is supported with Unity 2012-09-18 17:17:48 +02:00
Martin Willi 7ee37114c9 Derive a dynamic TS to multiple virtual IPs 2012-09-18 17:11:03 +02:00
Martin Willi abdb82fcc5 Use the vararg list constructor in quick mode task 2012-09-18 17:11:03 +02:00
Tobias Brunner a889cfe5e1 Change traffic selectors during Quick Mode in case of a NAT in transport mode
Windows 7 sends its internal address as TSi.  While we don't support the
NAT-T drafts as used by Windows XP it is interesting to note that the
client there omits the TSi payload which then would automatically get set
to the public IP address of the client.

Fixes #220.
2012-09-14 09:40:18 +02:00
Martin Willi d4cca1beea Always send a configuration payload in IKEv1 TRANSACTIONs, even if it is empty 2012-09-11 17:20:17 +02:00
Martin Willi c4acf37502 Don't use host address for dynamic TS in IKEv1 if a virtual IP was expected 2012-09-11 16:18:29 +02:00
Martin Willi 594c58e111 Pass the full list of pools to acquire_address, enumerate in providers
If the provider has access to the full pool list, it can enumerate
them twice, for example to search for existing leases first, and
only search for new leases in a second step.

Fixes lease enumeration in attr-sql using multiple pools.
2012-09-11 16:18:28 +02:00
Martin Willi f942588f95 Add a responder narrow() hook to change TS in the kernel, but not on the wire 2012-09-11 16:14:39 +02:00
Tobias Brunner d2e8f20d94 Clear virtual IPs before storing assigned ones on the IKE_SA
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.
2012-09-05 14:35:57 +02:00
Martin Willi 4c892fe533 In mode_config, destroy temporary pool list instead of the virtual IP list twice 2012-09-05 14:18:52 +02:00
Martin Willi b5d2bf975b Request and acquire multiple virtual IPs in IKEv1 Mode Config 2012-08-30 16:43:43 +02:00
Martin Willi d55fe264d1 Pass all configured pool names to attribute provider enumerator 2012-08-30 16:43:43 +02:00
Martin Willi feb8550401 Pass a list instead of a single virtual IP to attribute enumerators 2012-08-30 16:43:42 +02:00
Martin Willi 497ce2cf51 Support multiple address pools configured on a peer_cfg 2012-08-30 16:43:42 +02:00
Martin Willi 101d26babe Support multiple virtual IPs on peer_cfg and ike_sa classes 2012-08-30 16:43:42 +02:00
Tobias Brunner e4ef4c9877 Merge branch 'android-ndk'
This branch comes with some preliminary changes for the user-land IPsec
implementation and the Android App.

One important change is that the UDP ports used by the socket-default plugin
were made configurable (either via ./configure or strongswan.conf).
Also, the plugin does randomly allocate a port if it is configured to 0,
which is useful for client implementations.  A consequence of these
changes is that the local UDP port used when creating ike_cfg_t objects has
to be fetched from the socket.
2012-08-13 10:45:39 +02:00
Martin Willi cd55a3cb77 Use actual daemon name to enable XAuth/PSK with aggressive mode 2012-08-10 11:53:18 +02:00
Tobias Brunner b223d517c8 Replaced usages of CHARON_*_PORT with calls to get_port(). 2012-08-08 15:12:25 +02:00
Tobias Brunner e7ea057fd2 Make the UDP ports charon listens for packets on (and uses as source ports) configurable. 2012-08-08 15:07:43 +02:00
Martin Willi 8b560a4565 Implement late peer config switching after XAuth authentication
If additional authentication constraints, such as group membership,
are not fulfilled by an XAuth backend, we search for another
peer configuration that fulfills all constraints, including those
from phase 1.
2012-07-26 15:17:36 +02:00
Martin Willi 40ca05cff8 Check if XAuth round complies to configured authentication round 2012-07-26 12:40:27 +02:00
Martin Willi 9191946a63 Merge auth config items added from XAuth backends to IKE_SA 2012-07-26 12:07:48 +02:00
Martin Willi 87dd205b61 Add a return value to hasher_t.allocate_hash() 2012-07-16 14:55:06 +02:00
Tobias Brunner 92f207477c Check rng return value when generating fake NAT detection payloads 2012-07-16 14:53:35 +02:00
Reto Buerki 605985d122 Nonce: Let get_nonce, allocate_nonce return boolean 2012-07-16 14:53:34 +02:00
Martin Willi 07836f559d Send cert request based on peers configured authentication class 2012-07-10 17:15:59 +02:00