497ce2cf51
Support multiple address pools configured on a peer_cfg
2012-08-30 16:43:42 +02:00
101d26babe
Support multiple virtual IPs on peer_cfg and ike_sa classes
2012-08-30 16:43:42 +02:00
a21fac9a85
Log configured IKE_SA proposals as initiator
2012-08-24 13:43:14 +02:00
d2b4dff5dd
Log configured CHILD_SA proposals as initiator
2012-08-24 13:43:14 +02:00
1184493407
Fall back to local address as IKEv1 identity if nothing else is configured
2012-08-24 12:55:01 +02:00
20915d6fa7
Apply send delay before adding non-ESP marker
...
Otherwise the packet header could not be parsed correctly when NAT-T is
used.
2012-08-24 11:23:36 +02:00
014d007000
use pen_type_t for PA Message Subtype
2012-08-23 10:49:00 +02:00
078755d099
Added a method to enumerate registered EAP methods
2012-08-21 16:48:47 +02:00
e0d3014a17
Add a DNS attribute handler to updown, passing servers to updown script
2012-08-21 09:38:01 +02:00
63e460542c
Add a stroke attribute_handler requesting DNS servers given with leftdns
2012-08-21 09:38:01 +02:00
9937ca069a
Serve ipsec.conf rightdns servers through stroke attribute provider
2012-08-21 09:38:01 +02:00
17319aa28d
Add a left/rightdns keyword to configure connection specific DNS attributes
2012-08-21 09:38:00 +02:00
f26796deb5
Remove unused src/dst variables in send_no_marker()
2012-08-21 09:34:32 +02:00
10bdc7a968
Remove the unused second IKE_SA entry match function argument
...
LLVMs clang complains about this parameter, so remove it.
2012-08-20 17:42:14 +02:00
acf27437cd
Add keymat_t constructor registration function
...
Using the register_constructor function enables custom keymat_t
implementations per IKE version. If no constructor is registered the
default behavior is preserved.
2012-08-20 13:02:47 +02:00
ba27bf2af0
CAP_AUDIT_WRITE is now required by xauth-pam not eap-gtc plugin
2012-08-17 14:24:48 +02:00
113d2a6b99
Removed manual EAP method registration in eap-gtc plugin
2012-08-17 14:24:37 +02:00
91c0e0e3d9
Enable build of eap-tls, eap-ttls and eap-peap on Android
2012-08-17 13:55:44 +02:00
aaefeafb49
Enable UDP decapsulation for both address families
...
Since the 3.5 Linux kernel both UDP implementations have a separate static
flag to indicate whether ANY sockets enabled UDP decapsulation.
As we only ever enabled it for one address family (in earlier versions IPv4
only, now for IPv6, if supported, and for IPv4 otherwise) UDP decapsulation
wouldn't work anymore (at least for one address family).
2012-08-16 15:26:37 +02:00
11b514bff6
Correctly transmit EAP-MSCHAPv2 user name if it contains a domain part
2012-08-16 10:03:49 +02:00
09ae3d79ca
Merge branch 'android-app'
...
This branch introduces a userland IPsec implementation (libipsec) and an
Android App which targets the VpnService API that is provided by Android 4+.
The implementation is based on the bachelor thesis 'Userland IPsec for
Android 4' by Giuliano Grassi and Ralf Sager.
2012-08-13 12:07:52 +02:00
e4ef4c9877
Merge branch 'android-ndk'
...
This branch comes with some preliminary changes for the user-land IPsec
implementation and the Android App.
One important change is that the UDP ports used by the socket-default plugin
were made configurable (either via ./configure or strongswan.conf).
Also, the plugin does randomly allocate a port if it is configured to 0,
which is useful for client implementations. A consequence of these
changes is that the local UDP port used when creating ike_cfg_t objects has
to be fetched from the socket.
2012-08-13 10:45:39 +02:00
000668d308
Doxygen fix
2012-08-11 16:50:22 +02:00
cd55a3cb77
Use actual daemon name to enable XAuth/PSK with aggressive mode
2012-08-10 11:53:18 +02:00
27128c1e32
EAP-GTC can use any XAuth backend, including xauth-pam
...
This makes EAP-GTC a generic plain password authentication method,
as it is used with XAuth. Instead of verifying credentials with
PAM, any backend can be configured. The default is xauth-pam,
providing the same functionality as EAP-GTC in strongSwan 4.x.
2012-08-10 10:43:44 +02:00
b9e4916321
Add xauth-pam, an XAuth backend verifying credentials with PAM
2012-08-10 10:43:44 +02:00
da21793679
make max_message_size parameter consistent with similar options
2012-08-09 14:11:08 +02:00
053276e69a
Use a CALLBACK feature to create charon's sender and receiver
2012-08-08 15:41:02 +02:00
5764a9b355
Moved packet_t to libstrongswan
2012-08-08 15:41:02 +02:00
f3fefb1847
Increase log verbosity when sending NAT keep-alives
2012-08-08 15:41:02 +02:00
6d11dd5770
Only log the sending of regular packets in sender_t
...
When sender_t is used to send ESP packets this would otherwise cause an extreme
amount of debug messages.
With this change all messages sent via sender_t.send_no_marker() cause no extra
DBG1 log message, but for debugging purposes the socket plugins do log the same
message again with DBG2 for all packets.
2012-08-08 15:41:02 +02:00
6fbf4472ea
Added option to prevent socket-default from setting the source address on outbound packets
2012-08-08 15:39:07 +02:00
224ab4c59b
socket-default plugin allocates random ports if configured to 0.
...
Also added strongswan.conf options to change the ports.
2012-08-08 15:30:27 +02:00
b223d517c8
Replaced usages of CHARON_*_PORT with calls to get_port().
2012-08-08 15:12:25 +02:00
a7babe25ee
Added get_port() method to socket_t to learn the listening port.
2012-08-08 15:12:25 +02:00
75f8316332
Use send_no_marker to send NAT keepalives.
2012-08-08 15:12:25 +02:00
30dc7dff4d
Avoid double-free when prepending Non-ESP marker.
2012-08-08 15:12:25 +02:00
fb6c52adcd
Function added to send packets without Non-ESP marker.
2012-08-08 15:12:25 +02:00
fe4a152b85
Avoid unnecessary copy of packet data when removing Non-ESP marker.
2012-08-08 15:12:25 +02:00
73470cfe57
Added packet_t.skip_bytes method to skip bytes at the start of a packet.
2012-08-08 15:12:25 +02:00
896941d365
Improved how NAT-T keepalives are handled in sockets/receiver.
2012-08-08 15:12:24 +02:00
e49abcede0
Let kernel interfaces decide how to enable UDP decapsulation of ESP packets.
2012-08-08 15:12:24 +02:00
08b2ce7aa7
Callback for ESP packets added to receiver.
2012-08-08 15:12:24 +02:00
064da8b96b
Add Non-ESP marker in sender and not individual socket plugins.
2012-08-08 15:12:24 +02:00
65da43e2fc
Handle Non-ESP marker in receiver and not individual socket plugins.
2012-08-08 15:12:24 +02:00
162621ed57
Moved Android specific logger to separate plugin.
...
This is mainly because the other parts of the existing android plugin
can not be built in the NDK (access to keystore and system properties are
not part of the stable NDK libraries).
2012-08-08 15:07:43 +02:00
657a3ba609
Link android plugin against liblog in the NDK.
...
Doesn't seem to hurt the build within the source tree.
2012-08-08 15:07:43 +02:00
e7ea057fd2
Make the UDP ports charon listens for packets on (and uses as source ports) configurable.
2012-08-08 15:07:43 +02:00
4e98ca1800
Remove queued IKEv1 message before processing it
...
Avoids destruction or processing of a queued message in
recursive process_message() call.
2012-08-08 14:54:03 +02:00
6204c1182d
Include src address in hash of initial message for Main Mode
...
If two initiators use the same SPI and also use the same SA proposal the
hash for the initial message would be exactly the same. For IKEv2 and
Aggressive Mode that's not a problem as these messages include random
data (Ni, KEi payloads).
2012-08-08 14:47:36 +02:00
9c2f08860d
Add DH group 15 (MODP-3072) to IKE proposal
2012-08-06 11:22:33 +02:00
764035d515
Block XAuth transaction on established IKE_SAs, but allow Mode Config
2012-08-03 13:07:57 +02:00
f02a305569
Fix linking of addrblock plugin when building monolithic
...
Fixes #212 .
2012-08-03 10:50:21 +02:00
394b9f6b65
Reject initial exchange messages early once IKE_SA is established
2012-08-02 13:04:54 +02:00
f701ba8389
Lookup IKEv1 PSK even if the peer identity is not known
2012-07-31 15:39:33 +02:00
63ac6d00b0
Proper fallback if capability dropping is not available
2012-07-27 14:46:42 +02:00
d511a71daa
Include stdint.h for UINTxx_MAX defines
...
Fixes #205 .
2012-07-27 13:47:59 +02:00
777bcdc0d5
Don't include acquiring packet traffic selectors in IKEv1
...
As we only can negotiate a single TS in IKEv1, don't prepend the
triggering packet TS, as we do in IKEv2. Otherwise we don't establish
the TS of the configuration, but only that of the triggering packet.
Fixes #207 .
2012-07-26 15:45:49 +02:00
8b560a4565
Implement late peer config switching after XAuth authentication
...
If additional authentication constraints, such as group membership,
is not fulfilled by an XAuth backend, we search for another
peer configuration that fulfills all constraints, including those
from phase1.
2012-07-26 15:17:36 +02:00
40ca05cff8
Check if XAuth round complies to configured authentication round
2012-07-26 12:40:27 +02:00
874f7c7e2c
Don't add ANY identity constraint to auth config, as XAuth rounds don't use one
2012-07-26 12:38:34 +02:00
9191946a63
Merge auth config items added from XAuth backends to IKE_SA
2012-07-26 12:07:48 +02:00
46df61dff7
Add an ipsec.conf leftgroups2 parameter for the second authentication round
2012-07-26 11:51:58 +02:00
81419807f5
Release leaking child config after uninstalling shunt policy
2012-07-23 17:15:40 +02:00
73514b3217
Don't print hexdumps on loglevel 1 if hash verification fails
2012-07-20 17:36:27 +02:00
09e3717525
Fix EAP-MSCHAPv2 master key derivation, broken with 87dd205b
2012-07-18 16:46:05 +02:00
6719889e0a
Use centralized hasher names in coupling plugin
2012-07-17 17:32:03 +02:00
931da8202b
handled return values in tnc-pdp
2012-07-16 22:54:38 +02:00
ff9e46772f
Handle PRF failures in eap-aka-3gpp2
2012-07-16 14:55:08 +02:00
a564e4ca77
Refactored error handling in keymat_v1_t
2012-07-16 14:55:07 +02:00
4decfae6c2
Clean up error handling in keymat_v2_t
2012-07-16 14:55:07 +02:00
511f0b18b9
Cleaned up memory management and return values for encryption payload
2012-07-16 14:55:07 +02:00
87dd205b61
Add a return value to hasher_t.allocate_hash()
2012-07-16 14:55:06 +02:00
e185612dd8
Add a return value to keymat_v1_t.{get,update,confirm}_iv
2012-07-16 14:55:06 +02:00
8bd6a30af1
Add a return value to hasher_t.get_hash()
2012-07-16 14:55:06 +02:00
ce73fc19db
Add a return value to crypter_t.set_key()
2012-07-16 14:53:38 +02:00
3b96189a2a
Add a return value to crypter_t.decrypt()
2012-07-16 14:53:38 +02:00
e35abbe588
Add a return value to crypter_t.encrypt
2012-07-16 14:53:37 +02:00
e59f983160
Check rng return value when generating identity in eap-simaka-reauth plugin
2012-07-16 14:53:36 +02:00
e37f9ac2c9
Check rng return value when generating pseudonym in eap-simaka-pseudonym plugin
2012-07-16 14:53:36 +02:00
8beeb8e116
Check rng return value when generating nonces in eap-aka plugin
2012-07-16 14:53:36 +02:00
18ce1bb721
Check rng return value when generating nonces in eap-sim plugin
2012-07-16 14:53:36 +02:00
10b6ca5fb2
Check rng return value when generating RAND in eap-aka-3gpp2 plugin
2012-07-16 14:53:36 +02:00
162f489a27
Check rng return value when generating challenges in eap-md5 and mschapv2 plugins
2012-07-16 14:53:36 +02:00
7ae2671036
Check rng return value when generating Transaction IDs in DHCP plugin
2012-07-16 14:53:36 +02:00
f1c78cfee7
Check rng return value when generating ME CONNECT_ID and KEY
2012-07-16 14:53:35 +02:00
1bb9c51e87
Check rng return value when generating IKEv1 message IDs
2012-07-16 14:53:35 +02:00
504918348d
Check rng return value when generating COOKIE2 during MOBIKE
2012-07-16 14:53:35 +02:00
0c096e9bb5
Check rng return value when generating COOKIE secret in receiver
2012-07-16 14:53:35 +02:00
92f207477c
Check rng return value when generating fake NAT detection payloads
2012-07-16 14:53:35 +02:00
ca9b68eb9e
Check rng return value when encrypting encryption payload
2012-07-16 14:53:35 +02:00
5d91d8c469
Check rng return value when generating SPIs in ike_sa_manager_t
2012-07-16 14:53:35 +02:00
605985d122
Nonce: Let get_nonce, allocate_nonce return boolean
2012-07-16 14:53:34 +02:00
f3ca96b2bf
Add a return value to prf_t.set_key()
2012-07-16 14:53:34 +02:00
ecc080b393
Add a return value to prf_t.allocate_bytes()
2012-07-16 14:53:34 +02:00
a7e6539135
Use a bool return value in keymat_v1_t.get_hash_phase2()
2012-07-16 14:53:34 +02:00
e4c5c1d03e
Add a return value to keymat_v1_t.get_hash()
2012-07-16 14:53:34 +02:00
bb1e0c59e1
Add a return value to keymat_v2_t.get_auth_octets()
2012-07-16 14:53:34 +02:00
2baae8e3ea
Add a return value to keymat_v2_t.get_psk_sig()
2012-07-16 14:53:34 +02:00
bc47488323
Add a return value to prf_t.get_bytes()
2012-07-16 14:53:33 +02:00
edd54734c8
prf_plus_create() can return NULL on failure
2012-07-16 14:53:33 +02:00
5d79e6c6b4
Add a return value to prf_plus_t.allocate_bytes()
2012-07-16 14:53:33 +02:00
2d56575d52
Add a return value to signer_t.set_key()
2012-07-16 14:53:33 +02:00
86d2cdc1ed
Add a return value to simaka_crypto_t.derive_keys_*()
2012-07-16 14:53:33 +02:00
5fb719e0de
Add a return value to radius_message_t.sign()
2012-07-16 14:53:33 +02:00
264e702109
Add a return value to simaka_message_t.generate()
2012-07-16 14:53:33 +02:00
ad08730a4b
Add a return value to aead_t.set_key()
2012-07-16 14:53:32 +02:00
e2ed7bfd22
Add a return value to aead_t.encrypt()
2012-07-16 14:53:32 +02:00
d19f0ae3e0
Don't modify the message string passed to logger, as it gets reused
2012-07-13 15:43:04 +02:00
c6343cf0ad
Log to a malloc()ed buffer if the on-stack buffer is not large enough
2012-07-13 13:23:29 +02:00
1b40b74de0
Pass opaque data to printf hooks and print_in_hook()
2012-07-13 13:23:29 +02:00
893c3a4ead
Simplify NAT-D payload creation if UDP encapsulation is forced
...
We don't need any address lookups in that case as the content of the
payload is generated randomly anyway.
2012-07-13 11:13:43 +02:00
22e97e4f1f
updated Copyright info
2012-07-13 10:42:40 +02:00
968c83cdeb
restrict PA-TNC messages to maximum size
2012-07-12 21:26:18 +02:00
8d98f7fef6
Avoid that any % characters (e.g. in %any) are evaluated when logging via stroke
2012-07-12 16:58:00 +02:00
c9c3da66a8
removed unused variables
2012-07-11 23:15:44 +02:00
c56667f1db
fixed logging of unsupported TNCCS version
2012-07-11 17:09:05 +02:00
1de4af66d5
PB-TNC Client sends empty CLOSE batch only in DECIDED state
2012-07-11 17:09:05 +02:00
a287a3cdcd
have_recommendation() accepts NULL arguments
2012-07-11 17:09:05 +02:00
b8b678a567
send empty SDATA batch if no recommendation is available yet, but in order to avoid loops only if no empty CDATA batch was received
2012-07-11 17:09:05 +02:00
a5c79d0175
moved batch size calculation into pb_tnc_batch_t
2012-07-11 17:09:05 +02:00
d7dcbc95a9
make maximum PB-TNC batch size configurable
2012-07-11 17:09:05 +02:00
3a16bec8f9
limit the size of a PB-TNC batch to the maximum EAP-TNC packet size
2012-07-11 17:09:05 +02:00
6245edf37e
eliminate message length field in EAP-TNC
2012-07-11 17:09:05 +02:00
a04c51aea9
due to single fragment, total length does not have to be included
2012-07-11 17:09:04 +02:00
4492ffc907
EAP-TNC does not support fragmentation
2012-07-11 17:09:04 +02:00
07836f559d
Send cert request based on peers configured authentication class
2012-07-10 17:15:59 +02:00
3128e7fa7c
Don't send CERTREQs when initiating aggressive mode PSK
2012-07-09 12:05:23 +02:00
0619ddfaa4
Refactored heavily #ifdefd capability code to its own libstrongswan class
2012-07-04 11:01:40 +02:00
644c6c968d
Use spin locks to update IKE_SAs in controller_t
...
This ensures the listeners don't miss any events after the SAs have been
checked out in the asynchronously executed jobs. This is a matter of
memory visibility and not primary a matter of exclusive access.
2012-07-04 10:13:50 +02:00
c9355ea4a0
Fixed job handling in controller_t
...
Also IKE_SAs are now checked out in the jobs and not before.
2012-07-04 10:13:49 +02:00
9d2968e272
As a responder, don't start a TRANSACTION request if we expect one from the initiator
2012-06-29 13:40:31 +02:00
5f451f2d6a
IMCs and IMVs might depend on X.509 certificates or trusted public keys
2012-06-28 17:55:02 +02:00
0f018a7324
Show some uname() info in "ipsec statusall"
2012-06-28 11:56:40 +02:00
bd858af851
libcharon also requires kernel interfaces and a socket implementation
2012-06-27 12:15:09 +02:00
271377905d
Defer quick mode initiation if we expect a mode config request
2012-06-27 11:42:56 +02:00
8ff45cfd99
Queue a mode config task as responder if we need a virtual IP
2012-06-27 11:42:56 +02:00
c2a391746c
Add basic support for XAuth responder authentication
2012-06-27 11:42:56 +02:00
a9aa75b90e
Map XAuth responder authentication methods between IKEv1 and IKEv2
2012-06-27 11:42:56 +02:00
dc6d259635
Show remote EAP/XAuth identity in "statusall" on a separate line
2012-06-27 11:42:00 +02:00
aa54ecef44
Use static plugin features in libcharon to define essential dependencies
2012-06-27 11:31:16 +02:00
5def45b890
Ignore a received %any virtual IP for installation
2012-06-26 18:00:40 +02:00
9866c26c5b
Also build charon's IKEv1 implementation on Android
2012-06-26 07:56:15 +02:00
8497c5d147
Missing source file added to libcharon's Android.mk
2012-06-26 07:56:15 +02:00
e0efd7c121
Make rescheduling a job more predictable
...
This avoids race conditions between calls to cancel() and jobs that like
to be rescheduled. If jobs were able to reschedule themselves it would
theoretically be possible that two worker threads have the same job
assigned (the one currently executing the job and the one executing the
same but rescheduled job if it already is time to execute it), this means
that cancel() could be called twice for that job.
Creating a new job based on the current one and reschedule that is also
OK, but rescheduling itself is more efficient for jobs that need to be
executed often.
2012-06-25 17:49:12 +02:00
26d77eb3e6
Centralized thread cancellation in processor_t
...
This ensures that no threads are active when plugins and the rest of the
daemon are unloaded.
callback_job_t was simplified a lot in the process as its main
functionality is now contained in processor_t. The parent-child
relationships were abandoned as these were only needed to simplify job
cancellation.
2012-06-25 17:38:59 +02:00
7fec83af28
Give processor_t more control over the lifecycle of a job
...
Jobs are now destroyed by the processor, but they are allowed to
reschedule themselves. That is, parts of the reschedule functionality
already provided by callback_job_t is moved to the processor. Not yet
fully supported is JOB_REQUEUE_DIRECT and canceling jobs.
Note: job_t.destroy() is now called not only for queued jobs but also
after execution or cancellation of jobs. job_t.status can be used to
decide what to do in said method.
2012-06-25 17:10:28 +02:00
554a697a84
support Cisco Unity VID
2012-06-25 11:09:06 +02:00
0ba1ddaa24
Enforce uniqueids=keep based on XAuth identity
2012-06-25 10:18:35 +02:00
f145ea29e0
Don't send XAUTH_OK if a hook prevents SA to establish
2012-06-25 10:18:35 +02:00
0c32b9c62f
Enforce uniqueids=keep only for non-XAuth Main/Agressive Modes
2012-06-25 10:18:35 +02:00
dd1381e7d3
Show EAP/XAuth identity in "ipsec status", if available
2012-06-25 10:18:35 +02:00
0fbfcf2a3a
Use XAuth/EAP remote identity for uniqueness check
2012-06-25 10:18:34 +02:00
de5e8fb4e0
Add missing XAuth name variable when complaining about missing XAuth backend
2012-06-25 10:09:27 +02:00
e91157a4b6
Fix SIGSEGV if kernel install fails during Quick Mode as responder.
2012-06-22 11:34:38 +02:00
aa8898bc45
Fixed compile error because of charon->name in certexpire plugin.
2012-06-21 13:59:18 +02:00
e2dd114f37
Select requested virtual IP family based on remote TS, if no local TS available
2012-06-20 10:02:01 +02:00
af518b450e
Adopt children as XAuth initiator (which is IKE responder)
2012-06-14 14:49:19 +02:00
137035cc78
Show what kind of *Swan we run in "ipsec status"
2012-06-14 10:25:48 +02:00
b31a56f128
Require a scary option to respond to Aggressive Mode PSK requests
...
While Aggressive Mode PSK is widely used, it is known to be subject
to dictionary attacks by passive attackers. We don't complain as
initiator to be compatible with existing (insecure) setups, but
require a scary strongswan.conf option if someone wants to use it
as responder.
2012-06-14 10:25:48 +02:00
f7cbc0fafe
Use proper defines for IPV6_PKTINFO on Mac OS X Lion and newer.
2012-06-13 15:02:10 +02:00
e35bbb9740
Added signature scheme options left/rightauth
2012-06-12 15:01:39 +02:00
a37f2d2006
certificate_t->issued_by takes an argument to receive signature scheme
2012-06-12 14:24:49 +02:00
fd03443f42
added missing parameter in get_my_addr() and get_other_addr() calls
2012-06-09 14:06:45 +02:00
1d315bddd3
implemented the right|leftallowany feature
2012-06-08 21:24:41 +02:00
e5f0f9ff96
Enforce uniqueness policy in IKEv1 main and aggressive modes
2012-06-08 16:15:22 +02:00
82ad53b776
Try to rekey without KE exchange if peer returns INVALID_KE_PAYLOAD(NONE)
...
According to RFC5996, implementations should just ignore the KE payload
if they select a non-PFS proposals. Some implementations don't, but
return MODP_NONE in INVALID_KE_PAYLOAD, hence we accept that, too.
2012-06-08 10:35:02 +02:00
2d4c347af9
While checking for redundant quick modes, compare traffic selectors
...
If a configuration is instanced more than once using narrowing,
we should keep all unique quick modes up during rekeying.
2012-06-08 10:22:03 +02:00
106b938b6b
Store shorter soft lifetime of in- and outbound SAs only
2012-06-08 10:22:03 +02:00
7a5f372c57
Initiate quick mode rekeying with narrowed traffic selectors
2012-06-08 10:22:03 +02:00
d61f2906d4
Use traffic selectors passed to quick mode constructor as initiator
2012-06-08 10:22:03 +02:00
1e24fa4614
Instead of rekeying, delete a quick mode if we have a fresher instance
...
If both peers initiate quick mode rekeying simultaneously, we end up
with duplicate SAs for a configuration. This can't be avoided, nor do
the standards provide an appropriate solution. Instead of closing one
SA immediately, we keep both. But once rekeying triggers, we don't
refresh the SA with the shorter soft lifetime, but delete it.
2012-06-08 10:22:03 +02:00
ab24a32edf
As responder, enforce the same configuration while rekeying CHILD_SAs
2012-06-06 16:06:49 +02:00
21043198ff
Show expiration time of rekeyed CHILD_SAs in statusall
2012-06-05 10:29:43 +02:00
c8f7a114b6
Mark CHILD_SAs used for trap policies to uninstall them properly.
...
If the installation failed the state is not CHILD_ROUTED which means the
wrong priority is used to uninstall the policies. This is a problem for
kernel interfaces that keep track of installed policies as now the proper
policy is not found (if the priority is considered).
2012-06-04 18:04:48 +02:00
77e4282643
Avoid queueing more than one retry initiate job.
2012-05-30 15:32:52 +02:00
60c82591c5
Retry IKE_SA initiation if DNS resolution failed.
...
This is disabled by default and can be enabled with the
charon.retry_initiate_interval option in strongswan.conf.
2012-05-30 15:32:52 +02:00
eac9d77059
Job added to re-initiate an IKE_SA.
2012-05-30 15:32:52 +02:00
53915f14ae
Fix MOBIKE address update if responder address changed.
...
Use the source address of the current MOBIKE message as peer address
instead of assuming the address cached on the IKE_SA is still valid.
2012-05-25 17:05:53 +02:00
a46fe56858
Resolve hosts before reauthenticating due to address change.
2012-05-25 17:05:53 +02:00
c6da59f014
Don't queue delete_ike_sa job when setting IKE_DELETING.
...
This avoids deleting IKE_SAs during reauthentication (without
trying to reestablish them).
2012-05-25 17:05:53 +02:00
7457143072
During reauthentication reestablish IKE_SA even if deleting the old one fails.
2012-05-25 17:05:53 +02:00
23470d849a
Integrated main parts of IKE_REAUTH task into ike_sa_t.reestablish.
2012-05-25 17:05:53 +02:00
12715f1953
Fixed route lookup in case MOBIKE is not enabled.
2012-05-25 17:05:53 +02:00
daab61e51f
Added encapsulation mode transform attribute to IPComp proposal.
2012-05-25 09:26:42 +02:00
6695b48582
Add an additional proposal without IPComp to SA payload.
2012-05-24 15:32:28 +02:00
3451ecd7ac
Added log message if peer does not accept/provide IPComp proposal.
2012-05-24 15:32:28 +02:00
47b448b807
Added support to negotiate IPComp during Quick Mode.
2012-05-24 15:32:28 +02:00
647cd741e8
Added support for IKEv1 IPComp proposals in SA payload.
2012-05-24 15:32:28 +02:00
7a75cae856
Added support for IKEv1 IPComp proposals in proposal substructure.
2012-05-24 15:32:27 +02:00
00e11bcefd
Fix memleak during Quick Mode in case no SPI can be allocated from kernel.
2012-05-24 15:32:27 +02:00
624bb24d12
Properly filter IKEv1 proposals consisting of multiple proposal payloads.
...
Since a proposal_t object is created for each transform contained in the
proposal payload, it does not work to simply remove the last proposal_t
object added to the list (there may be several other extracted from the
previous proposal payload).
2012-05-24 15:32:27 +02:00
3c475660c5
Apply IDir before deriving keys as aggressive initiator
2012-05-23 12:27:47 +02:00
523ce7c20c
Use received identity to look up PSK as aggressive responder
2012-05-23 12:18:45 +02:00
51754f6654
Check if we actually have an initiating packet to free while processing responses
2012-05-23 11:50:12 +02:00
2ac996cb71
list IKEv1 Aggressive Mode in ipsec statusall
2012-05-23 11:12:27 +02:00
1a624ff45a
Switch to alternative peer config in IKEv1 Main and Aggressive Mode.
2012-05-21 15:49:25 +02:00
17949695bf
Cancel pending retransmits when flushing active task queue
2012-05-21 14:57:33 +02:00
4ce92ef350
Cancel active quick mode task when receiving INFORMATIONAL error
2012-05-21 14:57:33 +02:00
7ce504e182
Flush task queues explicitly, not implicitly if task returns ALREADY_DONE
2012-05-21 14:17:09 +02:00
Martin Willi