b01327b5e1
swanctl: Document PPKs
2018-09-18 10:12:45 +02:00
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
902dc29f7a
child-sa: Use SA matching mark as SA set mark if the latter is %same
...
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
2018-08-31 12:26:40 +02:00
b9aacf9adc
vici: Document kernel requirements for set_mark_in/set_mark_out options
2018-08-31 12:26:40 +02:00
60f7896923
vici: Make in-/outbound marks the SA should set configurable
2018-08-31 12:26:40 +02:00
c993eaf9d1
kernel: Add option to control DS field behavior
2018-08-29 11:36:04 +02:00
dc8b015d78
kernel: Add options to control DF and ECN header bits/fields via XFRM
...
The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.
Note: This implementation only works with Linux/Netlink/XFRM.
Based on a patch by Markus Sattler.
2018-08-29 11:36:04 +02:00
2c7a4b0704
swanctl: Document new HW offload options/behavior
2018-05-24 10:49:19 +02:00
e698bdea24
man: Fix documentation of pubkey constraints
...
Hash algorithms have to be repeated for multiple key types.
References #2514 .
2018-02-09 10:42:13 +01:00
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
...
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
2dad293647
ike: Do not send initial contact only for UNIQUE_NEVER
...
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-02 10:17:24 +01:00
2d244f178f
vici: Make setting mark on inbound SA configurable
2017-11-02 09:59:38 +01:00
32e5c49234
child-sa: Allow requesting different unique marks for in/out
...
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closes strongswan/strongswan#78 .
2017-08-07 14:22:27 +02:00
ae48325a59
swanctl: Include config snippets from conf.d subdirectory
...
Fixes #2371 .
2017-07-27 13:20:24 +02:00
93e0898f60
swanctl: Document eap_id in remote sections
2017-07-05 18:08:04 +02:00
0afe0eca67
vici: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
7c4f88d4be
vici: Make hardware offload configurable
2017-05-23 16:58:00 +02:00
46a3f92a76
Add an option to announce support for IKE fragmentation but not sending fragments
2017-05-23 16:41:57 +02:00
693107f6ae
swanctl: Reformulate IKEv1 selector restriction, describe problems with TS narrowing
2017-03-23 18:27:05 +01:00
d5a19a17dc
swanctl: Describe what happens when a FQDN is specified in local|remote_addrs
2017-03-20 10:18:51 +01:00
f927ba975b
vici: Add support for mediation extension
2017-02-16 19:24:09 +01:00
bd6ef6be7e
vici: Add support to load CA certificates from tokens and paths in authority sections
2017-02-16 19:24:08 +01:00
2f8354ca6c
vici: Add support to load certificates from file paths
...
Probably not that useful via swanctl.conf but could be when used via VICI.
2017-02-16 19:24:08 +01:00
00bf6a2a49
vici: Add support to load certificates from tokens
2017-02-16 19:24:08 +01:00
d2e3ff8e0c
swanctl: Add `token` secrets for keys on tokens/smartcards
2017-02-16 19:24:07 +01:00
ed105f45af
vici: Add support for NT Hash secrets
...
Fixes #1002 .
2017-02-16 19:23:51 +01:00
3bedf10b25
vici: Add support for IPv6 Transport Proxy Mode
2017-02-16 19:23:50 +01:00
e00bc9f6b2
vici: Add support for certificate policies
2017-02-16 19:23:50 +01:00
44fcc83310
vici: Add missing dscp setting for IKE_SAs
...
Fixes #2170 .
2017-02-16 19:23:31 +01:00
7caba2eb55
swanctl: Add 'private' directory/section to load any type of private key
2016-10-05 11:33:36 +02:00
d5c6a0bac4
vici: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
50721a61d8
vici: Make installation of outbound FWD policies configurable
2016-09-28 17:56:43 +02:00
f883cd6df6
swanctl: Document how DH groups in CHILD_SA proposals are applied
...
References #1039 .
2016-08-31 11:47:25 +02:00
c26e4330e7
Implemented IPsec policies restricted to given network interface
2016-04-09 16:51:02 +02:00
7f57c4f9fb
Support manually-set IPsec policy priorities
2016-04-09 16:51:01 +02:00
b31e8c04f2
swanctl: Fix documented directory name for remote pubkeys
2016-03-22 18:11:51 +01:00
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
130c485be6
swanctl: Document signature scheme constraints
2016-03-04 16:19:54 +01:00
b84e905482
swanctl: Fix minor typos in documentation
...
"UPD" should be "UDP".
Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
2016-02-29 11:05:44 +01:00
87371460f6
vici: Support of raw public keys
2016-01-09 07:23:29 +01:00
e333d4c0f1
swanctl.conf: IKEv2 fragmentation supported
2016-01-09 00:06:12 +01:00
9322e5b398
vici: Add option to disable policy installation for CHILD_SAs
2015-08-17 12:01:36 +02:00
63d370387d
vici: Certification Authority support added.
...
CDP and OCSP URIs for a one or multiple certification authorities
can be added via the VICI interface. swanctl allows to read
definitions from a new authorities section.
2015-07-21 13:02:30 +02:00
54cdf847cc
swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directory
2015-03-18 13:34:22 +01:00
f6511e36b5
vici: If a IKE reauth_time is configured, disable the default rekey_time
2015-03-03 13:49:14 +01:00
cc1682bef9
ipsec-types: Support the %unique mark value
2015-02-20 16:34:53 +01:00
5e92534313
vici: Add support for address range definitions of pools
2014-10-30 12:32:45 +01:00
9da2b19189
swanctl: Document identity type prefixes
2014-10-30 11:07:10 +01:00
8a59fa6467
swanctl: Document how connections.*.unique affects initiators
2014-09-09 10:56:15 +02:00
d236db8701
swanctl: Fix documentation of options for send_cert setting
2014-07-28 10:38:34 +02:00
Tobias Brunner