Tobias Brunner
b01327b5e1
swanctl: Document PPKs
2018-09-18 10:12:45 +02:00
Tobias Brunner
7f94528061
vici: Make PPK related options configurable
2018-09-10 18:03:02 +02:00
Martin Willi
902dc29f7a
child-sa: Use SA matching mark as SA set mark if the latter is %same
For inbound processing, it can be rather useful to apply the mark to the
packet in the SA, so the associated policy with that mark implicitly matches.
When using %unique as match mark, we don't know the mark beforehand, so
we most likely want to set the mark we match against.
2018-08-31 12:26:40 +02:00
Martin Willi
b9aacf9adc
vici: Document kernel requirements for set_mark_in/set_mark_out options
2018-08-31 12:26:40 +02:00
Tobias Brunner
60f7896923
vici: Make in-/outbound marks the SA should set configurable
2018-08-31 12:26:40 +02:00
Tobias Brunner
c993eaf9d1
kernel: Add option to control DS field behavior
2018-08-29 11:36:04 +02:00
Tobias Brunner
dc8b015d78
kernel: Add options to control DF and ECN header bits/fields via XFRM
The options control whether the DF and ECN header bits/fields are copied
from the unencrypted packets to the encrypted packets in tunnel mode (DF only
for IPv4), and for ECN whether the same is done for inbound packets.
Note: This implementation only works with Linux/Netlink/XFRM.
Based on a patch by Markus Sattler.
2018-08-29 11:36:04 +02:00
Tobias Brunner
2c7a4b0704
swanctl: Document new HW offload options/behavior
2018-05-24 10:49:19 +02:00
Tobias Brunner
e698bdea24
man: Fix documentation of pubkey constraints
Hash algorithms have to be repeated for multiple key types.
References #2514.
2018-02-09 10:42:13 +01:00
Tobias Brunner
fde0c763b6
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf
Also document the rsa/pss prefix.
2017-11-08 16:48:10 +01:00
Thomas Egerer
2dad293647
ike: Do not send initial contact only for UNIQUE_NEVER
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2017-11-02 10:17:24 +01:00
Tobias Brunner
2d244f178f
vici: Make setting mark on inbound SA configurable
2017-11-02 09:59:38 +01:00
Eyal Birger
32e5c49234
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
Using 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue, as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
2017-08-07 14:22:27 +02:00
Tobias Brunner
ae48325a59
swanctl: Include config snippets from conf.d subdirectory
Fixes #2371.
2017-07-27 13:20:24 +02:00
Tobias Brunner
93e0898f60
swanctl: Document eap_id in remote sections
2017-07-05 18:08:04 +02:00
Tobias Brunner
0afe0eca67
vici: Make 96-bit truncation for SHA-256 configurable
2017-05-26 11:22:28 +02:00
Tobias Brunner
7c4f88d4be
vici: Make hardware offload configurable
2017-05-23 16:58:00 +02:00
Tobias Brunner
46a3f92a76
Add an option to announce support for IKE fragmentation but not send fragments
2017-05-23 16:41:57 +02:00
Noel Kuntze
693107f6ae
swanctl: Reformulate IKEv1 selector restriction, describe problems with TS narrowing
2017-03-23 18:27:05 +01:00
Tobias Brunner
d5a19a17dc
swanctl: Describe what happens when a FQDN is specified in local|remote_addrs
2017-03-20 10:18:51 +01:00
Tobias Brunner
f927ba975b
vici: Add support for mediation extension
2017-02-16 19:24:09 +01:00
Tobias Brunner
bd6ef6be7e
vici: Add support to load CA certificates from tokens and paths in authority sections
2017-02-16 19:24:08 +01:00
Tobias Brunner
2f8354ca6c
vici: Add support to load certificates from file paths
Probably not that useful via swanctl.conf but could be when used via VICI.
2017-02-16 19:24:08 +01:00
Tobias Brunner
00bf6a2a49
vici: Add support to load certificates from tokens
2017-02-16 19:24:08 +01:00
Tobias Brunner
d2e3ff8e0c
swanctl: Add `token` secrets for keys on tokens/smartcards
2017-02-16 19:24:07 +01:00
Tobias Brunner
ed105f45af
vici: Add support for NT Hash secrets
Fixes #1002.
2017-02-16 19:23:51 +01:00
Tobias Brunner
3bedf10b25
vici: Add support for IPv6 Transport Proxy Mode
2017-02-16 19:23:50 +01:00
Tobias Brunner
e00bc9f6b2
vici: Add support for certificate policies
2017-02-16 19:23:50 +01:00
Tobias Brunner
44fcc83310
vici: Add missing dscp setting for IKE_SAs
Fixes #2170.
2017-02-16 19:23:31 +01:00
Tobias Brunner
7caba2eb55
swanctl: Add 'private' directory/section to load any type of private key
2016-10-05 11:33:36 +02:00
Tobias Brunner
d5c6a0bac4
vici: Enable IKE fragmentation by default
2016-10-04 10:08:21 +02:00
Tobias Brunner
50721a61d8
vici: Make installation of outbound FWD policies configurable
2016-09-28 17:56:43 +02:00
Tobias Brunner
f883cd6df6
swanctl: Document how DH groups in CHILD_SA proposals are applied
References #1039.
2016-08-31 11:47:25 +02:00
Andreas Steffen
c26e4330e7
Implemented IPsec policies restricted to given network interface
2016-04-09 16:51:02 +02:00
Andreas Steffen
7f57c4f9fb
Support manually-set IPsec policy priorities
2016-04-09 16:51:01 +02:00
Tobias Brunner
b31e8c04f2
swanctl: Fix documented directory name for remote pubkeys
2016-03-22 18:11:51 +01:00
Tobias Brunner
229cdf6bc8
vici: Order auth rounds by optional `round` parameter instead of by position in the request
2016-03-08 10:04:55 +01:00
Tobias Brunner
130c485be6
swanctl: Document signature scheme constraints
2016-03-04 16:19:54 +01:00
Chris Patterson
b84e905482
swanctl: Fix minor typos in documentation
"UPD" should be "UDP".
Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
2016-02-29 11:05:44 +01:00
Andreas Steffen
87371460f6
vici: Support of raw public keys
2016-01-09 07:23:29 +01:00
Andreas Steffen
e333d4c0f1
swanctl.conf: IKEv2 fragmentation supported
2016-01-09 00:06:12 +01:00
Tobias Brunner
9322e5b398
vici: Add option to disable policy installation for CHILD_SAs
2015-08-17 12:01:36 +02:00
Andreas Steffen
63d370387d
vici: Certification Authority support added.
CDP and OCSP URIs for one or multiple certification authorities
can be added via the VICI interface. swanctl allows reading
definitions from a new authorities section.
2015-07-21 13:02:30 +02:00
Martin Willi
54cdf847cc
swanctl: Support loading PKCS#12 containers from a pkcs12 swanctl directory
2015-03-18 13:34:22 +01:00
Martin Willi
f6511e36b5
vici: If an IKE reauth_time is configured, disable the default rekey_time
2015-03-03 13:49:14 +01:00
Martin Willi
cc1682bef9
ipsec-types: Support the %unique mark value
2015-02-20 16:34:53 +01:00
Tobias Brunner
5e92534313
vici: Add support for address range definitions of pools
2014-10-30 12:32:45 +01:00
Martin Willi
9da2b19189
swanctl: Document identity type prefixes
2014-10-30 11:07:10 +01:00
Tobias Brunner
8a59fa6467
swanctl: Document how connections.*.unique affects initiators
2014-09-09 10:56:15 +02:00
Tobias Brunner
d236db8701
swanctl: Fix documentation of options for send_cert setting
2014-07-28 10:38:34 +02:00