| Commit message | Author | Age | Files | Lines |
For instance, the NULL cipher has a block size of 1 but an IV length
of 0.
Fixes #854.
|
Implement a forecast plugin that supports forwarding of multi- and broadcast
messages between a LAN and clients or between connected clients. It uses
IPsec policy marks to send packets over multiple identical multi- and broadcast
policies.
|
Introduce a connmark plugin that uses Netfilter conntracks mark to select the
correct return-path SAs for client-initiated connections. This can be used
to distinguish transport mode clients behind the same NAT router.
Fixes #365.
|
In this test two hosts establish a transport mode connection from behind
moon. sun uses the connmark plugin to distinguish the flows.
This is an example that shows how one can terminate L2TP/IPsec connections
from two hosts behind the same NAT. For simplification of the test, we use
an SSH connection instead, but this works for any connection initiated flow
that conntrack can track.
|
Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.
To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.
The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.
|
As with other configuration backends, XAuth is activated with a two round
client authentication using pubkey and xauth. In load-tester, this is configured
with initiator_auth=pubkey|xauth.
Fixes #835.
|
Introduce an alternative make-before-break reauthentication scheme in addition
to the traditional break-before-make.
|
As we now reuse the reqid for identical SAs, the behavior changes for
transport connections to multiple peers behind the same NAT. Instead of
rejecting the SA, we now have two valid SAs active. For the reverse path,
however, sun sends traffic always over the newer SA, resembling the behavior
before we introduced explicit SA conflicts for different reqids.
|
As we now print the reqid parameter in the CHILD_SA details, adapt the grep
to still match the CHILD_SA mode and protocol.
|
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
|
Migrates the attribute framework and associated plugins from libhydra back
to libcharon. libcharon is the only user of this framework since pluto is gone.
With these changes, we can pass the full IKE_SA state to attribute providers
and handlers, bringing more flexibility to these plugins.
|
While it has some tests that we don't directly cover with the new unit tests,
most of them require special infrastructure and therefore have not been used
for a long time.
|
Since pluto is gone, all existing users build upon libcharon.
|
Fixes expires raised by charon-tkm to actually use a proto/dst/SPI tuple to
identify CHILD_SAs.
|
This test asserts that XFRM expire messages from the kernel are handled
correctly by the xfrm-proxy and the Esa Event Service (EES) in charon-tkm.
|
Use the new get_dst_host getter to retrieve the destination host from
the SAD using the reqid, spi and protocol values received from the
xfrm-proxy.
|
This function returns the destination host of an SAD entry for given
reqid, spi and protocol arguments or NULL if not found.
|
Store the remote instead of the local SPI in the SAD when adding a new
entry in the kernel plugin's add_sa() function.
Since only one ESA context must be destroyed for an inbound/outbound
CHILD SA pair, it does not matter which SPI is used to retrieve it in
the del_sa function.
|
Make the CHILD/ESP SA database a public member of the global tkm_t
struct.
|
Change 'test_runner' to 'test-runner'.
|