Commit log (commit message, author, date, files changed, lines removed/added)
* ikev2: Compare initiator flag again, partially reverts 17ec1c74de
  Tobias Brunner, 2015-08-20, 2 files, -1/+5

  We should ignore messages that have the flag set incorrectly. This restores RFC compliance which was broken since the mentioned commit.
* ikev2: Drop IKE_SA_INIT messages that don't have the initiator flag set
  Tobias Brunner, 2015-08-20, 1 file, -1/+3

  While this doesn't really create any problems it is not 100% correct to accept such messages because, of course, the sender of an IKE_SA_INIT request is always the original initiator of an IKE_SA. We currently don't check the flag later, so we wouldn't notice if the peer doesn't set it in later messages (ike_sa_id_t.equals doesn't compare it anymore since we added support for IKEv1, in particular since 17ec1c74de).
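The check the two commits above describe, as an added example that is not strongSwan's code: a parser for the fixed 28-byte IKEv2 header (layout and flag bits from RFC 7296, section 3.1) that drops an IKE_SA_INIT request whose Initiator flag is clear. The function and constant names are mine, and ike_build_header() only constructs test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not strongSwan code: validate the flags of a received IKEv2
 * message against its exchange type. The only rule enforced is the one from
 * the commits above: an IKE_SA_INIT request must carry the Initiator flag,
 * because its sender is by definition the original initiator of the IKE_SA. */

#define IKE_HEADER_LEN        28
#define IKEV2_MAJOR_VERSION   2
#define IKE_SA_INIT           34

/* Bits of the Flags octet (RFC 7296, section 3.1). */
#define IKEV2_FLAG_INITIATOR  0x08
#define IKEV2_FLAG_VERSION    0x10
#define IKEV2_FLAG_RESPONSE   0x20

enum ike_verdict {
    IKE_ACCEPT = 0,
    IKE_DROP_SHORT,              /* fewer than 28 bytes received */
    IKE_DROP_VERSION,            /* major version is not 2 */
    IKE_DROP_INIT_NOT_INITIATOR  /* IKE_SA_INIT request without the I flag */
};

struct ike_header {
    uint8_t  spi_i[8];
    uint8_t  spi_r[8];
    uint8_t  next_payload;
    uint8_t  version;            /* MjVer in the high nibble, MnVer in the low */
    uint8_t  exchange_type;
    uint8_t  flags;
    uint32_t message_id;
    uint32_t length;
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse and check a header; hdr may be NULL if only the verdict is wanted. */
enum ike_verdict ike_check_header(const uint8_t *buf, size_t len,
                                  struct ike_header *hdr)
{
    struct ike_header h;

    if (len < IKE_HEADER_LEN) {
        return IKE_DROP_SHORT;
    }
    memcpy(h.spi_i, buf, 8);
    memcpy(h.spi_r, buf + 8, 8);
    h.next_payload  = buf[16];
    h.version       = buf[17];
    h.exchange_type = buf[18];
    h.flags         = buf[19];
    h.message_id    = get_be32(buf + 20);
    h.length        = get_be32(buf + 24);
    if (hdr) {
        *hdr = h;
    }
    if ((h.version >> 4) != IKEV2_MAJOR_VERSION) {
        return IKE_DROP_VERSION;
    }
    /* A request (R clear) of the IKE_SA_INIT exchange can only come from the
     * original initiator, so I must be set. Responses and later exchanges are
     * deliberately not checked here, matching the scope of the commit. */
    if (h.exchange_type == IKE_SA_INIT && !(h.flags & IKEV2_FLAG_RESPONSE) &&
        !(h.flags & IKEV2_FLAG_INITIATOR)) {
        return IKE_DROP_INIT_NOT_INITIATOR;
    }
    return IKE_ACCEPT;
}

/* Constructed test input: fixed initiator SPI, zero responder SPI, IKE 2.0,
 * message ID 0, next payload SA (33), length = header only. */
void ike_build_header(uint8_t out[IKE_HEADER_LEN], uint8_t exchange_type,
                      uint8_t flags)
{
    static const uint8_t spi_i[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

    memset(out, 0, IKE_HEADER_LEN);
    memcpy(out, spi_i, 8);
    out[16] = 33;
    out[17] = IKEV2_MAJOR_VERSION << 4;
    out[18] = exchange_type;
    out[19] = flags;
    out[27] = IKE_HEADER_LEN;        /* big-endian length, fits in one byte */
}
```

A request with R clear and I clear is the case the commit drops; an IKE_SA_INIT response (R set, I clear) is accepted, as is a request with I set.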
* ikev1: Pass current auth-cfg when looking for key to determine auth method
  Tobias Brunner, 2015-08-19, 1 file, -1/+1

  If multiple certificates use the same subjects we might choose the wrong one otherwise. This way we use the one referenced with leftcert and stored in the auth-cfg and we actually do the same thing later in the pubkey authenticator.

  Fixes #1077.

* ikev2: Store outer EAP method used to authenticate remote peer in auth-cfg
  Tobias Brunner, 2015-08-19, 1 file, -0/+9

  This allows symmetric configuration of EAP methods (i.e. the same value in leftauth and rightauth) when mutual EAP-only authentication is used. Previously the client had to configure rightauth=eap or rightauth=any, which prevented it from using this same config as responder.

* imc: get_default_pwd_status(), as it currently is, works on Windows too
  Tobias Brunner, 2015-08-19, 1 file, -8/+8

  This fixes the build on Windows.

* ike: Use the original port when remote resolves to %any
  Tobias Brunner, 2015-08-19, 1 file, -1/+3

  When reestablishing the IKE_SA we should still use the original port when right resolves to %any as some implementations might not like initial IKE messages on port 4500 (especially for IKEv1).

* testing: Add ikev2/trap-any scenario
  Tobias Brunner, 2015-08-19, 17 files, -0/+181

* trap-manager: Enable auto=route with right=%any for transport mode connections
  Tobias Brunner, 2015-08-19, 1 file, -27/+118

  Fixes #196.
* Version bump to 5.3.3dr6 (tag: 5.3.3dr6)
  Andreas Steffen, 2015-08-19, 1 file, -1/+1

* Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario
  Andreas Steffen, 2015-08-18, 2 files, -16/+45

* Added reason string support to HCD IMV
  Andreas Steffen, 2015-08-18, 3 files, -8/+88

* Fixed patches format delimited by CR/LF
  Andreas Steffen, 2015-08-18, 6 files, -76/+82

* Added imc-hcd attributes to strongswan.conf
  Andreas Steffen, 2015-08-18, 3 files, -0/+75

* testing: Added tnc/tnccs-20-hcd-eap scenario
  Andreas Steffen, 2015-08-18, 24 files, -0/+674

* Use PWG HCD PA-TNC subtypes to transport HCD attributes
  Andreas Steffen, 2015-08-18, 5 files, -118/+276

* Add default password determination capability to os_info
  Andreas Steffen, 2015-08-18, 2 files, -2/+18

* Reintroduced ietf_attr_fwd_enabled()
  Andreas Steffen, 2015-08-18, 5 files, -1/+319

* Defined PWG HCD PA-TNC subtypes
  Andreas Steffen, 2015-08-18, 4 files, -96/+217

* Added os_info support to HCD IMC
  Andreas Steffen, 2015-08-18, 1 file, -0/+14

* Subscribed Scanner IMC/IMV to IETF_FIREWALL PA subtype
  Andreas Steffen, 2015-08-18, 2 files, -4/+4

* testing: enable HCD IMC and IMV
  Andreas Steffen, 2015-08-18, 1 file, -0/+2

* Implemented HCD IMC and IMV
  Andreas Steffen, 2015-08-18, 12 files, -1/+1956

* Defined HCD PA subtype in PWG namespace
  Andreas Steffen, 2015-08-18, 2 files, -2/+32

* Completed implementation of PWG HCD attributes
  Andreas Steffen, 2015-08-18, 9 files, -9/+567

* Defined generic non-nul terminated string PA-TNC attribute
  Andreas Steffen, 2015-08-18, 9 files, -59/+81

* Support of HCD Firewall Setting PA-TNC attribute
  Andreas Steffen, 2015-08-18, 5 files, -12/+20

* Defined generic boolean PA-TNC attribute
  Andreas Steffen, 2015-08-18, 10 files, -434/+136

* Defined PWG HCD IF-M attributes
  Andreas Steffen, 2015-08-18, 6 files, -4/+191
* Fixed the implementation of the IF-M segmentation protocol
  Andreas Steffen, 2015-08-18, 13 files, -51/+97

  The first segment only fit if the segmentation envelope attribute was preceded by a Max Attribute Size Response attribute. The improved implementation fills up the first PA-TNC message with the first segment up to the maximum message size.
* kernel-netlink: Avoid route dump if routing rule excludes traffic with a certain mark
  Tobias Brunner, 2015-08-18, 1 file, -7/+33

  If the routing rule we use to direct traffic to our own routing table excludes traffic with a certain mark (fwmark = !<mark>) we can simplify the route lookup and avoid dumping all routes by passing the mark to the request. That way our own routes are ignored and we get the preferred route back without having to dump and analyze all routes, which is quite a burden on hosts with lots of routes.

* include: Update (rt)netlink.h to the latest UAPI version
  Tobias Brunner, 2015-08-18, 2 files, -689/+230
* sql: Also do a reversed ID match
  Tobias Brunner, 2015-08-17, 1 file, -2/+9

  This is required for the case where IDr is not sent (i.e. is %any). The backend manager does the same.

  Fixes #1044.
* ha: Recreate the control FIFO if the file exists but is not a FIFO
  Tobias Brunner, 2015-08-17, 1 file, -13/+68

  This may happen if something like `echo ... > /path/to/fifo` is used before the plugin was able to create the FIFO. In that case we'd end up in a loop always reading the same values from the static file.
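One way to handle the situation described in this commit, as an added example that is not the ha plugin's code: check the object at the FIFO path with lstat(), remove it if it is anything but a FIFO, and only then mkfifo(). The helper names and the temporary path used by the self-check are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not the ha plugin's code: make sure `path` is a FIFO.
 * A regular file left behind by something like `echo ... > path` (run before
 * the FIFO existed) is removed and replaced, so a reader does not loop over
 * the same static contents forever. Returns 0 on success, -1 with errno set. */
int ensure_fifo(const char *path, mode_t mode)
{
    struct stat st;

    if (lstat(path, &st) == 0) {
        if (S_ISFIFO(st.st_mode)) {
            return 0;                /* already what we need */
        }
        /* Wrong kind of object at the name: remove it so mkfifo() can succeed.
         * lstat()/unlink() operate on the name itself, so a symlink is replaced
         * rather than whatever it points to. A directory cannot be unlinked
         * and is reported as an error. */
        if (unlink(path) < 0) {
            return -1;
        }
    } else if (errno != ENOENT) {
        return -1;                   /* e.g. EACCES on the parent directory */
    }
    /* mkfifo() fails with EEXIST if something else raced us to the name, which
     * is safer than silently using an object of unknown type. */
    return mkfifo(path, mode) == 0 ? 0 : -1;
}

/* Self-check with a constructed stale file: mkstemp() leaves a regular file at
 * a temporary path, just as a stray redirect would; ensure_fifo() must turn it
 * into a FIFO. Returns 1 on success, 0 on failure. */
int demo_fifo_recreate(void)
{
    char path[] = "/tmp/ha-fifo-demo-XXXXXX";
    struct stat st;
    int fd, ok;

    fd = mkstemp(path);
    if (fd < 0) {
        return 0;
    }
    if (write(fd, "stale\n", 6) != 6) {
        close(fd);
        unlink(path);
        return 0;
    }
    close(fd);
    ok = ensure_fifo(path, 0600) == 0 &&
         lstat(path, &st) == 0 && S_ISFIFO(st.st_mode);
    unlink(path);
    return ok;
}
```

The permission check on the recreated FIFO is left to the caller, since the effective mode also depends on the process umask.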
* ikev1: Assume a default key length of 128-bit for AES-CBC
  Tobias Brunner, 2015-08-17, 1 file, -0/+11

  Some implementations don't send a Key Length attribute for AES-128. This was allowed for IKE in early drafts of RFC 3602, however, some implementations also seem to do it for ESP, where it never was allowed. And the final version of RFC 3602 demands a Key Length attribute for both phases so they shouldn't do it anymore anyway.

  Fixes #1064.
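The attribute handling this commit describes, as an added example that is not strongSwan's parser: an ISAKMP data-attribute walker (TV/TLV encoding with the AF bit, RFC 2408 section 3.3) for an IKEv1 phase 1 proposal that records the Encryption Algorithm (class 1) and Key Length (class 14) attributes of RFC 2409 appendix A and applies the 128-bit default only when the algorithm is AES-CBC (value 7, assigned by RFC 3602). The ESP case from the commit uses different numbers (Key Length is class 6 and the cipher is the transform ID), so it is only noted in a comment. Struct and function names, and the sample byte strings in the test, are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not strongSwan code: parse the ISAKMP data attributes of an
 * IKEv1 phase 1 proposal and default AES-CBC to 128 bits when the peer omits
 * the Key Length attribute. Constants are for the IKE (phase 1) attribute
 * space of RFC 2409 appendix A; for ESP (RFC 2407) Key Length is class 6 and
 * the cipher is the transform ID of the transform payload instead. */

#define IKE_ATTR_ENCRYPTION_ALGORITHM  1
#define IKE_ATTR_KEY_LENGTH            14
#define IKE_ENCR_AES_CBC               7

#define ISAKMP_ATTR_AF_TV              0x8000   /* AF bit: Type/Value form */

struct ikev1_sa_attrs {
    int encr_alg;            /* Encryption Algorithm, 0 if absent */
    int key_length;          /* Key Length in bits, 0 if absent and no default */
    int key_length_assumed;  /* 1 if the AES-CBC default of 128 was applied */
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 on success, -1 if the attribute list is malformed. */
int ikev1_parse_sa_attributes(const uint8_t *buf, size_t len,
                              struct ikev1_sa_attrs *out)
{
    size_t pos = 0;

    memset(out, 0, sizeof(*out));
    while (pos < len) {
        uint16_t type, lv;
        uint32_t value = 0;
        size_t i, data_len = 0;

        if (len - pos < 4) {
            return -1;               /* truncated attribute header */
        }
        type = get_be16(buf + pos);
        lv   = get_be16(buf + pos + 2);
        if (type & ISAKMP_ATTR_AF_TV) {
            value = lv;              /* TV: the 16-bit field is the value */
        } else {
            /* TLV: the field is the data length. Only small integers are
             * meaningful for the two attributes handled here. */
            data_len = lv;
            if (data_len == 0 || data_len > 4 || len - pos - 4 < data_len) {
                return -1;
            }
            for (i = 0; i < data_len; i++) {
                value = (value << 8) | buf[pos + 4 + i];
            }
        }
        switch (type & ~ISAKMP_ATTR_AF_TV) {
            case IKE_ATTR_ENCRYPTION_ALGORITHM:
                out->encr_alg = (int)value;
                break;
            case IKE_ATTR_KEY_LENGTH:
                out->key_length = (int)value;
                break;
            default:
                break;               /* hash, group, lifetime, ...: ignored */
        }
        pos += 4 + data_len;
    }
    /* Early RFC 3602 drafts let AES-128 omit Key Length; tolerate that, but
     * only for AES-CBC. Fixed-length ciphers such as 3DES stay at 0. */
    if (out->encr_alg == IKE_ENCR_AES_CBC && out->key_length == 0) {
        out->key_length = 128;
        out->key_length_assumed = 1;
    }
    return 0;
}
```

The key_length_assumed flag lets a caller log that the default was applied, which is useful when debugging interoperability with a peer that still relies on the draft behaviour.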
* auth-cfg: Matching one CA should be enough, similar to peer certificates
  Tobias Brunner, 2015-08-17, 1 file, -15/+20

  Not sure if defining multiple CA constraints and enforcing _all_ of them, i.e. the previous behavior, even makes sense. To ensure a very specific chain it should be enough to define the last intermediate CA. On the other hand, the ability to define multiple CAs could simplify configuration. This can currently only be used with swanctl/VICI based configs as `rightca` only takes a single DN.
* vici: Add option to disable policy installation for CHILD_SAs
  Tobias Brunner, 2015-08-17, 2 files, -1/+12

* child-sa: Fix refcounting of allocated reqids
  Tobias Brunner, 2015-08-17, 1 file, -3/+12

  During a rekeying we want to reuse the current reqid, but if the new SA does not allocate it via kernel-interface the state there will disappear when the old SA is destroyed after the rekeying. When the IKE_SA is later reauthenticated with make-before-break reauthentication the new CHILD_SAs there will get new reqids as no existing state is found in the kernel-interface, breaking policy installation in the kernel.

  Fixes: a49393954f31 ("child-sa: Use any fixed reqid configured on the CHILD_SA config")

* identification: Remove unused ID_USER_ID type
  Tobias Brunner, 2015-08-17, 2 files, -11/+3
* man: Clarify identity parsing and identity type prefixes
  Tobias Brunner, 2015-08-17, 1 file, -6/+58

  References #1028.

* pki: Add --dn command to extract the subject DN of a certificate
  Tobias Brunner, 2015-08-17, 8 files, -80/+133

* scripts: Add script to extract the ASN.1 subject DN from a certificate
  Tobias Brunner, 2015-08-17, 2 files, -1/+157

  This can be useful if the subject DN has to be configured with the asn1dn: prefix in ipsec.conf (e.g. because the actual encoding can't be created by strongSwan's string parser/encoder).
* plugin-feature: Add vendor specific EAP method registration macros
  Tobias Brunner, 2015-08-17, 3 files, -9/+20

  Vendor specific EAP methods may be registered with:

    PLUGIN_CALLBACK(eap_method_register, <constructor>),
      PLUGIN_PROVIDE(EAP_SERVER_VENDOR, <type>, <vendor>),

  Same for client implementations via EAP_PEER_VENDOR.

  References #969.
* eap-radius: Use Framed-IPv6-Address attributes to send IPv6 VIPs in accounting messages
  Tobias Brunner, 2015-08-17, 1 file, -4/+2

  This attribute is more appropriate for single IPv6 virtual IPs than the Framed-IPv6-Prefix attribute.

  Fixes #1001.

* eap-radius: Add support for some basic IPv6-specific RADIUS attributes
  Tobias Brunner, 2015-08-17, 3 files, -2/+23

  These are defined in RFC 6911.

  Fixes #1001.
* utils: Check for dirfd(3)
  Tobias Brunner, 2015-08-17, 2 files, -1/+10

  Not all POSIX compatible systems might provide it yet. If not, we close the lowest FD to close and hope it gets reused by opendir().

* utils: Directly use syscall() to close open FDs in closefrom()
  Tobias Brunner, 2015-08-17, 2 files, -6/+54

  This avoids any allocations, since calling malloc() after fork() is potentially unsafe.

  Fixes #990.

* utils: Don't use directory enumerator to close open FDs in closefrom()
  Tobias Brunner, 2015-08-17, 1 file, -24/+36

  Calling malloc() after fork() is potentially unsafe, so we should avoid it if possible. opendir() will still require an allocation but that's less than the variant using the enumerator wrapper, thus, decreasing the conflict potential. This way we can also avoid closing the FD for the enumerated directory itself.

  References #990.
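The technique the three closefrom() commits above converge on, as an added example that is not strongSwan's implementation and is Linux only: list /proc/self/fd with the raw getdents64 syscall into a stack buffer instead of opendir()/readdir(), so nothing between fork() and exec() calls malloc(), and keep the directory handle itself open until the scan is done. The struct layout is the one documented in getdents(2); the function names and the fork-based self-check are my own, and the fallback for a system without /proc is a plain brute-force loop.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (Linux only, not strongSwan's closefrom()): close every
 * descriptor >= lowfd without calling malloc(), so it is safe between fork()
 * and exec(). opendir()/readdir() allocate; the raw getdents64 syscall on
 * /proc/self/fd into a stack buffer does not. open() and close() are
 * async-signal-safe and allocate nothing either. */

struct linux_dirent64 {               /* record layout from getdents(2) */
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Decimal descriptor name to int; -1 for ".", ".." or anything else. */
static int parse_fd_name(const char *name)
{
    int fd = 0;

    if (*name == '\0') {
        return -1;
    }
    for (; *name; name++) {
        if (*name < '0' || *name > '9' || fd > (INT_MAX - 9) / 10) {
            return -1;
        }
        fd = fd * 10 + (*name - '0');
    }
    return fd;
}

void closefrom_nomalloc(int lowfd)
{
    union { uint64_t align; char bytes[4096]; } buf;   /* aligned for d_ino */
    int dirfd = open("/proc/self/fd", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    long n, pos;

    if (dirfd < 0) {                  /* /proc not mounted: brute force */
        long maxfd = sysconf(_SC_OPEN_MAX);
        for (n = lowfd; n < (maxfd > 0 ? maxfd : 1024); n++) {
            close((int)n);
        }
        return;
    }
    while ((n = syscall(SYS_getdents64, dirfd, buf.bytes, sizeof buf.bytes)) > 0) {
        for (pos = 0; pos < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf.bytes + pos);
            int fd = parse_fd_name(d->d_name);

            if (d->d_reclen == 0) {
                break;                /* defensive: never emitted by the kernel */
            }
            /* Keep the directory handle until the scan is finished. */
            if (fd >= lowfd && fd != dirfd) {
                close(fd);
            }
            pos += d->d_reclen;
        }
    }
    close(dirfd);
}

/* Self-check with constructed descriptors: open three handles on /dev/null,
 * fork, and let the child close from the middle one upwards. The child's exit
 * status reports whether only the lowest survived; returns 1 on success. */
int demo_closefrom(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);
    int c = open("/dev/null", O_RDONLY);
    int status = 0;
    pid_t pid;

    if (a < 0 || b < 0 || c < 0 || (pid = fork()) < 0) {
        return 0;
    }
    if (pid == 0) {                   /* child: the post-fork, pre-exec window */
        closefrom_nomalloc(b);
        _exit(fcntl(a, F_GETFD) != -1 && fcntl(b, F_GETFD) == -1 &&
              fcntl(c, F_GETFD) == -1 ? 0 : 1);
    }
    close(a);
    close(b);
    close(c);
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
           WEXITSTATUS(status) == 0;
}
```

Because closing an entry while /proc/self/fd is being read does not shift the remaining entries (the directory offset is the descriptor number), a single pass is enough; the handle used for the scan is the one descriptor deliberately skipped and closed last.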
* Merge branch 'vici-updown'
  Tobias Brunner, 2015-08-17, 5 files, -51/+236

  Documents the ike/child-updown events and adds an ike/child-rekey event and a new listen() method in the Python VICI bindings to listen for arbitrary events (similar to the listen_events() method in the Ruby bindings).

  * vici: Add listen methods to receive arbitrary events in Python library
    Tobias Brunner, 2015-08-17, 1 file, -0/+34

  * vici: Move event (un-)registration to a helper method in Python library
    Tobias Brunner, 2015-08-17, 3 files, -49/+60

    Also make sure events are unregistered in case of exceptions in streamed_request().