aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notifyTobias Brunner2016-03-041-0/+4
| |
| * ike-sa: Add new extension for IKEv2 redirection (RFC 5685)Tobias Brunner2016-03-041-1/+6
| |
| * daemon: Create global redirect manager instanceTobias Brunner2016-03-042-0/+8
| |
| * redirect-manager: Add manager for redirect providersTobias Brunner2016-03-044-2/+223
| |
| * redirect-provider: Add interface to redirect clients during initial messagesTobias Brunner2016-03-043-0/+61
|/ | | | | This will allow e.g. plugins to decide whether a connecting client is redirected to a different gateway using RFC 5685.
* Set PLUTO port variables to 0 in the case of no port restrictionsAndreas Steffen2016-03-041-1/+1
|
* Added port range support to NEWSAndreas Steffen2016-03-041-0/+5
|
* testing: Added swanctl/protoport-range scenarioAndreas Steffen2016-03-049-0/+159
|
* Port range support in updown scriptAndreas Steffen2016-03-041-13/+37
|
* Implemented port ranges in kernel_netlink interfaceAndreas Steffen2016-03-041-7/+19
|
* thread: Allow thread ID to be value returned by gettid()Thomas Egerer2016-03-044-14/+36
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Request missing SWID tags in a directed PA-TNC messageAndreas Steffen2016-03-043-20/+47
|
* Merge branch 'libhydra-bye-bye'Tobias Brunner2016-03-03199-950/+319
|\ | | | | | | | | Moves kernel plugins to libcharon and removes the unused libhydra. The kernel interface is now accessible under charon->kernel.
| * libhydra: Remove empty unused libraryTobias Brunner2016-03-03125-551/+26
| |
| * libhydra: Move kernel interface to libcharonTobias Brunner2016-03-0369-358/+257
| | | | | | | | This moves hydra->kernel_interface to charon->kernel.
| * libhydra: Move all kernel plugins to libcharonTobias Brunner2016-03-0328-43/+38
|/
* ikev1: Send and verify IPv6 addresses correctlyTobias Brunner2016-03-032-26/+18
| | | | | | | | According to the mode-config draft there is no prefix sent for IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for backwards compatibility with older strongSwan releases. Fixes #1304.
* ikev1: Allow immediate deletion of rekeyed CHILD_SAsTobias Brunner2016-03-032-1/+25
| | | | | | | | | | | | | | | When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Avoid modifying local auth config when detecting pubkey methodTobias Brunner2016-03-031-1/+1
| | | | | | | | | If it was necessary to pass the local certificates we could probably clone the config (but we don't do that either when later looking for the key to actually authenticate). Passing auth adds the same subject cert to the config over and over again (I guess we could also try to prevent that by searching for duplicates).
* forecast: Fix alignment when adding rulesTobias Brunner2016-03-031-114/+133
| | | | | | Basically the same issue as with the connmark plugin. Fixes #1212.
* connmark: Fix alignment when adding rulesTobias Brunner2016-03-031-160/+172
| | | | | | | | The structs that make up a message sent to the kernel have all to be aligned with XT_ALIGN. That was not necessarily the case when initializing the complete message as struct. Fixes #1212.
* ike: Keep track of send keepalive jobs to avoid scheduling more than one per ↵Tobias Brunner2016-03-033-11/+24
| | | | IKE_SA
* ike: Don't send NAT keepalives if we have no path to the other peerTobias Brunner2016-03-031-3/+9
| | | | | | | | If there is no path to the other peer there is no point in trying to send a NAT keepalive. If the condition changes back and forth within the keepalive interval there is a chance that multiple jobs get queued.
* vici: Provide ports of local and remote IKE endpointsTobias Brunner2016-03-032-2/+9
|
* duplicheck: Include required headers for FreeBSDDenis Volpato Martins2016-03-031-0/+2
| | | | Closes strongswan/strongswan#34.
* charon: Add custom logger to daemonThomas Egerer2016-03-014-43/+336
| | | | | | | | | | | This logger can be used to easily register custom logging instances using __attribute__((constructor)) benefiting from the global reload mechanism (with reset of log levels). Note that this is not intended to be used from plugins, which are loaded after loggers have already been initialized. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* vici: Correctly document 'up' key for updown eventsTobias Brunner2016-03-011-4/+4
| | | | Instead of sending 'no' it is omitted when an SA goes down.
* ikev2: Use config value for sending of vendor IDsThomas Egerer2016-03-011-13/+43
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* swanctl: Fix minor typos in documentationChris Patterson2016-02-291-3/+3
| | | | | | "UPD" should be "UDP". Signed-off-by: Chris Patterson <pattersonc@ainfosec.com>
* testing: Added swanctl/shunt-policies-nat-rwAndreas Steffen2016-02-2812-0/+231
|
* testing: Some minor fixes in test scenariosAndreas Steffen2016-02-282-0/+3
|
* Version bump to 5.4.0dr75.4.0dr7Andreas Steffen2016-02-281-1/+1
|
* testing: Added swanctl/protoport-dual scenarioAndreas Steffen2016-02-289-0/+142
|
* testing: converted af-alg scenarios to swanctlAndreas Steffen2016-02-2625-149/+198
|
* testing: Use absolute path to the _updown script in SQL scenariosTobias Brunner2016-02-1747-55/+55
| | | | | | /usr/local/sbin is not included in PATH set by the charon init script and since the ipsec script is obsolete when using swanctl it makes sense to change this anyway.
* ike-sa-manager: Store a reference to the thread that checked out an IKE_SATobias Brunner2016-02-171-13/+14
| | | | | | This could be helpful when debugging deadlocks that manifest around wait_for_entry(), as it helps identifying other involved threads (the thread object is seen in the thread_main() call in each thread's backtrace).
* testing: Increased ping interval in ikev2/trap-any scenarioAndreas Steffen2016-02-161-5/+5
|
* Version bump to 5.4.0dr65.4.0dr6Andreas Steffen2016-02-161-1/+1
|
* Corrected the description of the swanctl/dhcp-dynamic scenarioAndreas Steffen2016-02-161-1/+1
|
* Fix of the mutual TNC measurement use caseAndreas Steffen2016-02-1617-28/+234
| | | | | | | | | | | | | | | | | If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches is continued until the IKEv2 responder acting as a TNC server has also finished its TNC measurements. In the past if these measurements in the other direction were correct the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication successful and the IPsec connection was established even though the TNC measurement verification on the EAP peer side failed. The fix adds an "allow" group membership on each endpoint if the corresponding TNC measurements of the peer are successful. By requiring a "allow" group membership in the IKEv2 connection definition the IPsec connection succeeds only if the TNC measurements on both sides are valid.
* kernel-netlink: Allow Netlink send buffer size to be configured via compile ↵Tobias Brunner2016-02-121-3/+11
| | | | | | | option The receive buffer size can already be changed via strongswan.conf if necessary.
* utils: Add enum name for pseudo log group 'any'Tobias Brunner2016-02-052-12/+7
|
* libipsec: Pass the same data to del_policy() as to add_policy()Tobias Brunner2016-02-044-12/+17
| | | | | | We already do this for the other kernel interfaces. Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")
* libipsec: Don't attempt deletion of any non-IPsec policiesTobias Brunner2016-02-041-1/+1
| | | | | | | | An example are the fallback drop policies installed when updating SAs. We ignore such policies in add_policy() so there is no point in attempting to remove them. Since they use different priorities than regular policies this did not result in policies getting deleted unintentionally but there was an irritating log message on level 2 that indicated otherwise.
* testing: Added swanctl/dhcp-dynamic scenarioAndreas Steffen2016-02-0315-0/+279
|
* ikev2: Add debug message about failed IKE authenticationThomas Egerer2016-02-021-0/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Log successful authentication with signature schemeThomas Egerer2016-02-014-7/+7
| | | | | | Output is now identical to that of the IKEv2 pubkey authenticator. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* peer-cfg: Set DPD timeout to at least DPD delayTobias Brunner2016-02-011-0/+4
| | | | | | If DPD timeout is set but to a value smaller than the DPD delay the code in task_manager_v1.c:queue_liveliness_check will run into an integer underrun.
* ikev1: Always enable charon.reuse_ikesaTobias Brunner2016-02-012-3/+3
| | | | | | | | | With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later. Fixes #1236.
* load-tester: Register kernel-ipsec implementation as plugin featureTobias Brunner2016-02-011-10/+11
| | | | | | | | | | | Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied. This changed with db61c37690b5 ("kernel-interface: Return bool for kernel interface registration") as the registration of further kernel-ipsec implementations now fails and therefore even if other plugins are loaded the dependency will not be satisfied anymore. References #953.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 06:43:38 +0000