Commit message | Author | Age | Files | Lines
...
| * ike-init: Ignore notifies related to redirects during rekeying | Tobias Brunner | 2016-03-04 | 1 | -3/+13
| |   Also don't query redirect providers in this case.
| * ike-sa: Add limit for the number of redirects within a defined time period | Tobias Brunner | 2016-03-04 | 2 | -0/+54
| |
| * ike-sa: Reauthenticate to the same addresses we currently use | Tobias Brunner | 2016-03-04 | 1 | -2/+5
| |   If the SA got redirected this would otherwise cause a reauthentication with the original gateway. Reestablishing the SA to the original gateway, if e.g. the new gateway is not reachable, makes sense though.
| * vici: Don't redirect all SAs if no selectors are given | Tobias Brunner | 2016-03-04 | 1 | -1/+1
| |   This avoids confusion and redirecting all SAs can now easily be done explicitly (e.g. peer_ip=0.0.0.0/0).
| * vici: Match subnets and ranges against peer IP in redirect command | Tobias Brunner | 2016-03-04 | 3 | -13/+43
| |
| * vici: Match identity with wildcards against remote ID in redirect command | Tobias Brunner | 2016-03-04 | 3 | -6/+10
| |
| * swanctl: Add --redirect command | Tobias Brunner | 2016-03-04 | 4 | -1/+138
| |
| * vici: Add redirect command | Tobias Brunner | 2016-03-04 | 5 | -0/+150
| |   This allows redirecting IKE_SAs by multiple different selectors, if none are given all SAs are redirected.
| * redirect-job: Add job to redirect an active IKE_SA | Tobias Brunner | 2016-03-04 | 4 | -0/+159
| |
| * ike-sa: Add redirect() method to actively redirect an IKE_SA | Tobias Brunner | 2016-03-04 | 2 | -0/+50
| |
| * ike-redirect: Add task to redirect active IKE_SAs | Tobias Brunner | 2016-03-04 | 7 | -0/+220
| |
| * ike-auth: Handle REDIRECT notifies during IKE_AUTH | Tobias Brunner | 2016-03-04 | 1 | -22/+44
| |
| * ike-sa: Handle redirect requests for established SAs as reestablishment | Tobias Brunner | 2016-03-04 | 1 | -82/+174
| |   We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs, which also includes the one actively queued during IKE_AUTH. To delete the old SA we use the recently added ike_reauth_complete task.
| * ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers | Tobias Brunner | 2016-03-04 | 1 | -27/+51
| |   To prevent the creation of the CHILD_SA we set a condition on the IKE_SA. We also schedule a delete job in case the client does not terminate the IKE_SA (which is a SHOULD in RFC 5685).
| * ike-config: Do not assign attributes for redirected IKE_SAs | Tobias Brunner | 2016-03-04 | 1 | -0/+5
| |
| * child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH | Tobias Brunner | 2016-03-04 | 1 | -0/+4
| |
| * ike-sa: Add a condition to mark redirected IKE_SAs | Tobias Brunner | 2016-03-04 | 1 | -0/+5
| |
| * ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server | Tobias Brunner | 2016-03-04 | 1 | -0/+17
| |
| * ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate | Tobias Brunner | 2016-03-04 | 1 | -1/+19
| |
| * ike-sa: Keep track of the address of the gateway that redirected us | Tobias Brunner | 2016-03-04 | 2 | -1/+27
| |
| * ikev2: Add option to disable following redirects as client | Tobias Brunner | 2016-03-04 | 3 | -1/+23
| |
| * ikev2: Handle REDIRECT notifies during IKE_SA_INIT | Tobias Brunner | 2016-03-04 | 3 | -0/+64
| |
| * ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers | Tobias Brunner | 2016-03-04 | 1 | -0/+17
| |
| * redirect-manager: Add helper function to create and parse REDIRECT notify data | Tobias Brunner | 2016-03-04 | 2 | -11/+162
| |   The same encoding is also used for the REDIRECT_FROM notifies.
| * redirect-manager: Verify type of returned gateway ID | Tobias Brunner | 2016-03-04 | 1 | -1/+12
| |
| * ike-init: Send REDIRECT_SUPPORTED as initiator | Tobias Brunner | 2016-03-04 | 1 | -0/+5
| |
| * ike-init: Enable redirection extension if client sends REDIRECT_SUPPORTED notify | Tobias Brunner | 2016-03-04 | 1 | -0/+4
| |
| * ike-sa: Add new extension for IKEv2 redirection (RFC 5685) | Tobias Brunner | 2016-03-04 | 1 | -1/+6
| |
| * daemon: Create global redirect manager instance | Tobias Brunner | 2016-03-04 | 2 | -0/+8
| |
| * redirect-manager: Add manager for redirect providers | Tobias Brunner | 2016-03-04 | 4 | -2/+223
| |
| * redirect-provider: Add interface to redirect clients during initial messages | Tobias Brunner | 2016-03-04 | 3 | -0/+61
|/    This will allow e.g. plugins to decide whether a connecting client is redirected to a different gateway using RFC 5685.
* Set PLUTO port variables to 0 in the case of no port restrictions | Andreas Steffen | 2016-03-04 | 1 | -1/+1
|
* Added port range support to NEWS | Andreas Steffen | 2016-03-04 | 1 | -0/+5
|
* testing: Added swanctl/protoport-range scenario | Andreas Steffen | 2016-03-04 | 9 | -0/+159
|
* Port range support in updown script | Andreas Steffen | 2016-03-04 | 1 | -13/+37
|
* Implemented port ranges in kernel_netlink interface | Andreas Steffen | 2016-03-04 | 1 | -7/+19
|
* thread: Allow thread ID to be value returned by gettid() | Thomas Egerer | 2016-03-04 | 4 | -14/+36
|   Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Request missing SWID tags in a directed PA-TNC message | Andreas Steffen | 2016-03-04 | 3 | -20/+47
|
* Merge branch 'libhydra-bye-bye' | Tobias Brunner | 2016-03-03 | 199 | -950/+319
|\    Moves kernel plugins to libcharon and removes the unused libhydra. The kernel interface is now accessible under charon->kernel.
| * libhydra: Remove empty unused library | Tobias Brunner | 2016-03-03 | 125 | -551/+26
| |
| * libhydra: Move kernel interface to libcharon | Tobias Brunner | 2016-03-03 | 69 | -358/+257
| |   This moves hydra->kernel_interface to charon->kernel.
| * libhydra: Move all kernel plugins to libcharon | Tobias Brunner | 2016-03-03 | 28 | -43/+38
|/
* ikev1: Send and verify IPv6 addresses correctly | Tobias Brunner | 2016-03-03 | 2 | -26/+18
|   According to the mode-config draft there is no prefix sent for IPv6 addresses in IKEv1. We still accept 17 bytes long addresses for backwards compatibility with older strongSwan releases. Fixes #1304.
* ikev1: Allow immediate deletion of rekeyed CHILD_SAs | Tobias Brunner | 2016-03-03 | 2 | -1/+25
|   When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
* ikev1: Avoid modifying local auth config when detecting pubkey method | Tobias Brunner | 2016-03-03 | 1 | -1/+1
|   If it was necessary to pass the local certificates we could probably clone the config (but we don't do that either when later looking for the key to actually authenticate). Passing auth adds the same subject cert to the config over and over again (I guess we could also try to prevent that by searching for duplicates).
* forecast: Fix alignment when adding rules | Tobias Brunner | 2016-03-03 | 1 | -114/+133
|   Basically the same issue as with the connmark plugin. Fixes #1212.
* connmark: Fix alignment when adding rules | Tobias Brunner | 2016-03-03 | 1 | -160/+172
|   The structs that make up a message sent to the kernel have all to be aligned with XT_ALIGN. That was not necessarily the case when initializing the complete message as struct. Fixes #1212.
* ike: Keep track of send keepalive jobs to avoid scheduling more than one per IKE_SA | Tobias Brunner | 2016-03-03 | 3 | -11/+24
|
* ike: Don't send NAT keepalives if we have no path to the other peer | Tobias Brunner | 2016-03-03 | 1 | -3/+9
|   If there is no path to the other peer there is no point in trying to send a NAT keepalive. If the condition changes back and forth within the keepalive interval there is a chance that multiple jobs get queued.
* vici: Provide ports of local and remote IKE endpoints | Tobias Brunner | 2016-03-03 | 2 | -2/+9
|