aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Merge branch 'bypass-lan'Tobias Brunner2017-02-0814-0/+907
|\ | | | | | | | | | | | | Adds a new plugin that automatically installs and updates bypass policies for locally attached subnets. This is useful for laptops etc. that are used in different networks and prefer maintaining access to local hosts (e.g. network printers or NAS) while connected to a VPN.
| * kernel-pfroute: Implement enumeration of local subnetsTobias Brunner2017-02-081-0/+194
| |
| * bypass-lan: Allow ignoring or only considering subnets of specific interfacesTobias Brunner2017-02-085-6/+102
| | | | | | | | The config can also be reloaded by sending a SIGHUP to charon.
| * bypass-lan: Configure interface on bypass policyTobias Brunner2017-02-081-1/+6
| | | | | | | | | | Currently, only the kernel-netlink plugin supports this, the others will just ignore it.
| * kernel-netlink: Return interface name in local subnet enumeratorTobias Brunner2017-02-081-5/+15
| |
| * kernel-interface: Add interface name to local subnet enumeratorTobias Brunner2017-02-084-4/+10
| |
| * bypass-lan: Add plugin that installs bypass policies for locally attached ↵Tobias Brunner2017-02-087-0/+437
| | | | | | | | subnets
| * kernel-netlink: Implement enumerator for local subnetsTobias Brunner2017-02-081-0/+130
| |
| * kernel-interface: Add method to enumerate locally attached subnetsTobias Brunner2017-02-083-0/+29
|/
* kernel-pfkey: Use the same priority range for trap and regular policiesTobias Brunner2017-02-081-15/+15
| | | | Same as the change in the kernel-netlink plugin.
* kernel-netlink: Use the same priority range for trap and regular policiesTobias Brunner2017-02-081-14/+14
| | | | | | | | | | | | | While trap and regular policies now often look the same (mainly because reqids are kept constant) trap policies still need to have a lower priority than regular policies to handle unroute/route correctly if e.g. IPComp is used or the mode changes. But if we use a completely different priority range that's lower than that of regular policies it is not possible to install overlapping trap policies. By differentiating trap from regular policies via the priority's LSB this issue is avoided while still maintaining the proper ordering of trap and regular policies. Fixes #1243.
* kernel-netlink: Fix spacing in log message when policy is unchangedTobias Brunner2017-02-081-1/+1
|
* ikev1: Factor out IV and QM managementTobias Brunner2017-02-086-261/+500
| | | | This simplifies implementing a custom keymat_v1_t.
* keymat: Allow keymat to modify signature scheme(s)Thomas Egerer2017-02-089-20/+52
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* forecast: Mark correct port in UDP NAT-T ruleJames Laird-Wah2017-02-081-1/+1
| | | | Closes strongswan/strongswan#62.
* android: New release after adding translation for Simplified ChineseTobias Brunner2017-02-071-2/+2
|
* android: Add translation for Simplified ChineseTobias Brunner2017-02-076-4/+180
| | | | Courtesy of Yick Xie.
* settings: Fix purge if order differs from alphabetical orderTobias Brunner2017-02-071-1/+1
|
* eap-dynamic: Publish the get_auth() method of the wrapped EAP methodTobias Brunner2017-02-071-0/+12
| | | | Fixes #2238.
* pkcs11: Fix documentation of load_certs optionTobias Brunner2017-02-061-2/+8
| | | | This option is actually module-specific.
* ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcardsTobias Brunner2017-02-061-1/+2
| | | | | | Such an identity won't equal an actual peer's identity resulting in sending an INITIAL_CONTACT notify even if there might be an existing IKE_SA.
* proposal: Copy SPI and proposal number from correct proposal in select()Tobias Brunner2017-02-065-8/+47
| | | | | | | | If charon.prefer_configured_proposals is disabled select() is called on the received proposal. This incorrectly set the SPI to 0 as the configured proposal has no SPI set. Fixes #2190.
* kernel-netlink: Set NODAD flag for virtual IPv6 addressesTobias Brunner2017-02-061-10/+16
| | | | | | | The Optimistic Duplicate Address Detection (DAD) seems to fail in some cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable. Fixes #2183.
* kernel-netlink: Prefer matching label when selecting IPv6 source addressesTobias Brunner2017-02-061-3/+78
| | | | | | | | This implements rule 6 of RFC 6724 using the default priority table, so that e.g. global addresses are preferred over ULAs (which also have global scope) when the destination is a global address. Fixes #2138.
* kernel-netlink: Use correct 4 byte alignment for AH with IPv4Tobias Brunner2017-01-251-0/+5
| | | | | | | | By default, the kernel incorrectly uses an 8 byte alignment, which is mandatory for IPv6 but prohibited for IPv4. For many algorithms this doesn't matter but that's not the case for HMAC_SHA2_256_128. Since 2.6.39 the kernel can be explicitly configured to use a 4 byte alignment.
* kernel-netlink: Allow change of Netlink socket receive buffer sizeThomas Egerer2017-01-252-0/+61
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAsTobias Brunner2017-01-251-0/+2
| | | | | | | Picky kernels might otherwise reject our messages as RFC 2367 explicitly mandates this. Fixes #2212.
* kernel-pfroute: Don't set a gateway if it is of a different address family ↵Tobias Brunner2017-01-251-1/+2
| | | | than the destination
* libipsec: Add support for AES and Camellia in CCM modeTobias Brunner2017-01-251-3/+16
| | | | Fixes #2172.
* libipsec: Fix Windows build via MinGWTobias Brunner2017-01-255-1/+43
| | | | Fixes #2118.
* stroke: Default to %dynamic if no valid TS are specified in left|rightsubnetTobias Brunner2017-01-251-57/+44
| | | | | | | Otherwise, we'd end up with an empty TS list, which is not valid. Because end->tohost is set to !end->subnets in starter the removed branch was never used.
* init: Let systemd restart daemons if they get terminated unexpectedlyTobias Brunner2017-01-252-0/+2
| | | | Fixes #2205.
* init: Depend on network-online.target instead of network.target in systemd unitsTobias Brunner2017-01-252-2/+2
| | | | | | | This makes sure the network is "up" before connections are loaded/initiated. Fixes #2205.
* Merge branch 'charon-systemd-reload-loggers'Tobias Brunner2017-01-2514-48/+101
|\ | | | | | | | | | | | | | | | | | | Allows reloading strongswan.conf, the loggers, and the plugins in charon-systemd by sending a SIGHUP (as already supported by charon). Loggers are now also reloaded by VICI's `reload-settings` command (works with both daemons). Fixes #2222.
| * vici: Reload loggers after reloading strongswan.conf via reload-setting commandTobias Brunner2017-01-251-0/+1
| |
| * daemon: Use separate method to set default loggersTobias Brunner2017-01-2513-49/+85
| | | | | | | | | | This way it is not necessary to pass the same values to reload the loggers.
| * charon-systemd: Handle SIGHUP the same way charon doesTobias Brunner2017-01-251-0/+16
|/ | | | That is, reload strongswan.conf, the loggers and the plugins.
* ha: Fix assignment of IP addresses if multiple pools are definedTobias Brunner2017-01-251-2/+6
| | | | Fixes #2146.
* ha: Delete passive IKE_SA on other node after half-open timeoutTobias Brunner2017-01-251-0/+15
| | | | Fixes #1192.
* kernel-netlink: Return const pointer from lookup_algorithm()Thomas Egerer2017-01-231-3/+4
| | | | Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* Merge branch 'android-import'Tobias Brunner2017-01-2018-51/+1298
|\ | | | | | | Adds a VPN profile import feature.
| * android: New release after adding profile import functionalityTobias Brunner2017-01-201-2/+2
| |
| * android: Handle profile file names with dots in themTobias Brunner2017-01-201-0/+3
| |
| * android: Handle errors when fetching profile in more detailTobias Brunner2017-01-206-16/+77
| |
| * android: Add activity to import VPN profiles from JSON-encoded filesTobias Brunner2017-01-2012-0/+1053
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The file format is documented on the wiki. URLs to .sswan files may be intercepted and downloaded files with a media type of application/vnd.strongswan.profile may also be opened (the file extension doesn't matter in that case). Whether downloaded files for which the media type is not correct but the extension is .sswan can be opened depends on the app that issues the Intent. For instance, from the default Downloads app it won't work due to the content:// URLs that do not contain the file name but when opening the downloaded file from within Chrome's Downloads view it works as these Intents use file:// URLs, which contain the complete file name (the latter requires a new permission).
| * android: Use a local broadcast to notify about profile changesTobias Brunner2017-01-203-47/+107
| | | | | | | | | | This allows other components to modify the profiles and notify about changes.
| * android: Add a UUID property to the VPN profilesTobias Brunner2017-01-203-2/+72
|/ | | | | | All new or edited profiles get a random UUID. We currently don't enforce one, though. Later we might change that and use the UUID as primary key.
* Merge branch 'ipsec-commands'Tobias Brunner2017-01-191-12/+20
|\ | | | | | | | | | | | | Fixes an issue with the ipsec script when used with sudo. I'd usually rebase this but the commit ID was already referenced elsewhere.
| * ipsec: Only allow specific commands to be executed via ipsec scriptTobias Brunner2017-01-181-12/+20
|/ | | | | The previous fallback allowed running any executable as root if executing ipsec via sudo was allowed, by using e.g. `sudo ipsec ../../../bin/sh`.
* bliss: Increase timeout for sampler unit testTobias Brunner2017-01-161-2/+2
| | | | Fixes #2204.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-09 03:40:24 +0000