| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| conf: Clarify resolution for two time settings. Fixes #1061. | Tobias Brunner | 2015-08-10 | 2 | -4/+4 |
| eap-radius: Change trigger for Accounting Start messages for IKEv1. Some clients won't do Mode Config or XAuth during reauthentication. Because Start messages previously were triggered by TRANSACTION exchanges, none were sent for new SAs of such clients, while Stop messages were still sent for the old SAs when they were destroyed. This resulted in an incorrect state on the RADIUS server. Since 31be582399, the assign_vips() event is also triggered during reauthentication if the client does not do a Mode Config exchange. So instead of waiting for a TRANSACTION exchange, we trigger the Start message when a virtual IP is assigned to a client. With this, the charon.plugins.eap-radius.accounting_requires_vip option would not have any effect for IKEv1 anymore. However, it previously also only worked if the client did an XAuth exchange, which is probably rarely used without virtual IPs, so this might not be much of a regression. Fixes #937. | Tobias Brunner | 2015-08-06 | 1 | -1/+1 |
| kernel-netlink: Use PAGE_SIZE as default size for the netlink receive buffer. The kernel uses NLMSG_GOODSIZE as default buffer size, which defaults to the PAGE_SIZE if it is lower than 8192 or to that value otherwise. In some cases (e.g. for dump messages) the kernel might use up to 16k for messages, which might require increasing this value. | Tobias Brunner | 2015-08-04 | 1 | -1/+1 |
| kernel-netlink: Make buffer size for received Netlink messages configurable | Tobias Brunner | 2015-05-21 | 1 | -0/+3 |
| imv_policy_manager: Added capability to execute an allow or block shell command string | Andreas Steffen | 2015-04-26 | 2 | -0/+14 |
| Added PB-TNC test options to strongswan.conf man page | Andreas Steffen | 2015-03-27 | 1 | -0/+6 |
| Fixed strongswan.conf man page entry of imc-attestation | Andreas Steffen | 2015-03-27 | 2 | -18/+18 |
| Optionally announce PB-TNC mutual protocol capability | Andreas Steffen | 2015-03-23 | 1 | -0/+3 |
| trap-manager: Add option to ignore traffic selectors from acquire events. The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860. | Tobias Brunner | 2015-03-23 | 1 | -0/+11 |
| kernel-pfkey: Add option to set receive buffer size of event socket. If many requests are sent to the kernel, the events generated by these requests may fill the receive buffer before the daemon is able to read these messages. Fixes #783. | Tobias Brunner | 2015-03-06 | 2 | -0/+8 |
| ikev2: Add an option to disable constraints against signature schemes. If this is disabled, the schemes configured in `rightauth` are only checked against signature schemes used in the certificate chain and signature schemes used during IKEv2 are ignored. Disabling this could be helpful if existing connections with peers that don't support RFC 7427 use signature schemes in `rightauth` to verify certificate chains. | Tobias Brunner | 2015-03-04 | 1 | -0/+8 |
| ikev2: Add a global option to disable RFC 7427 signature authentication. This is mostly for testing. | Tobias Brunner | 2015-03-04 | 1 | -0/+3 |
| Implemented improved BLISS-B signature algorithm | Andreas Steffen | 2015-02-25 | 2 | -0/+3 |
| forecast: Document strongswan.conf options | Martin Willi | 2015-02-20 | 2 | -0/+30 |
| mem-pool: Pass the remote IKE address, to re-acquire() an address during reauth. With make-before-break IKEv2 re-authentication, virtual IP addresses must be assigned overlapping to the same peer. With the remote IKE address, the backend can detect re-authentication attempts by comparing the remote host address and port. This allows proper reassignment of the virtual IP if it is re-requested. This change removes the mem-pool.reassign_online option, as it is obsolete now. IPs get automatically reassigned if a peer re-requests the same address, and additionally connects from the same address and port. | Martin Willi | 2015-02-20 | 1 | -4/+0 |
| ikev2: Trigger make-before-break reauthentication instead of reauth task | Martin Willi | 2015-02-20 | 1 | -0/+10 |
| mem-pool: Document reassign_online option | Tobias Brunner | 2015-02-12 | 1 | -0/+4 |
| kernel-netlink: Add missing documentation for two options | Tobias Brunner | 2014-12-19 | 1 | -0/+6 |
| kernel-netlink: Alternatively support global port based IKE bypass policies. The socket based IKE bypass policies are usually superior, but not supported on all networking stacks. The port based variant uses global policies for the UDP ports we have IKE sockets for. | Martin Willi | 2014-11-21 | 1 | -0/+9 |
| conf: Document kernel-netlink retransmission and parallelization options | Martin Willi | 2014-11-21 | 1 | -0/+17 |
| ike: Add IKEv2 in description of fragment_size option in strongswan.conf | Tobias Brunner | 2014-10-14 | 1 | -3/+4 |
| eap-radius: Add option to set interval for interim accounting updates. Any interval returned by the RADIUS server in the Access-Accept message overrides the configured interval. But it might be useful if RADIUS is only used for accounting. | Tobias Brunner | 2014-10-10 | 1 | -1/+5 |
| ikev1: Move fragment generation to message_t | Tobias Brunner | 2014-10-10 | 1 | -3/+4 |
| ext-auth: Add an ext-auth plugin invoking an external authorization script. Original patch courtesy of Vyronas Tsingaras. | Martin Willi | 2014-10-06 | 2 | -0/+16 |
| starter: Allow specifying the ipsec.conf location in strongswan.conf | Shea Levy | 2014-10-02 | 1 | -0/+3 |
| stroke: Allow specifying the ipsec.secrets location in strongswan.conf | Shea Levy | 2014-10-02 | 1 | -0/+3 |
| Don't fail to install if sysconfdir isn't writable | Shea Levy | 2014-09-26 | 1 | -3/+3 |
| systemd: Add a native systemd journal logger | Martin Willi | 2014-09-22 | 2 | -0/+14 |
| kernel-netlink: Optionally install protocol and ports on transport mode SAs | Tobias Brunner | 2014-09-12 | 1 | -0/+9 |
| kernel-netlink: Add global option to configure MSS-clamping on installed routes | Tobias Brunner | 2014-09-12 | 1 | -0/+3 |
| kernel-netlink: Add global option to set MTU on installed routes | Tobias Brunner | 2014-09-12 | 1 | -0/+3 |
| conf: Document load-tester.crl option | Tobias Brunner | 2014-06-30 | 1 | -0/+4 |
| conf: Document charon.*-scripts options | Tobias Brunner | 2014-06-30 | 1 | -0/+8 |
| conf: Document swanctl options | Tobias Brunner | 2014-06-30 | 2 | -0/+3 |
| conf: Document aikgen options | Tobias Brunner | 2014-06-30 | 2 | -0/+3 |
| autoconf: Replace --disable-tools option with --disable-scepclient. Since using a separate option for pki, this was the only tool that was still enabled by that option. | Tobias Brunner | 2014-06-30 | 2 | -3/+3 |
| Remove kernel-klips plugin | Tobias Brunner | 2014-06-19 | 2 | -6/+0 |
| kernel-netlink: Follow RFC 6724 when selecting IPv6 source addresses. Instead of using the first address we find on an interface, we should consider properties like an address' scope or whether it is temporary or public. Fixes #543. | Tobias Brunner | 2014-06-19 | 1 | -0/+4 |
| Fixed typo in strongswan.conf | Andreas Steffen | 2014-06-05 | 1 | -1/+1 |
| configure: Separate pki from --disable-tools. While pki builds and runs just fine on Windows, this is not true for scepclient. | Martin Willi | 2014-06-04 | 3 | -3/+3 |
| Updated IMC/IMV entries in strongswan.conf man page | Andreas Steffen | 2014-05-31 | 11 | -35/+41 |
| conf: Fix sorting of options with Python 3. `__cmp__()` is not supported anymore with Python 3 and `cmp()` is deprecated. Instead, rich comparisons should be used (only `__lt__()` is required for sorting). | Tobias Brunner | 2014-05-13 | 1 | -2/+2 |
| conf: print is a function in Python 3 | Tobias Brunner | 2014-05-13 | 1 | -13/+13 |
| Implemented PT-EAP protocol (RFC 7171) | Andreas Steffen | 2014-05-12 | 2 | -1/+4 |
| Changed default value to libimcv.imc-attestation.pcr_info = no | Andreas Steffen | 2014-05-10 | 1 | -1/+1 |
| conf: Add a format-options --nosort option to keep order of sections as defined | Martin Willi | 2014-05-07 | 1 | -4/+10 |
| conf: Properly propagate whether a section is commented or not | Tobias Brunner | 2014-05-07 | 1 | -3/+4 |
| vici: Document strongswan.conf options | Martin Willi | 2014-05-07 | 2 | -0/+3 |
| ikev1: Add an option to accept unencrypted ID/HASH payloads. Even in Main Mode, some Sonicwall boxes seem to send ID/HASH payloads in unencrypted form, probably to allow PSK lookup based on the ID payloads. We by default reject that, but accept it if the charon.accept_unencrypted_mainmode_messages option is set in strongswan.conf. Initial patch courtesy of Paul Stewart. | Martin Willi | 2014-04-17 | 1 | -0/+15 |
| Use python-based swidGenerator to generate SWID tags | Andreas Steffen | 2014-04-15 | 1 | -0/+9 |