path: root/conf
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* The pacman tool got replaced by the sec-updater tool (Tobias Brunner, 2017-11-15, 2 files, -8/+0)
* sec-updater: Fix typo in documentation (Tobias Brunner, 2017-11-15, 1 file, -1/+1)
* ikev2: Enumerate RSA/PSS schemes and use them if enabled (Tobias Brunner, 2017-11-08, 1 file, -0/+3)
* systime-fix: Add timeout option to stop waiting for valid system time (Tobias Brunner, 2017-11-08, 1 file, -0/+4)
  A certificate check is forced once the timeout is reached even if the system time appears to be invalid.
* eap-radius: Optionally send Class attributes in RADIUS accounting messages (Tobias Brunner, 2017-11-02, 1 file, -0/+4)
  If enabled, add the RADIUS Class attributes received in Access-Accept messages to RADIUS accounting messages as suggested by RFC 2865 section 5.25. Fixes #2451.
* sec-updater: Import SWID tags of updated packages (Andreas Steffen, 2017-09-09, 2 files, -0/+30)
  sec-updater downloads the deb package files from security updates from a given Linux repository and uses the swid_generator command to derive a SWID tag. The SWID tag is then imported into strongTNC using the manage.py importswid command.
* sw-collector: Moved info class to libimcv (Andreas Steffen, 2017-08-09, 1 file, -3/+0)
* conf: Descriptions of several settings updated (Tobias Brunner, 2017-08-08, 3 files, -12/+25)
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2017-08-07, 1 file, -1/+1)
* conf: Match more characters in _ and ** (Tobias Brunner, 2017-08-07, 1 file, -1/+1)
  \w does not match e.g. / but \S does.
* swid-gen: Share SWID generator between sw-collector, imc-swima and imc-swid (Andreas Steffen, 2017-08-04, 4 files, -15/+9)
* sw-collector: Added --full option (Andreas Steffen, 2017-08-03, 1 file, -0/+3)
* swanctl: Read default socket from swanctl.socket option (Tobias Brunner, 2017-07-27, 1 file, -1/+4)
  Also read from swanctl.plugins.vici.socket so we get libstrongswan.plugins.vici.socket if it is defined. Fixes #2372.
* conf: Add support to generate include statements in .conf files (Tobias Brunner, 2017-07-27, 1 file, -7/+33)
* curl: Enable following redirects (Tobias Brunner, 2017-07-27, 2 files, -0/+4)
  The maximum number of redirects can be limited. The functionality can also be disabled. Fixes #2366.
* sw-collector: sw-collector.first_file setting retrieves creation date from file stats (Andreas Steffen, 2017-07-26, 1 file, -0/+3)
* imv-swima: Implemented SW event processing (Andreas Steffen, 2017-07-08, 1 file, -2/+2)
* sw-collector: Query central collector database (Andreas Steffen, 2017-07-08, 1 file, -0/+12)
* sw-collector: Collects endpoint software events (Andreas Steffen, 2017-07-08, 2 files, -1/+19)
* imv-swima: Created SWIMA IMV plugin (Andreas Steffen, 2017-07-08, 2 files, -0/+6)
* imc-swima: Created SWIMA IMC plugin (Andreas Steffen, 2017-07-08, 2 files, -0/+20)
* eap-aka-3gpp: Add plugin that implements 3GPP MILENAGE algorithm in software (Tobias Brunner, 2017-07-05, 4 files, -2/+9)
  This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated with OPc) may be configured as binary EAP secret in ipsec.secrets or swanctl.conf. Based on a patch by Thomas Strangert. Fixes #2326.
* child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs (Tobias Brunner, 2017-05-23, 1 file, -0/+10)
  After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't destroy the CHILD_SA (and the inbound SA) immediately. We delay it a few seconds or until the SA expires to allow delayed packets to get processed. The CHILD_SA remains in state CHILD_DELETING until it finally gets destroyed.
* kernel-netlink: Use total retransmit timeout as acquire timeout (Tobias Brunner, 2017-05-23, 1 file, -3/+3)
  By using the total retransmit timeout, modifications of timeout settings automatically reflect on the value of xfrm_acq_expires. If set, the value of xfrm_acq_expires configured by the user takes precedence over the calculated value.
* ike: Use optional jitter to calculate retransmission timeouts (Tobias Brunner, 2017-05-23, 2 files, -1/+18)
  Also adds an optional limit to avoid very high retransmission timeouts with high numbers of retries.
* socket-default: Add an option to force the sending interface via IP_PKTINFO (Martin Willi, 2017-05-23, 1 file, -0/+6)
  On Linux, setting the source address is insufficient to force a packet to be sent over a certain path. The kernel uses the best route to select the outgoing interface, even if we set a source address of a lower priority interface. This is not only true for interfaces attaching to the same subnet, but also for unrelated interfaces; the kernel (at least on 4.7) sends out the packet on whatever interface it sees fit, even if that network does not expect packets from the source address we force to.

  When a better interface becomes available, strongSwan sends its MOBIKE address list update using the old source address. But the kernel sends that packet over the new best interface. If that network drops packets having the unexpected source address from the old path, the MOBIKE update fails and the SA finally times out.

  To enforce a specific interface for our packet, we explicitly set the interface index from the interface where the source address is installed. According to ip(7), this overrules the specified source address to the primary interface address. As this could have side effects on installations using multiple addresses on a single interface, we disable the option by default for now.

  This also allows using IPv6 link-local addresses, which won't work if the outbound interface is not set explicitly.
* attr-sql: Make release of online leases during startup optional (Tobias Brunner, 2017-05-19, 1 file, -0/+4)
  This cleanup prevents sharing the same DB between multiple VPN gateways.
* conf: Document recommended lower limit for SPIs (Tobias Brunner, 2017-03-23, 1 file, -0/+4)
* conf: Remove snippet for aikpub2 (Tobias Brunner, 2017-03-23, 2 files, -3/+0)
* The tpm plugin offers random number generation (Andreas Steffen, 2017-03-20, 2 files, -0/+3)
  The tpm plugin can be used to derive true random numbers from a TPM 2.0 device. The get_random method must be explicitly enabled in strongswan.conf with the plugin.tpm.use_rng = yes option.
* kernel: Make range of SPIs for IPsec SAs configurable (Tobias Brunner, 2017-03-02, 1 file, -0/+6)
* addrblock: Support an optional non-strict mode accepting certs without addrblock (Martin Willi, 2017-03-02, 2 files, -0/+9)
  This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
* ike-sa: Optionally try to migrate to the best path on routing priority changes (Martin Willi, 2017-02-17, 1 file, -0/+10)
  When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available.

  By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
* revocation: More accurately describe the flags to disable OCSP/CRL validation (Tobias Brunner, 2017-02-15, 1 file, -2/+2)
  These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled.
* bypass-lan: Allow ignoring or only considering subnets of specific interfaces (Tobias Brunner, 2017-02-08, 2 files, -0/+9)
  The config can also be reloaded by sending a SIGHUP to charon.
* pkcs11: Fix documentation of load_certs option (Tobias Brunner, 2017-02-06, 1 file, -2/+8)
  This option is actually module-specific.
* kernel-netlink: Allow change of Netlink socket receive buffer size (Thomas Egerer, 2017-01-25, 1 file, -0/+17)
  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* revocation: OCSP and/or CRL fetching can be disabled (Andreas Steffen, 2016-12-30, 2 files, -0/+8)
* vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk (Andreas Steffen, 2016-10-11, 1 file, -0/+6)
* nm: Make global CA directory configurable (Tobias Brunner, 2016-10-04, 2 files, -0/+4)
* ike: Set default IKE fragment size to 1280 (Tobias Brunner, 2016-10-04, 1 file, -4/+5)
  This is the minimum size an IPv6 implementation must support. This makes it the default for IPv4 too, which presumably is also generally routable (otherwise, setting this to 0 falls back to the minimum of 576 for IPv4).
* kernel-netlink: Support configuring XFRM policy hashing thresholds (Tobias Brunner, 2016-09-30, 1 file, -0/+29)
  If the number of flows over a gateway exceeds the flow cache size of the Linux kernel, policy lookup gets very expensive. Policies covering more than a single address don't get hash-indexed by default, which results in wasting most of the cycles in xfrm_policy_lookup_bytype() and its xfrm_policy_match() use. Starting with several hundred policies the overhead gets unacceptable.

  Starting with Linux 3.18, Linux can hash the first n-bit of a policy subnet to perform indexed lookup. With correctly chosen netbits, this can completely eliminate the performance impact of policy lookups, freeing the resources for ESP crypto.

  WARNING: Due to a bug in kernels 3.19 through 4.7, the kernel crashes with a NULL pointer dereference if a socket policy is installed while hash thresholds are changed. And because the hashtable rebuild triggered by the threshold change that causes this is scheduled it might also happen if the socket policies are seemingly installed after setting the thresholds. The fix for this bug - 6916fb3b10b3 ("xfrm: Ignore socket policies when rebuilding hash tables") - is included since 4.8 (and might get backported). As a workaround `charon.plugins.kernel-netlink.port_bypass` may be enabled to replace the socket policies that allow IKE traffic with port specific bypass policies.
* conf: Extend description of charon.plugins.kernel-netlink.xfrm_acq_expires (Tobias Brunner, 2016-08-29, 1 file, -5/+9)
* conf: aikpub2.opt added to Makefile.am (Andreas Steffen, 2016-08-25, 1 file, -0/+1)
* libtpmtss: Implemented TSS2 quote() method (Andreas Steffen, 2016-06-26, 1 file, -0/+3)
* libimcv: migrate pts to tpm_tss (Andreas Steffen, 2016-06-22, 1 file, -0/+3)
* Created libtpmtss library handling access to v1.2 and v2.0 TPMs (Andreas Steffen, 2016-06-22, 2 files, -2/+2)
* aikpub2: Convert TSS 2.0 AIK public key blob into PKCS#1 format (Andreas Steffen, 2016-06-22, 1 file, -0/+2)
* ike: Add configuration option to switch to preferring supplied proposals over local ones (Tobias Brunner, 2016-06-17, 1 file, -0/+5)
* p-cscf: Make sending requests configurable and disable it by default (Tobias Brunner, 2016-03-10, 2 files, -0/+12)