Commit message | Author | Age | Files | Lines
---|---|---|---|---
auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf | Tobias Brunner | 2017-11-08 | 1 | -0/+6
Also document the rsa/pss prefix. | | | |
man: Fix documentation of inbound mark behavior in ipsec.conf(5) | Tobias Brunner | 2017-11-02 | 1 | -5/+5
child-sa: Allow requesting different unique marks for in/out | Eyal Birger | 2017-08-07 | 1 | -1/+4
When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic. Closes strongswan/strongswan#78. | | | |
stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -0/+7
Add an option to announce support for IKE fragmentation but not sending fragments | Tobias Brunner | 2017-05-23 | 1 | -6/+15
man: Describe the tunneling of several subnets with IKEv1 in more detail | Noel Kuntze | 2017-03-23 | 1 | -1/+3
man: Add note about modeconfig having to match | Noel Kuntze | 2017-03-23 | 1 | -0/+1
man: Describe what happens when a FQDN is specified in left or right | Noel Kuntze | 2017-03-20 | 1 | -0/+5
starter: Enable IKE fragmentation by default | Tobias Brunner | 2016-10-04 | 1 | -4/+5
man: Update description of the esp keyword | Tobias Brunner | 2016-08-31 | 1 | -8/+19
Clarifies how DH groups are applied, updates the proposal selection description, and ESN can now also be configured for IKEv1. References #1039. | | | |
man: Updated default proposals in ipsec.conf(5) | Tobias Brunner | 2016-03-11 | 1 | -4/+4
auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 | -4/+9
This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints. | | | |
man: Update description of the actions performed for different dpdaction values | Tobias Brunner | 2015-11-18 | 1 | -7/+8
For instance, charon does not unroute `auto=route` connections with `dpdaction=clear`. | | | |
man: Clarify identity parsing and identity type prefixes | Tobias Brunner | 2015-08-17 | 1 | -6/+58
References #1028. | | | |
man: Clarification of ah keyword description | Adrian-Ken Rueegsegger | 2015-05-19 | 1 | -1/+1
man: More accurately describe features of the new parser in ipsec.conf(5) | Tobias Brunner | 2015-03-20 | 1 | -46/+34
man: Add documentation about IKEv2 signature schemes | Tobias Brunner | 2015-03-04 | 1 | -0/+15
man: Describe trust chain constraints configuration for EAP methods | Martin Willi | 2015-03-03 | 1 | -1/+3
ipsec-types: Support the %unique mark value | Martin Willi | 2015-02-20 | 1 | -1/+3
man: Document IKEv2 fragmentation in ipsec.conf(5) | Tobias Brunner | 2015-02-10 | 1 | -4/+5
stroke: Add support for address range definitions of in-memory pools | Tobias Brunner | 2014-10-30 | 1 | -1/+3
man: Document identification type prefixes in ipsec.conf(5) | Martin Willi | 2014-10-30 | 1 | -2/+27
man: Document where left\|rightsigkey searches for public key files | Tobias Brunner | 2014-07-14 | 1 | -2/+3
man: Document replay_window ipsec.conf option | Tobias Brunner | 2014-06-30 | 1 | -0/+9
ike: Restart inactivity counter after doing a CHILD_SA rekey | Martin Willi | 2014-01-23 | 1 | -1/+3
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout is shorter than the rekey time to have any effect. | | | |
ipsec.conf.5: Note about ICMP[v6] message type/code added | Tobias Brunner | 2013-10-17 | 1 | -0/+8
ipsec.conf: Add a description for the new 'ah' keyword. | Martin Willi | 2013-10-11 | 1 | -0/+41
Build generated man pages via configure script | Tobias Brunner | 2013-09-13 | 1 | -1/+1
man: add support for multiple addresses/ranges/subnets in ipsec.conf left= | Martin Willi | 2013-09-04 | 1 | -3/+10
man: update ipsec.conf modeconfig keyword | Martin Willi | 2013-09-04 | 1 | -2/+1
Fix various API doc issues and typos | Tobias Brunner | 2013-07-18 | 1 | -1/+1
Partially based on an old patch by Adrian-Ken Rueegsegger. | | | |
ipsec.conf.5: closeaction is now supported for IKEv1 | Tobias Brunner | 2013-07-17 | 1 | -2/+1
stroke: Changed how proto/port are specified in left\|rightsubnet | Tobias Brunner | 2013-06-28 | 1 | -6/+7
Using a colon as separator conflicts with IPv6 addresses. | | | |
man: update ipsec.conf.5, describing new proto/port definition within leftsubnet | Martin Willi | 2013-06-19 | 1 | -24/+34
Load any type (RSA/ECDSA) of public key via left\|rightsigkey | Tobias Brunner | 2013-05-07 | 1 | -4/+6
left\|rightrsasigkey accepts SSH keys but the key format has to be specified explicitly | Tobias Brunner | 2013-05-07 | 1 | -3/+9
The default is now PKCS#1. With the dns: and ssh: prefixes other formats can be selected. | | | |
Merge branch 'multi-cert' | Martin Willi | 2013-03-01 | 1 | -0/+4
Allows the configuration of multiple certificates in leftcert, and selects the correct certificate to use based on the received certificate requests. | | | |
Add ipsec.conf.5 updates regarding multiple certificates in leftcert | Martin Willi | 2013-01-18 | 1 | -0/+4
Merge branch 'opaque-ports' | Martin Willi | 2013-03-01 | 1 | -0/+8
Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends. | | | |
Document ipsec.conf leftprotoport extensions in manpage | Martin Willi | 2013-02-21 | 1 | -0/+8
Add ikedscp documentation to ipsec.conf.5 | Martin Willi | 2013-02-06 | 1 | -0/+5
Added an option that allows forcing IKEv1 fragmentation | Tobias Brunner | 2013-01-12 | 1 | -4/+9
Use a connection specific option to en-/disable IKEv1 fragmentation | Tobias Brunner | 2012-12-24 | 1 | -0/+10
Updated ipsec.conf.5 regarding (CA) certificates loaded from smartcards | Martin Willi | 2012-10-24 | 1 | -5/+7
Add leftcert ipsec.conf.5 documentation about smartcard certificates | Martin Willi | 2012-10-24 | 1 | -0/+12
Add ipsec.conf.5 documentation for explicit PRFs in IKE proposals | Martin Willi | 2012-10-24 | 1 | -7/+17
Update ipsec.conf.5, leftsubnet can handle multiple subnets in IKEv1 with Unity | Martin Willi | 2012-09-18 | 1 | -2/+3
Set AUTH_RULE_IDENTITY_LOOSE for rightid=%<identity> | Tobias Brunner | 2012-09-18 | 1 | -0/+12
Some updates to ipsec.conf(5) man page | Tobias Brunner | 2012-09-12 | 1 | -49/+70
Add uniqueids=never to ignore INITIAL_CONTACT notifies | Tobias Brunner | 2012-09-10 | 1 | -9/+16
With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies. | | | |