| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf | Tobias Brunner | 2017-11-08 | 1 | -0/+6 |
| Also document the rsa/pss prefix. | | | | |
| man: Fix documentation of inbound mark behavior in ipsec.conf(5) | Tobias Brunner | 2017-11-02 | 1 | -5/+5 |
| child-sa: Allow requesting different unique marks for in/out | Eyal Birger | 2017-08-07 | 1 | -1/+4 |
| When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy, for which the underlay 'template' does not match, and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic. Closes strongswan/strongswan#78. | | | | |
| stroke: Make 96-bit truncation for SHA-256 configurable | Tobias Brunner | 2017-05-26 | 1 | -0/+7 |
| Add an option to announce support for IKE fragmentation but not sending fragments | Tobias Brunner | 2017-05-23 | 1 | -6/+15 |
| man: Describe the tunneling of several subnets with IKEv1 in more detail | Noel Kuntze | 2017-03-23 | 1 | -1/+3 |
| man: Add note about modeconfig having to match | Noel Kuntze | 2017-03-23 | 1 | -0/+1 |
| man: Describe what happens when a FQDN is specified in left or right | Noel Kuntze | 2017-03-20 | 1 | -0/+5 |
| starter: Enable IKE fragmentation by default | Tobias Brunner | 2016-10-04 | 1 | -4/+5 |
| man: Update description of the esp keyword | Tobias Brunner | 2016-08-31 | 1 | -8/+19 |
| Clarifies how DH groups are applied, updates the proposal selection description, and ESN can now also be configured for IKEv1. References #1039. | | | | |
| man: Updated default proposals in ipsec.conf(5) | Tobias Brunner | 2016-03-11 | 1 | -4/+4 |
| auth-cfg: Make IKE signature schemes configurable | Tobias Brunner | 2016-03-04 | 1 | -4/+9 |
| This also restores the charon.signature_authentication_constraints functionality, that is, if no explicit IKE signature schemes are configured we apply all regular signature constraints as IKE constraints. | | | | |
| man: Update description of the actions performed for different dpdaction values | Tobias Brunner | 2015-11-18 | 1 | -7/+8 |
| For instance, charon does not unroute `auto=route` connections with `dpdaction=clear`. | | | | |
| man: Clarify identity parsing and identity type prefixes | Tobias Brunner | 2015-08-17 | 1 | -6/+58 |
| References #1028. | | | | |
| man: Clarification of ah keyword description | Adrian-Ken Rueegsegger | 2015-05-19 | 1 | -1/+1 |
| man: More accurately describe features of the new parser in ipsec.conf(5) | Tobias Brunner | 2015-03-20 | 1 | -46/+34 |
| man: Add documentation about IKEv2 signature schemes | Tobias Brunner | 2015-03-04 | 1 | -0/+15 |
| man: Describe trust chain constraints configuration for EAP methods | Martin Willi | 2015-03-03 | 1 | -1/+3 |
| ipsec-types: Support the %unique mark value | Martin Willi | 2015-02-20 | 1 | -1/+3 |
| man: Document IKEv2 fragmentation in ipsec.conf(5) | Tobias Brunner | 2015-02-10 | 1 | -4/+5 |
| stroke: Add support for address range definitions of in-memory pools | Tobias Brunner | 2014-10-30 | 1 | -1/+3 |
| man: Document identification type prefixes in ipsec.conf(5) | Martin Willi | 2014-10-30 | 1 | -2/+27 |
| man: Skip installation of ipsec.conf/secrets manpages when not building starter | Martin Willi | 2014-09-22 | 1 | -1/+5 |
| man: Document where left\|rightsigkey searches for public key files | Tobias Brunner | 2014-07-14 | 1 | -2/+3 |
| man: Document replay_window ipsec.conf option | Tobias Brunner | 2014-06-30 | 1 | -0/+9 |
| conf: Generate strongswan.conf(5) man page in different directory | Tobias Brunner | 2014-02-12 | 2 | -1783/+1 |
| plugin-loader: Optionally use load option in each plugin section to load plugins | Tobias Brunner | 2014-02-12 | 1 | -0/+9 |
| This now works because all plugins use the same config namespace. If `<ns>.load_modular` is true, the list of plugins to load is determined via the value of the `<ns>.plugins.<name>.load` options. Using includes, the following is possible: `charon { load_modular = yes plugins { include strongswan.d/charon/*.conf } }` and `charon-cmd { load_modular = yes plugins { include strongswan.d/charon-cmd/*.conf } }`, where each .conf file would contain something like `<name> { load = yes <option> = <value> }`. To increase the priority of individual plugins, `load = <priority>` can be used (the default is 1). For instance, to use openssl instead of the built-in crypto plugins, set in strongswan.d/charon/openssl.conf: `openssl { load = 10 }`. If two plugins have the same priority, their order in the default plugin list is preserved. Plugins not found in that list are ordered alphabetically before other plugins with the same priority. | | | | |
| libtls: Move settings to `<ns>.tls` with fallback to libtls | Tobias Brunner | 2014-02-12 | 1 | -13/+12 |
| lib: All settings use configured namespace | Tobias Brunner | 2014-02-12 | 1 | -142/+142 |
| ike: Restart inactivity counter after doing a CHILD_SA rekey | Martin Willi | 2014-01-23 | 1 | -1/+3 |
| When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity job is queued for a time unrelated to the rekey time, so it might happen that the inactivity job gets executed just after rekeying. If this happens, inactivity is detected even if we had traffic on the rekeyed CHILD_SA just before rekeying. This change implies that inactivity checks can't handle inactivity timeouts for rekeyed CHILD_SAs, and therefore requires that the inactivity timeout be shorter than the rekey time to have any effect. | | | | |
| man: Document xauth-pam session option | Martin Willi | 2014-01-23 | 1 | -0/+3 |
| stroke: Add an option to prevent log level changes via stroke socket | Tobias Brunner | 2014-01-23 | 1 | -0/+3 |
| man: Add documentation of the dhcp interface option | Thomas Egerer | 2014-01-20 | 1 | -0/+5 |
| Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com> | | | | |
| Fixed formatting in strongswan.conf | Andreas Steffen | 2013-12-03 | 1 | -3/+7 |
| Added DRBG automatic reseeding tests | Andreas Steffen | 2013-11-27 | 1 | -0/+4 |
| Any of the four NTRU parameter sets can be selected | Andreas Steffen | 2013-11-27 | 1 | -2/+2 |
| Make the NTRU parameter set configurable | Andreas Steffen | 2013-11-27 | 1 | -0/+5 |
| Implemented libstrongswan.plugins.random.strong_equals_true option | Andreas Steffen | 2013-11-16 | 1 | -0/+4 |
| man: strongswan.conf(5) updated | Tobias Brunner | 2013-10-29 | 1 | -5/+35 |
| ipsec.conf.5: Note about ICMP[v6] message type/code added | Tobias Brunner | 2013-10-17 | 1 | -0/+8 |
| unbound: Add support for DLV (DNSSEC Lookaside Validation) | Tobias Brunner | 2013-10-11 | 1 | -1/+9 |
| Fixes #392. | | | | |
| kernel-libipsec: Add an option to allow remote TS to match the IKE peer | Tobias Brunner | 2013-10-11 | 1 | -0/+7 |
| Setting the fwmark options for the kernel-netlink and socket-default plugins allows this kind of setup. It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make it work. | | | | |
| socket-default: Allow setting firewall mark on outbound packets | Tobias Brunner | 2013-10-11 | 1 | -0/+3 |
| kernel-netlink: Allow setting firewall marks on routing rule | Tobias Brunner | 2013-10-11 | 1 | -0/+5 |
| ipsec.conf: Add a description for the new 'ah' keyword. | Martin Willi | 2013-10-11 | 1 | -0/+41 |
| xauth-pam: Make trimming of email addresses optional (tag: 5.1.1dr4) | Tobias Brunner | 2013-10-04 | 1 | -0/+4 |
| Fixes #430. | | | | |
| kernel-netlink: Allow to override xfrm_acq_expires value | Ansis Atteka | 2013-09-23 | 1 | -0/+5 |
| When using auto=route, the current xfrm_acq_expires default value implies that the tunnel can be down for up to 165 seconds if the other peer rejected the first IKE request with an AUTH_FAILED or NO_PROPOSAL_CHOSEN error message. These error messages are completely normal in setups where another application pushes configuration to both strongSwans without waiting for acknowledgment that they have updated their configurations. This patch allows strongswan to override the xfrm_acq_expires default value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in strongswan.conf. Signed-off-by: Ansis Atteka <aatteka@nicira.com> | | | | |
| strongswan.conf: Use configured piddir for UNIX sockets | Tobias Brunner | 2013-09-13 | 1 | -6/+6 |
| Build generated man pages via configure script | Tobias Brunner | 2013-09-13 | 5 | -23/+14 |
| Make SWID directory where tags are stored configurable | Andreas Steffen | 2013-09-05 | 1 | -0/+3 |