path: root/src/frontends/android/jni/libandroidbridge/backend/android_service.c
Commit message (Author, Age, Files, Lines)
* android: Migrate to the Gradle build system (Tobias Brunner, 2015-11-12, 1 file, -848/+0)
|   This uses a manual way to trigger the NDK build (the default with on-the-fly Android.mk files does not work for us).
* android: Apply configured server port (Tobias Brunner, 2015-07-28, 1 file, -1/+4)
|
* android: Apply configured MTU (Tobias Brunner, 2015-07-28, 1 file, -4/+8)
|   While it is stored as property of individual profiles it is really a global setting because we currently don't support more than one connection.
* android: Encode connection settings as single Java string argument (Tobias Brunner, 2015-07-28, 1 file, -49/+31)
|   This makes adding new configuration settings easier.
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqid (Martin Willi, 2015-02-20, 1 file, -1/+1)
|
* ike-sa-manager: Remove IKE_SA checkout by CHILD_SA reqid (Martin Willi, 2015-02-20, 1 file, -2/+1)
|
* android: Enable IKEv2 fragmentation (Tobias Brunner, 2014-11-06, 1 file, -1/+1)
|
* android: Use %any as AAA identity, but disable EAP-only authentication (Tobias Brunner, 2014-11-06, 1 file, -5/+3)
|   Without verification of the identity we can't prevent a malicious user with a valid certificate from impersonating the AAA server and thus the VPN gateway. So unless we make the AAA identity configurable we have to prevent EAP-only authentication.
* android: Handle EAP-TLS in Android service (Tobias Brunner, 2014-11-06, 1 file, -6/+19)
|
* android: Reduce CHILD_SA lifetime (Tobias Brunner, 2014-09-12, 1 file, -2/+2)
|
* android: Add DH groups to ESP proposals (Tobias Brunner, 2014-09-12, 1 file, -2/+12)
|
* android: Reestablish IKE_SA if CHILD_SA rekeying failed (Tobias Brunner, 2014-09-12, 1 file, -3/+36)
|
* android: Report error if CHILD_SA rekeying fails (Tobias Brunner, 2014-09-12, 1 file, -0/+6)
|
* android: For keyingtries > 0 notify the GUI if the limit is reached when reestablishing (Tobias Brunner, 2014-07-22, 1 file, -0/+17)
|   The IKE_SA is destroyed anyway, so letting the GUI remain in "connecting" state would be incorrect. We still use keyingtries=0 for now, though. And we still abort after the first failed attempt initially, in case there is a configuration error.
* android: Terminate IKE_SA if initial IKE_SA_INIT fails (Tobias Brunner, 2014-07-22, 1 file, -1/+23)
|   Since VpnStateService.disconnect() is now not called until the error dialog is dismissed the daemon would continue to try connecting. So while the error dialog is shown the connection might actually be successfully established in the background, which is not intended. This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of the second connection attempt (due to keyingtries=0).
* android: Only allow DNS queries for the configured hostname (Tobias Brunner, 2014-07-22, 1 file, -0/+2)
|
* android: Recreate the TUN device without DNS when reestablishing IKE_SAs (Tobias Brunner, 2014-07-22, 1 file, -0/+38)
|   This enables DNS resolution while reestablishing if the VPN gateway pushed DNS servers to the client that are only reachable via VPN.
* android: Use DNS proxy when reestablishing IKE_SAs (Tobias Brunner, 2014-07-22, 1 file, -4/+44)
|
* bus: Add ike_reestablish_pre hook, called before DNS resolution (Tobias Brunner, 2014-07-22, 1 file, -4/+5)
|   The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed.
* android: Set CHILD_STATE_DOWN when the IKE_SA gets reestablished (Tobias Brunner, 2014-07-22, 1 file, -1/+7)
|
* android: Set CHILD_STATE_DOWN whenever the CHILD_SA goes down (Tobias Brunner, 2014-07-22, 1 file, -6/+0)
|   No matter what triggers it. We also don't close the TUN device, but we might handle that differently in the future to allow reestablishing the IKE_SA if host names have to be re-resolved via DNS.
* ike: Add an additional but separate AEAD proposal to IKE config, if supported (Martin Willi, 2014-05-16, 1 file, -0/+1)
|
* ike: support multiple addresses, ranges and subnets in IKE address config (Martin Willi, 2013-09-04, 1 file, -2/+2)
|   Replace the allowany semantic by a more powerful subnet and IP range matching. Multiple addresses, DNS names, subnets and ranges can be specified in a comma separated list. Initiators ignore the ranges/subnets, responders match configurations against all addresses, ranges and subnets.
* peer-cfg: add a pull/push mode option to use with mode config (Martin Willi, 2013-09-04, 1 file, -1/+1)
|
* android: Add new VpnType to enable BYOD features (Tobias Brunner, 2013-07-08, 1 file, -3/+9)
|
* android: Use stronger ESP proposal including AES-GCM (Tobias Brunner, 2013-05-03, 1 file, -0/+6)
|
* android: Also request a virtual IPv6 address and propose IPv6 TS (Tobias Brunner, 2013-03-20, 1 file, -7/+17)
|   This allows IPv6 over IPv4 but falls back nicely if we don't get a virtual IPv6 (or IPv4) address.
* android: Add support for combined certificate and EAP authentication (Tobias Brunner, 2013-03-07, 1 file, -27/+50)
|   This uses RFC 4739 multiple authentication rounds to first authenticate the client with a certificate followed by an EAP authentication round with username and password.
* android: Mitigate race condition on reauthentication (Tobias Brunner, 2013-03-01, 1 file, -0/+4)
|   If the TUN device gets recreated while another thread in handle_plain() has not yet called select(2) but already stored the file descriptor of the old TUN device in its FD set, select() will fail with EBADF. Fixes #301.
* Add a DSCP configuration value to IKE configs (Martin Willi, 2013-02-06, 1 file, -1/+1)
|
* Added an option that allows to force IKEv1 fragmentation (Tobias Brunner, 2013-01-12, 1 file, -1/+2)
|
* Use a connection specific option to en-/disable IKEv1 fragmentation (Tobias Brunner, 2012-12-24, 1 file, -1/+1)
|
* Remove version argument on peer_cfg constructor, use ike_cfg version instead (Martin Willi, 2012-10-24, 1 file, -1/+1)
|
* Add IKE version information to ike_cfg_t (Martin Willi, 2012-10-24, 1 file, -1/+1)
|
* android: Ignore if peer is unreachable when reestablishing an SA (Tobias Brunner, 2012-10-18, 1 file, -2/+7)
|
* android: Use keyingtries=%forever and dpd|closeaction=restart (Tobias Brunner, 2012-10-18, 1 file, -3/+3)
|   We also ignore the CHILD_SA_DOWN event. This should allow us to keep the connection up as long as the user does not manually disconnect.
* android: Handle unreachable peers via alert (Tobias Brunner, 2012-10-16, 1 file, -17/+5)
|
* android: Use 0.0.0.0/0 as local traffic selector (Tobias Brunner, 2012-10-16, 1 file, -1/+2)
|   This is helpful if the responder also wants to tunnel e.g. multicast packages.
* android: Determine source address dynamically (Tobias Brunner, 2012-10-16, 1 file, -10/+3)
|
* android: Don't use the default ESP proposal as it includes unsupported algorithms (Tobias Brunner, 2012-10-16, 1 file, -1/+4)
|
* android: Use AUTH_RULE_IDENTITY_LOOSE (Tobias Brunner, 2012-09-18, 1 file, -0/+1)
|
* android: Properly handle reauthentication initiated by the client (Tobias Brunner, 2012-09-06, 1 file, -7/+42)
|
* Merge branch 'android-client-cert' (Tobias Brunner, 2012-09-04, 1 file, -8/+64)
|\
| |   Introduces IKEv2 client certificate authentication for the Android App.
| * android: Native parts handle ikev2-cert VPN type (Tobias Brunner, 2012-08-31, 1 file, -8/+63)
| |
* | Support multiple address pools configured on a peer_cfg (Martin Willi, 2012-08-30, 1 file, -1/+1)
| |
* | Support multiple virtual IPs on peer_cfg and ike_sa classes (Martin Willi, 2012-08-30, 1 file, -8/+22)
|/
* Job added which handles plain text packets read from TUN device (Tobias Brunner, 2012-08-13, 1 file, -1/+63)
|
* Added a handler that writes inbound plain text packets to the TUN device (Tobias Brunner, 2012-08-13, 1 file, -0/+35)
|
* Add simple callbacks to receive/send ESP packets via libipsec/receiver. (Tobias Brunner, 2012-08-13, 1 file, -0/+31)
|
* Add routes based on the installed IPsec policies to the TUN device builder (Tobias Brunner, 2012-08-13, 1 file, -0/+46)
|