aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/plugins/unity/unity_narrow.c
Commit message (Collapse)AuthorAgeFilesLines
* unity: Reference IKE_SAs by the IKEv1 COOKIEs, improving lookup performanceMartin Willi2015-02-201-2/+2
| | | | | When handling thousands of IKE_SAs, the unique ID based lookup is rather slow, as we have no indexing.
* unity: Only do narrowing of responder's TS if we received 0.0.0.0/0Tobias Brunner2014-12-051-2/+84
| | | | | | | | | | | | | | | | | | | | | | | iOS and Mac OS X clients establish individual IPsec SAs for the traffic selectors received in Split-Include attributes (might have been different in earlier releases). If we return 0.0.0.0/0 as TSr that either results in a bunch of Quick Mode exchanges (for each TS), or with the latest client releases an error notify (ATTRIBUTES_NOT_SUPPORTED). We also can't install the IPsec SA with all configured subnets as that would cause conflicts if the client later negotiates SAs for other subnets, which iOS 8 does based on traffic to such subnets. For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept the Quick Mode response. Likewise, we also have to narrow the TS before installing the IPsec SAs and policies. So we basically have to follow the client's proposal and only modify TSr if we received 0.0.0.0/0. Since we don't get the original TS in the narrow hook we handle the inbound QM messages and make note of IKE_SAs on which we received a TSr of 0.0.0.0/0. Fixes #737.
* unity: Do not bump TS to 0.0.0.0/0 as initiator when no Split-Include receivedMartin Willi2014-08-251-1/+21
| | | | | | | When having the unity plugin enabled and both peers send the Unity Vendor ID, we proposed 0.0.0.0/0 as traffic selector, even if no Split-Include has been received on the SA. This can break compatibility with some responders, as they don't narrow the TS themselves, but expect the configured TS.
* unity: Handle narrowing according to roles in the IKE_SATobias Brunner2014-08-251-16/+33
| | | | | | Since the narrow hook types reflect the roles in the Quick Mode exchange the plugin behaved incorrectly if the server initiated the CHILD_SA rekeying.
* unity: Change local TS to 0.0.0.0/0 as responderTobias Brunner2014-01-231-4/+7
| | | | | Cisco clients and Shrew expect a remote TS of 0.0.0.0/0 if Unity is used, otherwise Quick Mode fails.
* unity: Replicate default behavior if no UNITY_SPLIT_INCLUDE attributes were ↵Tobias Brunner2013-07-171-11/+32
| | | | received
* As Unity responder, don't change the proposed TS at all, racoon doesn't like ↵Martin Willi2012-09-181-7/+4
| | | | that
* As initiator, narrow received Unity attributes to configured TSMartin Willi2012-09-181-4/+11
|
* When using Unity, bump up remote TS as initiator to 0.0.0.0/0, tooMartin Willi2012-09-181-5/+8
|
* Enable Cisco Unity only if Unity vendor id receivedMartin Willi2012-09-181-1/+2
|
* Exchange 0.0.0.0/0 traffic selectors with Unity, narrowing after exchangeMartin Willi2012-09-181-22/+87
|
* Check if subset calculation actually yields a TS in Unity narrowingMartin Willi2012-09-181-1/+5
|
* Add Cisco Unity client support for Split-Include and Local-LANMartin Willi2012-09-181-0/+94