| Commit message | Author | Age | Files | Lines |
| |
This allows us to install more than one FWD policy. We already do this
in the kernel-pfkey plugin (there the original reason was that not all
kernels support FWD policies).
| |
Closes strongswan/strongswan#40.
| |
Or the invoked script will get a broken value when `mark=%unique` is
used in a configuration.
Closes strongswan/strongswan#37.
| |
Fixes #1365.
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
| |
References #1347.
| |
Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock. So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.
By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior. This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.
Fixes #1185.
| |
Same as the change in the connmark plugin.
References #1229.
| |
This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.
Fixes #1230.
| |
By setting a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).
Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.
Fixes #1229.
| |
Numerically configured attributes are currently sent for both versions.
| |
This also leaves unmodified configs as they are.
| |
in the request
| |
This is a feature currently supported by stroke.
| |
This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
| |
This avoids confusion and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=0.0.0.0/0).
| |
This allows redirecting IKE_SAs by multiple different selectors, if none
are given all SAs are redirected.
| |
This moves hydra->kernel_interface to charon->kernel.
| |
Basically the same issue as with the connmark plugin.
Fixes #1212.
| |
The structs that make up a message sent to the kernel all have to be
aligned with XT_ALIGN. That was not necessarily the case when
initializing the complete message as struct.
Fixes #1212.
| |
Closes strongswan/strongswan#34.
| |
Instead of sending 'no' it is omitted when an SA goes down.
| |
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring an "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
| |
We already do this for the other kernel interfaces.
Fixes e1e88d5adde0 ("libipsec: Don't attempt deletion of any non-IPsec policies")
| |
Otherwise, libcharon's dependency on kernel-ipsec can't be satisfied.
This changed with db61c37690b5 ("kernel-interface: Return bool for
kernel interface registration") as the registration of further
kernel-ipsec implementations now fails and therefore even if other
plugins are loaded the dependency will not be satisfied anymore.
References #953.
| |
To handle Phase 2 exchanges on the other HA host we need to sync the last
block of the last Phase 1 message (or the last expected IV). If the
gateway is the initiator of a Main Mode SA the last message is an
inbound message. When handling such messages the expected IV is not
updated until it is successfully decrypted so we can't sync the IV
when processing the still encrypted (!plain) message. However, as responder,
i.e. if the last message is an outbound message, the reverse applies, that
is, we get the next IV after successfully encrypting the message, not
while handling the plain message.
Fixes #1267.
| |
References #1267.
| |
It is required for IKEv1 to determine the DH group of the CHILD SAs
during rekeying. It also fixes the status output for HA SAs, which so
far haven't shown the DH group on the passive side.
Fixes #1267.