| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently supports transport mode connections using IPv4 only, and requires
a unique mark configured on the connection.
To select the correct outbound SA when multiple connections match (i.e.
multiple peers connected from the same IP address / NAT router) marks must be
configured. This mark should usually be unique, which can be configured in
ipsec.conf using mark=0xffffffff.
The plugin inserts CONNMARK netfilter target rules: Any peer-initiated flow
is tagged with the assigned mark as connmark. On the return path, the mark
gets restored from the conntrack entry to select the correct outbound SA.
|
| | |
|
| |
|
|
|
|
|
|
| |
As with other configuration backends, XAuth is activated with a two round
client authentication using pubkey and xauth. In load-tester, this is configured
with initiator_auth=pubkey|xauth.
Fixes #835.
|
| |
|
|
|
|
|
|
|
|
|
| |
With make-before-break IKEv2 re-authentication, virtual IP addresses must be
assigned overlapping to the same peer. With the remote IKE address, the backend
can detect re-authentication attempts by comparing the remote host address and
port. This allows proper reassignment of the virtual IP if it is re-requested.
This change removes the mem-pool.reassign_online option, as it is obsolete now.
IPs get automatically reassigned if a peer re-requests the same address, and
additionally connects from the same address and port.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
While it has some tests that we don't directly cover with the new unit tests,
most of them require special infrastructure and therefore have not been used
for a long time.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Since pluto is gone, all existing users build upon libcharon.
|
| | |
|
| |
|
|
|
| |
When handling thousands of IKE_SAs, the unique ID based lookup is rather slow,
as we have no indexing.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
As we now use the same reqid for multiple CHILD_SAs with the same selectors,
having marks based on the reqid makes not that much sense anymore. Instead we
use unique marks that use a custom identifier. This identifier is reused during
rekeying, keeping the marks constant for any rule relying on it (for example
installed by updown).
This also simplifies handling of reqid allocation, as we do not have to query
the marks that is not yet assigned for an unknown reqid.
|
| |
|
|
|
|
| |
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When rekey_child_sa is called while enumerating the children of an IKE_SA, and
the child to be rekeyed is redundant a QUICK_DELETE task is queued instead of a
QUICK_MODE task. This alters the IKE_SA's list of children (ike_sa_t::child_sas)
invalidating the current element of the child_sa_enumerator. The enumerate
function of linked_list_t will then advance to an element with unpredictable
contents most likely resulting in an segmentation violation. A similar behavior
should be observed when delete_child_sa is called.
This patch creates a list of protocol/spi values while holding the
child_sa_enumerator and performs the rekeying (deletion of redundant) chlidren
after releasing the enumerator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| |
|
|
|
|
|
| |
While we fixed the wrong values in the description with d39e04b5, the example
values are still off by one.
Fixes #828.
|
| | |
|
| | |
|
| |
|
|
|
| |
When cancelling a builder, finalize throws an error which we might prefer
to avoid.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iOS and Mac OS X clients establish individual IPsec SAs for the traffic
selectors received in Split-Include attributes (might have been different
in earlier releases). If we return 0.0.0.0/0 as TSr that either results
in a bunch of Quick Mode exchanges (for each TS), or with the latest
client releases an error notify (ATTRIBUTES_NOT_SUPPORTED).
We also can't install the IPsec SA with all configured subnets as that
would cause conflicts if the client later negotiates SAs for other subnets,
which iOS 8 does based on traffic to such subnets.
For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to
override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept
the Quick Mode response. Likewise, we also have to narrow the TS before
installing the IPsec SAs and policies.
So we basically have to follow the client's proposal and only modify TSr
if we received 0.0.0.0/0. Since we don't get the original TS in the
narrow hook we handle the inbound QM messages and make note of IKE_SAs on
which we received a TSr of 0.0.0.0/0.
Fixes #737.
|
| |
|
|
|
|
| |
Similar to the inbound rules, the ALE filter processes IP-in-IP packets for
outbound tunnel mode traffic. When using an outbound default-drop policy,
Windows does not allow connection initiation without these explicit rules.
|
| |
|
|
|
|
|
|
|
|
|
| |
When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.
Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
As the underlying C functions, send/recv on ruby sockets are not guaranteed
to send/recv all requested bytes. Use wrapper functions to make sure we get
all bytes needed.
|
| |
|
|
| |
pki tool
|
| | |
|
| |
|
|
|
| |
If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.
|
| |
|
|
|
| |
It is not only simpler, but also allows the use of arbitrary high fd numbers,
which silently fails with select().
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
When invoking /bin/sh, its default PATH is used. On some systems, that does
not include the PATH where the ipsec script is installed, as charon is invoked
with a custom PATH. Explicitly setting the PATH of charon should fix this
case, properly invoking the (default) updown script.
Fixes #745.
|
| |
|
|
|
| |
This is the behavior of some strtol() implementations, and it makes sense,
so force it.
|
| | |
|
| |
|
|
|
| |
For non-direct libstrongswan users, the deinitialization segfaults because
of the missing worker thread cancellation.
|
| |
|
|
| |
We want to avoid libvici users to get a cluttered stderr for no real error.
|
| |
|
|
|
|
|
|
| |
As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.
|
