| Commit message (Collapse) | Author | Age | Files | Lines |
On Linux, setting the source address is insufficient to force a packet to be
sent over a certain path. The kernel uses the best route to select the outgoing
interface, even if we set a source address of a lower priority interface. This
is not only true for interfaces attaching to the same subnet, but also for
unrelated interfaces; the kernel (at least on 4.7) sends out the packet on
whatever interface it sees fit, even if that network does not expect packets
from the source address we force.
When a better interface becomes available, strongSwan sends its MOBIKE address
list update using the old source address. But the kernel sends that packet over
the new best interface. If that network drops packets having the unexpected
source address from the old path, the MOBIKE update fails and the SA finally
times out.
To enforce a specific interface for our packet, we explicitly set the interface
index from the interface where the source address is installed. According to
ip(7), this overrules the specified source address to the primary interface
address. As this could have side effects on installations using multiple
addresses on a single interface, we disable the option by default for now.
This also allows using IPv6 link-local addresses, which won't work if
the outbound interface is not set explicitly.
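The mechanism the commit message describes (pinning the outbound interface via the interface index rather than relying on the source address) corresponds to the IP_PKTINFO ancillary data documented in ip(7). The following is an added example, not strongSwan's own code: it builds such a control message with a hypothetical helper, and a second helper reads the pinned index back so the intent can be verified before the buffer is handed to sendmsg(). IPv4 only; the interface index and source address in the test are constructed values.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>

/* Fill buf with one IP_PKTINFO control message that pins the outbound
 * interface to ifindex (ipi_ifindex) and names src as the preferred source
 * address (ipi_spec_dst). Returns the length to use as msg_controllen, or 0
 * if buf is too small. Hypothetical helper, not strongSwan code. */
size_t build_pktinfo_cmsg(int ifindex, struct in_addr src, void *buf, size_t buflen)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct in_pktinfo *pi;
    size_t space = CMSG_SPACE(sizeof(struct in_pktinfo));

    if (buflen < space)
        return 0;
    memset(buf, 0, space);
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = buf;
    msg.msg_controllen = space;
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    pi = (struct in_pktinfo *)CMSG_DATA(cmsg);
    pi->ipi_ifindex = ifindex;  /* kernel sends out of this interface, per ip(7) */
    pi->ipi_spec_dst = src;     /* requested source; the interface choice wins */
    return space;
}

/* Parse the control buffer back: returns the pinned interface index, or -1
 * if there is no IP_PKTINFO message. Lets a caller or test confirm what will
 * actually be passed to sendmsg(). */
int pktinfo_cmsg_ifindex(void *buf, size_t len)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_control = buf;
    msg.msg_controllen = len;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != IPPROTO_IP || cmsg->cmsg_type != IP_PKTINFO)
        return -1;
    return ((struct in_pktinfo *)CMSG_DATA(cmsg))->ipi_ifindex;
}
```

To use it on a UDP socket, point msghdr.msg_control at the filled buffer, set msg_controllen to the returned length, and pass the msghdr to sendmsg(); the index itself comes from if_nametoindex() on the interface that holds the source address.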
fragments
We already do this for load-token and this should simplify client
implementations.
This cleanup prevents sharing the same DB between multiple VPN gateways.
Line 66 yields "TypeError: can't concat bytes to str" using Python 3.4.
"requestdata" was introduced in 22f08609f1b6 but is not actually used.
Since the original "request" is not used anywhere else, this can be changed
to be similar to the other UTF-8 encoding changes in that commit.
Fixes: 22f08609f1b6 ("vici: Explicitly set the Python encoding type").
Closes strongswan/strongswan#66.
responses
When constructing the result, all responses from Netlink were concatenated
iteratively, i.e. for each response, the previously acquired result was
copied to newly allocated memory and the current response appended to it.
This results in O(n^2) copy operations. Instead, we now check for the
total final length of the result and copy the individual responses to it
in one pass, i.e. in O(n) copy operations. In particular, this issue caused
very high CPU usage in the memcpy() function as the result is copied over and
over. A common way to hit the issue is having 1000+ routes and 5+
connecting clients a second. In that case, the memcpy() function can
take 50%+ of one CPU thread on a decent CPU and the whole charon daemon
is stuck just reading routes and concatenating them together (connecting
clients are blocked in that particular case as this is done under a mutex).
Closes strongswan/strongswan#65.
References #2055.
If the original responder narrows the selectors of its peer in addrblock,
the peer gets a subset of those selectors. However, once the original responder
initiates rekeying of that CHILD_SA, it sends the full selectors to the peer,
and then narrows the received selectors locally for the installation only.
This is insufficient, as the peer ends up with wider selectors, sending traffic
that the original responder will reject due to the stricter IPsec policy. So
additionally narrow the selectors when rekeying CHILD_SAs before sending the
TS list to the peer.
This is different if `ike` and `child` are provided and uninstall()
fails as we call that without knowing whether a matching shunt exists.
But if `ike` is not provided we explicitly search for a matching shunt
and if found don't need to look for a trap policy.
Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.
This allows a gateway to enforce the addrblock policy on certificates that
actually have the extension only. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.
Fixes: 8d96f90a7983 ("vici: Add function to test if an event should be
generated")
This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.
The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).
The original name is returned in the new "name" attribute.
This fixes an issue with bindings that map VICI messages to
dictionaries. For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.
sections
Probably not that useful via swanctl.conf but could be when used via VICI.
PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI. Since they are not explicitly loaded as
shared secrets via VICI a client might consider them as removed secrets and
remove them.
The two names are also transmitted in separate keys.
Also adds an `ike` parameter to the `uninstall` command.
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
Fixes #1002.
Fixes #2170.
This identifier can be set when adding/replacing a secret. The unique
identifiers of all secrets may be enumerated.
They are identified by their SHA-1 key identifier.
After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.
To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).
For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.
For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourselves.
Doing kernel-based route lookups is not only faster with many routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.
When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain
uses.
When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici usable in
splitbrain contexts.
The config can also be reloaded by sending a SIGHUP to charon.
Currently, only the kernel-netlink plugin supports this, the others will
just ignore it.
subnets