| Commit message (Collapse) | Author | Age | Files | Lines |
this implements gre key negotiation in ikev1 similarly to the
ipsec-tools patch in alpine.
the from/to port pair is internally used as gre key for gre
protocol traffic selectors. since from/to pairs 0/0xffff and
0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
will not work.
this is not standard compliant, and should probably not be upstreamed
or used widely, but it is applied for interoperability with alpine
racoon for the time being.
This is obsoleted by the new "timeout=-1" option that achieves
the same. Only for compatibility with old versions of quagga-nhrp.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Useful for monitoring and tracking full SA.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
This introduces support for specifying optional IKE SA specific
source and remote address for child SA initiation. This allows
initiating a wildcard connection for a known address via vici.
In addition this allows a simpler implementation of trap-any patches
and is a prerequisite for dmvpn support.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
libstrongswan and kernel-netlink are the only two components which do
not adhere to the naming scheme used for all other tests. If the tests
are run by an external application this imposes problems due to clashing
names.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.
Fixes #2461.
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.
Fixes #2457.
A certificate check is forced once the timeout is reached even if the
system time appears to be invalid.
If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
Fixes #2451.
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
We don't need to access this as uint32_t so just cast it to a char*.
The value of DHCP_OPTEND is 255. When it is assigned this results in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.
If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.
Fixes #2403.
When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.
References #2388.
This should cause the right SA to get used if there are multiple outbound
SAs and the policies are installed properly.
This prevented new listeners from receiving notifies if they joined
after another listener disconnected previously, and if they themselves
disconnected their old connection would prevent them again from getting
notifies.
Multiple CHILD_SAs sharing the same traffic selectors (e.g. during
make-before-break reauthentication) also have the same reqid assigned.
If all matching entries are removed we could end up without entry even
though an SA exists that still uses these traffic selectors.
Fixes #2373.
VIRTUAL is a new reserved keyword in MySQL 5.7.6 that caused some of these
queries to fail.
Fixes #2359.
References #2347.
This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated
with OPc) may be configured as binary EAP secret in ipsec.secrets or
swanctl.conf.
Based on a patch by Thomas Strangert.
Fixes #2326.
Interestingly, this doesn't show up in the regression tests because the
compiler removes the first assignment (and thus the allocation) due to
-O2 that's included in our default CFLAGS.
This avoids the unportable five pointer hack.
This avoids the unportable five pointer hack.
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
This way we only have to pass the traffic selectors once.
By using the total retransmit timeout, modifications of timeout settings
automatically reflect on the value of xfrm_acq_expires. If set, the
value of xfrm_acq_expires configured by the user takes precedence over
the calculated value.
When establishing a traffic-triggered CHILD_SA involves the setup of an
IKE_SA, more than one exchange is required. As a result the temporary
acquire state may have expired -- even if the acquire expiration
(xfrm_acq_expires) time is set properly (165 by default). The expire
message sent by the kernel is not processed in charon since no trap can
be found by the trap manager.
A possible solution could be to track allocated SPIs. But since this is
a corner case and the tracking introduces quite a bit of overhead, it
seems much more sensible to add a new state if the update of a state
fails with NOT_FOUND.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Upcoming FreeBSD kernels will support updating the addresses of existing
SAs with new SADB_X_EXT_NEW_ADDRESS_SRC|DST extensions for the SADB_UPDATE
message.
Makes it potentially easier to add new flags.
During initialization of the plugins the thread pool is not yet
initialized so there is no watcher thread that could handle the queued
Netlink message and the main thread will wait indefinitely for a
response.
Fixes #2199.