path: root/src/libcharon/sa/ike_sa.c
Commit message | Author | Age | Files | Lines
* bus: Add a handle_vips() hook invoked after handling configuration attributes | Martin Willi | 2014-06-17 | 1 | -0/+1
| Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peer after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA | Martin Willi | 2014-06-16 | 1 | -0/+21
|
* ike: Store unhandled attributes on IKE_SA as well | Martin Willi | 2014-06-16 | 1 | -2/+5
|
* ikev2: Apply extensions and conditions before starting rekeying | Martin Willi | 2014-04-17 | 1 | -0/+6
| The extensions and conditions apply to the rekeyed IKE_SA as well, so we should migrate them. Especially when using algorithms from private space, we need EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying | Martin Willi | 2014-04-17 | 1 | -2/+14
|
* libcharon: Use lib->ns instead of charon->name | Tobias Brunner | 2014-02-12 | 1 | -3/+3
|
* ike: Simplify error handling if name resolution failed | Tobias Brunner | 2014-01-23 | 1 | -16/+3
| This avoids a second name resolution attempt just to determine if %any etc. was configured. Fixes #440.
* ike: Use proper hostname(s) when name resolution failed | Tobias Brunner | 2014-01-23 | 1 | -1/+1
| Was wrong since 0edce687675df8f10f4026fa12a8fc3b3dd003f5. Fixes #440.
* ike_sa: Defer task manager destruction after child destruction | Thomas Egerer | 2014-01-16 | 1 | -1/+5
| This patch exports the task manager's flush to allow flushing of all queues with one function call from ike_sa->destroy. It allows the access of intact children during task destruction (see git-commit e44ebdcf) and allows the access of the task manager in child_state_change hook.
| Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying | Martin Willi | 2013-11-01 | 1 | -0/+8
| Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which is perfectly valid. For short(er) DPD delays, this leads to the situation where we send a DPD request during set_state(), but the IKE_SA has no hosts set yet. Avoid that DPD by resetting the INBOUND timestamp during set_state().
* ike-sa: Resolve hosts before reestablishing an IKE_SA | Tobias Brunner | 2013-09-23 | 1 | -0/+2
|
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addr | Martin Willi | 2013-09-04 | 1 | -1/+1
|
* ike-sa: use ike_cfg resolver functions | Martin Willi | 2013-09-04 | 1 | -16/+12
|
* ike: Fix reestablishing SAs if no child-creating tasks are queued | Tobias Brunner | 2013-07-18 | 1 | -2/+5
|
* ike-sa: uninstall CHILD_SAs before removing virtual IPs | Martin Willi | 2013-07-18 | 1 | -1/+8
| a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SA | Tobias Brunner | 2013-07-17 | 1 | -1/+39
|
* ike-sa: use arrays instead of linked lists in long lived collections | Martin Willi | 2013-07-17 | 1 | -116/+98
| This saves about 1.5KB of memory per IKE_SA.
* ike: Resolve hosts only for address families currently supported | Tobias Brunner | 2013-07-05 | 1 | -3/+16
|
* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restart | Tobias Brunner | 2013-07-01 | 1 | -1/+2
|
* Reuse reqid for trap policies installed for dpd|closeaction=hold | Tobias Brunner | 2013-07-01 | 1 | -1/+2
|
* Use ref_get() to make sure IKE_SA unique IDs are unique | Martin Willi | 2013-06-11 | 1 | -2/+2
|
* Don't unset IKE_SA on bus before we released virtual IPs and attributes | Martin Willi | 2013-05-06 | 1 | -10/+8
|
* emit a single assign_vips bus message for all VIPs | Andreas Steffen | 2013-04-06 | 1 | -6/+8
|
* ifmap plugin subscribes to assign_vip bus signal | Andreas Steffen | 2013-04-06 | 1 | -0/+6
|
* Raise an alert if an IKE_SA could not have been reauthenticated and expires | Martin Willi | 2013-03-14 | 1 | -0/+4
|
* child_sa_t.get_usestats() can additionally return the number of processed packets | Martin Willi | 2013-03-14 | 1 | -1/+1
* Without MOBIKE, update remote host only if it is behind NAT | Martin Willi | 2013-03-01 | 1 | -2/+3
|
* Move initial message dropping to task manager | Martin Willi | 2013-02-25 | 1 | -18/+0
| When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
* Set configured DSCP value while generating IKE packets | Martin Willi | 2013-02-06 | 1 | -1/+26
|
* Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments | Tobias Brunner | 2012-12-24 | 1 | -1/+2
| Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges.
* Inherit virtual IP and attributes from old to new, not from new to old | Martin Willi | 2012-12-10 | 1 | -5/+5
|
* Don't wait while removing external IPs used for load testing | Martin Willi | 2012-11-29 | 1 | -2/+3
|
* Install virtual IPs via interface name, and use an interface lookup where required | Martin Willi | 2012-11-29 | 1 | -5/+16
* Add an optional kernel-interface parameter to install IPs with a custom prefix | Martin Willi | 2012-11-29 | 1 | -4/+4
|
* Moved data structures to new collections subfolder | Tobias Brunner | 2012-10-24 | 1 | -1/+1
|
* Added a new alert that is raised if peer does not respond to initial IKE message | Tobias Brunner | 2012-10-16 | 1 | -0/+2
|
* IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled | Tobias Brunner | 2012-09-25 | 1 | -1/+4
| Fixes #229.
* Pass full pool list to release_address | Martin Willi | 2012-09-11 | 1 | -13/+8
|
* Only initiate an exchange from send_dpd() if a task was actually queued | Tobias Brunner | 2012-09-07 | 1 | -2/+8
| Otherwise, the initiator would prematurely initiate Quick Mode if it has DPD enabled and XAuth is used.
* Trigger ike_updown event caused by retransmits only after reestablish() has been called | Tobias Brunner | 2012-09-06 | 1 | -0/+4
| This allows listeners to migrate to the new IKE_SA with the ike_reestablish event without having to worry about an ike_updown event for the old IKE_SA.
* Add ike_reestablish() event that is triggered when an IKE_SA is reestablished | Tobias Brunner | 2012-09-06 | 1 | -0/+1
| This is particularly useful during reauthentication to get the new IKE_SA.
* Add a new condition to mark IKE_SAs that are currently being reauthenticated | Tobias Brunner | 2012-09-06 | 1 | -9/+4
|
* Clear virtual IPs before storing assigned ones on the IKE_SA | Tobias Brunner | 2012-09-05 | 1 | -0/+18
| Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* Support multiple address pools configured on a peer_cfg | Martin Willi | 2012-08-30 | 1 | -4/+14
|
* Support multiple virtual IPs on peer_cfg and ike_sa classes | Martin Willi | 2012-08-30 | 1 | -45/+39
|
* Increase log verbosity when sending NAT keep-alives | Tobias Brunner | 2012-08-08 | 1 | -1/+1
|
* Replaced usages of CHARON_*_PORT with calls to get_port(). | Tobias Brunner | 2012-08-08 | 1 | -4/+7
|
* Use send_no_marker to send NAT keepalives. | Tobias Brunner | 2012-08-08 | 1 | -1/+1
|
* Make the UDP ports charon listens for packets on (and uses as source ports) configurable. | Tobias Brunner | 2012-08-08 | 1 | -4/+4
* Block XAuth transaction on established IKE_SAs, but allow Mode Config | Martin Willi | 2012-08-03 | 1 | -1/+0
|