aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ike_sa.c
Commit message (Collapse)AuthorAgeFilesLines
* ikev2: Migrate MOBIKE additional peer addresses to new SA after IKE_SA rekeyingMartin Willi2015-03-181-0/+6
|
* bus: Add an ike_update() hook invoked when peer endpoints changeMartin Willi2015-02-201-0/+2
|
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-201-1/+1
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-201-3/+1
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-3/+4
|
* ike: Maintain per-IKE_SA CHILD_SAs in the global CHILD_SA managerMartin Willi2015-02-201-7/+58
|
* ike: Do remote address updates also when behind static NATsTobias Brunner2014-10-131-4/+7
| | | | | | | | We assume that a responder is behind a static NAT (e.g. port forwarding) and allow remote address updates in such situations. The problem described in RFC 5996 is only an issue if the NAT mapping can expire.
* ikev1: Add fragmentation support for Windows peersVolker Rümelin2014-10-101-0/+30
| | | | | | | | I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* ike: IKE_SA may fragment IKEv2 messagesTobias Brunner2014-10-101-1/+1
|
* ike: Move fragmentation to ike_sa_tTobias Brunner2014-10-101-1/+64
| | | | | | | | | The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
* ikev2: Skip peer addresses we can't send packets to when looking for valid pathsTobias Brunner2014-09-121-0/+18
|
* ike: Reset IKE_SA in state CONNECTING instead of reauthenticatingTobias Brunner2014-09-091-0/+8
| | | | | | | | Due to how reauthentication works for IKEv1 we could get a second IKE_SA, which might cause problems, when connectivity problems arise when the connection is initially established. Fixes #670.
* bus: Add ike_reestablish_pre hook, called before DNS resolutionTobias Brunner2014-07-221-1/+5
| | | | | The old hook is renamed to ike_reestablish_post and is now also called when the initiation of the new IKE_SA failed.
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-171-0/+1
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ike: Create an enumerator for (un-)handled configuration attributes on IKE_SAMartin Willi2014-06-161-0/+21
|
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-161-2/+5
|
* ikev2: Apply extensions and conditions before starting rekeyingMartin Willi2014-04-171-0/+6
| | | | | | The extensions and conditions apply to the rekeyed IKE_SA as well, so we should migrate them. Especially when using algorithms from private space, we need EXT_STRONGSWAN to properly select these algorithms during IKE rekeying.
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeyingMartin Willi2014-04-171-2/+14
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-121-3/+3
|
* ike: Simplify error handling if name resolution failedTobias Brunner2014-01-231-16/+3
| | | | | | | This avoids a second name resolution attempt just to determine if %any etc. was configured. Fixes #440.
* ike: Use proper hostname(s) when name resolution failedTobias Brunner2014-01-231-1/+1
| | | | | | Was wrong since 0edce687675df8f10f4026fa12a8fc3b3dd003f5. Fixes #440.
* ike_sa: Defer task manager destruction after child destructionThomas Egerer2014-01-161-1/+5
| | | | | | | | | | This patch exports the task manager's flush to allow flushing of all queues with one function call from ike_sa->destroy. It allows the access of intact children during task destructoin (see git-commit e44ebdcf) and allows the access of the task manager in child_state_change hook. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeyingMartin Willi2013-11-011-0/+8
| | | | | | | Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which is perfectly valid. For short(er) DPD delays, this leads to the situation where we send a DPD request during set_state(), but the IKE_SA has no hosts set yet. Avoid that DPD by resetting the INBOUND timestamp during set_state().
* ike-sa: Resolve hosts before reestablishing an IKE_SATobias Brunner2013-09-231-0/+2
|
* ike-cfg: remove the to be obsoleted allow any parameter in get_my/other_addrMartin Willi2013-09-041-1/+1
|
* ike-sa: use ike_cfg resolver functionsMartin Willi2013-09-041-16/+12
|
* ike: Fix reestablishing SAs if no child-creating tasks are queuedTobias Brunner2013-07-181-2/+5
|
* ike-sa: uninstall CHILD_SAs before removing virtual IPsMartin Willi2013-07-181-1/+8
| | | | | | a3854d83 changed cleanup order. But we should remove CHILD_SAs first, as routes for CHILD_SAs might get deleted while removing virtual IPs, resulting in an error when a CHILD_SA tries to uninstall its route.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-171-1/+39
|
* ike-sa: use arrays instead of linked lists in long lived collectionsMartin Willi2013-07-171-116/+98
| | | | This saves about 1.5KB of memory per IKE_SA.
* ike: Resolve hosts only for address families currently supportedTobias Brunner2013-07-051-3/+16
|
* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restartTobias Brunner2013-07-011-1/+2
|
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-011-1/+2
|
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
* Don't unset IKE_SA on bus before we released virtual IPs and attributesMartin Willi2013-05-061-10/+8
|
* emit a single assig_vips bus message for all VIPsAndreas Steffen2013-04-061-6/+8
|
* ifmap plugin subscribes to assing_vip bus signalAndreas Steffen2013-04-061-0/+6
|
* Raise an alert if an IKE_SA could not have been reauthenticated and expiresMartin Willi2013-03-141-0/+4
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-1/+1
| | | | packets
* Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
|
* Move initial message dropping to task managerMartin Willi2013-02-251-18/+0
| | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
* Set configured DSCP value while generating IKE packetsMartin Willi2013-02-061-1/+26
|
* Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain ↵Tobias Brunner2012-12-241-1/+2
| | | | | | | fragments Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges.
* Inherit virtual IP and attributes from old to new, not from new to oldMartin Willi2012-12-101-5/+5
|
* Don't wait while removing external IPs used for load testingMartin Willi2012-11-291-2/+3
|
* Install virtual IPs via interface name, and use an interface lookup where ↵Martin Willi2012-11-291-5/+16
| | | | required
* Add an optional kernel-interface parameter to install IPs with a custom prefixMartin Willi2012-11-291-4/+4
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-241-1/+1
|
* Added a new alert that is raised if peer does not respond to initial IKE messageTobias Brunner2012-10-161-0/+2
|
* IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabledTobias Brunner2012-09-251-1/+4
| | | | Fixes #229.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-15 03:01:17 +0000