path: root/src/libcharon/sa/ike_sa.h
Commit message (Author, Age, Files, Lines)
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2017-11-15, 1 file, -1/+1)
* ike: Reset local SPI if retrying to connect in state IKE_CONNECTING (Tobias Brunner, 2017-09-04, 1 file, -3/+5)
  In case we send retransmits for an IKE_SA_INIT where we propose a DH group the responder will reject we might later receive delayed responses that either contain INVALID_KE_PAYLOAD notifies with the group we already use or, if we retransmitted an IKE_SA_INIT with the requested group but then had to restart again, a KE payload with a group different from the one we proposed. So far we didn't change the initiator SPI when restarting the connection, i.e. these delayed responses were processed and might have caused fatal errors due to a failed DH negotiation or because of the internal retry counter in the ike-init task. Changing the initiator SPI avoids that as we won't process the delayed responses anymore that caused this confusion.
* ikev2: Negotiate support for IKE message ID synchronisation during IKE_AUTH (Tobias Brunner, 2017-02-08, 1 file, -0/+5)
* ike: Publish getter for the current message ID on IKE_SA (Tobias Brunner, 2017-02-08, 1 file, -1/+12)
* ikev2: Add possibility to delay initiation of a queued task (Tobias Brunner, 2016-06-17, 1 file, -2/+11)
  Such a task is not initiated unless a certain time has passed. This allows delaying certain tasks but avoids problems if we'd do this via a scheduled job (e.g. if the IKE_SA is rekeyed in the meantime). If the IKE_SA is rekeyed the delay of such tasks is reset when the tasks are adopted, i.e. they get executed immediately on the new IKE_SA. This hasn't been implemented for IKEv1 yet.
* ike: Reduce RETRY_INTERVAL a bit (Tobias Brunner, 2016-06-17, 1 file, -2/+2)
  Retry exchanges between 5 and 15 seconds after a temporary failure.
* ikev2: Add a new state to track rekeyed IKE_SAs (Tobias Brunner, 2016-06-17, 1 file, -0/+5)
  This makes handling such IKE_SAs more specific compared to keeping them in state IKE_CONNECTING or IKE_ESTABLISHED (which we did when we lost a collision - even triggering the ike_updown event), or using IKE_REKEYING for them, which would also be ambiguous. For instance, we can now reject anything but DELETES for such SAs.
* Use standard unsigned integer types (Andreas Steffen, 2016-03-24, 1 file, -13/+13)
* ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA (Tobias Brunner, 2016-03-10, 1 file, -0/+5)
* ike-sa: Add method to verify certificates in completed authentication rounds (Tobias Brunner, 2016-03-10, 1 file, -0/+8)
* ike-sa: Add limit for the number of redirects within a defined time period (Tobias Brunner, 2016-03-04, 1 file, -0/+10)
* ike-sa: Add redirect() method to actively redirect an IKE_SA (Tobias Brunner, 2016-03-04, 1 file, -0/+9)
* ike-sa: Add a condition to mark redirected IKE_SAs (Tobias Brunner, 2016-03-04, 1 file, -0/+5)
* ike-sa: Keep track of the address of the gateway that redirected us (Tobias Brunner, 2016-03-04, 1 file, -0/+7)
* ikev2: Handle REDIRECT notifies during IKE_SA_INIT (Tobias Brunner, 2016-03-04, 1 file, -0/+10)
* ike-sa: Add new extension for IKEv2 redirection (RFC 5685) (Tobias Brunner, 2016-03-04, 1 file, -1/+6)
* ike: Keep track of send keepalive jobs to avoid scheduling more than one per IKE_SA (Tobias Brunner, 2016-03-03, 1 file, -1/+3)
* ikev2: Enable signature authentication by transmitting supported hash algorithms (Tobias Brunner, 2015-03-04, 1 file, -0/+5)
* ikev2: Trigger make-before-break reauthentication instead of reauth task (Martin Willi, 2015-02-20, 1 file, -2/+3)
* ikev1: Add fragmentation support for Windows peers (Volker Rümelin, 2014-10-10, 1 file, -1/+1)
  I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* ikev2: Negotiate support for IKEv2 fragmentation (Tobias Brunner, 2014-10-10, 1 file, -1/+1)
* ike: Move fragmentation to ike_sa_t (Tobias Brunner, 2014-10-10, 1 file, -6/+24)
  The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
* ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA (Martin Willi, 2014-06-16, 1 file, -0/+11)
* ike: Store unhandled attributes on IKE_SA as well (Martin Willi, 2014-06-16, 1 file, -0/+3)
* ikev2: Add inherit_pre() to apply config and hosts before IKE_SA rekeying (Martin Willi, 2014-04-17, 1 file, -1/+11)
* Fix various API doc issues and typos (Tobias Brunner, 2013-07-18, 1 file, -7/+5)
  Partially based on an old patch by Adrian-Ken Rueegsegger.
* Fix IKE SA inherit API doc (Adrian-Ken Rueegsegger, 2013-01-22, 1 file, -2/+1)
* Detect a peer's support for IKE fragmentation (Tobias Brunner, 2012-12-24, 1 file, -0/+5)
  Fragments are accepted even if this vendor ID is not seen.
* Add support for draft-ietf-ipsec-nat-t-ike-03 and earlier (Volker Rümelin, 2012-12-19, 1 file, -0/+7)
  This adds support for early versions of the draft that eventually resulted in RFC 3947.
* Moved packet_t and tun_device_t to networking folder (Tobias Brunner, 2012-10-24, 1 file, -1/+1)
* Add a new condition to mark IKE_SAs that are currently being reauthenticated (Tobias Brunner, 2012-09-06, 1 file, -0/+5)
* Clear virtual IPs before storing assigned ones on the IKE_SA (Tobias Brunner, 2012-09-05, 1 file, -0/+7)
  Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* Support multiple virtual IPs on peer_cfg and ike_sa classes (Martin Willi, 2012-08-30, 1 file, -5/+5)
* Moved packet_t to libstrongswan (Tobias Brunner, 2012-08-08, 1 file, -0/+1)
* support Cisco Unity VID (Andreas Steffen, 2012-06-25, 1 file, -0/+5)
* Avoid queueing more than one retry initiate job. (Tobias Brunner, 2012-05-30, 1 file, -0/+9)
* Wrap task manager's flush_queue() in IKE_SA (Martin Willi, 2012-05-21, 1 file, -0/+7)
* Merge branch 'ikev1-clean' into ikev1-master (Martin Willi, 2012-03-20, 1 file, -6/+52)
  Conflicts:
    configure.in
    man/ipsec.conf.5.in
    src/libcharon/daemon.c
    src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
    src/libcharon/plugins/eap_radius/eap_radius_accounting.c
    src/libcharon/plugins/eap_radius/eap_radius_forward.c
    src/libcharon/plugins/farp/farp_listener.c
    src/libcharon/sa/ike_sa.c
    src/libcharon/sa/keymat.c
    src/libcharon/sa/task_manager.c
    src/libcharon/sa/trap_manager.c
    src/libstrongswan/plugins/x509/x509_cert.c
    src/libstrongswan/utils.h
  Applied lost changes of moved files keymat.c and task_manager.c.
  Updated listener_t.message hook signature in new plugins.
| * Disable DPD checking for peers not supporting it (Martin Willi, 2012-03-20, 1 file, -0/+5)
| * Set a condition flag if peer has been authenticated using XAuth (Martin Willi, 2012-03-20, 1 file, -0/+5)
| * Do not query CHILD_SA during delete if they already expired (Martin Willi, 2012-03-20, 1 file, -1/+3)
| * Separated libcharon/sa directory with ikev1 and ikev2 subfolders (Martin Willi, 2012-03-20, 1 file, -1/+1)
| * Remove executable flag from source code files (Martin Willi, 2012-03-20, 1 file, -0/+0)
| * Replace xauth_request task with a new stub where we reimplement it (Martin Willi, 2012-03-20, 1 file, -5/+8)
| * Handling of initial contact (Clavister OpenSource, 2012-03-20, 1 file, -0/+5)
| * IKEv1 XAuth: Adding "initiate" flag parameter to the initiate_xauth method, signalling whether or not to call the task_manager->initiate method after queueing the task. (Clavister OpenSource, 2012-03-20, 1 file, -1/+1)
| * Handle IKEv1 NAT-T vendor ID payload (only RFC 3947 for now). (Tobias Brunner, 2012-03-20, 1 file, -1/+1)
| * IKEv1 XAuth: Add "initiate xauth" method, which adds the xauth task into the queue for initiation. (Clavister OpenSource, 2012-03-20, 1 file, -0/+5)
| * Added ike_sa_t.set_statistic to set timestamps from task manager. (Tobias Brunner, 2012-03-20, 1 file, -0/+8)
| * Revert "IKEv1 XAuth: Temporarily add an "initiate_later" flag to the task manager. When set to TRUE it will cause "initiate" to be called when the current process_response call is finished. This change should be reverted once we have a better method in place." (Clavister OpenSource, 2012-03-20, 1 file, -5/+0)
|   This reverts commit c6c28f4ac522dd8afb457847bca79eee77f78706.
|
|   Revert "IKEv1 XAuth: Added temporary "initiate_xauth" public method to ike_sa_t. This allows us to initiate an XAuth password authentication exchange after responding to the final message of Main Mode. This change should be reverted once we have a better method to initiate this exchange."
|   This reverts commit 5529dc50477e25df9dd5f3c442bb1521c0baf225.