aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev1/tasks
Commit message (Collapse)AuthorAgeFilesLines
* ikev1: Inverse check when applying received KE value during Quick Mode5.3.0rc1Martin Willi2015-03-241-1/+1
| | | | Fixes Quick Mode negotiation when PFS is in use.
* diffie-hellman: Add a bool return value to set_other_public_value()Martin Willi2015-03-231-2/+6
|
* encoding: Allow ke_payload_create_from_diffie_hellman() to failMartin Willi2015-03-231-4/+17
|
* ikev1: Make sure SPIs in an IKEv1 DELETE payload match the current SATobias Brunner2015-03-231-0/+39
| | | | | | | | | | | | | | | | | | | | OpenBSD's isakmpd uses the latest ISAKMP SA to delete other expired SAs. This caused strongSwan to delete e.g. a rekeyed SA even though isakmpd meant to delete the old one. What isakmpd does might not be standard compliant. As RFC 2408 puts it: Deletion which is concerned with an ISAKMP SA will contain a Protocol-Id of ISAKMP and the SPIs are the initiator and responder cookies from the ISAKMP Header. This could either be interpreted as "copy the SPIs from the ISAKMP header of the current message to the DELETE payload" (which is what strongSwan assumed, and the direction IKEv2 took it, by not sending SPIs for IKE), or as clarification that ISAKMP "cookies" are actually the SPIs meant to be put in the payload (but that any ISAKMP SA may be deleted).
* ikev1: Adopt virtual IPs on new IKE_SA during re-authenticationTobias Brunner2015-03-191-29/+83
| | | | | | | | | | | Some clients like iOS/Mac OS X don't do a mode config exchange on the new SA during re-authentication. If we don't adopt the previous virtual IP Quick Mode rekeying will later fail. If a client does do Mode Config we directly reassign the VIPs we migrated from the old SA, without querying the attributes framework. Fixes #807, #810.
* ikev1: Mark rekeyed CHILD_SAs as INSTALLEDTobias Brunner2015-03-191-0/+2
| | | | | Since we keep them around until they finally expire they otherwise would block IKE_SA rekeying/reauthentication.
* ikev1: Set protocol ID and SPIs in INITIAL-CONTACT notification payloadsTobias Brunner2015-03-061-2/+13
| | | | | | | The payload we sent before is not compliant with RFC 2407 and thus some peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error). Fixes #819.
* attribute-manager: Pass full IKE_SA to handler methodsMartin Willi2015-02-201-4/+2
|
* attribute-manager: Pass the full IKE_SA to provider methodsMartin Willi2015-02-201-5/+5
|
* attributes: Move the configuration attributes framework to libcharonMartin Willi2015-02-201-14/+13
|
* ike: Consistently log CHILD_SAs with their unique_id instead of their reqidMartin Willi2015-02-202-4/+5
|
* inactivity-job: Schedule job by CHILD_SA unique ID instead of reqidMartin Willi2015-02-201-6/+3
|
* child-sa: Replace reqid based marks by "unique" marksMartin Willi2015-02-202-2/+36
| | | | | | | | | | | As we now use the same reqid for multiple CHILD_SAs with the same selectors, having marks based on the reqid makes not that much sense anymore. Instead we use unique marks that use a custom identifier. This identifier is reused during rekeying, keeping the marks constant for any rule relying on it (for example installed by updown). This also simplifies handling of reqid allocation, as we do not have to query the marks that is not yet assigned for an unknown reqid.
* ikev1: Send INITIAL_CONTACT notify in Main ModeThomas Egerer2014-10-301-0/+28
| | | | | | | | | We currently send the notify in Main Mode only, as it is explicitly not allowed by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make that work, we'd need to handle that notify in Aggressive Mode, which could allow a MitM to inject such notifies and do some harm. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Add fragmentation support for Windows peersVolker Rümelin2014-10-101-12/+27
| | | | | | | | I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* ikev1: Fix handling of UNITY_LOAD_BALANCETobias Brunner2014-10-071-3/+3
| | | | | The re-authentication is now handled within the original IKE_SA if it has not yet been established, so we don't want to destroy it.
* ikev1: Make sure proposed IPsec mode matches our ownTobias Brunner2014-09-091-1/+2
| | | | References #557.
* ikev1: Defer Mode Config push after CHILD adoption when using XAuthMartin Willi2014-08-254-6/+40
|
* ikev1: Defer Mode Config push after CHILD adoption and reauth detectionMartin Willi2014-08-252-10/+35
| | | | | | | | When an initiator starts reauthentication on a connection that uses push mode to assign a virtual IP, we can't execute the Mode Config before releasing the virtual IP. Otherwise we would request a new and different lease, which the client probably can't handle. Defer Mode Config execution, so the same IP gets first released then reassigned during reauthentication.
* ikev1: Accept Quick Mode DELETES while Quick Mode rekeying is activeMartin Willi2014-08-251-2/+21
| | | | | | | | | | If a peer immediately sends DELETE messages when completing Quick Mode rekeying, the third Quick Mode message and the DELETE are sent simultaneously. This implies that DELETE messages may arrive before the completing third Quick Mode message. Handle this case by ignoring the DELETE INFORMATIONAL in Quick Mode and let the delete task handle it.
* ikev1: Allow late connection switching based on XAuth usernameTobias Brunner2014-06-181-6/+0
|
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-171-0/+2
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ikev1: Invoke the assign_vips() bus hook for IKEv1 as wellMartin Willi2014-06-161-0/+4
|
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-161-5/+2
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-0413-68/+68
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev1: Fix debugging log when remote traffic selector selection failsMartin Willi2014-05-141-1/+1
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-123-4/+4
|
* ikev1: Fix config switching due to failed authentication during Aggressive modeTobias Brunner2014-02-121-3/+1
| | | | | | | The encoded ID payload gets destroyed by the authenticator, which caused a segmentation fault after the switch. Fixes #501.
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* ikev1: implement mode config push modeMartin Willi2013-09-044-68/+337
|
* xauth: add a configuration string option to be passed to XAuth instancesMartin Willi2013-09-031-1/+1
| | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-172-9/+19
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-211-2/+16
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-8/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-111-26/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Refactor check_for_rekeyed_child() in quick_mode taskMartin Willi2013-04-031-18/+24
|
* Reuse reqid of an existing Quick Mode, even if it has been rekeyedMartin Willi2013-04-031-1/+2
| | | | | | If two peers rekey Quick Modes at the same time, the original Quick Mode is in REKEYING state and hence the requid is not reused. This is required though, as two identical policies won't work if they have different requids.
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-192-2/+16
| | | | certain time frame
* Added xauth-noauth pluginTobias Brunner2013-03-191-29/+37
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-2/+2
| | | | packets
* As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-211-2/+2
|
* Merge branch 'ikev1-fragmentation'Tobias Brunner2013-01-121-5/+44
|\ | | | | | | | | | | | | This adds support for the proprietary IKEv1 fragmentation extension. Conflicts: NEWS
| * Properly detect fragmentation capabilitiesTobias Brunner2013-01-121-3/+27
| | | | | | | | Cisco sends 0xc0000000 so we check that part of the VID separately.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 00:45:18 +0000