The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.
Fixes #501.
If PFS is configured for a CHILD_SA first try to create a list of
proposals using the DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modification is due to the fact that it is likely that the peer
supports the same DH group for PFS it did already for the IKE_SA.
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).
Fixes #319.
We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.
When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.
Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.
This new flag gives the kernel-interface a hint on how it should prioritize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange initiator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
While this was problematic in earlier releases, it seems that it works just
fine the way we handle compression now. So there is no need to disable it over
NATed connections or when using forceencaps.
If two peers rekey Quick Modes at the same time, the original Quick Mode is
in REKEYING state and hence the reqid is not reused. This is required though,
as two identical policies won't work if they have different reqids.
certain time frame
This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange. This can be useful to fall back to basic
RSA authentication with clients that cannot be configured without XAuth
authentication.
packets
Cisco 5505 firewalls don't return the port if we send a specific one, causing
the is_contained_in() checks to fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.
Based on an initial patch from Paul Stewart.
This adds support for the proprietary IKEv1 fragmentation extension.
Conflicts:
NEWS
Cisco sends 0xc0000000 so we check that part of the VID separately.
Fragments are always accepted but will not be sent if disabled. The
vendor ID is only sent if the option is enabled.
Fragments are accepted even if this vendor ID is not seen.
This adds support for early versions of the draft that eventually
resulted in RFC 3947.
According to RFC 2409, section 5.5, if PFS is used all proposals MUST
include the selected DH group, so we remove proposals without the
proposed group and remove other DH groups from the remaining proposals.
Should not be a problem, but makes static analyzers happy.
Windows 7 sends its internal address as TSi. While we don't support the
NAT-T drafts as used by Windows XP, it is interesting to note that the
client there omits the TSi payload, which then would automatically get set
to the public IP address of the client.
Fixes #220.
If the provider has access to the full pool list, it can enumerate
them twice, for example to search for existing leases first, and
only search for new leases in a second step.
Fixes lease enumeration in attr-sql using multiple pools.
Otherwise we'll end up with duplicate or invalid VIPs stored on the
IKE_SA.