| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
| |
The encoded ID payload gets destroyed by the authenticator, which caused
a segmentation fault after the switch.
Fixes #501.
|
| |
|
|
|
|
|
|
|
|
| |
This patch exports the task manager's flush to allow flushing of all
queues with one function call from ike_sa->destroy. It allows the
access of intact children during task destructoin (see git-commit
e44ebdcf) and allows the access of the task manager in
child_state_change hook.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
Fixes CVE-2013-6076.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Fixes #411.
|
| |
|
|
|
|
|
|
|
|
| |
If PFS is configured for a CHILD_SA first try to create a list of
proposals with using DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modificiation is due to the fact that it is likely that the peer
supports the same DH group for PFS it did already for the IKE_SA.
|
| | |
|
| |
|
|
|
|
| |
The configuration string is appended to the XAuth backend name, separated by
a colon. The configuration string is passed untouched to the backend, where
it can change the behavior of the XAuth module.
|
| |
|
|
| |
The old code resulted in too few fragments in some cases.
|
| |
|
|
|
| |
This is same same logic used by sender and might apply in some cases (e.g.
when initiating to port 4500).
|
| |
|
|
|
|
|
| |
Especially Windows 7 has problems if the peer does not send ID payloads
for host-to-host connections (tunnel and transport mode).
Fixes #319.
|
| |
|
|
|
| |
We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any
CHILD_SA requires it.
|
| | |
|
| |
|
|
|
|
| |
When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and
closeaction has been set, we can now perform a restart or hold as is
currently done for IKEv2.
|
| |
|
|
|
| |
Not directly returning a linked list allows us to change the internals of
the CHILD_SA transparently.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
|
| |
|
|
| |
Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
|
| |
|
|
|
|
| |
While this was problematic in earlier releases, it seems that it works just
fine the way we handle compression now. So there is no need to disable it over
NATed connections or when using forceencaps.
|
| | |
|
| |
|
|
|
|
| |
If two peers rekey Quick Modes at the same time, the original Quick Mode is
in REKEYING state and hence the requid is not reused. This is required though,
as two identical policies won't work if they have different requids.
|
| | |
|
| |
|
|
| |
certain time frame
|
| |
|
|
|
|
|
|
| |
This XAuth backend does not do any authentication of client credentials
but simply sends a successful XAuth status to the client, thereby
concluding the XAuth exchange. This can be useful to fallback to basic
RSA authentication with clients that can not be configured without XAuth
authentication.
|
| | |
|
| |
|
|
| |
packets
|
| | |
|
| |
|
|
| |
Initial patch by Paul Stewart, fixes #289.
|
| |
|
|
|
|
|
|
| |
Cisco 5505 firewalls don't return the port if we send a specific one, letting
the is_contained_in() checks fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.
Based on an initial patch from Paul Stewart.
|
| |\
| |
| |
| |
| | |
Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.
|
| | | |
|
| |/
|
|
|
|
|
| |
When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.
Fixes #295.
|
| |
|
|
| |
This applies for error notifies.
|
| |\
| |
| |
| |
| |
| |
| | |
This adds support for the proprietary IKEv1 fragmentation extension.
Conflicts:
NEWS
|
| | | |
|
| | |
| |
| |
| | |
Cisco sends 0xc0000000 so we check that part of the VID separately.
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
Fragments are always accepted but will not be sent if disabled. The
vendor ID is only sent if the option is enabled.
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Fragments are accepted even if this vendor ID is not seen.
|
| | | |
|
| | |
| |
| |
| | |
are received
|
| | | |
|
| | | |
|
| | | |
|
