aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev1
Commit message (Collapse)AuthorAgeFilesLines
* ikev1: Add fragmentation support for Windows peersVolker Rümelin2014-10-101-12/+27
| | | | | | | | I still think ipsec/l2tp with fragmentation support is a useful fallback option in case the Windows IKEv2 connection fails because of fragmentation problems. Tested with Windows XP, 7 and 8.1.
* ikev1: Move defragmentation to message_tTobias Brunner2014-10-101-167/+16
|
* ike: Move fragmentation to ike_sa_tTobias Brunner2014-10-101-55/+6
| | | | | | | | | The message() hook on bus_t is now called exactly once before (plain) and once after fragmenting (!plain), not twice for the complete message and again for each individual fragment, as was the case in earlier iterations. For inbound messages the hook is called once for each fragment (!plain) and twice for the reassembled message.
* message: fragment() generates message and fragments and caches themTobias Brunner2014-10-101-31/+11
|
* ikev1: Move fragment generation to message_tTobias Brunner2014-10-101-132/+118
|
* ikev1: Fix handling of UNITY_LOAD_BALANCETobias Brunner2014-10-071-3/+3
| | | | | The re-authentication is now handled within the original IKE_SA if it has not yet been established, so we don't want to destroy it.
* ikev1: Don't queue more than one mode config or XAuth taskTobias Brunner2014-10-071-7/+22
| | | | | | | | At the time we reset an IKE_SA (e.g. when re-authenticating a not yet established SA due to a roaming event) such tasks might already be queued by one of the phase 1 tasks. If the SA is initiated again another task will get queued by the phase 1 task. This results in e.g. multiple mode config requests, which most gateways will have problems with.
* ikev1: Be more verbose if a peer config would match, but is unusable for ModeMartin Willi2014-09-251-0/+12
|
* ikev1: Make sure proposed IPsec mode matches our ownTobias Brunner2014-09-091-1/+2
| | | | References #557.
* ikev1: Defer Mode Config push after CHILD adoption when using XAuthMartin Willi2014-08-254-6/+40
|
* ikev1: Defer Mode Config push after CHILD adoption and reauth detectionMartin Willi2014-08-252-10/+35
| | | | | | | | When an initiator starts reauthentication on a connection that uses push mode to assign a virtual IP, we can't execute the Mode Config before releasing the virtual IP. Otherwise we would request a new and different lease, which the client probably can't handle. Defer Mode Config execution, so the same IP gets first released then reassigned during reauthentication.
* ikev1: Accept Quick Mode DELETES while Quick Mode rekeying is activeMartin Willi2014-08-251-2/+21
| | | | | | | | | | If a peer immediately sends DELETE messages when completing Quick Mode rekeying, the third Quick Mode message and the DELETE are sent simultaneously. This implies that DELETE messages may arrive before the completing third Quick Mode message. Handle this case by ignoring the DELETE INFORMATIONAL in Quick Mode and let the delete task handle it.
* ikev1: Allow late connection switching based on XAuth usernameTobias Brunner2014-06-181-6/+0
|
* bus: Add a handle_vips() hook invoked after handling configuration attributesMartin Willi2014-06-171-0/+2
| | | | | | | | | Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet.
* ikev1: Invoke the assign_vips() bus hook for IKEv1 as wellMartin Willi2014-06-161-0/+4
|
* ike: Store unhandled attributes on IKE_SA as wellMartin Willi2014-06-161-5/+2
|
* payload: Use common prefixes for all payload type identifiersMartin Willi2014-06-0418-84/+84
| | | | | The old identifiers did not use a proper namespace and often clashed with other defines.
* ikev1: Fix debugging log when remote traffic selector selection failsMartin Willi2014-05-141-1/+1
|
* libcharon: Use lib->ns instead of charon->nameTobias Brunner2014-02-124-10/+10
|
* ikev1: Fix config switching due to failed authentication during Aggressive modeTobias Brunner2014-02-121-3/+1
| | | | | | | The encoded ID payload gets destroyed by the authenticator, which caused a segmentation fault after the switch. Fixes #501.
* ike_sa: Defer task manager destruction after child destructionThomas Egerer2014-01-161-4/+3
| | | | | | | | | | This patch exports the task manager's flush to allow flushing of all queues with one function call from ike_sa->destroy. It allows the access of intact children during task destructoin (see git-commit e44ebdcf) and allows the access of the task manager in child_state_change hook. Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* ikev1: Properly initialize list of fragments in case fragment ID is 0Volker Rümelin2013-10-311-1/+1
| | | | Fixes CVE-2013-6076.
* iv_gen: aead_t implementations provide an IV generatorTobias Brunner2013-10-111-0/+8
|
* ikev1: Delete quick modes with the negotiated SA protocolMartin Willi2013-10-111-1/+1
|
* ikev1: Negotiate SPI with the first/negotiated proposal protocolMartin Willi2013-10-111-3/+18
|
* ikev1: Fix double free when searching for redundant CHILD_SAsTobias Brunner2013-09-131-1/+1
| | | | Fixes #411.
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* ikev1: implement mode config push modeMartin Willi2013-09-045-76/+363
|
* xauth: add a configuration string option to be passed to XAuth instancesMartin Willi2013-09-031-1/+1
| | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* ikev1: Fix calculation of the number of fragmentsTobias Brunner2013-08-151-1/+1
| | | | The old code resulted in too few fragments in some cases.
* ikev1: When sending fragments, use ports to decide if a non-ESP marker is addedTobias Brunner2013-08-151-6/+8
| | | | | This is same same logic used by sender and might apply in some cases (e.g. when initiating to port 4500).
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-171-0/+34
|
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-173-27/+37
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-211-2/+16
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-8/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-111-26/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Refactor check_for_rekeyed_child() in quick_mode taskMartin Willi2013-04-031-18/+24
|
* Reuse reqid of an existing Quick Mode, even if it has been rekeyedMartin Willi2013-04-031-1/+2
| | | | | | If two peers rekey Quick Modes at the same time, the original Quick Mode is in REKEYING state and hence the requid is not reused. This is required though, as two identical policies won't work if they have different requids.
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-251-1/+1
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-192-2/+16
| | | | certain time frame
* Added xauth-noauth pluginTobias Brunner2013-03-191-29/+37
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-2/+2
| | | | packets
* Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
|
* Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-03 12:45:28 +0000