aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev1
Commit message (Collapse)AuthorAgeFilesLines
...
* ikev1: Fix double free when searching for redundant CHILD_SAsTobias Brunner2013-09-131-1/+1
| | | | Fixes #411.
* ikev1: For PFS prefer DH group from IKE_SA over first configuredThomas Egerer2013-09-101-18/+54
| | | | | | | | | | If PFS is configured for a CHILD_SA first try to create a list of proposals with using DH group negotiated during phase 1. If the resulting list is empty (i.e. the DH group(s) configured for PFS differ from the one(s) configured for the IKE_SA), fall back to the first configured DH group from the CHILD_SA. This modificiation is due to the fact that it is likely that the peer supports the same DH group for PFS it did already for the IKE_SA.
* ikev1: implement mode config push modeMartin Willi2013-09-045-76/+363
|
* xauth: add a configuration string option to be passed to XAuth instancesMartin Willi2013-09-031-1/+1
| | | | | | The configuration string is appended to the XAuth backend name, separated by a colon. The configuration string is passed untouched to the backend, where it can change the behavior of the XAuth module.
* ikev1: Fix calculation of the number of fragmentsTobias Brunner2013-08-151-1/+1
| | | | The old code resulted in too few fragments in some cases.
* ikev1: When sending fragments, use ports to decide if a non-ESP marker is addedTobias Brunner2013-08-151-6/+8
| | | | | This is same same logic used by sender and might apply in some cases (e.g. when initiating to port 4500).
* ikev1: Always send ID payloads (traffic selectors) during Quick ModeTobias Brunner2013-07-251-26/+4
| | | | | | | Especially Windows 7 has problems if the peer does not send ID payloads for host-to-host connections (tunnel and transport mode). Fixes #319.
* ikev1: Reestablish IKE_SA/CHILD_SAs if it gets deleted by the peerTobias Brunner2013-07-171-0/+5
| | | | | We call ike_sa_t.reestablish() so the IKE_SA is only recreated if any CHILD_SA requires it.
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-171-0/+34
|
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-173-27/+37
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-211-2/+16
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-111-8/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-111-26/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Refactor check_for_rekeyed_child() in quick_mode taskMartin Willi2013-04-031-18/+24
|
* Reuse reqid of an existing Quick Mode, even if it has been rekeyedMartin Willi2013-04-031-1/+2
| | | | | | If two peers rekey Quick Modes at the same time, the original Quick Mode is in REKEYING state and hence the requid is not reused. This is required though, as two identical policies won't work if they have different requids.
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-251-1/+1
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-192-2/+16
| | | | certain time frame
* Added xauth-noauth pluginTobias Brunner2013-03-191-29/+37
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-2/+2
| | | | packets
* Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
|
* Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* Merge branch 'opaque-ports'Martin Willi2013-03-011-2/+2
|\ | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-211-2/+2
| |
* | Move initial message dropping to task managerMartin Willi2013-02-251-1/+15
|/ | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
* Properly send IKEv1 packets if no ike_cfg is known yetTobias Brunner2013-01-141-2/+5
| | | | This applies for error notifies.
* Merge branch 'ikev1-fragmentation'Tobias Brunner2013-01-122-22/+371
|\ | | | | | | | | | | | | This adds support for the proprietary IKEv1 fragmentation extension. Conflicts: NEWS
| * Added an option to configure the maximum size of a fragmentTobias Brunner2013-01-121-3/+10
| |
| * Properly detect fragmentation capabilitiesTobias Brunner2013-01-121-3/+27
| | | | | | | | Cisco sends 0xc0000000 so we check that part of the VID separately.
| * Added an option that allows to force IKEv1 fragmentationTobias Brunner2013-01-122-3/+6
| |
| * Use a connection specific option to en-/disable IKEv1 fragmentationTobias Brunner2012-12-242-10/+7
| |
| * Add an option to en-/disable IKE fragmentationTobias Brunner2012-12-242-5/+20
| | | | | | | | | | Fragments are always accepted but will not be sent if disabled. The vendor ID is only sent if the option is enabled.
| * Split larger messages into fragments if IKE fragmentation is supported by peerTobias Brunner2012-12-241-14/+114
| |
| * Log added NAT-T vendor IDsTobias Brunner2012-12-241-0/+1
| |
| * Detect a peer's support for IKE fragmentationTobias Brunner2012-12-241-0/+4
| | | | | | | | Fragments are accepted even if this vendor ID is not seen.
| * Don't handle fragmented messages larger than charon.max_packetTobias Brunner2012-12-241-4/+39
| |
| * Store inbound IKE fragments and reassemble the message when all fragments ↵Tobias Brunner2012-12-241-3/+166
| | | | | | | | are received
* | Streamline debug output when receiving intermediate CA certificates in IKEv1Martin Willi2013-01-111-1/+1
| |
* | Refactored IKEv1 cert payload processing to multiple functionsMartin Willi2013-01-111-73/+102
| |
* | IKEv1 support for PKCS#7 wrapped certificatesVolker Rümelin2013-01-111-0/+70
| |
* | Fixed some typos in commentsVolker Rümelin2013-01-111-1/+1
|/
* Add parantheses to avoid compiler warningMartin Willi2012-12-241-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2012-12-201-1/+1
|
* Add support for draft-ietf-ipsec-nat-t-ike-03 and earlierVolker Rümelin2012-12-195-36/+204
| | | | | This adds support for early versions of the draft that eventually resulted in RFC 3947.
* Fix traffic selectors also as initiator in case of transport mode over NATTobias Brunner2012-12-131-1/+1
|
* Fix debug output if responder selected invalid traffic selectors during QMTobias Brunner2012-12-131-2/+2
|
* Add alerts for sent/received message retransmissions and timeoutMartin Willi2012-11-291-0/+3
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 13:03:29 +0000