aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa/ikev2
Commit message (Collapse)AuthorAgeFilesLines
...
* Raise an ALERT_PROPOSAL_MISMATCH_IKE also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* emit a single assig_vips bus message for all VIPsAndreas Steffen2013-04-061-0/+2
|
* Defer CHILD_SA rekeying if allocating an SPI failsMartin Willi2013-04-032-12/+26
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-141-2/+2
| | | | packets
* Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0Martin Willi2013-03-111-0/+4
|
* Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| |
| * Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| |
| * Refactor auth_cfg applying to a common functionMartin Willi2013-02-261-20/+17
| |
* | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-011-0/+12
|\ \ | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | Move initial message dropping to task managerMartin Willi2013-02-251-0/+12
| |/ | | | | | | | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
* | Merge branch 'tfc-notify'Martin Willi2013-03-011-0/+9
|\ \ | |/ |/| | | | | Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
| |
* | Add a global return_success() method implementationMartin Willi2013-02-141-8/+2
|/
* Fix check-in of IKE_SA when IKE_SA_INIT fails and hash table is enabledTobias Brunner2013-01-241-2/+13
| | | | | | | Setting the responder SPI to 0 can only be done while generating the response, otherwise we'd fail to check in the IKE_SA again in case the hash table is enabled. That's because we use the responder SPI as hash value since 5.0.0.
* Refactored IKEv2 cert/certreq payload processing to multiple functionsMartin Willi2013-01-111-112/+141
|
* Fixed some typos, courtesy of codespellTobias Brunner2012-12-202-2/+2
|
* Raise an alert if IKE SA is keptAdrian-Ken Rueegsegger2012-12-201-0/+1
| | | | | This alert is raised when the establishment of a child SA fails but the IKE SA is kept.
* Raise an alert if allocating virtual IPs failsMartin Willi2012-12-191-0/+2
|
* Raise an alert if kernel policy installation failsMartin Willi2012-12-191-0/+2
|
* Raise an alert if kernel SA installation failsMartin Willi2012-12-191-0/+2
|
* Raise an alert on traffic selector mismatchMartin Willi2012-12-191-0/+2
|
* Raise alerts when enforcing IKE_SA unique policyMartin Willi2012-12-191-0/+1
|
* Raise an alert if CHILD_SA proposals mismatchMartin Willi2012-12-191-0/+2
|
* Raise an alert if IKE proposals mismatchMartin Willi2012-12-191-0/+5
|
* Raise an alert of generating local authentication data failsMartin Willi2012-12-191-6/+10
|
* Fix GPL license header to properly "sed" itMartin Willi2012-11-301-1/+1
|
* Add alerts for sent/received message retransmissions and timeoutMartin Willi2012-11-291-0/+5
|
* Moved data structures to new collections subfolderTobias Brunner2012-10-242-2/+2
|
* Moved packet_t and tun_device_t to networking folderTobias Brunner2012-10-241-1/+1
|
* Raise a bus alert when IKE message body parsing failsMartin Willi2012-10-241-0/+2
|
* Respect IKE version while selecting an ike_cfg as responderMartin Willi2012-10-241-1/+2
|
* Ensure UNSUPPORTED_CRITICAL_PAYLOAD notify contains correct payload typeTobias Brunner2012-09-281-0/+1
|
* Made IP address enumeration more flexibleTobias Brunner2012-09-213-3/+3
| | | | Also added an option to enumerate addresses on ignored interfaces.
* Don't ignore loopback devices and allow addresses on them being enumeratedTobias Brunner2012-09-213-3/+3
|
* Derive a dynamic TS to multiple virtual IPsMartin Willi2012-09-181-39/+61
|
* Add AUTH_RULE_IDENTITY_LOOSE which allows to use IDr loosely as initiatorTobias Brunner2012-09-181-1/+2
| | | | | | If it is set on an auth config IDr will not be sent, and later the configured identity will not only be checked against the returned IDr, but also against other identities contained in the responder's certificate.
* Don't use host address for dynamic TS in IKEv2 if a virtual IP was expectedMartin Willi2012-09-111-1/+33
|
* Send FAILED_CP_REQUIRED if a configuration payload was expected, but not ↵Martin Willi2012-09-111-0/+9
| | | | received
* Pass the full list of pools to acquire_address, enumerate in providersMartin Willi2012-09-111-20/+6
| | | | | | | | If the provider has access to the full pool list, it can enumerate them twice, for example to search for existing leases first, and only search for new leases in a second step. Fixes lease enumeration in attr-sql using multiple pools.
* Add a responder narrow() hook to change TS in the kernel, but not on the wireMartin Willi2012-09-111-1/+26
|
* Add uniqueids=never to ignore INITIAL_CONTACT notifiesTobias Brunner2012-09-101-1/+2
| | | | | | With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.
* Trigger ike_updown event caused by retransmits only after reestablish() has ↵Tobias Brunner2012-09-061-5/+0
| | | | | | | | been called This allows listeners to migrate to the new IKE_SA with the ike_reestablish event without having to worry about an ike_updown event for the old IKE_SA.
* Clear virtual IPs before storing assigned ones on the IKE_SATobias Brunner2012-09-051-0/+4
| | | | | Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* Merge branch 'multi-vip'Martin Willi2012-08-313-88/+159
|\ | | | | | | | | | | | | Brings support for multiple virtual IPs and multiple pools in left/rigthsourceip definitions. Also introduces the new left/rightdns options to configure requested DNS server address family and respond with multiple connection specific servers.
| * Request and acquire multiple virtual IPs in IKEv2 configuration payloadMartin Willi2012-08-301-49/+67
| |
| * Pass all configured pool names to attribute provider enumeratorMartin Willi2012-08-301-2/+9
| |
| * Pass a list instead of a single virtual IP to attribute enumeratorsMartin Willi2012-08-301-11/+36
| |
| * Support multiple address pools configured on a peer_cfgMartin Willi2012-08-301-3/+11
| |
| * Support multiple virtual IPs on peer_cfg and ike_sa classesMartin Willi2012-08-303-55/+68
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-07 16:59:49 +0000