aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0Martin Willi2013-03-111-0/+4
|
* Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| |
| * Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| |
| * Refactor auth_cfg applying to a common functionMartin Willi2013-02-261-20/+17
| |
* | Merge branch 'ikev1-rekeying'Martin Willi2013-03-011-0/+21
|\ \ | | | | | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| |/
* | Merge branch 'opaque-ports'Martin Willi2013-03-011-2/+2
|\ \ | | | | | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-211-2/+2
| | |
* | | Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
| | |
* | | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-014-45/+55
|\ \ \ | | | | | | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | | Move initial message dropping to task managerMartin Willi2013-02-253-19/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
| * | | Use INIT macro to initialize IKE_SA manager entriesMartin Willi2013-02-251-17/+6
| | |/ | |/|
* | | Merge branch 'tfc-notify'Martin Willi2013-03-011-0/+9
|\ \ \ | | | | | | | | | | | | | | | | Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * | | Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
| | |/ | |/|
* | | Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACTTobias Brunner2013-02-281-0/+1
| |/ |/| | | | | | | In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* | Add a global return_success() method implementationMartin Willi2013-02-141-8/+2
| |
* | Merge branch 'ike-dscp'Martin Willi2013-02-141-1/+26
|\ \
| * | Set configured DSCP value while generating IKE packetsMartin Willi2013-02-061-1/+26
| |/
* / make TNC client authentication type available to IMVsAndreas Steffen2013-02-121-0/+57
|/
* Fix check-in of IKE_SA when IKE_SA_INIT fails and hash table is enabledTobias Brunner2013-01-241-2/+13
| | | | | | | Setting the responder SPI to 0 can only be done while generating the response, otherwise we'd fail to check in the IKE_SA again in case the hash table is enabled. That's because we use the responder SPI as hash value since 5.0.0.
* Avoid a deadlock when installing a trap policy failedTobias Brunner2013-01-231-1/+5
|
* Fix IKE SA inherit API docAdrian-Ken Rueegsegger2013-01-221-2/+1
|
* Properly send IKEv1 packets if no ike_cfg is known yetTobias Brunner2013-01-141-2/+5
| | | | This applies for error notifies.
* Merge branch 'ikev1-fragmentation'Tobias Brunner2013-01-125-25/+406
|\ | | | | | | | | | | | | This adds support for the proprietary IKEv1 fragmentation extension. Conflicts: NEWS
| * Added an option to configure the maximum size of a fragmentTobias Brunner2013-01-121-3/+10
| |
| * Properly detect fragmentation capabilitiesTobias Brunner2013-01-121-3/+27
| | | | | | | | Cisco sends 0xc0000000 so we check that part of the VID separately.
| * Added an option that allows to force IKEv1 fragmentationTobias Brunner2013-01-122-3/+6
| |
| * Use a connection specific option to en-/disable IKEv1 fragmentationTobias Brunner2012-12-242-10/+7
| |
| * Include source port in init hash for fragmented messagesTobias Brunner2012-12-241-1/+8
| |
| * Add an option to en-/disable IKE fragmentationTobias Brunner2012-12-242-5/+20
| | | | | | | | | | Fragments are always accepted but will not be sent if disabled. The vendor ID is only sent if the option is enabled.
| * Split larger messages into fragments if IKE fragmentation is supported by peerTobias Brunner2012-12-241-14/+114
| |
| * Log added NAT-T vendor IDsTobias Brunner2012-12-241-0/+1
| |
| * Detect a peer's support for IKE fragmentationTobias Brunner2012-12-242-0/+9
| | | | | | | | Fragments are accepted even if this vendor ID is not seen.
| * Map fragmented initial initial Main or Aggressive Mode messages to the same ↵Tobias Brunner2012-12-241-1/+17
| | | | | | | | IKE_SA
| * Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain ↵Tobias Brunner2012-12-241-1/+2
| | | | | | | | | | | | | | fragments Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges.
| * Don't handle fragmented messages larger than charon.max_packetTobias Brunner2012-12-241-4/+39
| |
| * Don't update an IKE_SA-entry's cached message ID when handling fragmentsTobias Brunner2012-12-241-1/+4
| |
| * Store inbound IKE fragments and reassemble the message when all fragments ↵Tobias Brunner2012-12-241-3/+166
| | | | | | | | are received
* | Streamline debug output when receiving intermediate CA certificates in IKEv1Martin Willi2013-01-111-1/+1
| |
* | Refactored IKEv2 cert/certreq payload processing to multiple functionsMartin Willi2013-01-111-112/+141
| |
* | Refactored IKEv1 cert payload processing to multiple functionsMartin Willi2013-01-111-73/+102
| |
* | IKEv1 support for PKCS#7 wrapped certificatesVolker Rümelin2013-01-111-0/+70
| |
* | Fixed some typos in commentsVolker Rümelin2013-01-111-1/+1
|/
* Add parantheses to avoid compiler warningMartin Willi2012-12-241-1/+1
|
* Fixed some typos, courtesy of codespellTobias Brunner2012-12-203-3/+3
|
* Raise an alert if IKE SA is keptAdrian-Ken Rueegsegger2012-12-201-0/+1
| | | | | This alert is raised when the establishment of a child SA fails but the IKE SA is kept.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 14:32:44 +0000