path: root/src/libcharon/sa
Commit message | Author | Age | Files | Lines
...
* Add ike_reestablish() event that is triggered when an IKE_SA is reestablished | Tobias Brunner | 2012-09-06 | 1 file | -0/+1
    This is particularly useful during reauthentication to get the new IKE_SA.
* Add a new condition to mark IKE_SAs that are currently being reauthenticated | Tobias Brunner | 2012-09-06 | 2 files | -9/+9
* Clear virtual IPs before storing assigned ones on the IKE_SA | Tobias Brunner | 2012-09-05 | 4 files | -0/+33
    Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* In mode_config, destroy temporary pool list instead of the virtual IP list twice | Martin Willi | 2012-09-05 | 1 file | -1/+1
* Merge branch 'multi-vip' | Martin Willi | 2012-08-31 | 14 files | -214/+429
    Brings support for multiple virtual IPs and multiple pools in left/rightsourceip definitions. Also introduces the new left/rightdns options to configure requested DNS server address family and respond with multiple connection specific servers.
  * Request and acquire multiple virtual IPs in IKEv1 Mode Config | Martin Willi | 2012-08-30 | 1 file | -47/+61
  * Request and acquire multiple virtual IPs in IKEv2 configuration payload | Martin Willi | 2012-08-30 | 1 file | -49/+67
  * Pass all configured pool names to attribute provider enumerator | Martin Willi | 2012-08-30 | 2 files | -4/+18
  * Pass a list instead of a single virtual IP to attribute enumerators | Martin Willi | 2012-08-30 | 2 files | -22/+71
  * Support multiple address pools configured on a peer_cfg | Martin Willi | 2012-08-30 | 8 files | -13/+70
  * Support multiple virtual IPs on peer_cfg and ike_sa classes | Martin Willi | 2012-08-30 | 14 files | -144/+207
* Merge branch 'eap-client-select' | Tobias Brunner | 2012-08-31 | 3 files | -10/+100
    This brings support for EAP-Nak payloads on the client (to select a specific or supported method), and the server (via the eap-dynamic plugin which selects a method supported/requested by the client).
  * Log the proper type for virtual EAP methods | Tobias Brunner | 2012-08-31 | 1 file | -1/+5
  * Encode EAP-Naks in expanded format if we got an expanded type request | Tobias Brunner | 2012-08-31 | 1 file | -2/+2
      Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format the previous check was insufficient.
  * Allow clients to request a configured EAP method via EAP-Nak | Tobias Brunner | 2012-08-31 | 1 file | -4/+24
  * Virtual EAP methods handle EAP-Naks themselves | Tobias Brunner | 2012-08-31 | 1 file | -5/+17
  * Send EAP-Nak with supported types if requested type is unsupported | Tobias Brunner | 2012-08-31 | 1 file | -2/+4
  * Filter invalid EAP authentication types when enumerating them | Tobias Brunner | 2012-08-31 | 2 files | -1/+10
      Valid authentication types defined by the IETF are 4-253 and 255.
  * Added a method to enumerate registered EAP methods | Tobias Brunner | 2012-08-21 | 2 files | -0/+43
* Fall back to local address as IKEv1 identity if nothing else is configured | Tobias Brunner | 2012-08-24 | 1 file | -2/+14
* Remove the unused second IKE_SA entry match function argument | Martin Willi | 2012-08-20 | 1 file | -4/+4
    LLVM's clang complains about this parameter, so remove it.
* Add keymat_t constructor registration function | Adrian-Ken Rueegsegger | 2012-08-20 | 2 files | -3/+45
    Using the register_constructor function enables custom keymat_t implementations per IKE version. If no constructor is registered the default behavior is preserved.
* Merge branch 'android-app' | Tobias Brunner | 2012-08-13 | 3 files | -2/+3
    This branch introduces a userland IPsec implementation (libipsec) and an Android App which targets the VpnService API that is provided by Android 4+. The implementation is based on the bachelor thesis 'Userland IPsec for Android 4' by Giuliano Grassi and Ralf Sager.
  * Moved packet_t to libstrongswan | Tobias Brunner | 2012-08-08 | 2 files | -1/+2
  * Increase log verbosity when sending NAT keep-alives | Tobias Brunner | 2012-08-08 | 1 file | -1/+1
* Merge branch 'android-ndk' | Tobias Brunner | 2012-08-13 | 3 files | -10/+18
    This branch comes with some preliminary changes for the user-land IPsec implementation and the Android App. One important change is that the UDP ports used by the socket-default plugin were made configurable (either via ./configure or strongswan.conf). Also, the plugin does randomly allocate a port if it is configured to 0, which is useful for client implementations. A consequence of these changes is that the local UDP port used when creating ike_cfg_t objects has to be fetched from the socket.
  * Replaced usages of CHARON_*_PORT with calls to get_port(). | Tobias Brunner | 2012-08-08 | 3 files | -7/+15
  * Use send_no_marker to send NAT keepalives. | Tobias Brunner | 2012-08-08 | 1 file | -1/+1
  * Make the UDP ports charon listens for packets on (and uses as source ports) configurable. | Tobias Brunner | 2012-08-08 | 3 files | -10/+10
* Use actual daemon name to enable XAuth/PSK with aggressive mode | Martin Willi | 2012-08-10 | 1 file | -2/+3
* Remove queued IKEv1 message before processing it | Martin Willi | 2012-08-08 | 1 file | -3/+5
    Avoids destruction or processing of a queued message in recursive process_message() call.
* Include src address in hash of initial message for Main Mode | Tobias Brunner | 2012-08-08 | 1 file | -5/+31
    If two initiators use the same SPI and also use the same SA proposal the hash for the initial message would be exactly the same. For IKEv2 and Aggressive Mode that's not a problem as these messages include random data (Ni, KEi payloads).
* Block XAuth transaction on established IKE_SAs, but allow Mode Config | Martin Willi | 2012-08-03 | 2 files | -2/+1
* Reject initial exchange messages early once IKE_SA is established | Martin Willi | 2012-08-02 | 1 file | -0/+18
* Lookup IKEv1 PSK even if the peer identity is not known | Martin Willi | 2012-07-31 | 1 file | -1/+1
* Don't include acquiring packet traffic selectors in IKEv1 | Martin Willi | 2012-07-26 | 1 file | -0/+5
    As we only can negotiate a single TS in IKEv1, don't prepend the triggering packet TS, as we do in IKEv2. Otherwise we don't establish the TS of the configuration, but only that of the triggering packet. Fixes #207.
* Implement late peer config switching after XAuth authentication | Martin Willi | 2012-07-26 | 1 file | -15/+80
    If additional authentication constraints, such as group membership, are not fulfilled by an XAuth backend, we search for another peer configuration that fulfills all constraints, including those from phase1.
* Check if XAuth round complies with configured authentication round | Martin Willi | 2012-07-26 | 1 file | -7/+18
* Merge auth config items added from XAuth backends to IKE_SA | Martin Willi | 2012-07-26 | 1 file | -0/+1
* Release leaking child config after uninstalling shunt policy | Martin Willi | 2012-07-23 | 1 file | -0/+1
* Refactored error handling in keymat_v1_t | Martin Willi | 2012-07-16 | 1 file | -25/+27
* Clean up error handling in keymat_v2_t | Martin Willi | 2012-07-16 | 1 file | -87/+65
* Cleaned up memory management and return values for encryption payload | Martin Willi | 2012-07-16 | 1 file | -1/+4
* Add a return value to hasher_t.allocate_hash() | Martin Willi | 2012-07-16 | 6 files | -20/+80
* Add a return value to keymat_v1_t.{get,update,confirm}_iv | Martin Willi | 2012-07-16 | 2 files | -13/+31
* Add a return value to crypter_t.set_key() | Martin Willi | 2012-07-16 | 2 files | -5/+22
* Add a return value to crypter_t.decrypt() | Martin Willi | 2012-07-16 | 1 file | -2/+1
* Add a return value to crypter_t.encrypt | Martin Willi | 2012-07-16 | 1 file | -2/+1
* Check rng return value when generating ME CONNECT_ID and KEY | Tobias Brunner | 2012-07-16 | 1 file | -2/+14
* Check rng return value when generating IKEv1 message IDs | Tobias Brunner | 2012-07-16 | 1 file | -8/+20