aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* ike: Migrate queued CHILD_SA-creating tasks when reestablishing an IKE_SATobias Brunner2013-07-174-2/+115
|
* ikev1: Support closeaction of CHILD_SA.Oliver Smith2013-07-171-7/+49
| | | | | | When a CHILD_SA is closed in IKEv1, if it is not being rekeyed and closeaction has been set, we can now perform a restart or hold as is currently done for IKEv2.
* child-sa: refactor proxy transport mode address lookupMartin Willi2013-07-171-56/+42
|
* child-sa: replace traffic selector lists by arraysMartin Willi2013-07-171-18/+19
| | | | Saves up to another 0.5KB of memory per CHILD_SA.
* child-sa: replace get_traffic_selectors() with create_ts_enumerator()Martin Willi2013-07-177-59/+78
| | | | | Not directly returning a linked list allows us to change the internals of the CHILD_SA transparently.
* ikev2: replace linked lists by arrays in task managerMartin Willi2013-07-171-70/+76
| | | | Eliminates another three lists, 0.5KB per IKE_SA.
* ike-sa: use arrays instead of linked lists in long lived collectionsMartin Willi2013-07-171-116/+98
| | | | This saves about 1.5KB of memory per IKE_SA.
* ike: Resolve hosts only for address families currently supportedTobias Brunner2013-07-051-3/+16
|
* Reuse reqid when restarting CHILD_SAs for dpd|closeaction=restartTobias Brunner2013-07-012-3/+4
|
* Reuse reqid for trap policies installed for dpd|closeaction=holdTobias Brunner2013-07-014-5/+8
|
* ikev2: keep the CHILD_SA we delete as initiator in the list to destroyMartin Willi2013-06-251-6/+5
| | | | | If the responder not correctly send the correct protocol or SPI in the delete response, we should remove the CHILD_SA regardless.
* ike: Force NAT-T/UDP encapsulation if kernel interface requires itTobias Brunner2013-06-212-5/+32
|
* ikev2: use protocol of selected proposal to delete a failed CHILD_SAMartin Willi2013-06-201-2/+2
| | | | Depending on the failure, the protocol might not yet be set on the CHILD_SA.
* ikev2: properly fall back to tunnel mode if transport/BEET mode not configuredMartin Willi2013-06-191-2/+8
|
* ikev2: support transport mode over NATMartin Willi2013-06-191-36/+150
|
* ike: reuse the reqid of an installed trap having the same configMartin Willi2013-06-191-1/+5
| | | | | | | When we have a trap installed, but a CHILD_SA gets established for the same config from the peer, we should reuse the same reqid. Otherwise we would have two identical policies using different reqids, what we can't handle in our kernel backend.
* trap-manager: add a method to find reqid for installed traps by configMartin Willi2013-06-192-2/+38
|
* trap-manager: don't check-in nonexisting IKE_SA if acquire failsMartin Willi2013-06-191-2/+1
|
* trap-manager: fix a memleak when installing a trap to %anyMartin Willi2013-06-191-0/+1
|
* kernel-interface: add an exchange initiator parameter to add_sa()Martin Willi2013-06-114-21/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new flag gives the kernel-interface a hint how it should priorize the use of newly installed SAs during rekeying. Consider the following rekey procedure in IKEv2: Initiator --- Responder I1 -------CREATE-------> R1 I2 <------CREATE-------- -------DELETE-------> R2 I3 <------DELETE-------- SAs are always handled as pairs, the following happens at the SA level: * Initiator starts the exchange at I1 * Responder installs new SA pair at R1 * Initiator installs new SA pair at I2 * Responder removes old SA pair at R2 * Initiator removes old SA pair at I3 This makes sure SAs get installed/removed overlapping during rekeying. However, to avoid any packet loss, it is crucial that the new outbound SA gets activated at the correct position: * as exchange initiator, in I2 * as exchange responder, in R2 This should guarantee that we don't use the new outbound SA before the peer could install its corresponding inbound SA. The new parameter allows the kernel backend to install the new SA with appropriate priorities, i.e. it should: * as exchange inititator, have the new outbound SA installed with higher priority than the old SA * as exchange responder, have the new outbound SA installed with lower priority than the old SA While we could split up the SA installation at the responder, this approach has another advantage: it allows the kernel backend to switch SAs based on other criteria, for example when receiving traffic on the new inbound SA.
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
* Use ref_get() to make sure CHILD_SA reqids are uniqueMartin Willi2013-06-111-2/+9
|
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* ikev2: raise LOCAL_AUTH_FAILED when receiving INFORMATIONAL with AUTH_FAILEDMartin Willi2013-06-111-0/+8
|
* ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+6
| | | | | | RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA.
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+29
| | | | | | | According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-112-33/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Properly compare CHILD_SAs during rekey collisionTobias Brunner2013-06-111-5/+12
| | | | | | | The previous code did not properly check for the situation when the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
* Raise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILUREMartin Willi2013-05-151-0/+1
|
* kernel-interface: query SAD for last use time if SPD query didn't yield oneMartin Willi2013-05-061-5/+19
|
* child-sa: query SAD/SPD just for what we actually need to update statisticsMartin Willi2013-05-061-2/+5
|
* child-sa: pass traffic selector to add_sa() regardless of IPsec modeMartin Willi2013-05-061-14/+11
| | | | | This lets the kernel backend decide what to do with it, and in fact all kernel interfaces already handle this correctly.
* Raise an ALERT_PROPOSAL_MISMATCH_CHILD also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* Raise an ALERT_PROPOSAL_MISMATCH_IKE also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* Don't unset IKE_SA on bus before we released virtual IPs and attributesMartin Willi2013-05-061-10/+8
|
* emit a single assig_vips bus message for all VIPsAndreas Steffen2013-04-062-6/+10
|
* ifmap plugin subscribes to assing_vip bus signalAndreas Steffen2013-04-061-0/+6
|
* Refactor check_for_rekeyed_child() in quick_mode taskMartin Willi2013-04-031-18/+24
|
* Reuse reqid of an existing Quick Mode, even if it has been rekeyedMartin Willi2013-04-031-1/+2
| | | | | | If two peers rekey Quick Modes at the same time, the original Quick Mode is in REKEYING state and hence the requid is not reused. This is required though, as two identical policies won't work if they have different requids.
* Defer CHILD_SA rekeying if allocating an SPI failsMartin Willi2013-04-032-12/+26
|
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-251-1/+1
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-192-2/+16
| | | | certain time frame
* Make sure that xauth-noauth is not used accidentallyTobias Brunner2013-03-191-2/+5
| | | | It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth pluginTobias Brunner2013-03-191-29/+37
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
|
* Raise an alert if an IKE_SA could not have been reauthenticated and expiresMartin Willi2013-03-141-0/+4
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-145-7/+13
| | | | packets
* kernel_ipsec_t.query_sa() additionally returns the number of processed packetsMartin Willi2013-03-141-3/+15
|
* Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 09:32:46 +0000