path: root/src/libcharon/sa
Commit message  (Author, Age, Files, Lines)
...
* Update routed connections in trap manager  (Tobias Brunner, 2012-10-18, 1 file, -37/+39)
    Before this change, modified configs that have been updated with ipsec reload could properly be started manually, but the old config would get used if triggered via trap policies.
* Added a new alert that is raised if peer does not respond to initial IKE message  (Tobias Brunner, 2012-10-16, 1 file, -0/+2)
* Ensure UNSUPPORTED_CRITICAL_PAYLOAD notify contains correct payload type  (Tobias Brunner, 2012-09-28, 1 file, -0/+1)
* Missed one in 6c10cece  (Tobias Brunner, 2012-09-28, 1 file, -0/+2)
* Request is never NULL when responding with an INFORMATIONAL message  (Tobias Brunner, 2012-09-28, 1 file, -1/+1)
* Completed state handling in isakmp_cert_pre  (Tobias Brunner, 2012-09-28, 1 file, -0/+4)
    Should not be a problem, but makes static analyzers happy.
* IKE_AUTH_LIFETIME task is not defined if IKEv2 is disabled  (Tobias Brunner, 2012-09-25, 1 file, -1/+4)
    Fixes #229.
* Made IP address enumeration more flexible  (Tobias Brunner, 2012-09-21, 3 files, -3/+3)
    Also added an option to enumerate addresses on ignored interfaces.
* Don't ignore loopback devices and allow addresses on them being enumerated  (Tobias Brunner, 2012-09-21, 3 files, -3/+3)
* Don't complain about multiple TS in IKEv1, as it is supported with Unity  (Martin Willi, 2012-09-18, 1 file, -5/+0)
* Derive a dynamic TS to multiple virtual IPs  (Martin Willi, 2012-09-18, 4 files, -70/+105)
* Use the vararg list constructor in quick mode task  (Martin Willi, 2012-09-18, 1 file, -16/+8)
* Add AUTH_RULE_IDENTITY_LOOSE which allows to use IDr loosely as initiator  (Tobias Brunner, 2012-09-18, 1 file, -1/+2)
    If it is set on an auth config IDr will not be sent, and later the configured identity will not only be checked against the returned IDr, but also against other identities contained in the responder's certificate.
* Change traffic selectors during Quick Mode in case of a NAT in transport mode  (Tobias Brunner, 2012-09-14, 1 file, -9/+19)
    Windows 7 sends its internal address as TSi. While we don't support the NAT-T drafts as used by Windows XP it is interesting to note that the client there omits the TSi payload which then would automatically get set to the public IP address of the client. Fixes #220.
* Always send a configuration payload in IKEv1 TRANSACTIONs, even if it is empty  (Martin Willi, 2012-09-11, 1 file, -29/+14)
* Don't use host address for dynamic TS in IKEv1 if a virtual IP was expected  (Martin Willi, 2012-09-11, 1 file, -40/+57)
* Don't use host address for dynamic TS in IKEv2 if a virtual IP was expected  (Martin Willi, 2012-09-11, 1 file, -1/+33)
* Send FAILED_CP_REQUIRED if a configuration payload was expected, but not received  (Martin Willi, 2012-09-11, 1 file, -0/+9)
* Pass full pool list to release_address  (Martin Willi, 2012-09-11, 1 file, -13/+8)
* Pass the full list of pools to acquire_address, enumerate in providers  (Martin Willi, 2012-09-11, 2 files, -40/+12)
    If the provider has access to the full pool list, it can enumerate them twice, for example to search for existing leases first, and only search for new leases in a second step. Fixes lease enumeration in attr-sql using multiple pools.
* Add a responder narrow() hook to change TS in the kernel, but not on the wire  (Martin Willi, 2012-09-11, 2 files, -3/+46)
* Add uniqueids=never to ignore INITIAL_CONTACT notifies  (Tobias Brunner, 2012-09-10, 2 files, -2/+3)
    With uniqueids=no the daemon still deletes any existing IKE_SA with the same peer if an INITIAL_CONTACT notify is received. With this new option it also ignores these notifies.
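Added illustration for this page, not part of the commit or the strongSwan tree: the config setup section of ipsec.conf with the two settings the message contrasts, so the difference is visible in a configuration rather than only in prose.

```conf
# ipsec.conf, config setup section (added example, not project code)
config setup
    # uniqueids=no: a second IKE_SA from the same peer identity does not
    # replace the first one, but an INITIAL_CONTACT notify from that peer
    # still makes charon delete the existing IKE_SA.
    #uniqueids=no

    # uniqueids=never: as above, and INITIAL_CONTACT notifies are ignored as
    # well, so the existing IKE_SA stays up regardless of the notify.
    uniqueids=never
```

Only one of the two lines is active at a time; the commented-out value is kept to show what changes when switching to never.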
* Only initiate an exchange from send_dpd() if a task was actually queued  (Tobias Brunner, 2012-09-07, 1 file, -2/+8)
    Otherwise, the initiator would prematurely initiate Quick Mode if it has DPD enabled and XAuth is used.
* Trigger ike_updown event caused by retransmits only after reestablish() has been called  (Tobias Brunner, 2012-09-06, 3 files, -10/+5)
    This allows listeners to migrate to the new IKE_SA with the ike_reestablish event without having to worry about an ike_updown event for the old IKE_SA.
* Add ike_reestablish() event that is triggered when an IKE_SA is reestablished  (Tobias Brunner, 2012-09-06, 1 file, -0/+1)
    This is particularly useful during reauthentication to get the new IKE_SA.
* Add a new condition to mark IKE_SAs that are currently being reauthenticated  (Tobias Brunner, 2012-09-06, 2 files, -9/+9)
* Clear virtual IPs before storing assigned ones on the IKE_SA  (Tobias Brunner, 2012-09-05, 4 files, -0/+33)
    Otherwise we'll end up with duplicate or invalid VIPs stored on the IKE_SA.
* In mode_config, destroy temporary pool list instead of the virtual IP list twice  (Martin Willi, 2012-09-05, 1 file, -1/+1)
* Merge branch 'multi-vip'  (Martin Willi, 2012-08-31, 14 files, -214/+429)
    Brings support for multiple virtual IPs and multiple pools in left/rightsourceip definitions. Also introduces the new left/rightdns options to configure requested DNS server address family and respond with multiple connection specific servers.
  * Request and acquire multiple virtual IPs in IKEv1 Mode Config  (Martin Willi, 2012-08-30, 1 file, -47/+61)
  * Request and acquire multiple virtual IPs in IKEv2 configuration payload  (Martin Willi, 2012-08-30, 1 file, -49/+67)
  * Pass all configured pool names to attribute provider enumerator  (Martin Willi, 2012-08-30, 2 files, -4/+18)
  * Pass a list instead of a single virtual IP to attribute enumerators  (Martin Willi, 2012-08-30, 2 files, -22/+71)
  * Support multiple address pools configured on a peer_cfg  (Martin Willi, 2012-08-30, 8 files, -13/+70)
  * Support multiple virtual IPs on peer_cfg and ike_sa classes  (Martin Willi, 2012-08-30, 14 files, -144/+207)
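Added ipsec.conf example of the options the multi-vip branch above introduces (multiple pools in left/rightsourceip, left/rightdns); it is written for this page and is not taken from the strongSwan sources. The connection names, the gateway hostname, the pool ranges and the DNS server addresses are made up.

```conf
# Gateway side (added example, not project code): one pool per address
# family and two DNS servers handed out to every client of this conn.
conn rw
    left=%any
    leftsubnet=0.0.0.0/0,::/0
    rightsourceip=10.3.0.0/24,fec1::/64
    rightdns=10.3.0.1,fec1::1
    auto=add

# Client side: request one virtual IP of each address family, and a DNS
# server of each family, from the responder (%config4 / %config6).
conn home
    leftsourceip=%config4,%config6
    leftdns=%config4,%config6
    right=gw.example.org
    rightsubnet=0.0.0.0/0,::/0
    auto=start
```

On the responder the dns values are fixed addresses assigned to the client; on the initiator the %config4/%config6 placeholders select which address families are requested, matching the merge description.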
* Merge branch 'eap-client-select'  (Tobias Brunner, 2012-08-31, 3 files, -10/+100)
    This brings support for EAP-Nak payloads on the client (to select a specific or supported method), and the server (via the eap-dynamic plugin which selects a method supported/requested by the client).
  * Log the proper type for virtual EAP methods  (Tobias Brunner, 2012-08-31, 1 file, -1/+5)
  * Encode EAP-Naks in expanded format if we got an expanded type request  (Tobias Brunner, 2012-08-31, 1 file, -2/+2)
      Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format the previous check was insufficient.
  * Allow clients to request a configured EAP method via EAP-Nak  (Tobias Brunner, 2012-08-31, 1 file, -4/+24)
  * Virtual EAP methods handle EAP-Naks themselves  (Tobias Brunner, 2012-08-31, 1 file, -5/+17)
  * Send EAP-Nak with supported types if requested type is unsupported  (Tobias Brunner, 2012-08-31, 1 file, -2/+4)
  * Filter invalid EAP authentication types when enumerating them  (Tobias Brunner, 2012-08-31, 2 files, -1/+10)
      Valid authentication types defined by the IETF are 4-253 and 255.
  * Added a method to enumerate registered EAP methods  (Tobias Brunner, 2012-08-21, 2 files, -0/+43)
* Fall back to local address as IKEv1 identity if nothing else is configured  (Tobias Brunner, 2012-08-24, 1 file, -2/+14)
* Remove the unused second IKE_SA entry match function argument  (Martin Willi, 2012-08-20, 1 file, -4/+4)
    LLVM's clang complains about this parameter, so remove it.
* Add keymat_t constructor registration function  (Adrian-Ken Rueegsegger, 2012-08-20, 2 files, -3/+45)
    Using the register_constructor function enables custom keymat_t implementations per IKE version. If no constructor is registered the default behavior is preserved.
* Merge branch 'android-app'  (Tobias Brunner, 2012-08-13, 3 files, -2/+3)
    This branch introduces a userland IPsec implementation (libipsec) and an Android App which targets the VpnService API that is provided by Android 4+. The implementation is based on the bachelor thesis 'Userland IPsec for Android 4' by Giuliano Grassi and Ralf Sager.
  * Moved packet_t to libstrongswan  (Tobias Brunner, 2012-08-08, 2 files, -1/+2)
  * Increase log verbosity when sending NAT keep-alives  (Tobias Brunner, 2012-08-08, 1 file, -1/+1)
* Merge branch 'android-ndk'  (Tobias Brunner, 2012-08-13, 3 files, -10/+18)
    This branch comes with some preliminary changes for the user-land IPsec implementation and the Android App. One important change is that the UDP ports used by the socket-default plugin were made configurable (either via ./configure or strongswan.conf). Also, the plugin does randomly allocate a port if it is configured to 0, which is useful for client implementations. A consequence of these changes is that the local UDP port used when creating ike_cfg_t objects has to be fetched from the socket.