path: root/src/libcharon/sa
Commit message (Author, Age; Files, Lines)
...
* Fixed some typos, courtesy of codespell (Tobias Brunner, 2013-03-25; 1 file, -1/+1)
* Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame (Tobias Brunner, 2013-03-19; 2 files, -2/+16)
* Make sure that xauth-noauth is not used accidentally (Tobias Brunner, 2013-03-19; 1 file, -2/+5)
  It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth plugin (Tobias Brunner, 2013-03-19; 1 file, -29/+37)
  This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fall back to basic RSA authentication with clients that cannot be configured without XAuth authentication.
* Make check whether to use IKEv1 fragmentation more readable (Martin Willi, 2013-03-14; 1 file, -5/+14)
* Raise an alert if an IKE_SA could not have been reauthenticated and expires (Martin Willi, 2013-03-14; 1 file, -0/+4)
* child_sa_t.get_usestats() can additionally return the number of processed packets (Martin Willi, 2013-03-14; 5 files, -7/+13)
* kernel_ipsec_t.query_sa() additionally returns the number of processed packets (Martin Willi, 2013-03-14; 1 file, -3/+15)
* Add missing XAuthRespPSK switch case to IKEv1 key derivation (Martin Willi, 2013-03-12; 1 file, -0/+1)
* Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0 (Martin Willi, 2013-03-11; 1 file, -0/+4)
* Ignore fourth Quick Mode message sent by Windows servers. (Martin Willi, 2013-03-11; 1 file, -0/+9)
  Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TS (Martin Willi, 2013-03-07; 1 file, -4/+11)
  Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* Merge branch 'multi-eap' (Martin Willi, 2013-03-01; 2 files, -28/+50)
  Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
  * Apply a mutual EAP auth_cfg not before the EAP method completes (Martin Willi, 2013-02-26; 2 files, -1/+18)
  * Be a little more verbose why a peer_cfg is unacceptable (Martin Willi, 2013-02-26; 1 file, -8/+16)
  * Refactor auth_cfg applying to a common function (Martin Willi, 2013-02-26; 1 file, -20/+17)
* Merge branch 'ikev1-rekeying' (Martin Willi, 2013-03-01; 1 file, -0/+21)
  Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
  * When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeying (Martin Willi, 2013-02-20; 1 file, -0/+21)
* Merge branch 'opaque-ports' (Martin Willi, 2013-03-01; 1 file, -2/+2)
  Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
  * Use a complete port range in traffic_selector_create_from_{subnet,cidr} (Martin Willi, 2013-02-21; 1 file, -2/+2)
* Without MOBIKE, update remote host only if it is behind NAT (Martin Willi, 2013-03-01; 1 file, -2/+3)
* Merge branch 'ikev1-mm-retransmits' (Martin Willi, 2013-03-01; 4 files, -45/+55)
  Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
  * For IKEv1 Main Mode, use message hash to detect early retransmissions (Martin Willi, 2013-02-25; 1 file, -10/+23)
    As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
  * Move initial message dropping to task manager (Martin Willi, 2013-02-25; 3 files, -19/+27)
    When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
  * Use INIT macro to initialize IKE_SA manager entries (Martin Willi, 2013-02-25; 1 file, -17/+6)
* Merge branch 'tfc-notify' (Martin Willi, 2013-03-01; 1 file, -0/+9)
  Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
  * Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it (Martin Willi, 2013-03-01; 1 file, -0/+9)
* Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT (Tobias Brunner, 2013-02-28; 1 file, -0/+1)
  In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* Add a global return_success() method implementation (Martin Willi, 2013-02-14; 1 file, -8/+2)
* Merge branch 'ike-dscp' (Martin Willi, 2013-02-14; 1 file, -1/+26)
  * Set configured DSCP value while generating IKE packets (Martin Willi, 2013-02-06; 1 file, -1/+26)
* make TNC client authentication type available to IMVs (Andreas Steffen, 2013-02-12; 1 file, -0/+57)
* Fix check-in of IKE_SA when IKE_SA_INIT fails and hash table is enabled (Tobias Brunner, 2013-01-24; 1 file, -2/+13)
  Setting the responder SPI to 0 can only be done while generating the response, otherwise we'd fail to check in the IKE_SA again in case the hash table is enabled. That's because we use the responder SPI as hash value since 5.0.0.
* Avoid a deadlock when installing a trap policy failed (Tobias Brunner, 2013-01-23; 1 file, -1/+5)
* Fix IKE SA inherit API doc (Adrian-Ken Rueegsegger, 2013-01-22; 1 file, -2/+1)
* Properly send IKEv1 packets if no ike_cfg is known yet (Tobias Brunner, 2013-01-14; 1 file, -2/+5)
  This applies for error notifies.
* Merge branch 'ikev1-fragmentation' (Tobias Brunner, 2013-01-12; 5 files, -25/+406)
  This adds support for the proprietary IKEv1 fragmentation extension.
  Conflicts: NEWS
  * Added an option to configure the maximum size of a fragment (Tobias Brunner, 2013-01-12; 1 file, -3/+10)
  * Properly detect fragmentation capabilities (Tobias Brunner, 2013-01-12; 1 file, -3/+27)
    Cisco sends 0xc0000000 so we check that part of the VID separately.
  * Added an option that allows to force IKEv1 fragmentation (Tobias Brunner, 2013-01-12; 2 files, -3/+6)
  * Use a connection specific option to en-/disable IKEv1 fragmentation (Tobias Brunner, 2012-12-24; 2 files, -10/+7)
  * Include source port in init hash for fragmented messages (Tobias Brunner, 2012-12-24; 1 file, -1/+8)
  * Add an option to en-/disable IKE fragmentation (Tobias Brunner, 2012-12-24; 2 files, -5/+20)
    Fragments are always accepted but will not be sent if disabled. The vendor ID is only sent if the option is enabled.
  * Split larger messages into fragments if IKE fragmentation is supported by peer (Tobias Brunner, 2012-12-24; 1 file, -14/+114)
  * Log added NAT-T vendor IDs (Tobias Brunner, 2012-12-24; 1 file, -0/+1)
  * Detect a peer's support for IKE fragmentation (Tobias Brunner, 2012-12-24; 2 files, -0/+9)
    Fragments are accepted even if this vendor ID is not seen.
  * Map fragmented initial Main or Aggressive Mode messages to the same IKE_SA (Tobias Brunner, 2012-12-24; 1 file, -1/+17)
  * Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments (Tobias Brunner, 2012-12-24; 1 file, -1/+2)
    Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges.
  * Don't handle fragmented messages larger than charon.max_packet (Tobias Brunner, 2012-12-24; 1 file, -4/+39)
  * Don't update an IKE_SA-entry's cached message ID when handling fragments (Tobias Brunner, 2012-12-24; 1 file, -1/+4)