aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon/sa
Commit message (Collapse)AuthorAgeFilesLines
...
* Use ref_get() to make sure IKE_SA unique IDs are uniqueMartin Willi2013-06-111-2/+2
|
* Use ref_get() to make sure CHILD_SA reqids are uniqueMartin Willi2013-06-111-2/+9
|
* ikev1: keep vendor ID task alive during full Main/Aggressive ModeMartin Willi2013-06-111-8/+75
| | | | Fixes DPD with Cisco IOS sending the DPD vendor ID not in the first message.
* ikev2: if installing a CHILD_SA as initiator fails, notify the responderMartin Willi2013-06-111-2/+36
|
* ikev2: raise LOCAL_AUTH_FAILED when receiving INFORMATIONAL with AUTH_FAILEDMartin Willi2013-06-111-0/+8
|
* ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+6
| | | | | | RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA.
* ikev2: if responder authentication fails, send AUTHENTICATION_FAILEDMartin Willi2013-06-111-0/+29
| | | | | | | According to RFC 5996, we MAY send an INFORMATIONAL message having an AUTHENTICATION_FAILED. We don't do any retransmits, though, but just close the IKE_SA after one message has been sent, avoiding the danger that an unauthenticated IKE_SA stays alive.
* Allow IPComp on NATed connections, both for IKEv1 and IKEv2Martin Willi2013-06-112-33/+10
| | | | | | While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
* Properly compare CHILD_SAs during rekey collisionTobias Brunner2013-06-111-5/+12
| | | | | | | The previous code did not properly check for the situation when the DELETE for a redundant CHILD_SA created by a responder during a CHILD_SA rekey collision arrives before the responder's answer to the initiator's winning CREATE_CHILD_SA request.
* Raise LOCAL_AUTH_FAILED alert after receiving AUTHENTICATION_FAILUREMartin Willi2013-05-151-0/+1
|
* kernel-interface: query SAD for last use time if SPD query didn't yield oneMartin Willi2013-05-061-5/+19
|
* child-sa: query SAD/SPD just for what we actually need to update statisticsMartin Willi2013-05-061-2/+5
|
* child-sa: pass traffic selector to add_sa() regardless of IPsec modeMartin Willi2013-05-061-14/+11
| | | | | This lets the kernel backend decide what to do with it, and in fact all kernel interfaces already handle this correctly.
* Raise an ALERT_PROPOSAL_MISMATCH_CHILD also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* Raise an ALERT_PROPOSAL_MISMATCH_IKE also when receiving NO_PROPOSAL_CHOSENMartin Willi2013-05-061-0/+20
|
* Don't unset IKE_SA on bus before we released virtual IPs and attributesMartin Willi2013-05-061-10/+8
|
* emit a single assig_vips bus message for all VIPsAndreas Steffen2013-04-062-6/+10
|
* ifmap plugin subscribes to assing_vip bus signalAndreas Steffen2013-04-061-0/+6
|
* Refactor check_for_rekeyed_child() in quick_mode taskMartin Willi2013-04-031-18/+24
|
* Reuse reqid of an existing Quick Mode, even if it has been rekeyedMartin Willi2013-04-031-1/+2
| | | | | | If two peers rekey Quick Modes at the same time, the original Quick Mode is in REKEYING state and hence the requid is not reused. This is required though, as two identical policies won't work if they have different requids.
* Defer CHILD_SA rekeying if allocating an SPI failsMartin Willi2013-04-032-12/+26
|
* Fixed some typos, courtesy of codespellTobias Brunner2013-03-251-1/+1
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-192-2/+16
| | | | certain time frame
* Make sure that xauth-noauth is not used accidentallyTobias Brunner2013-03-191-2/+5
| | | | It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth pluginTobias Brunner2013-03-191-29/+37
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
|
* Raise an alert if an IKE_SA could not have been reauthenticated and expiresMartin Willi2013-03-141-0/+4
|
* child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-145-7/+13
| | | | packets
* kernel_ipsec_t.query_sa() additionally returns the number of processed packetsMartin Willi2013-03-141-3/+15
|
* Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
|
* Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0Martin Willi2013-03-111-0/+4
|
* Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | Initial patch by Paul Stewart, fixes #289.
* As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| |
| * Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| |
| * Refactor auth_cfg applying to a common functionMartin Willi2013-02-261-20/+17
| |
* | Merge branch 'ikev1-rekeying'Martin Willi2013-03-011-0/+21
|\ \ | | | | | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| |/
* | Merge branch 'opaque-ports'Martin Willi2013-03-011-2/+2
|\ \ | | | | | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-211-2/+2
| | |
* | | Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
| | |
* | | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-014-45/+55
|\ \ \ | | | | | | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
| * | | Move initial message dropping to task managerMartin Willi2013-02-253-19/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When the last request message of the initial tunnel setup is retransmitted, we must retransmit the response instead of ignoring the request. Fixes #295.
| * | | Use INIT macro to initialize IKE_SA manager entriesMartin Willi2013-02-251-17/+6
| | |/ | |/|
* | | Merge branch 'tfc-notify'Martin Willi2013-03-011-0/+9
|\ \ \ | | | | | | | | | | | | | | | | Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if kernel does not support it.
| * | | Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support itMartin Willi2013-03-011-0/+9
| | |/ | |/|
* | | Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACTTobias Brunner2013-02-281-0/+1
| |/ |/| | | | | | | In other cases (i.e. when functions return DESTROY_ME) the event should already be triggered, but not in this forced situation.
* | Add a global return_success() method implementationMartin Willi2013-02-141-8/+2
| |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 15:39:22 +0000