aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
| * Don't create interim update entries if RADIUS accounting is disabledMartin Willi2013-03-142-7/+7
| |
| * Add support for RADIUS Interim accounting updatesMartin Willi2013-03-143-39/+269
| |
| * Add an option to delete any established IKE_SA if RADIUS server is not ↵Martin Willi2013-03-144-7/+67
| | | | | | | | responding
| * Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
| |
| * Send Acct-Terminate-Cause based on some alerts catched on the busMartin Willi2013-03-141-0/+62
| | | | | | | | | | Currently supported are user disconnects, session timeouts and if the peer does not respond on IKE packets or DPDs.
| * When IKEv1 DPD times out, raise missing SEND_RETRANSMIT_TIMOUT alertMartin Willi2013-03-142-1/+2
| |
| * Raise an alert if an IKE_SA could not have been reauthenticated and expiresMartin Willi2013-03-142-0/+6
| |
| * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Accounting-RequestsMartin Willi2013-03-141-4/+33
| |
| * Support RADIUS accounting of sent/received packetsMartin Willi2013-03-141-13/+23
| |
| * Report the number of processed packets in "ipsec statusall"Martin Willi2013-03-141-5/+9
| |
| * child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-149-16/+20
| | | | | | | | packets
| * kernel_ipsec_t.query_sa() additionally returns the number of processed packetsMartin Willi2013-03-142-5/+17
| |
| * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Access-RequestMartin Willi2013-03-131-7/+56
| |
| * Forward Cisco Banner received from RADIUS to Unity capable clientsMartin Willi2013-03-123-5/+176
| |
| * In eap-radius, hand out received Framed-IP-Address attributes as virtual IPMartin Willi2013-03-125-2/+460
| |
* | Merge branch 'stroke-counters'Martin Willi2013-03-183-11/+185
|\ \ | | | | | | | | | | | | Extend stroke counters functionality by connection specific counters, and a resetcounters command to reset the global or connection counters.
| * | Add a "resetcounters" command to ipsec, clearing global or connection countersMartin Willi2013-03-153-1/+38
| | |
| * | Add connection name specific stroke countersMartin Willi2013-03-153-11/+148
| | |
* | | Merge branch 'stroke-timeout'Martin Willi2013-03-182-22/+94
|\ \ \ | |_|/ |/| | | | | Add a strongswan.conf timeout option for stroke control commands.
| * | If controller operations have a callback, don't succeed before hook gets calledMartin Willi2013-03-071-4/+12
| | |
| * | Add a stroke command timeout option, and report status of completed commandMartin Willi2013-03-071-18/+82
| |/
* | Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
| |
* | Support mutliple subnets and ranges as external load-tester addressesMartin Willi2013-03-111-15/+59
| |
* | Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0Martin Willi2013-03-111-0/+4
| |
* | Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | | | | | Initial patch by Paul Stewart, fixes #289.
* | As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | | | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* | instead of cloning use extract_buf() methodAndreas Steffen2013-03-041-1/+1
| |
* | Fixed Doxygen comments after scanning complete src directoryTobias Brunner2013-03-024-5/+5
| |
* | Removed backend for old Android frontend patchTobias Brunner2013-03-0212-923/+82
| | | | | | | | Moved the remaining DNS handler to a new plugin.
* | added ERX_SUPPORTED IKEv2 NotifyAndreas Steffen2013-03-022-7/+11
| |
* | Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ \ | | | | | | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * | Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| | |
| * | Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| | |
| * | Refactor auth_cfg applying to a common functionMartin Willi2013-02-261-20/+17
| | |
* | | Merge branch 'multi-cert'Martin Willi2013-03-011-15/+32
|\ \ \ | | | | | | | | | | | | | | | | Allows the configuration of multiple certificates in leftcert, and select the correct certificate to use based on the received certificate requests.
| * | | Load multiple comma seperarated certificates in the leftcert optionMartin Willi2013-01-181-15/+32
| | | |
* | | | Merge branch 'systime'Martin Willi2013-03-016-0/+452
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | Add a systime-fix plugin allowing an embedded system to validate certificates if the system time has not been synchronized after boot. Certificates of established tunnels can be re-validated after the system time gets valid.
| * | | | systime-fix disables certificate lifetime validation if system time not syncedMartin Willi2013-02-194-0/+326
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The system time can be periodically checked. If it gets valid, certificates get rechecked with the current lifetime. If certificates are invalid, associated IKE_SAs can be closed or reauthenticated.
| * | | | Add a stub for systime-fix, a plugin handling certificate lifetimes gracefullyMartin Willi2013-02-194-0/+126
| | |_|/ | |/| |
* | | | Merge branch 'ikev1-rekeying'Martin Willi2013-03-011-0/+21
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces the old Main Mode having a uniqueids=replace policy.
| * | | | When detecting a duplicate IKEv1 SA, adopt children, as it might be a rekeyingMartin Willi2013-02-201-0/+21
| | | | |
* | | | | Merge branch 'vip-shunts'Martin Willi2013-03-011-11/+6
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Installs bypass policies for the physical address if a virtual address is assigned, and installs a proper source route to actually use the physical address for bypassed destinations. Conflicts: src/libcharon/plugins/unity/unity_handler.c
| * | | | | Include local address for Unity Split-Exclude shunt policiesMartin Willi2013-02-201-10/+5
| |/ / / / | | | | | | | | | | | | | | | | | | | | If we use a virtual IP, having a shunt policy for just that wouldn't work, as we want a shunt bypass using the local address.
* | | | | Merge branch 'opaque-ports'Martin Willi2013-03-017-12/+18
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Adds a %opaque port option and support for port ranges in left/rightprotoport. Currently not supported by any of our kernel backends.
| * | | | | Don't reject OPAQUE ports while verifying traffic selector substructureMartin Willi2013-02-211-1/+5
| | | | | |
| * | | | | Pass complete port range over stroke interface for more flexibilityMartin Willi2013-02-211-14/+4
| | | | | |
| * | | | | Use a complete port range in traffic_selector_create_from_{subnet,cidr}Martin Willi2013-02-216-14/+24
| | |/ / / | |/| | |
* | | | | Without MOBIKE, update remote host only if it is behind NATMartin Willi2013-03-011-2/+3
| | | | |
* | | | | Merge branch 'ikev1-mm-retransmits'Martin Willi2013-03-014-45/+55
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly queues Main Mode messages when processing of the last message is still in progress.
| * | | | | For IKEv1 Main Mode, use message hash to detect early retransmissionsMartin Willi2013-02-251-10/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As the message ID is zero in all Main Mode messages, it can't be used to detect if we are already processing a given message.
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 12:09:24 +0000