aboutsummaryrefslogtreecommitdiffstats
path: root/src/libcharon
Commit message (Collapse)AuthorAgeFilesLines
...
* Avoid a race condition when reloading secrets from ipsec.secretsTobias Brunner2013-03-201-18/+25
| | | | | | | With the previous implementation that cleared the secrets in the active credential set and then loaded the secrets, IKE SA establishment would fail (as initiator or responder) if secrets are concurrently reloaded and the required secret was not yet loaded.
* android: Remove/filter header files from LOCAL_SRC_FILESTobias Brunner2013-03-201-3/+5
| | | | This avoids huge warnings when building the native code.
* Add an option to autobalance a HA cluster automaticallyMartin Willi2013-03-191-0/+59
|
* Check if for some reason we handle a HA segment on both nodesMartin Willi2013-03-191-1/+15
|
* Acquire HA segment lock while sending heartbeatMartin Willi2013-03-191-0/+2
|
* Removed unused variable 'id'Tobias Brunner2013-03-191-2/+1
|
* Avoid returning COOKIEs right after system bootTobias Brunner2013-03-191-1/+1
| | | | | | | | | | | When the monotonic timer is initialized to 0 right after the system is booted the daemon responded with COOKIES for COOKIE_CALMDOWN_DELAY (10s). Since the COOKIE verification code actually produces an overflow for COOKIE_LIFETIME (10s) it wouldn't even accept properly returned COOKIEs. Checking for last_cookie makes sense anyway as that condition must only apply if we actually sent a COOKIE before.
* Fix scheduling of heartbeat sending in HA pluginMartin Willi2013-03-191-2/+11
| | | | | | e0efd7c1 switches to automated job rescheduling for HA heartbeat. However, send_status() is initially called directly, which will not reschedule the job as required.
* Fix compiler warning in HA pluginMartin Willi2013-03-191-1/+1
|
* Don't try to mmap() empty ipsec.secret filesMartin Willi2013-03-191-1/+5
|
* Delete IKE_SAs if responder does not initiate XAuth exchange within a ↵Tobias Brunner2013-03-193-3/+27
| | | | certain time frame
* Make sure that xauth-noauth is not used accidentallyTobias Brunner2013-03-191-2/+5
| | | | It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth pluginTobias Brunner2013-03-197-29/+305
| | | | | | | | This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fallback to basic RSA authentication with clients that can not be configured without XAuth authentication.
* In stroke counters, check if we have an IKE_SA before getting the name from itMartin Willi2013-03-191-3/+6
| | | | | Fixes a segfault when receiving an invalid IKE SPI, where we don't have an IKE_SA for the raised alert.
* Add an "esp" load-tester option to configure custom CHILD_SA ESP proposalMartin Willi2013-03-181-3/+16
|
* Algorithms are not really specific to an IKE versionTobias Brunner2013-03-181-1/+1
| | | | | | But not all of them can be used with IKEv1. Fixes #314.
* Merge branch 'radius-ext'Martin Willi2013-03-1819-98/+1203
|\ | | | | | | | | | | Bring some extensions to eap-radius, namely a virtual IP address provider based on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting updates and the reporting of sent/received packets.
| * Don't create interim update entries if RADIUS accounting is disabledMartin Willi2013-03-142-7/+7
| |
| * Add support for RADIUS Interim accounting updatesMartin Willi2013-03-143-39/+269
| |
| * Add an option to delete any established IKE_SA if RADIUS server is not ↵Martin Willi2013-03-144-7/+67
| | | | | | | | responding
| * Make check whether to use IKEv1 fragmentation more readableMartin Willi2013-03-141-5/+14
| |
| * Send Acct-Terminate-Cause based on some alerts catched on the busMartin Willi2013-03-141-0/+62
| | | | | | | | | | Currently supported are user disconnects, session timeouts and if the peer does not respond on IKE packets or DPDs.
| * When IKEv1 DPD times out, raise missing SEND_RETRANSMIT_TIMOUT alertMartin Willi2013-03-142-1/+2
| |
| * Raise an alert if an IKE_SA could not have been reauthenticated and expiresMartin Willi2013-03-142-0/+6
| |
| * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Accounting-RequestsMartin Willi2013-03-141-4/+33
| |
| * Support RADIUS accounting of sent/received packetsMartin Willi2013-03-141-13/+23
| |
| * Report the number of processed packets in "ipsec statusall"Martin Willi2013-03-141-5/+9
| |
| * child_sa_t.get_usestats() can additionally return the number of processed ↵Martin Willi2013-03-149-16/+20
| | | | | | | | packets
| * kernel_ipsec_t.query_sa() additionally returns the number of processed packetsMartin Willi2013-03-142-5/+17
| |
| * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Access-RequestMartin Willi2013-03-131-7/+56
| |
| * Forward Cisco Banner received from RADIUS to Unity capable clientsMartin Willi2013-03-123-5/+176
| |
| * In eap-radius, hand out received Framed-IP-Address attributes as virtual IPMartin Willi2013-03-125-2/+460
| |
* | Merge branch 'stroke-counters'Martin Willi2013-03-183-11/+185
|\ \ | | | | | | | | | | | | Extend stroke counters functionality by connection specific counters, and a resetcounters command to reset the global or connection counters.
| * | Add a "resetcounters" command to ipsec, clearing global or connection countersMartin Willi2013-03-153-1/+38
| | |
| * | Add connection name specific stroke countersMartin Willi2013-03-153-11/+148
| | |
* | | Merge branch 'stroke-timeout'Martin Willi2013-03-182-22/+94
|\ \ \ | |_|/ |/| | | | | Add a strongswan.conf timeout option for stroke control commands.
| * | If controller operations have a callback, don't succeed before hook gets calledMartin Willi2013-03-071-4/+12
| | |
| * | Add a stroke command timeout option, and report status of completed commandMartin Willi2013-03-071-18/+82
| |/
* | Add missing XAuthRespPSK switch case to IKEv1 key derivationMartin Willi2013-03-121-0/+1
| |
* | Support mutliple subnets and ranges as external load-tester addressesMartin Willi2013-03-111-15/+59
| |
* | Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0Martin Willi2013-03-111-0/+4
| |
* | Ignore fourth Qick Mode message sent by Windows servers.Martin Willi2013-03-111-0/+9
| | | | | | | | Initial patch by Paul Stewart, fixes #289.
* | As Quick Mode initiator, select a subset of the proposed and the returned TSMartin Willi2013-03-071-4/+11
| | | | | | | | | | | | | | | | Cisco 5505 firewalls don't return the port if we send a specific one, letting the is_contained_in() checks fail. Using get_subset() selection builds the Quick Mode correctly with the common subset of selectors. Based on an initial patch from Paul Stewart.
* | instead of cloning use extract_buf() methodAndreas Steffen2013-03-041-1/+1
| |
* | Fixed Doxygen comments after scanning complete src directoryTobias Brunner2013-03-024-5/+5
| |
* | Removed backend for old Android frontend patchTobias Brunner2013-03-0212-923/+82
| | | | | | | | Moved the remaining DNS handler to a new plugin.
* | added ERX_SUPPORTED IKEv2 NotifyAndreas Steffen2013-03-022-7/+11
| |
* | Merge branch 'multi-eap'Martin Willi2013-03-012-28/+50
|\ \ | | | | | | | | | | | | | | | Fixes the use of EAP methods in the non-first authentication round if the initiator demands mutual EAP. Also mutual EAP can now be enforced when the initiator sets rightauth=eap, not only with rightauth=any.
| * | Apply a mutual EAP auth_cfg not before the EAP method completesMartin Willi2013-02-262-1/+18
| | |
| * | Be a little more verbose why a peer_cfg is inacceptableMartin Willi2013-02-261-8/+16
| | |
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-11 12:27:16 +0000