| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
While they SHOULD be sent as 16-bit values according to RFC 3173
a responder MUST be able to accept CPI values encoded in four bytes.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
iOS and Mac OS X clients establish individual IPsec SAs for the traffic
selectors received in Split-Include attributes (might have been different
in earlier releases). If we return 0.0.0.0/0 as TSr that either results
in a bunch of Quick Mode exchanges (for each TS), or with the latest
client releases an error notify (ATTRIBUTES_NOT_SUPPORTED).
We also can't install the IPsec SA with all configured subnets as that
would cause conflicts if the client later negotiates SAs for other subnets,
which iOS 8 does based on traffic to such subnets.
For Shrew and the Cisco client, which propose 0.0.0.0/0, we still need to
override the narrowed TS with 0.0.0.0/0, as they otherwise won't accept
the Quick Mode response. Likewise, we also have to narrow the TS before
installing the IPsec SAs and policies.
So we basically have to follow the client's proposal and only modify TSr
if we received 0.0.0.0/0. Since we don't get the original TS in the
narrow hook we handle the inbound QM messages and make note of IKE_SAs on
which we received a TSr of 0.0.0.0/0.
Fixes #737.
|
| |
|
|
| |
The second call resulted in a /32 subnet previously.
|
| | |
|
| |
|
|
|
|
| |
Similar to the inbound rules, the ALE filter processes IP-in-IP packets for
outbound tunnel mode traffic. When using an outbound default-drop policy,
Windows does not allow connection initiation without these explicit rules.
|
| |
|
|
|
|
|
|
|
|
|
| |
When processing inbound tunnel mode packets, Windows decrypts packets and
filters them as IP-in-IP packets. We therefore require an ALE filter that
calls the FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT callout to allow them
when using a default-drop policy.
Without these rules, any outbound packet created an ALE state that allows
inbound packets as well. Processing inbound packets without any outbound
traffic fails without these rules.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
As the underlying C functions, send/recv on ruby sockets are not guaranteed
to send/recv all requested bytes. Use wrapper functions to make sure we get
all bytes needed.
|
| |
|
|
| |
pki tool
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
If multiple sockets are ready, we previously preferred the IPv4 non-NAT socket
over others. To handle all with equal priority, use a round-robin selection.
|
| |
|
|
|
| |
It is not only simpler, but also allows the use of arbitrary high fd numbers,
which silently fails with select().
|
| |
|
|
| |
algorithms
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
|
|
| |
We currently send the notify in Main Mode only, as it is explicitly not allowed
by RFC 2407 to send (unprotected) notifications in Aggressive Mode. To make
that work, we'd need to handle that notify in Aggressive Mode, which could
allow a MitM to inject such notifies and do some harm.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
|
|
|
|
|
| |
Otherwise fragmented CREATE_CHILD_SA exchanges won't get accepted
because they don't contain an SA payload.
It also prevents a warning when ordering payloads.
Fixes #752.
|
| |
|
|
|
|
|
|
|
| |
When invoking /bin/sh, its default PATH is used. On some systems, that does
not include the PATH where the ipsec script is installed, as charon is invoked
with a custom PATH. Explicitly setting the PATH of charon should fix this
case, properly invoking the (default) updown script.
Fixes #745.
|
| |
|
|
|
| |
This is the behavior of some strtol() implementations, and it makes sense,
so force it.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.
The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.
|
| | |
|
| |
|
|
|
| |
For non-direct libstrongswan users, the deinitialization segfaults because
of the missing worker thread cancellation.
|
| |
|
|
| |
We want to avoid libvici users to get a cluttered stderr for no real error.
|
| |
|
|
|
|
|
|
| |
As we want to avoid the libstrongswan include dependencies for libvici, avoid
the use of the bool type. Unfortunately this change may break the ABI for
vici_dump(). As this function is mostly for debugging purposes, we do it
nonetheless; my apologies if somebody already relies on the ABI stability of
that function.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Even if the command actually can't fail, this looks more aligned to similar
commands.
|
| | |
|
| |
|
|
|
|
|
|
| |
I still think ipsec/l2tp with fragmentation support is a useful
fallback option in case the Windows IKEv2 connection fails because
of fragmentation problems.
Tested with Windows XP, 7 and 8.1.
|
| |
|
|
|
|
| |
Any interval returned by the RADIUS server in the Access-Accept message
overrides the configured interval. But it might be useful if RADIUS is
only used for accounting.
|
| |
|
|
|
|
|
|
| |
The maximum for IKEv1 is already 255 due to the 8-bit fragment number.
With an overhead of 17 bytes (x64) per fragment and a default maximum
of 10000 bytes per packet the maximum memory required is 14 kB
for a fragmented message.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
For instance, if a DPD exchange is initiated by the gateway when a
mobile client is roaming and it then gets a new IP address and sends
an address update via MOBIKE, the DPD retransmits would still be sent
to the old address and the SA would eventually get closed.
|
| |
|
|
|
| |
If a fragmented message is retransmitted only the first packet is passed
to the alert() hook.
|
