| Commit message (Collapse) | Author | Age | Files | Lines |
When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.
References #2388.
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark and will not match outbound traffic.
Closes strongswan/strongswan#78.
Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic, as that would result in installing a
0.0.0.0/0 remote TS, which is not ideal when a single IP is expected as
remote.
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
We don't trigger it either when they are deleted individually.
This should cause the right SA to get used if there are multiple outbound
SAs and the policies are installed properly.
x86_64-w64-mingw32-gcc on Windows requires this.
If multiple threads want to enumerate child-cfgs and potentially lock
other locks (e.g. check out IKE_SAs) while doing so, a deadlock could
be caused (as was the case with VICI configs with start_action=start).
It should also improve performance for roadwarrior connections and lots
of clients connecting concurrently.
Fixes #2374.
References #2377.
This prevented new listeners from receiving notifies if they joined
after another listener disconnected previously, and if they themselves
disconnected their old connection would prevent them again from getting
notifies.
Multiple CHILD_SAs sharing the same traffic selectors (e.g. during
make-before-break reauthentication) also have the same reqid assigned.
If all matching entries are removed we could end up without an entry even
though an SA exists that still uses these traffic selectors.
Fixes #2373.
This way we get the log message in stroke and swanctl as last message
when establishing a connection. It's already like this for the IKE_SA
where IKE_ESTABLISHED is set after the corresponding log message.
Fixes #2364.
VIRTUAL is a new reserved keyword in MySQL 5.7.6 that caused some of these
queries to fail.
Fixes #2359.
References #2347.
Due to the lookup based on the mapped algorithm ID the resulting AH
proposals were invalid.
Fixes #2347.
Fixes: 8456d6f5a8e9 ("ikev1: Don't require AH mapping for integrity algorithm when generating proposal")
This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated
with OPc) may be configured as binary EAP secret in ipsec.secrets or
swanctl.conf.
Based on a patch by Thomas Strangert.
Fixes #2326.
If we find a redundant CHILD_SA (the peer probably rekeyed the SA before
us) we might not want to delete the old SA because the peer might still
use it (same applies to old CHILD_SAs after rekeyings). So only delete
them if configured to do so.
Fixes #2358.
traffic_selector_t::to_subnet() always sets the net/host (unless the
address family was invalid).
Fixes: 3070697f9f7c ("ike: support multiple addresses, ranges and subnets in IKE address config")
Interestingly, this doesn't show up in the regression tests because the
compiler removes the first assignment (and thus the allocation) due to
-O2 that's included in our default CFLAGS.
This avoids the unportable five pointer hack.
This avoids the unportable five pointer hack.
This avoids the unportable 5 pointer hack, but requires enumerating in
the callback.
The correct truncation is 128-bit but some implementations insist on
using 96-bit truncation. With strongSwan this can be negotiated using
an algorithm identifier from a private range. But this doesn't work
with third-party implementations. This adds an option to use 96-bit
truncation even if the official identifier is used.
implementation
| |
After deleting a rekeyed CHILD_SA we uninstall the outbound SA but don't
destroy the CHILD_SA (and the inbound SA) immediately. We delay it
a few seconds or until the SA expires to allow delayed packets to get
processed. The CHILD_SA remains in state CHILD_DELETING until it finally
gets destroyed.
This makes sure we delete the right SA in case the addresses got updated
in the meantime.