| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
this implements gre key negotiation in ikev1 similarly to the
ipsec-tools patch in alpine.
the from/to port pair is internally used as gre key for gre
protocol traffic selectors. since from/to pairs 0/0xffff and
0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
will not work.
this is not standard compliant, and should probably not be upstreamed
or used widely, but it is applied for interoperability with alpine
racoon for the time being.
|
| |
|
|
|
|
|
| |
This is obsoleted by the new "timeout=-1" option that achieves
the same. Only for compatibility with old versions of quagga-nhrp.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
| |
|
|
|
|
| |
Useful for monitoring and tracking full SA.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
| |
|
|
| |
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
| |
|
|
|
|
|
|
|
|
|
| |
This introduces support for specifying optional IKE SA specific
source and remote address for child sa initiation. This allows
to initiate wildcard connection for known address via vici.
In addition this allows impler implementation of trap-any patches
and is a prerequisite for dmvpn support.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
|
| |
|
|
|
| |
This prevents new SAs from getting created if we hit the global IKE_SA
limit (we still allow checkout_new(), which is used for rekeying).
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
libstrongswan and kernel-netlink are the only two components which do
not adhere to the naming scheme used for all other tests. If the tests
are run by an external application this imposes problems due to clashing
names.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Due to circular references the hasher_from_signature_scheme() helper
does not take a signature_params_t object.
|
| |
|
|
|
| |
This also required some include restructuring (avoid including library.h
in headers) to avoid unresolvable circular dependencies.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
RFC 8247 demoted it to MUST NOT.
References #2427.
|
| |
|
|
|
|
|
|
| |
RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.
References #2427.
|
| |
|
|
|
|
| |
RFC 8247 demoted MD5 to MUST NOT.
References #2427.
|
| |
|
|
|
|
|
| |
This removes algorithms that were deprecated by RFC 8221 (3DES, BF, MD5)
from the default proposals for ESP and AH.
References #8247.
|
| |
|
|
|
|
|
| |
FreeBSD 11.1 supports a new extension to configure larger anti-replay
windows, now configured as number of packets.
Fixes #2461.
|
| |
|
|
|
|
| |
The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.
Fixes #2457.
|
| | |
|
| | |
|
| |
|
|
|
| |
A certificate check is forced once the timeout is reached even if the
system time appears to be invalid.
|
| | |
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
Fixes #2451.
|
| |
|
|
|
|
|
| |
We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.
References #2430.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
|
| | |
|
| |
|
|
| |
We don't need to access this as uint32_t so just cast it to a char*.
|
| |
|
|
|
|
| |
The value of DHCP_OPTEND is 255. When it is assigned this result in a
sign change as the positive int constant is cast to a signed char and -1
results. Clang 4.0 complains about this.
|
| |
|
|
|
|
|
| |
This causes problems e.g. on Android where we handle the alert (and
reestablish the IKE_SA) even though it usually is no problem if the
peer retries with the requested group. We don't consider it as a
failure on the initiator either.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case we send retransmits for an IKE_SA_INIT where we propose a DH
group the responder will reject we might later receive delayed responses
that either contain INVALID_KE_PAYLOAD notifies with the group we already
use or, if we retransmitted an IKE_SA_INIT with the requested group but
then had to restart again, a KE payload with a group different from the
one we proposed. So far we didn't change the initiator SPI when
restarting the connection, i.e. these delayed responses were processed
and might have caused fatal errors due to a failed DH negotiation or
because of the internal retry counter in the ike-init task. Changing
the initiator SPI avoids that as we won't process the delayed responses
anymore that caused this confusion.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
If an interface is renamed we already have an entry (based on the
ifindex) allocated but previously only set the usable state once
based on the original name.
Fixes #2403.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
When querying SAs the keys will end up in this buffer (the allocated
messages that are returned are already wiped). The kernel also returns
XFRM_MSG_NEWSA as response to XFRM_MSG_ALLOCSPI but we can't distinguish
this here as we only see the response.
References #2388.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
Closes strongswan/strongswan#78.
|
| |
|
|
|
|
|
|
| |
Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic. As that would result in installing a
0.0.0.0/0 remote TS which is not ideal when a single IP is expected as
remote.
|
