| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
Fixes #1214.
|
| | |
|
| |
|
|
|
|
|
| |
add_policy()
The additional data can be helpful to identify the exact policy to
delete.
|
| |
|
|
|
|
| |
Obtained-from: pfSense
Sponsored-by: Rubicon Communications (Netgate)
Closes strongswan/strongswan#17.
|
| |
|
|
| |
References #595.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The next release of FreeBSD will support this.
While Linux defines constants for AES-GCM in pfkeyv2.h since 2.6.25 it
does not actually support it. When SAs are installed via PF_KEY only a
lookup in XFRM's list of encryption algorithms is done, but AES-GCM is in
a different table for AEAD algorithms (there is currently no lookup
function to find algorithms in that table via PF_KEY identifier).
|
| |
|
|
|
| |
This may be the case when SAs are reestablished after a crash of the
IKE daemon.
|
| |
|
|
|
|
|
|
|
|
|
| |
The current "inbound" flag is used for two purposes: To define the actual
direction of the SA, but also to determine the operation used for SA
installation. If an SPI has been allocated, an update operation is required
instead of an add.
While the inbound flag normally defines the kind of operation required, this
is not necessarily true in all cases. On the HA passive node, we install inbound
SAs without prior SPI allocation.
|
| |
|
|
|
|
|
|
| |
If many requests are sent to the kernel the events generated by these
requests may fill the receive buffer before the daemon is able to read
these messages.
Fixes #783.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
|
| |
|
|
|
|
|
|
|
| |
The FreeBSD and Mac OS X kernels interpret sadb_sa_replay as the size of the
replay window in bytes. Linux on the other hand does the same for PF_KEY it
does for XFRM so sadb_sa_replay denotes the number of packets/bits in the
window. Similarly, the window size on Linux is limited to 32 by the four
byte default bitmap used for IPsec SAs (may only be changed with
XFRMA_REPLAY_ESN_VAL), which is not the case on the other platforms.
|
| |
|
|
|
|
| |
Seems that packet counts can be retrieved after all. At least the Linux
and FreeBSD kernels treat the number of allocations as number of packets.
We actually installed packet limits in that field already.
|
| | |
|
| |
|
|
|
|
| |
policy routes
This is basically the same as 88f125f5605e54b38cf8913df79e32ec6bddff10.
|
| | |
|
| |
|
|
|
| |
This allows to determine the next hop to reach a subnet, for instance, when
installing routes for shunt policies.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
On some systems (e.g. on Debian/kFreeBSD) that header is required when
including ipsec.h, on Linux we require it too when including pfkeyv2.h,
so to simplify things we just always include it.
|
| |
|
|
|
|
| |
- get_cpi function was implemented to retrieve a CPI from the kernel.
- add_sa/update_sa/del_sa were updated to accommodate for IPComp SA.
- Updated add_policy_internal to update the SPD to support IPComp.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
INCLUDES are now deprecated and throw warnings when using automake 1.13.
We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and
defines are passed to AM_CPPFLAGS only.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
If IPsec SAs are rekeyed due to an address change (e.g. because
update_sa is not supported) the exact same policy with the same reqid
will be installed, but with different addresses. After the rekeying the
old SA and its policies are removed, using the first matching mapping
breaks the mapping between the policies and the new SA (at least on
FreeBSD, the Linux kernel might only use the reqid for this). Using the
oldest matching SA is still an approximation but it solves the above
issue.
|
| | |
|
| | |
|
| |
|
|
| |
The daemon as such does not require this capability.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
When installing a route over a tun device for a virtual IP, the route must
be set over the tun, not the IKE interface.
|
| | |
|
| | |
|
| | |
|
