path: root/src/swanctl
Commit message  (Author, Age, Files, Lines)

* swanctl: Add check for conflicting short options  (Tobias Brunner, 2017-11-13, 1 file, -0/+9)
* swanctl: Properly register --counters command  (Tobias Brunner, 2017-11-13, 1 file, -1/+1)
  Use C instead of c, which is already used for --load-conns.
* auth-cfg: Add RSA/PSS schemes for pubkey and rsa if enabled in strongswan.conf  (Tobias Brunner, 2017-11-08, 1 file, -2/+9)
  Also document the rsa/pss prefix.
* swanctl: Add --counters command  (Tobias Brunner, 2017-11-08, 3 files, -1/+156)
* ike: Do not send initial contact only for UNIQUE_NEVER  (Thomas Egerer, 2017-11-02, 1 file, -1/+1)
  Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
* vici: Make setting mark on inbound SA configurable  (Tobias Brunner, 2017-11-02, 1 file, -11/+23)
* child-sa: Allow requesting different unique marks for in/out  (Eyal Birger, 2017-08-07, 1 file, -2/+6)
  When requiring unique flags for CHILD_SAs, allow the configuration to request different marks for each direction by using the %unique-dir keyword. This is useful when different marks are desired for each direction but the number of peers is not predefined. An example use case is when implementing a site-to-site route-based VPN without VTI devices. A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks results in outbound traffic being wrongfully matched against the 'fwd' policy - for which the underlay 'template' does not match - and dropped. Using different marks for each direction avoids this issue, as the 'fwd' policy, which uses the 'in' mark, will not match outbound traffic. Closes strongswan/strongswan#78.
* swanctl: Read default socket from swanctl.socket option  (Tobias Brunner, 2017-07-27, 1 file, -0/+4)
  Also read from swanctl.plugins.vici.socket so we get libstrongswan.plugins.vici.socket if it is defined. Fixes #2372.
* swanctl: Include config snippets from conf.d subdirectory  (Tobias Brunner, 2017-07-27, 2 files, -0/+3)
  Fixes #2371.
* swanctl: Document eap_id in remote sections  (Tobias Brunner, 2017-07-05, 1 file, -0/+6)
* vici: Make 96-bit truncation for SHA-256 configurable  (Tobias Brunner, 2017-05-26, 1 file, -0/+9)
* vici: Make hardware offload configurable  (Tobias Brunner, 2017-05-23, 1 file, -0/+4)
* Add an option to announce support for IKE fragmentation but not sending fragments  (Tobias Brunner, 2017-05-23, 1 file, -7/+11)
* swanctl: Use returned key ID to track loaded private keys  (Tobias Brunner, 2017-05-23, 1 file, -13/+6)
  There was a direct call to load_key() for unencrypted keys that didn't remove the key ID from the hashtable, which caused keys to get unloaded when --load-creds was called multiple times.
* swanctl: Reformulate IKEv1 selector restriction, describe problems with TS narrowing  (Noel Kuntze, 2017-03-23, 1 file, -3/+10)
* swanctl: Mention including files when referring to strongswan.conf(5)  (Tobias Brunner, 2017-03-23, 1 file, -1/+2)
* swanctl: Describe what happens when a FQDN is specified in local|remote_addrs  (Tobias Brunner, 2017-03-20, 1 file, -0/+6)
* vici: Add support for mediation extension  (Tobias Brunner, 2017-02-16, 1 file, -0/+24)
* swanctl: Add --rekey command  (Tobias Brunner, 2017-02-16, 4 files, -1/+130)
* vici: Use unique names for CHILD_SAs in the list-sas command  (Tobias Brunner, 2017-02-16, 1 file, -2/+3)
  The original name is returned in the new "name" attribute. This fixes an issue with bindings that map VICI messages to dictionaries. For instance, in roadwarrior scenarios where every CHILD_SA has the same name only the information of the last CHILD_SA would end up in the dictionary for that name.
* swanctl: Allow specifying pubkeys directly via 0x/0s prefix  (Tobias Brunner, 2017-02-16, 1 file, -28/+38)
* vici: Add support to load CA certificates from tokens and paths in authority sections  (Tobias Brunner, 2017-02-16, 2 files, -11/+33)
* vici: Add support to load certificates from file paths  (Tobias Brunner, 2017-02-16, 1 file, -0/+36)
  Probably not that useful via swanctl.conf but could be when used via VICI.
* vici: Add support to load certificates from tokens  (Tobias Brunner, 2017-02-16, 1 file, -0/+48)
* swanctl: Add `token` secrets for keys on tokens/smartcards  (Tobias Brunner, 2017-02-16, 2 files, -0/+106)
* swanctl: Pass optional connection name to --initiate/install/uninstall  (Tobias Brunner, 2017-02-16, 2 files, -5/+22)
* vici: Add support for NT Hash secrets  (Tobias Brunner, 2017-02-16, 2 files, -1/+25)
  Fixes #1002.
* vici: Add support for IPv6 Transport Proxy Mode  (Tobias Brunner, 2017-02-16, 1 file, -3/+5)
* vici: Add support for certificate policies  (Tobias Brunner, 2017-02-16, 2 files, -0/+7)
* vici: Add missing dscp setting for IKE_SAs  (Tobias Brunner, 2017-02-16, 1 file, -0/+8)
  Fixes #2170.
* swanctl: Automatically unload removed shared keys  (Tobias Brunner, 2017-02-16, 1 file, -15/+49)
* swanctl: Automatically unload removed private keys  (Tobias Brunner, 2017-02-16, 1 file, -76/+175)
* swanctl: Add possibility to query a specific pool by name  (Tobias Brunner, 2017-02-16, 1 file, -3/+11)
* swanctl: List CHILD_SA marks, if set  (Martin Willi, 2017-02-13, 1 file, -0/+18)
* swanctl: Add 'private' directory/section to load any type of private key  (Tobias Brunner, 2016-10-05, 4 files, -5/+26)
* vici: Enable IKE fragmentation by default  (Tobias Brunner, 2016-10-04, 1 file, -3/+3)
* vici: Make installation of outbound FWD policies configurable  (Tobias Brunner, 2016-09-28, 1 file, -0/+7)
* swanctl: Add man page entry for flush-certs command  [tag: 5.5.1dr3]  (Tobias Brunner, 2016-09-15, 1 file, -3/+4)
* vici: flush-certs command flushes certificate cache  (Andreas Steffen, 2016-09-13, 3 files, -1/+92)
  When fresh CRLs are released with a high update frequency (e.g. every 24 hours) or OCSP is used, the certificate cache quickly gets filled with stale CRLs or OCSP responses. The new VICI flush-certs command allows flushing e.g. cached CRLs or OCSP responses only. Without the type argument all kinds of certificates (e.g. also received end entity and intermediate CA certificates) are purged.
* swanctl: Document how DH groups in CHILD_SA proposals are applied  (Tobias Brunner, 2016-08-31, 1 file, -6/+13)
  References #1039.
* vici: Increased various string buffers to BUF_LEN (512 bytes)  (Andreas Steffen, 2016-07-29, 1 file, -1/+1)
* configure: Check for and explicitly link against -latomic  (Martin Willi, 2016-06-14, 1 file, -1/+1)
  Some C libraries, such as uClibc, require an explicit link for some atomic functions. Check for any libatomic, and explicitly link it.
* swanctl: indicate initiator and responder in --list-sas  (Andreas Steffen, 2016-05-07, 1 file, -2/+5)
* swanctl: Do not display rekey times for shunts  (Andreas Steffen, 2016-05-05, 1 file, -3/+5)
* vici list-conns sends reauthentication and rekeying time information  (Andreas Steffen, 2016-05-04, 1 file, -2/+71)
* swanctl: --list-conns shows eap_id, xauth_id and aaa_id  (Andreas Steffen, 2016-05-04, 1 file, -0/+13)
* swanctl: list EAP type in --list-conns  (Andreas Steffen, 2016-04-26, 1 file, -3/+10)
* swanctl: log errors to stderr  (Andreas Steffen, 2016-04-24, 3 files, -3/+3)
* Include manual policy priorities and restriction to interfaces in vici list-conn command  (Andreas Steffen, 2016-04-09, 1 file, -0/+13)
* Implemented IPsec policies restricted to given network interface  (Andreas Steffen, 2016-04-09, 1 file, -0/+3)