path: root/src
Commit message (Author, Age, Files, Lines)
...
* Use ikev2 keymat proxy  (Reto Buerki, 2013-03-19; 1 file, -7/+18)
  Forward incoming calls to default ikev2 keymat instance. This is needed to make a stepwise migration to TKM keymat possible. It will be removed once the corresponding parts are implemented in the TKM.
* Add skeleton for TKM keymat variant  (Reto Buerki, 2013-03-19; 3 files, -0/+256)
* id_manager: Use limits given by TKM  (Reto Buerki, 2013-03-19; 1 file, -5/+15)
* Pass context limits on to id manager  (Reto Buerki, 2013-03-19; 4 files, -12/+21)
* Request limits from TKM on init  (Reto Buerki, 2013-03-19; 1 file, -0/+15)
* id_manager: Use array of bool instead of list  (Reto Buerki, 2013-03-19; 2 files, -41/+42)
  Instead of storing the acquired context ids in a linked list, use an array of booleans for the job. A boolean value of true in the array designates an available context id.
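The allocator this message describes, as an added example in C (not strongSwan's id_manager nor any TKM code): one bool array per context kind, where true marks a free id, sized by limits that are assumed to be the per-kind maxima the TKM reports at initialization, as the neighbouring "limits" commits suggest. The nonce and DH kinds, the function names and the quota values used below are the example's own assumptions.

```c
/* Added example, not strongSwan's or the TKM's own code: a context id manager
 * with one array of bool per context kind (true = id free). The limits passed
 * to init are assumed to be what the TKM reports; all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Context kinds the log mentions; a real manager has more (assumed names) */
typedef enum {
    CTX_NONCE = 0,
    CTX_DH    = 1,
    CTX_KINDS
} ctx_kind_t;

typedef struct {
    bool  *avail[CTX_KINDS];   /* avail[k][i] true: id i + 1 of kind k is free */
    size_t limit[CTX_KINDS];   /* number of ids of kind k the TKM allows */
} id_manager_t;

static void id_manager_destroy(id_manager_t *mgr)
{
    for (int k = 0; k < CTX_KINDS; k++) {
        free(mgr->avail[k]);
        mgr->avail[k] = NULL;
        mgr->limit[k] = 0;
    }
}

/* limits[k]: ids of kind k offered by the TKM; 0 means the kind is unusable */
static bool id_manager_init(id_manager_t *mgr, const size_t limits[CTX_KINDS])
{
    memset(mgr, 0, sizeof(*mgr));
    for (int k = 0; k < CTX_KINDS; k++) {
        if (limits[k] == 0) {
            continue;
        }
        mgr->avail[k] = malloc(limits[k] * sizeof(bool));
        if (!mgr->avail[k]) {
            id_manager_destroy(mgr);
            return false;
        }
        mgr->limit[k] = limits[k];
        for (size_t i = 0; i < limits[k]; i++) {
            mgr->avail[k][i] = true;       /* every id starts out available */
        }
    }
    return true;
}

/* Lowest free id of this kind, in 1..limit; 0 when the TKM quota is exhausted */
static uint64_t id_manager_acquire(id_manager_t *mgr, ctx_kind_t kind)
{
    for (size_t i = 0; i < mgr->limit[kind]; i++) {
        if (mgr->avail[kind][i]) {
            mgr->avail[kind][i] = false;
            return (uint64_t)i + 1;
        }
    }
    return 0;
}

/* Give an id back; refuses ids out of range and ids that are not in use */
static bool id_manager_release(id_manager_t *mgr, ctx_kind_t kind, uint64_t id)
{
    if (id == 0 || id > mgr->limit[kind] || mgr->avail[kind][id - 1]) {
        return false;
    }
    mgr->avail[kind][id - 1] = true;
    return true;
}

/* Scenario with constructed limits: the TKM offers 2 nonce and 1 DH context.
 * Returns 0 if every step behaves as expected, else the failing step number. */
static int id_manager_demo(void)
{
    id_manager_t mgr;
    const size_t limits[CTX_KINDS] = { 2, 1 };
    int failed = 0;

    if (!id_manager_init(&mgr, limits)) return 1;
    if (id_manager_acquire(&mgr, CTX_NONCE) != 1) failed = 2;
    else if (id_manager_acquire(&mgr, CTX_NONCE) != 2) failed = 3;
    else if (id_manager_acquire(&mgr, CTX_NONCE) != 0) failed = 4;  /* quota hit */
    else if (id_manager_acquire(&mgr, CTX_DH) != 1) failed = 5;
    else if (id_manager_release(&mgr, CTX_NONCE, 3)) failed = 6;    /* out of range */
    else if (!id_manager_release(&mgr, CTX_NONCE, 1)) failed = 7;
    else if (id_manager_release(&mgr, CTX_NONCE, 1)) failed = 8;    /* double release */
    else if (id_manager_acquire(&mgr, CTX_NONCE) != 1) failed = 9;  /* id reused */
    id_manager_destroy(&mgr);
    return failed;
}

int main(void)
{
    int rc = id_manager_demo();
    printf("id manager demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

A return value of 0 from acquire means the TKM quota for that kind is used up, so callers must treat 0 as failure rather than as a context id; the range and double-release checks in release are what keep a context id from being handed out again while the TKM still has it bound.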
* Use id manager to acquire DH context id  (Reto Buerki, 2013-03-19; 1 file, -9/+23)
* Add TKM_CTX_DH (Diffie-Hellman context) to id manager  (Reto Buerki, 2013-03-19; 2 files, -3/+6)
* Use id manager to acquire nonce context id  (Reto Buerki, 2013-03-19; 1 file, -6/+16)
* Add initial TKM Diffie-Hellman implementation  (Reto Buerki, 2013-03-19; 7 files, -2/+234)
  The tkm_diffie_hellman_t plugin acquires a DH context from the Trusted Key Manager and uses it to get a DH public value and the calculated shared secret. Proper context handling is still missing though, the plugin currently uses context ID 1. The get_shared_secret function will be removed as soon as the TKM specific keymat is ready.
* charon-tkm: Register tkm nonce generator  (Reto Buerki, 2013-03-19; 2 files, -1/+9)
* tkm_nonceg: Return nonce generated by TKM  (Reto Buerki, 2013-03-19; 1 file, -1/+13)
* Initialize TKM client library in tkm.c  (Reto Buerki, 2013-03-19; 3 files, -6/+37)
* Introduce TKM specific charon daemon (charon-tkm)  (Reto Buerki, 2013-03-19; 19 files, -0/+1212)
  Analogous to charon-nm the charon-tkm daemon is a specialized charon instance used in combination with the trusted key manager (TKM) written in Ada. The charon-tkm is basically a copy of the charon-nm code which will register its own TKM specific plugins. The daemon binary is built using the gprbuild utility. This is needed because it uses the tkm-rpc Ada library and consequently the Ada runtime. gprbuild takes care of the complete binding and linker steps required to properly initialize the Ada runtime.
* starter: Make daemon name configurable  (Adrian-Ken Rueegsegger, 2013-03-19; 5 files, -38/+126)
  A daemon can be specified using the '--daemon' command line parameter. This tells starter to invoke a daemon other than 'charon'. Additionally the ipsec script uses the environment variable DAEMON_NAME to tell the starter which daemon to use.
* Load arbitrary (non-host) attributes from strongswan.conf  (Tobias Brunner, 2013-03-19; 1 file, -21/+32)
  This allows e.g. loading Cisco-specific attributes that contain FQDNs.
* Don't try to mmap() empty ipsec.secret files  (Martin Willi, 2013-03-19; 1 file, -1/+5)
* Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame  (Tobias Brunner, 2013-03-19; 3 files, -3/+27)
* Make sure that xauth-noauth is not used accidentally  (Tobias Brunner, 2013-03-19; 1 file, -2/+5)
  It has to be selected explicitly with rightauth2=xauth-noauth.
* Added xauth-noauth plugin  (Tobias Brunner, 2013-03-19; 7 files, -29/+305)
  This XAuth backend does not do any authentication of client credentials but simply sends a successful XAuth status to the client, thereby concluding the XAuth exchange. This can be useful to fall back to basic RSA authentication with clients that cannot be configured without XAuth authentication.
* In stroke counters, check if we have an IKE_SA before getting the name from it  (Martin Willi, 2013-03-19; 1 file, -3/+6)
  Fixes a segfault when receiving an invalid IKE SPI, where we don't have an IKE_SA for the raised alert.
* Add an "esp" load-tester option to configure custom CHILD_SA ESP proposal  (Martin Willi, 2013-03-18; 1 file, -3/+16)
* Algorithms are not really specific to an IKE version  (Tobias Brunner, 2013-03-18; 1 file, -1/+1)
  But not all of them can be used with IKEv1. Fixes #314.
* Merge branch 'radius-ext'  (Martin Willi, 2013-03-18; 31 files, -114/+1333)
  Bring some extensions to eap-radius, namely a virtual IP address provider based on received Framed-IPs, forwarding of Cisco Unity banners, Interim Accounting updates and the reporting of sent/received packets.
  * Don't create interim update entries if RADIUS accounting is disabled  (Martin Willi, 2013-03-14; 2 files, -7/+7)
  * Add support for RADIUS Interim accounting updates  (Martin Willi, 2013-03-14; 3 files, -39/+269)
  * Add an option to delete any established IKE_SA if RADIUS server is not responding  (Martin Willi, 2013-03-14; 4 files, -7/+67)
  * Make check whether to use IKEv1 fragmentation more readable  (Martin Willi, 2013-03-14; 1 file, -5/+14)
  * Send Acct-Terminate-Cause based on some alerts caught on the bus  (Martin Willi, 2013-03-14; 1 file, -0/+62)
    Currently supported are user disconnects, session timeouts and if the peer does not respond on IKE packets or DPDs.
  * When IKEv1 DPD times out, raise missing SEND_RETRANSMIT_TIMEOUT alert  (Martin Willi, 2013-03-14; 2 files, -1/+2)
  * Raise an alert if an IKE_SA could not have been reauthenticated and expires  (Martin Willi, 2013-03-14; 2 files, -0/+6)
  * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Accounting-Requests  (Martin Willi, 2013-03-14; 1 file, -4/+33)
  * Support RADIUS accounting of sent/received packets  (Martin Willi, 2013-03-14; 1 file, -13/+23)
  * Report the number of processed packets in "ipsec statusall"  (Martin Willi, 2013-03-14; 1 file, -5/+9)
  * child_sa_t.get_usestats() can additionally return the number of processed packets  (Martin Willi, 2013-03-14; 9 files, -16/+20)
  * Pass correctly sized pointer to lookup_algorithm() in PF_KEY  (Martin Willi, 2013-03-14; 1 file, -1/+1)
  * kernel_ipsec_t.query_sa() additionally returns the number of processed packets  (Martin Willi, 2013-03-14; 9 files, -16/+50)
  * Send NAS-Port, NAS-IP and Calling/Called-Station-ID in Access-Request  (Martin Willi, 2013-03-13; 2 files, -10/+56)
  * Forward Cisco Banner received from RADIUS to Unity capable clients  (Martin Willi, 2013-03-12; 3 files, -5/+176)
  * Add a radius message method to enumerate vendor specific attributes  (Martin Willi, 2013-03-12; 2 files, -0/+92)
  * Add Altiga Private Enterprise Numbers that Cisco uses in VPN 3000  (Martin Willi, 2013-03-12; 2 files, -1/+4)
  * In eap-radius, hand out received Framed-IP-Address attributes as virtual IP  (Martin Willi, 2013-03-12; 5 files, -2/+460)
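As an added example (not the eap-radius plugin's own radius_message code), the attribute parsing the 'radius-ext' branch above builds on: the Framed-IP-Address attribute that becomes a virtual IP, and Vendor-Specific attributes split by Private Enterprise Number and vendor sub-type, with Altiga's PEN 3076 and Cisco's PEN 9. The packets are constructed for the example, sub-type 28 standing for a banner is an assumption, and the function names are the example's own.

```c
/* Added example, not strongSwan's eap-radius code: walks the RFC 2865 attribute
 * list (type, length, value) of a RADIUS packet, pulls out the Framed-IP-Address
 * a server hands out as virtual IP and splits Vendor-Specific attributes (type
 * 26) into vendor sub-attributes. Packets, banner sub-type and names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RADIUS_HDR_LEN   20   /* code, id, length, 16-byte authenticator */
#define ATTR_FRAMED_IP    8
#define ATTR_VENDOR_SPEC 26
#define PEN_CISCO         9
#define PEN_ALTIGA     3076   /* Altiga Networks, used by the Cisco VPN 3000 */

typedef struct { uint32_t vendor; uint8_t type; const uint8_t *value; size_t len; } vsa_t;
typedef struct { const uint8_t *p, *end; } attr_iter_t;

/* Bound the walk by the declared packet length, itself checked against the buffer */
static bool attr_iter_init(attr_iter_t *it, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < RADIUS_HDR_LEN) return false;
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len) return false;
    it->p = pkt + RADIUS_HDR_LEN;
    it->end = pkt + declared;
    return true;
}
/* 1: attribute returned, 0: end of packet, -1: length field inconsistent */
static int attr_next(attr_iter_t *it, uint8_t *type, const uint8_t **value, size_t *vlen)
{
    if (it->p == it->end) return 0;
    if (it->end - it->p < 2) return -1;
    size_t alen = it->p[1];             /* length covers the 2 header bytes too */
    if (alen < 2 || alen > (size_t)(it->end - it->p)) return -1;
    *type = it->p[0]; *value = it->p + 2; *vlen = alen - 2;
    it->p += alen;
    return 1;
}
static uint32_t be32(const uint8_t *b)
{ return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3]; }

/* Address to hand out as virtual IP (host order). False when absent, malformed,
 * or one of the reserved values of RFC 2865 section 5.8 (255.255.255.255: user
 * picks, 255.255.255.254: NAS picks from its own pool), which are not addresses. */
static bool radius_framed_ip(const uint8_t *pkt, size_t pkt_len, uint32_t *ip)
{
    attr_iter_t it; uint8_t type; const uint8_t *v; size_t vlen;
    if (!attr_iter_init(&it, pkt, pkt_len)) return false;
    while (attr_next(&it, &type, &v, &vlen) == 1) {
        if (type != ATTR_FRAMED_IP || vlen != 4) continue;
        uint32_t a = be32(v);
        if (a == 0xFFFFFFFFu || a == 0xFFFFFFFEu) return false;
        *ip = a;
        return true;
    }
    return false;
}

/* Enumerate the vendor sub-attributes of every Vendor-Specific attribute. Returns
 * how many there are (those beyond max are counted, not stored) or -1 if any outer
 * or inner length field is inconsistent, so a truncated VSA is never over-read. */
static int radius_enum_vsa(const uint8_t *pkt, size_t pkt_len, vsa_t *out, size_t max)
{
    attr_iter_t it; uint8_t type; const uint8_t *v; size_t vlen, n = 0; int r;
    if (!attr_iter_init(&it, pkt, pkt_len)) return -1;
    while ((r = attr_next(&it, &type, &v, &vlen)) == 1) {
        if (type != ATTR_VENDOR_SPEC) continue;
        if (vlen < 4) return -1;        /* at least the vendor id must be there */
        uint32_t vendor = be32(v);
        const uint8_t *s = v + 4, *sub_end = v + vlen;
        while (s < sub_end) {           /* sub-TLVs: vendor type, length, value */
            if (sub_end - s < 2) return -1;
            size_t slen = s[1];
            if (slen < 2 || slen > (size_t)(sub_end - s)) return -1;
            if (n < max) {
                out[n].vendor = vendor; out[n].type = s[0];
                out[n].value = s + 2;   out[n].len = slen - 2;
            }
            n++;
            s += slen;
        }
    }
    return r < 0 ? -1 : (int)n;
}

/* Constructed Access-Accept (authenticator zeroed): Framed-IP-Address 10.0.0.5, an
 * Altiga VSA whose sub-type 28 is assumed to carry a banner, a Cisco VSA sub-type 1 */
static const uint8_t sample_accept[] = {
    0x02, 0x01, 0x00, 0x38, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x08, 0x06, 0x0a, 0x00, 0x00, 0x05,
    0x1a, 0x0f, 0x00, 0x00, 0x0c, 0x04, 0x1c, 0x09, 'W','e','l','c','o','m','e',
    0x1a, 0x0f, 0x00, 0x00, 0x00, 0x09, 0x01, 0x09, 'f','o','o','=','b','a','r',
};
/* Constructed: the pool marker 255.255.255.254, and an attribute length of 1 */
static const uint8_t sample_pool[] = { 0x02, 0x02, 0x00, 0x1a, 0,0,0,0, 0,0,0,0,
                                       0,0,0,0, 0,0,0,0, 0x08, 0x06, 0xff, 0xff, 0xff, 0xfe };
static const uint8_t sample_bad[]  = { 0x02, 0x03, 0x00, 0x16, 0,0,0,0, 0,0,0,0,
                                       0,0,0,0, 0,0,0,0, 0x08, 0x01 };
```

Two checks matter when a received Framed-IP-Address is turned into a virtual IP: the walk is bounded by the length the packet declares, never by the receive buffer alone, and the two reserved values of RFC 2865 section 5.8 are refused, since 255.255.255.254 asks the NAS to pick from its own pool rather than naming an address to assign. Inconsistent VSA length fields make the enumeration fail closed instead of reading past the attribute.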
* Merge branch 'stroke-counters'  (Martin Willi, 2013-03-18; 8 files, -23/+223)
  Extend stroke counters functionality by connection specific counters, and a resetcounters command to reset the global or connection counters.
  * Add a "resetcounters" command to ipsec, clearing global or connection counters  (Martin Willi, 2013-03-15; 8 files, -14/+53)
  * Add connection name specific stroke counters  (Martin Willi, 2013-03-15; 7 files, -20/+181)
  * Add a chunk_from_str() initializer that does not include 0-terminator  (Martin Willi, 2013-03-15; 1 file, -0/+5)
* Merge branch 'stroke-timeout'  (Martin Willi, 2013-03-18; 2 files, -22/+94)
  Add a strongswan.conf timeout option for stroke control commands.
  * If controller operations have a callback, don't succeed before hook gets called  (Martin Willi, 2013-03-07; 1 file, -4/+12)
  * Add a stroke command timeout option, and report status of completed command  (Martin Willi, 2013-03-07; 1 file, -18/+82)
* Merge branch 'netlink-align'  (Martin Willi, 2013-03-18; 3 files, -268/+151)
  Fixes some Netlink alignment issues, and then refactors Netlink XFRM message attribute handling.