| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Also adds an `ike` parameter to the `uninstall` command.
|
| |
|
|
|
| |
The same goes for the start-action-job. When unrouting, we search for
the first policy with a matching child-cfg.
|
| |
|
|
|
| |
This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.
|
| |
|
|
| |
Fixes #1002.
|
| | |
|
| | |
|
| |
|
|
| |
Fixes #2170.
|
| | |
|
| |
|
|
|
| |
This identifier can be set when adding/replacing a secret. The unique
identifiers of all secrets may be enumerated.
|
| |
|
|
| |
Also added is a method to enumerate the unique identifiers.
|
| | |
|
| |
|
|
| |
They are identified by their SHA-1 key identifier.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.
To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).
|
| |
|
|
|
|
| |
These options disable validation as such, e.g. even from cached CRLs, not
only the fetching. Also made the plugin's validate() implementation a
no-op if both options are disabled.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SA ID (src, dst, proto, spi) is unique on ingress.
As such, explicit inbound marking is not needed to match an SA.
On the other hand, requiring inbound SAs to use marks forces the
installation of a mechanism for marking traffic (e.g. iptables) based
on some criteria.
Defining the criteria becomes complicated, for example when required to
support multiple SAs from the same src, especially when traffic is UDP
encapsulated.
This commit removes the assignment of the child_sa mark_in to the inbound SA.
Policies can be arbitrated by existing means - e.g, via netfilter policy
matching or using VTI interfaces - without the need to classify the flows prior
to state matching.
Since the reqid allocator regards the mark value, there is no risk of matching
the wrong policy.
And as explicit marking was required for route-based VPN to work before this
change, it should not cause regressions in existing setups.
Closes strongswan/strongswan#59.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")
|
| |
|
|
|
|
|
| |
For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed
ourself.
Doing kernel-based route lookups is not only faster with may routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain
uses.
When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici useable in
splitbrain contexts.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the
task.
We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).
|
| |
|
|
|
|
|
|
| |
If the responder never sent a message the expected MID is 0. While
the sent MID (M1) SHOULD be increased beyond the known value, it's
not necessarily the case.
Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored
and while we'd return 0 in the notify we'd actually expect 1 afterwards.
|
| | |
|
| |
|
|
|
|
| |
We are very picky to only allow MID 0 for these messages (while we
currently don't support IPSEC_REPLAY_COUNTER_SYNC notifies we accept
them).
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
The config can also be reloaded by sending a SIGHUP to charon.
|
| |
|
|
|
| |
Currently, only the kernel-netlink plugin supports this, the others will
just ignore it.
|
| | |
|
| | |
|
| |
|
|
| |
subnets
|
| | |
|
| | |
|
| |
|
|
| |
Same as the change in the kernel-netlink plugin.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
While trap and regular policies now often look the same (mainly because
reqids are kept constant) trap policies still need to have a lower priority
than regular policies to handle unroute/route correctly if e.g. IPComp
is used or the mode changes. But if we use a completely different
priority range that's lower than that of regular policies it is not possible
to install overlapping trap policies. By differentiating trap from
regular policies via the priority's LSB this issue is avoided while
still maintaining the proper ordering of trap and regular policies.
Fixes #1243.
|
| | |
|
| |
|
|
| |
This simplifies implementing a custom keymat_v1_t.
|
| |
|
|
| |
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
|
| |
|
|
| |
Closes strongswan/strongswan#62.
|
| | |
|
