Globally configure logging in strongswan.conf.testing and replace all
charondebug statements with strongswan.conf settings.
|
We could make the same change for charon (actually setting it for charon
in strongswan.conf.testing would work for charon-systemd too), however,
there are dozens of test cases that currently set charondebug in
ipsec.conf.
|
There are some exceptions (e.g. those that use auto=start or p2pnat).
|
The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.
tcpdump now also reports port 4500 as ipsec-nat-t.
|
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past, if these measurements in the other direction were correct,
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring an "allow" group
membership in the IKEv2 connection definition, the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
|
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.