6 years agoUpdated NEWS 5.4.0rc1
Andreas Steffen [Fri, 11 Mar 2016 10:31:02 +0000 (11:31 +0100)]
Updated NEWS

6 years agoman: Updated default proposals in ipsec.conf(5)
Tobias Brunner [Fri, 11 Mar 2016 09:24:36 +0000 (10:24 +0100)]
man: Updated default proposals in ipsec.conf(5)

6 years agoidentification: Make `written` signed to fix error checking when printing ranges
Tobias Brunner [Fri, 11 Mar 2016 09:06:58 +0000 (10:06 +0100)]
identification: Make `written` signed to fix error checking when printing ranges

6 years agovici: Don't hold write lock while running or undoing start actions
Tobias Brunner [Wed, 10 Feb 2016 11:09:37 +0000 (12:09 +0100)]
vici: Don't hold write lock while running or undoing start actions

Running or undoing start actions might require enumerating IKE_SAs,
which in turn might have to enumerate peer configs concurrently, which
requires acquiring a read lock.  So if we keep holding the write lock while
enumerating the SAs we provoke a deadlock.

By preventing other threads from acquiring the write lock while handling
actions, and thus preventing the modification of the configs, we largely
maintain the current synchronous behavior.  This way we also don't need to
acquire additional refs for config objects as they won't get modified/removed.

Fixes #1185.

6 years agoInitialize ts variable
Andreas Steffen [Fri, 11 Mar 2016 07:29:15 +0000 (08:29 +0100)]
Initialize ts variable

6 years agoforecast: Compare the complete rules when deleting them
Tobias Brunner [Wed, 9 Mar 2016 11:10:12 +0000 (12:10 +0100)]
forecast: Compare the complete rules when deleting them

Same as the change in the connmark plugin.

References #1229.

6 years agoconnmark: Don't restore CONNMARK for packets that already have a mark set
Tobias Brunner [Mon, 7 Mar 2016 15:52:43 +0000 (16:52 +0100)]
connmark: Don't restore CONNMARK for packets that already have a mark set

This allows e.g. modified versions of xl2tpd to set the mark in
situations where two clients are using the same source port behind the
same NAT, which CONNMARK can't restore properly as only one conntrack entry
will exist with the mark set to that of the client that sent the last packet.

Fixes #1230.

6 years agoconnmark: Compare the complete rules when deleting them
Tobias Brunner [Mon, 7 Mar 2016 14:32:02 +0000 (15:32 +0100)]
connmark: Compare the complete rules when deleting them

By settings a matchmask that covers the complete rule we ensure that the
correct rule is deleted (i.e. matches and targets with potentially different
marks are also compared).

Since data after the passed pointer is actually dereferenced when
comparing we definitely have to pass an array that is at least as long as
the ipt_entry.

Fixes #1229.

6 years agoMerge branch 'subnet-identities'
Andreas Steffen [Thu, 10 Mar 2016 14:26:03 +0000 (15:26 +0100)]
Merge branch 'subnet-identities'

Implemented IKEv1 IPv4/IPv6 address subnet and range identities to
be used as owners for shared secrets.

swanctl supports configuration of traffic selectors with IPv4/IPv6
address ranges.

6 years agoSupport of IP address ranges in traffic selectors
Andreas Steffen [Thu, 10 Mar 2016 11:00:56 +0000 (12:00 +0100)]
Support of IP address ranges in traffic selectors

6 years agoUpdated swanctl/rw-psk-ikev1 scenario
Andreas Steffen [Thu, 10 Mar 2016 07:02:44 +0000 (08:02 +0100)]
Updated swanctl/rw-psk-ikev1 scenario

6 years agoImplemented IPv4/IPv6 subnet and range identities
Andreas Steffen [Tue, 8 Mar 2016 21:27:30 +0000 (22:27 +0100)]
Implemented IPv4/IPv6 subnet and range identities

IPV6_ADDR_RANGE identities have been fully implemented and can be
used as owners of shared secrets (PSKs).

6 years agoMerge branch 'p-cscf'
Tobias Brunner [Thu, 10 Mar 2016 11:00:56 +0000 (12:00 +0100)]
Merge branch 'p-cscf'

This adds the p-cscf plugin that can request P-CSCF server addresses from
an ePDG via IKEv2 (RFC 7651).  Addresses of the same families as requested
virtual IPs are requested if enabled in strongswan.conf for a particular
connection.  The plugin currently writes received addresses to the log.

6 years agoattr: Only enumerate attributes matching the IKE version of the current IKE_SA
Tobias Brunner [Thu, 11 Feb 2016 14:47:32 +0000 (15:47 +0100)]
attr: Only enumerate attributes matching the IKE version of the current IKE_SA

Numerically configured attributes are currently sent for both versions.

6 years agoattr: Add p-cscf keyword for P-CSCF server addresses
Tobias Brunner [Fri, 5 Feb 2016 15:47:26 +0000 (16:47 +0100)]
attr: Add p-cscf keyword for P-CSCF server addresses

6 years agop-cscf: Make sending requests configurable and disable it by default
Tobias Brunner [Thu, 4 Feb 2016 17:41:14 +0000 (18:41 +0100)]
p-cscf: Make sending requests configurable and disable it by default

6 years agop-cscf: Only send requests if virtual IPs of the same family are requested
Tobias Brunner [Thu, 4 Feb 2016 17:35:07 +0000 (18:35 +0100)]
p-cscf: Only send requests if virtual IPs of the same family are requested

6 years agop-cscf: Add attribute handler for P-CSCF server addresses
Tobias Brunner [Thu, 4 Feb 2016 17:26:29 +0000 (18:26 +0100)]
p-cscf: Add attribute handler for P-CSCF server addresses

6 years agop-cscf: Add plugin stub
Tobias Brunner [Wed, 3 Feb 2016 16:49:48 +0000 (17:49 +0100)]
p-cscf: Add plugin stub

6 years agopayloads: Verify P-CSCF configuration attributes like others carrying IP addresses
Tobias Brunner [Wed, 3 Feb 2016 16:34:34 +0000 (17:34 +0100)]
payloads: Verify P-CSCF configuration attributes like others carrying IP addresses

6 years agoattributes: Define P-CSCF address attributes described in RFC 7651
Tobias Brunner [Wed, 3 Feb 2016 16:32:16 +0000 (17:32 +0100)]
attributes: Define P-CSCF address attributes described in RFC 7651

6 years agoMerge branch 'mbb-reauth-online-revocation'
Tobias Brunner [Thu, 10 Mar 2016 10:48:12 +0000 (11:48 +0100)]
Merge branch 'mbb-reauth-online-revocation'

With these changes initiators of make-before-break reauthentications
suspend online revocation checks until after the new IKE_SA and all
CHILD_SAs are established.  See f1cbacc5d1be for details why that's

6 years agoNEWS: Added note on online revocation checks during make-before-break reauthentication
Tobias Brunner [Thu, 10 Mar 2016 10:46:44 +0000 (11:46 +0100)]
NEWS: Added note on online revocation checks during make-before-break reauthentication

6 years agotesting: Add ikev2/reauth-mbb-revoked scenario
Tobias Brunner [Tue, 27 Oct 2015 16:42:45 +0000 (17:42 +0100)]
testing: Add ikev2/reauth-mbb-revoked scenario

6 years agotesting: Generate a CRL that has moon's actual certificate revoked
Tobias Brunner [Tue, 27 Oct 2015 16:42:15 +0000 (17:42 +0100)]
testing: Generate a CRL that has moon's actual certificate revoked

6 years agoike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks
Tobias Brunner [Wed, 28 Oct 2015 15:09:59 +0000 (16:09 +0100)]
ike-sa: Improve interaction between flush_auth_cfg and delayed revocation checks

6 years agoikev2: Delay online revocation checks during make-before-break reauthentication
Tobias Brunner [Tue, 27 Oct 2015 16:34:50 +0000 (17:34 +0100)]
ikev2: Delay online revocation checks during make-before-break reauthentication

We do these checks after the SA is fully established.

When establishing an SA the responder is always able to install the
CHILD_SA created with the IKE_SA before the initiator can do so.
During make-before-break reauthentication this could cause traffic sent
by the responder to get dropped if the installation of the SA on the
initiator is delayed e.g. by OCSP/CRL checks.

In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g.
with rightsubnet= the initiator is unable to reach them during
make-before-break reauthentication as it wouldn't be able to decrypt the
response that the responder sends using the new CHILD_SA.

By delaying the revocation checks until the make-before-break
reauthentication is completed we avoid the problems described above.
Since this only affects reauthentication, not the original IKE_SA, and the
delay until the checks are performed is usually not that long this
doesn't impose much of a reduction in the overall security.

6 years agoikev2: Add task that verifies a peer's certificate
Tobias Brunner [Tue, 27 Oct 2015 16:31:43 +0000 (17:31 +0100)]
ikev2: Add task that verifies a peer's certificate

On failure the SA is deleted and reestablished as configured.  The task
is activated after the REAUTH_COMPLETE task so a make-before-break reauth
is completed before the new SA might get torn down.

6 years agoikev2: Initiate other tasks after a no-op task
Tobias Brunner [Tue, 27 Oct 2015 16:29:53 +0000 (17:29 +0100)]
ikev2: Initiate other tasks after a no-op task

6 years agoikev2: Don't do online revocation checks in pubkey authenticator if requested
Tobias Brunner [Tue, 27 Oct 2015 16:28:20 +0000 (17:28 +0100)]
ikev2: Don't do online revocation checks in pubkey authenticator if requested

We also update the auth config so the constraints are not enforced.

6 years agoike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA
Tobias Brunner [Tue, 27 Oct 2015 16:27:02 +0000 (17:27 +0100)]
ike-sa: Add condition to suspend online certificate revocation checks for an IKE_SA

6 years agoike-sa: Add method to verify certificates in completed authentication rounds
Tobias Brunner [Tue, 27 Oct 2015 16:25:22 +0000 (17:25 +0100)]
ike-sa: Add method to verify certificates in completed authentication rounds

6 years agoauth-cfg: Add a rule to suspend certificate validation constraints
Tobias Brunner [Tue, 27 Oct 2015 16:21:18 +0000 (17:21 +0100)]
auth-cfg: Add a rule to suspend certificate validation constraints

6 years agocredential-manager: Check cache queue when destroying trusted certificate enumerator
Tobias Brunner [Tue, 27 Oct 2015 16:17:54 +0000 (17:17 +0100)]
credential-manager: Check cache queue when destroying trusted certificate enumerator

We already do this in the trusted public key enumerator (which
internally uses the trusted certificate enumerator) but should do so
also when this enumerator is used directly (since the public key
enumerator has the read lock the additional call will just be skipped

6 years agocredential-manager: Make online revocation checks optional for public key enumerator
Tobias Brunner [Mon, 26 Oct 2015 14:35:23 +0000 (15:35 +0100)]
credential-manager: Make online revocation checks optional for public key enumerator

6 years agoMerge branch 'charon-conf-fallback'
Tobias Brunner [Tue, 8 Mar 2016 09:56:27 +0000 (10:56 +0100)]
Merge branch 'charon-conf-fallback'

Makes charon-systemd and charon-svc also load settings from the charon
section in strongswan.conf.

Fixes #1300.

6 years agocharon-svc: Inherit all settings from the charon section
Tobias Brunner [Mon, 8 Feb 2016 16:22:23 +0000 (17:22 +0100)]
charon-svc: Inherit all settings from the charon section

Same as with charon-systemd.

6 years agocharon-systemd: Inherit all settings from the charon section
Tobias Brunner [Mon, 8 Feb 2016 16:19:20 +0000 (17:19 +0100)]
charon-systemd: Inherit all settings from the charon section

Our default config files are very charon specific.  So to avoid
confusion when only charon-systemd is installed we just default to all
settings defined for charon.  Since charon-systemd probably won't be used
together with charon this should not cause conflicts (settings may still
be overridden via the charon-systemd section).

6 years agolibrary: Add option to register additional namespaces before calling library_init()
Tobias Brunner [Thu, 3 Mar 2016 17:12:06 +0000 (18:12 +0100)]
library: Add option to register additional namespaces before calling library_init()

Because settings are already accessed in library_init(), calling
add_fallback() externally after calling library_init() is not ideal.
This way namespaces already serve as fallback while library_init() is
executed and they are also in the correct order so that libstrongswan is
always the last root section.

6 years agovici: Replace child configs atomically
Tobias Brunner [Fri, 16 Oct 2015 10:40:10 +0000 (12:40 +0200)]
vici: Replace child configs atomically

This also leaves unmodified configs as they are.

6 years agopeer-cfg: Add method to atomically replace child configs
Tobias Brunner [Fri, 16 Oct 2015 10:31:38 +0000 (12:31 +0200)]
peer-cfg: Add method to atomically replace child configs

6 years agoike-cfg: Use new method to compare proposal lists in equals()
Tobias Brunner [Fri, 16 Oct 2015 10:29:47 +0000 (12:29 +0200)]
ike-cfg: Use new method to compare proposal lists in equals()

6 years agopeer-cfg: Use new method to compare linked lists in equals()
Tobias Brunner [Fri, 16 Oct 2015 10:26:57 +0000 (12:26 +0200)]
peer-cfg: Use new method to compare linked lists in equals()

This also compares the complete lists not only the first two items.

6 years agochild-cfg: Add equals() method
Tobias Brunner [Fri, 16 Oct 2015 10:25:37 +0000 (12:25 +0200)]
child-cfg: Add equals() method

6 years agolinked-list: Add method to compare two lists of objects for equality
Tobias Brunner [Fri, 16 Oct 2015 10:12:43 +0000 (12:12 +0200)]
linked-list: Add method to compare two lists of objects for equality

6 years agovici: Order auth rounds by optional `round` parameter instead of by position in the...
Tobias Brunner [Thu, 19 Nov 2015 11:58:23 +0000 (12:58 +0100)]
vici: Order auth rounds by optional `round` parameter instead of by position in the request

6 years agoikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages
Tobias Brunner [Mon, 7 Mar 2016 13:04:41 +0000 (14:04 +0100)]
ikev1: Send NAT-D payloads after vendor ID payloads in Aggressive Mode messages

Some implementations might otherwise not recognize the NAT-D payload
type.  Also moves SIG and HASH payloads last in these messages.

Fixes #1239.

6 years agoike-sa-manager: Log a checkin/failure message for every checkout
Thomas Egerer [Mon, 7 Mar 2016 08:21:21 +0000 (09:21 +0100)]
ike-sa-manager: Log a checkin/failure message for every checkout

Signed-off-by: Thomas Egerer <>
6 years agotesting: Added swanctl/mult-auth-rsa-eap-sim-id scenario
Andreas Steffen [Sun, 6 Mar 2016 18:09:03 +0000 (19:09 +0100)]
testing: Added swanctl/mult-auth-rsa-eap-sim-id scenario

6 years agotesting: Added swanctl/xauth-rsa scenario
Andreas Steffen [Sun, 6 Mar 2016 11:28:55 +0000 (12:28 +0100)]
testing: Added swanctl/xauth-rsa scenario

6 years agoDisplay IKE ports with swanctl --list-sas
Andreas Steffen [Sat, 5 Mar 2016 17:19:00 +0000 (18:19 +0100)]
Display IKE ports with swanctl --list-sas

6 years agoVersion bump to 5.4.0rc1
Andreas Steffen [Sat, 5 Mar 2016 17:18:12 +0000 (18:18 +0100)]
Version bump to 5.4.0rc1

6 years agotesting: attr-sql is a charon plugin 5.4.0dr8
Andreas Steffen [Sat, 5 Mar 2016 14:53:22 +0000 (15:53 +0100)]
testing: attr-sql is a charon plugin

6 years agotesting: Added swanctl/rw-psk-ikev1 scenario
Andreas Steffen [Sat, 5 Mar 2016 12:50:41 +0000 (13:50 +0100)]
testing: Added swanctl/rw-psk-ikev1 scenario

6 years agotesting: Include IKE port information in evaltests
Andreas Steffen [Sat, 5 Mar 2016 12:44:06 +0000 (13:44 +0100)]
testing: Include IKE port information in evaltests

6 years agoVersion bump to 5.4.0dr8
Andreas Steffen [Fri, 4 Mar 2016 19:55:50 +0000 (20:55 +0100)]
Version bump to 5.4.0dr8

6 years agoike-sa-manager: Log some additional details like SPIs when checking out SAs
Tobias Brunner [Mon, 5 Oct 2015 15:49:52 +0000 (17:49 +0200)]
ike-sa-manager: Log some additional details like SPIs when checking out SAs

6 years agosmp: Correctly return IKE SPIs stored in network order
Tobias Brunner [Fri, 4 Mar 2016 09:28:00 +0000 (10:28 +0100)]
smp: Correctly return IKE SPIs stored in network order

6 years agovici: Correctly return IKE SPIs stored in network order
Tobias Brunner [Fri, 4 Mar 2016 09:25:40 +0000 (10:25 +0100)]
vici: Correctly return IKE SPIs stored in network order

6 years agostroke: Correctly print IKE SPIs stored in network order
Tobias Brunner [Fri, 4 Mar 2016 09:19:37 +0000 (10:19 +0100)]
stroke: Correctly print IKE SPIs stored in network order

6 years agobyteorder: Simplify htoun64/untoh64 functions
Tobias Brunner [Fri, 4 Mar 2016 09:15:49 +0000 (10:15 +0100)]
byteorder: Simplify htoun64/untoh64 functions

6 years agobyteorder: Always define be64toh/htobe64 macros
Tobias Brunner [Fri, 4 Mar 2016 09:13:49 +0000 (10:13 +0100)]
byteorder: Always define be64toh/htobe64 macros

6 years agoMerge branch 'ike-sig-contraints'
Tobias Brunner [Fri, 4 Mar 2016 15:42:41 +0000 (16:42 +0100)]
Merge branch 'ike-sig-contraints'

Signature scheme constraints against IKEv2 authentication may now be
configured independently of constraints against trustchains.

6 years agoNEWS: Add note about IKEv2 signature scheme constraints
Tobias Brunner [Fri, 4 Mar 2016 15:29:32 +0000 (16:29 +0100)]
NEWS: Add note about IKEv2 signature scheme constraints

6 years agoswanctl: Document signature scheme constraints
Tobias Brunner [Wed, 3 Feb 2016 14:45:09 +0000 (15:45 +0100)]
swanctl: Document signature scheme constraints

6 years agovici: Add support for pubkey constraints with EAP-TLS
Tobias Brunner [Wed, 3 Feb 2016 14:16:48 +0000 (15:16 +0100)]
vici: Add support for pubkey constraints with EAP-TLS

This is a feature currently supported by stroke.

6 years agoauth-cfg: Make IKE signature schemes configurable
Tobias Brunner [Mon, 1 Feb 2016 17:16:16 +0000 (18:16 +0100)]
auth-cfg: Make IKE signature schemes configurable

This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.

6 years agoikev2: Always store signature scheme in auth-cfg
Tobias Brunner [Mon, 1 Feb 2016 17:15:57 +0000 (18:15 +0100)]
ikev2: Always store signature scheme in auth-cfg

As we use a different rule we can always store the scheme.

6 years agoikev2: Diversify signature scheme rule
Thomas Egerer [Mon, 1 Feb 2016 17:15:15 +0000 (18:15 +0100)]
ikev2: Diversify signature scheme rule

This allows for different signature schemes for IKE authentication and
trustchain verification.

Signed-off-by: Thomas Egerer <>
6 years agoNEWS: Document RFC 5685 support
Tobias Brunner [Fri, 4 Mar 2016 15:07:17 +0000 (16:07 +0100)]
NEWS: Document RFC 5685 support

6 years agoMerge branch 'ike-redirect'
Tobias Brunner [Fri, 4 Mar 2016 15:03:07 +0000 (16:03 +0100)]
Merge branch 'ike-redirect'

This adds support for IKEv2 redirection (RFC 5685).  There is currently
no default implementation of the redirect_provider_t interface provided.
Plugins may implement the interface to decide if and when to redirect
connecting clients.  It is also possible to redirect established IKE_SAs
via VICI/swanctl.

6 years agoike-init: Verify REDIRECT notify before processing IKE_SA_INIT message
Tobias Brunner [Thu, 21 May 2015 12:56:01 +0000 (14:56 +0200)]
ike-init: Verify REDIRECT notify before processing IKE_SA_INIT message

An attacker could blindly send a message with invalid nonce data (or none
at all) to DoS an initiator if we just destroy the SA.  To prevent this we
ignore the message and wait for the one by the correct responder.

6 years agoikev2: Allow tasks to verify request messages before processing them
Tobias Brunner [Thu, 21 May 2015 12:48:35 +0000 (14:48 +0200)]
ikev2: Allow tasks to verify request messages before processing them

6 years agoikev2: Allow tasks to verify response messages before processing them
Tobias Brunner [Thu, 21 May 2015 12:45:52 +0000 (14:45 +0200)]
ikev2: Allow tasks to verify response messages before processing them

6 years agotask: Add optional pre_process() method
Tobias Brunner [Thu, 21 May 2015 12:38:02 +0000 (14:38 +0200)]
task: Add optional pre_process() method

This will eventually allow tasks to pre-process and verify received

6 years agotesting: Add ikev2/redirect-active scenario
Tobias Brunner [Tue, 12 May 2015 14:53:04 +0000 (16:53 +0200)]
testing: Add ikev2/redirect-active scenario

6 years agoike-init: Ignore notifies related to redirects during rekeying
Tobias Brunner [Thu, 30 Apr 2015 10:57:19 +0000 (12:57 +0200)]
ike-init: Ignore notifies related to redirects during rekeying

Also don't query redirect providers in this case.

6 years agoike-sa: Add limit for the number of redirects within a defined time period
Tobias Brunner [Thu, 30 Apr 2015 10:44:56 +0000 (12:44 +0200)]
ike-sa: Add limit for the number of redirects within a defined time period

6 years agoike-sa: Reauthenticate to the same addresses we currently use
Tobias Brunner [Thu, 30 Apr 2015 10:26:41 +0000 (12:26 +0200)]
ike-sa: Reauthenticate to the same addresses we currently use

If the SA got redirected this would otherwise cause a reauthentication with
the original gateway.  Reestablishing the SA to the original gateway, if e.g.
the new gateway is not reachable makes sense though.

6 years agovici: Don't redirect all SAs if no selectors are given
Tobias Brunner [Tue, 12 May 2015 15:49:46 +0000 (17:49 +0200)]
vici: Don't redirect all SAs if no selectors are given

This avoid confusion and redirecting all SAs can now easily be done
explicitly (e.g. peer_ip=

6 years agovici: Match subnets and ranges against peer IP in redirect command
Tobias Brunner [Thu, 30 Apr 2015 08:56:27 +0000 (10:56 +0200)]
vici: Match subnets and ranges against peer IP in redirect command

6 years agovici: Match identity with wildcards against remote ID in redirect command
Tobias Brunner [Tue, 28 Apr 2015 16:33:31 +0000 (18:33 +0200)]
vici: Match identity with wildcards against remote ID in redirect command

6 years agoswanctl: Add --redirect command
Tobias Brunner [Tue, 28 Apr 2015 16:00:01 +0000 (18:00 +0200)]
swanctl: Add --redirect command

6 years agovici: Add redirect command
Tobias Brunner [Tue, 28 Apr 2015 15:45:52 +0000 (17:45 +0200)]
vici: Add redirect command

This allows redirecting IKE_SAs by multiple different selectors, if none
are given all SAs are redirected.

6 years agoredirect-job: Add job to redirect an active IKE_SA
Tobias Brunner [Tue, 28 Apr 2015 15:29:42 +0000 (17:29 +0200)]
redirect-job: Add job to redirect an active IKE_SA

6 years agoike-sa: Add redirect() method to actively redirect an IKE_SA
Tobias Brunner [Tue, 28 Apr 2015 12:50:11 +0000 (14:50 +0200)]
ike-sa: Add redirect() method to actively redirect an IKE_SA

6 years agoike-redirect: Add task to redirect active IKE_SAs
Tobias Brunner [Tue, 28 Apr 2015 12:10:43 +0000 (14:10 +0200)]
ike-redirect: Add task to redirect active IKE_SAs

6 years agoike-auth: Handle REDIRECT notifies during IKE_AUTH
Tobias Brunner [Fri, 24 Apr 2015 14:59:44 +0000 (16:59 +0200)]
ike-auth: Handle REDIRECT notifies during IKE_AUTH

6 years agoike-sa: Handle redirect requests for established SAs as reestablishment
Tobias Brunner [Fri, 24 Apr 2015 14:57:43 +0000 (16:57 +0200)]
ike-sa: Handle redirect requests for established SAs as reestablishment

We handle this similar to how we do reestablishing IKE_SAs with all CHILD_SAs,
which also includes the one actively queued during IKE_AUTH.

To delete the old SA we use the recently added ike_reauth_complete task.

6 years agoike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers
Tobias Brunner [Thu, 23 Apr 2015 14:43:35 +0000 (16:43 +0200)]
ike-auth: Send REDIRECT notify during IKE_AUTH if requested by providers

To prevent the creation of the CHILD_SA we set a condition on the
IKE_SA.  We also schedule a delete job in case the client does not
terminate the IKE_SA (which is a SHOULD in RFC 5685).

6 years agoike-config: Do not assign attributes for redirected IKE_SAs
Tobias Brunner [Tue, 28 Apr 2015 16:15:35 +0000 (18:15 +0200)]
ike-config: Do not assign attributes for redirected IKE_SAs

6 years agochild-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH
Tobias Brunner [Thu, 23 Apr 2015 14:36:49 +0000 (16:36 +0200)]
child-create: Don't create CHILD_SA if the IKE_SA got redirected in IKE_AUTH

6 years agoike-sa: Add a condition to mark redirected IKE_SAs
Tobias Brunner [Thu, 23 Apr 2015 14:31:39 +0000 (16:31 +0200)]
ike-sa: Add a condition to mark redirected IKE_SAs

6 years agoike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server
Tobias Brunner [Thu, 23 Apr 2015 10:29:03 +0000 (12:29 +0200)]
ike-init: Handle REDIRECTED_FROM similar to REDIRECT_SUPPORTED as server

6 years agoike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate
Tobias Brunner [Thu, 23 Apr 2015 10:23:46 +0000 (12:23 +0200)]
ike-init: Send REDIRECTED_FROM instead of REDIRECT_SUPPORTED if appropriate

6 years agoike-sa: Keep track of the address of the gateway that redirected us
Tobias Brunner [Thu, 23 Apr 2015 10:16:21 +0000 (12:16 +0200)]
ike-sa: Keep track of the address of the gateway that redirected us

6 years agoikev2: Add option to disable following redirects as client
Tobias Brunner [Mon, 20 Apr 2015 15:36:45 +0000 (17:36 +0200)]
ikev2: Add option to disable following redirects as client

6 years agoikev2: Handle REDIRECT notifies during IKE_SA_INIT
Tobias Brunner [Thu, 23 Apr 2015 09:50:31 +0000 (11:50 +0200)]
ikev2: Handle REDIRECT notifies during IKE_SA_INIT

6 years agoike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers
Tobias Brunner [Wed, 22 Apr 2015 15:02:23 +0000 (17:02 +0200)]
ike-init: Send REDIRECT notify during IKE_SA_INIT if requested by providers

6 years agoredirect-manager: Add helper function to create and parse REDIRECT notify data
Tobias Brunner [Wed, 22 Apr 2015 12:34:53 +0000 (14:34 +0200)]
redirect-manager: Add helper function to create and parse REDIRECT notify data

The same encoding is also used for the REDIRECT_FROM notifies.