strongswan.git
6 years agoMerge branch 'stroke-timeout'
Martin Willi [Mon, 18 Mar 2013 09:11:46 +0000 (10:11 +0100)]
Merge branch 'stroke-timeout'

Add a strongswan.conf timeout option for stroke control commands.

6 years agoMerge branch 'netlink-align'
Martin Willi [Mon, 18 Mar 2013 09:09:35 +0000 (10:09 +0100)]
Merge branch 'netlink-align'

Fixes some Netlink alignment issues, and then refactors Netlink XFRM message
attribute handling.

6 years agoUse netlink_add_attribute() to copy over attributes during update_sa()
Martin Willi [Fri, 15 Mar 2013 15:01:32 +0000 (16:01 +0100)]
Use netlink_add_attribute() to copy over attributes during update_sa()

6 years agoUse a helper function to add XFRM_MARK attribute
Martin Willi [Fri, 15 Mar 2013 14:17:13 +0000 (15:17 +0100)]
Use a helper function to add XFRM_MARK attribute

6 years agoUse netlink_reserve() helper function in XFRM to simplify message construction
Martin Willi [Fri, 15 Mar 2013 14:05:00 +0000 (15:05 +0100)]
Use netlink_reserve() helper function in XFRM to simplify message construction

6 years agoAdd a Netlink utility function to add a RTA header and reserve space for data
Martin Willi [Fri, 15 Mar 2013 13:32:51 +0000 (14:32 +0100)]
Add a Netlink utility function to add a RTA header and reserve space for data

6 years agoCorrectly check buffer length in netlink_add_attribute()
Martin Willi [Fri, 15 Mar 2013 13:32:25 +0000 (14:32 +0100)]
Correctly check buffer length in netlink_add_attribute()

6 years agoAvoid unneeded termination of netlink algorithm name arrays with END_OF_LIST
Martin Willi [Fri, 15 Mar 2013 13:01:15 +0000 (14:01 +0100)]
Avoid unneeded termination of netlink algorithm name arrays with END_OF_LIST

6 years agoAdd missing XAuthRespPSK switch case to IKEv1 key derivation
Martin Willi [Fri, 8 Mar 2013 14:21:36 +0000 (15:21 +0100)]
Add missing XAuthRespPSK switch case to IKEv1 key derivation

6 years agostrdup() iface passed to queue_route_reinstall(), fixing double-free
Martin Willi [Mon, 11 Mar 2013 14:17:50 +0000 (15:17 +0100)]
strdup() iface passed to queue_route_reinstall(), fixing double-free

6 years agoSupport mutliple subnets and ranges as external load-tester addresses
Martin Willi [Mon, 11 Mar 2013 14:16:13 +0000 (15:16 +0100)]
Support mutliple subnets and ranges as external load-tester addresses

6 years agoAdd a constructor to create in-memory pools from an address range
Martin Willi [Mon, 11 Mar 2013 13:49:02 +0000 (14:49 +0100)]
Add a constructor to create in-memory pools from an address range

6 years agoWhen adding Netlink attributes, increase header length with potential alignment
Martin Willi [Mon, 11 Mar 2013 11:32:21 +0000 (12:32 +0100)]
When adding Netlink attributes, increase header length with potential alignment

If the payload is unaligned, we must make sure the total netlink message
length includes the added alignment for the first attribute.

6 years agoClean up IKE_SA state if IKE_SA_INIT request does not have message ID 0
Martin Willi [Mon, 11 Mar 2013 10:30:47 +0000 (11:30 +0100)]
Clean up IKE_SA state if IKE_SA_INIT request does not have message ID 0

6 years agoIgnore fourth Qick Mode message sent by Windows servers.
Martin Willi [Mon, 11 Mar 2013 09:52:13 +0000 (10:52 +0100)]
Ignore fourth Qick Mode message sent by Windows servers.

Initial patch by Paul Stewart, fixes #289.

6 years agoadded ITA Echo PA-TNC Subtype and ITA Echo Attribute type
Andreas Steffen [Mon, 11 Mar 2013 08:30:20 +0000 (09:30 +0100)]
added ITA Echo PA-TNC Subtype and ITA Echo Attribute type

6 years agoversion bump to 5.0.3dr4
Andreas Steffen [Mon, 11 Mar 2013 08:29:22 +0000 (09:29 +0100)]
version bump to 5.0.3dr4

6 years agomoved ar_id from imv_agent to imv_state
Andreas Steffen [Mon, 11 Mar 2013 07:54:02 +0000 (08:54 +0100)]
moved ar_id from imv_agent to imv_state

6 years agoesc() is only used if dladdr(3) is available 5.0.3dr3
Tobias Brunner [Fri, 8 Mar 2013 15:43:07 +0000 (16:43 +0100)]
esc() is only used if dladdr(3) is available

6 years agoFix maximum size of a mem_pool_t
Tobias Brunner [Thu, 7 Mar 2013 17:21:02 +0000 (18:21 +0100)]
Fix maximum size of a mem_pool_t

6 years agoNew Android release after adding translations and Cert/EAP authentication
Tobias Brunner [Thu, 7 Mar 2013 12:53:54 +0000 (13:53 +0100)]
New Android release after adding translations and Cert/EAP authentication

Also fixed a race condition during reauthentication and a freeze that
might happen while disconnecting.

6 years agoandroid: Add support for combined certificate and EAP authentication
Tobias Brunner [Thu, 7 Mar 2013 12:50:29 +0000 (13:50 +0100)]
android: Add support for combined certificate and EAP authentication

This uses RFC 4739 multiple authentication rounds to first
authenticate the client with a certificate followed by an
EAP authentication round with username and password.

6 years agoMerge branch 'pt-tls'
Martin Willi [Thu, 7 Mar 2013 13:10:50 +0000 (14:10 +0100)]
Merge branch 'pt-tls'

6 years agoIf controller operations have a callback, don't succeed before hook gets called
Martin Willi [Thu, 7 Mar 2013 11:13:26 +0000 (12:13 +0100)]
If controller operations have a callback, don't succeed before hook gets called

6 years agoAdd a stroke command timeout option, and report status of completed command
Martin Willi [Thu, 7 Mar 2013 10:45:33 +0000 (11:45 +0100)]
Add a stroke command timeout option, and report status of completed command

6 years agoAs Quick Mode initiator, select a subset of the proposed and the returned TS
Martin Willi [Thu, 7 Mar 2013 08:50:43 +0000 (09:50 +0100)]
As Quick Mode initiator, select a subset of the proposed and the returned TS

Cisco 5505 firewalls don't return the port if we send a specific one, letting
the is_contained_in() checks fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.

Based on an initial patch from Paul Stewart.

6 years agoIf TLS peer authentication not required, the client does nonetheless, allow it to...
Martin Willi [Wed, 6 Mar 2013 13:39:51 +0000 (14:39 +0100)]
If TLS peer authentication not required, the client does nonetheless, allow it to fail

6 years agoadded some otherNames OIDs
Andreas Steffen [Wed, 6 Mar 2013 10:50:32 +0000 (11:50 +0100)]
added some otherNames OIDs

6 years agoFix some apidoc in mem_pool.h
Martin Willi [Tue, 5 Mar 2013 16:52:07 +0000 (17:52 +0100)]
Fix some apidoc in mem_pool.h

6 years agotesting: Add screen package to base image
Tobias Brunner [Mon, 4 Mar 2013 17:05:49 +0000 (18:05 +0100)]
testing: Add screen package to base image

Makes working in a single SSH session easier.

6 years agotesting: Enable ssh connection to second IP by name (e.g. moon1)
Tobias Brunner [Mon, 4 Mar 2013 17:01:10 +0000 (18:01 +0100)]
testing: Enable ssh connection to second IP by name (e.g. moon1)

6 years agotesting: ssh script accepts IP addresses instead of host names
Tobias Brunner [Mon, 4 Mar 2013 10:55:26 +0000 (11:55 +0100)]
testing: ssh script accepts IP addresses instead of host names

6 years agotesting: ssh script forwards arguments to ssh command
Tobias Brunner [Mon, 4 Mar 2013 10:36:47 +0000 (11:36 +0100)]
testing: ssh script forwards arguments to ssh command

This allows to execute commands on a virtual host.

6 years agoremoved unneeded DS files
Andreas Steffen [Tue, 5 Mar 2013 08:08:25 +0000 (09:08 +0100)]
removed unneeded DS files

6 years agoinstead of cloning use extract_buf() method
Andreas Steffen [Mon, 4 Mar 2013 22:21:21 +0000 (23:21 +0100)]
instead of cloning use extract_buf() method

6 years agoDon't invoke addr2line if dladdr() did not yield a filename
Martin Willi [Mon, 4 Mar 2013 14:50:21 +0000 (15:50 +0100)]
Don't invoke addr2line if dladdr() did not yield a filename

6 years agoWhen receiving critical signals, additionally log backtraces to syslog/files
Martin Willi [Mon, 4 Mar 2013 14:46:34 +0000 (15:46 +0100)]
When receiving critical signals, additionally log backtraces to syslog/files

6 years agobacktrace_t.log() takes a NULL file pointer to log to registered dbg() hook
Martin Willi [Mon, 4 Mar 2013 14:45:03 +0000 (15:45 +0100)]
backtrace_t.log() takes a NULL file pointer to log to registered dbg() hook

6 years agoDon't use color escapes when printing backtraces to a non-TTY file
Martin Willi [Mon, 4 Mar 2013 14:07:03 +0000 (15:07 +0100)]
Don't use color escapes when printing backtraces to a non-TTY file

6 years agoAdd a utility function to resolve TTY color escape codes dynamically
Martin Willi [Mon, 4 Mar 2013 14:04:56 +0000 (15:04 +0100)]
Add a utility function to resolve TTY color escape codes dynamically

6 years agomake TNC Access Requestor ID available to IMVs
Andreas Steffen [Sun, 3 Mar 2013 16:18:09 +0000 (17:18 +0100)]
make TNC Access Requestor ID available to IMVs

6 years agoupdated NEWS
Andreas Steffen [Sun, 3 Mar 2013 16:17:08 +0000 (17:17 +0100)]
updated NEWS

6 years agoupgraded KVM test suite to Linux 3.8 kernel
Andreas Steffen [Sun, 3 Mar 2013 10:59:07 +0000 (11:59 +0100)]
upgraded KVM test suite to Linux 3.8 kernel

6 years agoadded openssl-ikev2/alg-aes-gcm scenario
Andreas Steffen [Sun, 3 Mar 2013 10:43:52 +0000 (11:43 +0100)]
added openssl-ikev2/alg-aes-gcm scenario

6 years agouse DNs in tnc/tnccs-20-tls scenario
Andreas Steffen [Sun, 3 Mar 2013 09:47:17 +0000 (10:47 +0100)]
use DNs in tnc/tnccs-20-tls scenario

6 years agoadded getpwuid_r and initgroups to whitelist
Andreas Steffen [Sun, 3 Mar 2013 08:04:49 +0000 (09:04 +0100)]
added getpwuid_r and initgroups to whitelist

6 years agothird parameter was not copied
Andreas Steffen [Sat, 2 Mar 2013 21:03:07 +0000 (22:03 +0100)]
third parameter was not copied

6 years agoFixed Doxygen comments after scanning complete src directory
Tobias Brunner [Sat, 2 Mar 2013 14:26:45 +0000 (15:26 +0100)]
Fixed Doxygen comments after scanning complete src directory

6 years agoInclude the whole src directory in apidoc and make source files browsable
Tobias Brunner [Sat, 2 Mar 2013 13:58:33 +0000 (14:58 +0100)]
Include the whole src directory in apidoc and make source files browsable

But still only scan header files as Doxygen can't figure out how they
are related to source files (at least not for class methods).

6 years agoPrevent Doxygen from processing __attribute__(...)
Tobias Brunner [Sat, 2 Mar 2013 12:33:25 +0000 (13:33 +0100)]
Prevent Doxygen from processing __attribute__(...)

Doxygen produces additional members/classes from these attributes.

6 years agoUpdated Doxyfile.in with a recent version of Doxygen
Tobias Brunner [Sat, 2 Mar 2013 12:08:52 +0000 (13:08 +0100)]
Updated Doxyfile.in with a recent version of Doxygen

6 years agoRemoved backend for old Android frontend patch
Tobias Brunner [Sat, 2 Mar 2013 14:57:00 +0000 (15:57 +0100)]
Removed backend for old Android frontend patch

Moved the remaining DNS handler to a new plugin.

6 years agoadded ERX_SUPPORTED IKEv2 Notify
Andreas Steffen [Sat, 2 Mar 2013 16:18:37 +0000 (17:18 +0100)]
added ERX_SUPPORTED IKEv2 Notify

6 years agoadded some new TCG IF-M message subtypes and attributes
Andreas Steffen [Sat, 2 Mar 2013 16:03:37 +0000 (17:03 +0100)]
added some new TCG IF-M message subtypes and attributes

6 years agoversion bump to 5.0.3dr3
Andreas Steffen [Sat, 2 Mar 2013 15:19:57 +0000 (16:19 +0100)]
version bump to 5.0.3dr3

6 years agoandroid: Mitigate race condition on reauthentication
Tobias Brunner [Fri, 1 Mar 2013 16:01:21 +0000 (17:01 +0100)]
android: Mitigate race condition on reauthentication

If the TUN device gets recreated while another thread in handle_plain()
has not yet called select(2) but already stored the file descriptor of the
old TUN device in its FD set, select() will fail with EBADF.

Fixes #301.

6 years agoopenssl: The EVP GCM interface requires at least OpenSSL 1.0.1
Tobias Brunner [Fri, 1 Mar 2013 15:56:37 +0000 (16:56 +0100)]
openssl: The EVP GCM interface requires at least OpenSSL 1.0.1

6 years agoMerge branch 'multi-eap'
Martin Willi [Fri, 1 Mar 2013 10:36:41 +0000 (11:36 +0100)]
Merge branch 'multi-eap'

Fixes the use of EAP methods in the non-first authentication round if the
initiator demands mutual EAP. Also mutual EAP can now be enforced when the
initiator sets rightauth=eap, not only with rightauth=any.

6 years agoMerge branch 'multi-cert'
Martin Willi [Fri, 1 Mar 2013 10:35:32 +0000 (11:35 +0100)]
Merge branch 'multi-cert'

Allows the configuration of multiple certificates in leftcert, and select
the correct certificate to use based on the received certificate requests.

6 years agoMerge branch 'systime'
Martin Willi [Fri, 1 Mar 2013 10:33:47 +0000 (11:33 +0100)]
Merge branch 'systime'

Add a systime-fix plugin allowing an embedded system to validate certificates
if the system time has not been synchronized after boot. Certificates of
established tunnels can be re-validated after the system time gets valid.

6 years agoMerge branch 'ikev1-rekeying'
Martin Willi [Fri, 1 Mar 2013 10:32:02 +0000 (11:32 +0100)]
Merge branch 'ikev1-rekeying'

Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.

6 years agoMerge branch 'vip-shunts'
Martin Willi [Fri, 1 Mar 2013 10:30:13 +0000 (11:30 +0100)]
Merge branch 'vip-shunts'

Installs bypass policies for the physical address if a virtual address is
assigned, and installs a proper source route to actually use the physical
address for bypassed destinations.

Conflicts:
src/libcharon/plugins/unity/unity_handler.c

6 years agoMerge branch 'opaque-ports'
Martin Willi [Fri, 1 Mar 2013 10:27:12 +0000 (11:27 +0100)]
Merge branch 'opaque-ports'

Adds a %opaque port option and support for port ranges in left/rightprotoport.
Currently not supported by any of our kernel backends.

6 years agoWhen running with an unprivileged user, initialize supplementary groups
Martin Willi [Wed, 20 Feb 2013 09:38:45 +0000 (10:38 +0100)]
When running with an unprivileged user, initialize supplementary groups

6 years agoWithout MOBIKE, update remote host only if it is behind NAT
Martin Willi [Fri, 22 Feb 2013 13:55:03 +0000 (14:55 +0100)]
Without MOBIKE, update remote host only if it is behind NAT

6 years agoMerge branch 'ikev1-mm-retransmits'
Martin Willi [Fri, 1 Mar 2013 10:24:42 +0000 (11:24 +0100)]
Merge branch 'ikev1-mm-retransmits'

Fixes retransmit of the last Main Mode or IKE_AUTH message, and correctly
queues Main Mode messages when processing of the last message is still in
progress.

6 years agoMerge branch 'tfc-notify'
Martin Willi [Fri, 1 Mar 2013 10:16:58 +0000 (11:16 +0100)]
Merge branch 'tfc-notify'

Introduces kernel backend features, sends ESP_TFC_PADDING_NOT_SUPPORTED if
kernel does not support it.

6 years agoSend ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it
Martin Willi [Thu, 21 Feb 2013 09:09:39 +0000 (10:09 +0100)]
Send ESP_TFC_PADDING_NOT_SUPPORTED if the used kernel doesn't support it

6 years agoIndicate support for processing ESPv3 TFC padding in Netlink IPsec backend
Martin Willi [Thu, 21 Feb 2013 08:45:46 +0000 (09:45 +0100)]
Indicate support for processing ESPv3 TFC padding in Netlink IPsec backend

6 years agoIntroduce "features" for the kernel backends returning kernel capabilities
Martin Willi [Thu, 21 Feb 2013 08:39:23 +0000 (09:39 +0100)]
Introduce "features" for the kernel backends returning kernel capabilities

6 years agotesting: Add a script to easily connect to a host via SSH
Tobias Brunner [Tue, 19 Feb 2013 13:17:26 +0000 (14:17 +0100)]
testing: Add a script to easily connect to a host via SSH

This doesn't require any entries in /etc/hosts and the correct SSH
config is used to allow password-less access.

6 years agoopenssl: Provide AES-GCM implementation
Tobias Brunner [Tue, 12 Feb 2013 15:46:56 +0000 (16:46 +0100)]
openssl: Provide AES-GCM implementation

6 years agoFix cleanup in crypto_tester if AEAD implementation fails
Tobias Brunner [Tue, 12 Feb 2013 15:42:45 +0000 (16:42 +0100)]
Fix cleanup in crypto_tester if AEAD implementation fails

6 years agoOrder of arguments in Doxygen comment fixed
Tobias Brunner [Tue, 12 Feb 2013 15:40:54 +0000 (16:40 +0100)]
Order of arguments in Doxygen comment fixed

6 years agoFix auth_cfg_t.clone() for single-valued auth rules
Tobias Brunner [Mon, 18 Feb 2013 16:23:04 +0000 (17:23 +0100)]
Fix auth_cfg_t.clone() for single-valued auth rules

By using the default list enumerator and adding the rules with the public
add() method, clones of auth_cfg_t objects would return the values for
single-valued auth rules in the wrong order (i.e. the oldest instead of the
newest value was returned).  Using the internal enumerator (which the comment
already suggested) fixes this, but the clone will not be a full clone as
it does not contain any old values for single-valued auth rules.  Since
these will never be used anyway, this should be fine.

6 years agoTrigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT
Tobias Brunner [Mon, 18 Feb 2013 11:05:58 +0000 (12:05 +0100)]
Trigger an updown event when destroying an IKE_SA based on INITIAL_CONTACT

In other cases (i.e. when functions return DESTROY_ME) the event should
already be triggered, but not in this forced situation.

6 years agoSupport different authentication schemes for PT-TLS
Martin Willi [Thu, 28 Feb 2013 11:03:40 +0000 (12:03 +0100)]
Support different authentication schemes for PT-TLS

6 years agoRequest a TLS client certificate even if no peer identity is given
Martin Willi [Thu, 28 Feb 2013 11:34:53 +0000 (12:34 +0100)]
Request a TLS client certificate even if no peer identity is given

This allows a peer to perform client authentication if it wants, but skip
it if not.

6 years agoWrap tls_t.get_{server,peer}_id methods in tls_socket_t
Martin Willi [Thu, 28 Feb 2013 10:44:33 +0000 (11:44 +0100)]
Wrap tls_t.get_{server,peer}_id methods in tls_socket_t

6 years agoDelegate tls_t.get_{peer,server}_id to handshake layer
Martin Willi [Thu, 28 Feb 2013 10:39:55 +0000 (11:39 +0100)]
Delegate tls_t.get_{peer,server}_id to handshake layer

This allows to get updated peer identities if the peer can't authenticate,
or does when it is optional.

6 years agoImplement a SASL PLAIN mechanism using shared secrets
Martin Willi [Wed, 27 Feb 2013 15:27:59 +0000 (16:27 +0100)]
Implement a SASL PLAIN mechanism using shared secrets

6 years agoImplement SASL authentication in PT-TLS client
Martin Willi [Wed, 27 Feb 2013 12:47:08 +0000 (13:47 +0100)]
Implement SASL authentication in PT-TLS client

6 years agoImplement SASL authentication in PT-TLS server
Martin Willi [Wed, 27 Feb 2013 10:43:29 +0000 (11:43 +0100)]
Implement SASL authentication in PT-TLS server

6 years agoDefine PT-TLS SASL result codes
Martin Willi [Wed, 27 Feb 2013 10:40:48 +0000 (11:40 +0100)]
Define PT-TLS SASL result codes

6 years agoDefine an interface for SASL mechanisms and provide a static factory
Martin Willi [Tue, 26 Feb 2013 13:54:36 +0000 (14:54 +0100)]
Define an interface for SASL mechanisms and provide a static factory

6 years agoPass a client identity to pt_tls_client, usable for TLS or SASL authentication
Martin Willi [Wed, 27 Feb 2013 13:11:00 +0000 (14:11 +0100)]
Pass a client identity to pt_tls_client, usable for TLS or SASL authentication

6 years agoDon't close underlying file descriptor before destroying a tls_socket
Martin Willi [Mon, 18 Feb 2013 10:45:01 +0000 (11:45 +0100)]
Don't close underlying file descriptor before destroying a tls_socket

tls_socket cleanup usually sends a TLS close notify, for which it uses a valid
socket.

6 years agoApply a mutual EAP auth_cfg not before the EAP method completes
Martin Willi [Tue, 26 Feb 2013 12:07:11 +0000 (13:07 +0100)]
Apply a mutual EAP auth_cfg not before the EAP method completes

6 years agoBe a little more verbose why a peer_cfg is inacceptable
Martin Willi [Tue, 26 Feb 2013 11:26:31 +0000 (12:26 +0100)]
Be a little more verbose why a peer_cfg is inacceptable

6 years agoRefactor auth_cfg applying to a common function
Martin Willi [Tue, 26 Feb 2013 11:16:31 +0000 (12:16 +0100)]
Refactor auth_cfg applying to a common function

6 years agoUse SIGUSR2 for SIG_CANCEL on Android
Tobias Brunner [Tue, 26 Feb 2013 10:07:28 +0000 (11:07 +0100)]
Use SIGUSR2 for SIG_CANCEL on Android

SIGRTMIN is defined as 32 while sigset_t is defined as
unsigned long (i.e. holds 32 signals).  Hence, the signal
could never be blocked.  Sending the signal still canceled
threads, but sometimes in situations where they shouldn't
have been canceled (e.g. while holding a lock).

Fixes #298.

6 years agoAndroid.mk updated to latest Makefiles
Tobias Brunner [Tue, 26 Feb 2013 09:11:36 +0000 (10:11 +0100)]
Android.mk updated to latest Makefiles

Fixes #300.

6 years agoFor IKEv1 Main Mode, use message hash to detect early retransmissions
Martin Willi [Mon, 25 Feb 2013 11:08:36 +0000 (12:08 +0100)]
For IKEv1 Main Mode, use message hash to detect early retransmissions

As the message ID is zero in all Main Mode messages, it can't be used to detect
if we are already processing a given message.

6 years agoMove initial message dropping to task manager
Martin Willi [Mon, 25 Feb 2013 10:42:50 +0000 (11:42 +0100)]
Move initial message dropping to task manager

When the last request message of the initial tunnel setup is retransmitted,
we must retransmit the response instead of ignoring the request.

Fixes #295.

6 years agoUse INIT macro to initialize IKE_SA manager entries
Martin Willi [Mon, 25 Feb 2013 10:52:55 +0000 (11:52 +0100)]
Use INIT macro to initialize IKE_SA manager entries

6 years agoCheck kvm command existence in start-testing
Reto Buerki [Fri, 22 Feb 2013 14:16:37 +0000 (15:16 +0100)]
Check kvm command existence in start-testing

6 years agoDon't reject OPAQUE ports while verifying traffic selector substructure
Martin Willi [Thu, 21 Feb 2013 10:45:24 +0000 (11:45 +0100)]
Don't reject OPAQUE ports while verifying traffic selector substructure

6 years agoDocument ipsec.conf leftprotoport extensions in manpage
Martin Willi [Thu, 21 Feb 2013 10:32:10 +0000 (11:32 +0100)]
Document ipsec.conf leftprotoport extensions in manpage

6 years agoOptionally support port ranges in leftprotoport
Martin Willi [Thu, 21 Feb 2013 10:24:37 +0000 (11:24 +0100)]
Optionally support port ranges in leftprotoport

6 years agoSupport %opaque keyword in leftprotoport for "opaque" ports
Martin Willi [Thu, 21 Feb 2013 10:13:26 +0000 (11:13 +0100)]
Support %opaque keyword in leftprotoport for "opaque" ports