Andreas Steffen [Thu, 23 Feb 2017 16:31:11 +0000 (17:31 +0100)]
Version bump to 5.5.2dr5

Andreas Steffen [Thu, 16 Feb 2017 07:39:47 +0000 (08:39 +0100)]
Use of TPM 2.0 private keys for signatures via tpm plugin

Andreas Steffen [Mon, 13 Feb 2017 18:06:18 +0000 (19:06 +0100)]
Implement signatures with private keys bound to TPM 2.0

Tobias Brunner [Mon, 20 Feb 2017 15:34:43 +0000 (16:34 +0100)]
android: New release after fixing potential ANR issue

Tobias Brunner [Wed, 15 Feb 2017 15:08:35 +0000 (16:08 +0100)]
android: Send network change events from a separate thread via JNI

Doing this from the main UI thread (which delivers the broadcast) might
cause an ANR if there is a delay (e.g. while acquiring a mutex in the
native parts). There might also have been a race condition during
termination previously because Unregister() was not synchronized so there
might have been dangling events that got delivered while or after the mutex
in the native parts was destroyed.

Tobias Brunner [Mon, 13 Feb 2017 10:54:53 +0000 (11:54 +0100)]
ikev1: Respond to DPDs for rekeyed IKE_SAs

Some devices always use the oldest IKE_SA to send DPDs and will delete
all IKE_SAs when there is no response. If uniqueness is not enforced
rekeyed IKE_SAs might not get deleted until they expire so we should
respond to DPDs.

References #2090.

Martin Willi [Mon, 10 Oct 2016 13:59:52 +0000 (15:59 +0200)]
ike-sa: Optionally try to migrate to the best path on routing priority changes

When multihomed, a setup might prefer to dynamically stay on the cheapest
available path by using MOBIKE migrations. If the cheapest path goes away and
comes back, we currently stay on the more expensive path to reduce noise and
prevent potential migration issues. This is usually just fine for links not
generating real cost.

If we have more expensive links in the setup, it can be desirable to always
migrate to the cheapest link available. By setting charon.prefer_best_path,
charon tries to migrate to the path using the highest priority link, allowing
an external application to update routes to indirectly control MOBIKE behavior.
This option has no effect if MOBIKE is unavailable.

Tobias Brunner [Tue, 15 Nov 2016 14:42:33 +0000 (15:42 +0100)]
ikev2: Ignore roam events without MOBIKE but static local address

Disabling MOBIKE and statically configuring a local address should be
enough indication that the user doesn't want to roam to a different
address.  There might not be any routes that indicate we can use the
current address but it might still work (e.g. if the address is on an
interface that is not referenced in any routes and the address itself
is neither).  This way we avoid switching to another address for routes
that might be available on the system.

We currently don't make much use of COND_STALE anyway when MOBIKE is not
enabled, e.g. to avoid sending DPDs if the connection is seemingly down.
With MOBIKE enabled we don't exactly check that state but we don't
send DPDs if there is no route/source address available.

Tobias Brunner [Wed, 1 Feb 2017 17:00:57 +0000 (18:00 +0100)]
ike-cfg: Add helper function to determine if a given IP address was configured

Tobias Brunner [Thu, 16 Feb 2017 18:24:17 +0000 (19:24 +0100)]
Merge branch 'vici-updates'

Adds several new features for the VICI interface and swanctl.

Tobias Brunner [Wed, 15 Feb 2017 16:49:06 +0000 (17:49 +0100)]
NEWS: VICI updates

Tobias Brunner [Mon, 13 Feb 2017 16:38:49 +0000 (17:38 +0100)]
vici: Only log messages if there actually is a listener

Tobias Brunner [Wed, 8 Feb 2017 14:20:58 +0000 (15:20 +0100)]
vici: Let has_event_listeners() actually check if clients are registered

Fixes: 8d96f90a7983 ("vici: Add function to test if an event should be

Tobias Brunner [Tue, 7 Feb 2017 11:04:30 +0000 (12:04 +0100)]
vici: Add support for mediation extension

Tobias Brunner [Tue, 7 Feb 2017 10:30:49 +0000 (11:30 +0100)]
peer-cfg: Store mediated_by as name and not peer-cfg reference

This way updates to the mediation config are respected and the order in
which configs are configured/loaded does not matter.

The SQL plugin currently maintains the strong relationship between
mediated and mediation connection (we could theoretically change that to a
string too).

Tobias Brunner [Wed, 1 Feb 2017 10:02:22 +0000 (11:02 +0100)]
vici: Include uniqueness policy in list-conns

Tobias Brunner [Tue, 24 Jan 2017 15:34:32 +0000 (16:34 +0100)]
swanctl: Add --rekey command

Tobias Brunner [Tue, 24 Jan 2017 15:26:48 +0000 (16:26 +0100)]
vici: Add command to initiate SA rekeying

Tobias Brunner [Fri, 9 Dec 2016 13:45:41 +0000 (14:45 +0100)]
vici: Use unique names for CHILD_SAs in the list-sas command

The original name is returned in the new "name" attribute.

This fixes an issue with bindings that map VICI messages to
dictionaries.  For instance, in roadwarrior scenarios where every
CHILD_SA has the same name only the information of the last CHILD_SA
would end up in the dictionary for that name.

Tobias Brunner [Wed, 18 Jan 2017 16:46:27 +0000 (17:46 +0100)]
swanctl: Allow specifying pubkeys directly via 0x/0s prefix

Tobias Brunner [Wed, 30 Nov 2016 14:41:18 +0000 (15:41 +0100)]
vici: Add support to load CA certificates from tokens and paths in authority sections

Tobias Brunner [Wed, 30 Nov 2016 14:09:04 +0000 (15:09 +0100)]
vici: Add support to load certificates from file paths

Probably not that useful via swanctl.conf but could be when used via VICI.

Tobias Brunner [Wed, 30 Nov 2016 11:44:51 +0000 (12:44 +0100)]
vici: Add support to load certificates from tokens

Tobias Brunner [Fri, 18 Nov 2016 15:40:34 +0000 (16:40 +0100)]
swanctl: Add `token` secrets for keys on tokens/smartcards

Tobias Brunner [Fri, 18 Nov 2016 14:01:18 +0000 (15:01 +0100)]
vici: Add command to load a private key from a token

PINs are stored in a "hidden" credential set, so that its shared
secrets are not exposed via VICI.  Since they are not explicitly loaded as
shared secrets via VICI a client might consider them as removed secrets and
remove them.

Tobias Brunner [Mon, 13 Feb 2017 17:18:58 +0000 (18:18 +0100)]
vici: List namespace/peer-cfg name with policies and allow filtering

The two names are also transmitted in separate keys.

Tobias Brunner [Tue, 11 Oct 2016 16:27:29 +0000 (18:27 +0200)]
swanctl: Pass optional connection name to --initiate/install/uninstall

Tobias Brunner [Wed, 16 Nov 2016 17:13:59 +0000 (18:13 +0100)]
vici: Explicitly use peer name when uninstalling trap and shunt policies

Also adds an `ike` parameter to the `uninstall` command.

Tobias Brunner [Wed, 8 Feb 2017 15:13:32 +0000 (16:13 +0100)]
stroke: Use peer name as namespace for shunt policies

The same goes for the start-action-job.  When unrouting, we search for
the first policy with a matching child-cfg.

Tobias Brunner [Wed, 16 Nov 2016 16:59:22 +0000 (17:59 +0100)]
shunt-manager: Add an optional namespace for each shunt

This will allow us to reuse the names of child configs e.g. when they
are defined in different connections.

Tobias Brunner [Wed, 16 Nov 2016 16:12:33 +0000 (17:12 +0100)]
vici: Add support for NT Hash secrets

Fixes #1002.

Tobias Brunner [Wed, 16 Nov 2016 14:58:34 +0000 (15:58 +0100)]
vici: Add support for IPv6 Transport Proxy Mode

Tobias Brunner [Wed, 16 Nov 2016 14:37:23 +0000 (15:37 +0100)]
vici: Add support for certificate policies

Tobias Brunner [Fri, 11 Nov 2016 09:40:53 +0000 (10:40 +0100)]
vici: Add missing dscp setting for IKE_SAs

Fixes #2170.

Tobias Brunner [Wed, 9 Nov 2016 15:49:35 +0000 (16:49 +0100)]
swanctl: Automatically unload removed shared keys

Tobias Brunner [Wed, 9 Nov 2016 15:27:01 +0000 (16:27 +0100)]
vici: Add possibility to remove shared keys by a unique identifier

This identifier can be set when adding/replacing a secret.  The unique
identifiers of all secrets may be enumerated.

Tobias Brunner [Wed, 9 Nov 2016 15:20:03 +0000 (16:20 +0100)]
mem-cred: Add methods to add/remove shared keys with unique identifiers

Also added is a method to enumerate the unique identifiers.

Tobias Brunner [Wed, 9 Nov 2016 11:25:00 +0000 (12:25 +0100)]
swanctl: Automatically unload removed private keys

Tobias Brunner [Wed, 9 Nov 2016 10:49:32 +0000 (11:49 +0100)]
vici: Add commands to enumerate and remove private keys

They are identified by their SHA-1 key identifier.

Tobias Brunner [Wed, 9 Nov 2016 10:22:11 +0000 (11:22 +0100)]
mem-cred: Add method to remove a private key with a specific fingerprint

Tobias Brunner [Wed, 9 Nov 2016 09:37:56 +0000 (10:37 +0100)]
swanctl: Add possibility to query a specific pool by name

Tobias Brunner [Thu, 8 Dec 2016 17:14:40 +0000 (18:14 +0100)]
vici: Update get_pools() in Python and Ruby bindings

Tobias Brunner [Wed, 9 Nov 2016 09:18:01 +0000 (10:18 +0100)]
vici: Add option to query a specific pool

Tobias Brunner [Mon, 13 Feb 2017 18:06:24 +0000 (19:06 +0100)]
bypass-lan: Don't use interfaces in policies

After an interface disappeared we can't remove the policies correctly as
the name doesn't resolve to the previous index anymore.
And making the policies so specific might not provide that much benefit.

To handle the interfaces on the policies correctly would require some
changes to the child-cfg, kernel-interface etc. so they'd take interface
indices directly so we could target the policies correctly even if an
interface disappeared (or reappeared and got a new index).

Tobias Brunner [Thu, 16 Feb 2017 17:24:25 +0000 (18:24 +0100)]
testing: Fix ALLOWED_HOSTS in strongTNC settings.ini

Tobias Brunner [Thu, 16 Feb 2017 16:51:16 +0000 (17:51 +0100)]
testing: Fix swanctl/ocsp-disabled scenario after changing the log messages

Tobias Brunner [Wed, 25 Jan 2017 15:17:38 +0000 (16:17 +0100)]
revocation: More accurately describe the flags to disable OCSP/CRL validation

These options disable validation as such, e.g. even from cached CRLs, not
only the fetching.  Also made the plugin's validate() implementation a
no-op if both options are disabled.

Eyal Birger [Wed, 25 Jan 2017 10:26:42 +0000 (12:26 +0200)]
child-sa: Do not install mark on inbound kernel SA

The SA ID (src, dst, proto, spi) is unique on ingress.

As such, explicit inbound marking is not needed to match an SA.

On the other hand, requiring inbound SAs to use marks forces the
installation of a mechanism for marking traffic (e.g. iptables) based
on some criteria.

Defining the criteria becomes complicated, for example when required to
support multiple SAs from the same src, especially when traffic is UDP

This commit removes the assignment of the child_sa mark_in to the inbound SA.

Policies can be arbitrated by existing means - e.g., via netfilter policy
matching or using VTI interfaces - without the need to classify the flows prior
to state matching.

Since the reqid allocator regards the mark value, there is no risk of matching
the wrong policy.

And as explicit marking was required for route-based VPN to work before this
change, it should not cause regressions in existing setups.

Closes strongswan/strongswan#59.

Thomas Egerer [Fri, 10 Feb 2017 14:27:11 +0000 (15:27 +0100)]
unit-tests: Allow default test timeout to be configured via compile option

Signed-off-by: Thomas Egerer <>

Tobias Brunner [Mon, 13 Feb 2017 17:36:01 +0000 (18:36 +0100)]
tkm: Fix get_auth_octets() signature

Fixes: 267c1f7083d4 ("keymat: Allow keymat to modify signature scheme(s)")

Martin Willi [Thu, 19 Jan 2017 10:23:45 +0000 (11:23 +0100)]
kernel-netlink: Use RTA_SRC to specify route source in kernel-based lookups

For table dumps the kernel accepts RTA_PREFSRC to filter the routes, which is
what we do when doing userspace route calculations. For kernel-based route
lookups, however, the RTA_PREFSRC attribute is ignored and we must specify
RTA_SRC for policy based route lookups.

Martin Willi [Thu, 19 Jan 2017 10:03:55 +0000 (11:03 +0100)]
kernel-netlink: Use kernel-based route lookup if we do not install routes

For gateways with many connections, installing routes is often disabled,
as we can use a static route configuration to achieve proper routing with
a single rule. If this is the case, there is no need to dump all routes and
do userspace route lookups, as there is no need to exclude routes we installed

Doing kernel-based route lookups is not only faster with many routes, but also
can use the full power of Linux policy based routing; something we can hardly
rebuild in userspace when calculating routes.

Martin Willi [Fri, 6 Jan 2017 12:01:34 +0000 (13:01 +0100)]
swanctl: List CHILD_SA marks, if set

Martin Willi [Fri, 6 Jan 2017 11:42:04 +0000 (12:42 +0100)]
vici: Include the Netfilter marks in listed CHILD_SAs

Martin Willi [Tue, 8 Dec 2015 16:13:59 +0000 (17:13 +0100)]
vici: Explicitly set the Python encoding type

When using vici over RPyC and its (awesome) splitbrain, encoding and decoding
strings fails in vici, most likely because of the Monkey-Patch magic splitbrain

When specifying the implicit UTF-8 as encoding scheme explicitly, Python uses
the correct method to encode/decode the string, making vici useable in
splitbrain contexts.

Tobias Brunner [Wed, 8 Feb 2017 14:11:20 +0000 (15:11 +0100)]
Merge branch 'mid-sync'

Adds support for handling IKEV2_MESSAGE_ID_SYNC notifies as responder
(usually the original initiator) as defined in RFC 6311.  Some HA solutions
use these notifies to set the new IKEv2 message IDs after a failover event.

Tobias Brunner [Tue, 4 Oct 2016 17:35:51 +0000 (19:35 +0200)]
unit-tests: Add test cases for MID sync exchanges

Tobias Brunner [Tue, 4 Oct 2016 15:07:30 +0000 (17:07 +0200)]
ikev2: Ignore IKEV2_MESSAGE_ID_SYNC notifies if extension is disabled

If this is the first message by the peer, i.e. we expect MID 0, the
message is not pre-processed in the task manager so we ignore it in the

We also make sure to ignore such messages if the extension is disabled
and the peer already sent us one INFORMATIONAL, e.g. a DPD (we'd otherwise
consider the message with MID 0 as a retransmit).

Tobias Brunner [Tue, 4 Oct 2016 13:15:36 +0000 (15:15 +0200)]
ikev2: Don't increase expected MID after handling MID sync message

If the responder never sent a message the expected MID is 0.  While
the sent MID (M1) SHOULD be increased beyond the known value, it's
not necessarily the case.
Since M2 - 1 would then equal UINT_MAX setting that MID would get ignored
and while we'd return 0 in the notify we'd actually expect 1 afterwards.

Tobias Brunner [Mon, 19 Sep 2016 09:16:06 +0000 (11:16 +0200)]
ikev2: Don't cache response to MID sync request

Tobias Brunner [Fri, 16 Sep 2016 15:44:39 +0000 (17:44 +0200)]
ikev2: Accept INFORMATIONAL messages with MID 0 if used to sync MIDs

We are very picky to only allow MID 0 for these messages (while we
currently don't support IPSEC_REPLAY_COUNTER_SYNC notifies we accept

Tobias Brunner [Fri, 16 Sep 2016 15:37:59 +0000 (17:37 +0200)]
ikev2: Negotiate support for IKE message ID synchronisation during IKE_AUTH

Tobias Brunner [Fri, 16 Sep 2016 15:26:41 +0000 (17:26 +0200)]
ikev2: Add task to handle IKEV2_MESSAGE_ID_SYNC notifies as responder

Tobias Brunner [Fri, 16 Sep 2016 14:19:25 +0000 (16:19 +0200)]
ike: Publish getter for the current message ID on IKE_SA

Tobias Brunner [Fri, 16 Sep 2016 14:18:32 +0000 (16:18 +0200)]
ike: Add getter for the current message ID to task manager

Tobias Brunner [Wed, 8 Feb 2017 09:47:33 +0000 (10:47 +0100)]
Merge branch 'bypass-lan'

Adds a new plugin that automatically installs and updates bypass policies
for locally attached subnets.  This is useful for laptops etc. that are
used in different networks and prefer maintaining access to local hosts
(e.g. network printers or NAS) while connected to a VPN.

Tobias Brunner [Wed, 12 Oct 2016 16:32:14 +0000 (18:32 +0200)]
kernel-pfroute: Implement enumeration of local subnets

Tobias Brunner [Wed, 12 Oct 2016 13:56:12 +0000 (15:56 +0200)]
bypass-lan: Allow ignoring or only considering subnets of specific interfaces

The config can also be reloaded by sending a SIGHUP to charon.

Tobias Brunner [Wed, 12 Oct 2016 10:28:18 +0000 (12:28 +0200)]
bypass-lan: Configure interface on bypass policy

Currently, only the kernel-netlink plugin supports this, the others will
just ignore it.

Tobias Brunner [Wed, 12 Oct 2016 10:22:42 +0000 (12:22 +0200)]
kernel-netlink: Return interface name in local subnet enumerator

Tobias Brunner [Wed, 12 Oct 2016 10:11:24 +0000 (12:11 +0200)]
kernel-interface: Add interface name to local subnet enumerator

Tobias Brunner [Wed, 12 Oct 2016 08:05:10 +0000 (10:05 +0200)]
bypass-lan: Add plugin that installs bypass policies for locally attached subnets

Tobias Brunner [Wed, 12 Oct 2016 07:52:45 +0000 (09:52 +0200)]
kernel-netlink: Implement enumerator for local subnets

Tobias Brunner [Wed, 12 Oct 2016 07:24:49 +0000 (09:24 +0200)]
kernel-interface: Add method to enumerate locally attached subnets

Tobias Brunner [Tue, 11 Oct 2016 13:14:27 +0000 (15:14 +0200)]
kernel-pfkey: Use the same priority range for trap and regular policies

Same as the change in the kernel-netlink plugin.

Tobias Brunner [Tue, 11 Oct 2016 12:30:21 +0000 (14:30 +0200)]
kernel-netlink: Use the same priority range for trap and regular policies

While trap and regular policies now often look the same (mainly because
reqids are kept constant) trap policies still need to have a lower priority
than regular policies to handle unroute/route correctly if e.g. IPComp
is used or the mode changes.  But if we use a completely different
priority range that's lower than that of regular policies it is not possible
to install overlapping trap policies.  By differentiating trap from
regular policies via the priority's LSB this issue is avoided while
still maintaining the proper ordering of trap and regular policies.

Fixes #1243.

Tobias Brunner [Tue, 11 Oct 2016 13:10:16 +0000 (15:10 +0200)]
kernel-netlink: Fix spacing in log message when policy is unchanged

Tobias Brunner [Wed, 14 Dec 2016 14:54:39 +0000 (15:54 +0100)]
ikev1: Factor out IV and QM management

This simplifies implementing a custom keymat_v1_t.

Thomas Egerer [Thu, 1 Dec 2016 13:40:25 +0000 (14:40 +0100)]
keymat: Allow keymat to modify signature scheme(s)

Signed-off-by: Thomas Egerer <>

James Laird-Wah [Wed, 8 Feb 2017 08:20:52 +0000 (19:20 +1100)]
forecast: Mark correct port in UDP NAT-T rule

Closes strongswan/strongswan#62.

Tobias Brunner [Tue, 7 Feb 2017 15:01:25 +0000 (16:01 +0100)]
android: New release after adding translation for Simplified Chinese

Tobias Brunner [Mon, 23 Jan 2017 17:39:47 +0000 (18:39 +0100)]
android: Add translation for Simplified Chinese

Courtesy of Yick Xie.

Tobias Brunner [Tue, 25 Oct 2016 08:46:36 +0000 (10:46 +0200)]
settings: Fix purge if order differs from alphabetical order

Tobias Brunner [Wed, 1 Feb 2017 10:16:42 +0000 (11:16 +0100)]
eap-dynamic: Publish the get_auth() method of the wrapped EAP method

Fixes #2238.

Tobias Brunner [Mon, 5 Dec 2016 14:34:48 +0000 (15:34 +0100)]
pkcs11: Fix documentation of load_certs option

This option is actually module-specific.

Tobias Brunner [Mon, 14 Nov 2016 14:39:17 +0000 (15:39 +0100)]
ike-auth: Don't send INITIAL_CONTACT if remote ID contains wildcards

Such an identity won't equal an actual peer's identity resulting in
sending an INITIAL_CONTACT notify even if there might be an existing

Tobias Brunner [Thu, 15 Dec 2016 17:22:11 +0000 (18:22 +0100)]
proposal: Copy SPI and proposal number from correct proposal in select()

If charon.prefer_configured_proposals is disabled select() is called on
the received proposal. This incorrectly set the SPI to 0 as the
configured proposal has no SPI set.

Fixes #2190.

Tobias Brunner [Tue, 13 Dec 2016 16:27:26 +0000 (17:27 +0100)]
kernel-netlink: Set NODAD flag for virtual IPv6 addresses

The Optimistic Duplicate Address Detection (DAD) seems to fail in some
cases (`dadfailed` in `ip addr`) rendering the virtual IP address unusable.

Fixes #2183.

Tobias Brunner [Mon, 10 Oct 2016 08:00:19 +0000 (10:00 +0200)]
kernel-netlink: Prefer matching label when selecting IPv6 source addresses

This implements rule 6 of RFC 6724 using the default priority table,
so that e.g. global addresses are preferred over ULAs (which also have
global scope) when the destination is a global address.

Fixes #2138.

Tobias Brunner [Fri, 4 Nov 2016 09:14:30 +0000 (10:14 +0100)]
kernel-netlink: Use correct 4 byte alignment for AH with IPv4

By default, the kernel incorrectly uses an 8 byte alignment, which is
mandatory for IPv6 but prohibited for IPv4.  For many algorithms this
doesn't matter but that's not the case for HMAC_SHA2_256_128.
Since 2.6.39 the kernel can be explicitly configured to use a 4 byte

Thomas Egerer [Thu, 17 Nov 2016 16:00:37 +0000 (17:00 +0100)]
kernel-netlink: Allow change of Netlink socket receive buffer size

Signed-off-by: Thomas Egerer <>

Tobias Brunner [Mon, 16 Jan 2017 16:01:33 +0000 (17:01 +0100)]
kernel-pfkey: Set state to SADB_SASTATE_MATURE when adding/updating SAs

Picky kernels might otherwise reject our messages as RFC 2367 explicitly
mandates this.

Fixes #2212.

Tobias Brunner [Fri, 7 Oct 2016 10:12:15 +0000 (12:12 +0200)]
kernel-pfroute: Don't set a gateway if it is of a different address family than the destination

Tobias Brunner [Wed, 16 Nov 2016 14:11:41 +0000 (15:11 +0100)]
libipsec: Add support for AES and Camellia in CCM mode

Fixes #2172.

Tobias Brunner [Fri, 23 Sep 2016 06:52:17 +0000 (08:52 +0200)]
libipsec: Fix Windows build via MinGW

Fixes #2118.

Tobias Brunner [Wed, 18 Jan 2017 13:51:57 +0000 (14:51 +0100)]
stroke: Default to %dynamic if no valid TS are specified in left|rightsubnet

Otherwise, we'd end up with an empty TS list, which is not valid.

Because end->tohost is set to !end->subnets in starter the removed branch was
never used.

Tobias Brunner [Wed, 18 Jan 2017 12:54:56 +0000 (13:54 +0100)]
init: Let systemd restart daemons if they get terminated unexpectedly

Fixes #2205.

Tobias Brunner [Wed, 18 Jan 2017 12:52:59 +0000 (13:52 +0100)]
init: Depend on instead of in systemd units

This makes sure the network is "up" before connections are

Fixes #2205.

Tobias Brunner [Wed, 25 Jan 2017 13:58:24 +0000 (14:58 +0100)]
Merge branch 'charon-systemd-reload-loggers'

Allows reloading strongswan.conf, the loggers, and the plugins in
charon-systemd by sending a SIGHUP (as already supported by charon).

Loggers are now also reloaded by VICI's `reload-settings` command (works
with both daemons).

Fixes #2222.

Tobias Brunner [Mon, 23 Jan 2017 16:25:28 +0000 (17:25 +0100)]
vici: Reload loggers after reloading strongswan.conf via reload-setting command