strongswan.git
Martin Willi [Thu, 2 Feb 2012 09:33:40 +0000 (10:33 +0100)]
Trigger DPD not before IKE_SA state gets updated

Martin Willi [Tue, 24 Jan 2012 12:31:37 +0000 (13:31 +0100)]
Fix mapping of IKEv1 encapsulation mode

Martin Willi [Mon, 23 Jan 2012 14:11:13 +0000 (15:11 +0100)]
Use UDP encapsulation even in non-NAT situation if initiator requests it

Martin Willi [Mon, 23 Jan 2012 13:35:57 +0000 (14:35 +0100)]
Updated ipsec.conf man page for the use of IKEv1 with pluto

Martin Willi [Mon, 23 Jan 2012 12:49:56 +0000 (13:49 +0100)]
Support inactivity timeout in IKEv1 CHILD_SAs

Martin Willi [Mon, 23 Jan 2012 11:46:46 +0000 (12:46 +0100)]
Use a dedicated PRF for HASH/SIG payloads using ECDSA specific hasher

Martin Willi [Mon, 23 Jan 2012 11:28:55 +0000 (12:28 +0100)]
Select public key auth method by checking what key we have

Martin Willi [Mon, 23 Jan 2012 11:27:57 +0000 (12:27 +0100)]
Support ECDSA signatures in IKEv1 pubkey authenticator

Martin Willi [Mon, 23 Jan 2012 11:26:42 +0000 (12:26 +0100)]
Exchange certificates when using IKEv1 ECDSA authentication

Martin Willi [Mon, 23 Jan 2012 11:25:38 +0000 (12:25 +0100)]
Accept NULL auth_cfg_t passed to credential_manager_t.get_private()

Martin Willi [Mon, 23 Jan 2012 11:25:00 +0000 (12:25 +0100)]
Support encoding of IKEv1 ECDSA proposals

Martin Willi [Fri, 20 Jan 2012 15:03:18 +0000 (16:03 +0100)]
Dropped support of deprecated authby=eap and eap= options

Martin Willi [Fri, 20 Jan 2012 14:33:26 +0000 (15:33 +0100)]
Added support for authby/xauth_server legacy options

Martin Willi [Fri, 20 Jan 2012 14:00:06 +0000 (15:00 +0100)]
Renamed CONFIGURATION_ATTRIBUTE_LENGTH to streamline it with other ATTRIBUTE rules

Martin Willi [Fri, 20 Jan 2012 13:57:18 +0000 (14:57 +0100)]
Use ATTRIBUTE_VALUE rule in configuration attribute to parse it with correct length

Martin Willi [Fri, 20 Jan 2012 12:54:39 +0000 (13:54 +0100)]
Don't re-resolve addresses during initiate if they have already been set

Martin Willi [Fri, 20 Jan 2012 12:42:37 +0000 (13:42 +0100)]
Adopt children after syncing a rekeyed IKEv1 SA

Martin Willi [Fri, 20 Jan 2012 11:23:46 +0000 (12:23 +0100)]
Synchronize IKEv1 DPD sequence numbers

Martin Willi [Fri, 20 Jan 2012 11:22:56 +0000 (12:22 +0100)]
Setting message ID on task manager sets DPD sequence numbers in IKEv1

Martin Willi [Fri, 20 Jan 2012 11:21:48 +0000 (12:21 +0100)]
Update state before triggering DPD, as we cancel it if PASSIVE

Martin Willi [Fri, 20 Jan 2012 11:21:13 +0000 (12:21 +0100)]
Set thread specific SA on bus for each enumerated IKE_SA

Martin Willi [Fri, 20 Jan 2012 10:36:26 +0000 (11:36 +0100)]
Sync remote virtual IP for IKEv1 SAs

Martin Willi [Fri, 20 Jan 2012 10:23:27 +0000 (11:23 +0100)]
Sync new IKE_SA condition/extension flags

Martin Willi [Thu, 19 Jan 2012 15:34:59 +0000 (16:34 +0100)]
Added support for Phase1 IV synchronization to HA plugin

Martin Willi [Thu, 19 Jan 2012 15:22:25 +0000 (16:22 +0100)]
Invoke bus_t.message hook twice, once plain and parsed, once encoded and encrypted

Martin Willi [Thu, 19 Jan 2012 14:55:29 +0000 (15:55 +0100)]
Create IKEv1 keymat hasher explicitly on sync

Martin Willi [Thu, 19 Jan 2012 14:54:38 +0000 (15:54 +0100)]
Clear initiator flag when checking out initial IKEv1 SA from message

Martin Willi [Thu, 19 Jan 2012 10:11:22 +0000 (11:11 +0100)]
Added support to sync IKEv1 SAs key material in HA plugin

Martin Willi [Wed, 18 Jan 2012 17:34:07 +0000 (18:34 +0100)]
Pass IKEv1 specific keymat to ike_keys hook

Martin Willi [Wed, 18 Jan 2012 17:24:48 +0000 (18:24 +0100)]
Use a more complete implementation of a HA specific diffie_hellman_t

Martin Willi [Wed, 18 Jan 2012 16:50:07 +0000 (17:50 +0100)]
Show IKE version in ipsec statusall

Martin Willi [Wed, 18 Jan 2012 16:49:52 +0000 (17:49 +0100)]
Apply proposal to a HA synced IKE_SA

Martin Willi [Wed, 18 Jan 2012 16:42:06 +0000 (17:42 +0100)]
Set selected proposal on IKEv1 SA, don't pass it separately to Phase 1 helper

Martin Willi [Wed, 18 Jan 2012 16:24:31 +0000 (17:24 +0100)]
Updated HA plugin to new IKEv2 specific keymat functions

Martin Willi [Wed, 18 Jan 2012 16:24:08 +0000 (17:24 +0100)]
Get a reference for the child_cfg passed to child_create_create()

Martin Willi [Wed, 18 Jan 2012 12:28:15 +0000 (13:28 +0100)]
Invoke bus_t.narrow hook in quick mode exchange

Martin Willi [Wed, 18 Jan 2012 12:12:07 +0000 (13:12 +0100)]
Invoke authorization hooks for IKEv1 connections

Martin Willi [Mon, 16 Jan 2012 15:47:18 +0000 (16:47 +0100)]
Invoke ike_updown hooks for reauthenticated IKEv1 SAs

Martin Willi [Mon, 16 Jan 2012 15:18:01 +0000 (16:18 +0100)]
Don't invoke a child_updown hook when a quick mode to delete has been rekeyed

Martin Willi [Mon, 16 Jan 2012 15:17:27 +0000 (16:17 +0100)]
Invoke child_rekey hook instead of child_updown when rekeying a quick mode

Martin Willi [Mon, 16 Jan 2012 14:57:46 +0000 (15:57 +0100)]
Don't invoke updown hook when flushing SAs for IKEv1, tasks will do it

Martin Willi [Mon, 16 Jan 2012 14:31:53 +0000 (15:31 +0100)]
Fix "incoming" flag passed to bus_t.message() hook

Martin Willi [Fri, 13 Jan 2012 08:27:26 +0000 (09:27 +0100)]
Continue with next exchange after sending an INFORMATIONAL

Martin Willi [Tue, 10 Jan 2012 18:13:58 +0000 (19:13 +0100)]
Handle retransmission of DPD exchange, both as initiator and responder

Martin Willi [Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)]
Disable DPD checking for peers not supporting it

Martin Willi [Tue, 10 Jan 2012 16:28:25 +0000 (17:28 +0100)]
Added missing DPD task name

Martin Willi [Tue, 10 Jan 2012 16:26:42 +0000 (17:26 +0100)]
Confirm message reception time only if DPD sequence number valid

Martin Willi [Tue, 10 Jan 2012 16:21:52 +0000 (17:21 +0100)]
Simplified DPD handling by using a task for a single message only

Martin Willi [Tue, 10 Jan 2012 16:10:22 +0000 (17:10 +0100)]
Added missing short enum names for DPD notify types

Martin Willi [Tue, 10 Jan 2012 16:09:47 +0000 (17:09 +0100)]
Print IKEv1 notify types in message summary

Martin Willi [Tue, 10 Jan 2012 16:09:20 +0000 (17:09 +0100)]
Support IKEv1 notifies in message_t.get_notify()

Martin Willi [Tue, 10 Jan 2012 15:02:46 +0000 (16:02 +0100)]
Check if we have an RNG for IKEv1 task manager before using it

Martin Willi [Tue, 10 Jan 2012 14:44:17 +0000 (15:44 +0100)]
Remove unused DPD sequence number getter on task manager

Martin Willi [Tue, 10 Jan 2012 12:32:06 +0000 (13:32 +0100)]
Don't retransmit, rekey, reauth or DPD check SAs when in PASSIVE state

Clavister OpenSource [Tue, 10 Jan 2012 13:38:01 +0000 (14:38 +0100)]
Send DPD vendor ID

Clavister OpenSource [Tue, 10 Jan 2012 13:37:39 +0000 (14:37 +0100)]
Isakmp_dpd task added.

Clavister OpenSource [Tue, 10 Jan 2012 13:31:51 +0000 (14:31 +0100)]
DPD_R_U_THERE defines added

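The DPD entries above (sequence number synchronization, retransmission of a lost DPD exchange, confirming the reception time only when the sequence number is valid, and the R_U_THERE defines) describe the IKEv1 Dead Peer Detection mechanism of RFC 3706. The following is an added illustration, not strongSwan code and not taken from this log: a minimal model of both sides of the exchange showing why the sequence-number checks matter. The notify type values 36136 (R-U-THERE) and 36137 (R-U-THERE-ACK) and the 4-byte sequence number are from RFC 3706; the class and method names, the RETRY_LIMIT of 3, and the choice to re-ACK a duplicate R_U_THERE without refreshing the liveness timestamp are assumptions made here for the example. The scenario data is constructed, not a capture.

```python
"""Simplified IKEv1 Dead Peer Detection (RFC 3706) sequence-number handling.

Added example, not strongSwan code. Shows: monotonically increasing sequence
numbers per direction, retransmission of an unacknowledged R_U_THERE with the
SAME sequence number, replayed ACKs/requests not counting as proof of life,
and the peer being declared dead after RETRY_LIMIT retransmissions.
"""
import struct

R_U_THERE = 36136       # RFC 3706 notify type values
R_U_THERE_ACK = 36137
RETRY_LIMIT = 3         # assumption: retransmissions before declaring the peer dead


class DpdPeer:
    """One side of an ISAKMP SA with its own outbound and inbound DPD sequences."""

    def __init__(self, name, initial_seq, now=0.0):
        self.name = name
        self.seq_out = initial_seq & 0xFFFFFFFF  # next new R_U_THERE sequence number
        self.seq_in = None                        # highest R_U_THERE sequence accepted
        self.outstanding = None                   # sequence number awaiting an ACK
        self.retries = 0
        self.last_inbound = now                   # last time the peer proved liveness
        self.dead = False

    def send_r_u_there(self, now):
        """Return an (notify_type, data) tuple to send, or None once the peer is dead.

        While an R_U_THERE is outstanding, retransmissions reuse its sequence
        number; a new number is only taken after the previous one was acked.
        """
        if self.outstanding is None:
            self.outstanding = self.seq_out
            self.seq_out = (self.seq_out + 1) & 0xFFFFFFFF
            self.retries = 0
        else:
            self.retries += 1
            if self.retries > RETRY_LIMIT:
                self.dead = True            # no ACK after RETRY_LIMIT retransmissions
                return None
        return (R_U_THERE, struct.pack("!I", self.outstanding))

    def receive(self, notify, now):
        """Process an inbound DPD notify; return the ACK to send back, if any."""
        ntype, data = notify
        (seq,) = struct.unpack("!I", data)
        if ntype == R_U_THERE:
            if self.seq_in is not None:
                if seq < self.seq_in:
                    return None             # replay / out of order: drop silently
                if seq == self.seq_in:
                    # Duplicate of the last request (our ACK may have been lost):
                    # re-ACK it, but do not treat it as fresh proof of liveness.
                    return (R_U_THERE_ACK, data)
            self.seq_in = seq
            self.last_inbound = now         # valid sequence number: confirm reception
            return (R_U_THERE_ACK, data)
        if ntype == R_U_THERE_ACK:
            if seq != self.outstanding:
                return None                 # stale, replayed or forged ACK: ignore
            self.outstanding = None
            self.retries = 0
            self.last_inbound = now
        return None


def run_scenario():
    """Constructed scenario driving both peers; returns the observations."""
    a = DpdPeer("A", initial_seq=0x1000)
    b = DpdPeer("B", initial_seq=0x2000)
    out = {}

    # 1. Normal exchange at t=10: A asks, B acks, both confirm liveness.
    req1 = a.send_r_u_there(now=10.0)
    ack1 = b.receive(req1, now=10.0)
    a.receive(ack1, now=10.0)
    out["after_exchange"] = (a.last_inbound, b.last_inbound)

    # 2. A replayed ACK with nothing outstanding must not refresh liveness.
    a.receive(ack1, now=30.0)
    out["after_replayed_ack"] = a.last_inbound

    # 3. Lost request: the copy sent at t=40 never arrives; the retransmission
    #    at t=45 carries the same sequence number and completes the exchange.
    req2 = a.send_r_u_there(now=40.0)
    req2_again = a.send_r_u_there(now=45.0)
    out["retransmit_same_seq"] = req2 == req2_again
    ack2 = b.receive(req2_again, now=45.0)
    a.receive(ack2, now=45.0)
    out["after_retransmit"] = (a.last_inbound, a.retries)

    # 4. Replayed old request at B is dropped; a duplicate of the latest one is
    #    re-acked, but neither refreshes B's liveness timestamp.
    out["replayed_req_ack"] = b.receive(req1, now=60.0)
    dup_ack = b.receive(req2_again, now=65.0)
    out["dup_req_reacked"] = dup_ack is not None and b.last_inbound == 45.0

    # 5. B goes silent: A retransmits until RETRY_LIMIT is exceeded, then gives up.
    a.send_r_u_there(now=70.0)
    sends = 0
    while not a.dead:
        a.send_r_u_there(now=70.0 + 5.0 * (sends + 1))
        sends += 1
    out["retransmissions_before_dead"] = sends
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The point the log entries are making is the one step 2 and step 4 exercise: a DPD message only counts as proof that the peer is alive when its sequence number is the one expected, so a replayed ACK or a replayed request cannot keep an SA up after the peer has gone away. Synchronizing these sequence numbers to a standby node (the HA entries further down) is what lets the standby continue the exchange without resetting them.
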
Martin Willi [Tue, 10 Jan 2012 10:37:06 +0000 (11:37 +0100)]
Request and handle retransmission of a lost third aggressive mode message

Martin Willi [Tue, 10 Jan 2012 10:23:04 +0000 (11:23 +0100)]
Streamlined debug output when initiating IKEv1 IKE_SAs

Tobias Brunner [Tue, 10 Jan 2012 09:58:29 +0000 (10:58 +0100)]
Accept unencrypted Aggressive Mode messages.

Racoon does not encrypt the third message during Aggressive Mode.

Martin Willi [Mon, 9 Jan 2012 17:12:17 +0000 (18:12 +0100)]
Enforce encapsulation mode of configuration, in case initiator proposes both

Martin Willi [Mon, 9 Jan 2012 16:44:43 +0000 (17:44 +0100)]
Added an "aggressive" ipsec.conf connection option

Martin Willi [Mon, 9 Jan 2012 16:35:02 +0000 (16:35 +0000)]
Handle aggressive mode task in IKEv1 task manager

Martin Willi [Mon, 9 Jan 2012 16:33:15 +0000 (16:33 +0000)]
Select IKEv1 configurations by main/aggressive mode option

Martin Willi [Mon, 9 Jan 2012 16:32:41 +0000 (16:32 +0000)]
Added an aggressive mode peer_cfg option

Martin Willi [Mon, 9 Jan 2012 16:10:48 +0000 (17:10 +0100)]
Fix sending of CERTREQ/CERT payloads in aggressive mode

Martin Willi [Mon, 9 Jan 2012 16:10:18 +0000 (17:10 +0100)]
Encrypt payloads of third aggressive mode message

Martin Willi [Mon, 9 Jan 2012 16:09:38 +0000 (17:09 +0100)]
Implemented aggressive mode using Phase 1 helper class

Martin Willi [Mon, 9 Jan 2012 16:05:16 +0000 (17:05 +0100)]
Make use of the new Phase 1 helper class in main mode

Martin Willi [Mon, 9 Jan 2012 16:04:41 +0000 (17:04 +0100)]
Implemented a common Phase 1 helper class to use by main and aggressive modes

Martin Willi [Mon, 9 Jan 2012 12:41:35 +0000 (13:41 +0100)]
Fix error handling if no PSK found for main mode

Martin Willi [Thu, 5 Jan 2012 14:02:40 +0000 (15:02 +0100)]
Install quick mode CHILD_SAs with negotiated encapsulation mode

Martin Willi [Wed, 4 Jan 2012 13:43:15 +0000 (14:43 +0100)]
Support IKEv1 proposal encodings having both lifebytes and a lifetime

Martin Willi [Wed, 4 Jan 2012 16:51:22 +0000 (17:51 +0100)]
Try to detect reauthentication as responder and adopt children to new SA

Martin Willi [Wed, 4 Jan 2012 16:50:19 +0000 (17:50 +0100)]
Destroy IKE_SA after reauthentication initiated and lifetime limit reached

Martin Willi [Tue, 3 Jan 2012 15:23:37 +0000 (16:23 +0100)]
Added an IKE_SA manager method to enumerate IKE_SA IDs filtered by identities

Martin Willi [Wed, 4 Jan 2012 16:32:41 +0000 (17:32 +0100)]
Query for XAuth identity in get_other_eap_id(), too

Martin Willi [Tue, 3 Jan 2012 13:47:44 +0000 (14:47 +0100)]
Set ISAKMP SA state to rekeying after triggering reauthentication

Martin Willi [Tue, 3 Jan 2012 12:33:18 +0000 (13:33 +0100)]
Include peer config overtime in negotiated ISAKMP SA lifetime

Martin Willi [Tue, 3 Jan 2012 11:00:12 +0000 (12:00 +0100)]
Initiate IKEv1 reauthentication, take over all children

Martin Willi [Tue, 3 Jan 2012 10:59:21 +0000 (11:59 +0100)]
Establish IKE_SA only once as XAuth responder

Martin Willi [Tue, 3 Jan 2012 10:58:40 +0000 (11:58 +0100)]
Support initiation of childless IKEv1 ISAKMP SAs

Martin Willi [Tue, 3 Jan 2012 10:28:45 +0000 (11:28 +0100)]
Don't trigger reauthentication if initiator authenticated using XAuth

Martin Willi [Tue, 3 Jan 2012 10:27:41 +0000 (11:27 +0100)]
Set a condition flag if peer has been authenticated using XAuth

Martin Willi [Tue, 3 Jan 2012 10:57:35 +0000 (11:57 +0100)]
Queue Mode Config tasks after main mode as initiator, not as responder

Clavister OpenSource [Wed, 28 Dec 2011 23:06:12 +0000 (00:06 +0100)]
Setting Mode Cfg identifier for CFG_ACK messages.

Clavister OpenSource [Wed, 28 Dec 2011 23:05:04 +0000 (00:05 +0100)]
Add functions to set mode cfg identifier

Martin Willi [Mon, 2 Jan 2012 15:38:47 +0000 (16:38 +0100)]
Try all matching XAuth secrets we find, not only the first one

Martin Willi [Mon, 2 Jan 2012 15:38:30 +0000 (16:38 +0100)]
Fixed create_shared_enumerator method description

Martin Willi [Mon, 2 Jan 2012 15:36:39 +0000 (16:36 +0100)]
As responder, try to reuse the reqid of the CHILD_SA the initiator is rekeying

Martin Willi [Mon, 2 Jan 2012 14:49:20 +0000 (15:49 +0100)]
Reply quick mode with the same SA lifetime that we received

Martin Willi [Mon, 2 Jan 2012 14:40:31 +0000 (15:40 +0100)]
Do not query CHILD_SA during delete if they already expired

Martin Willi [Mon, 2 Jan 2012 14:39:16 +0000 (15:39 +0100)]
Be less verbose when deleting SAs triggered by a hard expire

Martin Willi [Mon, 2 Jan 2012 13:27:10 +0000 (14:27 +0100)]
Implemented CHILD_SA rekeying

Martin Willi [Mon, 2 Jan 2012 13:26:32 +0000 (14:26 +0100)]
Don't return FAILED if a CHILD_SA to delete could not be found

Martin Willi [Mon, 2 Jan 2012 12:36:10 +0000 (13:36 +0100)]
Support installing quick mode SAs with a specific reqid

Martin Willi [Thu, 22 Dec 2011 12:26:38 +0000 (13:26 +0100)]
Double check that we could select a TS as quick mode responder

Martin Willi [Wed, 21 Dec 2011 16:08:08 +0000 (17:08 +0100)]
Implemented responder retransmission, currently enabled for quick mode only

Martin Willi [Wed, 21 Dec 2011 14:02:02 +0000 (15:02 +0100)]
Queue IKEv1 INFORMATIONALS with higher priority to process notifies first

Martin Willi [Wed, 21 Dec 2011 14:01:29 +0000 (15:01 +0100)]
Accept IKEv1 INVALID_KE_INFORMATION notifies without data