Age | Commit message | Author | |
---|---|---|---|
2009-01-30 | If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@ | Alexander Bluhm | |
2009-01-29 | Remove ikefail10 ipsecctl regression test as it always fails. It was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@ | Alexander Bluhm | |
2009-01-28 | Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@ | Alexander Bluhm | |
2009-01-20 | Regression tests for source flow NAT support. OK hshoexer@, markus@. | Marco Pfatschbacher | |
2009-01-19 | Do not use "egress" keyword as it expands to an actual interface, which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@ | Hans-Joerg Hoexer | |
2008-12-22 | add regression test for aes-{128,192,256} being used with main and quick mode. | Hans-Joerg Hoexer | |
2008-12-22 | Adopt to recent change: /32 now is treated as a network address. prodded by david@ | Hans-Joerg Hoexer | |
2008-07-01 | Isakmpd acquire mode did not work with a config generated from ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd | Alexander Bluhm | |
2008-07-01 | If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer | Alexander Bluhm | |
2008-01-04 | Add a regression test for handling addresses with trailing '/32' and address type IPV4_ADDR. | Hans-Joerg Hoexer | |
2007-10-15 | Add new "reached end of file while parsing quoted string" as expected error message. | Hans-Joerg Hoexer | |
2007-07-03 | both 'proto 50' and 'proto esp' must work in flow specifications | Markus Friedl | |
2007-05-10 | Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@ | Hans-Joerg Hoexer | |
2007-03-16 | move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk | Markus Friedl | |
2007-03-14 | We switched to aes cbc quite some time ago, so also use the correct key sizes here, too. We now have to use 128 bit key instead of 160. Noticed by david@ | Hans-Joerg Hoexer | |
2007-02-19 | add a test for null encryption | Hans-Joerg Hoexer | |
2007-02-19 | we have to use '-k' now to show keys. | Hans-Joerg Hoexer | |
2007-02-19 | previous commit to parse.y was undone. adopt these two regression tests. | Hans-Joerg Hoexer | |
2007-02-16 | Adopt to recent change in parse.y (do not accept '\n' in quoted strings). The syntax error is now reported at the correct line. | Hans-Joerg Hoexer | |
2007-01-10 | allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | Markus Friedl | |
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl | |
2006-11-30 | wrong rid for protocol | Markus Friedl | |
2006-11-30 | sync: rmv to unregister ipsec connections | Markus Friedl | |
2006-11-30 | sync: proto/port in lid/rid/connection | Markus Friedl | |
2006-11-24 | fix typo for remote port; from Brian Candler | Markus Friedl | |
2006-11-21 | sync | Markus Friedl | |
2006-11-16 | add comment on how to update the *.ok files; ok hshoexer@ | Markus Friedl | |
2006-11-13 | Update to match improved address family check. | Ryan Thomas McBride | |
2006-11-01 | Adjust existing ikedel tests for aggressive mode support (we now delete both mainmode and aggressive mode phase 1 transforms) | Ryan Thomas McBride | |
2006-10-31 | Remove bogus input line. | Hans-Joerg Hoexer | |
2006-10-31 | Add some regression tests for odd ipsecctl behaviour noticed by Prabhu Gurumurt. Test ikefail10 should fail, but does not and needs to be fixed. | Hans-Joerg Hoexer | |
2006-08-29 | Test for an as yet unresolved problem: If list expansion produces peer pairings between different address families, this should be an error. Suggested by and ok hshoexer@ | Christian Weisgerber | |
2006-08-29 | Add support for IKE AH rules to ipsecctl. Man page input by jmc@. ok hshoexer@ | Christian Weisgerber | |
2006-07-21 | tests similar to ike49 and ike50, but with ipv6 addresses. | Hans-Joerg Hoexer | |
2006-07-21 | yet another test. | Hans-Joerg Hoexer | |
2006-07-21 | new tests for default peer usage | Hans-Joerg Hoexer | |
2006-07-21 | update and enable that test | Hans-Joerg Hoexer | |
2006-06-20 | The ike/ikedel tests 48 to 50 do not exist yet. They will be needed for stuff that will soon be committed. In the meanwhile disable them. Noticed by david@, thanks! | Hans-Joerg Hoexer | |
2006-06-18 | adopt to recent changes | Hans-Joerg Hoexer | |
2006-06-16 | and fix the corresponding regression test. | Hans-Joerg Hoexer | |
2006-06-16 | adopt to recent changes | Hans-Joerg Hoexer | |
2006-06-15 | Add a bunch of tests for deletion of ike rules, add a test for "to any" rules without a peer specified. These tests resulted in the recent fix in ipsecctl/ike.c. | Hans-Joerg Hoexer | |
2006-06-15 | add safail2 | Hans-Joerg Hoexer | |
2006-06-15 | test invalid v6/v4 address combinations for SAs. | Hans-Joerg Hoexer | |
2006-06-13 | we use aes for manual keying as default now. adopt these tests. | Hans-Joerg Hoexer | |
2006-06-10 | adopted to recent change. | Hans-Joerg Hoexer | |
2006-06-08 | really, this is the correct *.ok output, what was generated in the past was due to recently fixed code move some ike?? to ikefail? | Todd T. Fries | |
2006-06-08 | Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@ | Christian Weisgerber | |
2006-06-08 | Add tests for a tiny regression I've just found | Hans-Joerg Hoexer | |
2006-06-02 | check port modifiers in ike rules | Christian Weisgerber | |