path: root/regress/sbin/ipsecctl
Age | Commit message | Author
2012-09-17 | sync with transform-name-fix | Markus Friedl
2012-09-15 | sync with recent ipsecctl changes/fixes | Markus Friedl
2012-07-10 | Rename "life" to "lifetime" to match iked. ok mikeb naddy sthen; procedures ok henning | Lawrence Teo
2012-07-08 | AES-CTR, AES-GCM, AES-GMAC are disallowed with manual SAs | Christian Weisgerber
2011-07-06 | update regress for non-crypto flow 'type use' case | Theo de Raadt
2010-10-06 | Retire Skipjack. There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt. Thanks to jsg for digging up FIPS drafts. | Mike Belopuhov
2010-05-10 | Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> 'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley. | Kenneth R Westerback
2009-08-04 | Add regress tests with IPv4 and IPv6 addresses for the srcid and/or dstid. ok hshoexer@ | Joel Sing
2009-01-30 | If the "peer" address is not specified or derived from "to" for "ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@ | Alexander Bluhm
2009-01-29 | Remove ikefail10 ipsecctl regression test as it always fails. It was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@ | Alexander Bluhm
2009-01-28 | Allow to specify ike and flow explicitly without peer. The any keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@ | Alexander Bluhm
2009-01-20 | Regression tests for source flow NAT support. OK hshoexer@, markus@. | Marco Pfatschbacher
2009-01-19 | Do not use "egress" keyword as it expands to an actual interface, which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@ | Hans-Joerg Hoexer
2008-12-22 | add regression test for aes-{128,192,256} being used with main and quick mode. | Hans-Joerg Hoexer
2008-12-22 | Adapt to recent change: /32 now is treated as a network address. prodded by david@ | Hans-Joerg Hoexer
2008-07-01 | Isakmpd acquire mode did not work with a config generated from ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd | Alexander Bluhm
2008-07-01 | If multiple to addresses but no peer are given in an ike or flow rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer | Alexander Bluhm
2008-01-04 | Add a regression test for handling addresses with trailing '/32' and address type IPV4_ADDR. | Hans-Joerg Hoexer
2007-10-15 | Add new "reached end of file while parsing quoted string" as expected error message. | Hans-Joerg Hoexer
2007-07-03 | both 'proto 50' and 'proto esp' must work in flow specifications | Markus Friedl
2007-05-10 | Do not crash when lists include the "any" keyword. Reported by <ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@ | Hans-Joerg Hoexer
2007-03-16 | move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk | Markus Friedl
2007-03-14 | We switched to aes cbc quite some time ago, so also use the correct key sizes here, too. We now have to use 128 bit key instead of 160. Noticed by david@ | Hans-Joerg Hoexer
2007-02-19 | add a test for null encryption | Hans-Joerg Hoexer
2007-02-19 | we have to use '-k' now to show keys. | Hans-Joerg Hoexer
2007-02-19 | previous commit to parse.y was undone. adapt these two regression tests. | Hans-Joerg Hoexer
2007-02-16 | Adapt to recent change in parse.y (do not accept '\n' in quoted strings). The syntax error is now reported at the correct line. | Hans-Joerg Hoexer
2007-01-10 | allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | Markus Friedl
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl
2006-11-30 | wrong rid for protocol | Markus Friedl
2006-11-30 | sync: rmv to unregister ipsec connections | Markus Friedl
2006-11-30 | sync: proto/port in lid/rid/connection | Markus Friedl
2006-11-24 | fix typo for remote port; from Brian Candler | Markus Friedl
2006-11-21 | sync | Markus Friedl
2006-11-16 | add comment on how to update the *.ok files; ok hshoexer@ | Markus Friedl
2006-11-13 | Update to match improved address family check. | Ryan Thomas McBride
2006-11-01 | Adjust existing ikedel tests for aggressive mode support (we now delete both mainmode and aggressive mode phase 1 transforms) | Ryan Thomas McBride
2006-10-31 | Remove bogus input line. | Hans-Joerg Hoexer
2006-10-31 | Add some regression tests for odd ipsecctl behaviour noticed by Prabhu Gurumurt. Test ikefail10 should fail, but does not and needs to be fixed. | Hans-Joerg Hoexer
2006-08-29 | Test for an as yet unresolved problem: If list expansion produces peer pairings between different address families, this should be an error. Suggested by and ok hshoexer@ | Christian Weisgerber
2006-08-29 | Add support for IKE AH rules to ipsecctl. Man page input by jmc@. ok hshoexer@ | Christian Weisgerber
2006-07-21 | tests similar to ike49 and ike50, but with ipv6 addresses. | Hans-Joerg Hoexer
2006-07-21 | yet another test. | Hans-Joerg Hoexer
2006-07-21 | new tests for default peer usage | Hans-Joerg Hoexer
2006-07-21 | update and enable that test | Hans-Joerg Hoexer
2006-06-20 | The ike/ikedel tests 48 to 50 do not exist yet. They will be needed for stuff that will soon be committed. In the meanwhile disable them. Noticed by david@, thanks! | Hans-Joerg Hoexer
2006-06-18 | adapt to recent changes | Hans-Joerg Hoexer
2006-06-16 | and fix the corresponding regression test. | Hans-Joerg Hoexer
2006-06-16 | adapt to recent changes | Hans-Joerg Hoexer
2006-06-15 | Add a bunch of tests for deletion of ike rules, add a test for "to any" rules without a peer specified. These tests resulted in the recent fix in ipsecctl/ike.c. | Hans-Joerg Hoexer