Age | Commit message (Collapse) | Author | |
---|---|---|---|
2012-09-17 | sync with transform-name-fix | Markus Friedl | |
2012-09-15 | sync with recent ipsecctl changes/fixes | Markus Friedl | |
2012-07-10 | Rename "life" to "lifetime" to match iked. | Lawrence Teo | |
ok mikeb naddy sthen; procedures ok henning | |||
2012-07-08 | AES-CTR, AES-GCM, AES-GMAC are disallowed with manual SAs | Christian Weisgerber | |
2011-07-06 | update regress for non-crypto flow 'type use' case | Theo de Raadt | |
2010-10-06 | Retire Skipjack | Mike Belopuhov | |
There's not much use for the declassified cipher from the 80's with a questionable license these days. According to the FIPS drafts, Skipjack reaches its EOL in December 2010. The libc portion will be removed after the ports hackathon. djm and thib agree, no objections from deraadt Thanks to jsg for digging up FIPS drafts. | |||
2010-05-10 | Various comment typos. 'wether' -> 'whether' (most popular), 'possiblity' -> | Kenneth R Westerback | |
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@ and tech@ postings, many by Brad Tilley. | |||
2009-08-04 | Add regress tests with IPv4 and IPv6 addresses for the srcid and/or dstid. | Joel Sing | |
ok hshoexer@ | |||
2009-01-30 | If the "peer" address is not specified or derived from "to" for | Alexander Bluhm | |
"ike" rules in ipsec.conf, the default peer is used. In theory ipsecctl -f ipsec.conf can configure the default peer for each "ike" entry. As isakmpd only supports one default peer, the last "ike" rule that uses a default peer wins. This configuration is then significant for all "ike" rules that use the default peer. Now a warning is printed if a later rule in ipsec.conf changes the configuration of the original default peer. This should be an error but that would break existing user configs. So only a warning is printed. ok hshoexer@, todd@ | |||
2009-01-29 | Remove ikefail10 ipsecctl regression test as it always fails. It | Alexander Bluhm | |
was expecting a certain parser error message. Accepting the ikefail10 config file is not considered to be a bug anymore. ok hshoexer@ | |||
2009-01-28 | Allow to specify ike and flow explicitly without peer. The any | Alexander Bluhm | |
keyword as argument for the peer parameter will do that. An ike without peer creates the peer-default config. A flow without peer acquires a host-to-host SA. tested by grunk@, todd@, ok grunk@, hshoexer@, todd@ | |||
2009-01-20 | Regression tests for source flow NAT support. | Marco Pfatschbacher | |
OK hshoexer@, markus@. | |||
2009-01-19 | Do not use "egress" keyword as it expands to an actual interface, | Hans-Joerg Hoexer | |
which might be different on different machines. Use some fixed addresses instead. pointed out and ok david@ | |||
2008-12-22 | add regression test for aes-{128,192,256} being used with main and quick | Hans-Joerg Hoexer | |
mode. | |||
2008-12-22 | Adopt to recent change: /32 now is treated as a network address. | Hans-Joerg Hoexer | |
prodded by david@ | |||
2008-07-01 | Isakmpd acquire mode did not work with a config generated from | Alexander Bluhm | |
ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd | |||
2008-07-01 | If multiple to addresses but no peer are given in an ike or flow | Alexander Bluhm | |
rule, the current to address is taken as peer during expansion. This makes the broken regress test ikefail7 obsolete as address family mismatch cannot happen anymore. ok hshoexer | |||
2008-01-04 | Add a regression test for handling addresses with trailing '/32' and address | Hans-Joerg Hoexer | |
type IPV4_ADDR. | |||
2007-10-15 | Add new "reached end of file while parsing quoted string" as expected | Hans-Joerg Hoexer | |
error message. | |||
2007-07-03 | both 'proto 50' and 'proto esp' must work in flow specifications | Markus Friedl | |
2007-05-10 | Do not crash when lists include the "any" keyword. Reported by | Hans-Joerg Hoexer | |
<ralf.horstmann at gmx.net>, thanks! Slightly different fix. Also add a regression test. ok mpf@ | |||
2007-03-16 | move autodetection of the ID type to the parser. this way the | Markus Friedl | |
static flows have the correct ID, too. ok hshoexer, reyk | |||
2007-03-14 | We switched to aes cbc quite some time ago, so also use the correct | Hans-Joerg Hoexer | |
key sizes here, too. We now have to use 128 bit key instead of 160. Noticed by david@ | |||
2007-02-19 | add a test for null encryption | Hans-Joerg Hoexer | |
2007-02-19 | we have to use '-k' now to show keys. | Hans-Joerg Hoexer | |
2007-02-19 | previous commit to parse.y was undone. adopt these two regression tests. | Hans-Joerg Hoexer | |
2007-02-16 | Adopt to recent change in parse.y (do not accept '\n' in quoted | Hans-Joerg Hoexer | |
strings). The syntax error is now reported at the correct line. | |||
2007-01-10 | allow rule if there is at least _one_ matching address family combination. | Markus Friedl | |
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | |||
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl | |
2006-11-30 | wrong rid for protocol | Markus Friedl | |
2006-11-30 | sync: rmv to unregister ipsec connections | Markus Friedl | |
2006-11-30 | sync: proto/port in lid/rid/connection | Markus Friedl | |
2006-11-24 | fix typo for remote port; from Brian Candler | Markus Friedl | |
2006-11-21 | sync | Markus Friedl | |
2006-11-16 | add comment on how to update the *.ok files; ok hshoexer@ | Markus Friedl | |
2006-11-13 | Update to match improved address family check. | Ryan Thomas McBride | |
2006-11-01 | Adjust existing ikedel tests for aggressive mode support (we now | Ryan Thomas McBride | |
delete both mainmode and aggressive mode phase 1 transforms) | |||
2006-10-31 | Remove bogus input line. | Hans-Joerg Hoexer | |
2006-10-31 | Add some regression tests for odd ipsecctl behaviour noticed by | Hans-Joerg Hoexer | |
Prabhu Gurumurt. Test ikefail10 should fail, but does not and needs to be fixed. | |||
2006-08-29 | Test for an as yet unresolved problem: | Christian Weisgerber | |
If list expansion produces peer pairings between different address families, this should be an error. Suggested by and ok hshoexer@ | |||
2006-08-29 | Add support for IKE AH rules to ipsecctl. Man page input by jmc@. | Christian Weisgerber | |
ok hshoexer@ | |||
2006-07-21 | tests similar to ike49 and ike50, but with ipv6 addresses. | Hans-Joerg Hoexer | |
2006-07-21 | yet another test. | Hans-Joerg Hoexer | |
2006-07-21 | new tests for default peer usage | Hans-Joerg Hoexer | |
2006-07-21 | update and enable that test | Hans-Joerg Hoexer | |
2006-06-20 | The ike/ikedel tests 48 to 50 do net exist yet. They will be needed | Hans-Joerg Hoexer | |
for stuff that will soon be commited. In the meanwhile disable them. Noticed by david@, thanks! | |||
2006-06-18 | adopt to recent changes | Hans-Joerg Hoexer | |
2006-06-16 | and fix the corresponding regression test. | Hans-Joerg Hoexer | |
2006-06-16 | adopt to recent changes | Hans-Joerg Hoexer | |
2006-06-15 | Add a bunch of test for deletion of ike rules, add a test for "to | Hans-Joerg Hoexer | |
any" rules without a peer specified. These tests resulted in the recent fix in ipsecctl/ike.c. |