Age | Commit message | Author |
|
ok bluhm@
|
|
ok patrick@
|
|
ok tobhe
|
|
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.
Automatic name server configuration is enabled by default for policies using
the 'iface' option.
discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@
|
|
addresses and routes in iked_vroute_sc to not depend on ikev2
process for cleanup.
This makes sure that all flows, routes and addresses are deleted
no matter which process is killed first.
ok patrick@
|
|
functions. config_setpfkey() is always called with id PROC_IKEV2.
|
|
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@
ok patrick@
|
|
Discussed with sthen@
ok patrick@
|
|
exchange. In the case of an invalid KE error, retry
CREATE_CHILD_SA exchange with different group instead
of restarting the full IKE handshake.
ok markus@
|
|
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA. The original IKESA will be closed and the
address will be transferred to the new IKESA.
ok patrick@
|
|
type or id, ignore the proposal instead of failing the exchange.
ok patrick@
|
|
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.
ok patrick@
|
|
Found by csszep <csszep (at) gmail (dot) com>
ok patrick@
|
|
ok patrick@
|
|
ok markus@
|
|
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@
|
|
ok patrick@
|
|
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@
|
|
grouping fixed-size values in 'struct iked_static' which is sent in
a single message.
ok patrick@
|
|
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@
|
|
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
|
|
ok patrick@
|
|
This way the peer can delete its SAs and eventually reestablish the
connection without having to wait for a timeout.
ok markus@
|
|
for normal operation (UDP port 500) and one for NAT traversal (UDP 4500).
There are several command line options resulting in only one of the sockets
being created (-T, -t and -p). Add a new 'enum natt_mode' to make the
logic for those somewhat less complicated as well as some comments where
it makes sense.
From Wataru Ashihara <wataash (at) wataash (dot) com>
ok patrick@
|
|
instead of the full iked_user struct to preserve the RB_TREE pointers.
From Bernardo Cunha Vieira <bernardo (dot) vieira (at) almg (dot) gov (dot) br>
ok patrick@
|
|
From Wataru <wataash at wataash dot com>
ok patrick@
|
|
the UDP encapsulation port, similar to isakmpd's '-N' flag.
Being able to change the UDP encapsulation port is useful in cases
where ESP and UDP ports 500 and 4500 are blocked or rate limited.
ok sthen@
|
|
solution for multi-SA flows. As a result we only need a single
outgoing IPCOMP flow and can get rid of the two extra transport mode flows
for ESP.
ok bluhm@
|
|
allows us to deduplicate the network ranges sent in the TS payload and saves
some bytes on the wire.
ok patrick@
|
|
ok sthen@
|
|
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful
|
|
See RFC 5996, section 2.23, NAT Traversal:
In the case of a mismatching NAT_DETECTION_DESTINATION_IP hash, it
means that the system receiving the NAT_DETECTION_DESTINATION_IP
payload is behind a NAT and that system SHOULD start sending
keepalive packets as defined in [UDPENCAPS].
With markus@, ok reyk@
|
|
We reach an imsg payload limit with just a few traffic selectors
so in order to load more we need to split them up and send separately.
Suggested and OK reyk
|
|
Diff from markus@
OK mikeb@ patrick@
|
|
From and OK markus, OK reyk
|
|
As a related change, load the local.pub and local.key keys after
privsep and reload them on SIGHUP/reload.
OK mikeb@
|
|
clients can be given an IPv4 and IPv6 address at the same time,
thus enabling dual stack usage.
ok markus@ mikeb@
|
|
policy after receiving it from the parent. print_policy ->
print_proto -> getprotobynumber -> pledge abort because it tried to
access /etc/protocols without rpath. It was just a debugging message
that can be moved to the parent (printing the policy on the sender
side and not the receiver side). The parent has rpath and dns.
Issue found by sthen@ with "proto etherip"
OK sthen@ benno@
|
|
process for ISAKMP+IKEv1. I kept it to let somebody either contribute
the old protocol one day (I never intended to implement IKEv1 myself)
or add a new kind of pipe to isakmpd to hand off IKEv1 messages.
As IKEv2 is widely supported by all major OS and networking vendors
now, I'm happy to scrap the idea of supporting ISAKMP+IKEv1. It is
still possible to use isakmpd for legacy VPNs.
OK mikeb@
|
|
calls on pf data to explicit_bzero().
ok mikeb@
|
|
OK mikeb@
|
|
(e.g. the policy might be used-after-free on 'ikectl reconfig')
ok mikeb@
|
|
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
|