Age | Commit message | Author |
|
this is like the -t command line option on iked itself, but you get
to keep the ike listener on port 500 and you can enable this on
specific policies instead of all of them.
this is useful if you're dealing with an org that can't firewall
ESP traffic well and so you need to force the traffic to be udp
encapsulated even if there's no NAT involved.
ok markus@ tobhe@
|
|
|
|
Authorization Extensions" (DAE) are supported.
feedback markus stu
ok tobhe
|
|
ok tobhe
|
|
|
|
make it easier to handle interoperability problems with older versions in
the future. The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).
ok markus@ bluhm@
|
|
|
|
ok jmc@ sthen@ millert@
|
|
to iked. Encryption keys and nonces are generated by the handshake and don't
have to be supplied in the config.
|
|
|
|
|
|
correct "cast" in ipsec.conf.5 to "cast128", add missing
"chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 some
places.
ok jmc sthen
|
|
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
feedback and ok benno@
ok patrick@
|
|
Lower limits lead to excessive rekeying and lost data in high performance
setups without much benefit.
Brought up by mvs@
ok patrick@ sthen@
|
|
ok patrick@
|
|
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@
ok patrick@
|
|
|
|
From Ryan Kavanagh
ok patrick@
|
|
after recent fixes.
|
|
To match all traffic use 0.0.0.0/0 or ::/0.
ok patrick@
|
|
assigned address.
|
|
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@
|
|
ok patrick@
|
|
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@
|
|
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@
|
|
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
|
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
|
|
First transport mode for child SAs was implemented, then a few
interoperability issues were identified with peers other than iked,
now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this so this
"just works".
Feedback tobhe deraadt sthen
OK tobhe
|
|
|
|
|
|
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@
|
|
interact with the per-policy active/passive options.
ok kn@
|
|
groups are not recommended for use and are only supported for backwards
compatibility.
Feedback from sthen@
ok kn@
|
|
|
|
|
|
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.
The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.
ok markus@, patrick@
|
|
similar settings to prevent double encapsulation.
ok kn@
|
|
Macros are expanded by the parser at parse time, whereas variables are
read as ordinary strings and left unmodified; hence, quoted `"$domain"'
gets passed to the daemon as is, which substitutes proper values before
passing it to the kernel. `$domain' without quotes never makes it to
the daemon, that is with `domain = foo' somewhere else "foo" is being
eventually passed unmodified to the kernel.
jmc prompted for a proper explanation and provided the final wording.
OK tobhe jmc
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
ok reyk@
|
|
|
|
The default behaviour remains unchanged.
ok mikeb@ bluhm@
|
|
Explain the use of the option (according to the RFC) and make clear it is
not usually needed for subnets specified in "from" and "to" options.
ok sthen@
|
|
Ok kn@
|
|
ok sthen@
|
|
used a private-use group number. Switch to the group number assigned in
RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this
is not the default), you can switch to another PFS group before updating
then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the
initiator can choose which to use.
|
|
This gives us more flexibility for negotiating with other IKEv2 setups.
Tested by and ok sthen@
|
|
have a higher flexibility in negotiating with other peers, or even ease
migration from one proposal to a more secure one.
ok sthen@
|
|
responder. In practice this support means that clients like iPhones
can roam in different networks (LTE, WiFi) and change their external
addresses without having to re-do the whole handshake. It allows the
client to choose how and when to change the external tunnel endpoint
addresses on demand, depending on which network is better or even is
connected at all.
ok sthen@
tweaks from jmc@
tested by a handful
|
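The log entries above introduce these options one at a time. The following iked.conf(5) fragment is an added example, not part of any commit here and not from the OpenBSD project, that pulls them together into one configuration so the keywords can be seen in context. All addresses, identities, the OCSP URL, the interface name, the rdomain number and the macro name are assumptions; options arrived in different releases, so check the keyword set and ordering against the iked.conf(5) of the installed version before using it.

```conf
# Global "set" options (all values are assumptions for illustration).
set dpd_check_interval 30        # send DPD once no ESP/IKE traffic for 30s
set enforcesingleikesa           # one IKE SA per dstid; old SA deleted on new auth
set cert_partial_chain           # accept a chain ending at a trusted CA in /etc/iked/ca/
set ocsp http://ocsp.example.net tolerate 5m maxage 1d
                                 # URL fallback if the issuer cert has none;
                                 # 5m clock leeway, thisUpdate at most 1d old
set novendorid                   # suppress the "OpenIKED-<version>" vendor ID
set mobike                       # default: let roaming peers move endpoints
set active                       # default: per-policy active/passive overrides it

# Macro: expanded by the parser at parse time.
rw_pool = "10.10.0.0/24"

# Site-to-site: "natt" forces UDP encapsulation even without NAT,
# "proto { ipencap, ipv6 }" carries two inner protocols in one policy,
# "rdomain 1" is the unencrypted (inner) rdomain and must exist before the
# SAs are loaded; the encrypted side is the rdomain iked runs in.
# Two ikesa lines let the initiator fall back from curve25519 (RFC 8031
# group number) to ecp256 for older peers; enc aes-256-gcm is AEAD, so no
# "auth" is given on those proposals. ikeauth defaults to pubkey (rsa).
ikev2 "site" active esp natt proto { ipencap, ipv6 } rdomain 1 \
	from 192.0.2.0/24 to 198.51.100.0/24 \
	peer 203.0.113.1 \
	ikesa enc aes-256-gcm prf hmac-sha2-256 group curve25519 \
	ikesa enc aes-256-gcm prf hmac-sha2-256 group ecp256 \
	childsa enc aes-256-gcm group curve25519 \
	srcid gw.example.net dstid gw.example.com \
	ikelifetime 24h lifetime 1h bytes 4G

# Road warrior responder: 0.0.0.0/0 matches all traffic, addresses from the
# macro pool are assigned on vether0 and routes for the flow are added
# automatically. The quoted "$domain" in tag is NOT a macro: it reaches the
# daemon unchanged and is substituted there with the peer's domain.
ikev2 "rw" passive esp \
	from 0.0.0.0/0 to 0.0.0.0/0 \
	local 203.0.113.2 peer any \
	srcid gw.example.net \
	config address $rw_pool \
	config name-server 10.10.0.1 \
	iface vether0 \
	tag "ipsec-$domain"
```

Load it with `iked -nf /etc/iked.conf` first: the parser reports an unknown keyword or a misordered option for the installed release, and the rdomain must already exist or pfkey will reject the SAs at activation time, as the rdomain commit above warns.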
|
identity (username). OK mikeb@
|