Age | Commit message | Author
this is like the -t command line option on iked itself, but you get
to keep the ike listener on port 500 and you can enable this on
specific policies instead of all of them.
this is useful if you're dealing with an org that can't firewall
ESP traffic well and so you need to force the traffic to be udp
encapsulated even if there's no NAT involved.
ok markus@ tobhe@
Authorization Extensions" (DAE) are supported.
feedback markus stu
ok tobhe
ok tobhe@
Similar to the permission checks performed on iked.conf(5) due to the
possibility of it containing inline psk strings, require psk files to not be
group writable or world read-writable.
ok tobhe@
To use sec(4) instead of policy based tunnels, create a sec(4)
interface and add 'iface secXX' to your policy config.
sec(4) interfaces also support auto configuration for dynamic client
IPs via 'request any' like all other interfaces.
The config won't work without traffic selectors, 'from any to any'
should work for now but I plan to make this optional in the future.
ok dlg@
In most cases print_host(addr, buf, buflen) can be replaced with
strlcpy(buf, print_addr(addr), buflen).
Some code was never fully adjusted to the full power of print_host() and
there are remnants of times well before print_host() supported multiple
internal buffers.
With and OK tb@
make it easier to handle interoperability problems with older versions in
the future. The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).
ok markus@ bluhm@
ok tobhe@
ok markus@
ok markus@
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
feedback and ok benno@
ok patrick@
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
ok patrick@
contain a partially copied password
ok tobhe
based on Streamlined NTRU Prime (coupled with X25519).
The sntrup761 implementation is imported from OpenSSH.
It is public domain code originally distributed as part
of the SUPERCOP cryptography benchmark suite
(https://bench.cr.yp.to/supercop.html).
The method is not part of the default proposal, but can
be enabled with 'ikesa group sntrup761x25519'.
ok markus@ patrick@
ok patrick@
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@
ok patrick@
'group none'. We currently send no transform of type DH by default,
which should be equivalent to explicitly sending a single DH transform
of type 'none'. However, the proposal matching logic had a bug where
these two would not match, effectively breaking the ability to negotiate
optional PFS. This commit fixes the bug but continues to send
no DH proposal by default to remain backwards compatible with older
versions.
ok patrick@
ok patrick@
before accessing anything in ifa_addr.
ok claudio@
For traffic selectors with a keyword on either 'from' or 'to' side,
install flow with address family of the opposite side. If both source
and destination address are keywords, install flows for both address
families.
The 'dynamic' keyword is special as it will only install flows
for the address family of the dynamically assigned address
(specified with the 'config address' option).
ok patrick@
ok patrick@
ok patrick@
transforms are not supported.
ok patrick@
to assign the same 'config address' when an IKESA is negotiated with the
DSTID of an existing IKESA. The original IKESA will be closed and the
address will be transferred to the new IKESA.
ok patrick@
The keyword is replaced at runtime with the address assigned from the pool
in 'config address'.
ok patrick@
At the moment the address is only negotiated and printed to the
log. If 'request addr 0.0.0.0' is configured, any address will
be accepted.
ok patrick@
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.
ok patrick@
ok patrick@
request. The locally configured request is used as fallback to find a
certificate or key to send. The local auth method for MSCHAP-V2 should
be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of
raw rsa keys.
Tested with Strongswan, iPhone and Windows
Found by and ok sthen@
ok patrick@
on acquire.
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
ok patrick@
parser aren't needed as they are checked at runtime during the handshake.
Moreover, these checks during startup of the daemon never worked
properly when dstid was not explicitly configured. The dstid depends
on the ID message payload which is only known after the initial handshake.
ok patrick@
ok patrick@
They can be configured with the new ikesa enc options aes-128-gcm,
aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@
ok sthen@, patrick@