Age | Commit message | Author

names in ike_section_p2 applies to phase-1 transforms as well.

does not include a "," character. ok otto@

Only using p1name or p2name as a transform identifier (as in rev 1.74)
breaks setups that allow multiple transforms for a connection, e.g. in
ike passive esp from any to 1.1.1.1 quick enc aes-128
ike passive esp from any to 1.1.1.1 quick enc aes-192
the aes-128 will be overwritten. ok and feedback mikeb@

Tweaked from his fix and ok mikeb@

to specify extended options like SA Lifetime. All the hard work was
done by lteo@, while naddy@ and me have made sure that defaults and
AH still work; sthen and jmc have looked over the diffs as well.

ok mikeb naddy sthen; procedures ok henning

ok mikeb sthen haesbaert henning

ok mikeb@

command line, ok mikeb sthen

bug noticed and fix tested by robert

(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that the aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy

is used as the srcid, however the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.

given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@

different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@

ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd

Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@

not accept the trailing '/32'.
Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!

static flows have the correct ID, too. ok hshoexer, reyk

used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk
at gmail.com>, thanks!
ok markus@

ok hshoexer@

store IKE connection string and phase2 IDs in the ipsec rule;
cleanup internal API: pass rules around instead of rule members;
report Brian Candler; fix with hshoexer, msf; ok hshoexer

phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@

however, this workaround might leak config entries in isakmpd;
ok (for now) hshoexer

ok hshoexer

ok hshoexer@

ok hshoexer@

ok hshoexer@

Noticed by Alexey E. Suslikov <cruel@texnika.com.ua>, thanks!

ok david msf

necessarily set anymore, as now the peer can be left out.

which were recently added to isakmpd. ok hshoexer@, markus@

heavyweight. Testing by Jason George, thanks!

"looks right" hshoexer@

fixes ike29.in in regress
looks right hshoexer@, ok naddy@

reference quick mode lifetimes, too, not main mode lifetimes.
Otherwise we might dereference a NULL pointer...

"put it in if it doesn't break regress" hshoexer@

can only be set globally (i.e. Default-phase-[12]-lifetime).

more than one ISAKMP ID on the local peer.
ok hshoexer@

ok hshoexer@