path: root/sbin/ipsecctl/ike.c
Age         Author
            Commit message

2006-11-01  Ryan Thomas McBride
            KNF unrelated to previous commit.

2006-11-01  Ryan Thomas McBride
            Add support for aggressive mode (from the k2k6 IPsec hackathon).
            ok hshoexer

2006-09-18  Hans-Joerg Hoexer
            KNF and clean some trailing white spaces, no binary change.

2006-08-30  Mathieu Sauve-Frankel
            actually use the right value for USER_FQDN
            ok hshoexer@

2006-08-29  Mathieu Sauve-Frankel
            add support for ufqdn ids in ike rules
            ok hshoexer@

2006-08-29  Christian Weisgerber
            Add support for IKE AH rules to ipsecctl. Man page input by jmc@.
            ok hshoexer@

2006-07-21  Hans-Joerg Hoexer
            When no peer is specified, no peer address is defined, thus do not use it.
            Noticed by Alexey E. Suslikov <cruel@texnika.com.ua>, thanks!

2006-06-18  Hans-Joerg Hoexer
            add group "none"; when chosen, pfs will be disabled.
            ok david msf

2006-06-16  Hans-Joerg Hoexer
            add a missing "force"

2006-06-15  Hans-Joerg Hoexer
            be careful when touching the peer component of a rule. It is not
            necessarily set anymore, as now the peer can be left out.

2006-06-13  Christian Weisgerber
            For IKE, allow main mode SHA2 and quick mode AESCTR transforms,
            which were recently added to isakmpd. ok hshoexer@, markus@

2006-06-10  Hans-Joerg Hoexer
            switch back to original defaults regarding DH groups. modp3072 is too
            heavyweight. Testing by Jason George, thanks!

2006-06-08  Hans-Joerg Hoexer
            fix some indentation, noticed by david@

2006-06-08  Christian Weisgerber
            Add a transport mode specifier to ike rules. Tunnel mode remains the default.
            "looks right" hshoexer@

2006-06-08  Todd T. Fries
            allocate enough storage via sockaddr_storage for sockaddr_in6,
            fixes ike29.in in regress. looks right hshoexer@, ok naddy@

2006-06-08  Hans-Joerg Hoexer
            Fix a typo: When testing for quick mode lifetimes, make sure to
            reference quick mode lifetimes, too, not main mode lifetimes.
            Otherwise we might dereference a NULL pointer...

2006-06-02  Christian Weisgerber
            support tcp/udp port modifiers in ike rules
            "put it in if it doesn't break regress" hshoexer@

2006-06-02  Hans-Joerg Hoexer
            allow specifying phase 1 and 2 lifetimes. Right now, these values
            can only be set globally (i.e. Default-phase-[12]-lifetime).

2006-06-02  Hans-Joerg Hoexer
            Simplify main/quick mode parsing and generation of the actual ike config.

2006-06-01  Mathieu Sauve-Frankel
            change the local-ID section name to always be unique as we may want to use
            more than one ISAKMP ID on the local peer. ok hshoexer@

2006-06-01  Hans-Joerg Hoexer
            knf

2006-06-01  Todd T. Fries
            permit feeding isakmpd.fifo IPv6 addresses
            ok hshoexer@

2006-06-01  Hans-Joerg Hoexer
            Generate correct configuration for default peers.

2006-05-31  Hans-Joerg Hoexer
            Small function header knf.

2006-05-31  Hans-Joerg Hoexer
            Prepare for handling unnamed remote peers.

2006-05-28  Todd T. Fries
            matching brackets are useful
            ok dlg@

2006-05-27  Hans-Joerg Hoexer
            allow specifying the groups to be used for IKE

2006-05-15  Theo de Raadt
            delete weird C

2006-04-13  Hans-Joerg Hoexer
            Add support for "local" to ike rules. Allows specifying the local IP to be
            used on a multi-homed machine. Also, relax order of peer/local keywords. ok markus@

2006-03-31  Hans-Joerg Hoexer
            allow deleting dynamic rules
            ok reyk@

2006-03-31  Markus Friedl
            allow specification of encapsulated protocol for ike; ok hshoexer

2006-03-31  Markus Friedl
            allow specification of encapsulated protocol for flows; ok hshoexer

2006-03-20  Hans-Joerg Hoexer
            When being verbose while deleting ike rules (-dv), print deletions instead of
            additions. Suggested by david@

2006-03-20  Hans-Joerg Hoexer
            When adding a connection, do not explicitly start that connection
            using "t" and "c" fifo commands. This is prone to a race when adding
            several tunnels between the same peers. Just let isakmpd start that
            connection on its own (using the connection checker).

2006-03-07  Reyk Floeter
            add an ike option for road warrior setups (hosts with dynamic ip
            addresses). "ike dynamic esp" will use the system's hostname as the fqdn
            source id (instead of the ip address) by default and enable dpd (dead peer
            detection) to allow smooth reconnects after an ip address change (i.e.
            forced reconnect with consumer adsl lines). ok hshoexer@, looks fine
            markus@, jmc@

2006-02-03  Christian Weisgerber
            override authentication tag as well; ok hshoexer@

2006-02-02  Hans-Joerg Hoexer
            Two fixes: generate default main mode config when using PSK, added missing
            force (with naddy@). ok reyk@ naddy@

2006-01-17  Theo de Raadt
            spacing

2006-01-16  Reyk Floeter
            add support for pre-shared keys with "ike esp" using the new keyword
            "psk". rsa-sig is recommended and will still be used by default.
            ok hshoexer@, manpage ok jmc@

2005-12-28  Christian Weisgerber
            no close() after fdopen(); ok hshoexer@

2005-12-28  Hans-Joerg Hoexer
            make sure isakmpd fifo is actually a fifo.

2005-12-12  Hans-Joerg Hoexer
            use err() instead of errx()

2005-11-24  Hans-Joerg Hoexer
            Remove old-style keyed sha1/md5. We only support hmac-sha1/md5.
            Noticed the hard way by <raff at brodewicz dot pl>

2005-11-12  Theo de Raadt
            spacing

2005-11-06  Hans-Joerg Hoexer
            Improved address and address mask handling, derived from pfctl stuff.

2005-11-06  Hans-Joerg Hoexer
            better handling of ip addresses, prepare for v6. Partially derived from diff
            by todd@. Work in progress.

2005-10-28  Hans-Joerg Hoexer
            more error message cleanup

2005-10-16  Hans-Joerg Hoexer
            cleanup messages generated by err(3)

2005-09-22  Hans-Joerg Hoexer
            use "force" keyword when adding to Phase 1 section, otherwise isakmpd will
            write some annoying warning to the logs...

2005-09-20  Hans-Joerg Hoexer
            add an entry to "Phase 1" section for each remote peer.