| Age | Commit message (Collapse) | Author |
|---|
|
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
|
|
construct;
this also sidesteps what seems to be a problem with mandoc, in that
"-column -compact" seems to mess up the formatting. thus these pages should
now have their lists formatted nicely (i.e. correctly aligned and with indent
applied);
as a side note, the fact that headers are not properly marked up is another
issue which will be addressed separately (a mandoc fix is needed, i think).
i have fudged a few of these to mark up properly, since the workaround does
make sense for some pages.
as another side note, i haven;t fixed man7, as i need to prepare a separate
diff for kristaps and ingo.
|
|
|
|
|
|
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
prompted by reyk
|
|
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, it's
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
|
|
|
|
|
|
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
|
|
also required to fix the mandoc build.
"fine. even if mandoc goes nowhere, it has found some bugs ;)" jmc@
ok sobrado@
|
|
|
|
|
|
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
Muzenic (mitja at muzenic dot net), many thanks!
|
|
pointed out by Prabhu Gurumurthy
ok deraadt@
|
|
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks
guys!
ok todd@
|
|
text from ipsecadm(8), hshoexer, and myself
|
|
of the SA matching return traffic; it was already there for spi but
not authkey/enckey (all 3 are required).
assistance and ok from jmc@
|
|
|
|
ok jmc@
|
|
|
|
|
|
Thanks to sthen <at> symphytum DOT spacehopper DOT org
|
|
had; more can go in here, so feel free...
many thanks to ho for feedback, and angelos and cedric who i harangued
endlessly to explain nat/ipsec to me;
the ipsec.conf.5 change just moves some stuff more appropriate to enc.4;
ok hshoexer
|
|
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
consistently in the rest of the page;
help/ok hshoexer
|
|
|
|
|
|
ok hshoexer
|
|
|
|
|
|
the list; move the rc stuff from ipsecctl to ipsec.conf;
ok hshoexer
|
|
ok hshoexer
|
|
- move example ruleset into a more logical order
- correct the if-bound example (spotted by hshoexer)
help/ok markus hshoexer
|
|
ok hshoexer ho
|
|
|
|
help/ok markus
|
|
|
|
pointed out by msf; explained by markus
|
|
|
|
|
|
input henning markus mcbride
ok mcbride hshoexer
|
|
|
|
|
|
|
|
help from ho hshoexer
|
