path: root/sbin/ipsecctl
Age | Commit message | Author
2006-05-27 | Addresses can be specified in CIDR notation, as symbolic host names, interface names or interface group names. So it's time to document this... | Hans-Joerg Hoexer
2006-05-27 | allow to specify groups to be used IKE | Hans-Joerg Hoexer
2006-05-26 | vpn.8 removal; | Jason McIntyre
2006-05-26 | \<char> is <char> except for \<newline> -- no exceptions. much like how other things work. ok henning | Theo de Raadt
2006-05-18 | paramter -> parameter | Miod Vallat
2006-05-15 | permit proto 0; ok hshoexer | Theo de Raadt
2006-05-15 | delete weird C | Theo de Raadt
2006-05-11 | fix some spelling; noticed by david@ | Hans-Joerg Hoexer
2006-04-20 | constify char *infile here, too. noticed by lint. | Hans-Joerg Hoexer
2006-04-19 | add support for interface groups. | Hans-Joerg Hoexer
2006-04-19 | small cleanup: no need to strdup here. | Hans-Joerg Hoexer
2006-04-19 | "type" keyword to specify flow type (require, use, etc.) | Hans-Joerg Hoexer
2006-04-19 | add hostname resolver. at least some eyeballing by cloder@ tested by jean raby, requested/suggested by rod withworth | Hans-Joerg Hoexer
2006-04-13 | Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords. ok markus@ | Hans-Joerg Hoexer
2006-04-12 | document that tunnel and transport mode can be specified for SAs. | Hans-Joerg Hoexer
2006-03-31 | tweaks; | Jason McIntyre
2006-03-31 | when dumping rules always show type, srcid and dstid (if set). ok reyk@ | Hans-Joerg Hoexer
2006-03-31 | allow to delete dynamic rules; ok reyk@ | Hans-Joerg Hoexer
2006-03-31 | allow specification of encapsulated protocol for ike; ok hshoexer | Markus Friedl
2006-03-31 | allow specification of encapsulated protocol for flows; ok hshoexer | Markus Friedl
2006-03-31 | uppercase `ip'; | Jason McIntyre
2006-03-30 | when resolving interface names to ip addresses, set netmask to all bits 1 | Hans-Joerg Hoexer
2006-03-30 | allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk | Markus Friedl
2006-03-22 | add support for macros in ipsec.conf(5). some bits have already been there. requested by david@ ok hshoexer@, msf@ | Reyk Floeter
2006-03-20 | When being verbose while deleting ike rules (-dv), print deletions instead of additions. Suggested by david@ | Hans-Joerg Hoexer
2006-03-20 | When adding a connection, do not explicitly start that connection using "t" and "c" fifo commands. This is prone to a race when adding several tunnels between the same peers. Just let isakmpd start that connection on its own (using the connection checker). | Hans-Joerg Hoexer
2006-03-07 | add support for special "bypass" and "deny" flows. ok hshoexer@, thanks jmc@ | Reyk Floeter
2006-03-07 | add an ike option for road warrior setups (hosts with dynamic ip addresses). "ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines). ok hshoexer@, looks fine markus@, jmc@ | Reyk Floeter
2006-02-21 | The new default encryption algorithm for main mode is AES instead of 3DES. Noticed as not being documented by otto@. ok otto@ | Hans-Joerg Hoexer
2006-02-03 | override authentication tag as well; ok hshoexer@ | Christian Weisgerber
2006-02-02 | Two fixes: generate default main mode config when using PSK, added missing force (with naddy@) ok reyk@ naddy@ | Hans-Joerg Hoexer
2006-02-01 | noted by lint: include <string.h> instead of <strings.h>, add two ARGSUSED1 | Hans-Joerg Hoexer
2006-01-20 | initialize authtype->string in case of RSA to avoid bad free(); ok reyk@ hshoexer@ | Christian Weisgerber
2006-01-17 | wrap long lines (no binary change) | Reyk Floeter
2006-01-17 | spacing | Theo de Raadt
2006-01-17 | no , after last element in enum | Theo de Raadt
2006-01-16 | add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default. ok hshoexer@, manpage ok jmc@ | Reyk Floeter
2005-12-28 | no close() after fdopen(); ok hshoexer@ | Christian Weisgerber
2005-12-28 | make sure isakmpd fifo is actually a fifo. | Hans-Joerg Hoexer
2005-12-21 | Userland programs should include <errno.h> not <sys/errno.h>; OK deraadt@ | Todd C. Miller
2005-12-12 | use ARGSUSED1 here | Hans-Joerg Hoexer
2005-12-12 | use err() instead of errx() | Hans-Joerg Hoexer
2005-12-12 | Correctly copy interface names; fixes breakage noticed by naddy@; ok naddy@ | Hans-Joerg Hoexer
2005-12-06 | more appropriate error messages; ok hshoexer | Markus Friedl
2005-12-06 | ipip support: ip-in-ip w/o gif(4); ok hshoexer | Markus Friedl
2005-12-01 | spacing | Theo de Raadt
2005-12-01 | do not choke and dump core when printing bypass flows. noticed by jacob schlyter. Thanks! | Hans-Joerg Hoexer
2005-11-30 | handle that pfkey_ipsec_flush() can fail. | Hans-Joerg Hoexer
2005-11-27 | sanity check constraints for transforms. ok deraadt@ | Hans-Joerg Hoexer
2005-11-27 | truly permit auth/enc/comp expressions to be in any order; hshoexer will add back in the constraint language | Theo de Raadt