Age | Commit message | Author |
|
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
|
does not include a "," character. ok otto@
|
|
Only using p1name or p2name as a transform identifier (as in rev 1.74)
breaks setups that allow multiple transforms for a connection, e.g. in
ike passive esp from any to 1.1.1.1 quick enc aes-128
ike passive esp from any to 1.1.1.1 quick enc aes-192
the aes-128 will be overwritten. ok and feedback mikeb@
|
|
Tweaked from his fix and ok mikeb@
|
|
"several."
Note: if anyone adds support for more unit specifiers in the future,
please change this back to "several" (instead of using an exact number)
so that it matches the iked.conf(5) man page. :)
While here, fix a typo in the quick mode section: "phase 1 lifetime" ->
"phase 2 lifetime"
ok mikeb sthen jmc haesbaert henning
|
|
|
|
to specify extended options like SA Lifetime. All the hard work was
done by lteo@, while naddy@ and me have made sure that defaults and
AH still work; sthen and jmc have looked over the diffs as well.
|
|
ok mikeb naddy sthen; procedures ok henning
|
|
ok mikeb sthen haesbaert henning
|
|
or AES-GMAC. These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.
Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.
ok mikeb@
|
|
|
|
keyword in the grammar to create an esn-enabled rule (no reason to
do so for manual sa configuration). instead decode sa flags so
that we can also watch changes happening in real time with the
monitor mode. prompted and ok by naddy
|
|
ok mikeb@
|
|
|
|
characters;
prompted by a diff from robert peichaer org
thanks gilles and henning for feedback
ok deraadt zinke
|
|
ok miod@
|
|
|
|
|
|
- prevent an erroneous space in the formatting of -D
|
|
reminder to adjust synopsis and usage (again...)
|
|
command line, ok mikeb sthen
|
|
specifically, rewrite them to permit some markup in the column headers,
and use "Ta" instead of literal tabs; mandoc does not currently match groff
100%, but a mandoc fix may be some time off, and we've gone enough releases
with poorly formatting column lists.
in some cases i have rewritten the lists as -tag, where -column made
little sense.
|
|
construct;
this also sidesteps what seems to be a problem with mandoc, in that
"-column -compact" seems to mess up the formatting. thus these pages should
now have their lists formatted nicely (i.e. correctly aligned and with indent
applied);
as a side note, the fact that headers are not properly marked up is another
issue which will be addressed separately (a mandoc fix is needed, i think).
i have fudged a few of these to mark up properly, since the workaround does
make sense for some pages.
as another side note, i haven't fixed man7, as i need to prepare a separate
diff for kristaps and ingo.
|
|
|
|
type (if not specified) to "use" instead of "require".
(since they will not get a key...)
ok mikeb claudio
|
|
|
|
|
|
|
|
bug noticed and fix tested by robert
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
prompted by reyk
|
|
(as aes-gmac) encryption transformations in the ipsec.conf(5).
Available "enc" arguments denoting use of
1) AES-GCM-16:
aes-128-gcm for 160 bit key (128+nonce)
aes-192-gcm for 224 bit key (192+nonce)
aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
aes-128-gmac for 160 bit key (128+nonce)
aes-192-gmac for 224 bit key (192+nonce)
aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying. So it can be thought of as a debug facility only.
Example configuration:
ike esp from 172.23.61.36 to 172.23.61.156 \
quick enc aes-256-gcm \
psk humppa
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
OK naddy
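The key-size arithmetic and the manual-keying caveat from the commit message above, turned into a small lint for ipsec.conf(5) rules. This is an added example, not code from OpenBSD or ipsecctl: it assumes rules are given one per line using the keywords shown on this page (`ike`, `esp`, `enc`, `psk`) plus `enckey` for manual SAs, and the sample rules are constructed here. It flags three things: an `aes-*-gmac` transform (no confidentiality), a manual SA that carries a static key with a GCM/GMAC transform (which RFC 4106 and RFC 4543 forbid), and a static key whose length does not match the 128/192/256-bit AES key plus the 32-bit nonce salt.

```python
import re

# Per RFC 4106 / RFC 4543 the key material is the AES key plus a 32-bit salt,
# so aes-128-gcm takes 160 bits, aes-192-gcm 224 and aes-256-gcm 288.
NONCE_BITS = 32
GCM_RE = re.compile(r"^aes-(128|192|256)-(gcm|gmac)$")


def enc_key_bits(enc):
    """Total key material for an enc keyword, or None if it is not GCM/GMAC.

    Returns (bits, confidential): 'aes-128-gcm' -> (160, True),
    'aes-256-gmac' -> (288, False).
    """
    m = GCM_RE.match(enc)
    if not m:
        return None
    return int(m.group(1)) + NONCE_BITS, m.group(2) == "gcm"


def _arg(toks, key):
    """Value following keyword `key` in a tokenized rule, or None."""
    if key in toks:
        i = toks.index(key)
        if i + 1 < len(toks):
            return toks[i + 1]
    return None


def hex_bits(value):
    """Bit length of a 0x-prefixed hex key string, or None if malformed."""
    if not value.startswith("0x") or len(value) <= 2:
        return None
    if re.fullmatch(r"[0-9a-fA-F]+", value[2:]) is None:
        return None
    return (len(value) - 2) * 4


def lint_rule(rule):
    """Return a list of warnings for one ipsec.conf rule (assumed one line)."""
    toks = rule.split()
    warnings = []
    enc = _arg(toks, "enc")
    if not toks or enc is None:
        return warnings
    info = enc_key_bits(enc)
    if info is None:
        return warnings          # not a GCM/GMAC transform; nothing to say
    bits, confidential = info
    if not confidential:
        warnings.append("%s provides integrity only, no confidentiality" % enc)
    if toks[0] == "ike":
        return warnings          # IKE derives and re-keys the SA itself
    # Manual SA: a static key is exactly what RFC 4106/4543 forbid.
    # 'enckey' is assumed to be the keyword carrying the ESP key.
    enckey = _arg(toks, "enckey")
    if enckey is not None:
        warnings.append("static key with %s: RFC 4106/4543 forbid manual keying" % enc)
        got = hex_bits(enckey)
        if got is not None and got != bits:
            warnings.append("enckey is %d bits, %s needs %d (%d AES + %d-bit nonce)"
                            % (got, enc, bits, bits - NONCE_BITS, NONCE_BITS))
    return warnings


# Constructed sample rules (not from any real configuration).
SAMPLE_RULES = [
    "ike esp from 172.23.61.36 to 172.23.61.156 quick enc aes-256-gcm psk humppa",
    "ike esp from 172.23.61.36 to 172.23.61.156 quick enc aes-128-gmac psk humppa",
    "esp from 10.0.0.1 to 10.0.0.2 spi 0x1000:0x1001 enc aes-128-gcm enckey 0x" + "ab" * 16,
    "esp from 10.0.0.1 to 10.0.0.2 spi 0x1000:0x1001 enc aes-128-gcm enckey 0x" + "ab" * 20,
]


def lint_all(rules=SAMPLE_RULES):
    """Map each rule to its warnings; rules with none are omitted."""
    return {r: lint_rule(r) for r in rules if lint_rule(r)}


if __name__ == "__main__":
    for rule, warns in lint_all().items():
        print(rule)
        for w in warns:
            print("  warning:", w)
```

The IKE rule with `aes-256-gcm` passes cleanly; the `aes-128-gmac` rule gets the no-confidentiality note; the first manual rule is flagged both for the static key and for supplying 128 bits where 160 are needed, and the second manual rule is flagged for the static key alone.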
|
|
|
|
problem reported with the obvious fix for bgpd by Sebastian Benoit
<benoit-lists at fb12.de>, also PR 6432
applied to all the others by yours truly. ok theo
isn't it amazing how far this parser (and more) spread?
|
|
|
|
|
|
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
|
|
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
|
|
also required to fix the mandoc build.
"fine. even if mandoc goes nowhere, it has found some bugs ;)" jmc@
ok sobrado@
|
|
we don't know the size of, otherwise gcc >= 4 will error.
ok markus@ deraadt@
|
|
|
|
is used as the srcid, however the srcid type is not specified. Rectify this
by explicitly setting the srcid type to FQDN after successfully retrieving the
hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support
since get_id_type() returned ID_FQDN even when presented with a null pointer.
Issue reported by Mikolaj Kucharski.
|
|
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.
ok hshoexer@ markus@ todd@
|
|
allocations fails.
looks right deraadt, krw
ok henning
|
|
"ike" rules in ipsec.conf, the default peer is used. In theory
ipsecctl -f ipsec.conf can configure the default peer for each "ike"
entry. As isakmpd only supports one default peer, the last "ike"
rule that uses a default peer wins. This configuration is then
significant for all "ike" rules that use the default peer.
Now a warning is printed if a later rule in ipsec.conf changes the
configuration of the original default peer. This should be an error
but that would break existing user configs. So only a warning is
printed.
ok hshoexer@, todd@
|
|
lines later. No functional change.
ok grunk@, hshoexer@
|
|
|
|
keyword as argument for the peer parameter will do that. An ike
without peer creates the peer-default config. A flow without peer
acquires a host-to-host SA.
tested by grunk@, todd@, ok grunk@, hshoexer@, todd@
|
|
for easier debugging.
ok grunk@, hshoexer@, todd@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|