path: root/sbin/ipsecctl
Age | Commit message | Author
2006-06-28 | document lists, prodded by david@ | Hans-Joerg Hoexer
2006-06-18 | add group "none"; when chosen, pfs will be disabled. ok david msf | Hans-Joerg Hoexer
2006-06-16 | add a missing "force" | Hans-Joerg Hoexer
2006-06-16 | report the correct line number on an error. Noticed by david@ | Hans-Joerg Hoexer
2006-06-15 | be careful when touching the peer component of a rule. It is not necessarily set anymore, as now the peer can be left out. | Hans-Joerg Hoexer
2006-06-14 | recover list of key sizes from vpn(8); suggested by markus@, ok hshoexer@ | Christian Weisgerber
2006-06-13 | For IKE, allow main mode SHA2 and quick mode AESCTR transforms, which were recently added to isakmpd. ok hshoexer@, markus@ | Christian Weisgerber
2006-06-12 | Fix a typo that prevented ipsecctl -ss from showing authentication information for AH SAs. ok markus@, hshoexer@ | Christian Weisgerber
2006-06-11 | the default encryption algorithm with static keying is AES-CBC now; ok hshoexer@ | Christian Weisgerber
2006-06-11 | As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default. ok naddy@ | Hans-Joerg Hoexer
2006-06-11 | Adapt to recent changes (modp3072 is not the default anymore). Prodded by david@, thanks! | Hans-Joerg Hoexer
2006-06-10 | Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@ | Hans-Joerg Hoexer
2006-06-10 | switch back to original defaults regarding DH groups. modp3072 is too heavyweight. Testing by Jason George, thanks! | Hans-Joerg Hoexer
2006-06-10 | knf & careful data freeing, regression tested by todd | Theo de Raadt
2006-06-09 | simplify previous; | Jason McIntyre
2006-06-08 | fix usage, make synopsis more pretty. noticed by david@ | Hans-Joerg Hoexer
2006-06-08 | fix some indentation, noticed by david@ | Hans-Joerg Hoexer
2006-06-08 | Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@ | Christian Weisgerber
2006-06-08 | allocate enough storage via sockaddr_storage for sockaddr_in6, fixes ike29.in in regress looks right hshoexer@, ok naddy@ | Todd T. Fries
2006-06-08 | Fix a typo: When testing for quick mode lifetimes, make sure to reference quick mode lifetimes, too, not main mode lifetimes. Otherwise we might dereference a NULL pointer... | Hans-Joerg Hoexer
2006-06-08 | turns out this really doesn't break what is in the tree; ok hshoexer@ | Todd T. Fries
2006-06-07 | make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@. | Hans-Joerg Hoexer
2006-06-07 | Do not yet expand the "any" keyword to v6 addresses. ok todd@ | Hans-Joerg Hoexer
2006-06-07 | remove unused prototype, ok todd@ | Hans-Joerg Hoexer
2006-06-02 | correct spelling of specified | David Krause
2006-06-02 | exit(2) when loading of rules did work partially. ok markus@ | Hans-Joerg Hoexer
2006-06-02 | document port modifiers in ike rules | Christian Weisgerber
2006-06-02 | support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@ | Christian Weisgerber
2006-06-02 | print full information about tcpmd5 and ipcomp SAs, too | Markus Friedl
2006-06-02 | add trailing \ when printing multiple lines for an SA, this way the output of ipsecctl matches its input | Markus Friedl
2006-06-02 | mark up keywords using .Ic; ok hshoexer | Jason McIntyre
2006-06-02 | allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (i.e. Default-phase-[12]-lifetime). | Hans-Joerg Hoexer
2006-06-02 | simplify handling of peers. | Hans-Joerg Hoexer
2006-06-02 | some more cleanup and simplification, no functional change. | Hans-Joerg Hoexer
2006-06-02 | put src and dst host in dedicated structure. Make the API more compact which will soon simplify my life. | Hans-Joerg Hoexer
2006-06-02 | tiny style cleanup and white spaces | Hans-Joerg Hoexer
2006-06-02 | fix the formatting for sadb_register messages in monitor mode. put back one mistakenly deleted newline. ok hshoexer@ | Mathieu Sauve-Frankel
2006-06-02 | Simplify main/quick mode parsing and generation of the actual ike config. | Hans-Joerg Hoexer
2006-06-02 | Generalize parsing of main/quick mode specification. Preparation for lifetime support. | Hans-Joerg Hoexer
2006-06-02 | Prepare for parsing lifetimes for ike main and quick mode. Not enabled yet. | Hans-Joerg Hoexer
2006-06-01 | Final bits for SA grouping. | Hans-Joerg Hoexer
2006-06-01 | pfkey bits needed for SA grouping | Hans-Joerg Hoexer
2006-06-01 | address has two `d', and i had to use a dictionary to check ;) | Jason McIntyre
2006-06-01 | document port matching in flows; ok hshoexer@ | Christian Weisgerber
2006-06-01 | change the local-ID section name to always be unique as we may want to use more than one ISAKMP ID on the local peer. ok hshoexer@ | Mathieu Sauve-Frankel
2006-06-01 | Support flows with port modifiers for proto tcp/udp, e.g. flow proto udp from 1.2.3.4 port ntp to 5.6.7.8 ok hshoexer@ msf@ | Christian Weisgerber
2006-06-01 | more to free, needed for SA grouping. | Hans-Joerg Hoexer
2006-06-01 | convert pfkey to ipsec_rule and use ipsecctl_print_rule() when dumping the in-kernel SAs. this way we produce the same output as rule loading ok hshoexer | Markus Friedl
2006-06-01 | Add members dst2, proto2 and spi2 to struct ipsec_rule and define rule type "group". Needed for grouping. | Hans-Joerg Hoexer
2006-06-01 | Prepare for SA grouping. | Hans-Joerg Hoexer