path: root/sbin/ipsecctl
Age | Commit message | Author
2007-02-19 | tweak; | Jason McIntyre
2007-02-19 | Document NULL encryption. | Hans-Joerg Hoexer
2007-02-19 | Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks! ok markus@ | Hans-Joerg Hoexer
2007-02-19 | do not display empty authkey/enckey line when -k option is not specified. ok markus@ | Hans-Joerg Hoexer
2007-02-19 | undo previous commit and keep the original behaviour of the parser. asked for by deraadt@ | Hans-Joerg Hoexer
2007-02-16 | Address PR 5380: refer to DH MODP well-known group numbers. Thanks to sthen <at> symphytum DOT spacehopper DOT org | Chad Loder
2007-02-16 | Do not accept '\n' in quoted strings. Addresses issues noticed by Prabhu Gurumurthy <pgurumu () gmail ! com> (http://marc.theaimsgroup.com/?l=openbsd-misc&m=116060233106902&w=2), thanks! ok markus@ cloder@ (uhm, quite some time ago) | Hans-Joerg Hoexer
2007-01-10 | allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | Markus Friedl
2007-01-10 | add -k to usage(); | Jason McIntyre
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl
2007-01-03 | do not print secret keys by default, -k restores old behaviour; ok hshoexer | Markus Friedl
2007-01-02 | better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested) | Jun-ichiro itojun Hagino
2006-12-18 | call ike_setup_ids from a more appropriate location. ok hshoexer@ | Mathieu Sauve-Frankel
2006-12-12 | a rewrite of enc.4, hopefully a little more useful than what we previously had; more can go in here, so feel free... many thanks to ho for feedback, and angelos and cedric who i harangued endlessly to explain nat/ipsec to me; the ipsec.conf.5 change just moves some stuff more appropriate to enc.4; ok hshoexer | Jason McIntyre
2006-12-06 | SAD -> SADB; ok hshoexer | Jason McIntyre
2006-11-30 | typo: wrong rid for protocol | Markus Friedl
2006-11-30 | use rmv to unregister ipsec connections; ok hshoexer, ho | Markus Friedl
2006-11-30 | handle multiple SAs with different same src/dst but different port; store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer | Markus Friedl
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-11-24 | fix typo for remote port; from Brian Candler | Markus Friedl
2006-11-21 | do not delete sections that might be shared with other connections; however, this workaround might leak config entries in isakmpd; ok (for now) hshoexer | Markus Friedl
2006-11-13 | briefly describe phases 1 and 2, and use these terms more consistently in the rest of the page; help/ok hshoexer | Jason McIntyre
2006-11-13 | previous was not quite right; | Jason McIntyre
2006-11-13 | fix a macro mistake; | Jason McIntyre
2006-11-13 | Handle rules with addresses from mismatched address families correctly. ok msf@ | Ryan Thomas McBride
2006-11-10 | check both rule source and destination when grouping sa's; fixes PR5262 ok hshoexer@ | Mathieu Sauve-Frankel
2006-11-10 | When using -vv, also show grouped SAs. | Hans-Joerg Hoexer
2006-11-10 | Fix grouping for SAs. Now all combinations of SAs are possible, not only ESP+AH (ie. ESP inside AH). | Hans-Joerg Hoexer
2006-11-10 | Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263. | Hans-Joerg Hoexer
2006-11-01 | KNF unrelated to previous commit. | Ryan Thomas McBride
2006-11-01 | Add support for aggressive mode (from the k2k6 IPsec hackathon). ok hshoexer | Ryan Thomas McBride
2006-10-19 | note that all rules using enc0 should specify: keep state (if-bound) | Jason McIntyre
2006-09-29 | add a new section header, since DESCRIPTION is getting so large... | Jason McIntyre
2006-09-29 | make it clearer what needs to be run, and how; push manual keying down the list; move the rc stuff from ipsecctl to ipsec.conf; ok hshoexer | Jason McIntyre
2006-09-26 | a better description of what our automatic keying example is up to; ok hshoexer | Jason McIntyre
2006-09-22 | - document which parts need to be packet filtered, and why - move example ruleset into a more logical order - correct the if-bound example (spotted by hshoexer) help/ok markus hshoexer | Jason McIntyre
2006-09-22 | typo in err(); from bret.lambert@gmail.com, thanks! | Hans-Joerg Hoexer
2006-09-19 | sort SAs by spi; ok hshoexer | Markus Friedl
2006-09-18 | KNF and clean some trailing white spaces, no binary change. | Hans-Joerg Hoexer
2006-09-15 | reorganise the sections to make more sense; ok hshoexer ho | Jason McIntyre
2006-09-15 | clarification; | Jason McIntyre
2006-09-15 | add in filtering rules to allow keying daemons to talk; help/ok markus | Jason McIntyre
2006-09-14 | simplify an example. ok jmc@ | Hans-Joerg Hoexer
2006-09-13 | use "proto ipencap" for the gateway filter rules; pointed out by msf; explained by markus | Jason McIntyre
2006-09-12 | note that enc traffic is unencrypted; from mpf | Jason McIntyre
2006-09-12 | no need to Xr isakmpd.conf.5; | Jason McIntyre
2006-09-12 | add a section on packet filtering ipsec traffic; input henning markus mcbride ok mcbride hshoexer | Jason McIntyre
2006-09-11 | improvements for `local', `peer', and `psk'; ok hshoexer | Jason McIntyre
2006-09-11 | - document how to set ipsec stuff running at boot - remove hazy tcp md5 blurb ok hshoexer | Jason McIntyre
2006-09-07 | note that we can filter ipsec traffic on the enc interface; | Jason McIntyre