Age | Commit message | Author | |
---|---|---|---|
2007-01-10 | allow rule if there is at least _one_ matching address family combination. this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@ | Markus Friedl | |
2007-01-10 | add -k to usage(); | Jason McIntyre | |
2007-01-04 | don't pass -1 as a netmask; report vicviq at gmail.com | Markus Friedl | |
2007-01-03 | do not print secret keys by default, -k restores old behaviour; ok hshoexer | Markus Friedl | |
2007-01-02 | better support for IPv6 hostname/numeric representation. hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested) | Jun-ichiro itojun Hagino | |
2006-12-18 | call ike_setup_ids from a more appropriate location. ok hshoexer@ | Mathieu Sauve-Frankel | |
2006-12-12 | a rewrite of enc.4, hopefully a little more useful than what we previously had; more can go in here, so feel free... many thanks to ho for feedback, and angelos and cedric who i harangued endlessly to explain nat/ipsec to me; the ipsec.conf.5 change just moves some stuff more appropriate to enc.4; ok hshoexer | Jason McIntyre | |
2006-12-06 | SAD -> SADB; ok hshoexer | Jason McIntyre | |
2006-11-30 | typo: wrong rid for protocol | Markus Friedl | |
2006-11-30 | use rmv to unregister ipsec connections; ok hshoexer, ho | Markus Friedl | |
2006-11-30 | handle multiple SAs with different same src/dst but different port; store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer | Markus Friedl | |
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter | |
2006-11-24 | fix typo for remote port; from Brian Candler | Markus Friedl | |
2006-11-21 | do not delete sections that might be shared with other connections however, this workaround might leak config entries in isakmpd; ok (for now) hshoexer | Markus Friedl | |
2006-11-13 | briefly describe phases 1 and 2, and use these terms more consistently in the rest of the page; help/ok hshoexer | Jason McIntyre | |
2006-11-13 | previous was not quite right; | Jason McIntyre | |
2006-11-13 | fix a macro mistake; | Jason McIntyre | |
2006-11-13 | Handle rules with addresses from mismatched address families correctly. ok msf@ | Ryan Thomas McBride | |
2006-11-10 | check both rule source and destination when grouping sa's fixes PR5262 ok hshoexer@ | Mathieu Sauve-Frankel | |
2006-11-10 | When using -vv, also show grouped SAs. | Hans-Joerg Hoexer | |
2006-11-10 | Fix grouping for SAs. Now all combinations of SAs are possible, not only ESP+AH (ie. ESP inside AH). | Hans-Joerg Hoexer | |
2006-11-10 | Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263. | Hans-Joerg Hoexer | |
2006-11-01 | KNF unrelated to previous commit. | Ryan Thomas McBride | |
2006-11-01 | Add support for aggressive mode (from the k2k6 IPsec hackathon). ok hshoexer | Ryan Thomas McBride | |
2006-10-19 | note that all rules using enc0 should specify: keep state (if-bound) | Jason McIntyre | |
2006-09-29 | add a new section header, since DESCRIPTION is getting so large... | Jason McIntyre | |
2006-09-29 | make it clearer what needs to be run, and how; push manual keying down the list; move the rc stuff from ipsecctl to ipsec.conf; ok hshoexer | Jason McIntyre | |
2006-09-26 | a better description of what our automatic keying example is up to; ok hshoexer | Jason McIntyre | |
2006-09-22 | - document which parts need to be packet filtered, and why - move example ruleset into a more logical order - correct the if-bound example (spotted by hshoexer) help/ok markus hshoexer | Jason McIntyre | |
2006-09-22 | typo in err(); from bret.lambert@gmail.com, thanks! | Hans-Joerg Hoexer | |
2006-09-19 | sort SAs by spi; ok hshoexer | Markus Friedl | |
2006-09-18 | KNF and clean some trailing white spaces, no binary change. | Hans-Joerg Hoexer | |
2006-09-15 | reorganise the sections to make more sense; ok hshoexer ho | Jason McIntyre | |
2006-09-15 | clarification; | Jason McIntyre | |
2006-09-15 | add in filtering rules to allow keying daemons to talk; help/ok markus | Jason McIntyre | |
2006-09-14 | simplify an example. ok jmc@ | Hans-Joerg Hoexer | |
2006-09-13 | use "proto ipencap" for the gateway filter rules; pointed out by msf; explained by markus | Jason McIntyre | |
2006-09-12 | note that enc traffic is unencrypted; from mpf | Jason McIntyre | |
2006-09-12 | no need to Xr isakmpd.conf.5; | Jason McIntyre | |
2006-09-12 | add a section on packet filtering ipsec traffic; input henning markus mcbride ok mcbride hshoexer | Jason McIntyre | |
2006-09-11 | improvements for `local', `peer', and `psk'; ok hshoexer | Jason McIntyre | |
2006-09-11 | - document how to set ipsec stuff running at boot - remove hazy tcp md5 blurb ok hshoexer | Jason McIntyre | |
2006-09-07 | note that we can filter ipsec traffic on the enc interface; | Jason McIntyre | |
2006-09-07 | improve the tcpmd5 section; ok claudio hshoexer | Jason McIntyre | |
2006-09-07 | move all the auth/enc/group stuff into one definitive section; help from ho hshoexer | Jason McIntyre | |
2006-09-06 | start to group the parameters for AUTOMATIC KEYING in a more logical way; ok hshoexer | Jason McIntyre | |
2006-09-05 | knock out a ton of Aq/Xo/Xc that was either unneeded, or just plain wrong; | Jason McIntyre | |
2006-09-05 | document line splitting using `\'; | Jason McIntyre | |
2006-09-05 | slight text shuffle, and make the isakmpd bits clearer; ok hshoexer | Jason McIntyre | |
2006-09-04 | some wording fixes for the section headers and minor tweaks; | Jason McIntyre | |