summaryrefslogtreecommitdiff
path: root/sbin/ipsecctl
AgeCommit message (Collapse)Author
2007-01-10allow rule if there is at least _one_ matching address family combination.Markus Friedl
this allows 'flow from lo0 to 127.0.0.1' if lo0 has an ipv6 address. ok itojun@, hshoexer@
2007-01-10add -k to usage();Jason McIntyre
2007-01-04don't pass -1 as a netmask; report vicviq at gmail.comMarkus Friedl
2007-01-03do not print secret keys by default, -k restores old behaviour; ok hshoexerMarkus Friedl
2007-01-02better support for IPv6 hostname/numeric representation.Jun-ichiro itojun Hagino
hostname/prefixlen works only for IPv4-only hostname. markus ok (regress tested)
2006-12-18call ike_setup_ids from a more appropriate location.Mathieu Sauve-Frankel
ok hshoexer@
2006-12-12a rewrite of enc.4, hopefully a little more useful than what we previouslyJason McIntyre
had; more can go in here, so feel free... many thanks to ho for feedback, and angelos and cedric who i harangued endlessly to explain nat/ipsec to me; the ipsec.conf.5 change just moves some stuff more appropriate to enc.4; ok hshoexer
2006-12-06SAD -> SADB; ok hshoexerJason McIntyre
2006-11-30typo: wrong rid for protocolMarkus Friedl
2006-11-30use rmv to unregister ipsec connections; ok hshoexer, hoMarkus Friedl
2006-11-30handle multiple SAs with different same src/dst but different port;Markus Friedl
store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer
2006-11-24add support to tag ipsec traffic belonging to specific IKE-initiatedReyk Floeter
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
2006-11-24fix typo for remote port; from Brian CandlerMarkus Friedl
2006-11-21do not delete sections that might be shared with other connectionsMarkus Friedl
however, this workaround might leak config entries in isakmpd; ok (for now) hshoexer
2006-11-13briefly describe phases 1 and 2, and use these terms moreJason McIntyre
consistently in the rest of the page; help/ok hshoexer
2006-11-13previous was not quite right;Jason McIntyre
2006-11-13fix a macro mistake;Jason McIntyre
2006-11-13Handle rules with addresses from mismatched address families correctly.Ryan Thomas McBride
ok msf@
2006-11-10check both rule sourace and destination when grouping sa'sMathieu Sauve-Frankel
fixes PR5262 ok hshoexer@
2006-11-10When using -vv, also show grouped SAs.Hans-Joerg Hoexer
2006-11-10Fix grouping for SAs. Now all combinations of SAs are possible,Hans-Joerg Hoexer
not only ESP+AH (ie. ESP inside AH).
2006-11-10Do not count sa, ike and tcpmd5 rules twice. Fixes PR 5263.Hans-Joerg Hoexer
2006-11-01KNF unrelated to previous commit.Ryan Thomas McBride
2006-11-01Add support for aggressive mode (from the k2k6 IPsec hackathon).Ryan Thomas McBride
ok hshoexer
2006-10-19note that all rules using enc0 should specify: keep state (if-bound)Jason McIntyre
2006-09-29add a new section header, since DESCRIPTION is getting so large...Jason McIntyre
2006-09-29make it clearer what needs to be run, and how; push manual keying downJason McIntyre
the list; move the rc stuff from ipsecctl to ipsec.conf; ok hshoexer
2006-09-26a better description of what our automatic keying example is up to;Jason McIntyre
ok hshoexer
2006-09-22- document which parts need to be packet filtered, and whyJason McIntyre
- move example ruleset into a more logical order - correct the if-bound example (spotted by hshoexer) help/ok markus hshoexer
2006-09-22typo in err(); from bret.lambert@gmail.com, thanks!Hans-Joerg Hoexer
2006-09-19sort SAs by spi; ok hshoexerMarkus Friedl
2006-09-18KNF and clean some trailing white spaces, no binary change.Hans-Joerg Hoexer
2006-09-15reorganise the sections to make more sense;Jason McIntyre
ok hshoexer ho
2006-09-15clarification;Jason McIntyre
2006-09-15add in filtering rules to allow keying daemons to talk;Jason McIntyre
help/ok markus
2006-09-14simplify an example. ok jmc@Hans-Joerg Hoexer
2006-09-13use "proto ipencap" for the gateway filter rules;Jason McIntyre
pointed out by msf; explained by markus
2006-09-12note that enc traffic is unecrypted; from mpfJason McIntyre
2006-09-12no need to Xr isakmpd.conf.5;Jason McIntyre
2006-09-12add a section on packet filtering ipsec traffic;Jason McIntyre
input henning markus mcbride ok mcbride hshoexer
2006-09-11improvememnts for `local', `peer', and `psk'; ok hshoexerJason McIntyre
2006-09-11- document how to set ipsec stuff running at bootJason McIntyre
- remove hazy tcp md5 blurb ok hshoexer
2006-09-07note that we can filter ipsec traffic on the enc interface;Jason McIntyre
2006-09-07improve the tcpmd5 section; ok claudio hshoexerJason McIntyre
2006-09-07move all the auth/enc/group stuff into one definitive section;Jason McIntyre
help from ho hshoexer
2006-09-06start to group the parameters for AUTOMATIC KEYING in a more logical way;Jason McIntyre
ok hshoexer
2006-09-05knock out a ton of Aq/Xo/Xc that was either unneeded, or just plain wrong;Jason McIntyre
2006-09-05document line splitting using `\';Jason McIntyre
2006-09-05slight text shuffle, and make the isakmpd bits clearer;Jason McIntyre
ok hshoexer
2006-09-04some wording fixes for the section headers and minor tweaks;Jason McIntyre