Age | Commit message | Author |
|
with Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@
|
ok ho@
|
- remove some unnecessary .Pp's
- mdoc a list
ok ho@
|
Niels Provos.
|
- some mdoc fixes
|
ok ho@
|
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs,
i.e. all connections.
ok niklas@, tested and ok kjell@.
|
ok deraadt@
|
in the same proposal. This time, mention that this also applies to mixing
PFS and non-PFS suites.
|
and I forgot all about it.
|
reordering.
|
pointed out by Aref Taidi. Replace this with a "Default-Phase-1-Configuration"
that will be used if this tag is missing from the peer. Update manpage
accordingly. niklas@ ok.
|
Some style mods, and checks added for OpenSSL version 0.9.7 or later.
Currently CRLs are not supported for earlier versions.
Manual pages updated.
|
section.
|
Powered by @mantoya:
o) kill extra line in the end of file;
o) kill extra space in the end of line;
o) replace blank lines with .Pp;
millert@ ok
|
o) wrap long lines;
o) fix bogus .Xr usage;
o) we don't like blank lines;
o) always close .Bl tags;
o) OpenBSD -> .Ox;
o) don't like .Pp before .Ss;
millert@ ok;
|
"pregenerated", so indicate which aren't. 'Default-phase-N-lifetime'
replaces LIFE_nnn_SECS.
|
Also add a BUGS section describing why combining predefined MD5 and
SHA suites in the same quick-mode proposal will currently not work.
|
earlier today :-)
|
author: ho
Lifetime is KILOBYTES, not BYTES. Noticed by <jj@dynarc.se>
|
this is consistent.
|
author: angelos
Add Default-phase-1-ID tag in [General], and document its use.
author: angelos
isakmpd can now negotiate transport protocol/ports (either through the
configuration file or through kernel ACQUIREs).
|
author: niklas
sync with OpenBSD
|
author: niklas
heh, backspace as a continuation character, yeah right!
author: angelos
Mention Remote-ID tag in ISAKMP-peer section, and also that it doesn't
currently work.
author: angelos
It's "Local-address", not "Listen-address" in the ISAKMP-peer section.
author: angelos
Mention RIPEMD.
|
samples/VPN-east.conf: Merge with EOM 1.12
samples/VPN-west.conf: Merge with EOM 1.13
samples/policy: Merge with EOM 1.6
samples/singlehost-west.conf: Merge with EOM 1.9
samples/singlehost-east.conf: Merge with EOM 1.9
conf.c: Merge with EOM 1.37
ipsec.c: Merge with EOM 1.133
ipsec_num.cst: Merge with EOM 1.4
isakmpd.conf.5: Merge with EOM 1.48
isakmpd.policy.5: Merge with EOM 1.21
policy.c: Merge with EOM 1.46
author: angelos
AES support.
|
gmp_util.c: Merge with EOM 1.7
isakmpd.conf.5: Merge with EOM 1.47
author: ho
(c)-2000
|
author: ho
Mention 'Default' tag in Phase 1 section, modify peer tag descriptions
to match. Phase 1 peer transport 'udp' is now a default value. The
'Stayalive' flag died long ago, remove it from the example. Also
remove reference to the likewise dead 'Next-hop' tag. Some minor cleanup.
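The commit messages above describe several defaulting rules of the isakmpd.conf format without showing them together: the "Default-Phase-1-Configuration" fallback used when a peer section lacks a Configuration tag, the "Default-phase-1-ID" tag in [General], the "Default-phase-N-lifetime" tags, the "Default" entry in the [Phase 1] section and the udp transport default. The fragment below is an added example, not a sample file from the log or from the isakmpd tree, showing how those tags combine in one phase 1 configuration. The tag and section names come from the messages above and from isakmpd.conf(5); the addresses, the section names ISAKMP-peer-east, ISAKMP-peer-any, ID-west and Default-main-mode, and the pre-shared key are assumptions made up for illustration. Phase 2 connections are left out on purpose, so this file only exercises the phase 1 defaults.

```ini
# Added illustration of isakmpd.conf phase 1 defaulting; not from the commit log.
# Addresses, section names and the key below are assumptions for the example.

[General]
Listen-on=                      10.1.0.2
# Used as our phase 1 identity when a peer section gives no ID tag.
Default-phase-1-ID=             ID-west
# Used when a peer section gives no Configuration tag.
Default-phase-1-configuration=  Default-main-mode
# Lifetimes are written as value,min:max (seconds).
Default-phase-1-lifetime=       3600,60:86400
Default-phase-2-lifetime=       1200,60:7200

[Phase 1]
# Explicit peer, matched by its address.
10.1.0.1=                       ISAKMP-peer-east
# Any other peer falls through to this section.
Default=                        ISAKMP-peer-any

# Fully specified peer: every tag is given, so no [General] default applies.
[ISAKMP-peer-east]
Phase=                          1
Transport=                      udp
Local-address=                  10.1.0.2
Address=                        10.1.0.1
Configuration=                  Default-main-mode
ID=                             ID-west
Authentication=                 mekmitasdigoat

# Catch-all peer: no Transport, Configuration or ID tag, so udp,
# Default-phase-1-configuration and Default-phase-1-ID from [General] are used.
[ISAKMP-peer-any]
Phase=                          1
Authentication=                 mekmitasdigoat

[ID-west]
ID-type=                        IPV4_ADDR
Address=                        10.1.0.2

[Default-main-mode]
DOI=                            IPSEC
EXCHANGE_TYPE=                  ID_PROT
Transforms=                     3DES-SHA
```

The two peer sections are deliberately written at opposite extremes: the first repeats every tag so that a reader can see which values the second one inherits, and the catch-all section is the one that actually depends on the defaults described in the messages above.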
|
author: angelos
Some more text.
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: ho
Update re DOI:IPSEC and default p1/p2 lifetimes.
|
author: ho
Add initial text on auto-generated parts of the configuration.
Reorder example somewhat.
author: niklas
Doc fixes from OpenBSD
|