path: root/sbin/isakmpd/sa.h
Age  Commit message  Author
2004-08-10  Better implementation of the Dead Peer Detection protocol, RFC 3706.  Hakan Olsson
hshoexer@ ok.
2004-06-21  Implement NAT-T keepalive messages.  Hakan Olsson
2004-06-21  Port floating (500->4500) for p1 and p2 exchanges.  Hakan Olsson
2004-06-20  A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706  Hakan Olsson
2004-05-23  More KNF. Mainly spaces and line-wraps, no binary change.  Hans-Joerg Hoexer
ok ho@
2004-05-13  Extensions to the FIFO interface:  Hakan Olsson
"C get [section]:tag" fetches a configuration value. "C add [section]:tag=value" adds 'value' to a list, typically for the [Phase 2]:Connections tag. FIFO "S" command destination file changed. Various KNF cleanups. hshoexer@ ok.
2004-04-15  partial move to KNF. More to come. This has happened because there  Theo de Raadt
are a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer
2004-02-27  (C)-2004  Hakan Olsson
2004-02-27  Follow RFC 2408 more closely regarding how to better check the proposal  Hakan Olsson
returned by the other peer (the responder). Some implementations (notably the Cisco PIX) do not follow a SHOULD in section 4.2 of the RFC. With certain proposal combinations this caused us to set up the wrong SA, resulting in us being unable to process incoming IPsec traffic (over this tunnel). Tested against a number of different IKE implementations. hshoexer@ ok.
2003-06-04  Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos  Hakan Olsson
D. Keromytis and Niels Provos.
2003-05-16  If the "Renegotiate-on-HUP" tag is defined in the [General] section, a  Hakan Olsson
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e. all connections. ok niklas@, tested and ok kjell@.
2003-05-15  Cleanup. Do not store the private key in either the exchange or sa structs.  Hakan Olsson
2002-06-09  rm trailing whitespace  Todd T. Fries
2002-06-07  Add 'ikecfg' as a valid Flags= value.  Hakan Olsson
2002-03-17  Move SA_FILE definition to sa.h.  Angelos D. Keromytis
2002-03-17  Add 'T' and 'S' commands (for tearing-down and reporting all Phase 2  Angelos D. Keromytis
SAs), from bdallen@nps.navy.mil
2002-01-25  no static for sa_dump, explicit log cls/level  Hakan Olsson
2001-06-27  Keep track of the ACQUIRE sequence number, and pass it to the kernel  Angelos D. Keromytis
along with the ADD message.
2001-06-12  comment style  Niklas Hallqvist
2001-05-31  Get rid of recv_certlen, add sent_* and keynote_key fields,  Angelos D. Keromytis
explanations added.
2001-04-24  Correct SA refcounting. Fixes a bug where isakmpd could die when a peer was  Niklas Hallqvist
discovered to have rebooted, and old now invalid SAs had to be garbage-collected.
2001-01-27  (c) 2001  Niklas Hallqvist
2001-01-14  Handling of Phase 1 DELETE and Phase 2 INVALID_SPI messages  Angelos D. Keromytis
(newsham@lava.net)
2000-10-10  Merge with EOM 1.58  Niklas Hallqvist
author: provos  increase size of refcnt. okay niklas@
2000-08-03  Merge with EOM 1.57  Niklas Hallqvist
author: angelos  Add sa_enter() prototype.
2000-06-08  Merge with EOM 1.56  Niklas Hallqvist
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials may be passed in a single CERT payload. KeyNote is used if a directory named as the local ID we use in an exchange exists in the KeyNote directory (default: /etc/isakmpd/keynote/). Note that asymmetric credentials are possible (use KeyNote in one direction and X509 in the other); such authentication is envisioned to be the most common: the clients will use KeyNote credentials to authenticate and authorize with a server, whilst the server will just provide an X509 certificate proving its binding to the IP address or ID. Totally asymmetric authentication (e.g., shared key in one direction, RSA in the other) is not supported by the IKE protocol.
author: angelos
Begin support for KeyNote credentials exchanged.
2000-02-01  apps/certpatch/certpatch.8: Merge with EOM 1.4  Niklas Hallqvist
apps/certpatch/certpatch.c: Merge with EOM 1.6
exchange.c: Merge with EOM 1.114
ike_quick_mode.c: Merge with EOM 1.110
ike_phase_1.c: Merge with EOM 1.16
ike_auth.c: Merge with EOM 1.41
ike_aggressive.c: Merge with EOM 1.4
libcrypto.c: Merge with EOM 1.10
libcrypto.h: Merge with EOM 1.10
isakmpd.8: Merge with EOM 1.19
isakmpd.c: Merge with EOM 1.42
ipsec.h: Merge with EOM 1.40
init.c: Merge with EOM 1.22
message.c: Merge with EOM 1.143
message.h: Merge with EOM 1.49
sa.c: Merge with EOM 1.98
sa.h: Merge with EOM 1.54
policy.c: Merge with EOM 1.14
pf_key_v2.c: Merge with EOM 1.36
x509.c: Merge with EOM 1.32
x509.h: Merge with EOM 1.9
udp.c: Merge with EOM 1.46
author: niklas  Angelos copyrights
1999-08-26  ike_phase_1.c: Merge with EOM 1.8  Niklas Hallqvist
message.c: Merge with EOM 1.135
message.h: Merge with EOM 1.48
sa.c: Merge with EOM 1.97
sa.h: Merge with EOM 1.53
author: angelos  Complete policy work; tested for the shared-key case. Documentation needed.
1999-06-02  Merge with EOM 1.52  Niklas Hallqvist
author: ho  New flag
1999-04-27  sa.c: Merge with EOM 1.88  Niklas Hallqvist
sa.h: Merge with EOM 1.51
author: niklas  Handle leftover payloads, esp INITIAL CONTACT notifications. Factor out SA expiration setting. Add commentary.
author: ho  Keep track of trailing retransmissions by keeping exchanges around longer. Removed references to sa->last_sent_in_setup, use last_sent and last_received in exchange instead. Free setup exchanges by expiration only.
author: ho  Backout last change. (Go with exchange directly instead of sa->msg)
author: ho  Handle phase 2 late retransmissions.
1999-04-19  ./sa.h: Merge with EOM 1.47  Niklas Hallqvist
Remove SA_FLAG_REPLACED settings from various parts in preparation of a grand unified setting in exchange_finalize. Fix sa_mark_replaced to not release a reference to the sa, and adjust the API as it won't get called as a finalize func anymore.
1999-04-05  Merge with EOM 1.46  Niklas Hallqvist
New finalize API. Free keystate. 1999 copyrights
1999-03-31  Merge with EOM 1.44  Niklas Hallqvist
Add refcounting to SA's. Make phase 1 expirations be able to cause renegotiations if configured to.
1999-03-31  Merge with EOM 1.43  Niklas Hallqvist
the SA replace flag
1999-03-02  sa.c: Merge with EOM 1.67  Niklas Hallqvist
Add SA attributes, specifically stayalive
sa.h: Merge with EOM 1.42
Add SA attributes, specifically stayalive
pf_encap.c: Merge with EOM 1.46
Add SA attributes, specifically stayalive
exchange.c: Merge with EOM 1.65
Add SA attributes, specifically stayalive
1999-02-27  ipsec.c: Merge with EOM 1.83  Niklas Hallqvist
Only accept IPsec SAs when searching for such
sa.h: Merge with EOM 1.41
Stayalive connections as a default for now, init pf_encap_socket
pf_encap.c: Merge with EOM 1.45
Stayalive connections as a default for now, init pf_encap_socket
1999-02-26  Merge from the Ericsson repository  Niklas Hallqvist
| revision 1.40
| date: 1999/02/14 00:11:40; author: niklas; state: Exp; lines: +7 -4
| Generalize how to find SAs with given attributes. Do SA expiration both hard
| and soft, and do not rekey automatically anymore. We will revisit this by
| adding some kind of policy what to do at these times. Improve commentary
| ----------------------------
1998-12-21  Last month's worth of work on isakmpd, lots done  Niklas Hallqvist
1998-11-17  Add RCS Ids from the EOM repository  Niklas Hallqvist
1998-11-15  OpenBSD RCS IDs  Niklas Hallqvist
1998-11-15  Initial import of isakmpd, an IKE (ISAKMP/Oakley) implementation for the  Niklas Hallqvist
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems. It is not yet complete or usable in a real scenario but the missing pieces will soon be there. The early commit is for people who want early access and who are not afraid of looking at source. isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so far, so it is not that incomplete. It is really mostly configuration that is lacking.