Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
SAs), from bdallen@nps.navy.mil
|
|
|
|
along with the ADD message.
|
|
|
|
explanations added.
|
|
discovered to have rebooted, and old now invalid SAs had to be garbage-
collected.
|
|
|
|
(newsham@lava.net)
|
|
author: provos
increase size of refcnt. okay niklas@
|
|
author: angelos
Add sa_enter() prototype.
|
|
author: angelos
Allow exchange of KeyNote credentials over IKE. Multiple credentials
may be passed in a single CERT payload. KeyNote is used if a
directory named as the local ID we use in an exchange exists in the
KeyNote directory (default: /etc/isakmpd/keynote/). Note that
asymmetric credentials are possible (use KeyNote in one direction and
X509 in the other); such authentication is envisioned to be the most
common: the clients will use KeyNote credentials to authenticate and
authorize with a server, whilst the server will just provide an X509
certificate proving its binding to the IP address or ID.
Totally asymmetric authentication (e.g., shared key in one direction,
RSA in the other) is not supported by the IKE protocol.
author: angelos
Begin support for KeyNote credentials exchanged.
|
|
apps/certpatch/certpatch.c: Merge with EOM 1.6
exchange.c: Merge with EOM 1.114
ike_quick_mode.c: Merge with EOM 1.110
ike_phase_1.c: Merge with EOM 1.16
ike_auth.c: Merge with EOM 1.41
ike_aggressive.c: Merge with EOM 1.4
libcrypto.c: Merge with EOM 1.10
libcrypto.h: Merge with EOM 1.10
isakmpd.8: Merge with EOM 1.19
isakmpd.c: Merge with EOM 1.42
ipsec.h: Merge with EOM 1.40
init.c: Merge with EOM 1.22
message.c: Merge with EOM 1.143
message.h: Merge with EOM 1.49
sa.c: Merge with EOM 1.98
sa.h: Merge with EOM 1.54
policy.c: Merge with EOM 1.14
pf_key_v2.c: Merge with EOM 1.36
x509.c: Merge with EOM 1.32
x509.h: Merge with EOM 1.9
udp.c: Merge with EOM 1.46
author: niklas
Angelos copyrights
|
|
message.c: Merge with EOM 1.135
message.h: Merge with EOM 1.48
sa.c: Merge with EOM 1.97
sa.h: Merge with EOM 1.53
author: angelos
Complete policy work; tested for the shared-key case. Documentation needed.
|
|
author: ho
New flag
|
|
sa.h: Merge with EOM 1.51
author: niklas
Handle leftover payloads, esp INITIAL CONTACT notifications.
Factor out SA expiration setting. Add commentary.
author: ho
Keep track of trailing retransmissions by keeping exchanges around longer.
Removed references to sa->last_sent_in_setup, use last_sent and
last_received in exchange instead. Free setup exchanges by expiration only.
author: ho
Backout last change. (Go with exchange directly instead of sa->msg)
author: ho
Handle phase 2 late retransmissions.
|
|
Remove SA_FLAG_REPLACED settings from various parts in preparation of a
grand unified setting in exchange_finalize. Fix sa_mark_replaced to not
release a referance to the sa, and adjust the API as it won't get called
as a finalize func anymore.
|
|
New finalize API. Free keystate.
1999 copyrights
|
|
Add refcounting to SA's. Make phase 1 expirations be able to cause
renegotiations if configured to.
|
|
the SA replace flag
|
|
Add SA attributes, specifically stayalive
sa.h: Merge with EOM 1.42
Add SA attributes, specifically stayalive
pf_encap.c: Merge with EOM 1.46
Add SA attributes, specifically stayalive
exchange.c: Merge with EOM 1.65
Add SA attributes, specifically stayalive
|
|
Only accept IPsec SAs when searching for such
sa.h: Merge with EOM 1.41
Stayalive connections as a default for now, init pf_encap_socket
pf_encap.c: Merge with EOM 1.45
Stayalive connections as a default for now, init pf_encap_socket
|
|
| revision 1.40
| date: 1999/02/14 00:11:40; author: niklas; state: Exp; lines: +7 -4
| Generalize how to find SAs with given attributes. Do SA expiration both hard
| and soft, and do not rekey automatically anymore. We will revisit this by
| adding some kind of policy what to do at these times. Improve commentary
| ----------------------------
|
|
|
|
|
|
|
|
OpenBSD IPSEC stack by me, Niklas Hallqvist and Niels Provos, funded by
Ericsson Radio Systems. It is not yet complete or usable in a real scenario
but the missing pieces will soon be there. The early commit is for people
who wants early access and who are not afraid of looking at source.
isakmpd interops with Cisco, Timestep, SSH & Pluto (Linux FreeS/WAN) so
far, so it is not that incomplete. It is really mostly configuration that
is lacking.
|