Age | Commit message (Collapse) | Author |
|
Most of the patch from Arto Jonsson <ajonsson at kapsi dot fi>.
jmc@ agrees in principle that .Lk is the right macro to use.
While here, update a few broken links,
and add missing markup at a few places.
|
|
lteo@ noticed that ipsecctl allowed them within the ike rules
while isakmpd failed to load the generated configuration.
The fix was verified by hshoexer, ok naddy
|
|
ok mikeb@
|
|
has implications when dealing with leading zeroes. Prevent an incorrect
conversion of the EC point to the binary representation by inferring the
X and Y components' lengths from the EC group length and zeroing out the
appropriate chunks of the target buffer. From hshoexer@
|
|
|
|
It is going to get removed from libc and this file is the only
one using it.
discussed with deraadt@ guenther@
ok deraadt@
|
|
uses the FQDN type in NAT-T with transport mode.
ok markus
|
|
flow instead of the ID payload. This will fix a part of problems of
L2TP/IPsec from NAT'd clients.
ok markus@
tested by markus@ and myself.
|
|
isakmpd.8: rsa:1024 -> rsa:2048 (ok markus)
all: X509 -> X.509
from Lawrence Teo
|
|
ok mikeb@
|
|
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).
Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.
|
|
it skips leading zeroes if there are any. To accommodate the
difference with the protocol we need to prepend those zeroes
ourselves.
Fixes PR 6601, tested by Pawel Wieleba, sthen, otto.
Huge thanks to Pawel for spending nearly a week testing diffs.
ok sthen
|
|
ok sthen
|
|
|
|
ok sthen@ markus@
|
|
Previously, a specific check was made for any -D log option being
used and, if so, *no* -v log entries are made, losing potentially
useful log entries. ok lum@
|
|
for chars.
|
|
routing domain.
While here, update comment on what the ioctl is used for (from sthen@).
OK mikeb@, sthen@
|
|
number. Without this, isakmpd deletes SAs from the same IP on an
INITIAL-CONTACT message, possibly deleting unrelated NATed tunnels.
Fixes PR 5562. Verified by Mikolaj Kucharski.
ok mikeb@
|
|
ok mikeb@, djm@
|
|
blambert, ok jsg, "seems ok" todd
|
|
so, copy a small bit of logic to make DPD interop with FortiGate function
tested by me, ok mikeb@, silence from 'the usual suspects'
|
|
telnet portion partially from the latest heimdal.
ok mikeb@
|
|
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
|
|
from mikeb
|
|
the smaller implementation from iked that is using libcrypto instead.
This allows to remove a lot of code (which is always good), get rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows to share the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).
ok deraadt@
|
|
ok reyk
|
|
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
|
|
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
|
|
ok ho@ mpf@ krw@ sthen@ kjell@
|
|
ratchov, to avoid messing up his current diff...
|
|
|
|
|
|
and/or ASN1-DNs get not parsed correctly; with and ok krw@; ok reyk@
|
|
instead, .It is required. Thus, move .Pp and text before the .Bl,
and remove the .Pp altogether where it is not needed.
Syntax errors found by mandoc(1), also required to fix the mandoc build;
feedback and ok jmc@, and sobrado@ also supports the direction.
|
|
|
|
from routing messages retrieved via routing socket or sysctl.
Tested and OK sthen@, OK henning@
|
|
ok claudio@, henning@
|
|
- in ipsec_delete_spi_list() a log_verbose is added, when a remote peer
sends us a delete message for an SA. However, to avoid spamming the log
when SAs are deleted during re-keying, I only log_verbose, when the soft
timeout of the SA is not expired yet. Thus only deletion of live SAs
gets logged.
- in ipsec_decode_ids() I remove the additonal printing of IP-Adresses in
hex as the addresses are already printed in CIDR.
- while there, apply some KNF
ok todd@, mpf@, bluhm@
|
|
|
|
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
|
|
not valid during phase 2.
From Dirk Mast <condor2k at googlemail dot com>, thanks!
ok markus@
|
|
detached addresses. bind(2) will not allow this. ok hshoexer, fries
|
|
|
|
|
|
return NULL. This happens if isakmpd is configured for the other
address family. Add a NULL pointer check and initialize rv.
ok hshoexer
|
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
|
short for IPv6. Increase the buffer size from 80 to 200 where
appropriate. For the M command a buffer for 10 bytes is sufficient.
ok hshoexer@ mpf@ grunk@
|