path: root/sbin/isakmpd
Age | Commit message | Author
2006-09-19 | Use S_IS* macros instead of masking with S_IF* flags. The latter may have multiple bits set, which leads to surprising results. Spotted by/partly from Paul Stoeber, more to come. ok ho@ miod@ hshoexer@ | Otto Moerbeek
2006-09-15 | Remove "Delete-SAs" config option. This was needed for interaction with sasyncd(8). Now sasyncd(8) controls isakmpd(8) regarding SA deletion so this option is obsolete. ok mpf jmc | Hans-Joerg Hoexer
2006-09-09 | point people towards ipsec.conf.5; after some discussion w/ reyk ok hshoexer reyk | Jason McIntyre
2006-09-01 | use shell-independent examples; | Jason McIntyre
2006-09-01 | Add a new UI command to force isakmpd into passive only mode. Will be used by sasyncd to prevent two talking isakmpd's in an HA setup. Based on a diff by ho@. OK ho@, hshoexer@, deraadt@ | Marco Pfatschbacher
2006-08-31 | document an issue with subjectAltName found by reyk; ok hshoexer ho reyk | Jason McIntyre
2006-08-31 | remove a confusing sentence; ok hshoexer ho | Jason McIntyre
2006-08-30 | fix isakmpd -Ka, as used by bgpd, or acquire flows set up via ipsecctl. acquire flows need to be recorded on the fly via connection_record_passive(), otherwise later lookups fail and the policy check fails. ok hshoexer ho markus msf deraadt | Henning Brauer
2006-08-30 | rewording; from reyk cloder hshoexer ok ho | Jason McIntyre
2006-08-30 | need to retry writing to pfkey socket on EAGAIN, ok theo hshoexer | Henning Brauer
2006-08-30 | Make SA deletion on shutdown the default again. Use -S for failover situations where you do not want this. Discussed and agreed on with ho, mcbride, markus, cloder,... We will have to teach sasyncd to deal with this. Testing by msf and hshoexer with help from mtu ok markus cloder | Hans-Joerg Hoexer
2006-08-30 | Back out r1.103, which caused SA's to leak until memory was exhausted. OK hshoexer, nathanael, mpf, "get that in" deraadt | Chad Loder
2006-08-30 | do not call pf_key_v2_disable_sa twice; ok hshoexer, ho | Markus Friedl
2006-08-29 | Properly define quick mode suites for AH. With naddy. ok ho | Hans-Joerg Hoexer
2006-08-22 | correct function name in log message. | Hans-Joerg Hoexer
2006-07-24 | Style; return is not a function. hshoexer@ ok. | Hakan Olsson
2006-07-02 | Let isakmpd send out a vendor ID announcing isakmpd's release version. Will be handy for release specific bug fixes, etc. Suggested by markus@ quite some time ago. ok markus@ | Hans-Joerg Hoexer
2006-06-29 | Document that pcap files can only be written to the /var/run directory. | Hans-Joerg Hoexer
2006-06-18 | clean up some gotos. Originally from Andrey Matveev <evol at online dot ptt dot ru>. Ok and help moritz@ | Hans-Joerg Hoexer
2006-06-17 | Do not leak file descriptor in error path. From Andrey Matveev <evol at online dot ptt dot ru>, thanks! | Hans-Joerg Hoexer
2006-06-14 | indentation. | Hans-Joerg Hoexer
2006-06-11 | Document AESCTR for quick mode and SHA2-* for main mode. Help by jmc. ok jmc@ | Hans-Joerg Hoexer
2006-06-11 | tweaks; | Jason McIntyre
2006-06-10 | Document -S and the "Delete-SAs" tag. Those will enable SA deletion on shutdown. | Hans-Joerg Hoexer
2006-06-10 | Make deletion of SAs on shutdown optional. The default behaviour now is to not delete SAs. Needed for reliable ipsec failover. Suggested by mtu@. Moreover, this ensures that packets do not leak when isakmpd is shutdown. ok mcbride@, testing mtu@ | Hans-Joerg Hoexer
2006-06-10 | Allow isakmpd to use a different private rsa key per isakmp ID. Hans wrote this a long time ago, I synced it to -current and tested. ok hshoexer@ | Mathieu Sauve-Frankel
2006-06-10 | This shouldn't have been committed yet. | Hans-Joerg Hoexer
2006-06-10 | support sha2 for main mode hmacs and aesctr for quick mode encryption. ok markus@ ho@ | Hans-Joerg Hoexer
2006-06-09 | Allow for AH the use of the authentication algorithms added a while ago. Fix the indentation while we're here. ok hshoexer@ | Christian Weisgerber
2006-06-02 | Big spelling cleanup, no binary change. From david@ | Hans-Joerg Hoexer
2006-06-02 | Big whitespace cleanup. | Hans-Joerg Hoexer
2006-06-01 | Fix a comment | Hans-Joerg Hoexer
2006-05-31 | tiny KNF | Hans-Joerg Hoexer
2006-05-31 | Make sure, that phase 1 SAs of active connections stay alive. Fixes a DPD breakage noticed and reported by Mitja Muzenic. ok markus@ ho@, testing by Mitja and cloder@, discussed with Nathanael. | Hans-Joerg Hoexer
2006-05-30 | fix SA grouping. Now, esp+ah and ah+esp works again. ok markus@ | Hans-Joerg Hoexer
2006-05-29 | Do not use C++ comments. Noticed by markus. | Hans-Joerg Hoexer
2006-05-29 | export pf_key_v2_disable_sa() (unbreaks build) | Markus Friedl
2006-05-29 | Oops, return after calling sa_release() | Ryan Thomas McBride
2006-05-29 | Fix broken merge of patch. Pointed out by nathanael at polymorpheus dot com. | Ryan Thomas McBride
2006-05-28 | Assign a finalization event to the exchange initiated on soft expiry. If the exchange fails, the existing phase 1 SA is invalidated and the exchange is retried at the Exchange-Max-Time interval until the SA hard timeout expires. Another sasyncd-related fix from nathanael at polymorpheous dot com ok ho@ hshoexer@ | Ryan Thomas McBride
2006-05-28 | also report SA flags. | Hans-Joerg Hoexer
2006-05-28 | Change the default replay window for SAs created by the isakmpd responder to be DEFAULT_REPLAY_WINDOW instead of zero. The default replay window is then the same for both initiator and receiver. Fix from nathanael at polymorpheous dot com. ok hshoexer@ | Ryan Thomas McBride
2006-05-27 | document modp3072. | Hans-Joerg Hoexer
2006-05-27 | add group15/modp3072 to default configurations. | Hans-Joerg Hoexer
2006-05-26 | ipsectl -> ipsecctl | Jason McIntyre
2006-05-26 | vpn.8 removal; | Jason McIntyre
2006-05-26 | let us not talk about ipsecadm and vpn anymore; ok reyk | Theo de Raadt
2006-05-05 | correct correct rfc reference | Damien Miller
2006-05-05 | correct rfc reference | Damien Miller
2006-05-04 | check for degenerate Diffie-Hellman public exponents; ok markus@ hshoexer@ deraadt@ | Damien Miller