Age | Commit message | Author
|
(as AESGMAC) ciphers in the ISAKMP Phase 2 (aka Quick Mode).
Thoroughly tested by me and naddy. Works fine with Linux.
Requires updated pfkeyv2.h include file.
ok naddy
|
|
from mikeb
|
|
the smaller implementation from iked that is using libcrypto instead.
This allows removing a lot of code (which is always good), getting rid of
some custom crypto code by using libcrypto, theoretically adds
support for many new MODP and EC2N/ECP modes (but it is not configurable
yet), and allows sharing the dh.c/dh.h code in different codebases
(it is identical in isakmpd and iked, but could also be used elsewhere).
ok deraadt@
|
|
ok reyk
|
|
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8)
is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8)
and not worked on, but maybe in the future - I want to get IKEv2 support
first done right. So keep on using isakmpd(8) for IKEv1 for now...
ok deraadt@
|
|
'possibility', 'optins' -> 'options', 'resposne' -> 'response', 'unecessary' -> 'unnecessary', 'desination' -> 'destination'. Collected from various misc@
and tech@ postings, many by Brad Tilley.
|
|
ok ho@ mpf@ krw@ sthen@ kjell@
|
|
ratchov, to avoid messing up his current diff...
|
|
and/or ASN1-DNs do not get parsed correctly; with and ok krw@; ok reyk@
|
|
instead, .It is required. Thus, move .Pp and text before the .Bl,
and remove the .Pp altogether where it is not needed.
Syntax errors found by mandoc(1), also required to fix the mandoc build;
feedback and ok jmc@, and sobrado@ also supports the direction.
|
|
from routing messages retrieved via routing socket or sysctl.
Tested and OK sthen@, OK henning@
|
|
ok claudio@, henning@
|
|
- in ipsec_delete_spi_list() a log_verbose is added when a remote peer
sends us a delete message for an SA. However, to avoid spamming the log
when SAs are deleted during re-keying, I only log_verbose when the soft
timeout of the SA has not expired yet. Thus only deletion of live SAs
gets logged.
- in ipsec_decode_ids() I remove the additional printing of IP addresses in
hex as the addresses are already printed in CIDR.
- while there, apply some KNF
ok todd@, mpf@, bluhm@
|
|
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
|
|
not valid during phase 2.
From Dirk Mast <condor2k at googlemail dot com>, thanks!
ok markus@
|
|
detached addresses. bind(2) will not allow this. ok hshoexer, fries
|
|
return NULL. This happens if isakmpd is configured for the other
address family. Add a NULL pointer check and initialize rv.
ok hshoexer
|
|
ipsec.conf. The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.
Both config formats are changed so that they match. One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf. Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.
ok hshoexer, 'sounds good' todd
|
|
short for IPv6. Increase the buffer size from 80 to 200 where
appropriate. For the M command a buffer for 10 bytes is sufficient.
ok hshoexer@ mpf@ grunk@
|
|
instead of IPV6_ADDR_SUBNET where appropriate. Then isakmpd has
the same behaviour for IPv6 and IPv4.
ok markus@
|
|
option parsing. Found out the hard way by jdixon on ifstated.
ok sobrado@, jdixon@, millert@
|
|
each cmsg_len (i.e. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
|
|
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
|
|
an extensive discussion with otto, kettenis, millert, and hshoexer
|
|
ok deraadt
|
|
<mitja at muzenic dot net>, diff provided already quite some time ago,
many many thanks. This should have gone in months ago but I was slacking,
sorry for that.
|
|
From Igor Zinovik <zinovik@cs.karelia.ru>
ok hshoexer@
|
|
glitch introduced by previous commit.
ok markus@
|
|
is not passed over NFS (unless readdir+ is used). fixes pr 5557
with and ok hshoexer@
|
|
Cisco IOS and other initiators that only send their certs in response
to CERT_REQUEST.
With input and help from cloder@, Stuart Henderson, mpf@, and several
others who did lots of testing - thanks to all.
ok hshoexer@
|
|
zinovik@cs.karelia.ru. Thanks!
|
|
ok millert
|
|
have to expose the node to the outside.
Without this, conf_trans_node() created a node, linked it into the
conf_trans queue and returned it to the caller. If something failed
in one of the callers, the half-initialized node would still be
linked in the queue and could get accessed later on.
ok hshoexer@
|
|
ok and prodding @jmc
|
|
level 30. This was a huge cause of log spam at level 30 and below, and is
really not that useful.
|
|
mismatch without any log message stating so. This diff makes sure that
all phase 1 negotiation failures due to proposal attribute mismatch are
logged. Also change these messages from LOG_NEGOTIATION debug level 70 to
always be logged (not just with debug).
General idea OK hshoexer, tested here in production.
|