Age | Commit message (Collapse) | Author |
|
ok patrick@
|
|
|
|
filters in userland. But the packet type check was placed at the
wrong place so the hoplimit check was done against every icmpv6 packet
but not all of them have a hoplimit constraint.
tested and ok by me, committed on behalf of florian@
|
|
ok kn
|
|
the replacement.
ok markus@
|
|
ok markus@
|
|
config. work with and diff from kn
ok kn
|
|
cases.
|
|
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is still special, but this fits a lot better into
the overall architecture.
Tested with iOS, Strongswan and Windows
ok patrick@ sthen@
|
|
request. The locally configured request is used as fallback to find a
certificate or key to send. The local auth method for MSCHAP-V2 should
be IKEV2_AUTH_SIG_ANY, which defaults to X509 certificates, instead of
raw rsa keys.
Tested with Strongswan, iPhone and Windows
Found by and ok sthen@
ok patrick@
|
|
sufficient space to display v4 addresses cleanly, but which truncate v6
addresses. The -n flag on each already provides additional column width
for IPv6 addresses. Make this formatting the default.
OK phessler kn
|
|
OK kettenis@
|
|
Make setsockopt non-fatal in this case and just ignore the request.
Spotted in a diff by reyk for rad(8); discussed with claudio
|
|
Suggested by claudio and matthieu
Testing matthieu
Putting it in now to get enough testing before release so that there
is enough time to back it out, suggested by deraadt
|
|
resolvers.
OK kn
|
|
|
|
the CERTREQ is found, don't wait for more requests.
Correctly set type if cert was found as fallback.
ok patrick@
|
|
|
|
|
|
on acquire.
|
|
same time.
|
|
|
|
ok patrick@
|
|
|
|
|
|
|
|
is owned by ocsp_req and is cleaned up automatically.
|
|
responses. This fixes concurrent OCSP requests for different IKE SAs.
From Hans-Joerg Hoexer
ok patrick@
|
|
Lets unwind(8) run when another name server listens on the wildcard
address. Conflict with unbound(8) spotted by sthen@, ok florian@ deraadt@
|
|
Reported upstream.
|
|
all heavy lifting done by sthen in unbound
testing benno
|
|
ok patrick@
|
|
ikev2_log_cert_info().
ok patrick@
|
|
ok patrick@
|
|
|
|
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.
ok patrick@
|
|
grouping fixed-size values in 'struct iked_static' which is sent in
a single message.
ok patrick@
|
|
i replaced the suggested Cm/Ql mix with simple Dq;
|
|
ifconfig(8)'s TRUNK (LINK AGGREGATION) nicely combines the two drivers, so
omit common stuff from the driver specific manuals.
This aids in the overall design of having options documented in ifconfig(8)
alone unless they're inherently driver specific, e.g. "trunkproto" which
stays in trunk(4).
OK jmc
|
|
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.
ok patrick@
|
|
|
|
Make sure not to initiate new exchanges while waiting for an INFORMATIONAL
response.
ok markus@
|
|
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.
ok patrick@
|
|
|
|
sanity checks.
Feedback and ok patrick@
|
|
the outgoing interface in the source link-layer address ICMPv6 option
instead of the address of the last configured autoconf interface.
It is not the most efficient way to first transform an if_index into
an interface name and then iterate over all addresses but this is
also not in the hot path. Under normal operations slaacd will send
one solicitation when an interface is set to autoconf and then
never again because it will see unsolicited router advertisements
before addresses expire.
OK kn
|
|
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
|
|
ok patrick@
|
|
|
|
|