path: root/sbin
| Age | Commit message | Author |
|---|---|---|
| 2006-06-11 | the default encryption algorithm with static keying is AES-CBC now; ok hshoexer@ | Christian Weisgerber |
| 2006-06-11 | As naddy@ pointed out RFC 3686 discourages use of AESCTR for static keying. markus@ seconds this, so use AES CBC as default. ok naddy@ | Hans-Joerg Hoexer |
| 2006-06-11 | simplify usage(); ok krw deraadt | Jason McIntyre |
| 2006-06-11 | options are optional ;) | Jason McIntyre |
| 2006-06-11 | split this page up into sections: it was getting too messy to read; feedback/ok deraadt beck krw | Jason McIntyre |
| 2006-06-11 | Adapt to recent changes (modp3072 is not the default anymore). Prodded by david@, thanks! | Hans-Joerg Hoexer |
| 2006-06-11 | Document AESCTR for quick mode and SHA2-* for main mode. Help by jmc. ok jmc@ | Hans-Joerg Hoexer |
| 2006-06-11 | tweaks; | Jason McIntyre |
| 2006-06-10 | Document -S and the "Delete-SAs" tag. Those will enable SA deletion on shutdown. | Hans-Joerg Hoexer |
| 2006-06-10 | Make deletion of SAs on shutdown optional. The default behaviour now is to not delete SAs. Needed for reliable ipsec failover. Suggested by mtu@. Moreover, this ensures that packets do not leak when isakmpd is shut down. ok mcbride@, testing mtu@ | Hans-Joerg Hoexer |
| 2006-06-10 | Allow isakmpd to use a different private rsa key per isakmp ID. Hans wrote this a long time ago, I synced it to -current and tested. ok hshoexer@ | Mathieu Sauve-Frankel |
| 2006-06-10 | This shouldn't have been committed yet. | Hans-Joerg Hoexer |
| 2006-06-10 | support sha2 for main mode hmacs and aesctr for quick mode encryption. ok markus@ ho@ | Hans-Joerg Hoexer |
| 2006-06-10 | Better error message when a key file can not be opened or the provided key is not of correct size. Suggested by david@ | Hans-Joerg Hoexer |
| 2006-06-10 | switch back to original defaults regarding DH groups. modp3072 is too heavyweight. Testing by Jason George, thanks! | Hans-Joerg Hoexer |
| 2006-06-10 | knf & careful data freeing, regression tested by todd | Theo de Raadt |
| 2006-06-09 | Allow for AH the use of the authentication algorithms added a while ago. Fix the indentation while we're here. ok hshoexer@ | Christian Weisgerber |
| 2006-06-09 | EFI partition types; didickman@yahoo.com | Theo de Raadt |
| 2006-06-09 | Xo/Xc not needed here; from david | Jason McIntyre |
| 2006-06-09 | simplify previous; | Jason McIntyre |
| 2006-06-08 | fix usage, make synopsis more pretty. noticed by david@ | Hans-Joerg Hoexer |
| 2006-06-08 | fix some indentation, noticed by david@ | Hans-Joerg Hoexer |
| 2006-06-08 | Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@ | Christian Weisgerber |
| 2006-06-08 | allocate enough storage via sockaddr_storage for sockaddr_in6, fixes ike29.in in regress looks right hshoexer@, ok naddy@ | Todd T. Fries |
| 2006-06-08 | Fix a typo: When testing for quick mode lifetimes, make sure to reference quick mode lifetimes, too, not main mode lifetimes. Otherwise we might dereference a NULL pointer... | Hans-Joerg Hoexer |
| 2006-06-08 | turns out this really doesn't break what is in the tree; ok hshoexer@ | Todd T. Fries |
| 2006-06-07 | make sure we initialize unspecified keys and spis. Noticed by naddy@, ok naddy@. | Hans-Joerg Hoexer |
| 2006-06-07 | Do not yet expand the "any" keyword to v6 addresses. ok todd@ | Hans-Joerg Hoexer |
| 2006-06-07 | remove unused prototype, ok todd@ | Hans-Joerg Hoexer |
| 2006-06-06 | oops | Theo de Raadt |
| 2006-06-06 | System build pieces for armish arch. | Dale Rahn |
| 2006-06-05 | Simpler code for printing time sensors: no leak and no floating point. ok deraadt@ | Otto Moerbeek |
| 2006-06-04 | print time offsets much nicer | Theo de Raadt |
| 2006-06-03 | Use ifconfig delete/alias conforming with the man page. OK krw@ | Marco Pfatschbacher |
| 2006-06-03 | better synopsis for -g; ok mpf | Jason McIntyre |
| 2006-06-03 | groups are specified using -g, not -m; ok mpf | Jason McIntyre |
| 2006-06-03 | Do not set newaddr to 1 if "delete" was specified beforehand. In this case doalias is < 0. This fixes the problem where ifconfig em0 delete 10.0.0.1 created a 0.0.0.0/0 route entry and created a total mess because of that. Diff from markus@ OK beck@ markus@ | Claudio Jeker |
| 2006-06-03 | kill trailing whitespace; | Jason McIntyre |
| 2006-06-02 | Introduce attributes to interface groups. As a first user, move the global carp(4) demotion counter into the interface group. Thus we have the possibility to define which carp interfaces are demoted together. Put the demotion counter into the reserved field of the carp header. With this, we can have carp act smarter if multiple errors occur. It now always takes over other carp peers, that are advertising with a higher demote count. As a side effect, we can also have group failovers without the need of running in preempt mode. The protocol change does not break compatibility with older implementations. Collaborative work with mcbride@ OK mcbride@, henning@ | Marco Pfatschbacher |
| 2006-06-02 | Big spelling cleanup, no binary change. From david@ | Hans-Joerg Hoexer |
| 2006-06-02 | correct spelling of specified | David Krause |
| 2006-06-02 | Big whitespace cleanup. | Hans-Joerg Hoexer |
| 2006-06-02 | exit(2) when loading of rules did work partially. ok markus@ | Hans-Joerg Hoexer |
| 2006-06-02 | document port modifiers in ike rules | Christian Weisgerber |
| 2006-06-02 | support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@ | Christian Weisgerber |
| 2006-06-02 | backoff-cutoff defaults to 15 seconds; ok henning@ | Kevin Steves |
| 2006-06-02 | print full information about tcpmd5 and ipcomp SAs, too | Markus Friedl |
| 2006-06-02 | add trailing \ when printing multiple lines for an SA, this way the output of ipsecctl matches its input | Markus Friedl |
| 2006-06-02 | - sort options - sync usage() - clean up | Jason McIntyre |
| 2006-06-02 | mark up keywords using .Ic; ok hshoexer | Jason McIntyre |