Age | Commit message (Collapse) | Author | |
---|---|---|---|
2010-06-14 | Initial support for initiator mode which allows to run iked as a | Reyk Floeter | |
"client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests... | |||
2010-06-14 | the ikesa prf config option is currently broken | Reyk Floeter | |
2010-06-14 | fix block length for AES | Reyk Floeter | |
2010-06-14 | fix EAP responder mode | Reyk Floeter | |
2010-06-14 | NAT detection again: make it work in initiator and responder mode | Reyk Floeter | |
2010-06-14 | remove policy lookup debug message | Reyk Floeter | |
2010-06-14 | NAT detection with SPIr is always 0 | Reyk Floeter | |
2010-06-14 | restructure code a bit to move closer to initiator mode: | Reyk Floeter | |
- split responder/initiator- specific code into different functions and use shared functions for common stuff. - first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly. | |||
2010-06-14 | cleanup messages and parsed information correctly | Reyk Floeter | |
2010-06-14 | add define for saproto 0 | Reyk Floeter | |
2010-06-14 | More code for initiator mode (not finished yet) | Reyk Floeter | |
2010-06-11 | add some infrastructure to support timers and initiator mode later. | Reyk Floeter | |
2010-06-11 | tweak the code slightly so we can remove -lssl | Jonathan Gray | |
ok reyk@ | |||
2010-06-10 | don't print keywords as underlined arguments. | Reyk Floeter | |
2010-06-10 | update usage() | Reyk Floeter | |
2010-06-10 | Add the -S flag which does the same as "set passive" but matches the | Reyk Floeter | |
isakmpd flag. | |||
2010-06-10 | move a bzero of the x509 store context higher up so the | Jonathan Gray | |
cert validation does something useful. ok reyk@ | |||
2010-06-10 | add new commands: the couple/decouple commands will set loading of the | Reyk Floeter | |
learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet. | |||
2010-06-10 | Add another tree to lookup policy SAs by peer address. | Reyk Floeter | |
2010-06-10 | simplify the pfkey code by adding a pfkey_write() function | Reyk Floeter | |
2010-06-10 | small fix for sockaddr_cmp() | Reyk Floeter | |
2010-06-10 | i don't like splitting source code in too many source files but ikev2.c | Reyk Floeter | |
has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better. | |||
2010-06-10 | only call RB_REMOVE once when removing an SA. | Reyk Floeter | |
2010-06-09 | add missing headers needed for opendev() and close() | Charles Longeau | |
ok jsing@ krw@ | |||
2010-06-07 | $OpenBSD$ | Jonathan Gray | |
ok claudio@ | |||
2010-06-07 | Oups, an unused prototype sneaked into ifconfig. Found by jsg@ | Claudio Jeker | |
2010-06-07 | switch iked pki files to /etc/iked, discussed with reyk. | Jonathan Gray | |
2010-06-07 | various small tweaks; ok reyk | Jason McIntyre | |
2010-06-07 | various tweaks; ok reyk | Jason McIntyre | |
2010-06-07 | Enable iked/ikectl in the builds. iked is still in an early stage, | Reyk Floeter | |
but it helps people to get used to it and to start testing. requested by deraadt@ | |||
2010-06-07 | make clearer the relationship between isakmpd and ikev1; and iked and ikev2; | Jason McIntyre | |
ok reyk | |||
2010-06-07 | fix a quoting wobble for the srcnat keyword; verified by reyk | Jason McIntyre | |
2010-06-05 | Switch fsck_ffs(8) and fsdb(8) to opendev(3) so that they will soon be able | Joel Sing | |
to operate with disklabel UIDs. ok marco@ krw@ otto@ | |||
2010-06-04 | Fix NAT-T detection to enable UDP encapsulation. It was done before, | Reyk Floeter | |
but not in the right order to run the IKEv2 NAT detection and check the source port of the last IKE message which should be the NAT-T port 4500. Tested with iked running on sparc64 and a NAT'ed windows box. | |||
2010-06-04 | Merge interface flags and xflags before printing them. So it is possible to | Claudio Jeker | |
see if a interface is using the INET6_PRIVACY or is MPLS enabled. If xflags uses more then 16 flags something else must be figured out. OK stsp@ deraadt@ | |||
2010-06-03 | manpage tweaks | Reyk Floeter | |
2010-06-03 | Stop requiring the 'inet6' keyword when the 'autoconfprivacy' option is used. | Stefan Sperling | |
Simplifies enabling autoconf privacy from hostname.if files. A line such as 'rtsol autoconfprivacy' will now work, as documented in ifconfig(8). Pointed out by steven@. ok deraadt@ steven@ todd@ | |||
2010-06-03 | Add a new _iked user with uid 101 instead of (ab)using the _isakmpd user. | Reyk Floeter | |
ok deraadt@ | |||
2010-06-03 | remove my BINDIR override, pointed out by deraadt@ | Reyk Floeter | |
2010-06-03 | update the manpages for isakmpd(8) and ipsec.conf(5) to point to iked(8) | Reyk Floeter | |
for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8) is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8) and not worked on, but maybe in the future - I want to get IKEv2 support first done right. So keep on using isakmpd(8) for IKEv1 for now... ok deraadt@ | |||
2010-06-03 | Import iked, a new implementation of the IKEv2 protocol. | Reyk Floeter | |
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder. with lots of help and debugging by jsg@ ok deraadt@ | |||
2010-06-02 | Have dhclient obey the interface's rdomain, instead of doing routes on | Peter Hessler | |
rdomain 0. OK krw@, claudio@ sharp stick prodding from claudio@ | |||
2010-05-28 | tweak previous; | Jason McIntyre | |
2010-05-28 | Add mpls/-mpls commands to enable MPLS label switching on an interface. | Claudio Jeker | |
2010-05-25 | no Pp before/after Sh/Ss; | Jason McIntyre | |
2010-05-25 | use opendev(), as requested in 6373. document this using text borrowed from | Theo de Raadt | |
disklabel(8), and while at it, fix the usage code to not be utterly distasteful ok drahn | |||
2010-05-25 | match usage to the manual page, and borrow the description of 'disk' | Theo de Raadt | |
from disklabel(8), since it describes the effect of using opendev() | |||
2010-05-20 | document the optional arg to "flag", as requested by Thomas Pfaff; | Jason McIntyre | |
this version after some feedback from krw and otto; ok otto krw | |||
2010-05-19 | Use the newly committed version of strnlen from libc. ok millert@ kettenis@ | Dale Rahn | |
2010-05-19 | Set RTF_MPLS when playing with MPLS routes since this is now required. | Claudio Jeker | |
OK michele@ |