path: root/sbin
Age         Author            Commit message
2010-06-14  Reyk Floeter      Initial support for initiator mode which allows to run iked as a
                              "client" or to configure iked to iked (OpenBSD to OpenBSD) IKEv2 VPNs. It currently only supports psk (pre-shared keys) and no certificates, doesn't do any rekeying or SA timeouts, and needs more cleanup. So it is not quite production ready yet - but ready for simple tests...
2010-06-14  Reyk Floeter      the ikesa prf config option is currently broken
2010-06-14  Reyk Floeter      fix block length for AES
2010-06-14  Reyk Floeter      fix EAP responder mode
2010-06-14  Reyk Floeter      NAT detection again: make it work in initiator and responder mode
2010-06-14  Reyk Floeter      remove policy lookup debug message
2010-06-14  Reyk Floeter      NAT detection with SPIr is always 0
2010-06-14  Reyk Floeter      restructure code a bit to move closer to initiator mode:
                              - split responder/initiator-specific code into different functions and use shared functions for common stuff.
                              - first parse the received message and store information in the temporary message struct instead of modifying the ike sa in the parsing code directly.
2010-06-14  Reyk Floeter      cleanup messages and parsed information correctly
2010-06-14  Reyk Floeter      add define for saproto 0
2010-06-14  Reyk Floeter      More code for initiator mode (not finished yet)
2010-06-11  Reyk Floeter      add some infrastructure to support timers and initiator mode later.
2010-06-11  Jonathan Gray     tweak the code slightly so we can remove -lssl
                              ok reyk@
2010-06-10  Reyk Floeter      don't print keywords as underlined arguments.
2010-06-10  Reyk Floeter      update usage()
2010-06-10  Reyk Floeter      Add the -S flag which does the same as "set passive" but matches the
                              isakmpd flag.
2010-06-10  Jonathan Gray     move a bzero of the x509 store context higher up so the
                              cert validation does something useful. ok reyk@
2010-06-10  Reyk Floeter      add new commands: the couple/decouple commands will set loading of the
                              learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
2010-06-10  Reyk Floeter      Add another tree to lookup policy SAs by peer address.
2010-06-10  Reyk Floeter      simplify the pfkey code by adding a pfkey_write() function
2010-06-10  Reyk Floeter      small fix for sockaddr_cmp()
2010-06-10  Reyk Floeter      i don't like splitting source code in too many source files but ikev2.c
                              has grown too large, so split it in 3 files and rename a few functions to organize the code a bit better.
2010-06-10  Reyk Floeter      only call RB_REMOVE once when removing an SA.
2010-06-09  Charles Longeau   add missing headers needed for opendev() and close()
                              ok jsing@ krw@
2010-06-07  Jonathan Gray     $OpenBSD$
                              ok claudio@
2010-06-07  Claudio Jeker     Oops, an unused prototype sneaked into ifconfig. Found by jsg@
2010-06-07  Jonathan Gray     switch iked pki files to /etc/iked, discussed with reyk.
2010-06-07  Jason McIntyre    various small tweaks; ok reyk
2010-06-07  Jason McIntyre    various tweaks; ok reyk
2010-06-07  Reyk Floeter      Enable iked/ikectl in the builds. iked is still in an early stage,
                              but it helps people to get used to it and to start testing. requested by deraadt@
2010-06-07  Jason McIntyre    make clearer the relationship between isakmpd and ikev1; and iked and ikev2;
                              ok reyk
2010-06-07  Jason McIntyre    fix a quoting wobble for the srcnat keyword; verified by reyk
2010-06-05  Joel Sing         Switch fsck_ffs(8) and fsdb(8) to opendev(3) so that they will soon be able
                              to operate with disklabel UIDs. ok marco@ krw@ otto@
2010-06-04  Reyk Floeter      Fix NAT-T detection to enable UDP encapsulation. It was done before,
                              but not in the right order to run the IKEv2 NAT detection and check the source port of the last IKE message which should be the NAT-T port 4500. Tested with iked running on sparc64 and a NAT'ed windows box.
2010-06-04  Claudio Jeker     Merge interface flags and xflags before printing them. So it is possible to
                              see if an interface is using the INET6_PRIVACY or is MPLS enabled. If xflags uses more than 16 flags something else must be figured out. OK stsp@ deraadt@
2010-06-03  Reyk Floeter      manpage tweaks
2010-06-03  Stefan Sperling   Stop requiring the 'inet6' keyword when the 'autoconfprivacy' option is used.
                              Simplifies enabling autoconf privacy from hostname.if files. A line such as 'rtsol autoconfprivacy' will now work, as documented in ifconfig(8). Pointed out by steven@. ok deraadt@ steven@ todd@
2010-06-03  Reyk Floeter      Add a new _iked user with uid 101 instead of (ab)using the _isakmpd user.
                              ok deraadt@
2010-06-03  Reyk Floeter      remove my BINDIR override, pointed out by deraadt@
2010-06-03  Reyk Floeter      update the manpages for isakmpd(8) and ipsec.conf(5) to point to iked(8)
                              for IKEv2 and to clarify that a) isakmpd is IKEv1/ISAKMP only and b) iked(8) is IKEv2 only. ISAKMP/IKEv1 support is currently not supported by iked(8) and not worked on, but maybe in the future - I want to get IKEv2 support first done right. So keep on using isakmpd(8) for IKEv1 for now... ok deraadt@
2010-06-03  Reyk Floeter      Import iked, a new implementation of the IKEv2 protocol.
                              iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder. with lots of help and debugging by jsg@ ok deraadt@
2010-06-02  Peter Hessler     Have dhclient obey the interface's rdomain, instead of doing routes on
                              rdomain 0. OK krw@, claudio@ sharp stick prodding from claudio@
2010-05-28  Jason McIntyre    tweak previous;
2010-05-28  Claudio Jeker     Add mpls/-mpls commands to enable MPLS label switching on an interface.
2010-05-25  Jason McIntyre    no Pp before/after Sh/Ss;
2010-05-25  Theo de Raadt     use opendev(), as requested in 6373. document this using text borrowed from
                              disklabel(8), and while at it, fix the usage code to not be utterly distasteful ok drahn
2010-05-25  Theo de Raadt     match usage to the manual page, and borrow the description of 'disk'
                              from disklabel(8), since it describes the effect of using opendev()
2010-05-20  Jason McIntyre    document the optional arg to "flag", as requested by Thomas Pfaff;
                              this version after some feedback from krw and otto; ok otto krw
2010-05-19  Dale Rahn         Use the newly committed version of strnlen from libc. ok millert@ kettenis@
2010-05-19  Claudio Jeker     Set RTF_MPLS when playing with MPLS routes since this is now required.
                              OK michele@