3a5505f2 | 13-Apr-2024 | jmc <jmc@openbsd.org>
document "psk file path" notation; from josh rickmar ok tobhe

dd682bce | 22-Jul-2022 | jmc <jmc@openbsd.org>
add missing full stop;

87148674 | 22-Jul-2022 | tobhe <tobhe@openbsd.org>
Include an OpenIKED Vendor ID payload in the initial handshake. This will make it easier to handle interoperability problems with older versions in the future. The ID is constructed from the string "OpenIKED-" followed by the version number. Sending of the vendor ID payload can be disabled by specifying "set novendorid" in iked.conf(5).
ok markus@ bluhm@

aba4e7a5 | 13-Apr-2022 | tobhe <tobhe@openbsd.org>
Document sntrup761x25519 key exchange.

a4e61cf2 | 06-Feb-2022 | jsg <jsg@openbsd.org>
remove please from manual pages ok jmc@ sthen@ millert@

4cfb6c95 | 13-Nov-2021 | tobhe <tobhe@openbsd.org>
The key/nonce disclaimers were copied from ipsec.conf.5 but aren't relevant to iked. Encryption keys and nonces are generated by the handshake and don't have to be supplied in the config.

37fdffd8 | 09-Nov-2021 | tobhe <tobhe@openbsd.org>
Use more sensible transforms in example config.

a96cfcaa | 05-Nov-2021 | tobhe <tobhe@openbsd.org>
Clarify iface option.

439349a5 | 04-Nov-2021 | yasuoka <yasuoka@openbsd.org>
Clarify "aes" will accept keys whose length is in 128:256 bits. Also correct "cast" in ipsec.conf.5 to "cast128", add missing "chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 in some places.
ok jmc sthen

fc3e0ec8 | 26-Oct-2021 | tobhe <tobhe@openbsd.org>
Make proto config option accept a list to allow specifying multiple protocols for a single policy, e.g. "proto { ipencap, ipv6 }".
feedback and ok benno@ ok patrick@

bc917594 | 03-Aug-2021 | tobhe <tobhe@openbsd.org>
Increase default data bytes limit for Child SAs to 4 GB. Lower limits lead to excessive rekeying and lost data in high performance setups without much benefit.
Brought up by mvs@ ok patrick@ sthen@

04d11f74 | 11-Apr-2021 | tobhe <tobhe@openbsd.org>
Document 'request' option to request additional configuration payloads.
ok patrick@

264f8b22 | 13-Feb-2021 | tobhe <tobhe@openbsd.org>
Add dynamic address configuration for roadwarrior clients. The new 'iface' config option can be used to specify an interface for the virtual addresses received from the peer. Routes are automatically added based on the configured flows.
Input from sthen@ and claudio@ ok patrick@

6168d348 | 24-Jan-2021 | tobhe <tobhe@openbsd.org>
hmac-sha2-384 and hmac-sha2-512 are enabled by default.

fc01d564 | 23-Jan-2021 | tobhe <tobhe@openbsd.org>
Fix typos.
From Ryan Kavanagh ok patrick@

5f79cf97 | 28-Dec-2020 | tobhe <tobhe@openbsd.org>
Add back keyword "any" to match any IP address, which actually works after recent fixes.

c96fecc9 | 11-Dec-2020 | tobhe <tobhe@openbsd.org>
The keyword "any" does not actually work properly for traffic selectors. To match all traffic use 0.0.0.0/0 or ::/0.
ok patrick@

662e8c5a | 15-Nov-2020 | tobhe <tobhe@openbsd.org>
Document new 'dynamic' keyword to create flows from or to a dynamically assigned address.

dacabe47 | 23-Sep-2020 | tobhe <tobhe@openbsd.org>
Add new 'set cert_partial_chain' config option to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/.
ok patrick@

12ba51d6 | 26-Aug-2020 | tobhe <tobhe@openbsd.org>
Allow disabling DPD liveness checks by setting dpd_check_interval to 0.
ok patrick@

43d162a4 | 25-Aug-2020 | tobhe <tobhe@openbsd.org>
Add dpd_check_interval configuration option. If for any IKE SA no IPsec or IKE message has been received within the specified time interval, iked will start sending DPD messages.
ok patrick@

729f601b | 23-Aug-2020 | tobhe <tobhe@openbsd.org>
Add a new configuration option to limit the number of connections for each peer (identified by their 'dstid'). When 'set enforcesingleikesa' is enabled, each peer can only have one active IKE SA at a time. On successful authentication of a new connection, the old IKE SA is automatically deleted.
ok patrick@

4f9da335 | 21-Aug-2020 | tobhe <tobhe@openbsd.org>
Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of /etc/iked/ocsp/issuer.crt. Try to get the OCSP URL from the CA/issuer certificate, otherwise use the URL configured in 'set ocsp' in iked.conf.
ok patrick@

c973c574 | 18-Aug-2020 | tobhe <tobhe@openbsd.org>
Add optional time-stamp validation for ocsp. The new optional 'tolerate' parameter specifies how many seconds leeway are allowed in the check. The optional maxage parameter indicates the allowed maximum age of the `thisUpdate' OCSP attribute value.
ok patrick@

0db29f55 | 21-Jul-2020 | kn <kn@openbsd.org>
Provide GRE over transport mode example
First transport mode for child SAs was implemented, then a few interoperability issues have been identified with peers other than iked, now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this so this "just works".
Feedback tobhe deraadt sthen OK tobhe