History log of /openbsd/sbin/iked/iked.conf.5 (Results 1 – 25 of 96)
Revision Date Author Comments
# 3a5505f2 13-Apr-2024 jmc <jmc@openbsd.org>

document "psk file path" notation; from josh rickmar
ok tobhe


# dd682bce 22-Jul-2022 jmc <jmc@openbsd.org>

add missing full stop;


# 87148674 22-Jul-2022 tobhe <tobhe@openbsd.org>

Include an OpenIKED Vendor ID payload in the initial handshake. This will
make it easier to handle interoperability problems with older versions in
the future. The ID is constructed from the string "OpenIKED-" followed by
the version number.
Sending of the vendor ID payload can be disabled by specifying
"set novendorid" in iked.conf(5).

ok markus@ bluhm@


# aba4e7a5 13-Apr-2022 tobhe <tobhe@openbsd.org>

Document sntrup761x25519 key exchange.


# a4e61cf2 06-Feb-2022 jsg <jsg@openbsd.org>

remove please from manual pages
ok jmc@ sthen@ millert@


# 4cfb6c95 13-Nov-2021 tobhe <tobhe@openbsd.org>

The key/nonce disclaimers were copied from ipsec.conf.5 but aren't relevant
to iked. Encryption keys and nonces are generated by the handshake and don't
have to be supplied in the config.


# 37fdffd8 09-Nov-2021 tobhe <tobhe@openbsd.org>

Use more sensible transforms in example config.


# a96cfcaa 05-Nov-2021 tobhe <tobhe@openbsd.org>

Clarify iface option.


# 439349a5 04-Nov-2021 yasuoka <yasuoka@openbsd.org>

Clarify "aes" will accept keys whose length is in 128:256 bits. Also
correct "cast" in ipsec.conf.5 to "cast128", add missing
"chacha20-poly1305", and sync iked.conf.5 and ipsec.conf.5 in some
places.

ok jmc sthen


# fc3e0ec8 26-Oct-2021 tobhe <tobhe@openbsd.org>

Make proto config option accept a list to allow specifying multiple
protocols for a single policy, e.g. "proto { ipencap, ipv6 }".

feedback and ok benno@
ok patrick@


# bc917594 03-Aug-2021 tobhe <tobhe@openbsd.org>

Increase default data bytes limit for Child SAs to 4 GB.
Lower limits lead to excessive rekeying and lost data in high performance
setups without much benefit.

Brought up by mvs@
ok patrick@ sthen@


# 04d11f74 11-Apr-2021 tobhe <tobhe@openbsd.org>

Document 'request' option to request additional configuration payloads.

ok patrick@


# 264f8b22 13-Feb-2021 tobhe <tobhe@openbsd.org>

Add dynamic address configuration for roadwarrior clients.
The new 'iface' config option can be used to specify an interface
for the virtual addresses received from the peer.
Routes are automatically added based on the configured flows.

Input from sthen@ and claudio@
ok patrick@


# 6168d348 24-Jan-2021 tobhe <tobhe@openbsd.org>

hmac-sha2-384 and hmac-sha2-512 are enabled by default.


# fc01d564 23-Jan-2021 tobhe <tobhe@openbsd.org>

Fix typos.

From Ryan Kavanagh
ok patrick@


# 5f79cf97 28-Dec-2020 tobhe <tobhe@openbsd.org>

Add back keyword "any" to match any IP address, which actually works
after recent fixes.


# c96fecc9 11-Dec-2020 tobhe <tobhe@openbsd.org>

The keyword "any" does not actually work properly for traffic selectors.
To match all traffic use 0.0.0.0/0 or ::/0.

ok patrick@


# 662e8c5a 15-Nov-2020 tobhe <tobhe@openbsd.org>

Document new 'dynamic' keyword to create flows from or to a dynamically
assigned address.


# dacabe47 23-Sep-2020 tobhe <tobhe@openbsd.org>

Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in
/etc/iked/ca/.

ok patrick@


# 12ba51d6 26-Aug-2020 tobhe <tobhe@openbsd.org>

Allow disabling DPD liveness checks by setting dpd_check_interval to 0.

ok patrick@


# 43d162a4 25-Aug-2020 tobhe <tobhe@openbsd.org>

Add dpd_check_interval configuration option. If for any IKE SA no IPsec
or IKE message has been received within the specified time interval,
iked will start sending DPD messages.

ok patrick@


# 729f601b 23-Aug-2020 tobhe <tobhe@openbsd.org>

Add a new configuration option to limit the number of connections for
each peer (identified by their 'dstid'). When 'set enforcesingleikesa'
is enabled, each peer can only have one active IKE SA at a time.
On successful authentication of a new connection, the old IKE SA is
automatically deleted.

ok patrick@


# 4f9da335 21-Aug-2020 tobhe <tobhe@openbsd.org>

Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid of
/etc/iked/ocsp/issuer.crt.
Try to get the OCSP url from the CA/issuer certificate, otherwise
use the URL configured in 'set ocsp' in iked.conf.

ok patrick@


# c973c574 18-Aug-2020 tobhe <tobhe@openbsd.org>

Add optional time-stamp validation for ocsp. The new optional 'tolerate'
parameter specifies how many seconds of leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.

ok patrick@


# 0db29f55 21-Jul-2020 kn <kn@openbsd.org>

Provide GRE over transport mode example

First transport mode for child SAs was implemented, then a few
interoperability issues have been identified with peers other than iked,
now tobhe fixed pubkey (`rsa' ikeauth, default) usage based on this so this
"just works".

Feedback tobhe deraadt sthen
OK tobhe

