ff79c4f0 | 10-Jul-2020 | jmc <jmc@openbsd.org>
table fix;

0811f1a5 | 10-Jul-2020 | tobhe <tobhe@openbsd.org>
Document which crypto transforms are enabled by default.

15863c3a | 26-May-2020 | tobhe <tobhe@openbsd.org>
Add AES-GCM mode ciphers (IANA IDs 19 and 20) for IKEv2. They can be configured with the new ikesa enc options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
Tested with Strongswan by Stephan Mendling and myself
Tested with Juniper SRX by remi@
ok sthen@, patrick@

75a6c83b | 01-May-2020 | tobhe <tobhe@openbsd.org>
Clarify global 'set active' and 'set passive' options and how they interact with the per-policy active/passive options.
ok kn@

bc77414b | 28-Apr-2020 | tobhe <tobhe@openbsd.org>
Remove support for insecure EC2N groups. Clarify which Diffie-Hellman groups are not recommended to use and are only supported for backwards compatibility.
Feedback from sthen@ ok kn@

f4138986 | 27-Apr-2020 | tobhe <tobhe@openbsd.org>
Add curve25519 IANA group number.

48c01a1f | 23-Apr-2020 | jmc <jmc@openbsd.org>
ce examples of "Ar arg Ar arg" with "Ar arg arg" and stop the spread;

0347364b | 23-Apr-2020 | tobhe <tobhe@openbsd.org>
Add support for switching rdomain on IPsec encryption/decryption. It can be configured per policy with the new 'rdomain' option (see iked.conf(5)). Only the unencrypted (inner) rdomain has to be configured, the encrypted rdomain is always the one the responsible iked instance is running in.
The configured rdomain must exist before iked activates the IPsec SAs, otherwise pfkey will return an error.
ok markus@, patrick@

1565ef62 | 21-Feb-2020 | tobhe <tobhe@openbsd.org>
Add transport mode for child SAs. This is useful for GRE over IPsec and similar settings to prevent double encapsulation.
ok kn@

521965d7 | 16-Feb-2020 | kn <kn@openbsd.org>
Quote variables in pf tag strings
Macros are expanded by the parser at parse time, whereas variables are read as ordinary strings and left unmodified; hence, quoted `"$domain"' gets passed to the daemon as is, which substitutes proper values before passing it to the kernel. `$domain' without quotes never makes it to the daemon, that is with `domain = foo' somewhere else "foo" is being eventually passed unmodified to the kernel.
jmc prompted for a proper explanation and provided the final wording.
OK tobhe jmc

c9d6433d | 10-Feb-2020 | schwarze <schwarze@openbsd.org>
briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many

7b6d306a | 01-Dec-2019 | tobhe <tobhe@openbsd.org>
Explain how ipcomp can be enabled.
ok reyk@

0950f681 | 12-Nov-2019 | jmc <jmc@openbsd.org>
fix a formatting warning;

8ef05ea2 | 12-Nov-2019 | tobhe <tobhe@openbsd.org>
Add configuration options to explicitly specify ESN support for child SAs. The default behaviour remains unchanged.
ok mikeb@ bluhm@

1507cfe1 | 24-Aug-2019 | tobhe <tobhe@openbsd.org>
Clarify "protected-subnet" option.
Explain the use of the option (according to the RFC) and make clear it is not usually needed for subnets specified in "from" and "to" options.
ok sthen@

fa068206 | 16-Aug-2019 | tobhe <tobhe@openbsd.org>
Add explanation for the [IKE/ESP only] column of the transform table.
Ok kn@

65c540d0 | 11-May-2019 | patrick <patrick@openbsd.org>
Add support for IKEv2 Message Fragmentation as defined in RFC 7383.
ok sthen@

337280ec | 02-Apr-2019 | sthen <sthen@openbsd.org>
When curve25519 was added to iked, it was based on the internet-draft and used a private-use group number. Switch to the group number assigned in RFC8031 as used in other implementations.
"this is the right time" deraadt@ "I like the idea" reyk@
If you use iked<>iked and have configured curve25519 in iked.conf (this is not the default), you can switch to another PFS group before updating then switch back. OpenBSD 6.3+ allows multiple "ikesa" lines so the initiator can choose which to use.

05f43d8f | 31-Jan-2018 | patrick <patrick@openbsd.org>
Add support for specifying multiple transforms within a single proposal. This gives us more flexibility for negotiating with other IKEv2 setups.
Tested by and ok sthen@

ebfe4fe0 | 24-Jan-2018 | patrick <patrick@openbsd.org>
Implement support for specifying multiple proposals. This means we can have a higher flexibility in negotiating with other peers, or even ease migration from one proposal to a more secure one.
ok sthen@

c0b327e6 | 27-Nov-2017 | patrick <patrick@openbsd.org>
Implement MOBIKE (RFC 4555) support in iked(8), with us acting as responder. In practice this support means that clients like iPhones can roam in different networks (LTE, WiFi) and change their external addresses without having to re-do the whole handshake. It allows the client to choose how and when to change the external tunnel endpoint addresses on demand, depending on which network is better or even is connected at all.
ok sthen@ tweaks from jmc@ tested by a handful

8b2a2c17 | 01-Jun-2017 | sthen <sthen@openbsd.org>
Expand $eapid in iked tags, allowing PF rules to be written based on EAP identity (username). OK mikeb@

7251b63c | 27-Mar-2017 | jmc <jmc@openbsd.org>
correct verb pattern;

5e4d3a37 | 27-Mar-2017 | reyk <reyk@openbsd.org>
Add support for RFC4754 (ECDSA) and RFC7427 authentication.
These modes provide stronger and more flexible ways for authentication: while RSA public key auth relies on SHA-1 hashes, the new modes use SHA2-256 and up to SHA2-512 hashes.
Original diff from markus@ with patches from mikeb@ and me.
OK mikeb@ patrick@

87dd344f | 13-Mar-2017 | patrick <patrick@openbsd.org>
Clarify iked.conf(5) manpage in regards to IP compression.
ok markus@ reyk@