0c1280a3 | 07-Aug-2023 | dlg <dlg@openbsd.org>
support configuring interface SAs for route-based ipsec vpns.
add "Interface NUMBER" to the config parser to specify that once SAs have been negotiated with a peer, install the SAs with the sadb_x_iface extension set up, but skip installing the flows/SPD entries.
this allows for the negotiation of multiple esp tunnels covering all traffic between 0.0.0.0/0 and 0.0.0.0/0, and then being able to do something useful with them using the routing table and sec(4) interfaces instead of having SPD entries fight over those packets in the kernel.
this in turn allows interoperation with other ipsec/vpn solutions that require the negotiation of such tunnels.
support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@

2f1aa25b | 15-Jan-2018 | mpi <mpi@openbsd.org>
Spacing, no object change.

c03203f3 | 04-Jan-2018 | mpi <mpi@openbsd.org>
space -> tab
No object change.

e1e3bc4f | 26-Mar-2015 | mikeb <mikeb@openbsd.org>
Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone? ok markus, hshoexer

b9fc9a72 | 16-Jan-2015 | deraadt <deraadt@openbsd.org>
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)

deca7043 | 21-Nov-2013 | yasuoka <yasuoka@openbsd.org>
Keep the flow until last IPsec SA is deleted, if the flow is shared by multiple IPsec SAs in NAT-T case.
This fixes a problem where L2TP/IPsec connections are disconnected improperly in case multiple Windows clients are connected from behind one NAT.
ok markus

aa920ac7 | 24-Nov-2006 | reyk <reyk@openbsd.org>
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback, but it is safe to put it in now.
ok hshoexer@

5678a57a | 02-Jun-2006 | hshoexer <hshoexer@openbsd.org>
Big spelling cleanup, no binary change. From david@

86ba8605 | 23-Sep-2005 | hshoexer <hshoexer@openbsd.org>
Provide UI commands to delete phase 1 SAs.
Looks good moritz@

77825d14 | 08-Apr-2005 | deraadt <deraadt@openbsd.org>
always enable aggressive, dpd, and isakmp_cfg

e08f7a80 | 08-Apr-2005 | deraadt <deraadt@openbsd.org>
nat-traversal always

8cd03bd8 | 04-Apr-2005 | deraadt <deraadt@openbsd.org>
spacing; ok cloder

41885db1 | 04-Mar-2005 | hshoexer <hshoexer@openbsd.org>
remove unused stuff.
ok ho@

d650961e | 08-Dec-2004 | markus <markus@openbsd.org>
1. allow up to DPD_RETRANS_MAX retransmitted R_U_THERE messages. 2. reset dpd_failcount when switching to DPD_TIMER_NORMAL. 3. ignore DPD timeouts on SAs that are marked SA_FLAG_REPLACED. ok hshoexer, ho

e0d722f1 | 10-Aug-2004 | ho <ho@openbsd.org>
Better implementation of the Dead Peer Detection protocol, RFC 3706. hshoexer@ ok.

adfd2491 | 21-Jun-2004 | ho <ho@openbsd.org>
Implement NAT-T keepalive messages.

aa584aac | 21-Jun-2004 | ho <ho@openbsd.org>
Port floating (500->4500) for p1 and p2 exchanges.

c7adf84c | 20-Jun-2004 | ho <ho@openbsd.org>
A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706.

12f43dab | 23-May-2004 | hshoexer <hshoexer@openbsd.org>
More KNF. Mainly spaces and line-wraps, no binary change.
ok ho@

d2a2baa1 | 13-May-2004 | ho <ho@openbsd.org>
Extensions to the FIFO interface: "C get [section]:tag" fetches a configuration value. "C add [section]:tag=value" adds 'value' to a list, typically for the [Phase 2]:Connections tag. FIFO "S" command destination file changed. Various KNF cleanups. hshoexer@ ok.

fb9475d6 | 15-Apr-2004 | deraadt <deraadt@openbsd.org>
partial move to KNF. More to come. This has happened because there is a raft of source code auditors who are willing to help improve this code only if this is done, and hey, isakmpd does need our standard auditing process. ok ho hshoexer

f770aef6 | 27-Feb-2004 | ho <ho@openbsd.org>
(C)-2004

3f6b6c52 | 27-Feb-2004 | ho <ho@openbsd.org>
Follow RFC 2408 more closely regarding how to better check the proposal returned by the other peer (the responder). Some implementations (notably the Cisco PIX) do not follow a SHOULD in section 4.2 of the RFC. With certain proposal combinations this caused us to set up the wrong SA, resulting in us being unable to process incoming IPsec traffic (over this tunnel).
Tested against a number of different IKE implementations. hshoexer@ ok.

f3571e78 | 04-Jun-2003 | ho <ho@openbsd.org>
Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. Keromytis and Niels Provos.

4d27bb0f | 16-May-2003 | ho <ho@openbsd.org>
If the "Renegotiate-on-HUP" tag is defined in the [General] section, a HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs, i.e. all connections. ok niklas@, tested and ok kjell@.