History log of /openbsd/sbin/isakmpd/sa.h (Results 1 – 25 of 55)
Revision Date Author Comments
# 0c1280a3 07-Aug-2023 dlg <dlg@openbsd.org>

support configuring interface SAs for route-based ipsec vpns.

add "Interface NUMBER" to the config parser to specify that once
SAs have been negotiated with a peer, install the SAs with the
sadb_x_iface extension set up, but skip installing the flows/SPD
entries.

this allows for the negotiation of multiple esp tunnels covering
all traffic between 0.0.0.0/0 to 0.0.0.0/0, and then being able to
do something useful with them using the routing table and sec(4)
interfaces instead of having SPD entries fight over those packets
in the kernel.

this in turn allows interoperation with other ipsec/vpn solutions
that require the negotiation of such tunnels.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@


# 2f1aa25b 15-Jan-2018 mpi <mpi@openbsd.org>

Spacing, no object change.


# c03203f3 04-Jan-2018 mpi <mpi@openbsd.org>

space -> tab

No object change.


# e1e3bc4f 26-Mar-2015 mikeb <mikeb@openbsd.org>

Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
ok markus, hshoexer


# b9fc9a72 16-Jan-2015 deraadt <deraadt@openbsd.org>

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


# deca7043 21-Nov-2013 yasuoka <yasuoka@openbsd.org>

Keep the flow until last IPsec SA is deleted, if the flow is shared by
multiple IPsec SAs in NAT-T case.

This fixes a problem that L2TP/IPsec connections are disconnected
improperly in case multiple Windows clients are connected from behind
one NAT.

ok markus


# aa920ac7 24-Nov-2006 reyk <reyk@openbsd.org>

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@


# 5678a57a 02-Jun-2006 hshoexer <hshoexer@openbsd.org>

Big spelling cleanup, no binary change. From david@


# 86ba8605 23-Sep-2005 hshoexer <hshoexer@openbsd.org>

Provide UI commands to delete phase 1 SAs.

Looks good mortiz@


# 77825d14 08-Apr-2005 deraadt <deraadt@openbsd.org>

always enable aggressive, dpd, and isakmp_cfg


# e08f7a80 08-Apr-2005 deraadt <deraadt@openbsd.org>

nat-traversal always


# 8cd03bd8 04-Apr-2005 deraadt <deraadt@openbsd.org>

spacing; ok cloder


# 41885db1 04-Mar-2005 hshoexer <hshoexer@openbsd.org>

remove unused stuff.

ok ho@


# d650961e 08-Dec-2004 markus <markus@openbsd.org>

1. allow up to DPD_RETRANS_MAX retransmitted R_U_THERE messages.
2. reset dpd_failcount when switching to DPD_TIMER_NORMAL.
3. ignore DPD timeouts on SAs that are marked SA_FLAG_REPLACED.
ok hshoexer, ho
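
The three rules in this commit (a bounded number of R_U_THERE retransmissions, resetting the failure counter when the SA goes back to the normal DPD timer, and ignoring timeouts on SAs already marked replaced) are easy to get wrong in combination, so here is a small standalone model of that bookkeeping, written for this page as an added example. It is not isakmpd's code: the value of DPD_RETRANS_MAX, the enum names, and the struct layout are assumptions chosen for the model, and "proof of life" is collapsed into a single dpd_ack() call rather than the real RFC 3706 R_U_THERE/R_U_THERE_ACK exchange.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example: a standalone model of DPD liveness bookkeeping, not
 * isakmpd's own code. The constant value, enum names and struct fields
 * below are assumptions made for this model.
 */
#define DPD_RETRANS_MAX   5     /* assumed: retransmissions after the first R_U_THERE */
#define SA_FLAG_REPLACED  0x01  /* SA has been rekeyed and superseded */

enum dpd_timer  { DPD_TIMER_NORMAL, DPD_TIMER_RETRANS };
enum dpd_result { DPD_IGNORED, DPD_SENT, DPD_PEER_DEAD };

struct sa {
	unsigned int   flags;
	enum dpd_timer dpd_timer;     /* which DPD timer is armed for this SA */
	unsigned int   dpd_failcount; /* R_U_THERE messages sent without an ACK */
	bool           dead;          /* set once the peer is declared dead */
	unsigned int   sent;          /* total R_U_THERE sent, for inspection */
};

/* The DPD timer for this SA fired. */
enum dpd_result
dpd_timeout(struct sa *sa)
{
	/* Rule 3: a replaced SA is no longer probed; its successor is. */
	if (sa->flags & SA_FLAG_REPLACED)
		return DPD_IGNORED;
	if (sa->dead)
		return DPD_PEER_DEAD;
	/* Rule 1: the initial message plus DPD_RETRANS_MAX retransmissions. */
	if (sa->dpd_failcount > DPD_RETRANS_MAX) {
		sa->dead = true;
		return DPD_PEER_DEAD;
	}
	sa->sent++;
	sa->dpd_failcount++;
	sa->dpd_timer = DPD_TIMER_RETRANS; /* short retransmit interval */
	return DPD_SENT;
}

/* Proof of life arrived (R_U_THERE_ACK, or protected traffic from the peer). */
void
dpd_ack(struct sa *sa)
{
	/* Rule 2: back to the normal interval, and the failure count restarts. */
	sa->dpd_timer = DPD_TIMER_NORMAL;
	sa->dpd_failcount = 0;
}

/* Drive a peer that never answers; returns how many R_U_THERE went out. */
unsigned int
dpd_probe_silent_peer(struct sa *sa)
{
	while (dpd_timeout(sa) == DPD_SENT)
		continue;
	return sa->sent;
}

int
main(void)
{
	struct sa s = { 0 };

	printf("silent peer declared dead after %u R_U_THERE messages\n",
	    dpd_probe_silent_peer(&s));
	return 0;
}
```

The check worth keeping from this model is the interaction of rules 1 and 3: once an SA is rekeyed, its old copy must stop counting failures, otherwise a stale timer can tear down a peer that is answering perfectly well on the new SA.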


# e0d722f1 10-Aug-2004 ho <ho@openbsd.org>

Better implementation of the Dead Peer Detection protocol, RFC 3706.
hshoexer@ ok.


# adfd2491 21-Jun-2004 ho <ho@openbsd.org>

Implement NAT-T keepalive messages.


# aa584aac 21-Jun-2004 ho <ho@openbsd.org>

Port floating (500->4500) for p1 and p2 exchanges.


# c7adf84c 20-Jun-2004 ho <ho@openbsd.org>

A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706


# 12f43dab 23-May-2004 hshoexer <hshoexer@openbsd.org>

More KNF. Mainly spaces and line-wraps, no binary change.

ok ho@


# d2a2baa1 13-May-2004 ho <ho@openbsd.org>

Extensions to the FIFO interface:
"C get [section]:tag" fetches a configuration value.
"C add [section]:tag=value" adds 'value' to a list, typically for the
[Phase 2]:Connections tag. FIFO "S" command destination file changed.
Various KNF cleanups. hshoexer@ ok.


# fb9475d6 15-Apr-2004 deraadt <deraadt@openbsd.org>

partial move to KNF. More to come. This has happened because there
are a raft of source code auditors who are willing to help improve this
code only if this is done, and hey, isakmpd does need our standard
auditing process. ok ho hshoexer


# f770aef6 27-Feb-2004 ho <ho@openbsd.org>

(C)-2004


# 3f6b6c52 27-Feb-2004 ho <ho@openbsd.org>

Follow RFC 2408 more closely regarding how to better check the proposal
returned by the other peer (the responder). Some implementations (notably
the Cisco PIX) do not follow a SHOULD in section 4.2 of the RFC. With
certain proposal combinations this caused us to set up the wrong SA
resulting in us being unable to process incoming IPsec traffic (over this
tunnel).

Tested against a number of different IKE implementations.
hshoexer@ ok.


# f3571e78 04-Jun-2003 ho <ho@openbsd.org>

Remove the rest of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos
D. Keromytis and Niels Provos.


# 4d27bb0f 16-May-2003 ho <ho@openbsd.org>

If the "Renegotiate-on-HUP" tag is defined in the [General] section, a
HUP signal (or "R" to the FIFO) will also renegotiate all Phase 2 SAs,
i.e. all connections.
ok niklas@, tested and ok kjell@.

