Up to [local] / src / sbin / ipsecctl
Default branch: MAIN
Revision 1.84, Mon Aug 7 04:10:08 2023 UTC (10 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.83: +29 -16 lines
add support for route based ipsec vpn negotiation with sec(4) via isakmpd. this adds "interface secX" to the grammar that you can use instead of specifying tunnel/transport modes and traffic selectors. if you have config like "ike interface sec0 local ... peer ...", ipsecctl will generate the right config for isakmpd to negotiate esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however, this also specifies that they should be set up as interface SAs in the kernel for use with sec(4). this supports route-based instead of policy based ipsec encapsulation, and allows us to more easily operate with other vendors and products that also offer route-based vpns with opinions about the negotiated policy that doesn't fit with the SPD. support from many including markus@ tobhe@ claudio@ sthen@ patrick@; now is a good time deraadt@
Revision 1.83, Sat Jun 25 20:33:40 2022 UTC (23 months, 2 weeks ago) by mbuhl
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.82: +2 -2 lines
Use in_addr for AF_INET. OK bluhm
Revision 1.82, Fri Oct 27 08:29:32 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1, OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.81: +72 -18 lines
Support DH groups 19 to 21 and 25 to 30, just like iked(8) does. ok visa@, markus@
Revision 1.81, Wed Dec 9 21:41:50 2015 UTC (8 years, 6 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.80: +1 -7 lines
Remove plain DES encryption from IPsec. DES is insecure since brute force attacks are practical due to its short key length. This removes support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8). ok mikeb@
Revision 1.80, Mon May 25 19:29:36 2015 UTC (9 years ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.79: +3 -3 lines
bump up the default Diffie-Hellman group to modp3072; ok mikeb@ djm@
Revision 1.79, Fri Jan 16 06:39:58 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.78: +3 -2 lines
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
Revision 1.78, Sun Aug 25 23:15:20 2013 UTC (10 years, 9 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.77: +2 -1 lines
the comment that comma characters cannot be used in transform names in ike_section_p2 applies to phase-1 transforms as well.
Revision 1.77, Mon Sep 17 20:38:28 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.76: +14 -7 lines
unbreak the last commit by making sure that the transform name does not include a "," character. ok otto@
Revision 1.76, Sat Sep 15 13:17:48 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
Changes since 1.75: +162 -163 lines
Encode the transform parameters in the transform name, too. Only using p1name or p2name as a transform identifier (as in rev 1.74) breaks setups that allow multiple transforms for a connection, e.g. in
    ike passive esp from any to 1.1.1.1 quick enc aes-128
    ike passive esp from any to 1.1.1.1 quick enc aes-192
the aes-128 will be overwritten. ok and feedback mikeb@
Revision 1.75, Thu Aug 30 20:03:18 2012 UTC (11 years, 9 months ago) by naddy
Branch: MAIN
Changes since 1.74: +34 -34 lines
Do not issue a spurious "force" when "group none" is specified. Tweaked from his fix and ok mikeb@
Revision 1.74, Fri Jul 13 19:36:07 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.73: +188 -80 lines
Change the configuration format fed to the isakmpd FIFO to be able to specify extended options like SA Lifetime. All the hard work was done by lteo@, while naddy@ and me have made sure that defaults and AH still work; sthen and jmc have looked over the diffs as well.
Revision 1.73, Tue Jul 10 13:58:33 2012 UTC (11 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.72: +5 -5 lines
Rename "life" to "lifetime" to match iked. ok mikeb naddy sthen; procedures ok henning
Revision 1.72, Mon Jul 9 21:06:51 2012 UTC (11 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.71: +2 -2 lines
Fix typo in warning message. ok mikeb sthen haesbaert henning
Revision 1.71, Sat Jun 30 14:51:31 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.70: +10 -1 lines
enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP ok mikeb@
Revision 1.70, Tue Nov 8 13:26:06 2011 UTC (12 years, 7 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.69: +8 -10 lines
allow the path to isakmpd's fifo to be specified (aka changed) on the command line, ok mikeb sthen
Revision 1.69, Fri Oct 15 12:11:10 2010 UTC (13 years, 7 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.68: +11 -11 lines
fixup generation of suites string for isakmpd wrt "group none"; bug noticed and fix tested by robert
Revision 1.68, Wed Sep 22 14:04:09 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.67: +39 -12 lines
Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC (as aes-gmac) encryption transformations in the ipsec.conf(5). Available "enc" arguments denoting use of
1) AES-GCM-16:
    aes-128-gcm for 160 bit key (128+nonce)
    aes-192-gcm for 224 bit key (192+nonce)
    aes-256-gcm for 288 bit key (256+nonce)
2) ENCR_NULL_AUTH_AES_GMAC:
    aes-128-gmac for 160 bit key (128+nonce)
    aes-192-gmac for 224 bit key (192+nonce)
    aes-256-gmac for 288 bit key (256+nonce)
Please note that aes-gmac family performs no encryption and provides no confidentiality and is intended for cases in which confidentiality is not desired (it can be thought of as AH with NAT-T support).
Also, although this implementation supports manual keying, its use is strictly discouraged as AES-GCM security depends on frequent re-keying. So it can be thought of as a debug facility only.
Example configuration:
    ike esp from 172.23.61.36 to 172.23.61.156 \
        quick enc aes-256-gcm \
        psk humppa
Thoroughly tested by me and naddy. Works fine with Linux. Requires updated pfkeyv2.h include file. OK naddy
Revision 1.67, Sun Oct 4 11:39:32 2009 UTC (14 years, 8 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.66: +2 -1 lines
When IKE is operating in dynamic mode and no srcid is given, the hostname is used as the srcid, however the srcid type is not specified. Rectify this by explicitly setting the srcid type to FQDN after successfully retrieving the hostname. This worked prior to the addition of IPV4_ADDR/IPV6_ADDR support since get_id_type() returned ID_FQDN even when presented with a null pointer. Issue reported by Mikolaj Kucharski.
Revision 1.66, Tue Aug 4 15:05:50 2009 UTC (14 years, 10 months ago) by jsing
Branch: MAIN
Changes since 1.65: +17 -5 lines
Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is given as an IPv4 or IPv6 address, rather than treating the IP address as a FQDN. ok hshoexer@ markus@ todd@
Revision 1.65, Tue Jan 20 14:36:19 2009 UTC (15 years, 4 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.64: +66 -67 lines
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
Revision 1.64, Tue Jul 1 15:00:53 2008 UTC (15 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.63: +103 -138 lines
Isakmpd acquire mode did not work with a config generated from ipsec.conf. The config created by isakmpd dynamically was different from the config that ipsecctl generated out of ipsec.conf. Both config formats are changed so that they match. One needs a passive ike line and a require flow line with the same parameters in the ipsec.conf. Then the acquire message generated by the kernel will trigger isakmpd to generate a config that matches the one that ipsecctl generated from the ike line. ok hshoexer, 'sounds good' todd
Revision 1.63, Fri Feb 22 23:51:31 2008 UTC (16 years, 3 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.62: +19 -1 lines
Support for specifying aes-{128,192,256}. Original idea by Prabhu Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic! Thanks guys! ok todd@
Revision 1.62, Fri Jan 4 11:06:02 2008 UTC (16 years, 5 months ago) by hshoexer
Branch: MAIN
Changes since 1.61: +5 -1 lines
Strip off trailing '/32' when address type is IPV4_ADDR as isakmpd does not accept the trailing '/32'. Diff from Mitja Muzenic <mitja@muzenic.net>, thanks!
Revision 1.61, Fri Mar 16 20:51:01 2007 UTC (17 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.60: +4 -18 lines
move autodetection of the ID type to the parser. this way the static flows have the correct ID, too. ok hshoexer, reyk
Revision 1.60, Mon Feb 19 09:00:46 2007 UTC (17 years, 3 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.59: +4 -1 lines
Bits for ESP+NULL encryption. This is useful, when AH can not be used (when being behind NAT). With Martin Hedenfalk <martin.hedenfalk at gmail.com>, thanks! ok markus@
Revision 1.59, Mon Dec 18 00:08:04 2006 UTC (17 years, 5 months ago) by msf
Branch: MAIN
Changes since 1.58: +3 -2 lines
call ike_setup_ids from a more appropriate location. ok hshoexer@
Revision 1.58, Thu Nov 30 21:35:34 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.57: +2 -2 lines
typo: wrong rid for protocol
Revision 1.57, Thu Nov 30 16:17:58 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.56: +14 -1 lines
use rmv to unregister ipsec connections; ok hshoexer, ho
Revision 1.56, Thu Nov 30 15:51:28 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.55: +178 -162 lines
handle multiple SAs with different same src/dst but different port; store IKE connection string and phase2 IDs in the ipsec rule; cleanup internal API: pass rules around instead of rule members; report Brian Candler; fix with hshoexer, msf; ok hshoexer
Revision 1.55, Fri Nov 24 13:52:13 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.54: +8 -4 lines
add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
Revision 1.54, Fri Nov 24 08:07:18 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.53: +2 -2 lines
fix typo for remote port; from Brian Candler
Revision 1.53, Tue Nov 21 13:51:17 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.52: +7 -1 lines
do not delete sections that might be shared with other connections; however, this workaround might leak config entries in isakmpd; ok (for now) hshoexer
Revision 1.52, Wed Nov 1 03:12:14 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.51: +5 -3 lines
KNF unrelated to previous commit.
Revision 1.51, Wed Nov 1 03:10:02 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.50: +76 -42 lines
Add support for aggressive mode (from the k2k6 IPsec hackathon). ok hshoexer
Revision 1.50, Mon Sep 18 13:45:45 2006 UTC (17 years, 8 months ago) by hshoexer
Branch: MAIN
Changes since 1.49: +7 -5 lines
KNF and clean some trailing white spaces, no binary change.
Revision 1.49, Wed Aug 30 12:18:10 2006 UTC (17 years, 9 months ago) by msf
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.48: +2 -2 lines
actually use the right value for USER_FQDN ok hshoexer@
Revision 1.48, Tue Aug 29 18:10:31 2006 UTC (17 years, 9 months ago) by msf
Branch: MAIN
Changes since 1.47: +21 -5 lines
add support for ufqdn ids in ike rules ok hshoexer@
Revision 1.47, Tue Aug 29 17:52:40 2006 UTC (17 years, 9 months ago) by naddy
Branch: MAIN
Changes since 1.46: +33 -24 lines
Add support for IKE AH rules to ipsecctl. Man page input by jmc@. ok hshoexer@
Revision 1.46, Fri Jul 21 12:34:52 2006 UTC (17 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.45: +15 -7 lines
When no peer is specified, no peer address is defined, thus do not use it. Noticed by Alexey E. Suslikov <cruel@texnika.com.ua>, thanks!
Revision 1.45, Sun Jun 18 18:18:01 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.44: +5 -2 lines
add group "none"; when chosen, pfs will be disabled. ok david msf
Revision 1.44, Fri Jun 16 18:46:26 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.43: +3 -2 lines
add a missing "force"
Revision 1.43, Thu Jun 15 16:57:24 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.42: +5 -3 lines
be careful when touching the peer component of a rule. It is not necessarily set anymore, as now the peer can be left out.
Revision 1.42, Tue Jun 13 16:13:41 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.41: +13 -1 lines
For IKE, allow main mode SHA2 and quick mode AESCTR transforms, which were recently added to isakmpd. ok hshoexer@, markus@
Revision 1.41, Sat Jun 10 19:21:10 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.40: +19 -23 lines
switch back to original defaults regarding DH groups. modp3072 is too heavyweight. Testing by Jason George, thanks!
Revision 1.40, Thu Jun 8 22:34:30 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.39: +2 -2 lines
fix some indentation, noticed by david@
Revision 1.39, Thu Jun 8 21:15:21 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.38: +17 -5 lines
Add a transport mode specifier to ike rules. Tunnel mode remains the default. "looks right" hshoexer@
Revision 1.38, Thu Jun 8 20:52:43 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.37: +17 -16 lines
allocate enough storage via sockaddr_storage for sockaddr_in6, fixes ike29.in in regress; looks right hshoexer@, ok naddy@
Revision 1.37, Thu Jun 8 18:25:50 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.36: +2 -2 lines
Fix a typo: When testing for quick mode lifetimes, make sure to reference quick mode lifetimes, too, not main mode lifetimes. Otherwise we might dereference a NULL pointer...
Revision 1.36, Fri Jun 2 15:43:37 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.35: +11 -5 lines
support tcp/udp port modifiers in ike rules "put it in if it doesn't break regress" hshoexer@
Revision 1.35, Fri Jun 2 05:59:31 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.34: +7 -1 lines
allow to specify phase 1 and 2 lifetimes. Right now, these values can only be set globally (ie. Default-phase-[12]-lifetime).
Revision 1.34, Fri Jun 2 03:40:26 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.33: +7 -7 lines
Simplify main/quick mode parsing and generation of the actual ike config.
Revision 1.33, Thu Jun 1 18:03:40 2006 UTC (18 years ago) by msf
Branch: MAIN
Changes since 1.32: +5 -5 lines
change the local-ID section name to always be unique as we may want to use more than one ISAKMP ID on the local peer. ok hshoexer@
Revision 1.32, Thu Jun 1 06:46:35 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.31: +21 -15 lines
knf
Revision 1.31, Thu Jun 1 06:14:05 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.30: +48 -12 lines
permit feeding isakmpd.fifo IPv6 addresses ok hshoexer@
Revision 1.30, Thu Jun 1 02:19:22 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.29: +13 -8 lines
Generate correct configuration for default peers.
Revision 1.29, Wed May 31 02:28:35 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.28: +5 -5 lines
Small function header knf.
Revision 1.28, Wed May 31 02:26:41 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.27: +44 -14 lines
Prepare for handling unnamed remote peers.
Revision 1.27, Sun May 28 08:30:04 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.26: +2 -2 lines
matching brackets are useful ok dlg@
Revision 1.26, Sat May 27 17:21:40 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.25: +70 -2 lines
allow to specify groups to be used IKE
Revision 1.25, Mon May 15 07:50:26 2006 UTC (18 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.24: +6 -6 lines
delete weird C
Revision 1.24, Thu Apr 13 11:55:07 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.23: +9 -5 lines
Add support for "local" to ike rules. Allows to specify the local IP to be used on a multi-homed machine. Also, relax order of peer/local keywords. ok markus@
Revision 1.23, Fri Mar 31 14:11:39 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.22: +2 -1 lines
allow to delete dynamic rules ok reyk@
Revision 1.22, Fri Mar 31 14:02:08 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.21: +9 -5 lines
allow specification of encapsulated protocol for ike; ok hshoexer
Revision 1.21, Fri Mar 31 13:13:51 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.20: +5 -5 lines
allow specification of encapsulated protocol for flows; ok hshoexer
Revision 1.20, Mon Mar 20 17:09:38 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.19: +5 -3 lines
When being verbose while deleting ike rules (-dv), print deletions instead of additions. Suggested by david@
Revision 1.19, Mon Mar 20 16:49:12 2006 UTC (18 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.18: +1 -3 lines
When adding a connection, do not explicitly start that connection using "t" and "c" fifo commands. This is prone to a race when adding several tunnels between the same peers. Just let isakmpd start that connection on its own (using the connection checker).
Revision 1.18, Tue Mar 7 00:19:58 2006 UTC (18 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.17: +30 -4 lines
add an ike option for road warrior setups (hosts with dynamic ip addresses). "ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines). ok hshoexer@, looks fine markus@, jmc@
Revision 1.17, Fri Feb 3 13:39:29 2006 UTC (18 years, 4 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.16: +2 -2 lines
override authentication tag as well; ok hshoexer@
Revision 1.16, Thu Feb 2 14:42:23 2006 UTC (18 years, 4 months ago) by hshoexer
Branch: MAIN
Changes since 1.15: +3 -7 lines
Two fixes: generate default main mode config when using PSK, added missing force (with naddy@) ok reyk@ naddy@
Revision 1.15, Tue Jan 17 00:05:42 2006 UTC (18 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.14: +2 -2 lines
spacing
Revision 1.14, Mon Jan 16 23:57:20 2006 UTC (18 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.13: +15 -8 lines
add support for pre-shared keys with "ike esp" using the new keyword "psk". rsa-sig is recommended and will still be used by default. ok hshoexer@, manpage ok jmc@
Revision 1.13, Wed Dec 28 19:18:43 2005 UTC (18 years, 5 months ago) by naddy
Branch: MAIN
Changes since 1.12: +1 -2 lines
no close() after fdopen(); ok hshoexer@
Revision 1.12, Wed Dec 28 10:53:12 2005 UTC (18 years, 5 months ago) by hshoexer
Branch: MAIN
Changes since 1.11: +21 -9 lines
make sure isakmpd fifo is actually a fifo.
Revision 1.11, Mon Dec 12 09:44:06 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.10: +2 -2 lines
use err() instead of errx()
Revision 1.10, Thu Nov 24 11:52:07 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.9: +1 -5 lines
Remove old-style keyed sha1/md5. We only support hmac-sha1/md5. Noticed the hard way by <raff at brodewicz dot pl>
Revision 1.9, Sat Nov 12 16:41:39 2005 UTC (18 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.8: +3 -3 lines
spacing
Revision 1.8, Sun Nov 6 22:51:51 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.7: +24 -22 lines
Improved address and address mask handling, derived from pfctl stuff.
Revision 1.7, Sun Nov 6 10:52:27 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.6: +3 -3 lines
better handling of ip addresses, prepare for v6. Partially derived from diff by todd@. Work in progress.
Revision 1.6, Fri Oct 28 07:18:47 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.5: +2 -2 lines
more error message cleanup
Revision 1.5, Sun Oct 16 19:52:19 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.4: +3 -3 lines
cleanup messages generated by err(3)
Revision 1.4, Thu Sep 22 15:07:29 2005 UTC (18 years, 8 months ago) by hshoexer
Branch: MAIN
Changes since 1.3: +2 -2 lines
use "force" keyword when adding to Phase 1 section, otherwise isakmpd will write some annoying warning to the logs...
Revision 1.3, Tue Sep 20 17:30:58 2005 UTC (18 years, 8 months ago) by hshoexer
Branch: MAIN
Changes since 1.2: +1 -0 lines
add an entry to "Phase 1" section for each remote peer.
Revision 1.2, Tue Sep 20 17:29:19 2005 UTC (18 years, 8 months ago) by hshoexer
Branch: MAIN
Changes since 1.1: +3 -1 lines
add a "Connection=..." entry for active connections
Revision 1.1, Mon Aug 22 17:26:46 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Teach ipsecctl to control isakmpd. ok deraadt