OpenBSD CVS

CVS log for src/sbin/ipsecctl/ipsecctl.h




Default branch: MAIN


Revision 1.77, Mon Oct 9 15:32:14 2023 UTC (7 months, 3 weeks ago) by tobhe
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.76: +3 -2 lines

Add pledge("stdio") before parsing pfkey messages. This applies to
ipsecctl -m and ipsecctl -s. Refactor ipsecctl_show_*() to setup all
sysctls first before dropping privileges and finally parsing and
printing IPsec SAs and flows.

feedback and ok mbuhl@
ok deraadt@

Revision 1.76, Mon Aug 7 04:10:08 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.75: +5 -1 lines

add support for route-based ipsec vpn negotiation with sec(4) via isakmpd.

this adds "interface secX" to the grammar that you can use instead
of specifying tunnel/transport modes and traffic selectors.

if you have config like "ike interface sec0 local ... peer ...",
ipsecctl will generate the right config for isakmpd to negotiate
esp tunnels for all traffic between 0.0.0.0/0 and 0.0.0.0/0. however,
this also specifies that they should be set up as interface SAs in
the kernel for use with sec(4).

this supports route-based instead of policy-based ipsec encapsulation,
and allows us to more easily operate with other vendors and products
that also offer route-based vpns with opinions about the negotiated
policy that doesn't fit with the SPD.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

Revision 1.75, Fri Oct 22 12:30:54 2021 UTC (2 years, 7 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.74: +2 -2 lines

After deleting hifn(4) the only provider for the LZS compression
algorithm is gone.  Remove all LZS references from the tree.  The
v42bis in isakmpd also looks unsupported.
OK mvs@ patrick@ sthen@

Revision 1.74, Fri Feb 7 13:01:34 2020 UTC (4 years, 3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.73: +3 -1 lines

Extend the ipsecctl(8) parser to set the udpencap flag and port
number of an SA.  This will be useful to test IPsec with NAT-T.
OK sthen@ tobhe@

Revision 1.73, Mon Nov 20 10:51:24 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.72: +4 -1 lines

Support collapsing flow outputs.

Makes it easier to check live status of complex setups.

ok hshoexer@

Revision 1.72, Fri Oct 27 08:29:32 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.71: +5 -3 lines

Support DH groups 19 to 21 and 25 to 30, just like iked(8) does.

ok visa@, markus@

Revision 1.71, Wed Apr 19 15:59:38 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.70: +8 -8 lines

Rename all SA groups to bundles consistently.  The first kernel
commit in 2000 that introduced the features already called them SA
bundles.  The word group is taken by Diffie-Hellman, reusing it
causes confusion.
OK hshoexer@

Revision 1.70, Fri Apr 14 18:06:28 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.69: +2 -1 lines

Up to now ipsecctl(8) grouped SAs with identical src and dst to the
flow which the first SA matched by the flow type.  This behaviour
was mostly undocumented and unexpected.  Make SA bundles explicit
in ipsec.conf(5).  Only group SAs that have the same src and dst
and also the same bundle identifier.
OK hshoexer@

Revision 1.69, Wed Dec 9 21:41:50 2015 UTC (8 years, 5 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.68: +2 -2 lines

Remove plain DES encryption from IPsec.

DES is insecure since brute force attacks are practical due to its
short key length.

This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).

ok mikeb@

Revision 1.68, Wed Nov 4 12:46:13 2015 UTC (8 years, 7 months ago) by mikeb
Branch: MAIN
Changes since 1.67: +2 -2 lines

Decode Chacha20-Poly1305 when dumping SAs;  ok reyk, naddy

Revision 1.67, Tue Jul 10 13:58:33 2012 UTC (11 years, 10 months ago) by lteo
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7, OPENBSD_5_6_BASE, OPENBSD_5_6, OPENBSD_5_5_BASE, OPENBSD_5_5, OPENBSD_5_4_BASE, OPENBSD_5_4, OPENBSD_5_3_BASE, OPENBSD_5_3, OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.66: +7 -7 lines

Rename "life" to "lifetime" to match iked.

ok mikeb naddy sthen; procedures ok henning

Revision 1.66, Sun Jul 8 17:51:51 2012 UTC (11 years, 10 months ago) by naddy
Branch: MAIN
Changes since 1.65: +3 -2 lines

Disallow manual security associations that use AES-CTR, AES-GCM,
or AES-GMAC.  These algorithms cannot be used safely with static
keys and RFCs 3686, 4106, and 4543 expressly forbid such configurations.

Also include a tweak (with jmc@) to the key size explanation, for
completeness' sake.

ok mikeb@

Revision 1.65, Thu Jul 5 09:02:20 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.64: +1 -2 lines

don't output "esn" string in the rule section as we can't use the
keyword in the grammar to create an esn-enabled rule (no reason to
do so for manual sa configuration).  instead decode sa flags so
that we can also watch changes happening in realtime with the
monitor mode.  prompted and ok by naddy

Revision 1.64, Sat Jun 30 14:51:31 2012 UTC (11 years, 11 months ago) by naddy
Branch: MAIN
Changes since 1.63: +2 -1 lines

enable use of AES-{192,256}-CTR, and explicitly of AES-128-CTR, for IPsec ESP
ok mikeb@

Revision 1.63, Fri Jun 29 15:01:07 2012 UTC (11 years, 11 months ago) by mikeb
Branch: MAIN
Changes since 1.62: +2 -1 lines

Print esn flag when dumping SAs with ESN enabled

Revision 1.62, Tue Nov 8 13:26:06 2011 UTC (12 years, 6 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.61: +2 -2 lines

allow the path to isakmpd's fifo to be specified (aka changed) on the
command line, ok mikeb sthen

Revision 1.61, Wed Oct 6 22:19:20 2010 UTC (13 years, 7 months ago) by mikeb
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.60: +2 -2 lines

Retire Skipjack

There's not much use for the declassified cipher from the 80's
with a questionable license these days.  According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.

The libc portion will be removed after the ports hackathon.

djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.

Revision 1.60, Wed Sep 22 14:04:09 2010 UTC (13 years, 8 months ago) by mikeb
Branch: MAIN
Changes since 1.59: +5 -2 lines

Support AES-GCM-16 (as aes-gcm) and ENCR_NULL_AUTH_AES_GMAC
(as aes-gmac) encryption transformations in the ipsec.conf(5).

Available "enc" arguments denoting use of

1) AES-GCM-16:

 aes-128-gcm for 160 bit key (128+nonce)
 aes-192-gcm for 224 bit key (192+nonce)
 aes-256-gcm for 288 bit key (256+nonce)

2) ENCR_NULL_AUTH_AES_GMAC:

 aes-128-gmac for 160 bit key (128+nonce)
 aes-192-gmac for 224 bit key (192+nonce)
 aes-256-gmac for 288 bit key (256+nonce)

Please note that aes-gmac family performs no encryption and provides
no confidentiality and is intended for cases in which confidentiality
is not desired (it can be thought of as AH with NAT-T support).

Also, although this implementation supports manual keying, its
use is strictly discouraged as AES-GCM security depends on frequent
re-keying.  So it can be thought of as a debug facility only.

Example configuration:

	ike esp from 172.23.61.36 to 172.23.61.156 \
		quick enc aes-256-gcm \
		psk humppa

Thoroughly tested by me and naddy.  Works fine with Linux.

Requires updated pfkeyv2.h include file.

OK naddy

Revision 1.59, Tue Aug 4 15:05:50 2009 UTC (14 years, 10 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8, OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.58: +1 -1 lines

Specify an ID-type of IPV4_ADDR or IPV6_ADDR if the srcid or dstid is
given as an IPv4 or IPv6 address, rather than treating the IP address as
a FQDN.

ok hshoexer@ markus@ todd@

Revision 1.58, Tue Jan 20 14:36:19 2009 UTC (15 years, 4 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.57: +3 -1 lines

Add support to isakmpd(8) and ipsecctl(8) to install SAs with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@

Revision 1.57, Tue Jul 1 15:00:53 2008 UTC (15 years, 11 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.56: +2 -1 lines

Isakmpd acquire mode did not work with a config generated from
ipsec.conf.  The config created by isakmpd dynamically was different
from the config that ipsecctl generated out of ipsec.conf.

Both config formats are changed so that they match.  One needs a
passive ike line and a require flow line with the same parameters
in the ipsec.conf.  Then the acquire message generated by the kernel
will trigger isakmpd to generate a config that matches the one that
ipsecctl generated from the ike line.

ok hshoexer, 'sounds good' todd

Revision 1.56, Fri Feb 22 23:51:31 2008 UTC (16 years, 3 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.55: +3 -2 lines

Support for specifying aes-{128,192,256}.  Original idea by Prabhu
Gurumurthy, tweaks and commit-ready diff by Mitja Muzenic!  Thanks
guys!

ok todd@

Revision 1.55, Sat Oct 13 16:35:18 2007 UTC (16 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.54: +2 -2 lines

in all these programs using the same pfctl-derived parse.y, re-unify the
yylex implementation and the code which interacts with yylex.  this also
brings the future potential for include support to all of the parsers.
in the future please do not make silly modifications to one of these files
without checking if you are de-unifying the code.
checked by developers in all these areas.

Revision 1.54, Fri Mar 16 20:51:01 2007 UTC (17 years, 2 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.53: +3 -2 lines

move autodetection of the ID type to the parser.  this way the
static flows have the correct ID, too. ok hshoexer, reyk

Revision 1.53, Wed Jan 3 12:17:43 2007 UTC (17 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.52: +2 -1 lines

do not print secret keys by default, -k restores old behaviour; ok hshoexer

Revision 1.52, Thu Nov 30 15:51:28 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.51: +4 -1 lines

handle multiple SAs with different same src/dst but different port;
store IKE connection string and phase2 IDs in the ipsec rule;
cleanup internal API: pass rules around instead of rule members;
report Brian Candler; fix with hshoexer, msf; ok hshoexer

Revision 1.51, Fri Nov 24 13:52:13 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.50: +2 -1 lines

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

Revision 1.50, Wed Nov 1 03:10:02 2006 UTC (17 years, 7 months ago) by mcbride
Branch: MAIN
Changes since 1.49: +12 -5 lines

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer

Revision 1.49, Sun Jun 18 18:18:01 2006 UTC (17 years, 11 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.48: +3 -3 lines

add group "none"; when chosen, pfs will be disabled.

ok david msf

Revision 1.48, Fri Jun 2 12:29:43 2006 UTC (18 years ago) by markus
Branch: MAIN
Changes since 1.47: +2 -1 lines

print full information about tcpmd5 and ipcomp SAs, too

Revision 1.47, Fri Jun 2 05:59:31 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.46: +3 -1 lines

allow to specify phase 1 and 2 lifetimes.  Right now, these values
can only be set globally (ie. Default-phase-[12]-lifetime).

Revision 1.46, Fri Jun 2 04:51:55 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.45: +8 -1 lines

put src and dst host in dedicated structure.  Make the API more
compact which will soon simplify my life.

Revision 1.45, Fri Jun 2 03:31:20 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.44: +6 -1 lines

Generalize parsing of main/quick mode specification.  Preparation
for lifetime support.

Revision 1.44, Fri Jun 2 00:33:47 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.43: +6 -1 lines

Prepare for parsing lifetimes for ike main and quick mode.  Not enabled yet.

Revision 1.43, Thu Jun 1 17:32:20 2006 UTC (18 years ago) by naddy
Branch: MAIN
Changes since 1.42: +3 -1 lines

Support flows with port modifiers for proto tcp/udp, e.g.
flow proto udp from 1.2.3.4 port ntp to 5.6.7.8

ok hshoexer@ msf@

Revision 1.42, Thu Jun 1 16:13:01 2006 UTC (18 years ago) by markus
Branch: MAIN
Changes since 1.41: +2 -1 lines

convert pfkey to ipsec_rule and use ipsecctl_print_rule() when dumping
the in-kernel SAs. this way we produce the same output as rule loading
ok hshoexer

Revision 1.41, Thu Jun 1 15:53:39 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.40: +5 -1 lines

Add members dst2, proto2 and spi2 to struct ipsec_rule and define
rule type "group".  Needed for grouping.

Revision 1.40, Thu Jun 1 15:47:26 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.39: +9 -1 lines

Prepare for SA grouping.

Revision 1.39, Thu Jun 1 04:12:34 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.38: +2 -2 lines

rename list link for ipsec_rule structures from "entries" to "rule_entry".

Revision 1.38, Wed May 31 14:38:31 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.37: +3 -3 lines

white spaces

Revision 1.37, Tue May 30 21:56:05 2006 UTC (18 years ago) by msf
Branch: MAIN
Changes since 1.36: +2 -1 lines

implement monitor mode for ipsecctl. worked on with markus@

ok hshoexer@

Revision 1.36, Mon May 29 18:52:56 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.35: +3 -2 lines

Need prototype for ipsecctl_free_rule().  While around clean up
prototype for ipsecctl_add_rule.

Revision 1.35, Sun May 28 21:05:09 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.34: +2 -1 lines

whoops, undo last commit.  Of course, set_ipmask() is needed...

Revision 1.34, Sun May 28 20:59:23 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.33: +3 -9 lines

this one not needed yet.

Revision 1.33, Sun May 28 20:58:24 2006 UTC (18 years ago) by todd
Branch: MAIN
Changes since 1.32: +2 -1 lines

fill in AF_INET6 cases
this does not complete v6 support for ipsecctl, but makes progress
ok hshoexer@

Revision 1.32, Sat May 27 17:21:40 2006 UTC (18 years ago) by hshoexer
Branch: MAIN
Changes since 1.31: +6 -1 lines

allow to specify groups to be used by IKE

Revision 1.31, Fri Mar 31 13:13:51 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.30: +3 -2 lines

allow specification of encapsulated protocol for flows; ok hshoexer

Revision 1.30, Thu Mar 30 12:44:20 2006 UTC (18 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.29: +2 -1 lines

allow specification of outer local ips in flows (SADB_EXT_ADDRESS_SRC); ok hshoexer, reyk

Revision 1.29, Wed Mar 22 16:01:23 2006 UTC (18 years, 2 months ago) by reyk
Branch: MAIN
Changes since 1.28: +2 -1 lines

add support for macros in ipsec.conf(5). some bits have already been
there.

requested by david@
ok hshoexer@, msf@

Revision 1.28, Tue Mar 7 00:19:58 2006 UTC (18 years, 3 months ago) by reyk
Branch: MAIN
Changes since 1.27: +2 -2 lines

add an ike option for road warrior setups (hosts with dynamic ip
addresses).

"ike dynamic esp" will use the system's hostname as the fqdn source id
(instead of the ip address) by default and enable dpd (dead peer
detection) to allow smooth reconnects after an ip address change (i.e.
forced reconnect with consumer adsl lines).

ok hshoexer@, looks fine markus@, jmc@

Revision 1.27, Tue Jan 17 00:05:39 2006 UTC (18 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.26: +2 -2 lines

no , after last element in enum

Revision 1.26, Mon Jan 16 23:57:20 2006 UTC (18 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.25: +11 -5 lines

add support for pre-shared keys with "ike esp" using the new keyword
"psk". rsa-sig is recommended and will still be used by default.

ok hshoexer@, manpage ok jmc@

Revision 1.25, Tue Dec 6 14:27:57 2005 UTC (18 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.24: +3 -2 lines

ipip support: ip-in-ip w/o gif(4); ok hshoexer

Revision 1.24, Thu Nov 24 11:52:07 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.23: +2 -2 lines

Remove old-style keyed sha1/md5.  We only support hmac-sha1/md5.
Noticed the hard way by <raff at brodewicz dot pl>

Revision 1.23, Sat Nov 12 21:49:38 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.22: +8 -1 lines

add support for interface names as host specifications

Revision 1.22, Sat Nov 12 16:43:11 2005 UTC (18 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.21: +2 -2 lines

spacing

Revision 1.21, Sat Nov 12 12:00:53 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.20: +5 -1 lines

handle transport/tunnel mode

Revision 1.20, Sun Nov 6 22:51:51 2005 UTC (18 years, 6 months ago) by hshoexer
Branch: MAIN
Changes since 1.19: +23 -15 lines

Improved address and address mask handling, derived from pfctl stuff.

Revision 1.19, Sun Nov 6 10:52:27 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.18: +9 -5 lines

better handling of ip addresses, prepare for v6.  Partially derived from diff
by todd@.  Work in progress.

Revision 1.18, Sun Oct 30 19:50:23 2005 UTC (18 years, 7 months ago) by hshoexer
Branch: MAIN
Changes since 1.17: +7 -3 lines

add support for ipcomp.

Revision 1.17, Mon Aug 22 17:26:46 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.16: +19 -5 lines

Teach ipsecctl to control isakmpd.

ok deraadt

Revision 1.16, Tue Aug 9 12:37:45 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
Changes since 1.15: +7 -3 lines

Rewrite handling of transforms.  Now both ah and esp can be specified and
validated correctly.  Unbreaks ah.

Revision 1.15, Mon Aug 8 13:29:00 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
Changes since 1.14: +18 -3 lines

add crypto transforms and static keying rules

Revision 1.14, Mon Aug 8 09:15:09 2005 UTC (18 years, 9 months ago) by hshoexer
Branch: MAIN
Changes since 1.13: +8 -2 lines

prepare for static keying

Revision 1.13, Fri Aug 5 14:39:02 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.12: +3 -2 lines

prepare for authentication and encryption keys, not used yet.

Revision 1.12, Tue Aug 2 15:47:25 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.11: +2 -2 lines

Make use of struct ipsec_auth dynamic.
Do not pass IDs to kernel when deleting flows.

Revision 1.11, Sun Jul 24 10:06:38 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.10: +4 -4 lines

prepare for combining SAs and flows in one single rule, no functional change
yet.

Revision 1.10, Sat Jul 9 21:05:02 2005 UTC (18 years, 10 months ago) by hshoexer
Branch: MAIN
Changes since 1.9: +9 -2 lines

Provide infrastructure for adding/deleting SAs, will be used by tcpmd5 and
manual keying.  Not used yet.

Revision 1.9, Thu Jul 7 21:13:00 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.8: +4 -2 lines

Do not mix rule types with flow types

Revision 1.8, Thu Jul 7 21:00:08 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.7: +4 -1 lines

add type for rules; will need this for tcpmd5

Revision 1.7, Thu Jun 30 19:05:27 2005 UTC (18 years, 11 months ago) by hshoexer
Branch: MAIN
Changes since 1.6: +2 -1 lines

add -d flag for flow deletion.  Enable flow deletion.

Revision 1.6, Fri May 27 19:55:21 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.5: +6 -1 lines

show flow type (require, use, etc.)

Revision 1.5, Fri May 27 05:19:55 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.4: +2 -1 lines

Support for dumping the SADB.

Revision 1.4, Wed May 25 17:10:26 2005 UTC (19 years ago) by hshoexer
Branch: MAIN
Changes since 1.3: +1 -4 lines

prepare for new sysctl interface, not used yet

Revision 1.3, Mon May 23 20:25:54 2005 UTC (19 years ago) by kjell
Branch: MAIN
Changes since 1.2: +2 -2 lines

tap. tap. is this thing on?

KNF, Fix a typo in an ENUM, Xr to ipsec.conf
no binary change

ok hshoexer@

Revision 1.2, Mon Apr 4 22:22:55 2005 UTC (19 years, 2 months ago) by hshoexer
Branch: MAIN
Changes since 1.1: +1 -1 lines

fix cvs id tags

Revision 1.1, Mon Apr 4 22:19:50 2005 UTC (19 years, 2 months ago) by hshoexer
Branch: MAIN

Add ipsecctl utility, work in progress

ok deraadt
