Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
Anouncing DH group in esp transform proposals will enable PFS which is
not suppored now. This fixes issue during rekey when using strongswan as
responder.
Change-Id: Ib9f586113ae0ab9dc67e6ceadff43f8aac463820
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
* initiator behind NAT supported
* tested with static NAT mappings
* works only with pre-configured tunnels
The pre-configured tunnel has to be defined as follows:
initiator (i) side: src=ip(i) dst=ip(r)
responder (r) side: src=ip(r) dst=ip(nat)
Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: If240bd8b3579678c0a6b5ea723946a35b53e5c31
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Introduce new cli for setting liveness check period and max retries for
a peer to consider its partner dead.
ikev2 set liveness <period-in-seconds> <max-retires>
Type: improvement
Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
This patch makes configuring integration algorithm optional. This is
useful when using AEAD cipher (in fact when using such
cipher, integ algo is ignored anyway).
Change-Id: I5891db5c0433afb85ae2d9084d45b89ec1133178
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I081dec2dc0c2bd0845dd4638b7b2f12806594112
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Iee84f94c617c53658f13c5430b945568c5e06ce9
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
... rather than always creating a new interface.
Change-Id: If8a22ad5a8a3a4e511bea7cab7d8bbf7e6af9433
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: Iedcb24684c54f4d78583ab3aa3db1097e73df248
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.
The following schemes are *roughly* equivalent:
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
clib_error_t *error;
... do some stuff...
if ((error = vlib_call_init_function (init_runs_next)))
return error;
...
}
VLIB_INIT_FUNCTION (init_runs_first);
and
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
... do some stuff...
}
VLIB_INIT_FUNCTION (init_runs_first) =
{
.runs_before = VLIB_INITS("init_runs_next"),
};
The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.
Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.
Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
for easy integration with ptoducts running their own Ike stack.
Without the VPP IKE plugin loaded, the product is free to handle
IKE packets as it pleases.
Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
Signed-off-by: Neale Ranns <nranns@cisco.com>
|