Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
Anouncing DH group in esp transform proposals will enable PFS which is
not suppored now. This fixes issue during rekey when using strongswan as
responder.
Change-Id: Ib9f586113ae0ab9dc67e6ceadff43f8aac463820
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I3198461f3dfc13cd3cedf2b8611dc80bb6f959c8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I99c2383dd0d30efd1837f3d10ff2e4cf3a784283
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
* initiator behind NAT supported
* tested with static NAT mappings
* works only with pre-configured tunnels
The pre-configured tunnel has to be defined as follows:
initiator (i) side: src=ip(i) dst=ip(r)
responder (r) side: src=ip(r) dst=ip(nat)
Change-Id: Ia9f79ddbbcc3f7dc8fde6bbeca2a433e3b784e94
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: If240bd8b3579678c0a6b5ea723946a35b53e5c31
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Idf9b0ffb4e3a0113bece80d1195192bdf46feb89
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
thus allowing NAT traversal,
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie8650ceeb5074f98c68d2d90f6adc2f18afeba08
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: fix
Change-Id: Ib73ce48552cfa9e825a6833f5594650783d82f3b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
key file name should be a string and not array of u8.
Change-Id: I7d280d2397030e73732b374ad9d3146fad0bb19f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I8e4a47bd16fa8475ef695c09e3487eabf08faabe
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Introduce new cli for setting liveness check period and max retries for
a peer to consider its partner dead.
ikev2 set liveness <period-in-seconds> <max-retires>
Type: improvement
Change-Id: Iadae1de245d34fe3ee85e09b570f9df8c401772b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ia7b07b4ec9e5681946f3f5c01c230c1f814e2cf6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Fix crash when peer tries to build INFO req before key exchange which
results using NULL key pointers for crypto operations.
Type: fix
Change-Id: I20aaf1ce769e4bfb45235047c2dd38307b4e0b59
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
This patch fixes 2 different crashes:
1) BN_bn2bin() returns bytes written, not actual key length. Use
BN_bn2binpad() instead which adds padding.
2) Initiator may receive multiple sa-init responses for the same ispi
which may result in crash. Remember first response and ignore any
subsequent ones.
Type: fix
Change-Id: Ia1eac9167e3100a6894c0563ee70bab04f6a5f4f
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ibc65d739583dc11735f993f4c7e7ee6d3c8f5b0a
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I746b94f494d059d2db5f47638c9f4e6bc4eb4045
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: style
Change-Id: Ie81eb7e3d872923daaa8ae8dad060a4da85349c5
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Type: fix
Change-Id: Ic6457da31846721e334f144f15d404575eeb73e5
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ifee2b3dca85ea915067b9285e3636802bf0c19a8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I2c89accddf2307fa975b71e974d4091499f104ed
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: Id8fc6750e856862157917587234a6b7b03531b13
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
This patch makes configuring integration algorithm optional. This is
useful when using AEAD cipher (in fact when using such
cipher, integ algo is ignored anyway).
Change-Id: I5891db5c0433afb85ae2d9084d45b89ec1133178
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: I081dec2dc0c2bd0845dd4638b7b2f12806594112
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Idd679885f42de45429a1dcbf3b0af1037dc54d2b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type:fix
Change-Id: I01ac57f6186b20d8ab4070b7259a82a150f0ae9a
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
Change-Id: Ib474dabb745bc2034d8d60261c095e35a8fff277
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: Ifb675c7783f03de4db8147858dd93d9687176f40
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I44e51bc37ff43999290d97fceb5f94b7c64041ec
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Iaba2ab11bfaa1c8db4023434e3043ac39500f938
|
|
Type: fix
Change-Id: I76bed5ce2df897d0e8e822ee1244018b0e39494d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: improvement
IKE will bring the tunnel up ince the negociation is complete and bring
it down when the session ends. It is the clinets responsibility to
manage the state of the tunnel before and after these events. So to
prevent any unencrpyted traffic egressing the tunnel before the session
is negpciated, the tunnel should be in the down state when it a
associated with the IKE session.
Change-Id: I8aee593c79ca006d6ab08f9fa560fbbf6f8dcc16
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Change-Id: Iee84f94c617c53658f13c5430b945568c5e06ce9
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
... rather than always creating a new interface.
Change-Id: If8a22ad5a8a3a4e511bea7cab7d8bbf7e6af9433
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: Iedcb24684c54f4d78583ab3aa3db1097e73df248
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
plus fixes for gre
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eca5f94b8b8ea0fcfb058162cafea4491708db6
|
|
Type: refactor
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I18dcdb7af3e327f6cacdbcb1e52b89f13d6ba6e2
|
|
Type: fix
Change-Id: Ib00ab9b2f28c0f4d85e96bf95697f61b8e415f37
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I2171ef678ecad12d681668257498a5a62004152f
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I9467f11775936754406892b8e9e275f989ac9b30
|
|
Type: fix
Change-Id: I5ad27b05c34494c5a2ea28706130612b547aaf67
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
traffic selector vector isn't freed when freeing child SA
Type: fix
Change-Id: Icf6c240db5093f45d141451bad6f6627a61821cf
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Signed-off-by: Aleksander Djuric <aleksander.djuric@gmail.com>
Change-Id: I2fe36e2e4e8ce2906a6573301c7fca3cbab571c3
|
|
Type: fix
Signed-off-by: Aleksander Djuric <aleksander.djuric@gmail.com>
Change-Id: I186286b8959ae138528a5171c22d3e1b00f46baf
Signed-off-by: Aleksander Djuric <aleksander.djuric@gmail.com>
|
|
Type: fix
Change-Id: I81ab3dcd03f397b3d275da6cfa094e048ad92f95
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I8aa9029e0a5cf21aa24a90b39eb2787653f65abb
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
- set msgid to 0 not random.
- allow for no DH in ESP child SA
Ticket: VPP-1781
Type: fix
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: Ibe26009d38f444eeaec5b042097f145d161c7672
|
|
- Need to always free created contexts
- Always pair init with cleanup for older openssl API.
Type: fix
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: Ie8840403bcac500c20085d57240401ad39d119f8
|
|
Type: refactor
Change-Id: Ib46ed3e65e75a97995a3e251d87324fec6595024
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
Change-Id: Ic703015b55f0ae947e5e44b10b74b3c79efe7da6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|