[Swan-commit] Changes to ref refs/heads/audit
Paul Wouters
paul at vault.libreswan.fi
Sun Jan 27 01:05:10 EET 2013
New commits:
commit 33074f586e57d847f42b72e983d04a1d5f9c6b88
Merge: ab50f0e 9ac4101
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jan 26 18:05:04 2013 -0500
Merge branch 'master' into audit
commit 9ac4101fe819d73dac1097bf88396452dd2169ee
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:59:20 2013 -0500
* status: slight change in output of ipsec auto --status
We used to only display metric and mtu when one of these were set.
We now always display these. The prio and interface were moved on
their own line with metric and mtu. This gives us more space for
our ever increasing list of POLICY bits to be displayed.
old:
000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; prio: 32,32; interface: virbr0;
new:
000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
000 "redhat": prio: 32,32; interface: virbr0; metric:0, mtu:unset;
For OE, the DNS policies (+lKOD and +rKOD) are added to the policy line, but after the ";"
to avoid the confusion of thinking these are c->policy bits.
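As an added example (not code from the libreswan project), here is a small parser for the `ipsec auto --status` connection lines quoted above. It accepts both the old single-line layout and the new two-line layout, merges the fields per connection name, and splits the policy string into its individual bits so a script can check for a flag such as IKE_FRAG without caring which layout produced it. The sample lines are constructed from the commit message; the regular expressions are my own.

```python
import re

# Constructed samples modelled on the "old" and "new" output quoted in the commit message.
OLD_STATUS = [
    '000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; prio: 32,32; interface: virbr0;',
]
NEW_STATUS = [
    '000 "redhat": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;',
    '000 "redhat": prio: 32,32; interface: virbr0; metric:0, mtu:unset;',
]

# Status lines start with the "000" prefix and the quoted connection name.
LINE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<rest>.*)$')

# A field is "key: value" (or "key:value"); a value ends at ";" or at the next
# key, which may be introduced by ", " as in "metric:0, mtu:unset".  The
# lookahead keeps "prio: 32,32" intact because "32" is not followed by ":".
FIELD_RE = re.compile(r'(\w+):\s*(.*?)(?=(?:,\s*)?\w+:|;|$)')


def parse_status_lines(lines):
    """Merge per-connection fields from status lines into {conn: {key: value}}.

    The policy field is additionally split on '+' into a set under 'policy_bits'.
    """
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection status line (e.g. other "000" output)
        fields = conns.setdefault(m.group('conn'), {})
        for key, value in FIELD_RE.findall(m.group('rest')):
            value = value.strip()
            fields[key] = value
            if key == 'policy':
                fields['policy_bits'] = set(value.split('+'))
    return conns


def has_policy_bit(conns, conn, bit):
    """True if connection `conn` lists policy bit `bit` (e.g. 'IKE_FRAG')."""
    return bit in conns.get(conn, {}).get('policy_bits', set())


if __name__ == '__main__':
    for name, fields in parse_status_lines(NEW_STATUS).items():
        print(name, sorted(fields['policy_bits']), fields.get('metric'), fields.get('mtu'))
```

Because the merge is keyed on the connection name, the same code works whether a connection's fields arrive on one line or several, which is what the reformatting in this commit changes.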
commit c4b8b3dd170f7b80458be857dfa8d18c24971af0
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:56:45 2013 -0500
* libipsecconf: Do not set key_from_DNS_on_demand = TRUE per default
For RSA connections, the OE settings turn this to TRUE if OE was
used, and false otherwise. However, for PSK connections this was left
at TRUE as well. Although it caused no harm, it could confusingly
state "+lKOD+rKOD" in the policy for PSK connections.
commit a769227f37e8c320a3276e311aeb2b4c58b2abd2
Merge: 9ea8310 3b0d6c9
Author: Paul Wouters <paul at libreswan.org>
Date: Sat Jan 26 11:04:50 2013 -0500
Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation
commit 3b0d6c99385d8b97efc75e5be52231353fdf0652
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 25 14:59:46 2013 +0100
* debug: add debug lines in set_cur_state macro
commit 84172f1a521f778f72f69bb0f4e1ed83409b18d5
Author: Antony Antony <antony at phenome.org>
Date: Fri Jan 25 14:59:05 2013 +0100
* plutodebug: add debug lines for racoon MODECFG situations
commit 93454a6630726e35df3f57c80b798e4e957bce2a
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 23 21:00:12 2013 -0500
* ike frags: Only log for controlmore, define MAX_IKE_FRAGMENTS 16
commit 5b7a8c3b8868be619742362c02b81820ecb2b203
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jan 23 20:58:52 2013 -0500
* ipsec: Add "ipsec start|stop|restart" as aliases to "ipsec setup"
commit 9ea831051e3aa50b3a8a23bf36ac6aa028d725e7
Merge: b29ddb4 6d27b65
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 23 17:11:46 2013 -0500
Merge branch 'master' into fragmentation
commit b29ddb46a32acee5523a806f9c3dcde476aa7dad
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:54:25 2013 -0500
* updated changes
commit b9d8758fc681b317e92bcce49e5956a6d0e6902f
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:23:21 2013 -0500
* testing: added interop-racoon-iphone5-nonat
This test, once completed, will test interop with the iphone5's racoon
using the Apple default of ike_frag=force on the racoon side.
commit 88e33b64be8a5c439d51ac75f5a243bbabf989e4
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 23:16:36 2013 -0500
* IKEv1: Support for receiving IKEv1 fragments (not RFC)
Added support for incoming fragmented IKE packets to solve iOS6 (iphone)
problems. This is often the case when large X.509 certificates are used.
Some third-party vendor devices, such as firewalls configured for stateful
packet inspection, do not permit the passthrough of User Datagram Protocol
(UDP) fragments in case they are part of a fragmentation attack. If
fragments are not passed through, Internet Key Exchange (IKE) negotiation
fails because the intended responder for the virtual private network (VPN)
tunnel cannot reconstruct the IKE packet and proceed with establishment
of the tunnel.
This feature provides for the fragmentation of large IKE packets into a series
of smaller IKE packets to avoid fragmentation at the UDP layer.
This feature provides support for Cisco IOS in terms of being a responder in an
IKEv1 main mode exchange.
Signed-off-by: Paul Wouters <pwouters at redhat.com>
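As an added illustration of the receiving side this commit describes (my own code, not libreswan's), the following reassembles fragmented IKEv1 messages and enforces the MAX_IKE_FRAGMENTS 16 cap mentioned in the "ike frags" commit above, so an unbounded stream of fragments cannot make the responder buffer memory forever. The fragment payload layout used here (next payload, reserved, length, 16-bit fragment id, 8-bit fragment number, 8-bit flags with bit 0 marking the last fragment) is the vendor-draft layout as I recall it and should be treated as an assumption; the builder and the sample message are constructed test input only.

```python
import struct

MAX_IKE_FRAGMENTS = 16          # cap taken from the commit "define MAX_IKE_FRAGMENTS 16"
# Assumed fragment payload header: next payload, reserved, length, fragment id,
# fragment number (1-based), flags.  Network byte order.
FRAG_HDR = struct.Struct('!BBHHBB')
LAST_FRAGMENT = 0x01            # assumed flag bit marking the final fragment


def build_fragments(message, frag_id, chunk):
    """Split `message` into fragment payloads (constructed test input only)."""
    pieces = [message[i:i + chunk] for i in range(0, len(message), chunk)] or [b'']
    out = []
    for num, piece in enumerate(pieces, start=1):
        flags = LAST_FRAGMENT if num == len(pieces) else 0
        out.append(FRAG_HDR.pack(0, 0, FRAG_HDR.size + len(piece), frag_id, num, flags) + piece)
    return out


class FragmentReassembler:
    """Collects fragments per fragment id; out-of-order and duplicate fragments are tolerated."""

    def __init__(self, max_fragments=MAX_IKE_FRAGMENTS):
        self.max_fragments = max_fragments
        self.parts = {}   # frag_id -> {fragment number: data}
        self.last = {}    # frag_id -> number of the fragment carrying LAST_FRAGMENT

    def add(self, frag):
        """Feed one fragment payload.

        Returns the reassembled message once every fragment 1..last has arrived,
        None while still waiting, and raises ValueError on malformed or abusive input.
        """
        if len(frag) < FRAG_HDR.size:
            raise ValueError('fragment shorter than header')
        _next, _reserved, length, frag_id, num, flags = FRAG_HDR.unpack_from(frag)
        if length != len(frag):
            raise ValueError('length field does not match payload')
        if num == 0 or num > self.max_fragments:
            # Bound the amount of state a single peer can make us hold.
            raise ValueError('fragment number out of range (max %d)' % self.max_fragments)
        parts = self.parts.setdefault(frag_id, {})
        if num in parts:
            return None   # retransmit: ignore rather than grow state
        parts[num] = frag[FRAG_HDR.size:]
        if flags & LAST_FRAGMENT:
            self.last[frag_id] = num
        last = self.last.get(frag_id)
        if last is not None and max(parts) > last:
            self._drop(frag_id)
            raise ValueError('fragment numbered beyond the last fragment')
        if last is not None and len(parts) == last:
            data = b''.join(parts[i] for i in range(1, last + 1))
            self._drop(frag_id)
            return data
        return None

    def _drop(self, frag_id):
        self.parts.pop(frag_id, None)
        self.last.pop(frag_id, None)


def reassemble_out_of_order(message, frag_id=0x1234, chunk=100):
    """Fragment `message`, deliver the fragments in reverse order and return the result."""
    r = FragmentReassembler()
    result = None
    for frag in reversed(build_fragments(message, frag_id, chunk)):
        result = r.add(frag)
    return result


if __name__ == '__main__':
    sample = bytes(range(256)) * 3   # constructed 768-byte "IKE message"
    print(reassemble_out_of_order(sample) == sample)
```

The cap is checked on the fragment number before any data is stored, which is the cheap place to reject a peer that keeps sending fragments; a real implementation would additionally tie the buffer to the ISAKMP SA and time it out.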
commit 326d7fa345c73eae94041c2db634290688153ffe
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:54:06 2013 -0500
* pluto: Add support for ike_frag=yes|no|force keyword
This adds the option to the parser, along with two policy flags
POLICY_IKE_FRAG_ALLOW and POLICY_IKE_FRAG_FORCE
We send the fragmentation vendorid except when ike_frag=no
Processing of fragments and sending of fragments are not yet
implemented with this commit.
VID_MISC_FRAGMENTATION renamed to VID_IKE_FRAGMENTATION
commit 4e78b421379a9c34f78a015b328395230c199374
Merge: de2f1f5 a38479b
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 22:18:01 2013 -0500
Merge branch 'master' into fragmentation
commit de2f1f5dc3d6ef9dccb3fdffad976a115b9b9f0d
Merge: 7c3ba62 32dc901
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jan 21 17:14:43 2013 -0500
Merge branch 'master' into fragmentation
commit 7c3ba626f9fee80e08ecdc28f226b4445acb79a6
Author: Paul Wouters <paul at libreswan.org>
Date: Wed Jan 16 13:22:13 2013 -0500
* IKE: Add cisco IKE fragmentation next payload pointer
This also renames the NAT draft payloads to their proper names,
and clarifies the 'relocation' comment, which is really about
the payload number change between draft (130,131) and RFC-3947 (20,21).