[Swan-commit] Changes to ref refs/heads/audit

Paul Wouters paul at vault.libreswan.fi
Sun Jan 27 01:05:10 EET 2013


New commits:
commit 33074f586e57d847f42b72e983d04a1d5f9c6b88
Merge: ab50f0e 9ac4101
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jan 26 18:05:04 2013 -0500

    Merge branch 'master' into audit

commit 9ac4101fe819d73dac1097bf88396452dd2169ee
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:59:20 2013 -0500

    * status: slight change in output of ipsec auto --status
    
    We used to only display metric and mtu when one of these was set.
    We now always display these. The prio and interface were moved on
    their own line with metric and mtu. This gives us more space for
    our ever increasing list of POLICY bits to be displayed.
    
    old:
    000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG; prio: 32,32; interface: virbr0;
    
    new:
    
    000 "redhat":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+XAUTH+AGGRESSIVE+IKEv2ALLOW+IKE_FRAG;
    000 "redhat":   prio: 32,32; interface: virbr0; metric:0, mtu:unset;
    
    For OE, the DNS policies (+lKOD and +rKOD) are added to the policy line, but after the ";"
    to avoid the confusion of thinking these are c->policy bits.

commit c4b8b3dd170f7b80458be857dfa8d18c24971af0
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:56:45 2013 -0500

    * libipsecconf: Do not set key_from_DNS_on_demand = TRUE per default
    
    For RSA connections, the OE settings turn this to TRUE if OE was
    used, and false otherwise. However, for PSK connections this was left
    at TRUE as well. Although it caused no harm, it could confusingly
    state "+lKOD+rKOD" in the policy for PSK connections.

commit a769227f37e8c320a3276e311aeb2b4c58b2abd2
Merge: 9ea8310 3b0d6c9
Author: Paul Wouters <paul at libreswan.org>
Date:   Sat Jan 26 11:04:50 2013 -0500

    Merge branch 'fragmentation' of vault.foobar.fi:/srv/src/libreswan into fragmentation

commit 3b0d6c99385d8b97efc75e5be52231353fdf0652
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 25 14:59:46 2013 +0100

    *debug: add debug lines in set_cur_state macro

commit 84172f1a521f778f72f69bb0f4e1ed83409b18d5
Author: Antony Antony <antony at phenome.org>
Date:   Fri Jan 25 14:59:05 2013 +0100

    *plutodebug: add debug lines debug racoon MODECFG situations

commit 93454a6630726e35df3f57c80b798e4e957bce2a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 23 21:00:12 2013 -0500

    * ike frags: Only log for controlmore, define MAX_IKE_FRAGMENTS 16

commit 5b7a8c3b8868be619742362c02b81820ecb2b203
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jan 23 20:58:52 2013 -0500

    * ipsec: Add "ipsec start|stop|restart" as aliases to "ipsec setup"

commit 9ea831051e3aa50b3a8a23bf36ac6aa028d725e7
Merge: b29ddb4 6d27b65
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 23 17:11:46 2013 -0500

    Merge branch 'master' into fragmentation

commit b29ddb46a32acee5523a806f9c3dcde476aa7dad
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:54:25 2013 -0500

    * updated changes

commit b9d8758fc681b317e92bcce49e5956a6d0e6902f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:23:21 2013 -0500

    * testing: added interop-racoon-iphone5-nonat
    
    This test, once completed, will test interop with iphone5's racoon
    using the Apple default of ike_frag force on the racoon side.

commit 88e33b64be8a5c439d51ac75f5a243bbabf989e4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 23:16:36 2013 -0500

    * IKEv1: Support for receiving IKEv1 fragments (not RFC)
    
    Added support for incoming fragmented ike packets to solve iOS6 (iphone)
    problems. This is often the case when large X.509 certificates are used.
    
    Some third-party vendor devices, such as firewalls configured for stateful
    packet inspection, do not permit the passthrough of User Datagram Protocol
    (UDP) fragments in case they are part of a fragmentation attack. If
    fragments are not passed through, Internet Key Exchange (IKE) negotiation
    fails because the intended responder for the virtual private network (VPN)
    tunnel cannot reconstruct the IKE packet and proceed with establishment
    of the tunnel.
    
    This feature provides for the fragmentation of large IKE packets into a series
    of smaller IKE packets to avoid fragmentation at the UDP layer.
    
    This feature provides support for Cisco IOS in terms of being a responder in an
    IKEv1 main mode exchange.
    
    Signed-off-by: Paul Wouters <pwouters at redhat.com>
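The "ike frags" commit above caps reassembly at MAX_IKE_FRAGMENTS 16, and the commit just above adds receiving of IKEv1 fragments. The following is an added illustration of why the cap matters on the receiving side, written for this page and not taken from libreswan's pluto: a small reassembler that validates each fragment before storing it, so a peer can never make the responder hold more than 16 pieces per message, and that only delivers the reassembled packet once fragments 1..last are all present. The 8-byte header layout (next payload, reserved, length, fragment ID, fragment number, flags with 0x01 marking the last fragment), the function names and the sample fragments are assumptions made for this example.

```c
/* Added example (not libreswan code): reassembling IKEv1 fragmentation
 * payloads under the MAX_IKE_FRAGMENTS cap from the commits above.
 * Header layout and the IKE_FRAG_LAST flag value are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IKE_FRAGMENTS 16  /* cap named in the "ike frags" commit above */
#define IKE_FRAG_HDR_LEN 8    /* assumed: next(1) reserved(1) length(2) frag_id(2) frag_num(1) flags(1) */
#define IKE_FRAG_LAST 0x01    /* assumed flag bit marking the final fragment */

enum frag_status { FRAG_REJECTED = -1, FRAG_STORED = 0, FRAG_COMPLETE = 1 };

struct ike_frag_set {
    int have_id;                        /* frag_id learnt from the first accepted fragment */
    uint16_t frag_id;
    uint8_t last_num;                   /* 0 until the LAST-flagged fragment arrives */
    uint8_t max_num;                    /* highest fragment number seen so far */
    unsigned stored;                    /* distinct fragments currently held */
    size_t len[MAX_IKE_FRAGMENTS + 1];  /* indexed by 1-based fragment number */
    uint8_t *data[MAX_IKE_FRAGMENTS + 1];
};

void frag_set_init(struct ike_frag_set *s) { memset(s, 0, sizeof *s); }

void frag_set_free(struct ike_frag_set *s)
{
    for (unsigned i = 1; i <= MAX_IKE_FRAGMENTS; i++)
        free(s->data[i]);
    frag_set_init(s);
}

/* Feed one fragmentation payload (header + data). Every check runs before
 * anything is stored, so memory held per message stays bounded by the cap. */
enum frag_status ike_frag_add(struct ike_frag_set *s, const uint8_t *buf, size_t buflen)
{
    if (buflen < IKE_FRAG_HDR_LEN)
        return FRAG_REJECTED;
    uint16_t plen  = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t id    = (uint16_t)((buf[4] << 8) | buf[5]);
    uint8_t  num   = buf[6];
    uint8_t  flags = buf[7];

    if (plen != buflen)                          /* length field must match what arrived */
        return FRAG_REJECTED;
    if (num == 0 || num > MAX_IKE_FRAGMENTS)     /* the cap: bounds per-message memory */
        return FRAG_REJECTED;
    if (s->have_id && s->frag_id != id)          /* belongs to a different message */
        return FRAG_REJECTED;
    if (s->last_num != 0 && num > s->last_num)   /* beyond the announced final fragment */
        return FRAG_REJECTED;
    if ((flags & IKE_FRAG_LAST) && (num < s->max_num || (s->last_num != 0 && s->last_num != num)))
        return FRAG_REJECTED;                    /* contradictory "last" claims */
    if (s->data[num] != NULL)                    /* retransmit of a piece we already hold */
        return FRAG_STORED;

    size_t dlen = plen - IKE_FRAG_HDR_LEN;
    uint8_t *copy = malloc(dlen ? dlen : 1);
    if (copy == NULL)
        return FRAG_REJECTED;
    memcpy(copy, buf + IKE_FRAG_HDR_LEN, dlen);
    s->data[num] = copy;
    s->len[num] = dlen;
    s->stored++;
    if (!s->have_id) { s->have_id = 1; s->frag_id = id; }
    if (num > s->max_num) s->max_num = num;
    if (flags & IKE_FRAG_LAST) s->last_num = num;
    /* stored == last_num means 1..last are all present: higher numbers were
     * rejected and duplicates were not counted */
    return (s->last_num != 0 && s->stored == s->last_num) ? FRAG_COMPLETE : FRAG_STORED;
}

/* Concatenate fragments 1..last into out. Returns total length, or -1 when
 * the set is incomplete or out is too small. */
long ike_frag_reassemble(const struct ike_frag_set *s, uint8_t *out, size_t outcap)
{
    if (s->last_num == 0 || s->stored != s->last_num)
        return -1;
    size_t total = 0;
    for (unsigned i = 1; i <= s->last_num; i++)
        total += s->len[i];
    if (total > outcap)
        return -1;
    size_t off = 0;
    for (unsigned i = 1; i <= s->last_num; i++) {
        memcpy(out + off, s->data[i], s->len[i]);
        off += s->len[i];
    }
    return (long)total;
}

/* Build one fragmentation payload (constructed test input). Returns its length. */
size_t ike_frag_build(uint8_t *out, uint16_t id, uint8_t num, int last, const char *d, size_t dlen)
{
    size_t plen = IKE_FRAG_HDR_LEN + dlen;
    out[0] = 0; out[1] = 0;
    out[2] = (uint8_t)(plen >> 8); out[3] = (uint8_t)plen;
    out[4] = (uint8_t)(id >> 8);   out[5] = (uint8_t)id;
    out[6] = num; out[7] = last ? IKE_FRAG_LAST : 0;
    memcpy(out + IKE_FRAG_HDR_LEN, d, dlen);
    return plen;
}

/* Demo: three fragments delivered out of order, one retransmit, and one
 * fragment numbered past the cap. Returns 1 when everything behaves. */
int ike_frag_demo(void)
{
    struct ike_frag_set s;
    uint8_t f1[32], f2[32], f3[32], bad[32], out[64];
    frag_set_init(&s);
    size_t l1 = ike_frag_build(f1, 0x1234, 1, 0, "large X.509 ", 12);
    size_t l2 = ike_frag_build(f2, 0x1234, 2, 0, "certificate ", 12);
    size_t l3 = ike_frag_build(f3, 0x1234, 3, 1, "payload", 7);
    size_t lb = ike_frag_build(bad, 0x1234, MAX_IKE_FRAGMENTS + 1, 0, "x", 1);
    int ok = ike_frag_add(&s, f2, l2) == FRAG_STORED
          && ike_frag_add(&s, bad, lb) == FRAG_REJECTED
          && ike_frag_add(&s, f3, l3) == FRAG_STORED
          && ike_frag_add(&s, f2, l2) == FRAG_STORED     /* retransmit is ignored */
          && ike_frag_add(&s, f1, l1) == FRAG_COMPLETE;
    long n = ike_frag_reassemble(&s, out, sizeof out);
    ok = ok && n == 31 && memcmp(out, "large X.509 certificate payload", 31) == 0;
    frag_set_free(&s);
    return ok;
}

int main(void)
{
    int ok = ike_frag_demo();
    printf("%s\n", ok ? "reassembled 3 fragments, rejected fragment 17" : "failed");
    return ok ? 0 : 1;
}
```

The set is keyed on the fragment ID learnt from the first accepted piece, so a real implementation would keep one such set per half-open exchange and discard it on timeout; the cap, the length check against the received size and the refusal of fragments numbered past the announced last one are what keep a flood of bogus fragments from costing more than a bounded amount of memory per peer.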

commit 326d7fa345c73eae94041c2db634290688153ffe
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:54:06 2013 -0500

    * pluto: Add support for ike_frag=yes|no|force keyword
    
    This adds the option to the parser, along with two policy flags
    POLICY_IKE_FRAG_ALLOW and POLICY_IKE_FRAG_FORCE
    
    We send the fragmentation vendorid except when ike_frag=no
    
    Processing of fragments and sending of fragments are not yet
    implemented with this commit.
    
    VID_MISC_FRAGMENTATION renamed to VID_IKE_FRAGMENTATION

commit 4e78b421379a9c34f78a015b328395230c199374
Merge: de2f1f5 a38479b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 22:18:01 2013 -0500

    Merge branch 'master' into fragmentation

commit de2f1f5dc3d6ef9dccb3fdffad976a115b9b9f0d
Merge: 7c3ba62 32dc901
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jan 21 17:14:43 2013 -0500

    Merge branch 'master' into fragmentation

commit 7c3ba626f9fee80e08ecdc28f226b4445acb79a6
Author: Paul Wouters <paul at libreswan.org>
Date:   Wed Jan 16 13:22:13 2013 -0500

    * IKE: Add cisco IKE fragmentation next payload pointer
    
    This also renames the NAT draft payloads in their proper name,
    and clarifies the 'relocation' comment, which is really about
    the payload number change between draft (130,131) and RFC-3947 (20,21)
