[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Wed Dec 30 00:01:53 UTC 2015
New commits:
commit be6d3e6bddaafda7e1fa67c147e4b5fd37e65616
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Dec 29 19:00:21 2015 -0500
testing: update reference output for VID/NAT/DPD/AGG output changes

commit d4a9b0898d3b879e7d8b432bab57bb5d234d952a
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Dec 29 18:54:09 2015 -0500
IKEv2: VID support including VID_OPPO and new keyword drop-oppo-null=yes|no
- Add Vendor ID support for IKEv2
- Send VID_OPPORTUNISTIC when doing Opportunistic IPsec with AUTH-NULL
- Minor logging changes for DPD/NAT-T/AGGR
- Don't assume there is a struct st when processing VIDs
- Add drop-oppo-null=yes|no option and --drop-oppo-null pluto flag
This config setup option can be used to drop packets that have
the VID_OPPORTUNISTIC payload that signifies an AUTH-NULL attempt.
This is so VPN servers that don't want to respond to these kinds
of requests can silently drop them. The default is no, meaning
a response will be sent (most likely NO_PROPOSAL_CHOSEN or
AUTHENTICATION_FAILED in IKE_AUTH_REPLY)
- Add ikev2_out_generic{_raw}() functions.
- Prefix a few functions with ikev1_* where not obvious
out_generic() and out_generic_raw() use "generic" struct and
then passert()s on the right fields being there. This does not
work for ikev1 because it uses ikev1 structs (struct isakmp_generic
and isag_fields). Therefore, these are split into ikev1/ikev2
functions where the ikev2 ones use struct ikev2_generic and
ikev2generic_fields. A more elegant method might be possible.
Due to out_generic() and out_generic_raw() being ikev1/ikev2
specific, some of the callers have become ikev1 specific too:
justship_nonce() -> ikev1_justship_nonce()
ship_nonce() -> ikev1_ship_nonce()
justship_KE() -> ikev1_justship_KE()
ship_KE() -> ikev1_ship_KE()
nat_traversal_add_natd() -> ikev1_nat_traversal_add_natd()