summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-11-13Set the architecture to 'all' since this package has no ↵Daniil Baturin
architecture-dependent files.
2018-11-13T1006: replace the is_valid_address.pl script with ipaddrcheck.Daniil Baturin
2018-09-28New branch.Daniil Baturin
2018-08-27Add plugins to dependencies.Daniil Baturin
2018-08-20Merge pull request #19 from runborg/currentDaniil Baturin
T787: Make sure dmvpn config is generated after ipsec config.
2018-08-19T787: Make sure dmvpn config is generated after ipsec config. this one needs ↵Runar Borge
more testing to test for breakages on ipsec
2018-08-08T767: cleanup vpn-config.pl - removal of KLIPSChristian Poessinger
Two IPsec kernel stacks are currently available: KLIPS and NETKEY. The Linux kernel NETKEY code is a rewrite from scratch of the KAME IPsec code. The KAME Project was a group effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementation for variants of the BSD UNIX computer operating system. KLIPS is not a part of the Linux kernel. When using KLIPS, you must apply a patch to the kernel to support NAT-T. When using NETKEY, NAT-T support is already inside the kernel, and there is no need to patch the kernel. [1] KLIPS part has been removed as we always used the NETKEY path in the Perl script. [1]: https://www.linuxjournal.com/article/9916
2018-08-08T767: remove IPSEC deprecated keyword 'interfaces'Christian Poessinger
'interfaces' option no longer available in StrongSWAN as of their Wiki [1]. [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
2018-08-05T71: call the ipsec-settings.py script in VPN.Daniil Baturin
2018-08-05T628: delete the default route from the StrongSWAN table (220 hardcoded) for ↵Daniil Baturin
VTI connections
2018-06-03T674: set DH group default in IKE groups to 2.Daniil Baturin
Using the default: tag in the template for now, this issue should be addressed properly when we get to rewriting IPsec scripts.
2018-06-02Merge branch 'current' of github.com:vyos/vyatta-cfg-vpn into currentDaniil Baturin
2018-06-02T675: for downgrading strongswan to 5.5, remove explicit dependency on libvici.Daniil Baturin
In 5.5 from stretch, it's inside the swanctl package. In 5.6 from sid, the swanctl package depends on it so we don't need to mention it explicitly anyway.
2018-02-27Merge pull request #18 from unixninja92/T542Kim
Lowered minimum DPD interval and timeout as per T542
2018-02-20Lowered minimum DPD interval and timeout as per T542unixninja92
2017-10-31Merge pull request #17 from Taniadz/currentDaniil Baturin
T126: charon listening on ALL interfaces
2017-10-31T126: charon listening on ALL interfaces(correct sorting)Taniadz
2017-10-27T126: charon listening on ALL interfaces(add ipsec restart)Taniadz
2017-10-25T126: charon listening on ALL interfaces( fix the style issues)Taniadz
2017-10-24T126: charon listening on ALL interfacesTaniadz
2017-10-13T423: use listNodes rather than listActiveNodes to enable completion for ↵Daniil Baturin
uncommited IKE and ESP groups.
2017-04-25Merge pull request #15 from smunaut/T137Kim
Fix VTI interface configuration to set both ikey and okey
2017-03-23Fix VTI interface configuration to set both ikey and okeySylvain Munaut
Without this, the outgoing traffic is marked and encrypted but incoming traffic isn't properly forwarded to the VTI and just gets dropped. Partially Fixes T137 Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
2017-03-04T287: Merge pull request #14 from paulgear/patch-1Daniil Baturin
T287: Add missingok to logrotate for ipsec
2017-03-02Add missingok to logrotate for ipsecPaul Gear
If this is not present, it causes hourly messages in /var/log/messages like this: Mar 2 19:17:01 vyos /USR/SBIN/CRON[9140]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) error (grandchild #9140 failed with exit status 1) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) info (No MTA installed, discarding output) This is because cron wants to produce output like the following when ipsec.log is not present: /etc/cron.hourly/vyatta-logrotate-hourly: error: stat of /var/log/vyatta/ipsec.log failed: No such file or directory run-parts: /etc/cron.hourly/vyatta-logrotate-hourly exited with return code 1
2016-03-23load swanctl configuration on ipsec startUnicronNL
2016-03-16use 'dh-group' for first ike proposalUnicronNL
enable config for dead peer detection
2016-03-08add secret from config to swanctl.confUnicronNL
2016-03-07add dependencies needed for dmvpn configurationKim Hagen
2016-02-25add libcrypt-openssl-rsa-perl dependencyKim Hagen
2016-02-24First version of new dmvpn script rewrite.Kim Hagen
2016-02-24remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.confKim Hagen
2016-02-23Update vpn check file from "charon.ctl" to "charon.pid".Kim Hagen
2016-02-11Update the changelog.Daniil Baturin
2016-02-11Merge branch 'lithium-strongswan5' of ↵Daniil Baturin
https://github.com/TriJetScud/vyatta-cfg-vpn into current
2016-02-11Revert "Remove charonstart an interfaces from ipsec.conf file, they are ↵Kim Hagen
depricated." This reverts commit fbddff7f2b6b485c93b5d3cf4d60a75f84c3a2b6.
2016-02-11Revert "Set default pfs and ike dh group. (required by strongswan charon)"Kim Hagen
This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385.
2016-02-11Set default pfs and ike dh group. (required by strongswan charon)Kim Hagen
2016-02-11Remove charonstart an interfaces from ipsec.conf file, they are depricated.Kim Hagen
2016-02-09Merge branch 'current' of github.com:vyos/vyatta-cfg-vpn into currentKim Hagen
2016-02-09Use dhcp instead of dhcp3.Kim Hagen
2016-01-29vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptionsJeff Leung
2016-01-250.12.105+vyos2+current2debian/0.12.105+vyos2+current2Daniil Baturin
2016-01-25Remove dependency on vyatta-ipsec for migration to upstream strongswan.Daniil Baturin
Update standards version and description.
2016-01-240.12.105+vyos2+current1debian/0.12.105+vyos2+current1Kim Hagen
2015-12-16Fix build depends.Thomas Jepp
2015-12-06Merge branch 'lithium' into lithium-strongswan5Jeff Leung
Conflicts: templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def Get the GCM and ChaCha20+Poly1305 ciphers to play nice with each other
2015-12-05vyatta-cfg-vpn: validate peer address for vti based vpn connectionsAlex Harpin
Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359
2015-12-05vyatta-cfg-vpn: validate local address for vti based vpn connectionsAlex Harpin
Validate the local address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for local addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #213 http://bugzilla.vyos.net/show_bug.cgi?id=213
2015-12-05vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewalAlex Harpin
VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table; with the end result of no traffic passing through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another, this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-30 08:11:29 +0000