summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-06-24Merge branch 'current' into lithiumlithiumDaniil Baturin
Conflicts: scripts/vpn-config.pl
2018-06-03T674: set DH group default in IKE groups to 2.Daniil Baturin
Using the default: tag in the template for now, this issue should be addressed properly when we get to rewriting IPsec scripts.
2018-06-02Merge branch 'current' of github.com:vyos/vyatta-cfg-vpn into currentDaniil Baturin
2018-06-02T675: for downgrading strongswan to 5.5, remove explicit dependency on libvici.Daniil Baturin
In 5.5 from stretch, it's inside the swanctl package. In 5.6 from sid, the swanctl package depends on it so we don't need to mention it explicitly anyway.
2018-02-27Merge pull request #18 from unixninja92/T542Kim
Lowered minimum DPD interval and timeout as per T542
2018-02-20Lowered minimum DPD interval and timeout as per T542unixninja92
2017-10-31Merge pull request #17 from Taniadz/currentDaniil Baturin
T126: charon listening on ALL interfaces
2017-10-31T126: charon listening on ALL interfaces(correct sorting)Taniadz
2017-10-27T126: charon listening on ALL interfaces(add ipsec restart)Taniadz
2017-10-25T126: charon listening on ALL interfaces( fix the style issues)Taniadz
2017-10-24T126: charon listening on ALL interfacesTaniadz
2017-10-13T423: use listNodes rather than listActiveNodes to enable completion for ↵Daniil Baturin
uncommited IKE and ESP groups.
2017-09-06T334 setting ESP DH Group properly on "esp=" line in ipsec.confKim
2017-04-25Merge pull request #15 from smunaut/T137Kim
Fix VTI interface configuration to set both ikey and okey
2017-03-23Fix VTI interface configuration to set both ikey and okeySylvain Munaut
Without this, the outgoing traffic is marked and encrypted but incoming traffic isn't properly forwarded to the VTI and just gets dropped. Partially Fixes T137 Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
2017-03-04T287: Merge pull request #14 from paulgear/patch-1Daniil Baturin
T287: Add missingok to logrotate for ipsec
2017-03-02Add missingok to logrotate for ipsecPaul Gear
If this is not present, it causes hourly messages in /var/log/messages like this: Mar 2 19:17:01 vyos /USR/SBIN/CRON[9140]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) error (grandchild #9140 failed with exit status 1) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) info (No MTA installed, discarding output) This is because cron wants to produce output like the following when ipsec.log is not present: /etc/cron.hourly/vyatta-logrotate-hourly: error: stat of /var/log/vyatta/ipsec.log failed: No such file or directory run-parts: /etc/cron.hourly/vyatta-logrotate-hourly exited with return code 1
2016-03-23load swanctl configuration on ipsec startUnicronNL
2016-03-16use 'dh-group' for first ike proposalUnicronNL
enable config for dead peer detection
2016-03-08add secret from config to swanctl.confUnicronNL
2016-03-07add dependencies needed for dmvpn configurationKim Hagen
2016-02-25add libcrypt-openssl-rsa-perl dependencyKim Hagen
2016-02-24First version of new dmvpn script rewrite.Kim Hagen
2016-02-24remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.confKim Hagen
2016-02-23Update vpn check file from "charon.ctl" to "charon.pid".Kim Hagen
2016-02-11Update the changelog.Daniil Baturin
2016-02-11Merge branch 'lithium-strongswan5' of ↵Daniil Baturin
https://github.com/TriJetScud/vyatta-cfg-vpn into current
2016-02-11Revert "Remove charonstart an interfaces from ipsec.conf file, they are ↵Kim Hagen
depricated." This reverts commit fbddff7f2b6b485c93b5d3cf4d60a75f84c3a2b6.
2016-02-11Revert "Set default pfs and ike dh group. (required by strongswan charon)"Kim Hagen
This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385.
2016-02-11Set default pfs and ike dh group. (required by strongswan charon)Kim Hagen
2016-02-11Remove charonstart an interfaces from ipsec.conf file, they are depricated.Kim Hagen
2016-02-09Merge branch 'current' of github.com:vyos/vyatta-cfg-vpn into currentKim Hagen
2016-02-09Use dhcp instead of dhcp3.Kim Hagen
2016-01-29vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptionsJeff Leung
2016-01-250.12.105+vyos2+current2debian/0.12.105+vyos2+current2Daniil Baturin
2016-01-25Remove dependency on vyatta-ipsec for migration to upstream strongswan.Daniil Baturin
Update standards version and description.
2016-01-240.12.105+vyos2+current1debian/0.12.105+vyos2+current1Kim Hagen
2015-12-16Fix build depends.Thomas Jepp
2015-12-06Merge branch 'lithium' into lithium-strongswan5Jeff Leung
Conflicts: templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def Get the GCM and ChaCha20+Poly1305 ciphers to play nice with each other
2015-12-05vyatta-cfg-vpn: validate peer address for vti based vpn connectionsAlex Harpin
Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359
2015-12-05vyatta-cfg-vpn: validate local address for vti based vpn connectionsAlex Harpin
Validate the local address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for local addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #213 http://bugzilla.vyos.net/show_bug.cgi?id=213
2015-12-05vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewalAlex Harpin
VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table; with the end result of no traffic passing through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another, this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568
2015-12-05vyatta-cfg-vpn: further tidy up of vyatta-vti-config.plAlex Harpin
Remove old comments and other minor tidying up / rearranging of scripts/vyatta-vti-config.pl
2015-12-05vyatta-cfg-vpn: formatting changes for style consistencyAlex Harpin
Perltidy run on scripts/vyatta-vti-config.pl to have consistent identation levels and style throughout.
2015-12-05Bug #469: add options for AES-128/256-GCM mode.Daniil Baturin
2015-12-05Move execution of nhrp script to "end" of ipsec config so it executes on all ↵Kim Hagen
changes made to the ipsec config
2015-12-05Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges.Jeff Leung
Starting with strongSwan 5.3.3, chacha20poly1305 is a supported cipher for IKE and ESP configurations with an IKEv2 configuration.
2015-11-04Whitespace fixesJeff Leung
2015-11-04Allow the user to include a custom ipsec.secrets file.Jeff Leung
This may be useful for scenarios where a user prefers to use an ECDSA key or implement an xauth IPSec RA server without having to code for the VyOS/EdgeOS platform.
2015-11-04Actually implement custom ipsec.conf filesJeff Leung
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-09 06:41:46 +0000