| Age | Commit message (Collapse) | Author |
|---|
|
strongSwan's charon by design maintains all established connections
regardless, even if the connection's profile has been deleted from
ipsec.conf.
This change will grab a list of old tunnels from the old configuration
and clean up old tunnels that are not present in the new configuration.
|
|
This needs to be updated or VPN configurations won't be properly
handled on subsequent updates.
|
|
Setting this to a default value breaks ikev2 configurations since
aggressive mode is only applicable for ikev1 tunnels
|
|
For some odd reason doing an ipsec update does not make charon
pick up any newly created tunnels. However doing an ipsec reload
updates all newly created tunnels correctly.
|
|
log-modes now expose charon's keywords instead of pluto's keywords.
Refer to the strongSwan's manual to see what each specific logger does.
|
|
|
|
Although strongly not recommended by the developers of strongSwan,
sometimes remote VPN gateways requires this because of interop
reasons or a network admin who doesn't have an idea on why
aggressive mode is bad.
|
|
|
|
In strongSwan 5.0.0 and later series, pfs= and pfsgroup= parameters have
now been removed.
|
|
Since strongSwan 5.0.0, defining the PFS group settings has moved in the
esp= parameter.
If PFS is simply enabled, it will use the first IKE proposal's dh-group as
the PFS group.
|
|
The IKE parameter parser now uses the new get_dh_cipher_result submodule
instead of the old if/else/elseif logic that was hardcoded to the parser.
This should help ease developers adding new Diffie-Hellman groups if there
are any in the future.
|
|
By adding this submodule we can reduce the amount of code we need to
maintain by having a single submodule that takes in a Diffie-Hellman group
number and translates it to what strongSwan expects.
|
|
In preperation of moving towards the strongSwan 5.x series, we are
removing the legacy charonstart=yes parameter in ipsec.conf.
Since strongSwan 5.0.0 pluto has been removed from the codebase and charon
is now the main daemon that handles IKEv1 and IKEv2 connections.
|
|
|
|
|
|
|
|
|
|
|
|
Updated the help for pre-shared secret key usage when special
characters are used. These need to be enclosed in single quotes
to stop them being expanded by the bash shell.
Bug #451 http://bugzilla.vyos.net/show_bug.cgi?id=451
|
|
|
|
|
|
|
|
|
|
characters.
|
|
Ikev2 reauth option
|
|
|
|
The cfgvti helper program was originally added for configuring VTIs.
The functionality it provided is now included upstream in iproute, so
it is no longer required following the previous commits for Bug #358.
Bug #358 http://bugzilla.vyos.net/show_bug.cgi?id=358
|
|
|
|
Update lib/Vyatta/VPN/vtiIntf.pm to have consistent identation levels
and style throughout.
|
|
Reduce the vtiMarkBase value to prevent integer overflow on the created
ip xfrm states and policies.
|
|
Update the VTI creation process to go along with the changes added to
the vyatta-strongswan package, due to changes in the kernel vti module.
This also removes the need for additional netfilter rules to ensure that
packets are directed to the corresponding VTI.
Bug #358 http://bugzilla.vyos.net/show_bug.cgi?id=358
|
|
Update the parseVtiTun function to account for the new way of
configuring VTIs.
Bug #358 http://bugzilla.vyos.net/show_bug.cgi?id=358
|
|
Move vtiIntf.pm to a more logical place, in line with all the other
packages.
|
|
per-tunnel ikev2-reauth node
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commits for Bug #291 and Bug #332
|
|
Prevent duplicate include statements, for the local rsa keys, being
added to the ipsec.secrets file when more than one VPN connection is
configured.
Bug #332 http://bugzilla.vyos.net/show_bug.cgi?id=332
|
|
Update scripts/vpn-config.pl to have consistent identation levels and
style throughout.
|
|
Rename vti-up-down.sh to vti-up-down to be consistent with others.
|
|
Revert the fix put in place for Bug #183 as this causes multiple routes
to be installed when more than one VTI routes to the same subnet (in
the case of failure over routing etc). As it stands, when one of these
interfaces goes down, the additional route remains active, resulting in
this route still being used even though no traffic can pass.
Removing the up-client fix proposed for Bug #183 fixes this issue and
doesn't affect the normal operation of these VTIs.
Bug #291 http://bugzilla.vyos.net/show_bug.cgi?id=291
|
|
vyatta-cfg-vpn: add libnfnetlink-dev to build dependencies
|
|
|
|
Add libnfnetlink-dev to the list of build dependencies, required for
compiling src/cfgcti.
Bug #317 http://bugzilla.vyos.net/show_bug.cgi?id=317
|
|
|
|
|
