summaryrefslogtreecommitdiff
path: root/scripts
AgeCommit message (Collapse)Author
2015-02-02Bug #367 - DMVPN Testing, but I do not see ESP traffic.Kim Hagen
2014-12-19Bug #415: use remote-id for peer ID unconditionally if it's set.Daniil Baturin
2014-12-19Bug #414: quote the leftid value to avoid problems with non-alphanumeric ↵Daniil Baturin
characters.
2014-12-18Merge pull request #11 from jhendryUK/ikev2_reauth_optionDaniil Baturin
Ikev2 reauth option
2014-12-04vyatta-cfg-vpn: update vti creation in line with changes to strongswanAlex Harpin
Update the VTI creation process to go along with the changes added to the vyatta-strongswan package, due to changes in the kernel vti module. This also removes the need for additional netfilter rules to ensure that packets are directed to the corresponding VTI. Bug #358 http://bugzilla.vyos.net/show_bug.cgi?id=358
2014-12-04vyatta-cfg-vpn: move scripts/vtiIntf.pm to lib/Vyatta/VPN/vtiIntf.pmAlex Harpin
Move vtiIntf.pm to a more logical place, in line with all the other packages.
2014-12-01Fixing syntax error in vpn-config.pl, fixing allowed parameters in the ↵Jason Hendry
per-tunnel ikev2-reauth node
2014-12-01Exposing ikev2 reauth option in CLI, defaulting to 'no'Jason Hendry
2014-10-19Remove the VTI script after use.Daniil Baturin
2014-10-05vyatta-cfg-vpn: prevent duplicate local rsa key includesAlex Harpin
Prevent duplicate include statements, for the local rsa keys, being added to the ipsec.secrets file when more than one VPN connection is configured. Bug #332 http://bugzilla.vyos.net/show_bug.cgi?id=332
2014-10-05vyatta-cfg-vpn: formatting changes for style consistencyAlex Harpin
Update scripts/vpn-config.pl to have consistent identation levels and style throughout.
2014-10-05vyatta-cfg-vpn: rename vti-up-down.sh to vti-up-downAlex Harpin
Rename vti-up-down.sh to vti-up-down to be consistent with others.
2014-10-05vyatta-cfg-vpn: fix for vti interface going down remains routedAlex Harpin
Revert the fix put in place for Bug #183 as this causes multiple routes to be installed when more than one VTI routes to the same subnet (in the case of failure over routing etc). As it stands, when one of these interfaces goes down, the additional route remains active, resulting in this route still being used even though no traffic can pass. Removing the up-client fix proposed for Bug #183 fixes this issue and doesn't affect the normal operation of these VTIs. Bug #291 http://bugzilla.vyos.net/show_bug.cgi?id=291
2014-08-03Bug #224: rename "enabled|disabled" to "enable|disable" for consistency.Daniil Baturin
2014-06-17Bug 241: Use auto=route for connection-type respond.Ryan Riske
2014-05-26Merge pull request #4 from TriJetScud/heliumDaniil Baturin
Remove automatic IKE version negoiation.
2014-05-25Initial MOBIKE Configuration SupportJeff Leung
For IKEv2, there is support for MOBIKE which basically allows IPSec connections to roam from interface to interface. When MOBIKE is used, the IKE negoiation phase uses UDP port 4500 rather than using proto-51. In strongSwan 4.5.x MOBIKE is automatically enabled for IKEv2 connections. We expose the ability to enable/disable MOBIKE to the user.
2014-05-25Bug 197: Add back support for groups 22-24 for phase2 pfsRyan Riske
2014-05-25Remove automatic IKE version negoiation.Jeff Leung
According to the strongSwan 4.5.x documentation, the keyexchange configuration value "ike" is a synonym to "ikev2". In strongSwan 5.0.0 however, the configuration value "ike" will try to negoiate IKEv2 connections but will accept IKEv1 connections if the remote peer sends an IKEv1 request.
2014-05-24Add support for DH groups 14-26Ryan Riske
2014-05-21Adding initial support for IKEv2/IKEv1 Site-to-Site VPN's by adding the ↵Jeff Leung
optional "vpn ipsec ike-group <IKEGROUP> key-exchange" parameter.
2014-04-27Bug #183: Add up-client action to the interface up/down script.Daniil Baturin
Patch by Masakazu Asama.
2014-01-29Fix vpn ppp up scriptStig Thormodsrud
Signed-off-by: Daniil Baturin <daniil@baturin.org>
2014-01-29Move %any peers to the end in ipsec.secretsStig Thormodsrud
Signed-off-by: Daniil Baturin <daniil@baturin.org>
2013-02-19perltidy run for vyatta-cfg-vpnSaurabh Mohan
2013-02-12mGRE support for change of local-ip addr change.Saurabh Mohan
VYATTA-118: workaround added to update ipsec settings when tunnel local-ip is modified.
2013-02-05Bug 8666: merged.Saurabh Mohan
2013-01-22Dmvpn merge with mirantis jan22-2013Saurabh Mohan
2012-12-27DMVPN support with profiles.Saurabh Mohan
2012-09-18Bugfix 8358: Handle vti tunnel src, dst changing while the bind tunnel name ↵Saurabh Mohan
stays the same. Fix the case when case the <peer,local-address> pairing changes but the tunnel is still bound to the same vti tunnel interface name(vtiXX). In that case when doing the cleanup do not delete the vti tunnel of the same name. Also fixed 8264: When the vti bind interface name is deleted.
2012-09-10Bugfix 8289: Vti mark values should be implicitSaurabh Mohan
Vti tunnel uses fwmark from the kernel skbuff. This value is now internally allocated instead of getting it from the configuration. Also fixed 8286 where configuration was allowing both a tunnel and VTI between the same vpn src/dst.
2012-09-04Bugfix 8277: For connection type respond do not attempt keying foreverSaurabh Mohan
When a connection-type is respond (configured using: set vpn ipsec site-to-site peer <ip-addr> connection-type [initiate | respond]), the device should not keep trying to key forever.
2012-08-09Bugfix 8264: Check if the intf name is defined before using it in the script.Saurabh Mohan
Fix the error message for undefined intf name in error message. Also, add changes to incorporate mark's from range 0-2047. Print warning if a vti interface is defined but not used. Hopefully this will help users understand that they have a partial configuration.
2012-07-25Bugfix 8222: deletion and adding bind parameter under vti deletes vti ↵Saurabh Mohan
interface in show interfaces output though vti configuration exists The bind, mark parameters can be changed individually but the vti script runs at the vpn node level. By that time the old value is not known. With this change now I find out the exisiting vti tunnels from the kernel and discover the old vti-name, and mark setting from there. After that it is possible to figure out if a. No change was done to a VTI: In that case do not do any config. b. If a tunnel was changed: Delete and create the tunnel again. c. If a tunnel was deleted: Remove the tunnel config from the kernel. d. If the tunnel was added: Configure it. Also, configure the vti interface prior to the strongswan configuration. This way if the ipsec tunnel comes up then we can bring the interface up/down (see Bug 8219). Remove the disable configuration param (see Bug 8221).
2012-07-16Workaround to setup vti ko and cleaner error message.Saurabh Mohan
2012-06-18Bugfix: 8015: supress perl warnings.Saurabh Mohan
2012-06-11VTI: Add support call for checking for vti interface name.Saurabh Mohan
2012-06-04VTI bring tunnel based on ipsec-sa state.Saurabh Mohan
2012-05-18VTI: cfg mark/bind change handlers.Saurabh Mohan
2012-05-17Merge branch 'pacifica' of http://git.vyatta.com/vyatta-cfg-vpn into pacificaSaurabh Mohan
2012-05-17Default keyexchange ikev1.Saurabh Mohan
2012-05-16Vti config support.Saurabh Mohan
2012-03-29Add commit-time config validation.Daniil Baturin
2012-03-29Add any special case for local-address instead of 0.0.0.0.Daniil Baturin
2012-03-29Rename "local/remote subnet" to "local/remote prefix".Daniil Baturin
2012-03-29Rename local-ip option to local-address.Daniil Baturin
2012-03-29Add a script for validating single IPv4 or IPv6 address with no prefixDaniil Baturin
length.
2012-02-29Fix uninitilized bugJohn Southworth
2012-02-28Bugfix 6839: Warn that pre-shared key changes aren't loaded until a rekey ↵John Southworth
interval
2011-06-15Bugfix 6767: Move /tmp/ipsec.log to /var/log/vyatta and rotate it.Bob Gilligan
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-01 09:23:15 +0000