vyatta-cfg-vpn.git - Vyatta VPN configuration (mirror of https://github.com/vyos/vyatta-cfg-vpn.git)

Age	Commit message (Collapse)	Author
2016-02-24	remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.conf	Kim Hagen

2016-02-11	Merge branch 'lithium-strongswan5' of ↵	Daniil Baturin
	https://github.com/TriJetScud/vyatta-cfg-vpn into current
2016-02-11	Revert "Set default pfs and ike dh group. (required by strongswan charon)"	Kim Hagen
	This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385.
2016-02-11	Set default pfs and ike dh group. (required by strongswan charon)	Kim Hagen

2016-02-09	Use dhcp instead of dhcp3.	Kim Hagen

2016-01-29	vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptions	Jeff Leung

2015-12-06	Merge branch 'lithium' into lithium-strongswan5	Jeff Leung
	Conflicts: templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def Get the GCM and ChaCha20+Poly1305 ciphers to play nice with each other
2015-12-05	Bug #469: add options for AES-128/256-GCM mode.	Daniil Baturin

2015-12-05	Move execution of nhrp script to "end" of ipsec config so it executes on all ↵	Kim Hagen
	changes made to the ipsec config
2015-12-05	Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges.	Jeff Leung
	Starting with strongSwan 5.3.3, chacha20poly1305 is a supported cipher for IKE and ESP configurations with an IKEv2 configuration.
2015-11-04	Allow the user to include a custom ipsec.secrets file.	Jeff Leung
	This may be useful for scenarios where a user prefers to use an ECDSA key or implement an xauth IPSec RA server without having to code for the VyOS/EdgeOS platform.
2015-06-14	Bug #504: add an option for pulling IPsec local id from the cert.	Daniil Baturin

2015-05-04	Bug #469: add options for AES-128/256-GCM mode.	Daniil Baturin

2015-02-16	Move execution of nhrp script to "end" of ipsec config so it executes on all ↵	Kim Hagen
	changes made to the ipsec config
2015-02-10	Allow the user to force UDP encapsulation for a named peer	Jeff Leung
	This might help with strongSwan traversing through firewalls that filter proto 51, but not UDP traffic.
2015-02-08	Correct typo'd aggressive option	Jeff Leung
	Originally we meant aggressive, not ikev2
2015-02-07	Remove the default value in ipsec ike-group $name mode	Jeff Leung
	Setting this to a default value breaks ikev2 configurations since aggressive mode is only applicable for ikev1 tunnels
2015-02-05	Update ipsec logging log-modes to point towards charon's loggers	Jeff Leung
	log-modes now expose charon's keywords instead of pluto's keywords. Refer to the strongSwan's manual to see what each specific logger does.
2015-02-05	Allow users to specify a custom file to be included with ipsec.conf	Jeff Leung

2015-02-05	Allow users to specify aggressive mode for IKEv1 key exchanges	Jeff Leung
	Although strongly not recommended by the developers of strongSwan, sometimes remote VPN gateways requires this because of interop reasons or a network admin who doesn't have an idea on why aggressive mode is bad.
2015-01-19	Remove @ from the id/remote-id help string. It was never required.	Daniil Baturin

2015-01-19	Bug #348: remove unnecessary restrictions on the PSK format.	Daniil Baturin

2015-01-17	vyatta-cfg-vpn: update pre-shared secret key help for single quotes	Alex Harpin
	Updated the help for pre-shared secret key usage when special characters are used. These need to be enclosed in single quotes to stop them being expanded by the bash shell. Bug #451 http://bugzilla.vyos.net/show_bug.cgi?id=451
2014-12-01	Fixing syntax error in vpn-config.pl, fixing allowed parameters in the ↵	Jason Hendry
	per-tunnel ikev2-reauth node
2014-12-01	Exposing ikev2 reauth option in CLI, defaulting to 'no'	Jason Hendry

2014-09-10	Remove gre-multipoint reference	Kim Hagen

2014-08-23	Rename vyatta-update-nhrp.pl to vyos-update-nhrp.pl and change options	Kim Hagen

2014-08-03	Bug #224: rename "enabled\|disabled" to "enable\|disable" for consistency.	Daniil Baturin

2014-05-26	Merge pull request #4 from TriJetScud/helium	Daniil Baturin
	Remove automatic IKE version negoiation.
2014-05-25	Initial MOBIKE Configuration Support	Jeff Leung
	For IKEv2, there is support for MOBIKE which basically allows IPSec connections to roam from interface to interface. When MOBIKE is used, the IKE negoiation phase uses UDP port 4500 rather than using proto-51. In strongSwan 4.5.x MOBIKE is automatically enabled for IKEv2 connections. We expose the ability to enable/disable MOBIKE to the user.
2014-05-25	Bug 197: Add back support for groups 22-24 for phase2 pfs	Ryan Riske

2014-05-25	Merge pull request #3 from ryanriske/helium-sha2	Daniil Baturin
	Bug 220: Add support for SHA2 hashes
2014-05-25	Remove automatic IKE version negoiation.	Jeff Leung
	According to the strongSwan 4.5.x documentation, the keyexchange configuration value "ike" is a synonym to "ikev2". In strongSwan 5.0.0 however, the configuration value "ike" will try to negoiate IKEv2 connections but will accept IKEv1 connections if the remote peer sends an IKEv1 request.
2014-05-25	Bug 220: Add support for SHA2 hashes	Ryan Riske

2014-05-24	Add support for DH groups 14-26	Ryan Riske

2014-05-21	Adding initial support for IKEv2/IKEv1 Site-to-Site VPN's by adding the ↵	Jeff Leung
	optional "vpn ipsec ike-group <IKEGROUP> key-exchange" parameter.
2013-01-22	Dmvpn merge with mirantis jan22-2013	Saurabh Mohan

2012-12-27	DMVPN support with profiles.	Saurabh Mohan

2012-10-04	Bug 8200: Changed grep to not display shim6	Bharat

2012-09-10	Bugfix 8289: Vti mark values should be implicit	Saurabh Mohan
	Vti tunnel uses fwmark from the kernel skbuff. This value is now internally allocated instead of getting it from the configuration. Also fixed 8286 where configuration was allowing both a tunnel and VTI between the same vpn src/dst.
2012-08-09	Bugfix 8264: Check if the intf name is defined before using it in the script.	Saurabh Mohan
	Fix the error message for undefined intf name in error message. Also, add changes to incorporate mark's from range 0-2047. Print warning if a vti interface is defined but not used. Hopefully this will help users understand that they have a partial configuration.
2012-07-25	Bugfix 8222: deletion and adding bind parameter under vti deletes vti ↵	Saurabh Mohan
	interface in show interfaces output though vti configuration exists The bind, mark parameters can be changed individually but the vti script runs at the vpn node level. By that time the old value is not known. With this change now I find out the exisiting vti tunnels from the kernel and discover the old vti-name, and mark setting from there. After that it is possible to figure out if a. No change was done to a VTI: In that case do not do any config. b. If a tunnel was changed: Delete and create the tunnel again. c. If a tunnel was deleted: Remove the tunnel config from the kernel. d. If the tunnel was added: Configure it. Also, configure the vti interface prior to the strongswan configuration. This way if the ipsec tunnel comes up then we can bring the interface up/down (see Bug 8219). Remove the disable configuration param (see Bug 8221).
2012-06-11	VTI: Add support call for checking for vti interface name.	Saurabh Mohan

2012-05-31	Bugfix 8100: Be flexible in char accepted in id field.	Saurabh Mohan

2012-05-18	VTI: cfg mark/bind change handlers.	Saurabh Mohan

2012-05-16	Vti config support.	Saurabh Mohan

2012-03-29	Add any special case for local-address instead of 0.0.0.0.	Daniil Baturin

2012-03-29	Rename "local/remote subnet" to "local/remote prefix".	Daniil Baturin

2012-03-29	Fix protocol help string capitalization.	Daniil Baturin

2012-03-29	Add IPv6 address completion for peer.	Daniil Baturin