authorYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
commit51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch)
tree2a03e117d072c55cfe2863d26b73e64d933e7ad8 /conf
parent7793611ee71b576dd9c66dee327349fa64e38740 (diff)
New upstream version 5.6.3
Diffstat (limited to 'conf')
-rw-r--r--conf/plugins/dhcp.conf3
-rw-r--r--conf/plugins/dhcp.opt3
-rw-r--r--conf/plugins/kernel-pfkey.conf3
-rw-r--r--conf/plugins/kernel-pfkey.opt10
-rw-r--r--conf/strongswan.conf.5.main12
-rw-r--r--conf/strongswan.conf.5.tail.in2
6 files changed, 29 insertions, 4 deletions
diff --git a/conf/plugins/dhcp.conf b/conf/plugins/dhcp.conf
index b0e8c84c8..88bbe36e3 100644
--- a/conf/plugins/dhcp.conf
+++ b/conf/plugins/dhcp.conf
@@ -3,7 +3,8 @@ dhcp {
# Always use the configured server address.
# force_server_address = no
- # Derive user-defined MAC address from hash of IKE identity.
+ # Derive user-defined MAC address from hash of IKE identity and send client
+ # identity DHCP option.
# identity_lease = no
# Interface name the plugin uses for address allocation.
diff --git a/conf/plugins/dhcp.opt b/conf/plugins/dhcp.opt
index 9c7b86091..6b337bc34 100644
--- a/conf/plugins/dhcp.opt
+++ b/conf/plugins/dhcp.opt
@@ -9,7 +9,8 @@ charon.plugins.dhcp.force_server_address = no
192.168.0.255) as server address might work.
charon.plugins.dhcp.identity_lease = no
- Derive user-defined MAC address from hash of IKE identity.
+ Derive user-defined MAC address from hash of IKE identity and send client
+ identity DHCP option.
charon.plugins.dhcp.server = 255.255.255.255
DHCP server unicast or broadcast IP address.
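Review bot: The new summary for `charon.plugins.dhcp.identity_lease` says a client identity DHCP option is sent, but not what that discloses. Assuming the option carries the IKE identity (the sending code is not part of this diff), enabling it exposes that identity to the DHCP server and, with the default `charon.plugins.dhcp.server = 255.255.255.255` shown just below, to any host that can observe the broadcast on that segment. A long-description paragraph after the summary would let operators weigh this, for example `With this option enabled the IKE identity is disclosed to the DHCP server and to hosts that can observe the DHCP traffic.` The option defaults to `no`, so this is a documentation point only; the same summary line appears in the dhcp.conf and strongswan.conf.5.main hunks.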
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf
index 2d4733e74..f4340e7fe 100644
--- a/conf/plugins/kernel-pfkey.conf
+++ b/conf/plugins/kernel-pfkey.conf
@@ -7,5 +7,8 @@ kernel-pfkey {
# priority of this plugin.
load = yes
+ # Whether to use the internal or external interface in installed routes.
+ # route_via_internal = no
+
}
diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
index ec05215d3..0e347bebb 100644
--- a/conf/plugins/kernel-pfkey.opt
+++ b/conf/plugins/kernel-pfkey.opt
@@ -5,3 +5,13 @@ charon.plugins.kernel-pfkey.events_buffer_size = 0
Because events are received asynchronously installing e.g. lots of policies
may require a larger buffer than the default on certain platforms in order
to receive all messages.
+
+charon.plugins.kernel-pfkey.route_via_internal = no
+ Whether to use the internal or external interface in installed routes.
+
+ Whether to use the internal or external interface in installed routes.
+ The internal interface is the one where the IP address contained in the
+ local traffic selector is located, the external interface is the one over
+ which the destination address of the IPsec tunnel can be reached.
+ This is not relevant if virtual IPs are used, for which a TUN device is
+ created that's used in the routes.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 977403e91..f83211805 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -542,7 +542,8 @@ this option to yes and configuring the local broadcast address (e.g.
.TP
.BR charon.plugins.dhcp.identity_lease " [no]"
-Derive user\-defined MAC address from hash of IKE identity.
+Derive user\-defined MAC address from hash of IKE identity and send client
+identity DHCP option.
.TP
.BR charon.plugins.dhcp.interface " []"
@@ -1107,6 +1108,15 @@ a larger buffer than the default on certain platforms in order to receive all
messages.
.TP
+.BR charon.plugins.kernel-pfkey.route_via_internal " [no]"
+Whether to use the internal or external interface in installed routes. The
+internal interface is the one where the IP address contained in the local
+traffic selector is located, the external interface is the one over which the
+destination address of the IPsec tunnel can be reached. This is not relevant if
+virtual IPs are used, for which a TUN device is created that's used in the
+routes.
+
+.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
index f428fc323..a93fe020a 100644
--- a/conf/strongswan.conf.5.tail.in
+++ b/conf/strongswan.conf.5.tail.in
@@ -93,7 +93,7 @@ Absolutely silent
Very basic auditing logs, (e.g. SA up/SA down)
.TP
.B 1
-Generic control flow with errors, a good default to see whats going on
+Generic control flow with errors, a good default to see what's going on
.TP
.B 2
More detailed debugging control flow