Commit message | Author | Age
strongswan: add kernel module dependency on chapoly
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).
Signed-off-by: Joel Low <joel@joelsplace.sg>
strongswan: add wolfssl plugin
Signed-off-by: Derek Yerger <derek@altdevs.net>
Signed-off-by: Joel Low <joel@joelsplace.sg>
strongswan: Update to 5.9.6
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The default firewall is fw4, which uses nft. In order not to
install the legacy implementation when installing strongswan, the build
system should decide which firewall backend to use.
While we are at it, I have also added the dependency packages for IPv6.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The forecast plugin does not require the iptables binary, it uses
libiptc instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The connmark plugin does not require the iptables binary, it uses
libiptc instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Let's move the iptables IPsec dependencies out of the strongswan package
and into the plugin package that actually depends on it,
strongswan-mod-updown. As the default updown script calls the iptables
binary, also add a dependency on the iptables-legacy package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Most usages seem to be outdated and fixed a long time ago.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix the following build failures by adding the missing dependencies:
Package strongswan-mod-connmark is missing dependencies for the following libraries:
libip4tc.so.2
Package strongswan-mod-forecast is missing dependencies for the following libraries:
libip4tc.so.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This option sets the interface of the policy.
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use lists where appropriate for multi-value config variables.
Forbid absolute/relative paths for certificate and key files.
Get rid of last remnants of left/right naming.
Factor invariant code paths.
Drop redundant secrets.rsa.filename section.
Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).
Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.
Running charon directly from procd via the init.d script avoids
all of this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
strongswan: make default bundle use swanctl
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
|/
|
|
|
|
| |
Fixes issue #15446
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
chacha20poly1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
A subshell caused by $(...) can't persistently modify globals as a
side-effect.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
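The subshell pitfall named in the commit above, as an added example that is not code from the OpenWrt strongswan init script: a helper that records state in a global while also writing output on stdout loses the global update whenever it is invoked inside `$(...)`, because `$(...)` forks a subshell. The variable names (NEEDED_MODS, EMITTED, the "esp"/"gcm" config keys) are hypothetical and chosen only to mirror the kind of bookkeeping a UCI-to-swanctl generator does.

```sh
#!/bin/sh
# Added example, not code from the OpenWrt strongswan package.

# Global accumulator (hypothetical name), e.g. the kernel modules the
# generated configuration will need.
NEEDED_MODS=""

# Wrong pattern: emits a config line on stdout AND appends to NEEDED_MODS.
# When called as line=$(emit_and_record ...) the append runs in a subshell
# and is thrown away together with that subshell.
emit_and_record() {
    NEEDED_MODS="$NEEDED_MODS $2"
    echo "    $1 = yes"
}

# Right pattern: same bookkeeping, but the "output" goes into a named
# global (EMITTED) so the caller never needs $(...) and no subshell is
# involved.
record_in_place() {
    NEEDED_MODS="$NEEDED_MODS $2"
    EMITTED="    $1 = yes"
}

# Collects modules the wrong way; always returns an empty list.
collect_wrong() {
    NEEDED_MODS=""
    line=$(emit_and_record esp chapoly)    # subshell: parent's NEEDED_MODS unchanged
    line=$(emit_and_record gcm aes_gcm)    # same here; $line holds the config text
    echo "${NEEDED_MODS# }"
}

# Collects modules the right way; returns "chapoly aes_gcm".
collect_right() {
    NEEDED_MODS=""
    record_in_place esp chapoly            # same shell: NEEDED_MODS grows
    record_in_place gcm aes_gcm
    echo "${NEEDED_MODS# }"
}
```

The symptom is silent: the generator still writes a valid-looking config, only the side-channel state (here the module list) is empty, which is exactly the kind of bug the commit fixed by moving the call out of `$(...)`.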
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
strongswan: add more crypto plugins
Adds modules for BLISS signature scheme, NTRU and New Hope key
exchange algorithms, and dependencies ChaCha20-Poly1305 AEAD,
ChaCha20 XOF, MGF1 mask generation function, SHA3 hasher SHAKE
XOF, and the Number Theoretic Transform library.
Signed-off-by: Derek Yerger <derek@altdevs.net>
Retire weak algorithms like MD5 and 3DES.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
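Two of the commits on this page constrain how proposal strings are assembled: the AEAD fix for issue #15397 (an AEAD cipher such as chacha20poly1305 or aes128gcm16 must not be combined with a hash/integrity algorithm) and the retirement of MD5 and 3DES just above. The following is an added example, not the package's init script, of a small POSIX sh proposal builder that applies both rules to separate encryption/integrity/DH fields as a UCI-to-swanctl generator would. The function names are hypothetical; the algorithm keywords are strongSwan's own.

```sh
#!/bin/sh
# Added example, not code from the OpenWrt strongswan package.

# True if ENC is an AEAD cipher as strongSwan names it (GCM, CCM or
# ChaCha20-Poly1305). AEADs carry their own integrity, so strongSwan
# rejects a proposal like "chacha20poly1305-sha256".
is_aead() {
    case "$1" in
        aes*gcm*|aes*ccm*|chacha20poly1305) return 0 ;;
        *) return 1 ;;
    esac
}

# True if ALG is one of the algorithms retired from the package defaults.
is_retired() {
    case "$1" in
        md5|3des) return 0 ;;
        *) return 1 ;;
    esac
}

# esp_proposal ENC INTEG DH -> ESP proposal on stdout, return 1 on a
# retired algorithm. INTEG is dropped for AEADs; DH may be empty (no PFS).
esp_proposal() {
    if is_retired "$1" || is_retired "$2"; then
        echo "refusing retired algorithm in $1/$2" >&2
        return 1
    fi
    p=$1
    if ! is_aead "$1" && [ -n "$2" ]; then
        p="$p-$2"
    fi
    if [ -n "$3" ]; then
        p="$p-$3"
    fi
    echo "$p"
}

# ike_proposal ENC INTEG DH -> IKE proposal on stdout. IKE always needs a
# PRF: with an AEAD the integrity keyword is replaced by the matching prf*
# keyword (sha256 -> prfsha256); with a classic cipher the PRF is implied
# by the integrity algorithm, so the plain form is kept.
ike_proposal() {
    if is_retired "$1" || is_retired "$2"; then
        echo "refusing retired algorithm in $1/$2" >&2
        return 1
    fi
    if is_aead "$1"; then
        echo "$1-prf$2-$3"
    else
        echo "$1-$2-$3"
    fi
}
```

The distinction between the two functions is the part that is easy to get wrong: dropping the hash is right for ESP, but for IKE an AEAD still needs an explicit PRF, otherwise charon falls back to its default PRF list rather than the one the administrator intended.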
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If you shut down the ipsec service and it doesn't clean up
/var/ipsec/ipsec.conf, then when you start the swanctl service it
might see an incompatible file on startup. Remedy is to
remove unneeded files when shutting down the service. They
can always be regenerated when the service starts again.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
|
|/
|
|
|
|
|
| |
These config files are only used by the ipsec interface to charon,
and shouldn't be part of the base package.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Having scripts diddle user-written config files seems potentially
dangerous. Plus there's really no downside to including some
empty files. Best to just make the includes be permanent.
Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting. The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This has been observed by myself and @luizluca: ip route get is
appending uid 0 to the output, as seen from:
    root@OpenWrt2:~# ip route get 1.1.1.1
    1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
        cache
    root@OpenWrt2:~#
so the fix is an anchored match, discarding all else. Also, using
ip -o means never having to do multiline matches...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
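The parsing problem described in the commit above, as an added example that is not code from the OpenWrt strongswan init script: the sample lines are constructed from the `ip route get` output quoted in the message, rendered the way `ip -o` folds the second line into the first (the line break becomes a backslash). The naive "everything after src" extraction swallows the trailing `uid 0` and `cache` fields; the anchored sed match from the commit fixes the IPv4 case, and the awk variant generalises it to any keyword (src, dev, via) and to values that are not dotted quads, such as IPv6 addresses. Function names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the OpenWrt strongswan package.

# Constructed samples of `ip -o route get <dst>` output, modelled on the
# commit message above. The second has no "via" (directly connected).
SAMPLE_VIA='1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0 \    cache'
SAMPLE_DIRECT='192.168.1.7 dev br-lan src 192.168.1.1 uid 0 \    cache'

# Fragile: strips up to "src " and keeps the rest, so the result is
# "174.27.182.184 uid 0 \    cache" instead of the address.
naive_src() {
    printf '%s\n' "$1" | sed 's/^.* src //'
}

# Anchored: match the whole line and keep only the dotted quad after "src".
# Anything that follows (uid, cache) is consumed by the trailing .*$.
anchored_src() {
    printf '%s\n' "$1" | sed -n 's/^.* src \([0-9.][0-9.]*\).*$/\1/p'
}

# General: walk the key/value pairs and print the value after KEY.
# Works for src, dev, via and for IPv6 values; prints nothing when the
# key is absent (e.g. "via" on a directly connected route).
# Usage: route_field KEY "LINE"
route_field() {
    printf '%s\n' "$2" | awk -v key="$1" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}
```

Because `ip -o` guarantees one record per line, each helper can be fed the output of `ip -o route get "$peer"` directly without any multi-line state, which is the second point the commit makes.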
strongswan: create /etc/swanctl/conf.d directory
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>