path: root/etc/inc/ipsec.inc
Commit message [Author, Age, Files, Lines]
* Try to remove as much as possible _stf special case through the code [Ermal, 2013-03-18, 1 file, -5/+5]
|
* Fixes IPSec Status for natted tunnels [Michele Di Maria, 2013-03-15, 1 file, -1/+1]
|   See http://redmine.pfsense.org/issues/2884 for details. Thanks, Michele
* IPsec status corrections, should fix #2861 [jim-p, 2013-03-06, 1 file, -3/+3]
|
* When auth algorithm is hmac-sha512, it produces long lines and wraps them, which breaks the parser. Ignore lines that start with a space to fix it. Fixes #2842 [Renato Botelho, 2013-02-26, 1 file, -1/+1]
|
* Make function return correct address info for respective family [Ermal, 2013-02-11, 1 file, -42/+59]
|
* Correct function name [Ermal, 2013-02-07, 1 file, -4/+4]
|
* Fix IPsec status when using interface macros (e.g. "LAN subnet") and handle matching better when IPs may not match up due to IPv6 formatting/compression. [jim-p, 2013-02-06, 1 file, -16/+35]
|
* Correct displaying of ipsec status for natted networks. [Ermal, 2013-01-27, 1 file, -1/+1]
|
* This should fix ipsec status for natted tunnel(s). [Ermal, 2012-10-05, 1 file, -3/+8]
|
* Activate more Hash, DH, and PFS options that are available in racoon now. Note that SHA256-512 are RFC4868 compliant in FreeBSD, may break with other incompatible stacks. [jim-p, 2012-08-02, 1 file, -6/+31]
|
* Add Gateway Group support to the IPsec interface drop down. [smos, 2012-06-03, 1 file, -1/+1]
|   Edit of gateway group correctly reflects the new IP Address. We need to make a blacklist for interface names in the gateway group edit page. Redmine ticket #1965
* Don't display a "mobile" user without a username. [jim-p, 2012-05-30, 1 file, -1/+2]
|
* List logged-in IPsec xauth users and provide a mechanism to disconnect them. Implements #1986 [jim-p, 2012-05-25, 1 file, -0/+37]
|
* Don't do resolve_retry on ipsec_get_phase1_dst() results, because ipsec_get_phase1_dst() already does that before returning output. [jim-p, 2012-05-24, 1 file, -1/+1]
|
* Test for empty here, rather than !, so a blank value (as from mobile clients) doesn't fall to the other tests. [jim-p, 2012-05-24, 1 file, -1/+1]
|
* Merge remote-tracking branch 'upstream/master' [jim-p, 2011-07-12, 1 file, -15/+15]
|\
| |   Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
| * Merge remote-tracking branch 'mainline/master' into inc [Vinicius Coque, 2011-06-28, 1 file, -1/+2]
| |\
| * \ Merge remote-tracking branch 'mainline/master' into inc [Vinicius Coque, 2011-06-07, 1 file, -0/+4]
| |\ \
| | | |   Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
| * \ \ Merge remote-tracking branch 'mainline/master' into inc [Vinicius Coque, 2011-03-25, 1 file, -3/+5]
| |\ \ \
| | | | |   Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc etc/inc/shaper.inc etc/inc/voucher.inc etc/inc/vpn.inc usr/local/www/fbegin.inc
| * \ \ \ Merge branch 'master' into inc [Vinicius Coque, 2011-01-28, 1 file, -0/+17]
| |\ \ \ \
| | | | | |   Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc etc/inc/system.inc etc/inc/voucher.inc
| * \ \ \ \ Merge remote branch 'mainline/master' into inc [Vinicius Coque, 2010-12-14, 1 file, -5/+11]
| |\ \ \ \ \
| | | | | | |   Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc etc/inc/upgrade_config.inc etc/inc/xmlparse.inc usr/local/www/fbegin.inc
| * | | | | | Implement gettext() calls on ipsec.inc [Carlos Eduardo Ramos, 2010-08-16, 1 file, -15/+15]
| | | | | | |
* | | | | | | Merge remote branch 'upstream/master' [jim-p, 2011-06-27, 1 file, -1/+2]
|\ \ \ \ \ \ \
| | |_|_|_|_|/
| |/| | | | |
| * | | | | | Bail out of ipsec_get_phase1_dst if there is no remote gateway, else it falls into running resolve_retry() with invalid parameters causing a long delay in returning. [jim-p, 2011-06-27, 1 file, -1/+2]
| | |_|_|_|/
| |/| | | |
* | | | | | Merge remote branch 'upstream/master' [jim-p, 2011-06-03, 1 file, -0/+4]
|\ \ \ \ \ \
| |/ / / / /
| | | | | |   Conflicts: etc/inc/openvpn.inc
| * | | | | Show how much data has passed on an SAD entry. [jim-p, 2011-06-02, 1 file, -0/+4]
| | |_|_|/
| |/| | |
* | | | | Try to make IPv6 feature complete for IPv6 support. Looks like ipsec-tools was built without v6 support, make sure you have a newer build [Seth Mos, 2011-03-15, 1 file, -19/+42]
| | | | |
* | | | | Extend the IPsec configuration with a protocol family for the phase 1 [Seth Mos, 2011-03-14, 1 file, -4/+11]
| | | | |
* | | | | Make sure to note the limitations to gethostbyname, it does not work for Quad A records. Fix resolve_retry in the process, use that. [Seth Mos, 2011-03-14, 1 file, -1/+1]
| | | | |
* | | | | Add the ability to differentiate between v4 and v6 tunnels. Bill says he can test [Seth Mos, 2011-03-11, 1 file, -1/+2]
|/ / / /
* | | | Don't forget to include $g, otherwise the check will fail and still perform a DNS resolve [smos, 2011-02-21, 1 file, -0/+1]
| | | |
* | | | Hold off on resolve_retry during boot. The rest of the IPsec config is already delayed during boot for tunnels with hostnames [smos, 2011-02-21, 1 file, -3/+4]
| |_|/
|/| |
* | | Ticket #1116: anonymous sainfo may be used only for single phase2 ipsec VPN's [Pierre POMES, 2010-12-28, 1 file, -1/+18]
| |/
|/|
* | Add IPSec 'ipalias' VIP support. Ticket #1041 [Pierre POMES, 2010-12-10, 1 file, -5/+11]
| |
* | Remove trailing carriage return [Scott Ullrich, 2010-11-10, 1 file, -1/+1]
|/
* Bring back IPsec PSK Tab/Edit. Part of ticket #108. Still needs backend code to use the resulting keys. [jim-p, 2010-05-06, 1 file, -0/+10]
|
* Ticket #430. Give a none option to allow for roadwarriors configs. [Ermal Luçi, 2010-03-16, 1 file, -3/+7]
|
* Revert "Turn off xauth by default. Ticket #108" [sullrich, 2009-12-02, 1 file, -2/+2]
|   This reverts commit 7998c3f280370991beca62c6a99ae6dd6051228a.
* Turn off xauth by default. Ticket #108 [sullrich, 2009-12-02, 1 file, -2/+2]
|
* Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions [Scott Ullrich, 2009-09-12, 1 file, -0/+4]
|
* * Make the carp ip fix for ipsec more general so other services that use the same methodology work. [Ermal Luçi, 2009-04-22, 1 file, -4/+1]
|   - Basically get_interface_ip() now knows how to handle carp(4).
|   * Move interface related function from pfsense-utils.inc to interfaces.inc that is their place.
|   - More will come after the schedules fixes.
* * Fix ipsec over carp handling. [Ermal Luçi, 2009-04-22, 1 file, -3/+5]
|   * Do not use interface in upper case when working on the backends.
|   * Do not print Configuring IPSec during bootup if there is nothing configured.
* * Hide interfaces internals to other code and use the proper interfaces. [Ermal Luçi, 2009-03-30, 1 file, -5/+5]
|   Basically use get_interface*() functions instead of accessing fields like 'ipaddr'/'descr' etc...
|   * Make get_interfaces_with_gateway less heavyweight by getting information from the configuration stored in config.xml
|   * Some other missed custom interface list building and substituting with proper get_configured_interface*()
|   NOTE: This should give independence on dynamic interfaces on some services that before could not be used on top of this type of interfaces.
* Modify IPsec code to allow for transport mode. All existing configurations are marked as tunnel for backwards compatibility. There are problems with the spd read code which will likely choke on transport entries. We can fix this later. [mgrooms, 2009-03-15, 1 file, -0/+4]
|
* fix display of ipsec tunnel status when using DNS entries for the endpoints [Bill Marquette, 2009-02-27, 1 file, -1/+1]
|
* Correctly return phase2 status for tunnels with hostnames [Seth Mos, 2009-01-16, 1 file, -1/+1]
|
* Rework most of the OpenVPN support. The interfaces have been updated to not use the pkg system and the configuration has been migrated to an openvpn prefix. The centralized user and certificate manager is now used to support the openvpn configurations. Most of the files removed in this commit were not being referenced. This commit also splits out the certificate management components into a new system menu item. [Matthew Grooms, 2008-08-26, 1 file, -0/+23]
|
* Remove the vpn_endpoint_determine function. It did not work properly when CARP devices were in use. Use the newer ipsec_get_phase1_src instead. [Matthew Grooms, 2008-08-02, 1 file, -0/+3]
|
* Introduce a new and improved version of IPsec mobile client support. The mobile client tab is now used to configure user authentication (Xauth) and client configuration (mode-cfg) options. User authentication is currently limited to system password file entries. This will be extended to support external RADIUS and LDAP account DBs in a follow up commit. [Matthew Grooms, 2008-07-13, 1 file, -0/+75]
|
* Overhaul IPsec related code. Shared functions have been consolidated into a new file named /etc/ipsec.inc. Tunnel definitions have been split into phase1 and phase2. This allows any number of phase2 definitions to be created for a single phase1 definition. Several facets of configuration have also been improved. The key size for variable length algorithms can now be selected and the phase1 ID options have been extended to allow for more flexible configuration. Several NAT-T related issues have also been resolved. Please note, IPsec remote access functionality has been temporarily disabled. An improved implementation will be included in a follow up commit. [Matthew Grooms, 2008-07-11, 1 file, -0/+344]