When support for send_cert was added in 4b9453b9a4, the $send_cert
variable was inadvertently global. Make it local to avoid polluting the
global namespace and make the code easier to reason about.
Fixes: 4b9453b9a4 ("strongswan: Add support for send_cert option")
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Support for EAP-MSCHAPv2 authentication scheme is added.
Different from the previously supported schemes, this one is
usually asymmetric in the way that server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.
A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.
Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>
Before this commit, if a user configures multiple remotes in UCI,
each remote generates one output section of pools.
This doesn't hurt because swanctl just merges all of them,
but it is apparently not needed to have N copies of the same.
This commit changes the behavior to only create one pools
section at the end of the generated swanctl config.
Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>
Fixes#20848
Add interface triggers if interfaces to listen to are specified in
`/etc/config/ipsec`. This fixes the "running with no instances" scenario
after rebooting a router.
Signed-off-by: Joel Low <joel@joelsplace.sg>
This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).
Signed-off-by: Joel Low <joel@joelsplace.sg>
This option sets the interface of the policy.
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use list's where appropriate for multi-value config variables.
Forbid absolute/relative paths for certificate and key files.
Get rid of last remnants of left/right naming.
Factor invariant code paths.
Drop redundant secrets.rsa.filename section.
Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).
Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.
Running charon directly from procd via the init.d script avoid
all of this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
chacha20policy1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Kevin Locke