r644 | mgrooms | 2009-11-15 18:20:04 +0000 (Sun, 15 Nov 2009) | 1 line

Branch for 2.1.5 release.

r643 | mgrooms | 2009-11-15 18:14:18 +0000 (Sun, 15 Nov 2009) | 2 lines

Update the version to 2009 and the release to 2.1.5.

r641 | mgrooms | 2009-11-15 18:11:17 +0000 (Sun, 15 Nov 2009) | 2 lines

Modify some iked state flag definitions. Some 32-bit values were being
defined using 9 hex digits instead of 8.

r639 | mgrooms | 2009-10-01 05:26:19 +0000 (Thu, 01 Oct 2009) | 3 lines

Add support to iked for the XAuth RADIUS CHAP authentication method. The
use of CHAP vs generic authentication is determined automatically by
examining the XAuth authentication type. This also includes a workaround
for an issue with CHAP and Adtran gateways.

Add support to iked for the XAuth Passcode attribute. This change has
been reported to fix external user authentication with Juniper gateways.

r637 | mgrooms | 2009-09-03 05:05:37 +0000 (Thu, 03 Sep 2009) | 1 line

Modify iked to only send the XAuth status attribute in the result
response when our gateway identifies itself as Checkpoint compatible.
This corrects a regression that prevented negotiations from succeeding
with Adtran devices.

r635 | mgrooms | 2009-08-19 06:14:49 +0000 (Wed, 19 Aug 2009) | 1 line

Correct an issue in iked that caused the remote identity value to be
compared to nothing when it should have been ignored. This was causing
many imported PCF site configurations to fail negotiations.

r633 | mgrooms | 2009-08-19 06:08:58 +0000 (Wed, 19 Aug 2009) | 2 lines

Fix a few bugs related to pcf import on unix platforms. Ignore any
leading exclamation marks for pcf file lines. This is intended to denote
the data should be read-only after import but we currently have no way
to enforce this. Use a default value of auto for phase2 PFS.

r631 | mgrooms | 2009-07-13 04:25:51 +0000 (Mon, 13 Jul 2009) | 7 lines

Correct a regression in iked that caused negotiations with Checkpoint
VPN-1 gateways to fail.

Rework a few functions that are used to support RSA based certificate
authentication. When a gateway sends more than one certificate during
phase1, we need to determine which certificate is the leaf certificate
being used to generate the signature for authentication. It would be
good if we could just match the remote ID to the subject name in the
certificate, but many gateways support non-ASN.1 DN based identities with
certificate authentication. Instead, we attempt to build a certificate
chain by examining the certificate list sent. We search for a
certificate that was not used to sign any other received certificate and
use its public key to perform authentication. This method was tested
with several Cisco, Checkpoint and ipsec-tools gateways. Many thanks to
Daniel Sabanes Bove who identified and reported this and other issues.

Correct a potential buffer overflow issue related to extracting a human
readable RSA key subject used in debug level output.

Increase the maximum packet length from 4k to 8k. This is necessary to
support large certificate chains.

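
The leaf-selection rule described in this entry (pick the received certificate that signed no other received certificate), as an added illustration that is not iked's own code. The Cert type, the key-identifier fields and the sample chain are constructed for the example, and name/key-id matching stands in for the real signature verification the daemon would perform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate holding only the
    fields the chain-building step needs. key_id plays the role of the
    subject key identifier, auth_key_id that of the authority key id."""
    subject: str
    issuer: str
    key_id: str
    auth_key_id: str


def signed_by(child: Cert, parent: Cert) -> bool:
    """Did `parent` issue `child`? A real implementation verifies the
    child's signature with the parent's public key; here the issuer name
    plus key-id link models that check (modelling assumption)."""
    return child.issuer == parent.subject and child.auth_key_id == parent.key_id


def find_leaf(received: list[Cert]) -> Cert:
    """Pick the end-entity certificate out of an unordered phase 1
    certificate list: the one that signed no *other* received certificate.
    Self-signatures are ignored, so a lone self-signed cert still qualifies.
    Zero or more than one candidate means the list is unusable, so refuse
    rather than guess which public key to authenticate against."""
    candidates = []
    for cert in received:
        signs_another = any(
            other is not cert and signed_by(other, cert) for other in received
        )
        if not signs_another:
            candidates.append(cert)
    if len(candidates) != 1:
        raise ValueError(f"cannot identify leaf: {len(candidates)} candidates")
    return candidates[0]


# Constructed sample: a three-level chain delivered in gateway-chosen order.
ROOT = Cert("CN=Example Root", "CN=Example Root", "k-root", "k-root")
INTER = Cert("CN=Example CA", "CN=Example Root", "k-ca", "k-root")
LEAF = Cert("CN=vpn.example.test", "CN=Example CA", "k-leaf", "k-ca")

if __name__ == "__main__":
    print(find_leaf([INTER, ROOT, LEAF]).subject)
```
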
r629 | mgrooms | 2009-07-11 16:37:25 +0000 (Sat, 11 Jul 2009) | 2 lines

Correct a typo in the Unix Access Manager application that prevented the
Cisco hybrid group authentication from working correctly. Also, commit a
few changes that were missed in a previous commit that prevented the
remote ID any keyword from being accepted.

r628 | mgrooms | 2009-06-29 06:24:35 +0000 (Mon, 29 Jun 2009) | 2 lines

Add a missing library dependency for the unix ikec build.

r627 | mgrooms | 2009-06-29 02:14:34 +0000 (Mon, 29 Jun 2009) | 6 lines

Add support to unix gui components for importing cisco PCF files. For
PSK based modes, this is a one step process. For RSA based modes, the
certificate info must be assigned manually in a second step. Cisco PCF
files don't contain certificate data so this cannot be automated.

Modify unix gui to support a new option that allows any remote id and
value to be accepted. Although this option should generally be avoided,
it was added to help the Cisco PCF import process as they rarely contain
remote ID information.

Modify unix gui to support non-address identity types in main mode.
Although this option has been requested several times, it technically
violates RFCs so I have been reluctant to add it. Now that it is an
option, we warn the user when appropriate.

r626 | mgrooms | 2009-06-29 01:31:44 +0000 (Mon, 29 Jun 2009) | 2 lines

Correct the bison 2.3 compile. When correcting the bison 2.4 compile, a
last minute change in head branch was not replicated to the 2.1 branch
before the commit.

r623 | mgrooms | 2009-06-28 23:06:53 +0000 (Sun, 28 Jun 2009) | 4 lines

Add support for encoding and decoding hex values to the libidb BDATA
class. This was required to support cisco PCF import.

Modify iked to optionally bypass remote id checking. This was added to
support the 'Any' remote ID site configuration option.

r622 | mgrooms | 2009-05-02 08:16:20 +0000 (Sat, 02 May 2009) | 2 lines

Cleanup the include statements and forward definitions for files related
to the bison-generated configuration parser. We now compile cleanly using
bison version 2.4.x.

r620 | mgrooms | 2009-04-29 05:58:13 +0000 (Wed, 29 Apr 2009) | 2 lines

Add the Unix UI support for Cisco Hybrid Authentication.

r618 | mgrooms | 2009-04-29 05:18:24 +0000 (Wed, 29 Apr 2009) | 1 line

Add support for the Cisco Hybrid authentication mode. This is a variant
of the draft standard Hybrid authentication mode but augments it by
sending the group name as a key identifier identity and an additional
password hash notification payload. Support for this would have taken
much longer if this had not already been worked out by the good folks
over at the vpnc project.

r615 | mgrooms | 2009-04-26 20:18:26 +0000 (Sun, 26 Apr 2009) | 2 lines

Modify the iked unix resolv.conf writer to be more intelligent. When a
resolv.conf option does not exist, inherit the option from the current
system resolv.conf file.

r613 | mgrooms | 2009-04-11 19:02:29 +0000 (Sat, 11 Apr 2009) | 1 line

Revert the Cisco Unity version number sent in our vendor ID. The
ipsec-tools racoon daemon only understands a single version so using
another version breaks compatibility. This problem was reported by
Tai-hwa Liang.

r610 | mgrooms | 2009-02-12 01:59:40 +0000 (Thu, 12 Feb 2009) | 1 line

Correct a bug in iked where the generic exchange handle resend event was
not being initialized properly. This caused the tunnel to hang under a
failure condition under some rare circumstances.

r606 | mgrooms | 2009-02-04 05:10:21 +0000 (Wed, 04 Feb 2009) | 2 lines

Cleanup some faulty NAT-T port value handling in iked. Instead of
blindly assigning the remote NAT-T port value to the local socket
address, look up the value instead. This should avoid issues when the
remote NAT-T port does not match the local NAT-T port.

r604 | mgrooms | 2009-01-29 04:20:41 +0000 (Thu, 29 Jan 2009) | 2 lines

Update the libip route code for Linux to not include the RTM_TABLE
definition. This was only for debugging purposes and it appears to not
be defined in newer versions of the Linux netlink headers.

r597 | mgrooms | 2008-11-28 05:17:58 +0000 (Fri, 28 Nov 2008) | 1 line

Use the localtime_s function instead of the localtime function in liblog
on windows platforms. This is mostly just to silence the compiler warning.

r595 | mgrooms | 2008-11-28 05:07:40 +0000 (Fri, 28 Nov 2008) | 4 lines

Silence some build warnings that occur with newer versions of gcc.

Add some statements to the main CMakeLists file. These are required by
newer versions of cmake or build warnings are displayed.

r593 | mgrooms | 2008-11-28 04:18:53 +0000 (Fri, 28 Nov 2008) | 1 line

Add support to iked for multiple certificate request payloads. Right now
we can only deal with X.509 certificate types but a peer may send
multiple certificate requests that specify unique certificate types. We
now store these requests in a list for inspection. Thanks to Mark
Seamans and Jay Pfeifer for identifying the problem and testing these
changes with strongSwan.