child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue as the 'fwd' policy
uses the 'in' mark will not match outbound traffic.
trap-manager: Don't require that remote is resolvable during installation
Initiation might later fail, of course, but we don't really
require an IP address when installing, that is, unless the remote
traffic selector is dynamic. As that would result in installing a
0.0.0.0/0 remote TS which is not ideal when a single IP is expected as
remote.
Tobias Brunner [Mon, 7 Aug 2017 08:46:45 +0000 (10:46 +0200)]
Merge commit 'child-sa-rekey-tkm'
This fixes CHILD_SA rekeying with TKM and changes how we switch to the
outbound IPsec SA with Netlink/XFRM (using SPIs on the outbound policy
instead of installing the outbound SA delayed).
For charon-tkm it changes when esa_select() and esa_reset() are called,
now with the outbound policy and the inbound SA, respectively, instead
of the outbound SA in both cases.
Also fixed is a potential traffic loss when a rekey collision is lost.
Tobias Brunner [Fri, 4 Aug 2017 12:02:42 +0000 (14:02 +0200)]
charon-tkm: Call esa_reset() when the inbound SA is deleted
After a rekeying the outbound SA and policy is deleted immediately, however,
the inbound SA is not removed until a few seconds later, so delayed packets
can still be processed.
This adds a flag to get_esa_id() that specifies the location of the
given SPI.
Tobias Brunner [Fri, 4 Aug 2017 11:12:57 +0000 (13:12 +0200)]
child-rekey: Don't install outbound SA in case of lost collisions
This splits the SA installation also on the initiator, so we can avoid
installing the outbound SA if we lost a rekey collision, which might
have caused traffic loss depending on the timing of the DELETEs that are
sent in both directions.
charon-tkm: Don't select new outbound SA until the policy is installed
This tries to avoid packet loss during rekeying by delaying the usage of
the new outbound IKE_SA until the old one is deleted.
Note that esa_select() is a no-op in the current TKM implementation. And
the implementation also doesn't benefit from the delayed deletion of the
inbound SA as it calls esa_reset() when the outbound SA is deleted.
peer-cfg: Use an rwlock instead of a mutex to safely access child-cfgs
If multiple threads want to enumerate child-cfgs and potentially lock
other locks (e.g. check out IKE_SAs) while doing so a deadlock could
be caused (as was the case with VICI configs with start_action=start).
It should also improve performance for roadwarrior connections and lots
of clients connecting concurrently.
error-notify: Don't stop sending notifies after removing a disconnected listener
This prevented new listeners from receiving notifies if they joined
after another listener disconnected previously, and if they themselves
disconnected their old connection would prevent them again from getting
notifies.
Multiple CHILD_SAs sharing the same traffic selectors (e.g. during
make-before-break reauthentication) also have the same reqid assigned.
If all matching entries are removed we could end up without entry even
though an SA exists that still uses these traffic selectors.
Tobias Brunner [Tue, 20 Jun 2017 10:01:24 +0000 (12:01 +0200)]
ike: Trigger CHILD_INSTALLED state change after corresponding log message
This way we get the log message in stroke and swanctl as last message
when establishing a connection. It's already like this for the IKE_SA
where IKE_ESTABLISHED is set after the corresponding log message.
Andreas Steffen [Sat, 8 Jul 2017 21:21:56 +0000 (23:21 +0200)]
Version bump to 5.6.0dr1
This major version includes the new SWIMA IMC/IMV pair which
implements the "draft-ietf-sacm-nea-swima-patnc" Internet Draft.
Full compliance to the ISO 19770-2:2015 SWID tag standard has
been achieved.
Tobias Brunner [Thu, 15 Jun 2017 12:36:40 +0000 (14:36 +0200)]
pki: Load pubkey plugin to print public keys
Since 3317d0e77b1a the public keys are printed via certificate printer,
but that only works if the public key is actually wrapped, which
requires the pubkey plugin.
Fixes: 3317d0e77b1a ("Standardized printing of certificate information")
Tobias Brunner [Tue, 16 May 2017 15:34:02 +0000 (17:34 +0200)]
eap-aka-3gpp: Add plugin that implements 3GPP MILENAGE algorithm in software
This is similar to the eap-aka-3gpp2 plugin. K (optionally concatenated
with OPc) may be configured as binary EAP secret in ipsec.secrets or
swanctl.conf.