c91307af2622f6625525f3c1f9c954376df950ad | 26-Mar-2012 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: back-port 0.7.3 to Android. Lots of checks and features were added to ipsec-tools 0.8.0. However, they broke compatibility with existing VPN servers. I was unable to fix all of them in 0.8.0, so I chose to port 0.7.3 back with the new VPN types we added in the ICS release.
Bug: 6191668
Change-Id: I86a7218f7f5146d4a9b129d46c89839a82b0008f
/external/ipsec-tools/setup.c

e761171cf8053d42449f8a65aa33f716cbc53813 | 30-Dec-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: exit when the first phase 1 cannot be completed. This makes IPSec VPN fail fast instead of waiting for the timeout.
Change-Id: Ie14a1ff12cccf0447516d513761e4105c6641921
/external/ipsec-tools/setup.c

fdbd82ddd72c22e0ec446b1e30ab8a2146d7bdf6 | 07-Dec-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: add support for server certificates.
Bug: 5714397
Change-Id: Ia201254f6a9f32ddc575887a8e40c0aa7239ba61
/external/ipsec-tools/setup.c

2871f2f1bd4e22a5ac3a3d2b2c4fe0d581c3aa74 | 10-Aug-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: always create the inbound policy explicitly. Racoon automatically generates the inbound policy for transport mode. In tunnel mode, we have to create it ourselves. Otherwise the kernel will not handle the incoming packets correctly.
Change-Id: Id658e0e548ee104f667dd322056fd4698613d460
/external/ipsec-tools/setup.c

71076533ea2d32b0573b30b6f9507b88cd3a95f3 | 08-Aug-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: use aggressive mode when identifier is set.

From RFC 2409 section 5.4: When using pre-shared key authentication with Main Mode the key can only be identified by the IP address of the peers since HASH_I must be computed before the initiator has processed IDir. Aggressive Mode allows for a wider range of identifiers of the pre-shared secret to be used. In addition, Aggressive Mode allows two parties to maintain multiple, different pre-shared keys and identify the correct one for a particular exchange.

From draft-ietf-ipsec-isakmp-xauth-06 section 8: When using XAUTH with Pre-Shared keys, where the peer's IP address is dynamic, Main Mode SHOULD NOT be used, and is STRONGLY DISCOURAGED. In this particular scenario, the phase 1 authentication becomes suspect as the administrator has little choice but to use one single Shared-Key for all users, and group-shared keys are susceptible to social engineering attacks.

Change-Id: I2b414098ebb7624e4dc1be1416f746c523952d06
/external/ipsec-tools/setup.c

a9a07aca7cd1e611f2d73582f20623cd62b917ba | 20-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: slightly improve security. If racoon is running as a service, do not trust the script passed from the control socket.
Change-Id: I8e0115848cd4fa865d68452c9ecab20f6eac0921
/external/ipsec-tools/setup.c

dc6f5b944434891dabd1aed297676349b58cb893 | 15-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: fix a bug of modifying envp directly.
Change-Id: I739af06314245a99121704647521c311e79d2653
/external/ipsec-tools/setup.c

f82b8262b2f1f72a4361878acfa07161bed78f9a | 14-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: update parameters to provide more secure connections.
Change-Id: I6cd6e31810bfad16bc15b83ba49647fd96ba9794
/external/ipsec-tools/setup.c

cfc417e4c9268b46d71d2fe17aa9ad21bde23f39 | 13-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Do not run the phase1-up script more than once. Racoon executes phase1-up or phase1-down when phase 1 is established or destroyed. Combined with the use of mode-cfg, phase1-up generates the SPD policy and sets the internal network, and phase1-down reverts what phase1-up does. However, a new phase 1 may be established before the previous one is destroyed, so phase1-down may be executed after the new phase1-up, which makes it difficult to maintain the state. It can be solved in several ways, such as disabling phase 1 rekeying or carefully updating the internal network. The former limits the lifetime of a VPN connection, and the latter complicates the VPN on Android. We can also disable mode-cfg or skip the phase1-up script after the first phase 1 is established. It is hard to tell which one is the best. Just try one and see if we need to switch to another.
Change-Id: Icd010c3242b2f66651e1332f819fb5f274c9fc45
/external/ipsec-tools/setup.c

1070097bb11002f8b5e289982cee9e324ea2f153 | 13-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: create a TUN interface for internal network. Assume that the interface with the default route is eth0. There are at least three different ways to set up the internal network.
1. Set internal IP and routes with default gateway on eth0:1.
2. Add a host route on eth0. Set internal IP and direct routes on eth0:1.
3. Add a host route on eth0. Set internal IP and direct routes on tun0.
SPD is set to send all packets from the internal IP through the tunnel. Packets are encapsulated and the final destination is always the VPN server. The kernel will re-route the packets after re-writing them. In the first method, the kernel always gets the default gateway as all the routing rules are added with it. In the second method, internal routes do not need a gateway since packets will hit the host route after re-routing. The third method pushes even further since packets will never reach tun0. In Android, we use the third method for two reasons: easier to clean up and monitor. The first method has the advantage of not using a host route. However, it cannot be cleaned up by simply shutting down eth0:1 because routing rules might stay. The other methods do not have this problem. They need to handle the host route, but that is much easier. When racoon dies, tun0 goes away and posts a netlink event, but eth0:1 does not. Therefore, the third method is much easier to monitor since it gives us the same behavior as other VPN types.
Change-Id: I0a6eeef471b5a64de39a907f4f4428e86c0b2484
/external/ipsec-tools/setup.c

e4b124759603438394e1cc42734d8a6388a3a7e4 | 13-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: generate policy when phase 1 is up.
Change-Id: Ieb9c571324a2a11f9d2d729b0f7623eff54ee3f5
/external/ipsec-tools/setup.c

b0d8f175b6317669d3b43b7032b1c3aadb65c524 | 13-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: flush SPD and SAD for tunnel mode. In tunnel mode, policies in SPD and SAD have different addresses. The one in SPD has the internal address from mode-cfg, and those in SAD bind the interface address and the remote address. Thus we need to use the internal address and the remote address to filter SPD and SAD. This fix also renames myaddrs to sources.
Change-Id: I39995ed8e94d355866fd0c95cd939bad8150a0bf
/external/ipsec-tools/setup.c

0ed32716f2689c53fe9884c1fa0f917acb9f113f | 12-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: revise log messages and reorder some functions.
Change-Id: If5dfb1bbf949982418115b90c2390e9608daf04d
/external/ipsec-tools/setup.c

dbbbd5f297294b2b1ff02b8fd578c8c677879a19 | 12-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Add arguments for XAUTH.
Change-Id: I26ee73fac600864aaf50dfbfe98588a84e5f0819
/external/ipsec-tools/setup.c

03177458c167f55b5289d738aae210a64b87e92d | 07-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
Merge "ipsec-tools: enable DPD and XAUTH."

514ffe2b8b4236d53f584fcd8382dd65bc4df532 | 07-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: enable DPD and XAUTH. Also silences tons of compile warnings.
Change-Id: Ia670102b40d6a46a17de5c413a9e444bd26be136
/external/ipsec-tools/setup.c

8f3b38855d8849959825acc45dd11144adc7d862 | 07-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: use pname instead of lcconf->chroot for the android magic.
Change-Id: Id62ce8de798389d9a6504d436a15317a4127ffb8
/external/ipsec-tools/setup.c

fd76ec530c3f9cd0b9cc03501d02b6cb3ba705ed | 07-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Use getpathname() to get the right path.
Change-Id: I169b0ea84113234875c9c0be436384365f95dd89
/external/ipsec-tools/setup.c

e9fc376dc7e9ee22358b872c3eb2808fa42160f0 | 07-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Support IPSec RSA sessions again. This change supports command-line usage and the Android service at the same time. It also removes the access to the native keystore.
Change-Id: Ia3d931b0ba8f83624d668de97c9dfc10280bef3b
/external/ipsec-tools/setup.c

f8a6a7636d53a5730c58ae041e4e09ae12e1657c | 05-Jul-2011 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Update to 0.8.0. This change updates ipsec-tools to 0.8.0. However, a quick test reveals a regression in IPSec PSK sessions. The server rejects the first packet of the phase 2 negotiation with an INVALID-ID-INFORMATION error. After testing files one by one, it turns out that using the old ipsec_doi.c fixes the problem. Then the next error shows that the identity check fails. This can be fixed by marking a few lines in isakmp_quick.c just like 0.7.3. This change adds ipsec_doi-0.7.3.c as a temporary fix. I will come back and see if I can find the real problem. IPSec RSA sessions will be covered in the next change.
Change-Id: I48f0026c3be07f506b3901b59202081bf88f41c9
/external/ipsec-tools/setup.c

3473d8ebd2f370edcc83c7455c76cf3b2daef4ae | 31-May-2011 | Chia-chi Yeh <chiachi@android.com>
Only remove entries to the VPN server on exit. We might have other IPSec users, and flushing everything causes problems.
Bug: 4171459
Change-Id: Icebd4a04f9b88890ac1cfd587673fcf906a00aa5
/external/ipsec-tools/setup.c

f5d0d0919f6c0b82611c1f8ad0cb6023a78b6ce0 | 30-Sep-2010 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Use IDTYPE_ASN1DN for certificate-based IPSec tunnels.
Change-Id: I589c18af8095a4461ef9cc52489a2d0864872762
/external/ipsec-tools/setup.c

9d271b685df5830e92a789119fe9b908da2f6c78 | 30-Jul-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Minor performance tuning.
/external/ipsec-tools/setup.c

c454954382b81262dc81ac54e147f4dc7fc0af75 | 22-Jul-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Some fixes for rekeying. Bind sockets to the proper interface in order to avoid using host routes. Rewrite a part of sockmisc.c to work around the ipi_ifindex bug in the Linux kernel. Enable policy generation when responding to phase 2 negotiation. Reduce the executable size by about 4KB by simplifying some functions.
/external/ipsec-tools/setup.c

4754a116408a7ad661bb573f6ecc8ff3d83bf6d9 | 16-Jul-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Fix a compile warning.
/external/ipsec-tools/setup.c

7197eb77ef21feeedc5a47de31ded3a19c2af021 | 13-Jul-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Find local address automatically.
/external/ipsec-tools/setup.c

bd5fa3c99638830d3fa1ae5b4fc4988de5ee0f4d | 07-Jul-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Get pre-shared key from keystore after setuid(AID_VPN).
/external/ipsec-tools/setup.c

837a1c77bab77bd62cccb33a15163a962f8dfb97 | 26-Jun-2009 | Chia-chi Yeh <chiachi@android.com>
ipsec-tools: Make racoon an easy-to-use command line tool and reduce its size. The original executable is ~350KB and now it is ~160KB. Removing debug messages saves about 20KB. The rest comes mainly from removing lex/yacc generated code, which was used to parse configuration files.
/external/ipsec-tools/setup.c