Introduces a new priority class for policies, which allows us to install
passthrough policies with a strictly higher priority than IPsec
policies, which was not the case previously depending on the traffic
selectors.
Instead of using the first address we find on an interface we should
consider properties like an address' scope or whether it is temporary
or public.
Fixes#543.
Replaces the ipsec.conf parser in starter. The new parser is also based
on flex/bison but it simply returns key/value collections of all sections.
It already resolves also= and allows overriding options in all included
sections (not only %default), options set in included section can also
be cleared again (key=). It provides other improvements too, like quoted
strings (with escape sequences), unlimited includes and better
whitespace/comment handling.
Fixes#423.
Fixes#560.
The parser simply returns key/value pairs of all sections, it already
resolves also= and allows overriding options in all included sections
(not only %default), options set in included section can also be cleared
again (key=).
It provides other improvements too, like quoted strings (with escape
sequences), unlimited includes and better whitespace/comment handling.
As we later potentially use args again, we can't consume it with printf
functions without copying it first. Clone list before passing it to any
consuming function.
Fixes#621.
While the outbound SA actually does not need a replay window, the kernel rejects
zero replay windows on SAs using ESN. The ESN flag is required to use the full
sequence number in ICV calculation, hence we set the replay window.
This restores the behavior we had before 30c009c2.
Trying to disable replay windows using the ESN attribute fails with EINVAL.
Use non-ESN legacy format to disable replay windows, even if ESN has been
negotiated over IKE.
While there is no real security benefit of storing private keys encrypted if
the passphrase is stored along with it, there still seems to be demand for this
functionality. We add it for compatibility with ipsec.secrets, even if it is
not really recommended.
Introduces a connection specific replay_window option, overriding the global
charon.replay_window strongswan.conf option. Original patch courtesy of
Zheng Zhong and Christophe Gouault from 6Wind.
