1. 17 Sep, 2018 7 commits
  2. 07 Sep, 2018 1 commit
  3. 05 Sep, 2018 1 commit
  4. 01 Sep, 2018 1 commit
  5. 28 Aug, 2018 1 commit
  6. 27 Aug, 2018 1 commit
  7. 21 Aug, 2018 1 commit
  8. 13 Aug, 2018 1 commit
  9. 12 Aug, 2018 1 commit
  10. 10 Aug, 2018 14 commits
      all: expose IKEv2 mode in GUI · 6874028d
      Francesco Giudici authored
      Not all the single options will be available (yet), just expose a simple
      certificate-based IKEv2 template on the UI.
      utils: add "nm-configured=yes" in Libreswan configuration · 0a9d2285
      Francesco Giudici authored
      When writing Libreswan configuration, add the nm-configured parameter to
      let Libreswan know that NetworkManager is taking care of the connection.
      all: add support to the "left" libreswan option · c5b5c7a6
      Francesco Giudici authored
      Till now the value "%defaultroute" was always enforced. Let it be the
      default but allow also to specify a different one if needed.
      utils: add initial support to rsasigkeys and certificates · 392fd894
      Francesco Giudici authored
      Introduce support to the 'leftrsasigkey', 'rightrsasigkey' and
      'leftcert' libreswan options.
      The certificate or the RSA private key referenced in the options should
      be already installed in the NSS database in order to allow the plugin to
      connect successfully.
      utils: change the default crypto · b527765e
      Francesco Giudici authored
      When the esp and ike options were not specified, we forced
      ike=aes-sha1 and esp=aes-sha1;modp1024
      These ciphers today are quite a low security standard. In particular the
      DH group 2 (modp1024) has been downgraded to "SHOULD NOT" in RFC 8247 and
      will be completely removed from libreswan 3.26.
      So, we need to update the default crypto, even if it will affect existing
      connections.
      
      Let the default crypto be unspecified: this will allow libreswan to use
      as default many sets of crypto proposals, to be negotiated with the remote
      peer. Do this for IKEv2 and IKEv1 in main mode.
      An exception should be made for IKEv1 connections in aggressive mode:
      there the DH group in the crypto phase1 proposal must be just one; moreover
      a total of only 4 proposals may be specified.
      So, when IKEv1 aggressive mode is configured, use "ike=aes256-sha1;modp1536"
      and "esp=aes256-sha1", that should be accepted by all obsolete VPN SW/HW
      acting as a remote access VPN server and is supported in the forthcoming
      version of libreswan.
      utils: don't set defaults to ikelifetime/salifetime for IKEv2 · 4d0be63c
      Francesco Giudici authored
      The defaults we enforced for ikelifetime/salifetime when not specified
      were taken to match default IKEv1 Cisco VPN client configurations (or so
      I guess). Anyway, 24h is really a bad default from a security PoV. This
      does not make any sense for newer IKEv2 configurations: better to let
      Libreswan pick its own defaults (currently 1h).
      all: add support to more Libreswan options · ff914857
      Francesco Giudici authored
      Add support to the 'rightid', 'narrowing', 'rekey', 'fragmentation' and
      'mobike' Libreswan options.
      all: add support to IKEv2 · 8738470c
      Francesco Giudici authored
      Add the brand new option 'ikev2', which maps to the libreswan option of the
      same name. When the option is found and is set with a value that enables
      IKEv2, the option itself is passed as-is to libreswan while all the
      XAUTH options are skipped (they are still added when the configuration is
      IKEv1 based).
      The configuration passed to libreswan will be of type IRAC (IPsec Remote
      Access Client), enforcing CP mode. Anyway, no EAP method will be used as
      it is not yet available in libreswan.
      utils: change the order of the options passed to libreswan · 697b3c6b
      Francesco Giudici authored
      Group all the options related to XAUTH in the configuration passed to
      libreswan. This shouldn't cause any change in behavior.
      This change will make it easy to skip all XAUTH related configuration
      when enabling the IKEv2 support.
      IKEv2 support will be added in the following commit.
      utils: use 'phase2alg' instead of 'esp' in libreswan configuration · c4d1ee35
      Francesco Giudici authored
      'esp' was made obsolete 8 years ago: let's start to use the "new"
      'phase2alg' option.
      man: add man page for nm-settings-libreswan · 797e9d5e
      Francesco Giudici authored
      Document the available options for vpn.data and vpn.secrets for the
      NetworkManager-libreswan plugin.
      service/trivial: fix spacing · f49dcbaa
      Francesco Giudici authored
      751912fb
  11. 22 Jul, 2018 1 commit
  12. 28 Jun, 2018 1 commit
      all: fix IPsec capitalization · 8531a1f7
      Francesco Giudici authored
      "IPSec" was still present in very few places. Let us be coherent and
      always use the preferred "IPsec" capitalization.
      
      Quote from RFC 4301:
      'The spelling "IPsec" is preferred and used throughout this and all
      related IPsec standards.  All other capitalizations of IPsec (e.g.,
      IPSEC, IPSec, ipsec) are deprecated.'
  13. 21 Jun, 2018 2 commits
  14. 19 Jun, 2018 1 commit
  15. 11 Jun, 2018 3 commits
  16. 07 Jun, 2018 3 commits
      build: add GNOME GitLab CI configuration · 7db0ebfb
      Lubomir Rintel authored
      The pipeline begins with the "build" stage doing a distcheck on Fedora 28
      (which is still known to ship libnm-glib) and outputting a tarball
      artifact.
      
      The output is then used in the "test" stage.
      
      In future, builds on some older platforms, CentOS and Ubuntu and clang
      builds would be nice. Not implemented at this point, but it should be
      straightforward enough.
      
      Maybe a build with a Git snapshot of NetworkManager and/or
      network-manager-applet would be useful at some point, but that's not
      implemented either.
      build: find is required by libtool · f885a737
      Lubomir Rintel authored
      It's not necessarily present among the packages in a minimal
      installation (such as Fedora's docker image). Worse even, libtool just
      ends up not linking to some .la libraries.
      
      Don't assume it's there.
      build: file is required by configure · 254eee47
      Lubomir Rintel authored
      It's not necessarily present among the packages in a minimal
      installation (such as Fedora's docker image). Worse even, configure just
      ends up passing wrong linker flags on some architectures, without a word
      of complaint.
      
      Don't assume it's there.