#
1.18 |
|
19-Sep-2022 |
tobhe |
Add iked connection statistics for successful and failed connections, common error types and other events that help analyze errors in larger setups. The counters can be printed with 'ikectl show stats'.
ok bluhm@ patrick@ from and ok markus@
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.17 |
|
21-Nov-2021 |
tobhe |
Add 'ikectl show certinfo' to show trusted CAs and certificates. This helps debug authentication issues with x509 certificates.
ok markus@
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
|
#
1.16 |
|
22-Mar-2020 |
tobhe |
Add 'ikectl show sa' command to print information about the state of negotiated IKE SAs, their Child SAs and resulting IPsec flows.
ok patrick@
|
#
1.15 |
|
18-Mar-2020 |
tobhe |
Add 'ikectl reset id <ID>' command to reset all SAs from policies with matching destination ID.
ok patrick@ markus@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE
|
#
1.14 |
|
02-Nov-2015 |
jsg |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.13 |
|
11-Jun-2015 |
reyk |
Use "compliant" header guards by avoiding the reserved '_' namespace.
Pointed out by Markus Elfring
OK mikeb@ millert@
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE
|
#
1.12 |
|
08-Jan-2013 |
reyk |
Remove private CVS tag from an obsolete repository and bump copyright to 2013 while I'm here... this is my way of saying "happy new year!".
|
#
1.11 |
|
18-Sep-2012 |
reyk |
update email addresses to match reality. sure jsg@ mikeb@
|
Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
|
#
1.10 |
|
27-May-2011 |
reyk |
spacing
|
Revision tags: OPENBSD_4_9_BASE
|
#
1.9 |
|
08-Oct-2010 |
jsg |
allow optional paths for the install commands so we can install into the isakmpd directory hierarchy for example.
|
#
1.8 |
|
08-Oct-2010 |
reyk |
Allow to show certificate details (show ca x cert [y]).
|
#
1.7 |
|
07-Oct-2010 |
reyk |
Allow to specify the export password on the command line (optionally, for scripting). The "peer" argument now needs to be preceded with the "peer" keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.
|
#
1.6 |
|
07-Oct-2010 |
reyk |
- add a -q (quiet) command line option that will be used by ikeca to set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also make it scriptable.
- allow to create certificates for clientAuth or serverAuth only (eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.
ok phessler@
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.5 |
|
23-Jun-2010 |
jsg |
Add a ca export command for EAP mode where we only require the CA cert, and make both export commands optionally take an argument that will be added to a peer.txt file in the exported output. Additionally include any site specific notes from /usr/share/iked if present.
man page bits and help with the parser from reyk
|
#
1.4 |
|
14-Jun-2010 |
jsg |
Add commands to create/delete/install/import keys without involving certificates as suggested by reyk and don't recreate private keys if a key already exists.
ok reyk@
|
#
1.3 |
|
10-Jun-2010 |
jsg |
Add a command to revoke a certificate and generate a CRL; make the ca install command install the CRL as well.
discussed with reyk@
|
#
1.2 |
|
10-Jun-2010 |
reyk |
add new commands: the couple/decouple commands will set loading of the learned flows and SAs to the kernel which is useful for testing and debugging. the active/passive commands are required to use iked with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or send the appropriate imsg to support iked but this is not implemented yet.
|
#
1.1 |
|
03-Jun-2010 |
reyk |
Import iked, a new implementation of the IKEv2 protocol.
iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that creates IPsec flows and SAs automatically. Unlike isakmpd, iked(8) implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The daemon is still work-in-progress and not enabled in the builds, but is already able to establish IKEv2 sessions with some other IKEv2 implementations as a responder.
with lots of help and debugging by jsg@ ok deraadt@
|