Add iked connection statistics for successful and failed connections, common
error types and other events that help analyze errors in larger setups.
The counters can be printed with 'ikectl show stats'.

ok bluhm@ patrick@
from and ok markus@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.

Requested by and ok reyk@

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

spacing

allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.

Allow to show certificate details (show ca x cert [y]).

Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.

- add a -q (quiet) command line option that will be used by ikeca to
set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also
make it scriptable.
- allow to create certificates for clientAuth or serverAuth only
(eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.

ok phessler@

Add a ca export command for EAP mode where we only require the CA cert,
and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output. Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't
recreate private keys if a key already exists.

ok reyk@

Add a command to revoke a certificate and generate a CRL;
make the ca install command install the CRL as well.

discussed with reyk@

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl show certinfo' to show trusted CAs and certificates.
This helps debug authentication issues with x509 certificates.

ok markus@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.

Requested by and ok reyk@

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

spacing

allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.

Allow to show certificate details (show ca x cert [y]).

Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.

- add a -q (quiet) command line option that will be used by ikeca to
set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also
make it scriptable.
- allow to create certificates for clientAuth or serverAuth only
(eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.

ok phessler@

Add a ca export command for EAP mode where we only require the CA cert,
and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output. Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't
recreate private keys if a key already exists.

ok reyk@

Add a command to revoke a certificate and generate a CRL;
make the ca install command install the CRL as well.

discussed with reyk@

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl show sa' command to print information about the state of
negotiated IKE SAs, their Child SAs and resulting IPsec flows.

ok patrick@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.

Requested by and ok reyk@

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

spacing

allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.

Allow to show certificate details (show ca x cert [y]).

Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.

- add a -q (quiet) command line option that will be used by ikeca to
set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also
make it scriptable.
- allow to create certificates for clientAuth or serverAuth only
(eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.

ok phessler@

Add a ca export command for EAP mode where we only require the CA cert,
and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output. Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't
recreate private keys if a key already exists.

ok reyk@

Add a command to revoke a certificate and generate a CRL;
make the ca install command install the CRL as well.

discussed with reyk@

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Add 'ikectl reset id <ID>' command to reset all SAs from policies with
matching destination ID.

ok patrick@ markus@

Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.

Requested by and ok reyk@

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

spacing

allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.

Allow to show certificate details (show ca x cert [y]).

Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.

- add a -q (quiet) command line option that will be used by ikeca to
set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also
make it scriptable.
- allow to create certificates for clientAuth or serverAuth only
(eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.

ok phessler@

Add a ca export command for EAP mode where we only require the CA cert,
and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output. Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't
recreate private keys if a key already exists.

ok reyk@

Add a command to revoke a certificate and generate a CRL;
make the ca install command install the CRL as well.

discussed with reyk@

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@

Accept an ocsp option when creating certificates to set the extended
key usage for OCSP signing.

Requested by and ok reyk@

Use "compliant" header guards by avoiding the reserved '_' namespace.

Pointed out by Markus Elfring

OK mikeb@ millert@

Remove private CVS tag from an obsolete repository and bump copyright
to 2013 while I'm here... this is my way of saying "happy new year!".

update email addresses to match reality.
sure jsg@ mikeb@

spacing

allow optional paths for the install commands so we can
install into the isakmpd directory hierarchy for example.

Allow to show certificate details (show ca x cert [y]).

Allow to specify the export password on the command line (optionally, for
scripting). The "peer" argument now needs to be preceded with the "peer"
keyword, eg. ... export peer 10.1.1.1 instead of export 10.1.1.1.

- add a -q (quiet) command line option that will be used by ikeca to
set openssl batch mode: don't ask for x509 options, use the defaults.
- allow to specify the initial ca password on the command line to also
make it scriptable.
- allow to create certificates for clientAuth or serverAuth only
(eg. ikectl ca foo certificate bar server).
- cosmetics: move double declarations of ca_*() functions to parser.h.

ok phessler@

Add a ca export command for EAP mode where we only require the CA cert,
and make both export commands optionally take an argument that will be
added to a peer.txt file in the exported output. Additionally
include any site specific notes from /usr/share/iked if present.

man page bits and help with the parser from reyk

Add commands to create/delete/install/import keys without
involving certificates as suggested by reyk and don't
recreate private keys if a key already exists.

ok reyk@

Add a command to revoke a certificate and generate a CRL;
make the ca install command install the CRL as well.

discussed with reyk@

add new commands: the couple/decouple commands will set loading of the
learned flows and SAs to the kernel which is useful for testing and
debugging. the active/passive commands are required to use iked
with sasyncd(8); sasyncd just needs to call "ikectl active/passive" or
send the appropriate imsg to support iked but this is not implemented yet.

Import iked, a new implementation of the IKEv2 protocol.

iked(8) is an automatic keying daemon for IPsec, like isakmpd(8), that
IPsec creates flows and SAs automatically. Unlike isakmpd, iked(8)
implements the newer IKEv2 protocol instead of IKEv1/ISAKMP. The
daemon is still work-in-progress and not enabled in the builds, but is
already able to establish IKEv2 sessions with some other IKEv2
implementations as a responder.

with lots of help and debugging by jsg@
ok deraadt@