Support for configuring EAP-TLS authentication scheme is added.
Similar to EAP-MSCHAPv2, this one is usually asymmetric
in the way that server auth method (pubkey) is different from
the client auth method (eap-tls).
The code handles this asymmetry automatically.
Signed-off-by: Torbjorn Tyridal <torbjorn@tyridal.no>
Before:
checking for python... /myworkingdir/build/staging_dir/host/bin/python
checking for python version... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for python platform... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for GNU default python prefix... ${prefix}
checking for GNU default python exec_prefix... ${exec_prefix}
checking for python script directory (pythondir)... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
checking for python extension module directory (pyexecdir)... xcode-select: Failed to locate 'python', requesting installation of command line developer tools.
After:
checking for python version... 3.11
checking for python platform... darwin
checking for GNU default python prefix... ${prefix}
checking for GNU default python exec_prefix... ${exec_prefix}
checking for python script directory (pythondir)... ${PYTHON_PREFIX}/lib/python3.11/site-packages
checking for python extension module directory (pyexecdir)... ${PYTHON_EXEC_PREFIX}/lib/python3.11/site-packages
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This symbol is an enum defined both in wolfssl and strongswan. This
creates a clash in C's flat namespace. A workaround is to redefine it
when we include wolfssl headers, but really one of the other should
pick a better name.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
UCI plugin in strongswan has been broken for years, and now its causing
strongswan to fail compilation.
So, instead of the whole strongswan package to be failing and missing from
feeds simply make UCI plug depend on @BROKEN.
Signed-off-by: Robert Marko <robimarko@gmail.com>
After reinstalling the packages with the preserved configuration files
after a sysupgrade, the reinstalled package config files overwrite what
is on disk rather than being placed as conf-opkg. Defining these config
files will preserve them appropriately.
Signed-off-by: Joel Low <joel@joelsplace.sg>
$overtime has been used since swanctl.init was added in f9d91f1f47.
However, there's no need for it to be global. Make it local like the
other config variables to avoid polluting the global namespace and make
the code easier to reason about.
Fixes: f9d91f1f47 ("strongswan: migrate to swanctl configs")
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
When support for send_cert was added in 4b9453b9a4, the $send_cert
variable was inadvertently global. Make it local to avoid polluting the
global namespace and make the code easier to reason about.
Fixes: 4b9453b9a4 ("strongswan: Add support for send_cert option")
Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Support for EAP-MSCHAPv2 authentication scheme is added.
Different from the previously supported schemes, this one is
usually asymmetric in the way that server auth method (pubkey) is
different from the client auth method (eap-mschapv2).
The code handles this asymmetry automatically.
A new UCI config section mschapv2_secrets is added where the user
can specify the EAP identities and their passwords that are
accepted by the server. AFAIK, there is no way to select which
EAP IDs should be accepted by which remote, except setting
`eap_id` to something different than `%any`. But `eap_id`
does not support template matching, so either only a single
identity or all can be configured for one remote. This is why
the EAP identities are not subsections of remotes, but are
a standalone section.
Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>
Before this commit, if a user configures multiple remotes in UCI,
each remote generates one output section of pools.
This doesn't hurt because swanctl just merges all of them,
but it is apparently not needed to have N copies of the same.
This commit changes the behavior to only create one pools
section at the end of the generated swanctl config.
Signed-off-by: Martin Pecka <peci1@seznam.cz>
Signed-off-by: Martin Pecka <peckama2@fel.cvut.cz>
Without it, using uci to manipulate ipsec config can result in errors,
making it much difficult to use in uci-defaults for example.
Signed-off-by: Glen Huang <me@glenhuang.com>
Fixes#20848
Add interface triggers if interfaces to listen to are specified in
`/etc/config/ipsec`. This fixes the "running with no instances" scenario
after rebooting a router.
Signed-off-by: Joel Low <joel@joelsplace.sg>
This plugin acts as a proxy that dynamically selects an EAP method that is
supported/preferred by the client. If the original EAP method initiated by
the plugin is rejected with an EAP-NAK message, it will select a different
method that is supported/requested by the client.
For example it is possible to configure eap-tls as preferred
authentication method for your connection while still allow eap-mschapv2.
Signed-off-by: Tarvi Pillessaar <tarvip@gmail.com>
Without these charon will warn with messages like:
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Glen Huang <me@glenhuang.com>
Without nonce, charon won't start, so it's not an optional plugin. I
asked one of the strongSwan maintainers (ecdsa), and he confirmed this:
> It definitely has to be enabled unconditionally. The only other
> provider for the NONCE_GEN plugin feature is in charon-tkm, so
> completely irrelevant on OpenWrt
Signed-off-by: Glen Huang <me@glenhuang.com>
Yanase Yuki
Philip Prindeville
Torbjorn Tyridal
Josef Schlehofer
Kevin Locke
Robert Marko
Joel Low
Matt Eaton
Martin Pecka
Stephen Baker
Glen Huang
Tiago Gaspar
Tarvi Pillessaar
Stijn Tintel