.BR reqid " = <number>"
sets the reqid for a given connection to a pre-configured fixed value.
.TP
+.BR sha256_96 " = " no " | yes"
+HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
+with implementations that incorrectly use 96-bit truncation this option may be
+enabled to configure the shorter truncation length in the kernel. This is not
+negotiated, so this only works with peers that use the incorrect truncation
+length (or have this option enabled).
+.TP
.BR tfc " = <value>"
number of bytes to pad ESP payload data to. Traffic Flow Confidentiality
is currently supported in IKEv2 and applies to outgoing packets only. The
.options = (msg->add_conn.proxy_mode ? OPT_PROXY_MODE : 0) |
(msg->add_conn.ipcomp ? OPT_IPCOMP : 0) |
(msg->add_conn.me.hostaccess ? OPT_HOSTACCESS : 0) |
- (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES),
+ (msg->add_conn.install_policy ? 0 : OPT_NO_POLICIES) |
+ (msg->add_conn.sha256_96 ? OPT_SHA256_96 : 0),
.tfc = msg->add_conn.tfc,
.inactivity = msg->add_conn.inactivity,
.dpd_action = map_action(msg->add_conn.dpd.action),
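Review bot: The new `(msg->add_conn.sha256_96 ? OPT_SHA256_96 : 0)` term folds the truncation override into `options` with no comment that this is a non-negotiated, kernel-side deviation from the standard 128-bit HMAC-SHA-256 ICV, which the man page hunk explains but a reader of this initializer will not see. Because nothing is negotiated, a value mismatch with the peer surfaces as ESP integrity failures in the kernel rather than as an IKE error, and the flag is presumably a no-op when the selected ESP integrity algorithm is not HMAC-SHA-256; neither case is reported here. Suggest a one-line comment on the new term: `/* not negotiated: only interoperates with peers that also truncate HMAC-SHA-256 to 96 bits */`. The enclosing initializer starts before this hunk, so whether any consistency check against the ESP proposals exists elsewhere cannot be confirmed from here.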
DBG_OPT(" dpdtimeout=%d", msg->add_conn.dpd.timeout);
DBG_OPT(" dpdaction=%d", msg->add_conn.dpd.action);
DBG_OPT(" closeaction=%d", msg->add_conn.close_action);
+ DBG_OPT(" sha256_96=%s", msg->add_conn.sha256_96 ? "yes" : "no");
DBG_OPT(" mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
DBG_OPT(" mediated_by=%s", msg->add_conn.ikeme.mediated_by);
DBG_OPT(" me_peerid=%s", msg->add_conn.ikeme.peerid);
{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL },
{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action },
{ ARG_ENUM, offsetof(starter_conn_t, close_action), LST_dpd_action },
+ { ARG_ENUM, offsetof(starter_conn_t, sha256_96), LST_bool },
{ ARG_TIME, offsetof(starter_conn_t, inactivity), NULL },
{ ARG_MISC, 0, NULL /* KW_MODECONFIG */ },
{ ARG_MISC, 0, NULL /* KW_XAUTH */ },
dpd_action_t close_action;
+ bool sha256_96;
+
time_t inactivity;
bool me_mediation;
KW_DPDTIMEOUT,
KW_DPDACTION,
KW_CLOSEACTION,
+ KW_SHA256_96,
KW_INACTIVITY,
KW_MODECONFIG,
KW_XAUTH,
dpdtimeout, KW_DPDTIMEOUT
dpdaction, KW_DPDACTION
closeaction, KW_CLOSEACTION
+sha256_96, KW_SHA256_96
inactivity, KW_INACTIVITY
modeconfig, KW_MODECONFIG
xauth, KW_XAUTH
msg->add_conn.dpd.timeout = conn->dpd_timeout;
msg->add_conn.dpd.action = conn->dpd_action;
msg->add_conn.close_action = conn->close_action;
+ msg->add_conn.sha256_96 = conn->sha256_96;
msg->add_conn.inactivity = conn->inactivity;
msg->add_conn.ikeme.mediation = conn->me_mediation;
push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by);
} mark_in, mark_out;
stroke_end_t me, other;
uint32_t replay_window;
+ bool sha256_96;
} add_conn;
/* data for STR_ADD_CA */