peer_cfg_t *peer_cfg;
certificate_t *cert;
time_t not_before, not_after;
+ int num;
if (!this->socket->has_listeners(this->socket))
{
break;
case ALERT_LOCAL_AUTH_FAILED:
msg.type = htonl(ERROR_NOTIFY_LOCAL_AUTH_FAILED);
- snprintf(msg.str, sizeof(msg.str),
- "creating local authentication data failed");
+ snprintf(msg.str, sizeof(msg.str), "local authentication failed");
break;
case ALERT_PEER_AUTH_FAILED:
msg.type = htonl(ERROR_NOTIFY_PEER_AUTH_FAILED);
snprintf(msg.str, sizeof(msg.str), "peer authentication failed");
break;
+ case ALERT_PEER_ADDR_FAILED:
+ msg.type = htonl(ERROR_NOTIFY_PEER_ADDR_FAILED);
+ snprintf(msg.str, sizeof(msg.str), "failed to resolve peer address");
+ break;
+ case ALERT_PEER_INIT_UNREACHABLE:
+ msg.type = htonl(ERROR_NOTIFY_PEER_INIT_UNREACHABLE);
+ num = va_arg(args, int) + 1;
+ snprintf(msg.str, sizeof(msg.str), "peer did not respond to initial "
+ "message, try %d", num);
+ break;
+ case ALERT_INVALID_IKE_SPI:
+ msg.type = htonl(ERROR_NOTIFY_INVALID_IKE_SPI);
+ message = va_arg(args, message_t*);
+ snprintf(msg.str, sizeof(msg.str), "received IKE message with unknown "
+ "SPI from %#H", message->get_source(message));
+ break;
case ALERT_PARSE_ERROR_HEADER:
msg.type = htonl(ERROR_NOTIFY_PARSE_ERROR_HEADER);
message = va_arg(args, message_t*);
break;
case ALERT_RETRANSMIT_SEND:
msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND);
+ va_arg(args, packet_t*);
snprintf(msg.str, sizeof(msg.str), "IKE message retransmission "
"number %u", va_arg(args, u_int));
break;
+ case ALERT_RETRANSMIT_SEND_CLEARED:
+ msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_CLEARED);
+ snprintf(msg.str, sizeof(msg.str), "IKE response received after "
+ "retransmission");
+ break;
case ALERT_RETRANSMIT_SEND_TIMEOUT:
msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_SEND_TIMEOUT);
snprintf(msg.str, sizeof(msg.str),
"IKE message retransmission timed out");
break;
+ case ALERT_RETRANSMIT_RECEIVE:
+ msg.type = htonl(ERROR_NOTIFY_RETRANSMIT_RECEIVE);
+ message = va_arg(args, message_t*);
+ snprintf(msg.str, sizeof(msg.str), "received retransmit of request "
+ "with ID %d from %#H", message->get_message_id(message),
+ message->get_source(message));
+ break;
case ALERT_HALF_OPEN_TIMEOUT:
msg.type = htonl(ERROR_NOTIFY_HALF_OPEN_TIMEOUT);
snprintf(msg.str, sizeof(msg.str), "IKE_SA timed out before it "
snprintf(msg.str, sizeof(msg.str), "the received traffic selectors "
"did not match: %#R === %#R", list, list2);
break;
+ case ALERT_TS_NARROWED:
+ msg.type = htonl(ERROR_NOTIFY_TS_NARROWED);
+ num = va_arg(args, int);
+ list = va_arg(args, linked_list_t*);
+ snprintf(msg.str, sizeof(msg.str), "%s traffic selectors narrowed "
+ "to %#R", num ? "local" : "remote", list);
+ break;
case ALERT_INSTALL_CHILD_SA_FAILED:
msg.type = htonl(ERROR_NOTIFY_INSTALL_CHILD_SA_FAILED);
snprintf(msg.str, sizeof(msg.str), "installing IPsec SA failed");
snprintf(msg.str, sizeof(msg.str), "keep existing in favor of "
"rejected new IKE_SA due to uniqueness policy");
break;
+ case ALERT_KEEP_ON_CHILD_SA_FAILURE:
+ msg.type = htonl(ERROR_NOTIFY_KEEP_ON_CHILD_SA_FAILURE);
+ num = va_arg(args, int);
+ snprintf(msg.str, sizeof(msg.str), "keeping IKE_SA after failing to "
+ "establish %sCHILD_SA", num ? "first " : "");
+ break;
case ALERT_VIP_FAILURE:
msg.type = htonl(ERROR_NOTIFY_VIP_FAILURE);
list = va_arg(args, linked_list_t*);
snprintf(msg.str, sizeof(msg.str), "an authorization plugin "
"prevented establishment of an IKE_SA");
break;
+ case ALERT_IKE_SA_EXPIRED:
+ msg.type = htonl(ERROR_NOTIFY_IKE_SA_EXPIRED);
+ snprintf(msg.str, sizeof(msg.str), "IKE_SA expired without "
+ "replacement");
+ break;
case ALERT_CERT_EXPIRED:
msg.type = htonl(ERROR_NOTIFY_CERT_EXPIRED);
cert = va_arg(args, certificate_t*);
snprintf(msg.str, sizeof(msg.str), "certificate revoked: '%Y'",
cert->get_subject(cert));
break;
+ case ALERT_CERT_VALIDATION_FAILED:
+ msg.type = htonl(ERROR_NOTIFY_CERT_VALIDATION_FAILED);
+ cert = va_arg(args, certificate_t*);
+ snprintf(msg.str, sizeof(msg.str), "failed to validate certificate "
+ "status: '%Y'", cert->get_subject(cert));
+ break;
case ALERT_CERT_NO_ISSUER:
msg.type = htonl(ERROR_NOTIFY_NO_ISSUER_CERT);
cert = va_arg(args, certificate_t*);
snprintf(msg.str, sizeof(msg.str), "no trusted issuer certificate "
"found: '%Y'", cert->get_issuer(cert));
break;
- default:
+ case ALERT_CERT_UNTRUSTED_ROOT:
+ msg.type = htonl(ERROR_NOTIFY_UNTRUSTED_ROOT_CERT);
+ cert = va_arg(args, certificate_t*);
+ snprintf(msg.str, sizeof(msg.str), "self-signed issuer certificate "
+ "is not trusted: '%Y'", cert->get_issuer(cert));
+ break;
+ case ALERT_CERT_EXCEEDED_PATH_LEN:
+ msg.type = htonl(ERROR_NOTIFY_CERT_EXCEEDED_PATH_LEN);
+ cert = va_arg(args, certificate_t*);
+ snprintf(msg.str, sizeof(msg.str), "maximum path length in trust "
+ "chain exceeded: '%Y'", cert->get_issuer(cert));
+ break;
+ case ALERT_CERT_POLICY_VIOLATION:
+ msg.type = htonl(ERROR_NOTIFY_CERT_POLICY_VIOLATION);
+ cert = va_arg(args, certificate_t*);
+ snprintf(msg.str, sizeof(msg.str), "certificate rejected because of "
+ "policy violation: '%Y'", cert->get_issuer(cert));
+ break;
+ case ALERT_SHUTDOWN_SIGNAL:
return TRUE;
}