charon-nm: Add support for custom server ports
index ca608b12fa980a6d18c36a1620fc8dc45cd8af4b..706e482a21700e649fc9a85adf6646090595360a 100644 (file)
@@ -447,6 +447,11 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                                        "Gateway address missing.");
                return FALSE;
        }
+       str = nm_setting_vpn_get_data_item(vpn, "server-port");
+       if (str && strlen(str))
+       {
+               ike.remote_port = settings_value_as_int((char*)str, ike.remote_port);
+       }
        str = nm_setting_vpn_get_data_item(vpn, "virtual");
        virtual = streq(str, "yes");
        str = nm_setting_vpn_get_data_item(vpn, "encap");
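Review bot: The value parsed from `server-port` goes straight into `ike.remote_port` without a range check, so a configured 0, a negative number or a value above 65535 is accepted and, if remote_port is a 16-bit field as I believe ike_cfg's is, silently truncated instead of rejected; settings_value_as_int() only falls back to the default when the string is not numeric at all. Suggest parsing into a local and failing the connection on an out-of-range value through the same error path used for "Gateway address missing." just above: `int port = settings_value_as_int((char*)str, ike.remote_port);` then `if (port < 1 || port > 65535) { /* report "Invalid server port." as above */ return FALSE; }` and finally `ike.remote_port = port;`. The `strlen(str)` test could also be written `*str`, though that is a matter of taste. connect_ begins and ends outside this hunk.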
@@ -492,14 +497,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                        return FALSE;
                }
                priv->creds->add_certificate(priv->creds, cert);
-
-               x509 = (x509_t*)cert;
-               if (!(x509->get_flags(x509) & X509_CA))
-               {       /* For a gateway certificate, we use the cert subject as identity. */
-                       gateway = cert->get_subject(cert);
-                       gateway = gateway->clone(gateway);
-                       DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
-               }
        }
        else
        {
@@ -507,16 +504,29 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
                                                                 lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
        }
-       if (!gateway)
+
+       str = nm_setting_vpn_get_data_item(vpn, "remote-identity");
+       if (str)
+       {
+               gateway = identification_create_from_string((char*)str);
+       }
+       else if (cert)
+       {
+               x509 = (x509_t*)cert;
+               if (!(x509->get_flags(x509) & X509_CA))
+               {       /* for server certificates, we use the subject as identity */
+                       gateway = cert->get_subject(cert);
+                       gateway = gateway->clone(gateway);
+               }
+       }
+       if (!gateway || gateway->get_type(gateway) == ID_ANY)
        {
-               /* If the user configured a CA certificate, we use the IP/DNS
-                * of the gateway as its identity. This identity will be used for
-                * certificate lookup and requires the configured IP/DNS to be
-                * included in the gateway certificate. */
+               /* if the user configured a CA certificate (or an invalid identity),
+                * we use the IP/hostname of the server */
                gateway = identification_create_from_string(ike.remote);
-               DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
                loose_gateway_id = TRUE;
        }
+       DBG1(DBG_CFG, "using gateway identity '%Y'", gateway);
 
        if (auth_class == AUTH_CLASS_EAP ||
                auth_class == AUTH_CLASS_PSK)
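Review bot: The `remote-identity` item is tested only for presence (`if (str)`), while the `server-port` item added earlier in this commit also requires a non-empty string; an empty `remote-identity` value therefore reaches identification_create_from_string(""), and whether that yields ID_ANY (triggering the fallback in the following check) or an empty identity that later fails to match the server certificate depends on the parser rather than on this code. Suggest `if (str && strlen(str))` at the remote-identity check so an empty value is treated as unset, consistent with the port handling. It would also help to state in the comment that a user-supplied identity is enforced strictly, since loose_gateway_id stays FALSE on that path, unlike the CA-only fallback: `/* a configured identity is matched strictly against the server certificate */`. connect_ begins and ends outside this hunk.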
@@ -561,7 +571,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                                return FALSE;
                        }
                }
-               /* ... or certificate/private key authenitcation */
+               /* ... or certificate/private key authentication */
                else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
                {
                        public_key_t *public;