parameter is present then the peer must be a member of at least one
of the groups defined by the parameter.
.TP
+.BR leftgroups2 " = <group list>"
+Same as
+.B leftgroups,
+but for the second authentication round defined with
+.B leftauth2.
+.TP
.BR lefthostaccess " = yes | " no
inserts a pair of INPUT and OUTPUT iptables rules using the default
\fBipsec _updown\fR script, thus allowing access to the host itself
{
identification_t *identity;
certificate_t *certificate;
- char *auth, *id, *pubkey, *cert, *ca;
+ char *auth, *id, *pubkey, *cert, *ca, *groups;
stroke_end_t *end, *other_end;
auth_cfg_t *cfg;
}
/* groups */
- if (end->groups)
+ groups = primary ? end->groups : end->groups2;
+ if (groups)
{
enumerator_t *enumerator;
char *group;
- enumerator = enumerator_create_token(end->groups, ",", " ");
+ enumerator = enumerator_create_token(groups, ",", " ");
while (enumerator->enumerate(enumerator, &group))
{
cfg->add(cfg, AUTH_RULE_GROUP,
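Review bot: The new selector `groups = primary ? end->groups : end->groups2;` means `leftgroups` no longer constrains the second authentication round at all, whereas the removed `if (end->groups)` applied the list to whichever round this function was building; that looks intended given the man page entry for leftgroups2, but the leftgroups entry itself still only says the peer must be a member of one of the listed groups, without saying it applies to the first round only. I would add a why-comment on the ternary, `/* group constraints are per round: leftgroups for the primary round, leftgroups2 for the second round only */`, and extend the leftgroups man page text accordingly so the changed scope is visible to operators. The enclosing function, where `primary` and `end` are assigned, starts outside the hunk.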
pop_string(msg, &end->ca);
pop_string(msg, &end->ca2);
pop_string(msg, &end->groups);
+ pop_string(msg, &end->groups2);
pop_string(msg, &end->cert_policy);
pop_string(msg, &end->updown);
DBG2(DBG_CFG, " %sca=%s", label, end->ca);
DBG2(DBG_CFG, " %sca2=%s", label, end->ca2);
DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
+ DBG2(DBG_CFG, " %sgroups2=%s", label, end->groups2);
DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
}
{ ARG_STR, offsetof(starter_end_t, ca), NULL },
{ ARG_STR, offsetof(starter_end_t, ca2), NULL },
{ ARG_STR, offsetof(starter_end_t, groups), NULL },
+ { ARG_STR, offsetof(starter_end_t, groups2), NULL },
{ ARG_MISC, 0, NULL /* KW_END_DEPRECATED */ },
};
char *ca;
char *ca2;
char *groups;
+ char *groups2;
char *cert_policy;
char *host;
u_int ikeport;
KW_CA,
KW_CA2,
KW_GROUPS,
+ KW_GROUPS2,
KW_END_DEPRECATED,
#define KW_END_FIRST KW_HOST
KW_LEFTCA,
KW_LEFTCA2,
KW_LEFTGROUPS,
+ KW_LEFTGROUPS2,
KW_LEFT_DEPRECATED,
#define KW_LEFT_FIRST KW_LEFT
KW_RIGHTCA,
KW_RIGHTCA2,
KW_RIGHTGROUPS,
+ KW_RIGHTGROUPS2,
KW_RIGHT_DEPRECATED,
#define KW_RIGHT_FIRST KW_RIGHT
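Review bot: KW_GROUPS2, KW_LEFTGROUPS2 and KW_RIGHTGROUPS2 are inserted at the same relative position in three separate enums, and the `KW_END_FIRST`, `KW_LEFT_FIRST` and `KW_RIGHT_FIRST` defines in the context suggest left/right keywords are translated to end keywords by offset, so the three lists (and the `ARG_STR` table entry order added earlier in this commit) appear to have to stay in lockstep, yet nothing in the enum states that invariant. A comment at the insertion point such as `/* keep the KW_END, KW_LEFT and KW_RIGHT lists and the end keyword table in identical order: entries are mapped by offset from the *_FIRST keyword */` would protect the next addition from a silent misparse. The enum definitions start outside the hunk.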
leftca, KW_LEFTCA
leftca2, KW_LEFTCA2
leftgroups, KW_LEFTGROUPS
+leftgroups2, KW_LEFTGROUPS2
right, KW_RIGHT
rightikeport, KW_RIGHTIKEPORT
rightsubnet, KW_RIGHTSUBNET
rightca, KW_RIGHTCA
rightca2, KW_RIGHTCA2
rightgroups, KW_RIGHTGROUPS
+rightgroups2, KW_RIGHTGROUPS2
also, KW_ALSO
auto, KW_AUTO
# deprecated/removed keywords
msg_end->ca = push_string(msg, conn_end->ca);
msg_end->ca2 = push_string(msg, conn_end->ca2);
msg_end->groups = push_string(msg, conn_end->groups);
+ msg_end->groups2 = push_string(msg, conn_end->groups2);
msg_end->updown = push_string(msg, conn_end->updown);
if (conn_end->host)
{
char *ca;
char *ca2;
char *groups;
+ char *groups2;
char *cert_policy;
char *updown;
char *address;