this might conflict with plugins that later need access to e.g. the used
certificates.
+charon.follow_redirects = yes
+ Whether to follow IKEv2 redirects (RFC 5685).
+
charon.fragment_size = 0
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
* Maximum length of a single fragment, 0 for address-specific defaults
*/
size_t fragment_size;
+
+ /**
+ * Whether to follow IKEv2 redirects
+ */
+ bool follow_redirects;
};
/**
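Review bot: The doc comment on the new `follow_redirects` member reads `Whether to follow IKEv2 redirects`, while the matching member added to the task manager's private struct (lines 39–42) reads `Whether to follow IKEv2 redirects as per RFC 5685`; the two fields carry the same setting and should be documented the same way. Suggest `* Whether to follow IKEv2 redirects as per RFC 5685` here too, so a reader of either struct is pointed at the same specification. The enclosing struct definition starts outside the hunk.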
host_t *other;
DBG1(DBG_IKE, "redirected to %Y", gateway);
+ if (!this->follow_redirects)
+ {
+ DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
+ return FALSE;
+ }
snprintf(gw, sizeof(gw), "%Y", gateway);
gw[sizeof(gw)-1] = '\0';
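Review bot: The added `if (!this->follow_redirects)` guard runs after `DBG1(DBG_IKE, "redirected to %Y", gateway)` has already been emitted, so a REDIRECT that is being refused produces a log line that reads as if the redirect were followed, then a second line saying it was disabled. Moving the guard above that log, or folding the gateway into the refusal message, e.g. `DBG1(DBG_IKE, "ignoring REDIRECT to %Y, following redirects is disabled", gateway);`, makes the ignored case self-explanatory from a single line. That matters for operators: since REDIRECT_SUPPORTED is no longer announced when the option is off (line 49), a REDIRECT arriving here comes from a peer that is not honouring the RFC 5685 negotiation, which is worth being able to spot unambiguously in logs. The enclosing function starts and ends outside the hunk, so what the caller does with the `FALSE` return is not visible here.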
"%s.flush_auth_cfg", FALSE, lib->ns),
.fragment_size = lib->settings->get_int(lib->settings,
"%s.fragment_size", 0, lib->ns),
+ .follow_redirects = lib->settings->get_bool(lib->settings,
+ "%s.follow_redirects", TRUE, lib->ns),
);
if (version == IKEV2)
* Whether to use Signature Authentication as per RFC 7427
*/
bool signature_authentication;
+
+ /**
+ * Whether to follow IKEv2 redirects as per RFC 5685
+ */
+ bool follow_redirects;
};
/**
}
}
/* notify other peer if we support redirection */
- if (!this->old_sa && this->initiator)
+ if (!this->old_sa && this->initiator && this->follow_redirects)
{
message->add_notify(message, FALSE, REDIRECT_SUPPORTED, chunk_empty);
}
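Review bot: The REDIRECT_SUPPORTED notify is now gated on the task manager's own `this->follow_redirects`, while the incoming REDIRECT is rejected from the IKE_SA's separate copy of the flag (lines 21–25); both are populated from `charon.follow_redirects` at creation (lines 31–32 and 56–57), so they agree today, but they are two independent pieces of state that must stay in step for the protocol behaviour to be coherent. A short comment at the changed condition would record that coupling, e.g. `/* must agree with ike_sa's follow_redirects; both read charon.follow_redirects */`. The enclosing function starts and ends outside the hunk.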
.old_sa = old_sa,
.signature_authentication = lib->settings->get_bool(lib->settings,
"%s.signature_authentication", TRUE, lib->ns),
+ .follow_redirects = lib->settings->get_bool(lib->settings,
+ "%s.follow_redirects", TRUE, lib->ns),
);
this->nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);