charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
+charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel.
+
+ Whether to set protocol and ports in the selector installed on transport
+ mode IPsec SAs in the kernel. While doing so enforces policies for inbound
+ traffic, it also prevents the use of a single IPsec SA by more than one
+ traffic selector.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
*/
bool install_routes;
+ /**
+ * Whether to set protocol and ports on selector installed with transport
+ * mode IPsec SAs
+ */
+ bool proto_port_transport;
+
/**
* Whether to track the history of a policy
*/
if (src_ts && dst_ts)
{
sa->sel = ts2selector(src_ts, dst_ts);
- /* don't install proto/port on SA. This would break
- * potential secondary SAs for the same address using a
- * different prot/port. */
- sa->sel.proto = 0;
- sa->sel.dport = sa->sel.dport_mask = 0;
- sa->sel.sport = sa->sel.sport_mask = 0;
+ if (!this->proto_port_transport)
+ {
+ /* don't install proto/port on SA. This would break
+ * potential secondary SAs for the same address using a
+ * different prot/port. */
+ sa->sel.proto = 0;
+ sa->sel.dport = sa->sel.dport_mask = 0;
+ sa->sel.sport = sa->sel.sport_mask = 0;
+ }
}
break;
default:
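Review bot: The new `if (!this->proto_port_transport)` guard keeps the old comment on the clearing branch but leaves the enabled branch undocumented, so a reader sees proto/port being installed from `ts2selector()` without any hint of the trade-off the option text describes (inbound enforcement versus one SA per proto/port pair). An `else` comment at the point where the decision is made would carry that, e.g. `/* else: keep proto/port from the TS so the kernel enforces them on inbound transport-mode traffic; this rules out sharing one SA across selectors */`. It may also be worth confirming, presumably in `ts2selector()`, how a TS port range that is not mask-expressible is mapped when proto/port are now kept rather than zeroed — that cannot be judged from this hunk. The enclosing `switch` and function start and end outside the hunk.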
.policy_history = TRUE,
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE, lib->ns),
+ .proto_port_transport = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.set_proto_port_transport_sa",
+ FALSE, lib->ns),
);
if (streq(lib->ns, "starter"))