Adds a %opaque port option and support for port ranges in left/rightprotoport.
Neither is currently supported by any of our kernel backends.
exclamation mark) can be used, e.g:
.BR aes256-sha512-modp4096!
.TP
+.BR ikedscp " = " 000000 " | <DSCP field>"
+Differentiated Services Field Codepoint to set on outgoing IKE packets sent
+from this connection. The value is a six digit binary encoded string defining
+the Codepoint to set, as defined in RFC 2474.
+.TP
.BR ikelifetime " = " 3h " | <time>"
how long the keying channel of a connection (ISAKMP or IKE SA)
should last before being renegotiated. Also see EXPIRY/REKEY below.
.B leftprotoport=udp/%any
or
.BR leftprotoport=%any/53 .
+
+ The port value can alternatively take the value
+ .B %opaque
+ for RFC 4301 OPAQUE selectors, or a numerical range in the form
+ .BR 1024-65535 .
+ None of the kernel backends currently supports opaque or port ranges and uses
+ .B %any
+ for policy installation instead.
.TP
.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
the left participant's public key for RSA signature authentication, in RFC 2537
settings->get_int(settings, "configs.%s.lport", 500, config),
settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
settings->get_int(settings, "configs.%s.rport", 500, config),
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
if (token)
{
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- ts = traffic_selector_create_from_cidr(token, 0, 0);
+ ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
if (ts)
{
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
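Review bot: The new trailing arguments `0, 0, 65535` on the traffic_selector_create_from_cidr call are three bare literals, and the same triple recurs at every other `traffic_selector_create_from_cidr(..., 0, 0, 65535)` call site in this patch (the second enumerator loop, the `string` variant, and the `str`/`string` helpers in later hunks). A reader has to know the parameter order, which the stroke hunk shows as (protocol, from_port, to_port), to see that this means "any protocol, full port range"; a short comment at each site, `ts = traffic_selector_create_from_cidr(token, 0, 0, 65535); /* any proto, ports 0-65535 */`, or a named constant for the upper bound would make the intent obvious. If the traffic selector API already exposes such a constant I would use it instead of the literal.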
enumerator = enumerator_create_token(token, ",", " ");
while (enumerator->enumerate(enumerator, &token))
{
- ts = traffic_selector_create_from_cidr(token, 0, 0);
+ ts = traffic_selector_create_from_cidr(token, 0, 0, 65535);
if (ts)
{
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
if (string)
{
- ts = traffic_selector_create_from_cidr(string, 0, 0);
+ ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
if (!ts)
{
DBG1(DBG_CFG, "parsing TS string '%s' failed", string);
ike_cfg = ike_cfg_create(this->version, TRUE, FALSE,
local, FALSE, this->port + num - 1,
remote, FALSE, IKEV2_NATT_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
}
else
{
local, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
}
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
peer_cfg = peer_cfg_create("load-test", ike_cfg,
{
traffic_selector_t *ts;
- ts = traffic_selector_create_from_cidr(str, 0, 0);
+ ts = traffic_selector_create_from_cidr(str, 0, 0, 65535);
if (ts)
{
return ts;
ike_cfg = ike_cfg_create(IKEV2, FALSE, FALSE,
"0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
- address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO);
+ address, FALSE, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
med_cfg = peer_cfg_create(
"mediation", ike_cfg,
"0.0.0.0", FALSE,
charon->socket->get_port(charon->socket, FALSE),
"0.0.0.0", FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO),
+ FRAGMENTATION_NO, 0),
);
this->ike->add_proposal(this->ike, proposal_create_default(PROTO_IKE));
msg->add_conn.other.address,
msg->add_conn.other.allow_any,
msg->add_conn.other.ikeport,
- msg->add_conn.fragmentation);
+ msg->add_conn.fragmentation,
+ msg->add_conn.ikedscp);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
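Review bot: `msg->add_conn.ikedscp` is handed to ike_cfg_create without any visible range check, although the stroke_msg_t field is declared `u_int8_t` and so admits 0..255 while a DSCP codepoint is six bits (the man page text in this patch says as much). On the starter side the same value is narrowed from the `u_int ikedscp` in the conn struct to that `u_int8_t` when the message is filled (`msg.add_conn.ikedscp = conn->ikedscp;`), which silently drops the upper bits of an out-of-range value instead of reporting it. Unless the config parser already rejects values above 0x3F, which I cannot see in this patch, I would validate here before building the cfg, rejecting the conn or logging and zeroing the field when `msg->add_conn.ikedscp > 0x3F`, so a mis-parsed value cannot reach the DS field of outgoing IKE packets. The function that builds ike_cfg starts before this hunk.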
if (end->tohost)
{
ts = traffic_selector_create_dynamic(end->protocol,
- end->port ? end->port : 0, end->port ? end->port : 65535);
+ end->from_port, end->to_port);
child_cfg->add_traffic_selector(child_cfg, local, ts);
}
else
if (net)
{
ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
- end->port);
+ end->from_port, end->to_port);
child_cfg->add_traffic_selector(child_cfg, local, ts);
}
}
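Review bot: The removed lines mapped an unset `end->port` (0) to the full range 0-65535 explicitly; the new code passes `end->from_port, end->to_port` through verbatim and therefore relies on the parser initialising `to_port` to 65535 whenever left/rightprotoport specifies no port. If those fields are merely zero-initialised for such a connection, the dynamic and subnet selectors built here (and the subnet-list call and the starter `msg_end` copy in the following hunks) collapse to port 0 only, which silently narrows the installed policy rather than failing. Please confirm the parser's defaults, ideally with a test of a connection that has no protoport line, before relying on the pass-through; I would not re-add a `?: 65535` fallback here, since it could clash with however %opaque is encoded in the port pair. The enclosing function starts before this hunk and continues after it.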
enumerator = enumerator_create_token(end->subnets, ",", " ");
while (enumerator->enumerate(enumerator, &subnet))
{
- ts = traffic_selector_create_from_cidr(subnet,
- end->protocol, end->port);
+ ts = traffic_selector_create_from_cidr(subnet, end->protocol,
+ end->from_port, end->to_port);
if (ts)
{
child_cfg->add_traffic_selector(child_cfg, local, ts);
{
traffic_selector_t *ts;
- ts = traffic_selector_create_from_cidr(string, 0, 0);
+ ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
if (ts)
{
return ts;
local_addr, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote_addr, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
local_addr, FALSE,
charon->socket->get_port(charon->socket, FALSE),
remote_addr, FALSE, IKEV2_UDP_PORT,
- FRAGMENTATION_NO);
+ FRAGMENTATION_NO, 0);
this->ike_cfg->add_proposal(this->ike_cfg,
create_proposal(ike_proposal, PROTO_IKE));
if (host)
{
return traffic_selector_create_from_subnet(host, prefixlen,
- sel->proto, port);
+ sel->proto, port, port ?: 65535);
}
return NULL;
}
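Review bot: `port ?: 65535` uses the GNU conditional-with-omitted-middle-operand extension; if this file already relies on `?:` elsewhere that is consistent, otherwise `port ? port : 65535` is the portable spelling and reads more clearly next to the duplicate `port` argument. The effect is that a zero `port` is expanded to the range 0-65535 while any other value yields a single-port range, presumably because a zero port in the kernel selector stands for "any"; a one-line comment would spare the next reader that inference: `/* a zero selector port means any; expand it to the full range */`. The enclosing function starts before this hunk.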
return JOB_REQUEUE_DIRECT;
}
+METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
+ private_kernel_netlink_ipsec_t *this)
+{
+ return KERNEL_ESP_V3_TFC;
+}
+
/**
* Get an SPI for a specific protocol from the kernel.
*/
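Review bot: The new `get_features` method has no doc comment, while the methods around it in this file carry a `/** ... */` header (the one for the SPI getter immediately follows it). I would add a header such as `/** Return the feature flags this backend supports (currently KERNEL_ESP_V3_TFC only). */` above the METHOD line. It would also help to say in the commit message why the TFC feature flag is declared in this change, since the description only mentions %opaque and port ranges.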
INIT(this,
.public = {
.interface = {
+ .get_features = _get_features,
.get_spi = _get_spi,
.get_cpi = _get_cpi,
.add_sa = _add_sa,
bool hostaccess;
bool allow_any;
char *updown;
- u_int16_t port;
+ u_int16_t from_port;
+ u_int16_t to_port;
u_int8_t protocol;
char *sourceip;
char *dns;
ipsec_mode_t mode;
bool proxy_mode;
fragmentation_t fragmentation;
+ u_int ikedscp;
sa_option_t options;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
msg_end->tohost = !conn_end->subnet;
msg_end->allow_any = conn_end->allow_any;
msg_end->protocol = conn_end->protocol;
- msg_end->port = conn_end->port;
+ msg_end->from_port = conn_end->from_port;
+ msg_end->to_port = conn_end->to_port;
}
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
msg.add_conn.fragmentation = conn->fragmentation;
+ msg.add_conn.ikedscp = conn->ikedscp;
msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
msg.add_conn.install_policy = conn->install_policy;
msg.add_conn.aggressive = conn->aggressive;
int tohost;
int allow_any;
u_int8_t protocol;
- u_int16_t port;
+ u_int16_t from_port;
+ u_int16_t to_port;
};
typedef struct stroke_msg_t stroke_msg_t;
int close_action;
u_int32_t reqid;
u_int32_t tfc;
+ u_int8_t ikedscp;
crl_policy_t crl_policy;
int unique;