uint64_t dpd_delay;
uint64_t dpd_timeout;
fragmentation_t fragmentation;
+ childless_t childless;
unique_policy_t unique;
uint32_t keyingtries;
uint32_t local_port;
DBG2(DBG_CFG, " dpd_delay = %llu", data->dpd_delay);
DBG2(DBG_CFG, " dpd_timeout = %llu", data->dpd_timeout);
DBG2(DBG_CFG, " fragmentation = %u", data->fragmentation);
+ DBG2(DBG_CFG, " childless = %u", data->childless);
DBG2(DBG_CFG, " unique = %N", unique_policy_names, data->unique);
DBG2(DBG_CFG, " keyingtries = %u", data->keyingtries);
DBG2(DBG_CFG, " reauth_time = %llu", data->reauth_time);
return FALSE;
}
+/**
+ * Parse a childless_t
+ */
+CALLBACK(parse_childless, bool,
+ childless_t *out, chunk_t v)
+{
+ enum_map_t map[] = {
+ { "allow", CHILDLESS_ALLOW },
+ { "never", CHILDLESS_NEVER },
+ { "force", CHILDLESS_FORCE },
+ };
+ int d;
+
+ if (parse_map(map, countof(map), &d, v))
+ {
+ *out = d;
+ return TRUE;
+ }
+ return FALSE;
+}
+
/**
* Parse a cert_policy_t
*/
{ "dpd_delay", parse_time, &peer->dpd_delay },
{ "dpd_timeout", parse_time, &peer->dpd_timeout },
{ "fragmentation", parse_frag, &peer->fragmentation },
+ { "childless", parse_childless, &peer->childless },
{ "send_certreq", parse_bool, &peer->send_certreq },
{ "send_cert", parse_send_cert, &peer->send_cert },
{ "keyingtries", parse_uint32, &peer->keyingtries },
.no_certreq = !peer.send_certreq,
.force_encap = peer.encap,
.fragmentation = peer.fragmentation,
+ .childless = peer.childless,
.dscp = peer.dscp,
};
ike_cfg = ike_cfg_create(&ike);
specified; this option has no effect on connections using IKE2.
connections.<conn>.fragmentation = yes
- Use IKE UDP datagram fragmentation. (_yes_, _accept_, _no_ or _force_).
+ Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_).
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation). Acceptable values are _yes_ (the default), _accept_,
Note that fragmented IKE messages sent by a peer are always accepted
irrespective of the value of this option (even when set to _no_).
+connections.<conn>.childless = allow
+ Use childless IKE_SA initiation (_allow_, _force_ or _never_).
+
+ Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
+ are _allow_ (the default), _force_ and _never_. If set to _allow_,
+ responders will accept childless IKE_SAs (as indicated via notify in the
+ IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
+ with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
+ initiated explicitly without any children (which will fail if the responder
+ does not support or has disabled this extension). If set to _force_, only
+ childless initiation is accepted and the first CHILD_SA is created with a
+ separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
+ for all CHILD_SAs). Finally, setting the option to _never_ disables support
+ for childless IKE_SAs as responder.
+
connections.<conn>.send_certreq = yes
Send certificate requests payloads (_yes_ or _no_).