peer_cfg_t *peer_cfg;
uint16_t local_port, remote_port = IKEV2_UDP_PORT;
ike_version_t version = IKE_ANY;
- bool aggressive = FALSE;
proposal_t *proposal;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ .dpd = 30,
+ };
switch (this->profile)
{
case PROF_V1_XAUTH_AM:
case PROF_V1_XAUTH_PSK_AM:
case PROF_V1_HYBRID_AM:
- aggressive = TRUE;
+ peer.aggressive = TRUE;
/* FALL */
case PROF_V1_PUB:
case PROF_V1_XAUTH:
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
}
- peer_cfg = peer_cfg_create("cmd", ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, aggressive, TRUE, /* mobike, aggressive, pull */
- 30, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation */
+ peer_cfg = peer_cfg_create("cmd", ike_cfg, &peer);
return peer_cfg;
}
certificate_t *cert = NULL;
x509_t *x509;
bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create(priv->name, ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- 0, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation */
+
+ peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
if (virtual)
{
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
identification_t *lid, *rid;
char *child, *policy, *pool;
uintptr_t strength;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_ALWAYS_SEND,
+ .unique = UNIQUE_NO,
+ .keyingtries = 1,
+ .no_mobike = TRUE,
+ };
ike_cfg = load_ike_config(this, settings, config);
- peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
- UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, TRUE,
- 0, 0, FALSE, NULL, NULL);
+ peer_cfg = peer_cfg_create(config, ike_cfg, &peer);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
traffic_selector_t *ts;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
- UNIQUE_REPLACE, 0, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- 0, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation */
+ peer_cfg = peer_cfg_create("android", ike_cfg, &peer);
peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
uint16_t local_port, remote_port = IKEV2_UDP_PORT;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ .dpd = 30,
+ };
local_port = charon->socket->get_port(charon->socket, FALSE);
if (local_port != IKEV2_UDP_PORT)
host, remote_port, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create(name, ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- 30, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation */
+ peer_cfg = peer_cfg_create(name, ike_cfg, &peer);
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
return peer_cfg;
/*
- * Copyright (C) 2007-2015 Tobias Brunner
+ * Copyright (C) 2007-2016 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
/*
* Described in header-file
*/
-peer_cfg_t *peer_cfg_create(char *name,
- ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
- unique_policy_t unique, uint32_t keyingtries,
- uint32_t rekey_time, uint32_t reauth_time,
- uint32_t jitter_time, uint32_t over_time,
- bool mobike, bool aggressive, bool pull_mode,
- uint32_t dpd, uint32_t dpd_timeout,
- bool mediation, peer_cfg_t *mediated_by,
- identification_t *peer_id)
+peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
+ peer_cfg_create_t *data)
{
private_peer_cfg_t *this;
- if (rekey_time && jitter_time > rekey_time)
+ if (data->rekey_time && data->jitter_time > data->rekey_time)
{
- jitter_time = rekey_time;
+ data->jitter_time = data->rekey_time;
}
- if (reauth_time && jitter_time > reauth_time)
+ if (data->reauth_time && data->jitter_time > data->reauth_time)
{
- jitter_time = reauth_time;
+ data->jitter_time = data->reauth_time;
}
- if (dpd && dpd_timeout && dpd > dpd_timeout)
+ if (data->dpd && data->dpd_timeout && data->dpd > data->dpd_timeout)
{
- dpd_timeout = dpd;
+ data->dpd_timeout = data->dpd;
}
INIT(this,
.ike_cfg = ike_cfg,
.child_cfgs = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .cert_policy = cert_policy,
- .unique = unique,
- .keyingtries = keyingtries,
- .rekey_time = rekey_time,
- .reauth_time = reauth_time,
- .jitter_time = jitter_time,
- .over_time = over_time,
- .use_mobike = mobike,
- .aggressive = aggressive,
- .pull_mode = pull_mode,
- .dpd = dpd,
- .dpd_timeout = dpd_timeout,
+ .cert_policy = data->cert_policy,
+ .unique = data->unique,
+ .keyingtries = data->keyingtries,
+ .rekey_time = data->rekey_time,
+ .reauth_time = data->reauth_time,
+ .jitter_time = data->jitter_time,
+ .over_time = data->over_time,
+ .use_mobike = !data->no_mobike,
+ .aggressive = data->aggressive,
+ .pull_mode = !data->push_mode,
+ .dpd = data->dpd,
+ .dpd_timeout = data->dpd_timeout,
.vips = linked_list_create(),
.pools = linked_list_create(),
.local_auth = linked_list_create(),
.remote_auth = linked_list_create(),
.refcount = 1,
- );
-
#ifdef ME
- this->mediation = mediation;
- this->mediated_by = mediated_by;
- this->peer_id = peer_id;
-#else /* ME */
- DESTROY_IF(mediated_by);
- DESTROY_IF(peer_id);
+ .mediation = data->mediation,
+ .mediated_by = data->mediated_by,
+ .peer_id = data->peer_id,
#endif /* ME */
+ );
return &this->public;
}
/*
- * Copyright (C) 2007-2015 Tobias Brunner
+ * Copyright (C) 2007-2016 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
+typedef struct peer_cfg_create_t peer_cfg_create_t;
#include <library.h>
#include <utils/identification.h>
void (*destroy) (peer_cfg_t *this);
};
+/**
+ * Data passed to the constructor of a peer_cfg_t object.
+ */
+struct peer_cfg_create_t {
+ /** Whether to send a certificate payload */
+ cert_policy_t cert_policy;
+ /** Uniqueness of an IKE_SA */
+ unique_policy_t unique;
+ /** How many keying tries should be done before giving up */
+ uint32_t keyingtries;
+ /** Timeout in seconds before starting rekeying */
+ uint32_t rekey_time;
+ /** Timeout in seconds before starting reauthentication */
+ uint32_t reauth_time;
+ /** Time range in seconds to randomly subtract from rekey/reauth time */
+ uint32_t jitter_time;
+ /** Maximum overtime in seconds before closing a rekeying/reauth SA */
+ uint32_t over_time;
+ /** Disable MOBIKE (RFC4555) */
+ bool no_mobike;
+ /** Use/accept aggressive mode with IKEv1 */
+ bool aggressive;
+ /** TRUE to use modeconfig push, FALSE for pull */
+ bool push_mode;
+ /** DPD check interval, 0 to disable */
+ uint32_t dpd;
+ /** DPD timeout interval (IKEv1 only), if 0 default applies */
+ uint32_t dpd_timeout;
+#ifdef ME
+ /** TRUE if this is a mediation connection */
+ bool mediation;
+ /** peer_cfg_t of the mediation connection to mediate through (adopted) */
+ peer_cfg_t *mediated_by;
+ /** ID that identifies our peer at the mediation server (adopted) */
+ identification_t *peer_id;
+#endif /* ME */
+};
+
/**
* Create a configuration object for IKE_AUTH and later.
*
- * name-string gets cloned, ID's not.
- * Virtual IPs are used if they are != NULL. A %any host means the virtual
- * IP should be obtained from the other peer.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeylifetime - random(0, jitter)).
- *
- * @param name name of the peer_cfg
- * @param ike_cfg IKE config to use when acting as initiator
- * @param cert_policy should we send a certificate payload?
- * @param unique uniqueness of an IKE_SA
- * @param keyingtries how many keying tries should be done before giving up
- * @param rekey_time timeout before starting rekeying
- * @param reauth_time timeout before starting reauthentication
- * @param jitter_time timerange to randomly subtract from rekey/reauth time
- * @param over_time maximum overtime before closing a rekeying/reauth SA
- * @param mobike use MOBIKE (RFC4555) if peer supports it
- * @param aggressive use/accept aggressive mode with IKEv1
- * @param pull_mode TRUE to use modeconfig pull, FALSE for push
- * @param dpd DPD check interval, 0 to disable
- * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
- * @param mediation TRUE if this is a mediation connection
- * @param mediated_by peer_cfg_t of the mediation connection to mediate through
- * @param peer_id ID that identifies our peer at the mediation server
+ * @param name name of the peer_cfg (cloned)
+ * @param ike_cfg IKE config to use when acting as initiator (adopted)
+ * @param data data for this peer_cfg
* @return peer_cfg_t object
*/
-peer_cfg_t *peer_cfg_create(char *name,
- ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
- unique_policy_t unique, uint32_t keyingtries,
- uint32_t rekey_time, uint32_t reauth_time,
- uint32_t jitter_time, uint32_t over_time,
- bool mobike, bool aggressive, bool pull_mode,
- uint32_t dpd, uint32_t dpd_timeout,
- bool mediation, peer_cfg_t *mediated_by,
- identification_t *peer_id);
+peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
+ peer_cfg_create_t *data);
#endif /** PEER_CFG_H_ @}*/
auth_cfg_t *auth_cfg;
child_cfg_t *child_cfg;
traffic_selector_t *ts;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_NEVER_SEND,
+ .unique = UNIQUE_KEEP,
+ .rekey_time = 86400, /* 24h */
+ .jitter_time = 7200, /* 2h */
+ .over_time = 3600, /* 1h */
+ .no_mobike = TRUE,
+ .dpd = 30,
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
remote, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
- UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE,
- TRUE, 30, 0, FALSE, NULL, NULL);
+ peer_cfg = peer_cfg_create("ha", ike_cfg, &peer);
auth_cfg = auth_cfg_create();
auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
peer_cfg_t *peer_cfg;
char local[32], *remote;
host_t *addr;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_NO,
+ .keyingtries = 1,
+ .rekey_time = this->ike_rekey,
+ .over_time = this->ike_rekey,
+ .no_mobike = TRUE,
+ .dpd = this->dpd_delay,
+ .dpd_timeout = this->dpd_timeout,
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
FRAGMENTATION_NO, 0);
}
ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
- peer_cfg = peer_cfg_create("load-test", ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
- this->ike_rekey, 0, /* rekey, reauth */
- 0, this->ike_rekey, /* jitter, overtime */
- FALSE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd_delay, /* dpd_delay */
- this->dpd_timeout, /* dpd_timeout */
- FALSE, NULL, NULL);
+ peer_cfg = peer_cfg_create("load-test", ike_cfg, &peer);
+
if (this->vip)
{
peer_cfg->add_virtual_ip(peer_cfg, this->vip->clone(this->vip));
traffic_selector_t *ts;
auth_cfg_t *auth;
certificate_t *cert;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- peer_cfg = peer_cfg_create(this->current, ike_cfg,
- CERT_SEND_IF_ASKED,
- UNIQUE_REPLACE, 1, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- 0, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation */
+ peer_cfg = peer_cfg_create(this->current, ike_cfg, &peer);
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
auth = auth_cfg_create();
child_cfg_t *child_cfg;
chunk_t me, other;
char *address, *local_net, *remote_net;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_NEVER_SEND,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = this->rekey * 60,
+ .jitter_time = this->rekey * 5,
+ .over_time = this->rekey * 3,
+ .dpd = this->dpd,
+ .mediation = TRUE,
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
- med_cfg = peer_cfg_create(
- "mediation", ike_cfg,
- CERT_NEVER_SEND, UNIQUE_REPLACE,
- 1, this->rekey*60, 0, /* keytries, rekey, reauth */
- this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd, 0, /* DPD delay, timeout */
- TRUE, NULL, NULL); /* mediation, med by, peer id */
+ med_cfg = peer_cfg_create("mediation", ike_cfg, &peer);
e->destroy(e);
auth = auth_cfg_create();
DESTROY_IF(e);
return NULL;
}
- peer_cfg = peer_cfg_create(
- name, this->ike->get_ref(this->ike),
- CERT_NEVER_SEND, UNIQUE_REPLACE,
- 1, this->rekey*60, 0, /* keytries, rekey, reauth */
- this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd, 0, /* DPD delay, timeout */
- FALSE, med_cfg, /* mediation, med by */
- identification_create_from_encoding(ID_KEY_ID, other));
+ peer.mediation = FALSE;
+ peer.mediated_by = med_cfg;
+ peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other);
+ peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
chunk_t me, other;
child_cfg_t *child_cfg;
auth_cfg_t *auth;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_NEVER_SEND,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = this->rekey * 60,
+ .jitter_time = this->rekey * 5,
+ .over_time = this->rekey * 3,
+ .dpd = this->dpd,
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
this->current = NULL;
return FALSE;
}
- this->current = peer_cfg_create(
- name, this->ike->get_ref(this->ike),
- CERT_NEVER_SEND, UNIQUE_REPLACE,
- 1, this->rekey*60, 0, /* keytries, rekey, reauth */
- this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation, med by, peer id */
+ this->current = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
if (e->enumerate(e, &name))
{
- peer_cfg = peer_cfg_create(
- name, this->ike->get_ref(this->ike),
- CERT_NEVER_SEND, UNIQUE_REPLACE,
- 1, this->rekey*60, 0, /* keytries, rekey, reauth */
- this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- this->dpd, 0, /* DPD delay, timeout */
- TRUE, NULL, NULL); /* mediation, med by, peer id */
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_NEVER_SEND,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = this->rekey * 60,
+ .jitter_time = this->rekey * 5,
+ .over_time = this->rekey * 3,
+ .dpd = this->dpd,
+ .mediation = TRUE,
+ };
+ peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike),
+ &peer);
e->destroy(e);
auth = auth_cfg_create();
return ike_cfg;
}
+#ifdef ME
/**
* Query a peer config by its id
*/
}
return peer_cfg;
}
+#endif /* ME */
/**
* Check if the two IDs match (the first one is optional)
&mediation, &mediated_by, &p_type, &p_data))
{
identification_t *local_id, *remote_id, *peer_id = NULL;
- peer_cfg_t *peer_cfg, *mediated_cfg;
+ peer_cfg_t *peer_cfg, *mediated_cfg = NULL;
ike_cfg_t *ike;
host_t *vip = NULL;
auth_cfg_t *auth;
continue;
}
ike = get_ike_cfg_by_id(this, ike_cfg);
+
+#ifdef ME
mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL;
if (p_type)
{
peer_id = identification_create_from_encoding(p_type, p_data);
}
+#endif
if (virtual)
{
vip = host_create_from_string(virtual, 0);
}
if (ike)
{
- peer_cfg = peer_cfg_create(
- name, ike, cert_policy, uniqueid,
- keyingtries, rekeytime, reauthtime, jitter, overtime,
- mobike, FALSE, TRUE, dpd_delay, 0,
- mediation, mediated_cfg, peer_id);
+ peer_cfg_create_t peer = {
+ .cert_policy = cert_policy,
+ .unique = uniqueid,
+ .keyingtries = keyingtries,
+ .rekey_time = rekeytime,
+ .reauth_time = reauthtime,
+ .jitter_time = jitter,
+ .over_time = overtime,
+ .no_mobike = !mobike,
+ .dpd = dpd_delay,
+#ifdef ME
+ .mediation = mediation,
+ .mediated_by = mediated_cfg,
+ .peer_id = peer_id,
+#endif /* ME */
+ };
+
+ peer_cfg = peer_cfg_create(name, ike, &peer);
if (vip)
{
peer_cfg->add_virtual_ip(peer_cfg, vip);
static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
stroke_msg_t *msg, ike_cfg_t *ike_cfg)
{
- identification_t *peer_id = NULL;
- peer_cfg_t *mediated_by = NULL;
- unique_policy_t unique;
- uint32_t rekey = 0, reauth = 0, over, jitter;
peer_cfg_t *peer_cfg;
auth_cfg_t *auth_cfg;
+ peer_cfg_create_t peer = {
+ .cert_policy = msg->add_conn.me.sendcert,
+ .keyingtries = msg->add_conn.rekey.tries,
+ .no_mobike = !msg->add_conn.mobike,
+ .aggressive = msg->add_conn.aggressive,
+ .push_mode = msg->add_conn.pushmode,
+ .dpd = msg->add_conn.dpd.delay,
+ .dpd_timeout = msg->add_conn.dpd.timeout,
+ };
#ifdef ME
if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
if (msg->add_conn.ikeme.mediation)
{
+ peer.mediation = TRUE;
/* force unique connections for mediation connections */
msg->add_conn.unique = 1;
}
if (msg->add_conn.ikeme.mediated_by)
{
- mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
- msg->add_conn.ikeme.mediated_by);
+ peer_cfg_t *mediated_by;
+
+ mediated_by = charon->backends->get_peer_cfg_by_name(
+ charon->backends, msg->add_conn.ikeme.mediated_by);
if (!mediated_by)
{
DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
mediated_by->destroy(mediated_by);
return NULL;
}
+ peer.mediated_by = mediated_by;
if (msg->add_conn.ikeme.peerid)
{
- peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
+ peer.peer_id = identification_create_from_string(
+ msg->add_conn.ikeme.peerid);
}
else if (msg->add_conn.other.id)
{
- peer_id = identification_create_from_string(msg->add_conn.other.id);
+ peer.peer_id = identification_create_from_string(
+ msg->add_conn.other.id);
}
}
#endif /* ME */
- jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
- over = msg->add_conn.rekey.margin;
+ peer.jitter_time = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
+ peer.over_time = msg->add_conn.rekey.margin;
if (msg->add_conn.rekey.reauth)
{
- reauth = msg->add_conn.rekey.ike_lifetime - over;
+ peer.reauth_time = msg->add_conn.rekey.ike_lifetime - peer.over_time;
}
else
{
- rekey = msg->add_conn.rekey.ike_lifetime - over;
+ peer.rekey_time = msg->add_conn.rekey.ike_lifetime - peer.over_time;
}
switch (msg->add_conn.unique)
{
case 1: /* yes */
case 2: /* replace */
- unique = UNIQUE_REPLACE;
+ peer.unique = UNIQUE_REPLACE;
break;
case 3: /* keep */
- unique = UNIQUE_KEEP;
+ peer.unique = UNIQUE_KEEP;
break;
case 4: /* never */
- unique = UNIQUE_NEVER;
+ peer.unique = UNIQUE_NEVER;
break;
default: /* no */
- unique = UNIQUE_NO;
+ peer.unique = UNIQUE_NO;
break;
}
if (msg->add_conn.dpd.action == 0)
{ /* dpdaction=none disables DPD */
- msg->add_conn.dpd.delay = 0;
+ peer.dpd = 0;
}
/* other.sourceip is managed in stroke_attributes. If it is set, we define
* the pool name as the connection name, which the attribute provider
* uses to serve pool addresses. */
- peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg,
- msg->add_conn.me.sendcert, unique,
- msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
- msg->add_conn.mobike, msg->add_conn.aggressive,
- msg->add_conn.pushmode == 0,
- msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
- msg->add_conn.ikeme.mediation, mediated_by, peer_id);
+ peer_cfg = peer_cfg_create(msg->add_conn.name, ike_cfg, &peer);
if (msg->add_conn.other.sourceip)
{
child_cfg_t *child_cfg;
ike_cfg_t *ike_cfg;
auth_cfg_t *auth;
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_NO,
+ .keyingtries = 1,
+ .jitter_time = 1800,
+ .over_time = 900,
+ .dpd = 60,
+ };
child_cfg_create_t child = {
.lifetime = {
.time = {
remote_addr, IKEV2_UDP_PORT,
FRAGMENTATION_NO, 0);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
- this->peer_cfg = peer_cfg_create(
- name, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
- 1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
- 1800, 900, /* jitter, overtime */
- TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
- 60, 0, /* DPD delay, timeout */
- FALSE, NULL, NULL); /* mediation, med by, peer id */
+ peer.rekey_time = create_rekey(ike_rekey);
+ this->peer_cfg = peer_cfg_create(name, ike_cfg, &peer);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
auth->add(auth, AUTH_RULE_IDENTITY,
.rand_time = LFT_UNDEFINED,
};
enumerator_t *enumerator;
+ peer_cfg_create_t cfg;
peer_cfg_t *peer_cfg;
ike_cfg_t *ike_cfg;
child_cfg_t *child_cfg;
peer.local_addrs, peer.local_port,
peer.remote_addrs, peer.remote_port,
peer.fragmentation, 0);
- peer_cfg = peer_cfg_create(name, ike_cfg, peer.send_cert, peer.unique,
- peer.keyingtries, peer.rekey_time, peer.reauth_time,
- peer.rand_time, peer.over_time, peer.mobike,
- peer.aggressive, peer.pull,
- peer.dpd_delay, peer.dpd_timeout,
- FALSE, NULL, NULL);
+
+ cfg = (peer_cfg_create_t){
+ .cert_policy = peer.send_cert,
+ .unique = peer.unique,
+ .keyingtries = peer.keyingtries,
+ .rekey_time = peer.rekey_time,
+ .reauth_time = peer.reauth_time,
+ .jitter_time = peer.rand_time,
+ .over_time = peer.over_time,
+ .no_mobike = !peer.mobike,
+ .aggressive = peer.aggressive,
+ .push_mode = !peer.pull,
+ .dpd = peer.dpd_delay,
+ .dpd_timeout = peer.dpd_timeout,
+ };
+ peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
while (peer.local->remove_first(peer.local,
(void**)&auth) == SUCCESS)
projects / thirdparty / strongswan.git / commitdiff
