starter: Use custom type for SA specific options (flags).
authorTobias Brunner <tobias@strongswan.org>
Tue, 15 May 2012 14:31:46 +0000 (16:31 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 11 Jun 2012 15:33:31 +0000 (17:33 +0200)
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/starterstroke.c

index 9a1d2950464f450e44e79a4b152130ef0a55a2f0..b3caaeba0019cc32945951ccfd2be5f08dfcccc4 100644 (file)
@@ -49,7 +49,7 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
        if ((c1 == NULL) || (c2 == NULL))
                return FALSE;
 
-       VARCMP(policy);
+       VARCMP(options);
        VARCMP(mark_in.value);
        VARCMP(mark_in.mask);
        VARCMP(mark_out.value);
index 8a4e38a557e695933222007caacb5eb7b7643cfa..d6d36fade1379e2fe9fe0312b0699047220dec23 100644 (file)
@@ -83,7 +83,7 @@ static void default_values(starter_config_t *cfg)
        cfg->conn_default.startup = STARTUP_NO;
        cfg->conn_default.state   = STATE_IGNORE;
        cfg->conn_default.mode    = MODE_TUNNEL;
-       cfg->conn_default.policy  = POLICY_MOBIKE;
+       cfg->conn_default.options = SA_OPTION_MOBIKE;
 
        cfg->conn_default.ike                   = strdupnull(ike_defaults);
        cfg->conn_default.esp                   = strdupnull(esp_defaults);
@@ -108,10 +108,10 @@ static void default_values(starter_config_t *cfg)
        cfg->ca_default.seen = SEEN_NONE;
 }
 
-#define KW_POLICY_FLAG(sy, sn, fl) \
-               if (streq(kw->value, sy)) { conn->policy |= fl; } \
-               else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
-               else { DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
+#define KW_SA_OPTION_FLAG(sy, sn, fl) \
+               if (streq(kw->value, sy)) { conn->options |= fl; } \
+               else if (streq(kw->value, sn)) { conn->options &= ~fl; } \
+               else { DBG1(DBG_APP, "# bad option value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
 
 static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 {
@@ -499,10 +499,10 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                        }
                        break;
                case KW_COMPRESS:
-                       KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+                       KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
                        break;
                case KW_AUTH:
-                       KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+                       KW_SA_OPTION_FLAG("ah", "esp", SA_OPTION_AUTHENTICATE)
                        break;
                case KW_MARK:
                        if (!handle_mark(kw->value, &conn->mark_in))
@@ -561,22 +561,22 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                        }
                        break;
                case KW_REKEY:
-                       KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+                       KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY)
                        break;
                case KW_REAUTH:
-                       KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
+                       KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH)
                        break;
                case KW_MOBIKE:
-                       KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+                       KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE)
                        break;
                case KW_FORCEENCAPS:
-                       KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
+                       KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP)
                        break;
                case KW_MODECONFIG:
-                       KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
+                       KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH)
                        break;
                case KW_XAUTH:
-                       KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
+                       KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
                        break;
                default:
                        break;
index 2d8534ea94a8bade7aefe3241a535d84979d507a..5064f6cd87d066fe512cceac4d2faeb85b298bf4 100644 (file)
@@ -55,6 +55,20 @@ typedef enum {
                STRICT_IFURI
 } strict_t;
 
+typedef enum {
+               /* IPsec options */
+               SA_OPTION_AUTHENTICATE  = 1 << 0, /* use AH instead of ESP? */
+               SA_OPTION_COMPRESS      = 1 << 1, /* use IPComp */
+
+               /* IKE and other other options */
+               SA_OPTION_DONT_REKEY    = 1 << 2, /* don't rekey state either Phase */
+               SA_OPTION_DONT_REAUTH   = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
+               SA_OPTION_MODECFG_PUSH  = 1 << 4, /* is modecfg pushed by server? */
+               SA_OPTION_XAUTH_SERVER  = 1 << 5, /* are we an XAUTH server? */
+               SA_OPTION_MOBIKE                = 1 << 6, /* enable MOBIKE for IKEv2  */
+               SA_OPTION_FORCE_ENCAP   = 1 << 7, /* force UDP encapsulation */
+} sa_option_t;
+
 typedef struct starter_end starter_end_t;
 
 struct starter_end {
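Review bot: The group comment reads `/* IKE and other other options */` — "other" is duplicated and it should be `/* IKE and other options */`. Beyond that, `sa_option_t` is declared as an enum but is used as a bitmask (the confread.c helper ORs bits into and clears bits from it, and the default is `SA_OPTION_MOBIKE` alone), while the `starter_conn` field in the next hunk is declared as a bare `sa_option_t options;`, which a reader of the header would take for a single value. A comment on the typedef, `/* flag bits, ORed together into starter_conn.options */`, and `sa_option_t options; /* SA_OPTION_* flags, ORed */` on the field would make that contract explicit. Storing an OR of enumerators in an enum-typed object is valid C, but it is something enum-assignment checkers warn about; the `lset_t` it replaces did not have that issue, so the intent is worth documenting.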
@@ -112,7 +126,7 @@ struct starter_conn {
                char            *authby;
                ipsec_mode_t    mode;
                bool            proxy_mode;
-               lset_t          policy;
+               sa_option_t     options;
                time_t          sa_ike_life_seconds;
                time_t          sa_ipsec_life_seconds;
                time_t          sa_rekey_margin;
index 34cfca0ed199242144f28cc0af2ccdd236e95414..28846be1a3d466d0e994d5156a0c7e90e6d61abd 100644 (file)
@@ -167,9 +167,9 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.mode = conn->mode;
        msg.add_conn.proxy_mode = conn->proxy_mode;
 
-       if (!(conn->policy & POLICY_DONT_REKEY))
+       if (!(conn->options & SA_OPTION_DONT_REKEY))
        {
-               msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
+               msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
                msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
                msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
                msg.add_conn.rekey.margin = conn->sa_rekey_margin;
@@ -180,9 +180,9 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
                msg.add_conn.rekey.tries = conn->sa_keying_tries;
                msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
        }
-       msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;
-       msg.add_conn.force_encap = (conn->policy & POLICY_FORCE_ENCAP) != 0;
-       msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != 0;
+       msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
+       msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+       msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
        msg.add_conn.install_policy = conn->install_policy;
        msg.add_conn.aggressive = conn->aggressive;
        msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
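Review bot: The three assignments at the end of the hunk now store the raw `conn->options & SA_OPTION_*` bit instead of the `!= 0` the replaced lines had, so `mobike`, `force_encap` and `ipcomp` receive values such as `1 << 6` rather than 0/1. That is harmless only if the target fields are `_Bool` (the implicit conversion then yields 1); if they are plain `int`, a bitfield, or are ever compared against `TRUE`, the result silently differs — the stroke message declarations are not in this diff, so I cannot confirm which applies. Keeping the normalization costs nothing and removes the dependency on the field type: `msg.add_conn.mobike = (conn->options & SA_OPTION_MOBIKE) != 0;`, and likewise for `force_encap` and `ipcomp`. starter_stroke_add_conn begins before this hunk and continues after it.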
@@ -226,7 +226,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
                {
                        msg.add_conn.me.auth = push_string(&msg, "pubkey");
                        msg.add_conn.other.auth = push_string(&msg, "pubkey");
-                       if (conn->policy & POLICY_XAUTH_SERVER)
+                       if (conn->options & SA_OPTION_XAUTH_SERVER)
                        {
                                msg.add_conn.other.auth2 = push_string(&msg, "xauth");
                        }
@@ -239,7 +239,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
                {
                        msg.add_conn.me.auth = push_string(&msg, "psk");
                        msg.add_conn.other.auth = push_string(&msg, "psk");
-                       if (conn->policy & POLICY_XAUTH_SERVER)
+                       if (conn->options & SA_OPTION_XAUTH_SERVER)
                        {
                                msg.add_conn.other.auth2 = push_string(&msg, "xauth");
                        }