.B leftcert,
but for the second authentication round (IKEv2 only).
.TP
+.BR leftcertpolicy " = <OIDs>"
+Comma separated list of certificate policy OIDs the peers certificate must have.
+OIDs are specified using the numerical dotted representation (IKEv2 only).
+.TP
.BR leftfirewall " = yes | " no
whether the left participant is doing forwarding-firewalling
(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
enumerator->destroy(enumerator);
}
+ /* certificatePolicies */
+ if (end->cert_policy)
+ {
+ enumerator_t *enumerator;
+ char *policy;
+
+ enumerator = enumerator_create_token(end->cert_policy, ",", " ");
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));
+ }
+ enumerator->destroy(enumerator);
+ }
+
/* authentication metod (class, actually) */
if (streq(auth, "pubkey") ||
streq(auth, "rsasig") || streq(auth, "rsa") ||
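Review bot: Each comma-separated token taken from end->cert_policy is stored verbatim with `cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy));` without checking that it is the numeric dotted OID the new man-page text requires, so a mistyped or empty entry (for example a trailing comma) is accepted at configuration load and presumably surfaces only later as a policy that never matches, which is hard to diagnose from the daemon's side. Consider converting each token to an OID before adding it and, when the conversion fails, logging the offending token at the same DBG level the surrounding code uses and skipping it, so an operator sees the misconfiguration instead of a silent authentication failure. The enclosing function begins before and continues past this hunk.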
pop_string(msg, &end->ca);
pop_string(msg, &end->ca2);
pop_string(msg, &end->groups);
+ pop_string(msg, &end->cert_policy);
pop_string(msg, &end->updown);
DBG2(DBG_CFG, " %s=%s", label, end->address);
{ ARG_STR, offsetof(starter_end_t, rsakey), NULL },
{ ARG_STR, offsetof(starter_end_t, cert), NULL },
{ ARG_STR, offsetof(starter_end_t, cert2), NULL },
+ { ARG_STR, offsetof(starter_end_t, cert_policy), NULL },
{ ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert },
{ ARG_STR, offsetof(starter_end_t, ca), NULL },
{ ARG_STR, offsetof(starter_end_t, ca2), NULL },
char *ca;
char *ca2;
char *groups;
+ char *cert_policy;
char *iface;
ip_address addr;
u_int ikeport;
KW_RSASIGKEY,
KW_CERT,
KW_CERT2,
+ KW_CERTPOLICY,
KW_SENDCERT,
KW_CA,
KW_CA2,
KW_LEFTRSASIGKEY,
KW_LEFTCERT,
KW_LEFTCERT2,
+ KW_LEFTCERTPOLICY,
KW_LEFTSENDCERT,
KW_LEFTCA,
KW_LEFTCA2,
KW_RIGHTRSASIGKEY,
KW_RIGHTCERT,
KW_RIGHTCERT2,
+ KW_RIGHTCERTPOLICY,
KW_RIGHTSENDCERT,
KW_RIGHTCA,
KW_RIGHTCA2,
leftauth, KW_LEFTAUTH
leftauth2, KW_LEFTAUTH2
leftrsasigkey, KW_LEFTRSASIGKEY
-leftcert, KW_LEFTCERT,
-leftcert2, KW_LEFTCERT2,
+leftcert, KW_LEFTCERT
+leftcert2, KW_LEFTCERT2
+leftcertpolicy, KW_LEFTCERTPOLICY
leftsendcert, KW_LEFTSENDCERT
leftca, KW_LEFTCA
leftca2, KW_LEFTCA2
rightrsasigkey, KW_RIGHTRSASIGKEY
rightcert, KW_RIGHTCERT
rightcert2, KW_RIGHTCERT2
+rightcertpolicy, KW_RIGHTCERTPOLICY
rightsendcert, KW_RIGHTSENDCERT
rightca, KW_RIGHTCA
rightca2, KW_RIGHTCA2
msg_end->id2 = push_string(msg, conn_end->id2);
msg_end->cert = push_string(msg, conn_end->cert);
msg_end->cert2 = push_string(msg, conn_end->cert2);
+ msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
msg_end->ca = push_string(msg, conn_end->ca);
msg_end->ca2 = push_string(msg, conn_end->ca2);
msg_end->groups = push_string(msg, conn_end->groups);
char *ca;
char *ca2;
char *groups;
+ char *cert_policy;
char *updown;
char *address;
u_int16_t ikeport;