Added left-/rightikeport ipsec.conf options to use custom IKE ports
authorMartin Willi <martin@revosec.ch>
Mon, 22 Feb 2010 18:26:25 +0000 (19:26 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 26 Feb 2010 10:44:33 +0000 (11:44 +0100)
src/charon/plugins/stroke/stroke_config.c
src/starter/args.c
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/ipsec.conf.5
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke.c
src/stroke/stroke_msg.h

index bfb39008e2046651675cb5f9fe8d1611b2447816..bbc1e7a31ec94e115034ef033937221a7ac9925e 100644 (file)
@@ -232,9 +232,9 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
                }
        }
        ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
-                                                        msg->add_conn.force_encap,
-                                                        msg->add_conn.me.address, IKEV2_UDP_PORT,
-                                                        msg->add_conn.other.address, IKEV2_UDP_PORT);
+                                       msg->add_conn.force_encap,
+                                       msg->add_conn.me.address, msg->add_conn.me.ikeport,
+                                       msg->add_conn.other.address, msg->add_conn.other.ikeport);
        add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
        return ike_cfg;
 }
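Review bot: The two `ikeport` values on the added lines are passed straight into ike_cfg_create() with no fallback, so a stroke_msg_t whose sender did not fill the new field (a zeroed message, or a stroke client built against the previous struct layout) now yields an IKE config on port 0 where it previously got IKEV2_UDP_PORT. Keeping the old default when the field is 0 avoids that: `msg->add_conn.me.address, msg->add_conn.me.ikeport ? msg->add_conn.me.ikeport : IKEV2_UDP_PORT,` and the same for `other`. The ipsec.conf.5 hunk also states that a non-default local port needs a socket implementation listening on it, and nothing at this call site checks or logs that, so a misconfigured port fails silently at connect time — a DBG1 when `me.ikeport` differs from IKEV2_UDP_PORT would make that diagnosable. build_ike_cfg's body begins above this hunk.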
index ebbd42cc87243579b47d409518c688abee20badc..c2614cd1486eb061535d2e44a25094526852e6cd 100644 (file)
@@ -248,6 +248,7 @@ static const token_info_t token_info[] =
 
        /* end keywords */
        { ARG_MISC, 0, NULL  /* KW_HOST */                                             },
+       { ARG_UINT, offsetof(starter_end_t, ikeport), NULL                             },
        { ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
        { ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
        { ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
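Review bot: The new ARG_UINT entry stores through `offsetof(starter_end_t, ikeport)`, but the confread.h hunk declares that member as `u_int16_t`; if the ARG_UINT handler in args.c writes a full `u_int` through the offset (the handler is not part of this diff — please confirm), the store would run two bytes past `ikeport` into the following `nexthop` member, and a value above 65535 would be silently truncated either way. Either declare the field with the width the handler writes, or add a width-aware variant so the parser can store a `u_int16_t` safely. Since this is a UDP port taken from a config file, the parser should also reject values outside 1..65535 at this entry rather than letting 0 or a wrapped value reach charon. The token_info[] array begins above this hunk.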
index 8462a4819ce0ae90539142c6a50654a2ec4cfefb..33a057b4478c7575569476e065b058fc28a6c49c 100644 (file)
@@ -43,6 +43,7 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
        {
                ADDCMP(addr);
        }
+       VARCMP(ikeport);
        ADDCMP(nexthop);
        VARCMP(has_client);
        VARCMP(has_client_wildcard);
index 07cc1150331805add102284274be2465b77033f5..f71d9b46f0c09969fdc5b2fe6b962f90c0d3111f 100644 (file)
@@ -96,6 +96,8 @@ static void default_values(starter_config_t *cfg)
        anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
        anyaddr(AF_INET, &cfg->conn_default.right.addr);
        anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+       cfg->conn_default.left.ikeport = 500;
+       cfg->conn_default.right.ikeport = 500;
 
        cfg->ca_default.seen = LEMPTY;
 }
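Review bot: The literal `500` on the two added lines is the IKE default port, and the same bare literal is repeated in the stroke.c hunk of this commit (`msg.add_conn.me.ikeport = 500;` and the `other` line); the charon side already names this value IKEV2_UDP_PORT (visible in the removed lines of the stroke_config.c hunk). If that header is reachable from starter and stroke, `cfg->conn_default.left.ikeport = IKEV2_UDP_PORT;` (and right) keeps the three sites in agreement; if not, a single named constant in stroke_msg.h, which all three include, would do. A one-line comment on the default, `/* default IKE port; overridden by left/rightikeport */`, would also help the next reader.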
index 7f321162825b718e174093d55ffc4d8a87ca2234..e7072794ce7b9bb21746fa4ff9a93f022766dfaa 100644 (file)
@@ -66,6 +66,7 @@ struct starter_end {
                char            *groups;
                char            *iface;
                ip_address      addr;
+               u_int16_t       ikeport;
                ip_address      nexthop;
                char            *subnet;
                bool            has_client;
index d4dd7238f4bb779ee7045bbc42dabf2d74a60aa8..4cb1cb0fc1c8d1d195049d253e68eb39f8cb638d 100644 (file)
@@ -604,6 +604,13 @@ identity to use for a second authentication for the left participant
 (IKEv2 only); defaults to
 .BR leftid .
 .TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with port floating to
+4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
 .B leftnexthop
 this parameter is not needed any more because the NETKEY IPsec stack does
 not require explicit routing entries for the traffic to be tunneled.
index 8be31d1480b096f6062acb9dc640e29b5e47ad2a..10951f35bb2241f3a246f6b80af8f84eaacaafed 100644 (file)
@@ -145,6 +145,7 @@ typedef enum {
 
    /* left end keywords */
        KW_LEFT,
+       KW_LEFTIKEPORT,
        KW_LEFTNEXTHOP,
        KW_LEFTSUBNET,
        KW_LEFTSUBNETWITHIN,
@@ -172,6 +173,7 @@ typedef enum {
 
    /* right end keywords */
        KW_RIGHT,
+       KW_RIGHTIKEPORT,
        KW_RIGHTNEXTHOP,
        KW_RIGHTSUBNET,
        KW_RIGHTSUBNETWITHIN,
index adf3069bfe5b6b4430e26ee25db5b6022df7faba..12037a68578ccbf65b21e9604808b8ff4d2baecd 100644 (file)
@@ -98,6 +98,7 @@ ocspuri1,          KW_OCSPURI
 ocspuri2,          KW_OCSPURI2
 certuribase,       KW_CERTURIBASE
 left,              KW_LEFT
+leftikeport,       KW_LEFTIKEPORT
 leftnexthop,       KW_LEFTNEXTHOP
 leftsubnet,        KW_LEFTSUBNET
 leftsubnetwithin,  KW_LEFTSUBNETWITHIN
@@ -120,6 +121,7 @@ leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
 right,             KW_RIGHT
+rightikeport,      KW_RIGHTIKEPORT
 rightnexthop,      KW_RIGHTNEXTHOP
 rightsubnet,       KW_RIGHTSUBNET
 rightsubnetwithin, KW_RIGHTSUBNETWITHIN
index 665350c00bc8d70fe00649098e113aa366ce31c3..d877661ec8f8f5ab7f1f39eb9b92d2098b5589d4 100644 (file)
@@ -186,6 +186,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
        msg_end->updown = push_string(msg, conn_end->updown);
        ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
        msg_end->address = push_string(msg, buffer);
+       msg_end->ikeport = conn_end->ikeport;
        msg_end->subnets = push_string(msg, conn_end->subnet);
        msg_end->sourceip = push_string(msg, conn_end->sourceip);
        msg_end->sourceip_mask = conn_end->sourceip_mask;
index 955e4953595e9e20b2998f101efff6539d34ed56..c195c09a9dffdd1c5dc05a286d4d9182fc7c1a45 100644 (file)
@@ -129,11 +129,13 @@ static int add_connection(char *name,
 
        msg.add_conn.me.id = push_string(&msg, my_id);
        msg.add_conn.me.address = push_string(&msg, my_addr);
+       msg.add_conn.me.ikeport = 500;
        msg.add_conn.me.subnets = push_string(&msg, my_nets);
        msg.add_conn.me.sendcert = 1;
 
        msg.add_conn.other.id = push_string(&msg, other_id);
        msg.add_conn.other.address = push_string(&msg, other_addr);
+       msg.add_conn.other.ikeport = 500;
        msg.add_conn.other.subnets = push_string(&msg, other_nets);
        msg.add_conn.other.sendcert = 1;
 
index 56a7a158f160d686395e6494085a1834ddc184fa..ffc67039ec8ff3b079a3a952d3e4436bedfe9054 100644 (file)
@@ -137,6 +137,7 @@ struct stroke_end_t {
        char *groups;
        char *updown;
        char *address;
+       u_int16_t ikeport;
        char *sourceip;
        int sourceip_mask;
        char *subnets;
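Review bot: The new `ikeport` member is undocumented, and because stroke_end_t is filled in by both starter (starterstroke.c hunk) and the stroke tool (stroke.c hunk) and read by charon (stroke_config.c hunk), its meaning and default should be stated where it is declared: `u_int16_t ikeport; /* UDP port for IKE on this end; 500 unless left/rightikeport is set */`. Inserting the member mid-struct also shifts the offsets of every following field, so starter, stroke and charon presumably have to be rebuilt together for the message layout to match — worth a line in the commit message or a comment on the struct. struct stroke_end_t begins above this hunk.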