From: Martin Willi Date: Fri, 31 Aug 2012 10:55:56 +0000 (+0200) Subject: Merge branch 'multi-vip' X-Git-Tag: 5.0.1~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1323dc1138246a6e2819bcc20b167b75d52e6d7c;p=thirdparty%2Fstrongswan.git Merge branch 'multi-vip' Brings support for multiple virtual IPs and multiple pools in left/rigthsourceip definitions. Also introduces the new left/rightdns options to configure requested DNS server address family and respond with multiple connection specific servers.
--- 1323dc1138246a6e2819bcc20b167b75d52e6d7c
diff --cc NEWS
index fb963fce78,1fbe6cceff..de8afdb900
--- a/NEWS
+++ b/NEWS
@@@ -20,15 -20,20 +20,29 @@@ strongswan-5.0.
PAM directly anymore, but can use any XAuth backend to verify credentials, including xauth-pam.
+- An EAP-Nak payload is returned by clients if the gateway requests an EAP
+ method that the client does not support. Clients can also request a specific
+ EAP method by configuring that method with leftauth.
+
+- The eap-dynamic plugin handles EAP-Nak payloads returned by clients and uses
+ these to select a different EAP method supported/requested by the client.
+ The plugin initially requests the first registered method or the first method
+ configured with charon.plugins.eap-dynamic.preferred.
+
+ - The new left/rightdns options specify connection specific DNS servers to
+ request/respond in IKEv2 configuration payloads or IKEv2 mode config. leftdns
+ can be any (comma separated) combination of %config4 and %config6 to request
+ multiple servers, both for IPv4 and IPv6. rightdns takes a list of DNS server
+ IP addresses to return.
+
+ - The left/rightsourceip options now accept multiple addresses or pools.
+ leftsourceip can be any (comma separated) combination of %config4, %config6
+ or fixed IP addresses to request. rightsourceip accepts multiple explicitly
+ specified or referenced named pools.
+
+ - Multiple connections can now share a single address pool when they use the
+ same definition in one of the rightsourceip pools.
+ - The autotools build has been migrated to use a config.h header. strongSwan development headers will get installed during "make install" if --with-dev-headers has been passed to ./configure.
diff --cc src/libcharon/sa/ikev1/phase1.c
index e5a48ec491,fea2f2c607..4096141ec4
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@@ -593,22 -592,39 +593,50 @@@ METHOD(phase1_t, get_id, identification
auth = get_auth_cfg(peer_cfg, local);
if (auth)
{
- return auth->get(auth, AUTH_RULE_IDENTITY);
+ id = auth->get(auth, AUTH_RULE_IDENTITY);
+ if (local && (!id || id->get_type(id) == ID_ANY))
+ { /* no ID configured, use local IP address */
+ host_t *me;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ if (!me->is_anyaddr(me))
+ {
+ id = identification_create_from_sockaddr(me->get_sockaddr(me));
+ auth->add(auth, AUTH_RULE_IDENTITY, id);
+ }
+ }
}
- return NULL;
+ return id;
}
+ METHOD(phase1_t, has_virtual_ip, bool,
+ private_phase1_t *this, peer_cfg_t *peer_cfg)
+ {
+ enumerator_t *enumerator;
+ bool found = FALSE;
+ host_t *host;
+
+ enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+ found = enumerator->enumerate(enumerator, &host);
+ enumerator->destroy(enumerator);
+
+ return found;
+ }
+
+ METHOD(phase1_t, has_pool, bool,
+ private_phase1_t *this, peer_cfg_t *peer_cfg)
+ {
+ enumerator_t *enumerator;
+ bool found = FALSE;
+ char *pool;
+
+ enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+ found = enumerator->enumerate(enumerator, &pool);
+ enumerator->destroy(enumerator);
+
+ return found;
+ }
+
METHOD(phase1_t, save_sa_payload, bool,
private_phase1_t *this, message_t *message)
{
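Review bot: The fallback added to get_id turns what was a pure lookup into a write to the peer config's auth_cfg (`auth->add(auth, AUTH_RULE_IDENTITY, id)`) and returns the pointer that config now owns, but nothing in the hunk documents either the side effect or the ownership. I would add above the `if (local && ...)` line: `/* no local ID configured: derive one from our own address and store it in the auth config, which owns it; the returned id is a borrowed reference */`. Whether auth->add replaces an existing ID_ANY entry or leaves it alongside the new identity cannot be seen in this hunk and is worth confirming, since a stale ID_ANY rule could still be picked up by later lookups of the same config. In has_virtual_ip and has_pool, `bool found = FALSE;` is immediately overwritten by the enumerate call and `host`/`pool` exist only as required out-parameters; `bool found;` plus a one-line comment that the out-parameter is unused would read cleaner. get_id's body starts before this hunk.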