From: Tobias Brunner
Date: Fri, 29 Mar 2019 16:13:49 +0000 (+0100)
Subject: vici: Make childless initiation of IKE_SAs configurable
X-Git-Tag: 5.8.0rc1~24^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2889b77da29c8c10fe9ab83aa636c21128a80a80;p=thirdparty%2Fstrongswan.git
vici: Make childless initiation of IKE_SAs configurable
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 59aadfd915..1ff0754f44 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -310,6 +310,7 @@ typedef struct {
 uint64_t dpd_delay;
 uint64_t dpd_timeout;
 fragmentation_t fragmentation;
+ childless_t childless;
 unique_policy_t unique;
 uint32_t keyingtries;
 uint32_t local_port;
@@ -416,6 +417,7 @@ static void log_peer_data(peer_data_t *data)
 DBG2(DBG_CFG, " dpd_delay = %llu", data->dpd_delay);
 DBG2(DBG_CFG, " dpd_timeout = %llu", data->dpd_timeout);
 DBG2(DBG_CFG, " fragmentation = %u", data->fragmentation);
+ DBG2(DBG_CFG, " childless = %u", data->childless);
 DBG2(DBG_CFG, " unique = %N", unique_policy_names, data->unique);
 DBG2(DBG_CFG, " keyingtries = %u", data->keyingtries);
 DBG2(DBG_CFG, " reauth_time = %llu", data->reauth_time);
@@ -1561,6 +1563,27 @@ CALLBACK(parse_frag, bool,
 return FALSE;
 }
+/**
+ * Parse a childless_t
+ */
+CALLBACK(parse_childless, bool,
+ childless_t *out, chunk_t v)
+{
+ enum_map_t map[] = {
+ { "allow", CHILDLESS_ALLOW },
+ { "never", CHILDLESS_NEVER },
+ { "force", CHILDLESS_FORCE },
+ };
+ int d;
+
+ if (parse_map(map, countof(map), &d, v))
+ {
+ *out = d;
+ return TRUE;
+ }
+ return FALSE;
+}
+
 /**
 * Parse a cert_policy_t
 */
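Review bot: The new `DBG2` line in log_peer_data prints `data->childless` as a bare `%u`, so the config dump will read `childless = 2` rather than the keyword the operator wrote, whereas `unique` two lines below is rendered with `%N` and `unique_policy_names`. This matches how `fragmentation` is already logged, so it is consistent, but when debugging a handshake that unexpectedly rejects or forces childless IKE_SA_INIT it is the enumerator name one wants to see. If a names table for `childless_t` exists or is added next to the enum, `DBG2(DBG_CFG, "  childless = %N", <names table>, data->childless);` would make the dump self-explanatory; otherwise a short comment noting that `0` is `allow` would do. log_peer_data continues outside the hunk.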
@@ -1777,6 +1800,7 @@ CALLBACK(peer_kv, bool,
 { "dpd_delay", parse_time, &peer->dpd_delay },
 { "dpd_timeout", parse_time, &peer->dpd_timeout },
 { "fragmentation", parse_frag, &peer->fragmentation },
+ { "childless", parse_childless, &peer->childless },
 { "send_certreq", parse_bool, &peer->send_certreq },
 { "send_cert", parse_send_cert, &peer->send_cert },
 { "keyingtries", parse_uint32, &peer->keyingtries },
@@ -2519,6 +2543,7 @@ CALLBACK(config_sn, bool,
 .no_certreq = !peer.send_certreq,
 .force_encap = peer.encap,
 .fragmentation = peer.fragmentation,
+ .childless = peer.childless,
 .dscp = peer.dscp,
 };
 ike_cfg = ike_cfg_create(&ike);
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 460e17b09a..6765e9d411 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -154,7 +154,7 @@ connections..dpd_timeout = 0s
 specified; this option has no effect on connections using IKE2.
 connections..fragmentation = yes
- Use IKE UDP datagram fragmentation. (_yes_, _accept_, _no_ or _force_).
+ Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_).
 Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are _yes_ (the default), _accept_,
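Review bot: `.childless = peer.childless` in config_sn makes the documented default of `allow` depend on two things this hunk does not show: the `peer_data_t` initializer earlier in config_sn leaving the field at its zero value, and `CHILDLESS_ALLOW` being that zero value. Both presumably hold today, but the coupling is implicit, so reordering the enum or changing the initializer would silently turn the default into `never` or `force` without any parse error; setting `.childless = CHILDLESS_ALLOW,` explicitly in the `peer` initializer (or a one-line comment there stating that the zero value must remain `allow`) pins it down. Worth keeping in mind when reviewing the default: with `allow` a responder accepts an authenticated IKE_SA that carries no CHILD_SA at all, which the new swanctl.opt text describes, so deployments that do not want peers holding child-less SAs must set `never` themselves. config_sn's body starts and ends outside the hunk.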
@@ -168,6 +168,21 @@ connections..fragmentation = yes
 Note that fragmented IKE messages sent by a peer are always accepted irrespective of the value of this option (even when set to _no_).
+connections..childless = allow
+ Use childless IKE_SA initiation (_allow_, _force_ or _never_).
+
+ Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values
+ are _allow_ (the default), _force_ and _never_. If set to _allow_,
+ responders will accept childless IKE_SAs (as indicated via notify in the
+ IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
+ with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
+ initiated explicitly without any children (which will fail if the responder
+ does not support or has disabled this extension). If set to _force_, only
+ childless initiation is accepted and the first CHILD_SA is created with a
+ separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
+ for all CHILD_SAs). Finally, setting the option to _never_ disables support
+ for childless IKE_SAs as responder.
+
 connections..send_certreq = yes
 Send certificate requests payloads (_yes_ or _no_).