From: Tobias Brunner Date: Thu, 12 Mar 2015 10:50:20 +0000 (+0100) Subject: trap-manager: Add option to ignore traffic selectors from acquire events X-Git-Tag: 5.3.0rc1~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fa03b308cb73c68ea7e944fcbc19073d3a3f5fa;p=thirdparty%2Fstrongswan.git trap-manager: Add option to ignore traffic selectors from acquire events The specific traffic selectors from the acquire events, which are derived from the triggering packet, are usually prepended to those from the config. Some implementations might not be able to handle these properly. References #860. --- diff --git a/conf/options/charon.opt b/conf/options/charon.opt index c8e7316657..bbc50ba373 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no charon.ignore_routing_tables A space-separated list of routing tables to be excluded from route lookups. +charon.ignore_acquire_ts = no + Whether to ignore the traffic selectors from the kernel's acquire events for + IKEv2 connections (they are not used for IKEv1). + + If this is disabled the traffic selectors from the kernel's acquire events, + which are derived from the triggering packet, are prepended to the traffic + selectors from the configuration for IKEv2 connection. By enabling this, + such specific traffic selectors will be ignored and only the ones in the + config will be sent. This always happens for IKEv1 connections as the + protocol only supports one set of traffic selectors per CHILD_SA. + charon.ikesa_limit = 0 Maximum number of IKE_SAs that can be established at the same time before new connection attempts are blocked. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 534d4d5ff9..d6ff3c8c5d 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -65,6 +65,11 @@ struct private_trap_manager_t { * listener to track acquiring IKE_SAs */ trap_listener_t listener; + + /** + * Whether to ignore traffic selectors from acquires + */ + bool ignore_acquire_ts; }; /** @@ -353,7 +358,7 @@ METHOD(trap_manager_t, acquire, void, { ike_sa->set_peer_cfg(ike_sa, peer); } - if (ike_sa->get_version(ike_sa) == IKEV1) + if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1) { /* in IKEv1, don't prepend the acquiring packet TS, as we only * have a single TS that we can establish in a Quick Mode. */ src = dst = NULL; @@ -484,6 +489,8 @@ trap_manager_t *trap_manager_create(void) }, .traps = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .ignore_acquire_ts = lib->settings->get_bool(lib->settings, + "%s.ignore_acquire_ts", FALSE, lib->ns), ); charon->bus->add_listener(charon->bus, &this->listener.listener);