wip: fixup: ike-init: Negotiate support for Child SA KE negotiation during IKE_AUTH
authorTobias Brunner <tobias@strongswan.org>
Tue, 21 Oct 2025 07:39:07 +0000 (09:39 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 24 Oct 2025 15:46:31 +0000 (17:46 +0200)
wip: reference in comment, possibly rename config option/variable

conf/options/charon.opt
src/libcharon/sa/ikev2/tasks/ike_init.c

index 2f95552f7b0fe022a2849fc60d4f992c57da4f51..c7b9ee3e735dfc2500172552dfe70922c5a38713 100644 (file)
@@ -52,6 +52,15 @@ charon.check_current_path = no
        connectivity.  It will also trigger a MOBIKE update if NAT mappings were
        removed during the downtime.
 
+charon.child_sa_pfs_info = yes
+       Whether to support negotiating KE methods during the IKE_AUTH exchange to
+       reveal config mismatches that affect the rekeying of the initial Child SA.
+
+       Whether to support negotiating KE methods during the IKE_AUTH exchange. The
+       selected KE methods are not used for the key derivation of the initial Child
+       SA. But the negotiation will reveal configuration mismatches that cause a
+       later rekeying to fail.
+
 charon.cisco_flexvpn = no
        Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
 
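Review bot: The description of charon.child_sa_pfs_info is given twice in this hunk, a two-line paragraph followed by a four-line one saying the same thing; only one should survive, otherwise both end up in the generated strongswan.conf reference. The longer one is the more useful, since it states that the negotiated KE methods are not used for the initial Child SA's key derivation and only serve to surface config mismatches before a later rekeying fails; keep that paragraph and drop the first. If the option is renamed, as the commit message considers, the key here and the `%s.child_sa_pfs_info` lookup in ike_init.c need to change together.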
index 1d309c8db4a6aad92a87b80b73b2301cfc3bc811..dc831b32e700846b40c90a9c82c6ea176c8dac66 100644 (file)
@@ -139,6 +139,11 @@ struct private_ike_init_t {
         */
        bool signature_authentication;
 
+       /**
+        * Whether to support KE negotiation during IKE_AUTH per draft-ietf-ipsecme-child-pfs-info
+        */
+       bool child_sa_pfs_info;
+
        /**
         * Whether to follow IKEv2 redirects as per RFC 5685
         */
@@ -483,7 +488,8 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
                message->add_notify(message, FALSE, INTERMEDIATE_EXCHANGE_SUPPORTED,
                                                        chunk_empty);
        }
-       if (initiator_or_extension(this, EXT_CHILD_SA_PFS_INFO))
+       if (this->child_sa_pfs_info &&
+               initiator_or_extension(this, EXT_CHILD_SA_PFS_INFO))
        {
                message->add_notify(message, FALSE, CHILD_SA_PFS_INFO_SUPPORTED,
                                                        chunk_empty);
@@ -755,7 +761,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                                }
                                                break;
                                        case CHILD_SA_PFS_INFO_SUPPORTED:
-                                               if (!this->old_sa)
+                                               if (!this->old_sa && this->child_sa_pfs_info)
                                                {
                                                        this->ike_sa->enable_extension(this->ike_sa,
                                                                                                                   EXT_CHILD_SA_PFS_INFO);
@@ -1547,6 +1553,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
                .old_sa = old_sa,
                .signature_authentication = lib->settings->get_bool(lib->settings,
                                                                "%s.signature_authentication", TRUE, lib->ns),
+               .child_sa_pfs_info = lib->settings->get_bool(lib->settings,
+                                                               "%s.child_sa_pfs_info", TRUE, lib->ns),
                .follow_redirects = lib->settings->get_bool(lib->settings,
                                                                "%s.follow_redirects", TRUE, lib->ns),
        );
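Review bot: The new member comment in private_ike_init_t appears to run well past the width the neighbouring comments wrap at, and it phrases the reference differently from them (`Whether to follow IKEv2 redirects as per RFC 5685`); splitting it as `Whether to support KE negotiation during IKE_AUTH as per` followed by `draft-ietf-ipsecme-child-pfs-info` on a second comment line would match the file. The setting is read in ike_init_create with default TRUE, which agrees with the `yes` default documented in charon.opt, and the `%s.child_sa_pfs_info` string there is the only place the key appears in this file should it be renamed. The guard added to build_payloads and the one added to process_payloads are consistent with each other: a peer with the option disabled never enables EXT_CHILD_SA_PFS_INFO from a received notify and never sends CHILD_SA_PFS_INFO_SUPPORTED, so neither side ends up with the extension half-enabled. The struct definition and all three functions start outside their hunks.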