wip: ike-init: Negotiate support for Child SA KE negotiation during IKE_AUTH

wip: add a global config option for testing the classic negotiation

diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index ca938c605b4dfd327bf69be67b54c28c345a451d..1d309c8db4a6aad92a87b80b73b2301cfc3bc811 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -483,6 +483,11 @@ static bool build_payloads(private_ike_init_t *this, message_t *message)
                message->add_notify(message, FALSE, INTERMEDIATE_EXCHANGE_SUPPORTED,
                                                        chunk_empty);
        }
+       if (initiator_or_extension(this, EXT_CHILD_SA_PFS_INFO))
+       {
+               message->add_notify(message, FALSE, CHILD_SA_PFS_INFO_SUPPORTED,
+                                                       chunk_empty);
+       }
        return TRUE;
 }
 
@@ -749,6 +754,13 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                                                                                                                   EXT_IKE_INTERMEDIATE);
                                                }
                                                break;
+                                       case CHILD_SA_PFS_INFO_SUPPORTED:
+                                               if (!this->old_sa)
+                                               {
+                                                       this->ike_sa->enable_extension(this->ike_sa,
+                                                                                                                  EXT_CHILD_SA_PFS_INFO);
+                                               }
+                                               break;
                                        default:
                                                /* other notifies are handled elsewhere */
                                                break;