From: Tobias Brunner Date: Fri, 5 May 2017 13:48:14 +0000 (+0200) Subject: Add an option to announce support for IKE fragmentation but not sending fragments X-Git-Tag: 5.5.3~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=46a3f92a76b748a3086912215e14a3c9f1a5a98b;p=thirdparty%2Fstrongswan.git Add an option to announce support for IKE fragmentation but not sending fragments --- diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 5d1c63916d..ee7d860895 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -445,22 +445,31 @@ force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked. .TP -.BR fragmentation " = " yes " | force | no" +.BR fragmentation " = " yes " | accept | force | no" whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383). Acceptable values are .B yes (the default), +.BR accept , .B force and .BR no . -Fragmented IKE messages sent by a peer are always accepted -irrespective of the value of this option. If set to -.BR yes , -and the peer supports it, larger IKE messages will be sent in fragments. If set to +.BR yes , +and the peer supports it, oversized IKE messages will be sent in fragments. If +set to +.BR accept , +support for fragmentation is announced to the peer but the daemon does not send +its own messages in fragments. If set to .B force (only supported for IKEv1) the initial IKE message will already be fragmented -if required. +if required. Finally, setting the option to +.B no +will disable announcing support for this feature. + +Note that fragmented IKE messages sent by a peer are always accepted +irrespective of the value of this option (even when set to +.BR no ). .TP .BR ike " = " comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms 
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 4d37264f60..034996f601 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -47,14 +47,16 @@ enum ike_version_t {
 };
 
 /**
- * Proprietary IKEv1 fragmentation
+ * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
  */
 enum fragmentation_t {
 /** disable fragmentation */
 FRAGMENTATION_NO,
- /** enable fragmentation if supported by peer */
+ /** announce support, but don't send any fragments */
+ FRAGMENTATION_ACCEPT,
+ /** enable fragmentation, if supported by peer */
 FRAGMENTATION_YES,
- /** force use of fragmentation (even for the first message) */
+ /** force use of fragmentation (even for the first message for IKEv1) */
 FRAGMENTATION_FORCE,
 };
 
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 12497ec5ee..baa3507841 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1336,6 +1336,7 @@ CALLBACK(parse_frag, bool,
 {
 enum_map_t map[] = {
 { "yes", FRAGMENTATION_YES },
+ { "accept", FRAGMENTATION_ACCEPT },
 { "no", FRAGMENTATION_NO },
 { "force", FRAGMENTATION_FORCE },
 };
diff --git a/src/starter/args.c b/src/starter/args.c
index 0874cc7e5a..7f010d3503 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -110,6 +110,7 @@ static const char *LST_authby[] = {
 
 static const char *LST_fragmentation[] = {
 "no",
+ "accept",
 "yes",
 "force",
 NULL
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 45f34ce235..2b974d1bca 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -65,6 +65,7 @@ typedef enum {
 typedef enum {
 /* same as in ike_cfg.h */
 FRAGMENTATION_NO,
+ FRAGMENTATION_ACCEPT,
 FRAGMENTATION_YES,
 FRAGMENTATION_FORCE,
 } fragmentation_t;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index bdd92177ff..96dfd3a613 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
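Review bot: Inserting FRAGMENTATION_ACCEPT between FRAGMENTATION_NO and FRAGMENTATION_YES in the ike_cfg.h hunk silently renumbers FRAGMENTATION_YES and FRAGMENTATION_FORCE in a public header, so anything built against the old header (out-of-tree plugins, or a stale src/starter/confread.h copy) would read a different mode than the one configured. The placement suggests the daemon may select "announce" versus "send" by ordered comparison on this value, but that code is not in the diff, so the ordering constraint should be stated where the enum is defined rather than left implicit. I would add above `enum fragmentation_t {` the comment `/* Keep in sync with fragmentation_t in src/starter/confread.h and LST_fragmentation in src/starter/args.c. If callers compare by magnitude, the order NO < ACCEPT < YES < FORCE is significant; append new values only. */`. The existing one-line descriptions of each value could also be kept as they are.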
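Review bot: In the args.c hunk LST_fragmentation appears to be mapped positionally onto fragmentation_t from confread.h (the strings "no", "accept", "yes", "force" line up with FRAGMENTATION_NO..FRAGMENTATION_FORCE), which means the new "accept" entry at index 1 is correct only because both files were edited in the same commit, and the array carries no note saying so. A future addition to one side but not the other would make ipsec.conf silently select the wrong fragmentation mode. I would add directly above `static const char *LST_fragmentation[] = {` the comment `/* order must match fragmentation_t in confread.h (index == enum value) */`, hedged as above since the lookup code that indexes this list is not in the diff.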
@@ -154,15 +154,19 @@ connections..dpd_timeout = 0s specified; this option has no effect on connections using IKE2. connections..fragmentation = yes - Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). + Use IKE UDP datagram fragmentation. (_yes_, _accept_, _no_ or _force_). Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 - fragmentation). Acceptable values are _yes_ (the default), _force_ and - _no_. Fragmented IKE messages sent by a peer are always accepted - irrespective of the value of this option. If set to _yes_, and the peer - supports it, oversized IKE messages will be sent in fragments. If set to - _force_ (only supported for IKEv1) the initial IKE message will already - be fragmented if required. + fragmentation). Acceptable values are _yes_ (the default), _accept_, + _force_ and _no_. If set to _yes_, and the peer supports it, oversized IKE + messages will be sent in fragments. If set to _accept_, support for + fragmentation is announced to the peer but the daemon does not send its own + messages in fragments. If set to _force_ (only supported for IKEv1) the + initial IKE message will already be fragmented if required. Finally, setting + the option to _no_ will disable announcing support for this feature. + + Note that fragmented IKE messages sent by a peer are always accepted + irrespective of the value of this option (even when set to _no_). connections..send_certreq = yes Send certificate requests payloads (_yes_ or _no_).