author | Tobias Brunner <tobias@strongswan.org> | 2012-09-10 17:24:21 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-09-10 17:37:18 +0200 |
commit | f4cc7ea11b742dbd97b380b4aee032b38a6c00cf (patch) | |
tree | 62ee6537bd0bb8e9ab518ace0499c0b7a36462a2 | |
parent | c51af950b1ede996ca5f04c1f5a425527a00227f (diff) | |
Add uniqueids=never to ignore INITIAL_CONTACT notifies
With uniqueids=no the daemon still deletes any existing IKE_SA with the
same peer if an INITIAL_CONTACT notify is received. With this new option
it also ignores these notifies.
-rw-r--r-- | man/ipsec.conf.5.in | 25 | ||||
-rw-r--r-- | src/libcharon/config/peer_cfg.h | 8 | ||||
-rw-r--r-- | src/libcharon/plugins/stroke/stroke_config.c | 3 | ||||
-rw-r--r-- | src/libcharon/sa/ike_sa_manager.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_auth.c | 3 | ||||
-rw-r--r-- | src/starter/args.c | 1 |
6 files changed, 28 insertions, 14 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 7c336c451..73db23511 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1035,19 +1035,26 @@ if at least one CRL URI is defined and to
 .B no
 if no URI is known.
 .TP
-.BR uniqueids " = " yes " | no | replace | keep"
+.BR uniqueids " = " yes " | no | never | replace | keep"
 whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
+with any new IKE_SA using an ID deemed to replace all old ones using that ID;
 acceptable values are
-.B yes
+.BR yes ,
 (the default)
+.B no
 and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
+.BR never .
+Participant IDs normally \fIare\fR unique, so a new IKE_SA using the same ID is
+almost invariably intended to replace an old one. The difference between
+.B no
+and
+.B never
+is that the daemon will replace old IKE_SAs when receving an INITIAL_CONTACT
+notify when the option is
+.B no
+but will ignore these notifies if
+.B never
+is configured.
 The daemon also accepts the value
 .B replace
 which is identical to
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index f65b91258..418e45532 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -81,11 +81,13 @@ extern enum_name_t *cert_policy_names;
  * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
  */
 enum unique_policy_t {
-	/** do not check for client uniqueness */
+	/** never check for client uniqueness */
+	UNIQUE_NEVER,
+	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
 	UNIQUE_NO,
-	/** replace unique IKE_SAs if new ones get established */
+	/** replace existing IKE_SAs when new ones get established by a client */
 	UNIQUE_REPLACE,
-	/** keep existing IKE_SAs, close the new ones on connection attept */
+	/** keep existing IKE_SAs, close the new ones on connection attempt */
 	UNIQUE_KEEP,
 };
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index e3c78f750..fd1182619 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -690,6 +690,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 			case 3: /* keep */
 				unique = UNIQUE_KEEP;
 				break;
+			case 4: /* never */
+				unique = UNIQUE_NEVER;
+				break;
 			default: /* no */
 				unique = UNIQUE_NO;
 				break;
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index b707b6a0b..a396235c2 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1711,7 +1711,7 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 	peer_cfg = ike_sa->get_peer_cfg(ike_sa);
 	policy = peer_cfg->get_unique_policy(peer_cfg);
-	if (policy == UNIQUE_NO && !force_replace)
+	if (policy == UNIQUE_NEVER || (policy == UNIQUE_NO && !force_replace))
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 36f8acfd1..7d462f1a7 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
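Review bot: UNIQUE_NEVER is inserted as the first enumerator of unique_policy_t, which renumbers UNIQUE_NO, UNIQUE_REPLACE and UNIQUE_KEEP. Nothing in the visible hunks depends on the numeric values (stroke_config.c maps the stroke index through a switch), but an enum_name_t table for this enum, if one exists, or any plugin built against the previous header would now resolve to the wrong policy. Appending the value after UNIQUE_KEEP keeps the existing values stable; if placing it before UNIQUE_NO is deliberate (for example so that ordered comparisons on the policy keep working), state that in the doc comment, e.g. `/** never check for client uniqueness (must precede UNIQUE_NO) */`.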
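Review bot: The new `case 4: /* never */` works only because the numeric index appears to follow the position of "never" in LST_unique in src/starter/args.c, which is extended in the same commit, and that coupling is not recorded at either end. A comment on the new case would make the invariant visible to the next person who edits either file, e.g. `case 4: /* never - index into LST_unique in src/starter/args.c */`, and the same remark belongs next to the "never" entry added in the args.c hunk. The enclosing build_peer_cfg and the switch itself start and end outside the hunk, so the mapping of the other indices is inferred from the existing case labels.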
@@ -435,7 +435,8 @@ METHOD(task_t, build_i, status_t,
 		message->add_payload(message, (payload_t*)id_payload);
 		if (idr && message->get_message_id(message) == 1 &&
-			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO)
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
 			host_t *host;
diff --git a/src/starter/args.c b/src/starter/args.c
index eb25b2abb..2416960bd 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -61,6 +61,7 @@ static const char *LST_unique[] = {
 		"yes",
 		"replace",
 		"keep",
+		"never",
 		NULL
 };
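Review bot: get_unique_policy() is now called twice within the same condition; hoisting it into a local reads better and avoids the repeated virtual call: `unique_policy_t policy = this->peer_cfg->get_unique_policy(this->peer_cfg);` followed by `if (idr && message->get_message_id(message) == 1 && policy != UNIQUE_NO && policy != UNIQUE_NEVER)`. The enclosing build_i starts and ends outside the hunk, so where the declaration fits depends on code not shown. Note also that this branch in the initiator presumably governs sending the INITIAL_CONTACT notify, so uniqueids=never now suppresses sending it as well as ignoring it on receipt; the commit message and the man page text describe only the receiving side, and a short sentence there would make the initiator behaviour explicit.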