diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-06-01 12:18:56 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-06-17 18:48:07 +0200 |
commit | 0a954d678979624806a2d250208530291da34e32 (patch) | |
tree | 96daddf9186cb030b621fdf8bd5ba5e750994aa3 | |
parent | f2ea230b91d050a4fddc84a55068107046b1708f (diff) | |
download | strongswan-0a954d678979624806a2d250208530291da34e32.tar.bz2 strongswan-0a954d678979624806a2d250208530291da34e32.tar.xz |
ike: Add configuration option to switch to preferring supplied proposals over local ones
-rw-r--r-- | conf/options/charon.opt | 5 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/aggressive_mode.c | 5 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/main_mode.c | 8 | ||||
-rw-r--r-- | src/libcharon/sa/ikev1/tasks/quick_mode.c | 6 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/child_create.c | 6 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_init.c | 6 |
6 files changed, 26 insertions, 10 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 86279ec83..3970012d2 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -253,6 +253,11 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_configured_proposals = yes + Prefer locally configured proposals for IKE/IPsec over supplied ones as + responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD + notifies). + charon.prefer_temporary_addrs = no By default public IPv6 addresses are preferred over temporary ones (RFC 4941), to make connections more stable. Enable this option to reverse this. diff --git a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c index 9bc6a6e35..9b5f676a3 100644 --- a/src/libcharon/sa/ikev1/tasks/aggressive_mode.c +++ b/src/libcharon/sa/ikev1/tasks/aggressive_mode.c @@ -378,6 +378,7 @@ METHOD(task_t, process_r, status_t, identification_t *id; linked_list_t *list; uint16_t group; + bool prefer_configured; this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA", @@ -401,8 +402,10 @@ METHOD(task_t, process_r, status_t, } list = sa_payload->get_proposals(sa_payload); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, FALSE, TRUE); + list, FALSE, prefer_configured); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c index e702b61c1..628ea0de8 100644 --- a/src/libcharon/sa/ikev1/tasks/main_mode.c +++ b/src/libcharon/sa/ikev1/tasks/main_mode.c @@ -367,7 +367,7 @@ METHOD(task_t, process_r, status_t, { linked_list_t *list; sa_payload_t *sa_payload; - bool private; + bool private, prefer_configured; this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa); DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA", @@ -392,9 +392,11 @@ METHOD(task_t, process_r, status_t, list = sa_payload->get_proposals(sa_payload); private = this->ike_sa->supports_extension(this->ike_sa, - EXT_STRONGSWAN); + EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->ike_cfg->select_proposal(this->ike_cfg, - list, private, TRUE); + list, private, prefer_configured); list->destroy_offset(list, offsetof(proposal_t, destroy)); if (!this->proposal) { diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 70bc37016..bbd1cb09f 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1051,7 +1051,7 @@ METHOD(task_t, process_r, status_t, linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL; peer_cfg_t *peer_cfg; uint16_t group; - bool private; + bool private, prefer_configured; sa_payload = (sa_payload_t*)message->get_payload(message, PLV1_SECURITY_ASSOCIATION); @@ -1109,8 +1109,10 @@ METHOD(task_t, process_r, status_t, } private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->config->select_proposal(this->config, list, - FALSE, private, TRUE); + FALSE, private, prefer_configured); list->destroy_offset(list, offsetof(proposal_t, destroy)); get_lifetimes(this); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 79208dbdf..13064e32b 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -464,7 +464,7 @@ static status_t select_and_install(private_child_create_t *this, chunk_t integ_i = chunk_empty, integ_r = chunk_empty; linked_list_t *my_ts, *other_ts; host_t *me, *other; - bool private; + bool private, prefer_configured; if (this->proposals == NULL) { @@ -481,8 +481,10 @@ static status_t select_and_install(private_child_create_t *this, other = this->ike_sa->get_other_host(this->ike_sa); private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->config->select_proposal(this->config, - this->proposals, no_dh, private, TRUE); + this->proposals, no_dh, private, prefer_configured); if (this->proposal == NULL) { DBG1(DBG_IKE, "no acceptable proposal found"); diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index cb51cfe25..801b6d8f3 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -373,13 +373,15 @@ static void process_payloads(private_ike_init_t *this, message_t *message) { sa_payload_t *sa_payload = (sa_payload_t*)payload; linked_list_t *proposal_list; - bool private; + bool private, prefer_configured; proposal_list = sa_payload->get_proposals(sa_payload); private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN); + prefer_configured = lib->settings->get_bool(lib->settings, + "%s.prefer_configured_proposals", TRUE, lib->ns); this->proposal = this->config->select_proposal(this->config, - proposal_list, private, TRUE); + proposal_list, private, prefer_configured); if (!this->proposal) { charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE, |