author | Martin Willi <martin@strongswan.org> | 2007-08-29 12:11:25 +0000 |
committer | Martin Willi <martin@strongswan.org> | 2007-08-29 12:11:25 +0000 |
commit | 9164e49ac096db02e6bf9ac92bfbc52af6f90ae8 (patch) | |
tree | 757e57f36100cca7bda77d665e13f39dc6216fda | |
parent | c5dfb88ab8bb1f745bbc7bd6509f4481ba04bcf3 (diff) | |
download | strongswan-9164e49ac096db02e6bf9ac92bfbc52af6f90ae8.tar.bz2 strongswan-9164e49ac096db02e6bf9ac92bfbc52af6f90ae8.tar.xz |
added mobike=yes|no connection option
yes: include mobike support notifies as initiator
no: only enable mobike as responder when initiator supports it
default: yes
-rw-r--r-- | src/charon/config/peer_cfg.c | 19 | ||||
-rw-r--r-- | src/charon/config/peer_cfg.h | 11 | ||||
-rwxr-xr-x | src/charon/control/interfaces/stroke_interface.c | 4 | ||||
-rw-r--r-- | src/charon/sa/ike_sa.c | 21 | ||||
-rw-r--r-- | src/charon/sa/tasks/ike_natd.c | 29 | ||||
-rw-r--r-- | src/pluto/constants.h | 1 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.c | 6 | ||||
-rw-r--r-- | src/starter/keywords.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.txt | 1 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke.h | 1 |
13 files changed, 74 insertions, 23 deletions
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 1d9176e0d..4a802d551 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -130,6 +130,11 @@ struct private_peer_cfg_t {
 bool use_reauth;
 /**
+ * enable support for MOBIKE
+ */
+ bool use_mobike;
+
+ /** + * Time before an SA gets invalid + */ + u_int32_t lifetime;
@@ -330,10 +335,18 @@ static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey)
 /**
 * Implementation of peer_cfg_t.use_reauth.
 */
-static bool use_reauth(private_peer_cfg_t *this, bool rekey)
+static bool use_reauth(private_peer_cfg_t *this)
 {
 return this->use_reauth;
 }
+
+/**
+ * Implementation of peer_cfg_t.use_mobike.
+ */
+static bool use_mobike(private_peer_cfg_t *this)
+{
+ return this->use_mobike;
+}
 /**
 * Implements peer_cfg_t.get_dpd_delay
@@ -421,7 +434,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 cert_policy_t cert_policy, auth_method_t auth_method, eap_type_t eap_type, u_int32_t keyingtries, u_int32_t lifetime, u_int32_t rekeytime,
- u_int32_t jitter, bool reauth,
+ u_int32_t jitter, bool reauth, bool mobike,
 u_int32_t dpd_delay, dpd_action_t dpd_action, host_t *my_virtual_ip, host_t *other_virtual_ip)
 {
@@ -444,6 +457,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
 this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
 this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
+ this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
 this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
 this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
 this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
@@ -469,6 +483,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 this->rekeytime = rekeytime;
 this->jitter = jitter;
 this->use_reauth = reauth;
+ this->use_mobike = mobike;
 this->dpd_delay = dpd_delay;
 this->dpd_action = dpd_action;
 this->my_virtual_ip = my_virtual_ip;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 63c87674c..edbcd956c 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -257,6 +257,14 @@ struct peer_cfg_t {
 bool (*use_reauth) (peer_cfg_t *this);
 /**
+ * @brief Use MOBIKE (RFC4555) if peer supports it?
+ *
+ * @param this calling object
+ * @return TRUE to enable MOBIKE support
+ */
+ bool (*use_mobike) (peer_cfg_t *this);
+
+ /**
 * @brief Get the DPD check interval.
 *
 * @param this calling object
@@ -347,6 +355,7 @@ struct peer_cfg_t {
 * @param rekeytime lifetime before rekeying an SA
 * @param jitter range of random to substract from rekeytime
 * @param use_reauth sould be done reauthentication instead of rekeying?
+ * @param use_mobike use MOBIKE (RFC4555) if peer supports it
 * @param dpd_delay after how many seconds of inactivity to check DPD
 * @param dpd_action what to do with CHILD_SAs when detected a dead peer
 * @param my_virtual_ip virtual IP for local host, or NULL
@@ -361,7 +370,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 cert_policy_t cert_policy, auth_method_t auth_method, eap_type_t eap_type, u_int32_t keyingtries, u_int32_t lifetime, u_int32_t rekeytime,
- u_int32_t jitter, bool use_reauth,
+ u_int32_t jitter, bool use_reauth, bool use_mobike,
 u_int32_t dpd_delay, dpd_action_t dpd_action, host_t *my_virtual_ip, host_t *other_virtual_ip);
diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c
index 588bcd768..7350c11d2 100755
--- a/src/charon/control/interfaces/stroke_interface.c
+++ b/src/charon/control/interfaces/stroke_interface.c
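Review bot: The new `use_mobike` documentation in peer_cfg.h ("Use MOBIKE (RFC4555) if peer supports it?" on the method pointer and "use MOBIKE (RFC4555) if peer supports it" on the `@param use_mobike` line) reads as if the flag switches MOBIKE on and off entirely, but the commit message says `mobike=no` still enables MOBIKE as responder when the initiator supports it, so the flag only decides whether this side advertises MOBIKE when it initiates. A reader of the header would otherwise expect `no` to disable MOBIKE on both sides. Suggest `@brief Advertise MOBIKE support (RFC4555) when initiating?` followed by `As responder, MOBIKE is enabled whenever the initiator supports it.`, and `@param use_mobike include MOBIKE support notifies as initiator`. The `enable support for MOBIKE` field comment in the peer_cfg.c hunk would benefit from the same wording.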
@@ -559,8 +559,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
 msg->add_conn.rekey.tries, msg->add_conn.rekey.ike_lifetime, msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin, msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
- msg->add_conn.rekey.reauth, msg->add_conn.dpd.delay,
- msg->add_conn.dpd.action,my_vip, other_vip);
+ msg->add_conn.rekey.reauth, msg->add_conn.mobike,
+ msg->add_conn.dpd.delay, msg->add_conn.dpd.action, my_vip, other_vip);
 }
 child_cfg = child_cfg_create(
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index d50aec6e5..4822c840d 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -878,8 +878,11 @@ static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
 this->task_manager->queue_task(this->task_manager, task);
 task = (task_t*)ike_config_create(&this->public, TRUE);
 this->task_manager->queue_task(this->task_manager, task);
- task = (task_t*)ike_mobike_create(&this->public, TRUE);
- this->task_manager->queue_task(this->task_manager, task);
+ if (this->peer_cfg->use_mobike(this->peer_cfg))
+ {
+ task = (task_t*)ike_mobike_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ }
 }
 task = (task_t*)child_create_create(&this->public, child_cfg);
@@ -940,8 +943,11 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
 this->task_manager->queue_task(this->task_manager, task);
 task = (task_t*)ike_config_create(&this->public, TRUE);
 this->task_manager->queue_task(this->task_manager, task);
- task = (task_t*)ike_mobike_create(&this->public, TRUE);
- this->task_manager->queue_task(this->task_manager, task);
+ if (this->peer_cfg->use_mobike(this->peer_cfg))
+ {
+ task = (task_t*)ike_mobike_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ }
 }
 child_cfg = child_sa->get_config(child_sa);
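Review bot: The guarded `ike_mobike_create`/`queue_task` block added to initiate() is repeated verbatim in acquire() in this same hunk and a third time in retransmit() in the next hunk (there queued on `new` but still consulting `this->peer_cfg`), so any later change to the condition has to be made in three places. A small static helper taking the SA to queue on and the config to consult removes the duplication; each call site becomes `queue_mobike_task(this, this->peer_cfg);` in initiate() and acquire(), and `queue_mobike_task(new, this->peer_cfg);` in retransmit(). Whether `this->peer_cfg` can be NULL on these paths is not visible in the hunks; if it can, the helper is also the single place to guard it. All three enclosing functions start and end outside their hunks.
```c
/* queue an ike_mobike initiator task on sa when peer_cfg enables MOBIKE */
static void queue_mobike_task(private_ike_sa_t *sa, peer_cfg_t *peer_cfg)
{
	task_t *task;

	if (peer_cfg->use_mobike(peer_cfg))
	{
		task = (task_t*)ike_mobike_create(&sa->public, TRUE);
		sa->task_manager->queue_task(sa->task_manager, task);
	}
}
```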
@@ -1330,9 +1336,12 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
 {
 task = (task_t*)child_create_create(&new->public, child_cfg);
 new->task_manager->queue_task(new->task_manager, task);
+ }
+ if (this->peer_cfg->use_mobike(this->peer_cfg))
+ {
+ task = (task_t*)ike_mobike_create(&new->public, TRUE);
+ new->task_manager->queue_task(new->task_manager, task);
 }
- task = (task_t*)ike_mobike_create(&new->public, TRUE);
- new->task_manager->queue_task(new->task_manager, task);
 new->task_manager->initiate(new->task_manager);
 }
 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index 84a28d024..9af12e395 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -26,6 +26,7 @@
 #include <string.h>
 #include <daemon.h>
+#include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
 #include <encoding/payloads/notify_payload.h>
@@ -218,18 +219,24 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 static status_t process_i(private_ike_natd_t *this, message_t *message)
 {
 process_payloads(this, message);
-
- /* if peer supports NAT-T, we switch to port 4500 even
- * if no NAT is detected. MOBIKE requires this. */
- if (message->get_exchange_type(message) == IKE_SA_INIT &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
- {
- host_t *me, *other;
- me = this->ike_sa->get_my_host(this->ike_sa);
- me->set_port(me, IKEV2_NATT_PORT);
- other = this->ike_sa->get_other_host(this->ike_sa);
- other->set_port(other, IKEV2_NATT_PORT);
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+ /* if peer supports NAT-T, we switch to port 4500 even
+ * if no NAT is detected. MOBIKE requires this. */
+ (peer_cfg->use_mobike(peer_cfg) &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
+ {
+ host_t *me, *other;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ me->set_port(me, IKEV2_NATT_PORT);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ other->set_port(other, IKEV2_NATT_PORT);
+ }
 }
 return SUCCESS;
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 3ab10be61..b869992e1 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -875,6 +875,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
 #define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
 #define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
+#define POLICY_MOBIKE LELEM(23) /* enable MOBIKE for IKEv2 */
 /* Any IPsec policy? If not, a connection description
 * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
diff --git a/src/starter/args.c b/src/starter/args.c
index 605794281..bfb71470d 100644
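Review bot: `peer_cfg->use_mobike(peer_cfg)` in the right operand of the `||` dereferences the value returned by `get_peer_cfg()` without a check; it is only evaluated when no NAT was detected, and whether an initiator IKE_SA can reach process_i() for IKE_SA_INIT without a peer config is not visible in this hunk, so if `get_peer_cfg()` can return NULL this is a NULL dereference while handling the peer's IKE_SA_INIT response, and `(peer_cfg && peer_cfg->use_mobike(peer_cfg) &&` is a cheap guard. Separately, the two-line comment now sits between the operands of the `||`, which makes the condition hard to read; move it above the `if` as `/* switch to port 4500 when a NAT was detected, or when MOBIKE is enabled and the peer supports NAT-T: MOBIKE requires the NAT-T port even without a NAT */`. process_i() ends outside the hunk.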
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -193,6 +193,7 @@ static const token_info_t token_info[] =
 { ARG_MISC, 0, NULL /* KW_AUTH */ },
 { ARG_MISC, 0, NULL /* KW_AUTHBY */ },
 { ARG_MISC, 0, NULL /* KW_EAP */ },
+ { ARG_MISC, 0, NULL /* KW_MOBIKE */ },
 { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
 { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
 { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index f754f267f..8ef115f52 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -67,7 +67,8 @@ static void default_values(starter_config_t *cfg)
 cfg->conn_default.seen = LEMPTY;
 cfg->conn_default.startup = STARTUP_NO;
 cfg->conn_default.state = STATE_IGNORE;
- cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS ;
+ cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
+ POLICY_PFS | POLICY_MOBIKE;
 cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
 cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
@@ -550,6 +551,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 case KW_REAUTH:
 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
 break;
+ case KW_MOBIKE:
+ KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+ break;
 case KW_MODECONFIG:
 KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
 break;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 8f5108ad8..69a4b6d86 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -70,6 +70,7 @@ typedef enum {
 KW_AUTH,
 KW_AUTHBY,
 KW_EAP,
+ KW_MOBIKE,
 KW_IKELIFETIME,
 KW_KEYLIFE,
 KW_REKEYMARGIN,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index 573a2389a..5deecff90 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -49,6 +49,7 @@ keep_alive, KW_KEEP_ALIVE
 virtual_private, KW_VIRTUAL_PRIVATE
 eap, KW_EAP
 eapdir, KW_EAPDIR
+mobike, KW_MOBIKE
 pkcs11module, KW_PKCS11MODULE
 pkcs11initargs, KW_PKCS11INITARGS
 pkcs11keepstate, KW_PKCS11KEEPSTATE
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 13c2f4326..69b5e5085 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -227,6 +227,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
 msg.add_conn.rekey.tries = conn->sa_keying_tries;
 msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
 }
+ msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
 msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
 msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 msg.add_conn.dpd.delay = conn->dpd_delay;
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index f1cbf397d..14f2e548f 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -109,6 +109,7 @@ static int add_connection(char *name,
 msg.add_conn.auth_method = 2;
 msg.add_conn.eap_type = 0;
 msg.add_conn.mode = 1;
+ msg.add_conn.mobike = 1;
 msg.add_conn.rekey.reauth = 0;
 msg.add_conn.rekey.ipsec_lifetime = 0;
diff --git a/src/stroke/stroke.h b/src/stroke/stroke.h
index b610678fa..f903379cd 100644
--- a/src/stroke/stroke.h
+++ b/src/stroke/stroke.h
@@ -182,6 +182,7 @@ struct stroke_msg_t {
 int auth_method;
 int eap_type;
 int mode;
+ int mobike;
 struct {
 char *ike;
 char *esp; |
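Review bot: `msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;` in starter_stroke_add_conn() stores the raw policy bit `LELEM(23)` into the `int mobike` field this commit adds to stroke_msg_t, so the field carries either 0 or the bit value rather than 0/1. It works today because stroke_interface.c only forwards it into the `bool mobike` parameter of peer_cfg_create(), but any consumer comparing it against the 1 that stroke.c assigns, or a future move of the flag beyond what `int` can hold, would silently turn `mobike=yes` into off. Normalise at the source: `msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != 0;`. starter_stroke_add_conn() starts and ends outside the hunk.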