author | Martin Willi <martin@revosec.ch> | 2013-07-25 15:37:13 +0200 |
committer | Martin Willi <martin@revosec.ch> | 2013-09-04 10:38:37 +0200 |
commit | 3070697f9f7cc87e5abd9924dccedda9b2656100 (patch) | |
tree | 37ed9ecd70ba236de9a02ec45262256b24a62579 /src/libcharon/config/ike_cfg.h | |
parent | beffdc6ab8cb5139c9e0b0ee2e7585c5262e702f (diff) | |
download | strongswan-3070697f9f7c.tar.bz2 strongswan-3070697f9f7c.tar.xz |
ike: support multiple addresses, ranges and subnets in IKE address config
Replace the allowany semantic by a more powerful subnet and IP range matching.
Multiple addresses, DNS names, subnets and ranges can be specified in a comma
separated list. Initiators ignore the ranges/subnets, responders match
configurations against all addresses, ranges and subnets.
Diffstat (limited to 'src/libcharon/config/ike_cfg.h')
-rw-r--r-- | src/libcharon/config/ike_cfg.h | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index 0540e93f3..f9e4fbebc 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -230,24 +230,27 @@ struct ike_cfg_t {
 /**
 * Creates a ike_cfg_t object.
 *
- * Supplied hosts become owned by ike_cfg, the name gets cloned.
+ * Supplied hosts become owned by ike_cfg, strings get cloned.
+ *
+ * me and other are comma separated lists of IP addresses, DNS names, IP ranges
+ * or subnets. When initiating, the first non-range/subnet address is used
+ * as address. When responding, a match is performed against all items in the
+ * list.
 *
 * @param version IKE major version to use for this config
 * @param certreq TRUE to send a certificate request
 * @param force_encap enforce UDP encapsulation by faking NATD notify
 * @param me address/DNS name of local peer
- * @param my_allow_any allow override of local address by any address
 * @param my_port IKE port to use as source, 500 uses IKEv2 port floating
 * @param other address/DNS name of remote peer
- * @param other_allow_any allow override of remote address by any address
 * @param other_port IKE port to use as dest, 500 uses IKEv2 port floating
 * @param fragmentation use IKEv1 fragmentation
 * @param dscp DSCP value to send IKE packets with
 * @return ike_cfg_t object.
 */
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
- char *me, bool my_allow_any, u_int16_t my_port,
- char *other, bool other_allow_any, u_int16_t other_port,
+ char *me, u_int16_t my_port,
+ char *other, u_int16_t other_port,
 fragmentation_t fragmentation, u_int8_t dscp);
 
 #endif /** IKE_CFG_H_ @}*/ |
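Review bot: The `@param me` and `@param other` lines are now stale: they still read "address/DNS name of local peer" / "address/DNS name of remote peer" while the new paragraph above them says both are comma separated lists of addresses, DNS names, ranges and subnets. Suggest `@param me comma separated list of addresses/DNS names/ranges/subnets of local peer` and the matching wording for `other`, so a reader of the prototype alone sees the list semantics. The contract should also state what happens when an item in the list cannot be parsed (item skipped, or creation fails), because for a responder a silently dropped or misparsed entry changes which peers this config matches; the parsing code is not in this hunk, so the intended behaviour cannot be confirmed here. The `ike_cfg_t` struct whose methods this header declares starts before the hunk.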