implementation of an CFG attribute framework, currently supporting virtual IPs

updated ipsec.conf sourceip parameter to support
	CIDR notatation to serve from a pool
	%poolname to query a separate (database?) pool

19 files changed, 466 insertions, 145 deletions

diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index b0404ea3b..7a1c2e52f 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -10,6 +10,8 @@ config/ike_cfg.c config/ike_cfg.h \
 config/peer_cfg.c config/peer_cfg.h \
 config/proposal.c config/proposal.h \
 config/traffic_selector.c config/traffic_selector.h \
+config/attributes/attribute_provider.h \
+config/attributes/attribute_manager.c config/attributes/attribute_manager.h \
 control/controller.c control/controller.h \
 daemon.c daemon.h \
 encoding/generator.c encoding/generator.h \
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
new file mode 100644
index 000000000..0ec84c7be
--- /dev/null
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+#include "attribute_manager.h"
+
+#include <utils/linked_list.h>
+#include <utils/mutex.h>
+
+typedef struct private_attribute_manager_t private_attribute_manager_t;
+
+/**
+ * private data of attribute_manager
+ */
+struct private_attribute_manager_t {
+
+	/**
+	 * public functions
+	 */
+	attribute_manager_t public;
+	
+	/**
+	 * list of registered providers
+	 */
+	linked_list_t *providers;
+	
+	/**
+	 * mutex to lock provider list
+	 */
+	mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_manager_t.acquire_address.
+ */
+static host_t* acquire_address(private_attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   auth_info_t *auth, host_t *requested)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+	host_t *host = NULL;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		host = current->acquire_address(current, pool, id, auth, requested);
+		if (host)
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+	
+	return host;
+}
+
+/**
+ * Implementation of attribute_manager_t.release_address.
+ */
+static void release_address(private_attribute_manager_t *this,
+							char *pool, host_t *address)
+{
+	enumerator_t *enumerator;
+	attribute_provider_t *current;
+
+	this->mutex->lock(this->mutex);
+	enumerator = this->providers->create_enumerator(this->providers);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->release_address(current, pool, address))
+		{
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_provider.
+ */
+static void add_provider(private_attribute_manager_t *this,
+						 attribute_provider_t *provider)
+{
+	this->mutex->lock(this->mutex);
+	this->providers->insert_last(this->providers, provider);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_provider.
+ */
+static void remove_provider(private_attribute_manager_t *this,
+							attribute_provider_t *provider)
+{
+	this->mutex->lock(this->mutex);
+	this->providers->remove(this->providers, provider, NULL);
+	this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of attribute_manager_t.destroy
+ */
+static void destroy(private_attribute_manager_t *this)
+{
+	this->providers->destroy(this->providers);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * see header file
+ */
+attribute_manager_t *attribute_manager_create()
+{
+	private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
+	
+	this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address;
+	this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*))release_address;
+	this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
+	this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+	this->public.destroy = (void(*)(attribute_manager_t*))destroy;
+	
+	this->providers = linked_list_create();
+	this->mutex = mutex_create(MUTEX_DEFAULT);
+	
+	return &this->public;
+}
+
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
new file mode 100644
index 000000000..540e054fd
--- /dev/null
+++ b/src/charon/config/attributes/attribute_manager.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup attribute_manager attribute_manager
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_MANAGER_H_
+#define ATTRIBUTE_MANAGER_H_
+
+#include <config/attributes/attribute_provider.h>
+
+typedef struct attribute_manager_t attribute_manager_t;
+
+/**
+ * Provide configuration attributes to include in CFG Payloads.
+ */
+struct attribute_manager_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			pool name to acquire address from
+	 * @param id			peer identity to get address for
+	 * @param auth			authorization infos of peer
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_manager_t *this,
+							   char *pool, identification_t *id,
+							   auth_info_t *auth, host_t *requested);
+	
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			pool name from which the address was acquired
+	 * @param address		address to release
+	 */
+	void (*release_address)(attribute_manager_t *this,
+							char *pool, host_t *address);
+	
+	/**
+	 * Register an attribute provider to the manager.
+	 *
+	 * @param provider		attribute provider to register
+	 */
+	void (*add_provider)(attribute_manager_t *this,
+						 attribute_provider_t *provider);
+	/**
+	 * Unregister an attribute provider from the manager.
+	 *
+	 * @param provider		attribute provider to unregister
+	 */
+	void (*remove_provider)(attribute_manager_t *this,
+							attribute_provider_t *provider);
+	/**
+     * Destroy a attribute_manager instance.
+     */
+    void (*destroy)(attribute_manager_t *this);
+};
+
+/**
+ * Create a attribute_manager instance.
+ */
+attribute_manager_t *attribute_manager_create();
+
+#endif /* ATTRIBUTE_MANAGER_H_ @}*/
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
new file mode 100644
index 000000000..1712bd188
--- /dev/null
+++ b/src/charon/config/attributes/attribute_provider.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * $Id$
+ */
+
+/**
+ * @defgroup attribute_provider attribute_provider
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_PROVIDER_H_
+#define ATTRIBUTE_PROVIDER_H_
+
+#include <library.h>
+#include <utils/host.h>
+#include <credentials/auth_info.h>
+
+typedef struct attribute_provider_t attribute_provider_t;
+
+/**
+ * Interface to provide attributes to peers through attribute manager.
+ */
+struct attribute_provider_t {
+
+	/**
+	 * Acquire a virtual IP address to assign to a peer.
+	 *
+	 * @param pool			name of the pool to acquire address from
+	 * @param id			peer ID
+	 * @param auth			authorization infos
+	 * @param requested		IP in configuration request
+	 * @return				allocated address, NULL to serve none
+	 */
+	host_t* (*acquire_address)(attribute_provider_t *this,
+							   char *pool, identification_t *id, 
+							   auth_info_t *auth, host_t *requested);
+	/**
+	 * Release a previously acquired address.
+	 *
+	 * @param pool			name of the pool this address was acquired from
+	 * @param address		address to release
+	 * @return				TRUE if the address has been released by the provider
+	 */
+	bool (*release_address)(attribute_provider_t *this,
+							char *pool, host_t *address);
+};
+
+#endif /* ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index d85935c60..f0804d93f 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -153,12 +153,12 @@ struct private_peer_cfg_t {
 	/**
 	 * virtual IP to use locally
 	 */
-	host_t *my_virtual_ip;
+	host_t *virtual_ip;
 	
 	/**
-	 * virtual IP to use remotly
+	 * pool to acquire configuration attributes from
 	 */
-	host_t *other_virtual_ip;
+	char *pool;
 	
 	/**
 	 * required authorization constraints
@@ -396,35 +396,19 @@ static dpd_action_t get_dpd_action(private_peer_cfg_t *this)
 }
 
 /**
- * Implementation of peer_cfg_t.get_my_virtual_ip.
+ * Implementation of peer_cfg_t.get_virtual_ip.
  */
-static host_t* get_my_virtual_ip(private_peer_cfg_t *this)
+static host_t* get_virtual_ip(private_peer_cfg_t *this)
 {
-	if (this->my_virtual_ip == NULL)
-	{
-		return NULL;
-	}
-	return this->my_virtual_ip->clone(this->my_virtual_ip);
+	return this->virtual_ip;
 }
-
+	
 /**
- * Implementation of peer_cfg_t.get_other_virtual_ip.
+ * Implementation of peer_cfg_t.get_pool.
  */
-static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion)
+static char* get_pool(private_peer_cfg_t *this)
 {
-	if (this->other_virtual_ip == NULL)
-	{	/* disallow */
-		return NULL;
-	}
-	if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip))
-	{	/* force own configuration */
-		return this->other_virtual_ip->clone(this->other_virtual_ip);
-	}
-	if (suggestion == NULL || suggestion->is_anyaddr(suggestion))
-	{
-		return NULL;
-	}
-	return suggestion->clone(suggestion);
+	return this->pool;
 }
 	
 /**
@@ -491,12 +475,10 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
 		this->over_time == other->over_time &&
 		this->dpd_delay == other->dpd_delay &&
 		this->dpd_action == other->dpd_action &&
-		(this->my_virtual_ip == other->my_virtual_ip ||
-		 (this->my_virtual_ip && other->my_virtual_ip &&
-		  this->my_virtual_ip->equals(this->my_virtual_ip, other->my_virtual_ip))) &&
-		(this->other_virtual_ip == other->other_virtual_ip ||
-		 (this->other_virtual_ip && other->other_virtual_ip &&
-		  this->other_virtual_ip->equals(this->other_virtual_ip, other->other_virtual_ip))) &&
+		(this->virtual_ip == other->virtual_ip ||
+		 (this->virtual_ip && other->virtual_ip &&
+		  this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
+		(this->pool == other->pool || streq(this->pool, other->pool)) &&
 		this->auth->equals(this->auth, other->auth) 
 #ifdef ME
 		&& this->mediation == other->mediation &&
@@ -527,14 +509,14 @@ static void destroy(private_peer_cfg_t *this)
 		this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy));
 		this->my_id->destroy(this->my_id);
 		this->other_id->destroy(this->other_id);
-		DESTROY_IF(this->my_virtual_ip);
-		DESTROY_IF(this->other_virtual_ip);
+		DESTROY_IF(this->virtual_ip);
 		this->auth->destroy(this->auth);
 #ifdef ME
 		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
 #endif /* ME */
 		free(this->name);
+		free(this->pool);
 		free(this);
 	}
 }
@@ -551,7 +533,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike,
 							u_int32_t dpd_delay, dpd_action_t dpd_action,
-							host_t *my_virtual_ip, host_t *other_virtual_ip,
+							host_t *virtual_ip, char *pool,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id)
 {
@@ -577,8 +559,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
 	this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
 	this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
-	this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
-	this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip;
+	this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
+	this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
 	this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth;
 	this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
 	this->public.get_ref = (void(*)(peer_cfg_t *))get_ref;
@@ -617,8 +599,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
 	this->use_mobike = mobike;
 	this->dpd_delay = dpd_delay;
 	this->dpd_action = dpd_action;
-	this->my_virtual_ip = my_virtual_ip;
-	this->other_virtual_ip = other_virtual_ip;
+	this->virtual_ip = virtual_ip;
+	this->pool = pool ? strdup(pool) : NULL;
 	this->auth = auth_info_create();
 	this->refcount = 1;
 #ifdef ME
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 43bcb8ef6..dedabf07d 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -276,21 +276,16 @@ struct peer_cfg_t {
 	 * used for a request and may be changed by the server.
 	 *
 	 * @param suggestion	NULL, %any or specific
-	 * @return				clone of an IP, %any or NULL
+	 * @return				virtual IP, %any or NULL
 	 */
-	host_t* (*get_my_virtual_ip) (peer_cfg_t *this);
+	host_t* (*get_virtual_ip) (peer_cfg_t *this);
 	
 	/**
-	 * Get a virtual IP for the remote peer.
+	 * Get the name of the pool to acquire configuration attributes from.
 	 *
-	 * An IP may be supplied, if one was requested by the initiator. However,
-	 * the suggestion is not more as it says, any address may be returned, even
-	 * NULL to not use virtual IPs.
-	 *
-	 * @param suggestion	NULL, %any or specific
-	 * @return				clone of an IP to use
+	 * @return				pool name, NULL if none defined
 	 */
-	host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);
+	char* (*get_pool)(peer_cfg_t *this);
 	
 #ifdef ME
 	/**
@@ -378,8 +373,8 @@ struct peer_cfg_t {
  * @param mobike			use MOBIKE (RFC4555) if peer supports it
  * @param dpd_delay			after how many seconds of inactivity to check DPD
  * @param dpd_action		what to do with CHILD_SAs when detected a dead peer
- * @param my_virtual_ip		virtual IP for local host, or NULL
- * @param other_virtual_ip	virtual IP for remote host, or NULL
+ * @param virtual_ip		virtual IP for local host, or NULL
+ * @param pool				pool name to get configuration attributes from, or NULL
  * @param mediation			TRUE if this is a mediation connection
  * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
  * @param peer_id			ID that identifies our peer at the mediation server
@@ -394,7 +389,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
 							u_int32_t reauth_time, u_int32_t jitter_time,
 							u_int32_t over_time, bool mobike,
 							u_int32_t dpd_delay, dpd_action_t dpd_action,
-							host_t *my_virtual_ip, host_t *other_virtual_ip,
+							host_t *virtual_ip, char *pool,
 							bool mediation, peer_cfg_t *mediated_by,
 							identification_t *peer_id);
 
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 689bad9fe..e1e9a71e7 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -35,8 +35,6 @@
 #include "daemon.h"
 
 #include <library.h>
-#include <credentials/credential_manager.h>
-#include <config/backend_manager.h>
 #include <config/traffic_selector.h>
 
 /* on some distros, a capset definition is missing */
@@ -185,6 +183,7 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.mediation_manager);
 #endif /* ME */
 	DESTROY_IF(this->public.backends);
+	DESTROY_IF(this->public.attributes);
 	DESTROY_IF(this->public.credentials);
 	DESTROY_IF(this->public.sender);
 	DESTROY_IF(this->public.receiver);
@@ -338,6 +337,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
 	this->public.controller = controller_create();
 	this->public.eap = eap_manager_create();
 	this->public.backends = backend_manager_create();
+	this->public.attributes = attribute_manager_create();
 	this->public.plugins = plugin_loader_create();
 	this->public.kernel_interface = kernel_interface_create();
 	this->public.socket = socket_create();
@@ -408,6 +408,7 @@ private_daemon_t *daemon_create(void)
 	this->public.ike_sa_manager = NULL;
 	this->public.credentials = NULL;
 	this->public.backends = NULL;
+	this->public.attributes = NULL;
 	this->public.sender= NULL;
 	this->public.receiver = NULL;
 	this->public.scheduler = NULL;
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 9da7953f0..5d590754b 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -30,6 +30,9 @@
  * @defgroup config config
  * @ingroup charon
  *
+ * @defgroup attributes attributes
+ * @ingroup config
+ *
  * @defgroup control control
  * @ingroup charon
  *
@@ -157,6 +160,7 @@ typedef struct daemon_t daemon_t;
 #include <bus/listeners/sys_logger.h>
 #include <sa/ike_sa_manager.h>
 #include <config/backend_manager.h>
+#include <config/attributes/attribute_manager.h>
 #include <credentials/credential_manager.h>
 #include <sa/authenticators/eap/eap_manager.h>
 #include <plugins/plugin_loader.h>
@@ -213,6 +217,11 @@ struct daemon_t {
 	backend_manager_t *backends;
 	
 	/**
+	 * Manager IKEv2 cfg payload attributes
+	 */
+	attribute_manager_t *attributes;
+	
+	/**
 	 * Manager for the credential backends
 	 */
 	credential_manager_t *credentials;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index ef8ceed91..f4f3dbc99 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -354,7 +354,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 {
 	identification_t *me, *other, *peer_id = NULL;
 	peer_cfg_t *mediated_by = NULL;
-	host_t *my_vip = NULL, *other_vip = NULL;
+	host_t *vip = NULL;
 	certificate_t *cert;
 	u_int32_t rekey = 0, reauth = 0, over, jitter;
 	
@@ -457,21 +457,43 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 	{
 		rekey = msg->add_conn.rekey.ike_lifetime - over;
 	}	
-	if (msg->add_conn.me.virtual_ip && msg->add_conn.me.sourceip)
+	if (msg->add_conn.me.sourceip_size)
 	{
-		my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
-	}
-	if (msg->add_conn.other.virtual_ip && msg->add_conn.other.sourceip)
-	{
-		other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0);
+		if (msg->add_conn.me.sourceip)
+		{
+			vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
+		}
+		if (!vip)
+		{	/* if it is set to something like %poolname, request an address */
+			if (msg->add_conn.me.subnet)
+			{	/* use the same addreass as in subnet, if any */
+				if (strchr(msg->add_conn.me.subnet, '.'))
+				{
+					vip = host_create_any(AF_INET);
+				}
+				else
+				{
+					vip = host_create_any(AF_INET6);
+				}
+			}
+			else
+			{
+				host_t* my_host = ike_cfg->get_my_host(ike_cfg);
+				vip = host_create_any(my_host->get_family(my_host));
+			}
+		}
 	}
+	/* other.sourceip is managed in stroke_attributes. If it is set, we define
+	 * the pool name as the connection name, which the attribute provider
+	 * uses to serve pool addresses. */
 	return peer_cfg_create(msg->add_conn.name,
 		msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other,
 		msg->add_conn.me.sendcert, msg->add_conn.auth_method,
 		msg->add_conn.eap_type,	msg->add_conn.eap_vendor,
 		msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
 		msg->add_conn.mobike, msg->add_conn.dpd.delay, msg->add_conn.dpd.action,
-		my_vip, other_vip, msg->add_conn.ikeme.mediation, mediated_by, peer_id);
+		vip, msg->add_conn.other.sourceip ? msg->add_conn.name : NULL,
+		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
 }
 
 /**
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 14200793f..20bbd06af 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -2315,7 +2315,16 @@ static void destroy(private_ike_sa_t *this)
 										 this->my_virtual_ip);
 		this->my_virtual_ip->destroy(this->my_virtual_ip);
 	}
-	DESTROY_IF(this->other_virtual_ip);
+	if (this->other_virtual_ip)
+	{
+		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
+		{
+			charon->attributes->release_address(charon->attributes,
+									this->peer_cfg->get_pool(this->peer_cfg),
+									this->other_virtual_ip);
+		}
+		this->other_virtual_ip->destroy(this->other_virtual_ip);
+	}
 	
 	remove_dns_servers(this);
 	this->dns_servers->destroy_offset(this->dns_servers,
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index 8b711e8f3..f4f814308 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -535,11 +535,10 @@ static status_t build_i(private_child_create_t *this, message_t *message)
 	if (!this->reqid)
 	{
 		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-		vip = peer_cfg->get_my_virtual_ip(peer_cfg);
+		vip = peer_cfg->get_virtual_ip(peer_cfg);
 		if (vip)
 		{
 			propose_all = TRUE;
-			vip->destroy(vip);
 		}
 	}
 	
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index 2af0aed96..7bd214f01 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -261,14 +261,14 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
 		
 		/* reuse virtual IP if we already have one */
 		vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
-		if (vip)
+		if (!vip)
 		{
-			this->virtual_ip = vip->clone(vip);
+			config = this->ike_sa->get_peer_cfg(this->ike_sa);
+			vip = config->get_virtual_ip(config);
 		}
-		else
+		if (vip)
 		{
-			config = this->ike_sa->get_peer_cfg(this->ike_sa);
-			this->virtual_ip = config->get_my_virtual_ip(config);
+			this->virtual_ip = vip->clone(vip);
 		}
 		
 		build_payloads(this, message, CFG_REQUEST);
@@ -305,11 +305,14 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 			host_t *ip;
 			
 			DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
-			ip = config->get_other_virtual_ip(config, this->virtual_ip);
-			if (ip == NULL || ip->is_anyaddr(ip))
+			ip = charon->attributes->acquire_address(charon->attributes, 
+									config->get_pool(config),
+									this->ike_sa->get_other_id(this->ike_sa),
+									this->ike_sa->get_other_auth(this->ike_sa),
+									this->virtual_ip);
+			if (ip == NULL)
 			{
 				DBG1(DBG_IKE, "not assigning a virtual IP to peer");
-				DESTROY_IF(ip);
 				return SUCCESS;
 			}
 			DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
@@ -318,16 +321,6 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
 			this->virtual_ip->destroy(this->virtual_ip);
 			this->virtual_ip = ip;
 			
-			/* DNS testing values
-			if (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
-			{
-				ip->destroy(ip);
-				ip = host_create_from_string("10.3.0.1", 0);
-				this->dns->insert_last(this->dns, ip);
-				ip = host_create_from_string("10.3.0.2", 0);
-				this->dns->insert_last(this->dns, ip);
-			} */
-			
 			build_payloads(this, message, CFG_REPLY);
 		}
 		return SUCCESS;
@@ -354,7 +347,11 @@ static status_t process_i(private_ike_config_t *this, message_t *message)
 		if (this->virtual_ip == NULL)
 		{	/* force a configured virtual IP, even server didn't return one */
 			config = this->ike_sa->get_peer_cfg(this->ike_sa);
-			this->virtual_ip = config->get_my_virtual_ip(config);
+			this->virtual_ip = config->get_virtual_ip(config);
+			if (this->virtual_ip)
+			{
+				this->virtual_ip = this->virtual_ip->clone(this->virtual_ip);
+			}
 		}
 
 		if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip))
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 03d98cbd7..610b08960 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -29,6 +29,7 @@
 #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
 #define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
 #define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
+#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
 
 static bool
 starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
@@ -45,12 +46,11 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
 	ADDCMP(addr);
     }
     ADDCMP(nexthop);
-    ADDCMP(srcip);
+    STRCMP(srcip);
     SUBCMP(subnet);
     VARCMP(has_client);
     VARCMP(has_client_wildcard);
     VARCMP(has_port_wildcard);
-    VARCMP(has_srcip);
     VARCMP(modecfg);
     VARCMP(port);
     VARCMP(protocol);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 0c188ee2c..bae343719 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -88,10 +88,8 @@ static void default_values(starter_config_t *cfg)
 
 	anyaddr(AF_INET, &cfg->conn_default.left.addr);
 	anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
-	anyaddr(AF_INET, &cfg->conn_default.left.srcip);
 	anyaddr(AF_INET, &cfg->conn_default.right.addr);
 	anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
-	anyaddr(AF_INET, &cfg->conn_default.right.srcip);
 
 	cfg->ca_default.seen = LEMPTY;
 }
@@ -284,28 +282,41 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		}
 		else
 		{
+			ip_address addr;
+			ip_subnet net;
+		
 			conn->tunnel_addr_family = ip_version(value);
-			ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+			if (strchr(value, '/'))
+			{	/* CIDR notation, address pool */
+				ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+			}
+			else if (value[0] != '%')
+			{	/* old style fixed srcip, a %poolname otherwise */
+				ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
+			}
 			if (ugh != NULL)
 			{
 				plog("# bad addr: %s=%s [%s]", name, value, ugh);
 				goto err;
 			}
-			end->has_srcip = TRUE;
+			end->srcip = clone_str(value, "srcip");
 		}
 		conn->policy |= POLICY_TUNNEL;
 		break;
 	case KW_NATIP:
-		if (end->has_srcip)
+		if (end->srcip)
 		{
 			plog("# natip and sourceip cannot be defined at the same time");
 			goto err;
 		}
 		if (streq(value, "%defaultroute"))
 		{
+			char buf[64];
+		
 			if (cfg->defaultroute.defined)
 			{
-				end->srcip    = cfg->defaultroute.addr;
+				addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
+				end->srcip = clone_str(buf, "natip");
 			}
 			else
 			{
@@ -315,13 +326,16 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
 		}
 		else
 		{
+			ip_address addr;
+			
 			conn->tunnel_addr_family = ip_version(value);
-			ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+			ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
 			if (ugh != NULL)
 			{
 				plog("# bad addr: %s=%s [%s]", name, value, ugh);
 				goto err;
 			}
+			end->srcip = clone_str(value, "srcip");
 		}
 		end->has_natip = TRUE;
 		conn->policy |= POLICY_TUNNEL;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 4ccf6284c..ae25a0843 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -67,12 +67,10 @@ struct starter_end {
 	char		*iface;
 	ip_address	addr;
 	ip_address	nexthop;
-	ip_address	srcip;
 	ip_subnet	subnet;
 	bool		has_client;
 	bool		has_client_wildcard;
 	bool		has_port_wildcard;
-	bool		has_srcip;
 	bool		has_natip;
 	bool		modecfg;
 	certpolicy_t	sendcert;
@@ -84,6 +82,7 @@ struct starter_end {
 	u_int16_t	port;
 	u_int8_t	protocol;
 	char		*virt;
+	char		*srcip;
 };
 
 typedef struct also also_t;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 83db1430c..025cd66f4 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -170,15 +170,47 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
 	msg_end->tohost = !conn_end->has_client;
 	msg_end->protocol = conn_end->protocol;
 	msg_end->port = conn_end->port;
-	msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
-	ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
-	msg_end->sourceip = push_string(msg, buffer);
+	if (conn_end->srcip)
+	{
+		if (conn_end->srcip[0] == '%')
+		{	/* %poolname, strip % */
+			msg_end->sourceip_size = 0;
+			msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
+		}
+		else
+		{
+			char *pos = strchr(conn_end->srcip, '/');
+			if (pos)
+			{	/* CIDR subnet definition */
+				snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
+				msg_end->sourceip = push_string(msg, buffer);
+				msg_end->sourceip_size = atoi(pos + 1);
+			}
+			else
+			{	/* a sigle address */
+				msg_end->sourceip = push_string(msg, conn_end->srcip);
+				if (strchr(conn_end->srcip, ':'))
+				{	/* IPv6 */
+					msg_end->sourceip_size = 128;
+				}
+				else
+				{	/* IPv4 */
+					msg_end->sourceip_size = 32;
+				}
+			}
+		}
+	}
+	else if (conn_end->modecfg)
+	{
+		msg_end->sourceip_size = 1;
+	}
 }
 
 int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 {
 	stroke_msg_t msg;
 
+	memset(&msg, 0, sizeof(msg));
 	msg.type = STR_ADD_CONN;
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
@@ -213,15 +245,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 		msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
 	}
  
-	if (conn->policy & POLICY_DONT_REKEY)
-	{
-		msg.add_conn.rekey.ipsec_lifetime = 0;
-		msg.add_conn.rekey.ike_lifetime = 0;
-		msg.add_conn.rekey.margin = 0;
-		msg.add_conn.rekey.tries = 0;
-		msg.add_conn.rekey.fuzz = 0;
-	}
-	else
+	if (!(conn->policy & POLICY_DONT_REKEY))
 	{
 		msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
 		msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 019489eec..970c74d20 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -149,13 +149,28 @@ connection_name(starter_conn_t *conn)
 
 static void
 set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
+{   
+    if (end->srcip && end->srcip[0] != '%')
+    {
+	int len = 0;
+	char *pos, *v6;
+
+	pos = strchr(end->srcip, '/');
+	v6 = strchr(end->srcip, ':');
+	if (pos)
+	{
+	    /* use first address only for pluto */
+	    len = pos - end->srcip;
+	}
+	w->has_srcip = 1;
+	ttoaddr(end->srcip, len, v6 ? AF_INET6 : AF_INET, &w->host_srcip);
+    }
+    
     w->id                  = end->id;
     w->cert                = end->cert;
     w->ca                  = end->ca;
     w->groups              = end->groups;
     w->host_addr           = end->addr;
-    w->host_srcip          = end->srcip;
     w->has_client          = end->has_client;
 
     if (family == AF_INET6 && isanyaddr(&end->nexthop))
@@ -171,7 +186,6 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
 
     w->has_client_wildcard = end->has_client_wildcard;
     w->has_port_wildcard   = end->has_port_wildcard;
-    w->has_srcip           = end->has_srcip;
     w->has_natip           = end->has_natip;
     w->allow_any           = end->allow_any && !end->dns_failed;
     w->modecfg             = end->modecfg;
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 3f2a661ba..77436801c 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -105,61 +105,28 @@ static int add_connection(char *name,
 {
 	stroke_msg_t msg;
 	
+	memset(&msg, 0, sizeof(msg));
 	msg.length = offsetof(stroke_msg_t, buffer);
 	msg.type = STR_ADD_CONN;
 	
 	msg.add_conn.name = push_string(&msg, name);
 	msg.add_conn.ikev2 = 1;
 	msg.add_conn.auth_method = 2;
-	msg.add_conn.eap_type = 0;
 	msg.add_conn.mode = 1;
 	msg.add_conn.mobike = 1;
-	msg.add_conn.force_encap = 0;
-	
-	msg.add_conn.rekey.reauth = 0;
-	msg.add_conn.rekey.ipsec_lifetime = 0;
-	msg.add_conn.rekey.ike_lifetime = 0;
-	msg.add_conn.rekey.margin = 0;
-	msg.add_conn.rekey.tries = 0;
-	msg.add_conn.rekey.fuzz = 0;
-	
-	msg.add_conn.algorithms.ike = NULL;
-	msg.add_conn.algorithms.esp = NULL;
-	
-	msg.add_conn.dpd.delay = 0;
 	msg.add_conn.dpd.action = 1;
 	
-	msg.add_conn.ikeme.mediation = 0;
-	msg.add_conn.ikeme.mediated_by = NULL;
-	msg.add_conn.ikeme.peerid = NULL;
-	
 	msg.add_conn.me.id = push_string(&msg, my_id);
 	msg.add_conn.me.address = push_string(&msg, my_addr);
 	msg.add_conn.me.subnet = push_string(&msg, my_net);
 	msg.add_conn.me.subnet_mask = my_netmask;
-	msg.add_conn.me.sourceip = NULL;
-	msg.add_conn.me.virtual_ip = 0;
-	msg.add_conn.me.cert = NULL;
-	msg.add_conn.me.ca = NULL;
 	msg.add_conn.me.sendcert = 1;
-	msg.add_conn.me.hostaccess = 0;
-	msg.add_conn.me.tohost = 0;
-	msg.add_conn.me.protocol = 0;
-	msg.add_conn.me.port = 0;
 	
 	msg.add_conn.other.id = push_string(&msg, other_id);
 	msg.add_conn.other.address = push_string(&msg, other_addr);
 	msg.add_conn.other.subnet = push_string(&msg, other_net);
 	msg.add_conn.other.subnet_mask = other_netmask;
-	msg.add_conn.other.sourceip = NULL;
-	msg.add_conn.other.virtual_ip = 0;
-	msg.add_conn.other.cert = NULL;
-	msg.add_conn.other.ca = NULL;
 	msg.add_conn.other.sendcert = 1;
-	msg.add_conn.other.hostaccess = 0;
-	msg.add_conn.other.tohost = 0;
-	msg.add_conn.other.protocol = 0;
-	msg.add_conn.other.port = 0;
 	
 	return send_stroke_msg(&msg);
 }
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index c48ebe812..4ba4b5da9 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -126,7 +126,7 @@ struct stroke_end_t {
 	char *updown;
 	char *address;
 	char *sourceip;
-	u_int8_t virtual_ip;
+	int sourceip_size;
 	char *subnet;
 	int subnet_mask;
 	int sendcert;