-rw-r--r--src/charon/plugins/stroke/stroke_config.c6
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/cmp.c1
-rw-r--r--src/starter/confread.c2
-rw-r--r--src/starter/confread.h1
-rw-r--r--src/starter/ipsec.conf.57
-rw-r--r--src/starter/keywords.h2
-rw-r--r--src/starter/keywords.txt2
-rw-r--r--src/starter/starterstroke.c1
-rw-r--r--src/stroke/stroke.c2
-rw-r--r--src/stroke/stroke_msg.h1
11 files changed, 23 insertions, 3 deletions
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index bfb39008e..bbc1e7a31 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -232,9 +232,9 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
}
}
ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
- msg->add_conn.force_encap,
- msg->add_conn.me.address, IKEV2_UDP_PORT,
- msg->add_conn.other.address, IKEV2_UDP_PORT);
+ msg->add_conn.force_encap,
+ msg->add_conn.me.address, msg->add_conn.me.ikeport,
+ msg->add_conn.other.address, msg->add_conn.other.ikeport);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
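Review bot: build_ike_cfg now hands msg->add_conn.me.ikeport and msg->add_conn.other.ikeport straight to ike_cfg_create with no fallback for a zero value, so a stroke message whose sender never populated the new field yields an IKE configuration bound to port 0 instead of the previous IKEV2_UDP_PORT. Since this struct arrives over the stroke socket, a guard such as `u_int16_t my_port = msg->add_conn.me.ikeport ? msg->add_conn.me.ikeport : IKEV2_UDP_PORT;` (and the same for other) keeps the old default and makes the fallback explicit. build_ike_cfg starts before this hunk.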
diff --git a/src/starter/args.c b/src/starter/args.c
index ebbd42cc8..c2614cd14 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -248,6 +248,7 @@ static const token_info_t token_info[] =
/* end keywords */
{ ARG_MISC, 0, NULL /* KW_HOST */ },
+ { ARG_UINT, offsetof(starter_end_t, ikeport), NULL },
{ ARG_MISC, 0, NULL /* KW_NEXTHOP */ },
{ ARG_STR, offsetof(starter_end_t, subnet), NULL },
{ ARG_MISC, 0, NULL /* KW_SUBNETWITHIN */ },
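Review bot: The new ARG_UINT entry targets `starter_end_t.ikeport`, which confread.h declares as u_int16_t; if the ARG_UINT handler stores through an unsigned int pointer (not visible here) the write is wider than the field, and in any case a configured value of 0 or above 65535 is accepted silently and truncated. Either make the field the width ARG_UINT writes, or validate the parsed value against 1..65535 in the keyword handler and reject the connection with the parser's usual error reporting. The token_info table also appears to be positional with respect to the keyword enum, so this insertion must stay in lockstep with KW_LEFTIKEPORT/KW_RIGHTIKEPORT in keywords.h; a trailing `/* KW_LEFTIKEPORT */` comment like the neighbouring entries would make that dependency visible.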
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 8462a4819..33a057b44 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -43,6 +43,7 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
{
ADDCMP(addr);
}
+ VARCMP(ikeport);
ADDCMP(nexthop);
VARCMP(has_client);
VARCMP(has_client_wildcard);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 07cc11503..f71d9b46f 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -96,6 +96,8 @@ static void default_values(starter_config_t *cfg)
anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
anyaddr(AF_INET, &cfg->conn_default.right.addr);
anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+ cfg->conn_default.left.ikeport = 500;
+ cfg->conn_default.right.ikeport = 500;
cfg->ca_default.seen = LEMPTY;
}
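Review bot: The default IKE port is written as the bare literal 500 here (both left and right) and again in stroke.c's add_connection for me and other, while charon already names the same value IKEV2_UDP_PORT. A shared constant in stroke_msg.h, e.g. `#define IKE_UDP_PORT 500`, used at all four sites would keep the starter, stroke and charon defaults from drifting apart. default_values begins before this hunk.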
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 7f3211628..e7072794c 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -66,6 +66,7 @@ struct starter_end {
char *groups;
char *iface;
ip_address addr;
+ u_int16_t ikeport;
ip_address nexthop;
char *subnet;
bool has_client;
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index d4dd7238f..4cb1cb0fc 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -604,6 +604,13 @@ identity to use for a second authentication for the left participant
(IKEv2 only); defaults to
.BR leftid .
.TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with port floating to
+4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
.B leftnexthop
this parameter is not needed any more because the NETKEY IPsec stack does
not require explicit routing entries for the traffic to be tunneled.
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 8be31d148..10951f35b 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -145,6 +145,7 @@ typedef enum {
/* left end keywords */
KW_LEFT,
+ KW_LEFTIKEPORT,
KW_LEFTNEXTHOP,
KW_LEFTSUBNET,
KW_LEFTSUBNETWITHIN,
@@ -172,6 +173,7 @@ typedef enum {
/* right end keywords */
KW_RIGHT,
+ KW_RIGHTIKEPORT,
KW_RIGHTNEXTHOP,
KW_RIGHTSUBNET,
KW_RIGHTSUBNETWITHIN,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index adf3069bf..12037a685 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -98,6 +98,7 @@ ocspuri1, KW_OCSPURI
ocspuri2, KW_OCSPURI2
certuribase, KW_CERTURIBASE
left, KW_LEFT
+leftikeport, KW_LEFTIKEPORT
leftnexthop, KW_LEFTNEXTHOP
leftsubnet, KW_LEFTSUBNET
leftsubnetwithin, KW_LEFTSUBNETWITHIN
@@ -120,6 +121,7 @@ leftca, KW_LEFTCA
leftca2, KW_LEFTCA2
leftgroups, KW_LEFTGROUPS
right, KW_RIGHT
+rightikeport, KW_RIGHTIKEPORT
rightnexthop, KW_RIGHTNEXTHOP
rightsubnet, KW_RIGHTSUBNET
rightsubnetwithin, KW_RIGHTSUBNETWITHIN
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 665350c00..d877661ec 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -186,6 +186,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
+ msg_end->ikeport = conn_end->ikeport;
msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sourceip = push_string(msg, conn_end->sourceip);
msg_end->sourceip_mask = conn_end->sourceip_mask;
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 955e49535..c195c09a9 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -129,11 +129,13 @@ static int add_connection(char *name,
msg.add_conn.me.id = push_string(&msg, my_id);
msg.add_conn.me.address = push_string(&msg, my_addr);
+ msg.add_conn.me.ikeport = 500;
msg.add_conn.me.subnets = push_string(&msg, my_nets);
msg.add_conn.me.sendcert = 1;
msg.add_conn.other.id = push_string(&msg, other_id);
msg.add_conn.other.address = push_string(&msg, other_addr);
+ msg.add_conn.other.ikeport = 500;
msg.add_conn.other.subnets = push_string(&msg, other_nets);
msg.add_conn.other.sendcert = 1;
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 56a7a158f..ffc67039e 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -137,6 +137,7 @@ struct stroke_end_t {
char *groups;
char *updown;
char *address;
+ u_int16_t ikeport;
char *sourceip;
int sourceip_mask;
char *subnets;
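Review bot: Inserting `u_int16_t ikeport` in the middle of stroke_end_t changes the layout of every stroke message that carries an end, and this struct crosses the stroke socket between starter/stroke and charon. If the message carries no version indicator (none is visible here), a charon built with this change paired with an older starter or stroke binary would read `sourceip` and every following field at shifted offsets. A comment on the struct, `/* layout is shared with stroke/starter over the stroke socket; rebuild both sides when changing it */`, or a received-length check on the charon side would make that coupling explicit. stroke_end_t continues outside the hunk.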