-rw-r--r-- | man/strongswan.conf.5.in | 7 | ||||
-rw-r--r-- | src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c | 11 |
2 files changed, 16 insertions, 2 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 783f16c2c..e8dbe63f8 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -623,6 +623,13 @@ Number of ipsecN devices
 .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]"
 Set MTU of ipsecN device
 .TP
+.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]"
+Allow that the remote traffic selector equals the IKE peer. The route installed
+for such traffic (via TUN device) usually prevents further IKE traffic. The
+fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can
+be used to circumvent that problem.
+to
+.TP
 .BR charon.plugins.kernel-netlink.fwmark
 Firewall mark to set on the routing rule that directs traffic to our own routing
 table. The format is [!]mark[/mask], where the optional exclamation mark inverts
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index 9d95aa7fd..8458cd1cf 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -50,6 +50,11 @@ struct private_kernel_libipsec_ipsec_t {
 * List of exclude routes (exclude_route_t)
 */
 linked_list_t *excludes;
+
+ /**
+ * Whether the remote TS may equal the IKE peer
+ */
+ bool allow_peer_ts;
 };
 
 typedef struct exclude_route_t exclude_route_t;
@@ -465,7 +470,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 policy->route = NULL;
 }
 
- if (dst_ts->is_host(dst_ts, dst))
+ if (!this->allow_peer_ts && dst_ts->is_host(dst_ts, dst))
 {
 DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts with "
 "IKE traffic", src_ts, dst_ts, policy_dir_names,
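Review bot: With allow_peer_ts enabled, the host-peer case on the new `if (!this->allow_peer_ts && dst_ts->is_host(dst_ts, dst))` line now installs the route without any log line, so an operator who set the option but not the fwmark settings the man page refers to gets no hint when IKE traffic to the peer (rekeying, DPD) is pulled into the TUN device by that route. A DBG1 on the allowed path, such as `DBG1(DBG_KNL, "installing route for %R === %R that covers the IKE peer, IKE traffic must be marked to bypass it", src_ts, dst_ts);`, or at least a comment on the condition, `/* allow_peer_ts: the TUN route also matches IKE packets to the peer; relies on fwmark on the IKE socket */`, would make the dependency explicit. install_route() starts and ends outside this hunk, so the point where the route is actually installed is not visible here. The same guard is added at the includes() check in the next hunk.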
@@ -475,7 +480,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *this,
 return FALSE;
 }
 /* if remote traffic selector covers the IKE peer, add an exclude route */
- if (dst_ts->includes(dst_ts, dst))
+ if (!this->allow_peer_ts && dst_ts->includes(dst_ts, dst))
 {
 /* add exclude route for peer */
 add_exclude_route(this, route, src, dst);
@@ -694,6 +699,8 @@ kernel_libipsec_ipsec_t *kernel_libipsec_ipsec_create()
 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 .policies = linked_list_create(),
 .excludes = linked_list_create(),
+ .allow_peer_ts = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-libipsec.allow_peer_ts", FALSE, hydra->daemon),
 );
 
 ipsec->events->register_listener(ipsec->events, &this->ipsec_listener);
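Review bot: The guard on the new `if (!this->allow_peer_ts && dst_ts->includes(dst_ts, dst))` line also suppresses the exclude route when the remote TS merely covers the peer (a whole-subnet selector), not only when it equals it, while the field comment "Whether the remote TS may equal the IKE peer" in the struct hunk and the man-page text describe the option only in terms of the TS equalling the peer. Either narrow this guard to the is_host() case and keep the exclude route for wider selectors, or document the wider effect on the field, e.g. `/** Route a remote TS equal to or covering the IKE peer via TUN without an exclude route (IKE traffic then needs fwmark to bypass it) */`. The existing comment above the condition could state the trade-off as well: `/* add an exclude route so IKE traffic to the peer bypasses the TUN route, unless allow_peer_ts delegates that to fwmark */`. The create() hunk below reads the setting once with default FALSE, so existing configurations keep the previous behaviour; install_route() itself continues outside this hunk.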