Diffstat (limited to 'src/starter')
-rw-r--r--src/starter/cmp.c4
-rw-r--r--src/starter/confread.c28
-rw-r--r--src/starter/confread.h3
-rw-r--r--src/starter/starterstroke.c48
-rw-r--r--src/starter/starterwhack.c20
5 files changed, 77 insertions, 26 deletions
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index 03d98cbd7..610b08960 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -29,6 +29,7 @@
#define VARCMP(obj) if (c1->obj != c2->obj) return FALSE
#define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE
#define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE
+#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE
static bool
starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
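Review bot: The new `STRCMP` macro passes `c1->obj` and `c2->obj` straight to `strcmp`, and its only use, `STRCMP(srcip)` in the next hunk of this file, compares a field that after this change is a `char *` left NULL when no sourceip was configured (confread.c tests `if (end->srcip)`, starterstroke.c `if (conn_end->srcip)`), so comparing an end that has a sourceip against one that does not dereferences NULL. Treat NULL as a value in the macro itself: `#define STRCMP(obj) if ((c1->obj == NULL) != (c2->obj == NULL) || (c1->obj && strcmp(c1->obj, c2->obj))) return FALSE`. Dropping `VARCMP(has_srcip)` is then fine, since the presence check is folded into the string comparison. `strcmp` needs `<string.h>`; the file's includes are outside this hunk, so confirm it is already included.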
@@ -45,12 +46,11 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
ADDCMP(addr);
}
ADDCMP(nexthop);
- ADDCMP(srcip);
+ STRCMP(srcip);
SUBCMP(subnet);
VARCMP(has_client);
VARCMP(has_client_wildcard);
VARCMP(has_port_wildcard);
- VARCMP(has_srcip);
VARCMP(modecfg);
VARCMP(port);
VARCMP(protocol);
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 0c188ee2c..bae343719 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -88,10 +88,8 @@ static void default_values(starter_config_t *cfg)
anyaddr(AF_INET, &cfg->conn_default.left.addr);
anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.left.srcip);
anyaddr(AF_INET, &cfg->conn_default.right.addr);
anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.right.srcip);
cfg->ca_default.seen = LEMPTY;
}
@@ -284,28 +282,41 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
else
{
+ ip_address addr;
+ ip_subnet net;
+
conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+ if (strchr(value, '/'))
+ { /* CIDR notation, address pool */
+ ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
+ }
+ else if (value[0] != '%')
+ { /* old style fixed srcip, a %poolname otherwise */
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
+ }
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
- end->has_srcip = TRUE;
+ end->srcip = clone_str(value, "srcip");
}
conn->policy |= POLICY_TUNNEL;
break;
case KW_NATIP:
- if (end->has_srcip)
+ if (end->srcip)
{
plog("# natip and sourceip cannot be defined at the same time");
goto err;
}
if (streq(value, "%defaultroute"))
{
+ char buf[64];
+
if (cfg->defaultroute.defined)
{
- end->srcip = cfg->defaultroute.addr;
+ addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf));
+ end->srcip = clone_str(buf, "natip");
}
else
{
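Review bot: `end->srcip = clone_str(value, "srcip")` allocates a fresh string on every run, but nothing in this diff ever releases `end->srcip`: a repeated `sourceip=` for the same end overwrites the earlier clone (the old code overwrote an `ip_address`, so repetition was harmless), and no teardown of a `starter_end_t` is touched here; the same holds for the two `clone_str` calls in the natip hunk below. Release the previous value with the counterpart of `clone_str` before each reassignment, and check that the routine that frees a `starter_end_t` does the same. Separately, the `%poolname` branch assigns neither `addr` nor `ugh`, so the following `if (ugh != NULL)` depends on `ugh` being NULL on entry to this case — it is declared outside the hunk, so confirm that. The parsed `addr`/`net` are discarded after validation, which a comment such as `/* parse only to validate; the text is kept verbatim in end->srcip */` would make explicit. kw_end begins and ends outside this hunk.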
@@ -315,13 +326,16 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
}
else
{
+ ip_address addr;
+
conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
if (ugh != NULL)
{
plog("# bad addr: %s=%s [%s]", name, value, ugh);
goto err;
}
+ end->srcip = clone_str(value, "srcip");
}
end->has_natip = TRUE;
conn->policy |= POLICY_TUNNEL;
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 4ccf6284c..ae25a0843 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -67,12 +67,10 @@ struct starter_end {
char *iface;
ip_address addr;
ip_address nexthop;
- ip_address srcip;
ip_subnet subnet;
bool has_client;
bool has_client_wildcard;
bool has_port_wildcard;
- bool has_srcip;
bool has_natip;
bool modecfg;
certpolicy_t sendcert;
@@ -84,6 +82,7 @@ struct starter_end {
u_int16_t port;
u_int8_t protocol;
char *virt;
+ char *srcip;
};
typedef struct also also_t;
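Review bot: The new `char *srcip` at the end of `struct starter_end` carries three different spellings that starterstroke.c and starterwhack.c dispatch on by inspecting the first character or searching for `/`, and nothing in the header says so; a comment on the field would keep the next reader from treating it as a plain address: `char *srcip;  /* sourceip as written in the config: an address, address/prefix (pool), or %poolname; NULL when unset */`. With the `anyaddr` default for the old `ip_address srcip` removed in confread.c, the NULL-when-unset contract also relies on the containing struct being zeroed before kw_end runs, which is worth stating next to the field.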
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 83db1430c..025cd66f4 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -170,15 +170,47 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
- ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
- msg_end->sourceip = push_string(msg, buffer);
+ if (conn_end->srcip)
+ {
+ if (conn_end->srcip[0] == '%')
+ { /* %poolname, strip % */
+ msg_end->sourceip_size = 0;
+ msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
+ }
+ else
+ {
+ char *pos = strchr(conn_end->srcip, '/');
+ if (pos)
+ { /* CIDR subnet definition */
+ snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
+ msg_end->sourceip = push_string(msg, buffer);
+ msg_end->sourceip_size = atoi(pos + 1);
+ }
+ else
+ { /* a sigle address */
+ msg_end->sourceip = push_string(msg, conn_end->srcip);
+ if (strchr(conn_end->srcip, ':'))
+ { /* IPv6 */
+ msg_end->sourceip_size = 128;
+ }
+ else
+ { /* IPv4 */
+ msg_end->sourceip_size = 32;
+ }
+ }
+ }
+ }
+ else if (conn_end->modecfg)
+ {
+ msg_end->sourceip_size = 1;
+ }
}
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
stroke_msg_t msg;
+ memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
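Review bot: In the CIDR branch, `snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip)` uses the length of the address part as the buffer size instead of `sizeof(buffer)`, so the only thing keeping the write inside `buffer` is the earlier ttosubnet validation in confread.c; bound it explicitly with `snprintf(buffer, sizeof(buffer), "%.*s", (int)(pos - conn_end->srcip), conn_end->srcip);`. `atoi(pos + 1)` likewise trusts the prefix text, and a comment saying that confread has already validated both halves would make that dependency visible (`/* a sigle address */` also has a typo). The `sourceip_size` values 0 (pool name), 1 (modecfg without sourceip) and 32/128 (single address) encode a meaning for the receiver that is not obvious at the assignment sites and deserve a comment there. `buffer` and the start of `starter_stroke_add_end` are outside this hunk, so its size cannot be checked here.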
@@ -213,15 +245,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
}
- if (conn->policy & POLICY_DONT_REKEY)
- {
- msg.add_conn.rekey.ipsec_lifetime = 0;
- msg.add_conn.rekey.ike_lifetime = 0;
- msg.add_conn.rekey.margin = 0;
- msg.add_conn.rekey.tries = 0;
- msg.add_conn.rekey.fuzz = 0;
- }
- else
+ if (!(conn->policy & POLICY_DONT_REKEY))
{
msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c
index 019489eec..970c74d20 100644
--- a/src/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -149,13 +149,28 @@ connection_name(starter_conn_t *conn)
static void
set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
-{
+{
+ if (end->srcip && end->srcip[0] != '%')
+ {
+ int len = 0;
+ char *pos, *v6;
+
+ pos = strchr(end->srcip, '/');
+ v6 = strchr(end->srcip, ':');
+ if (pos)
+ {
+ /* use first address only for pluto */
+ len = pos - end->srcip;
+ }
+ w->has_srcip = 1;
+ ttoaddr(end->srcip, len, v6 ? AF_INET6 : AF_INET, &w->host_srcip);
+ }
+
w->id = end->id;
w->cert = end->cert;
w->ca = end->ca;
w->groups = end->groups;
w->host_addr = end->addr;
- w->host_srcip = end->srcip;
w->has_client = end->has_client;
if (family == AF_INET6 && isanyaddr(&end->nexthop))
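Review bot: The return value of `ttoaddr(end->srcip, len, ...)` is discarded, so when the text does not parse `w->has_srcip` is still set to 1 and `w->host_srcip` holds whatever the call left there; set the flag only on success: `if (ttoaddr(end->srcip, len, v6 ? AF_INET6 : AF_INET, &w->host_srcip) == NULL) { w->has_srcip = 1; }`. With `w->host_srcip = end->srcip` removed here and `w->has_srcip = end->has_srcip` removed in the next hunk, neither field is written at all when `srcip` is NULL or a `%poolname`, so the caller must zero `w` beforehand — that is not visible in this diff, so confirm it. `int len` holds a pointer difference; a `size_t` (or an explicit cast) would be the cleaner type for a length handed to `ttoaddr`. set_whack_end continues past the end of this hunk.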
@@ -171,7 +186,6 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
w->has_client_wildcard = end->has_client_wildcard;
w->has_port_wildcard = end->has_port_wildcard;
- w->has_srcip = end->has_srcip;
w->has_natip = end->has_natip;
w->allow_any = end->allow_any && !end->dns_failed;
w->modecfg = end->modecfg;