From e3d98f2c4c9d65c17ce066b8c1c7a3ef29353f49 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 9 Oct 2012 14:01:33 +0200
Subject: android: Don't use the default ESP proposal as it includes unsupported algorithms
---
src/frontends/android/jni/libandroidbridge/backend/android_service.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 2a115d2f9..0361b86da 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -540,7 +540,10 @@ static job_requeue_t initiate(private_android_service_t *this)
 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
 0, 0, NULL, NULL, 0);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ /* create an ESP proposal with the algorithms currently supported by
+ * libipsec, no PFS for now */
+ child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
+ "aes128-aes192-aes256-sha1-sha256-sha384-sha512"));
 ts = traffic_selector_create_dynamic(0, 0, 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
--
cgit v1.2.3
From 38bbca587fab96550005fc06eaabecd2d4dd0507 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 10 Oct 2012 12:26:51 +0200
Subject: android: Determine source address dynamically
---
.../android/jni/libandroidbridge/backend/android_service.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
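Review bot: The proposal returned by `proposal_create_from_string` is handed straight to `add_proposal` without a NULL check; if the hard-coded string ever fails to parse (for instance an algorithm name unknown to a particular build), the CHILD_SA config silently ends up without an ESP proposal, unless `add_proposal` itself tolerates NULL, which is not visible here. I would keep the result in a local and log on failure, e.g. `proposal = proposal_create_from_string(PROTO_ESP, "aes128-aes192-aes256-sha1-sha256-sha384-sha512"); if (!proposal) { DBG1(DBG_DMN, "failed to create ESP proposal"); }` before adding it. The comment already records that PFS is left out; turning "for now" into a `TODO` that names the libipsec limitation makes the spot easier to find once DH groups can be added. `initiate()` begins and ends outside the hunk.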
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 0361b86da..1e9d246ce 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -58,11 +58,6 @@ struct private_android_service_t {
 */
 char *type;
 
- /**
- * local ipv4 address
- */
- char *local_address;
-
 /**
 * gateway
 */
@@ -480,7 +475,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 }
 };
 
- ike_cfg = ike_cfg_create(TRUE, TRUE, this->local_address, FALSE,
+ ike_cfg = ike_cfg_create(TRUE, TRUE, "0.0.0.0", FALSE,
 charon->socket->get_port(charon->socket, FALSE),
 this->gateway, FALSE, IKEV2_UDP_PORT);
 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
@@ -591,7 +586,6 @@ METHOD(android_service_t, destroy, void,
 close_tun_device(this);
 this->lock->destroy(this->lock);
 free(this->type);
- free(this->local_address);
 free(this->gateway);
 free(this->username);
 if (this->password)
@@ -606,8 +600,8 @@ METHOD(android_service_t, destroy, void,
 * See header
 */
 android_service_t *android_service_create(android_creds_t *creds, char *type,
- char *local_address, char *gateway,
- char *username, char *password)
+ char *gateway, char *username,
+ char *password)
 {
 private_android_service_t *this;
 
@@ -624,7 +618,6 @@ android_service_t *android_service_create(android_creds_t *creds, char *type,
 .destroy = _destroy,
 },
 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- .local_address = local_address,
 .username = username,
 .password = password,
 .gateway = gateway,
--
cgit v1.2.3
From b00806cf858c630fd715dc07d4723e5185e8deb7 Mon Sep 17 00:00:00 2001
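Review bot: Dropping `local_address` from `android_service_create` leaves a signature in which every remaining parameter is `char *`, so a caller that still passes five strings compiles without a warning and silently shifts its `local_address` into `gateway`, `gateway` into `username`, and so on; this view is limited to android_service.c, so the JNI caller has to be checked in the same change. The literal `"0.0.0.0"` passed to `ike_cfg_create` now carries the whole intent of the commit, but nothing at the call site explains it to a reader who has not seen the commit message; a comment on that line, `/* 0.0.0.0: the source address is determined dynamically */`, would do. Both `initiate()` and `destroy()` continue outside their hunks.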
From: Tobias Brunner
Date: Mon, 15 Oct 2012 11:02:18 +0200
Subject: android: Use 0.0.0.0/0 as local traffic selector
This is helpful if the responder also wants to tunnel e.g. multicast packages.
---
src/frontends/android/jni/libandroidbridge/backend/android_service.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 1e9d246ce..fbf5d981a 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -539,7 +539,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 * libipsec, no PFS for now */
 child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
 "aes128-aes192-aes256-sha1-sha256-sha384-sha512"));
- ts = traffic_selector_create_dynamic(0, 0, 65535);
+ ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
+ 0, "255.255.255.255", 65535);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
 0, "255.255.255.255", 65535);
--
cgit v1.2.3
From 272ce5b5804fcaa4b9ca4b3c1f1f2e313cd22da3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 15 Oct 2012 14:50:22 +0200
Subject: android: Handle unreachable peers via alert
---
.../jni/libandroidbridge/backend/android_service.c | 22 +++++----------------
1 file changed, 5 insertions(+), 17 deletions(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index fbf5d981a..83eed02b9 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
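Review bot: The reason for widening the local traffic selector to 0.0.0.0/0 exists only in the commit message; in the code the new call is indistinguishable from the remote one right below it, so a later reader may well "fix" it back to a dynamic selector. Suggest a comment above the new call, `/* 0.0.0.0/0 as local TS too, so the responder may also tunnel e.g. multicast traffic */`. Since the local and remote selectors are now built from the identical argument list, the two calls could also be folded into a short loop over `TRUE`/`FALSE` for `add_traffic_selector`, with each iteration creating its own `ts`. `initiate()` continues outside the hunk.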
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -357,7 +357,6 @@ METHOD(listener_t, child_updown, bool,
 {
 /* disable the hooks registered to catch initiation failures */
 this->public.listener.ike_updown = NULL;
- this->public.listener.ike_state_change = NULL;
 if (!setup_tun_device(this, ike_sa, child_sa))
 {
 DBG1(DBG_DMN, "failed to setup TUN device");
@@ -398,19 +397,6 @@ METHOD(listener_t, ike_updown, bool,
 return TRUE;
 }
 
-METHOD(listener_t, ike_state_change, bool,
- private_android_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
-{
- /* this call back is only registered during initiation */
- if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
- {
- charonservice->update_status(charonservice,
- CHARONSERVICE_UNREACHABLE_ERROR);
- return FALSE;
- }
- return TRUE;
-}
-
 METHOD(listener_t, alert, bool,
 private_android_service_t *this, ike_sa_t *ike_sa, alert_t alert,
 va_list args)
@@ -427,6 +413,10 @@ METHOD(listener_t, alert, bool,
 charonservice->update_status(charonservice,
 CHARONSERVICE_PEER_AUTH_ERROR);
 break;
+ case ALERT_PEER_INIT_UNREACHABLE:
+ charonservice->update_status(charonservice,
+ CHARONSERVICE_UNREACHABLE_ERROR);
+ break;
 default:
 break;
 }
@@ -450,9 +440,8 @@ METHOD(listener_t, ike_reestablish, bool,
 if (this->ike_sa == old)
 {
 this->ike_sa = new;
- /* re-register hooks to detect initiation failures */
+ /* re-register hook to detect initiation failures */
 this->public.listener.ike_updown = _ike_updown;
- this->public.listener.ike_state_change = _ike_state_change;
 /* the TUN device will be closed when the new CHILD_SA is established */
 }
 return TRUE;
@@ -612,7 +601,6 @@ android_service_t *android_service_create(android_creds_t *creds, char *type,
 .ike_rekey = _ike_rekey,
 .ike_reestablish = _ike_reestablish,
 .ike_updown = _ike_updown,
- .ike_state_change = _ike_state_change,
 .child_updown = _child_updown,
 .alert = _alert,
 },
--
cgit v1.2.3
From 8658e87b35ce9daf9df23403e65025417fc06697 Mon Sep 17 00:00:00 2001
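Review bot: The removed `ike_state_change` callback reported `CHARONSERVICE_UNREACHABLE_ERROR` only when `this->ike_sa == ike_sa` and then unregistered itself by returning FALSE; the new `ALERT_PEER_INIT_UNREACHABLE` case in `alert` has neither guard within the hunk. If the beginning of `alert`, which is outside the hunk, does not already filter on `this->ike_sa`, an alert raised for an IKE_SA this service does not own would also flip the status. Suggest confirming that filter or adding `if (this->ike_sa != ike_sa) { return TRUE; }` at the top of `alert`, and noting in a comment on the new case that, unlike the old hook, it stays registered after the first report. The `child_updown`, `ike_reestablish` and `android_service_create` hunks only remove the old hook and are consistent with each other; all enclosing functions begin and end outside their hunks.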
From: Tobias Brunner
Date: Tue, 16 Oct 2012 11:50:53 +0200
Subject: android: Use keyingtries=%forever and dpd|closeaction=restart
We also ignore the CHILD_SA_DOWN event. This should allow us to keep the connection up as long as the user does not manually disconnect.
---
.../android/jni/libandroidbridge/backend/android_service.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 83eed02b9..d451a3d94 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -470,7 +470,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 
 peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED,
- UNIQUE_REPLACE, 1, /* keyingtries */
+ UNIQUE_REPLACE, 0, /* keyingtries */
 36000, 0, /* rekey 10h, reauth none */
 600, 600, /* jitter, over 10min */
 TRUE, FALSE, /* mobike, aggressive */
@@ -522,8 +522,8 @@ static job_requeue_t initiate(private_android_service_t *this)
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ ACTION_NONE, ACTION_RESTART, ACTION_RESTART,
+ FALSE, 0, 0, NULL, NULL, 0);
 /* create an ESP proposal with the algorithms currently supported by
 * libipsec, no PFS for now */
 child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
--
cgit v1.2.3
From 2b6088c7187f30479ef20d305e1972abe3d5a40a Mon Sep 17 00:00:00 2001
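Review bot: The new values are meaningful only through their position in long argument lists, and the trailing comments do not say what they mean: `0, /* keyingtries */` reads as "no keying tries" although the subject says it means `%forever`, and the three `ACTION_*` arguments to `child_cfg_create` carry no comment at all. Suggest `UNIQUE_REPLACE, 0, /* keyingtries: 0 = %forever */` and `ACTION_NONE, ACTION_RESTART, ACTION_RESTART, /* start, dpd, close action */`, matching the style of the `/* rekey 10h, reauth none */` comments already there. The message also says the CHILD_SA_DOWN event is now ignored, but neither hunk in this file touches `child_updown`, so that part of the change must live elsewhere (this view is limited to one file) and the reader should be told where. Both hunks are inside `initiate()`, which begins and ends outside them.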
From: Tobias Brunner
Date: Tue, 16 Oct 2012 13:41:02 +0200
Subject: android: Ignore if peer is unreachable when reestablishing an SA
---
.../android/jni/libandroidbridge/backend/android_service.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'src/frontends/android/jni/libandroidbridge/backend/android_service.c')
diff --git a/src/frontends/android/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
index d451a3d94..b00567f60 100644
--- a/src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -414,8 +414,13 @@ METHOD(listener_t, alert, bool,
 CHARONSERVICE_PEER_AUTH_ERROR);
 break;
 case ALERT_PEER_INIT_UNREACHABLE:
- charonservice->update_status(charonservice,
- CHARONSERVICE_UNREACHABLE_ERROR);
+ this->lock->read_lock(this->lock);
+ if (this->tunfd < 0)
+ { /* only handle this if we are not reestablishing the SA */
+ charonservice->update_status(charonservice,
+ CHARONSERVICE_UNREACHABLE_ERROR);
+ }
+ this->lock->unlock(this->lock);
 break;
 default:
 break;
--
cgit v1.2.3
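Review bot: `charonservice->update_status` is called while `this->lock` is still held for reading, although the lock is only needed to sample `this->tunfd`; holding it across an upcall into the service keeps it taken for the duration of that call and, should `update_status` ever re-enter this object and request the write lock, would deadlock. Copy the decision out under the lock, release it, and only then report, as below. The inline comment should also say why `tunfd` is the signal: going by the comment in `ike_reestablish` elsewhere in this file, a TUN device is open only while an existing SA is being re-established, which a reader cannot tell from `tunfd < 0` alone. `alert` begins and ends outside the hunk.
```c
		case ALERT_PEER_INIT_UNREACHABLE:
		{
			bool reestablishing;

			/* the lock only guards the read of tunfd; a TUN device is open
			 * only while an existing SA is being reestablished */
			this->lock->read_lock(this->lock);
			reestablishing = this->tunfd >= 0;
			this->lock->unlock(this->lock);
			if (!reestablishing)
			{	/* report an unreachable peer only during initial setup */
				charonservice->update_status(charonservice,
											 CHARONSERVICE_UNREACHABLE_ERROR);
			}
			break;
		}
```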