Use AUTH_RULE_IDENTITY_LOOSE in NetworkManager backend
[strongswan.git] / src / charon-nm / nm / nm_service.c
index 61b6a6c..fd96f43 100644 (file)
@@ -89,11 +89,12 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
        me = ike_sa->get_my_host(ike_sa);
        handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
 
-       /* NM requires a tundev, but netkey does not use one. Passing an invalid
-        * iface makes NM complain, but it accepts it without fiddling on eth0. */
+       /* NM requires a tundev, but netkey does not use one. Passing the physical
+        * interface does not work, as NM fiddles around with it. Passing the
+        * loopback seems to work, though... */
        val = g_slice_new0 (GValue);
        g_value_init (val, G_TYPE_STRING);
-       g_value_set_string (val, "none");
+       g_value_set_string (val, "lo");
        g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
 
        val = g_slice_new0(GValue);
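Review bot: The new comment justifies the "lo" tundev value with "seems to work, though...", which tells the next maintainer neither what was tried nor what NM is expected to do with a loopback device, so a future NM change that starts managing "lo" would not be recognised as the cause of a regression. Suggest replacing the trailing hedge with a statement of the observed behaviour and a marker, e.g. `* loopback works because NM leaves "lo" untouched (observed with the NM version this was tested against); TODO re-check when NM is upgraded. */`. signal_ipv4_config starts before this hunk and continues past it.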
@@ -276,7 +277,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        auth_class_t auth_class = AUTH_CLASS_EAP;
        certificate_t *cert = NULL;
        x509_t *x509;
-       bool agent = FALSE, smartcard = FALSE;
+       bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
        lifetime_cfg_t lifetime = {
                .time = {
                        .life = 10800 /* 3h */,
@@ -379,6 +380,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                 * included in the gateway certificate. */
                gateway = identification_create_from_string((char*)address);
                DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+               loose_gateway_id = TRUE;
        }
 
        if (auth_class == AUTH_CLASS_EAP)
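Review bot: The DBG1 line directly above the new `loose_gateway_id = TRUE;` still reports only the derived gateway identity, so the log no longer tells an operator that relaxed identity matching is in effect for this connection, even though this branch is the only place that enables it. Since the log message is the one place a user debugging a failed or unexpectedly accepted gateway authentication will look, extend it, e.g. `DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y' (loose matching)", gateway);`. connect_ starts before this hunk and continues past it.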
@@ -496,8 +498,9 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        /**
         * Set up configurations
         */
-       ike_cfg = ike_cfg_create(TRUE, encap,
-                                       "0.0.0.0", IKEV2_UDP_PORT, (char*)address, IKEV2_UDP_PORT);
+       ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", FALSE,
+                                                        charon->socket->get_port(charon->socket, FALSE),
+                                                       (char*)address, FALSE, IKEV2_UDP_PORT);
        ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
        peer_cfg = peer_cfg_create(priv->name, IKEV2, ike_cfg,
                                        CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
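Review bot: The rewritten ike_cfg_create call passes two bare `FALSE` arguments and a dynamically looked-up local port with no annotation, whereas the peer_cfg_create call immediately below documents every positional constant inline (`/* keyingtries */`, `/* mediation */`). A reader cannot tell from the call what the two flags select, and the new local-port lookup deserves a word on why it replaced the fixed IKEV2_UDP_PORT. Suggest the same inline style, e.g. `"0.0.0.0", FALSE, /* <meaning of flag per ike_cfg_create> */` and `charon->socket->get_port(charon->socket, FALSE), /* local port charon actually bound */`, filling in the flag meanings from the ike_cfg_create prototype. connect_ starts before this hunk and continues past it.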
@@ -505,8 +508,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
                                        600, 600, /* jitter, over 10min */
                                        TRUE, FALSE, /* mobike, aggressive */
                                        0, 0, /* DPD delay, timeout */
-                                       virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
-                                       NULL, FALSE, NULL, NULL); /* pool, mediation */
+                                       FALSE, NULL, NULL); /* mediation */
+       if (virtual)
+       {
+               peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
+       }
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
        auth->add(auth, AUTH_RULE_IDENTITY, user);
@@ -514,6 +520,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        auth = auth_cfg_create();
        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
        auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+       auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
        peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 
        child_cfg = child_cfg_create(priv->name, &lifetime,
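Review bot: The new `AUTH_RULE_IDENTITY_LOOSE` rule is the security-relevant part of this change — it relaxes how the gateway's certificate identity is matched — yet the line carries no explanation of when `loose_gateway_id` is true, which is decided about 180 lines earlier in the CA-certificate branch. A maintainer reading the remote auth config in isolation should see the condition here, e.g. `/* loose matching only when the gateway identity was derived from the connection address (CA-based auth); a pinned gateway certificate keeps strict matching */`. I would also confirm that adding the rule with a FALSE value is treated by auth_cfg the same as not adding it, since the rule is now inserted unconditionally; if it is not, guard the add with `if (loose_gateway_id)`. connect_ starts before this hunk and continues past it.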