ike: Add configuration option to switch to preferring supplied proposals over local...
authorTobias Brunner <tobias@strongswan.org>
Wed, 1 Jun 2016 10:18:56 +0000 (12:18 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 17 Jun 2016 16:48:07 +0000 (18:48 +0200)
conf/options/charon.opt
src/libcharon/sa/ikev1/tasks/aggressive_mode.c
src/libcharon/sa/ikev1/tasks/main_mode.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/libcharon/sa/ikev2/tasks/child_create.c
src/libcharon/sa/ikev2/tasks/ike_init.c

index 86279ec..3970012 100644 (file)
@@ -253,6 +253,11 @@ charon.port_nat_t = 4500
        allocated.  Has to be different from **charon.port**, otherwise a random
        port will be allocated.
 
+charon.prefer_configured_proposals = yes
+       Prefer locally configured proposals for IKE/IPsec over supplied ones as
+       responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
+       notifies).
+
 charon.prefer_temporary_addrs = no
        By default public IPv6 addresses are preferred over temporary ones (RFC
        4941), to make connections more stable. Enable this option to reverse this.
index 9bc6a6e..9b5f676 100644 (file)
@@ -378,6 +378,7 @@ METHOD(task_t, process_r, status_t,
                        identification_t *id;
                        linked_list_t *list;
                        uint16_t group;
+                       bool prefer_configured;
 
                        this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
                        DBG0(DBG_IKE, "%H is initiating a Aggressive Mode IKE_SA",
@@ -401,8 +402,10 @@ METHOD(task_t, process_r, status_t,
                        }
 
                        list = sa_payload->get_proposals(sa_payload);
+                       prefer_configured = lib->settings->get_bool(lib->settings,
+                                                       "%s.prefer_configured_proposals", TRUE, lib->ns);
                        this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
-                                                                                                                       list, FALSE, TRUE);
+                                                                                               list, FALSE, prefer_configured);
                        list->destroy_offset(list, offsetof(proposal_t, destroy));
                        if (!this->proposal)
                        {
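Review bot: The `lib->settings->get_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns)` lookup added before the `select_proposal` call is repeated verbatim in main_mode.c, quick_mode.c, child_create.c and ike_init.c, and each copy appears to run on every responder-side negotiation; a single shared accessor, or reading the value once when the task is constructed, would keep the key string and the `TRUE` default in one place so the five call sites cannot drift apart. The option also changes who decides among mutually acceptable proposals: with it disabled the initiator's ordering wins, so a peer can steer the responder to its least preferred entry among the locally configured algorithms (the result is presumably still limited to what `ike_cfg` allows, since selection goes through it). A one-line comment at the call site, `/* with prefer_configured FALSE the initiator's proposal order decides among acceptable proposals */`, would make that trade-off visible to the next reader. process_r continues outside the hunk.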
index e702b61..628ea0d 100644 (file)
@@ -367,7 +367,7 @@ METHOD(task_t, process_r, status_t,
                {
                        linked_list_t *list;
                        sa_payload_t *sa_payload;
-                       bool private;
+                       bool private, prefer_configured;
 
                        this->ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
                        DBG0(DBG_IKE, "%H is initiating a Main Mode IKE_SA",
@@ -392,9 +392,11 @@ METHOD(task_t, process_r, status_t,
 
                        list = sa_payload->get_proposals(sa_payload);
                        private = this->ike_sa->supports_extension(this->ike_sa,
-                                                                                                                  EXT_STRONGSWAN);
+                                                                                                          EXT_STRONGSWAN);
+                       prefer_configured = lib->settings->get_bool(lib->settings,
+                                                       "%s.prefer_configured_proposals", TRUE, lib->ns);
                        this->proposal = this->ike_cfg->select_proposal(this->ike_cfg,
-                                                                                                                       list, private, TRUE);
+                                                                                       list, private, prefer_configured);
                        list->destroy_offset(list, offsetof(proposal_t, destroy));
                        if (!this->proposal)
                        {
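Review bot: The `EXT_STRONGSWAN);` continuation line is re-indented without any code change, which mixes whitespace churn into a functional commit and makes the hunk harder to audit; leaving that line untouched, or doing the alignment in a separate whitespace-only commit, keeps the diff to the behavioural change. The two new continuation lines (`"%s.prefer_configured_proposals", TRUE, lib->ns);` and `list, private, prefer_configured);`) also use different indentation from each other and from the surrounding code, so the file's alignment style is not being followed consistently here. process_r continues outside the hunk.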
index 70bc370..bbd1cb0 100644 (file)
@@ -1051,7 +1051,7 @@ METHOD(task_t, process_r, status_t,
                        linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
                        peer_cfg_t *peer_cfg;
                        uint16_t group;
-                       bool private;
+                       bool private, prefer_configured;
 
                        sa_payload = (sa_payload_t*)message->get_payload(message,
                                                                                                        PLV1_SECURITY_ASSOCIATION);
@@ -1109,8 +1109,10 @@ METHOD(task_t, process_r, status_t,
                        }
                        private = this->ike_sa->supports_extension(this->ike_sa,
                                                                                                           EXT_STRONGSWAN);
+                       prefer_configured = lib->settings->get_bool(lib->settings,
+                                                       "%s.prefer_configured_proposals", TRUE, lib->ns);
                        this->proposal = this->config->select_proposal(this->config, list,
-                                                                                                               FALSE, private, TRUE);
+                                                                                       FALSE, private, prefer_configured);
                        list->destroy_offset(list, offsetof(proposal_t, destroy));
 
                        get_lifetimes(this);
index 79208db..13064e3 100644 (file)
@@ -464,7 +464,7 @@ static status_t select_and_install(private_child_create_t *this,
        chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
        linked_list_t *my_ts, *other_ts;
        host_t *me, *other;
-       bool private;
+       bool private, prefer_configured;
 
        if (this->proposals == NULL)
        {
@@ -481,8 +481,10 @@ static status_t select_and_install(private_child_create_t *this,
        other = this->ike_sa->get_other_host(this->ike_sa);
 
        private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+       prefer_configured = lib->settings->get_bool(lib->settings,
+                                                       "%s.prefer_configured_proposals", TRUE, lib->ns);
        this->proposal = this->config->select_proposal(this->config,
-                                                                               this->proposals, no_dh, private, TRUE);
+                                                       this->proposals, no_dh, private, prefer_configured);
        if (this->proposal == NULL)
        {
                DBG1(DBG_IKE, "no acceptable proposal found");
index cb51cfe..801b6d8 100644 (file)
@@ -373,13 +373,15 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
                        {
                                sa_payload_t *sa_payload = (sa_payload_t*)payload;
                                linked_list_t *proposal_list;
-                               bool private;
+                               bool private, prefer_configured;
 
                                proposal_list = sa_payload->get_proposals(sa_payload);
                                private = this->ike_sa->supports_extension(this->ike_sa,
                                                                                                                   EXT_STRONGSWAN);
+                               prefer_configured = lib->settings->get_bool(lib->settings,
+                                                       "%s.prefer_configured_proposals", TRUE, lib->ns);
                                this->proposal = this->config->select_proposal(this->config,
-                                                                                               proposal_list, private, TRUE);
+                                                                       proposal_list, private, prefer_configured);
                                if (!this->proposal)
                                {
                                        charon->bus->alert(charon->bus, ALERT_PROPOSAL_MISMATCH_IKE,