vici: Make childless initiation of IKE_SAs configurable
authorTobias Brunner <tobias@strongswan.org>
Fri, 29 Mar 2019 16:13:49 +0000 (17:13 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 25 Apr 2019 13:23:19 +0000 (15:23 +0200)
src/libcharon/plugins/vici/vici_config.c
src/swanctl/swanctl.opt

index 59aadfd..1ff0754 100644 (file)
@@ -310,6 +310,7 @@ typedef struct {
        uint64_t dpd_delay;
        uint64_t dpd_timeout;
        fragmentation_t fragmentation;
+       childless_t childless;
        unique_policy_t unique;
        uint32_t keyingtries;
        uint32_t local_port;
@@ -416,6 +417,7 @@ static void log_peer_data(peer_data_t *data)
        DBG2(DBG_CFG, "  dpd_delay = %llu", data->dpd_delay);
        DBG2(DBG_CFG, "  dpd_timeout = %llu", data->dpd_timeout);
        DBG2(DBG_CFG, "  fragmentation = %u",  data->fragmentation);
+       DBG2(DBG_CFG, "  childless = %u",  data->childless);
        DBG2(DBG_CFG, "  unique = %N", unique_policy_names, data->unique);
        DBG2(DBG_CFG, "  keyingtries = %u", data->keyingtries);
        DBG2(DBG_CFG, "  reauth_time = %llu", data->reauth_time);
@@ -1562,6 +1564,27 @@ CALLBACK(parse_frag, bool,
 }
 
 /**
+ * Parse a childless_t
+ */
+CALLBACK(parse_childless, bool,
+       childless_t *out, chunk_t v)
+{
+       enum_map_t map[] = {
+               { "allow",              CHILDLESS_ALLOW         },
+               { "never",              CHILDLESS_NEVER         },
+               { "force",              CHILDLESS_FORCE         },
+       };
+       int d;
+
+       if (parse_map(map, countof(map), &d, v))
+       {
+               *out = d;
+               return TRUE;
+       }
+       return FALSE;
+}
+
+/**
  * Parse a cert_policy_t
  */
 CALLBACK(parse_send_cert, bool,
@@ -1777,6 +1800,7 @@ CALLBACK(peer_kv, bool,
                { "dpd_delay",          parse_time,                     &peer->dpd_delay                        },
                { "dpd_timeout",        parse_time,                     &peer->dpd_timeout                      },
                { "fragmentation",      parse_frag,                     &peer->fragmentation            },
+               { "childless",          parse_childless,        &peer->childless                        },
                { "send_certreq",       parse_bool,                     &peer->send_certreq                     },
                { "send_cert",          parse_send_cert,        &peer->send_cert                        },
                { "keyingtries",        parse_uint32,           &peer->keyingtries                      },
@@ -2519,6 +2543,7 @@ CALLBACK(config_sn, bool,
                .no_certreq = !peer.send_certreq,
                .force_encap = peer.encap,
                .fragmentation = peer.fragmentation,
+               .childless = peer.childless,
                .dscp = peer.dscp,
        };
        ike_cfg = ike_cfg_create(&ike);
index 460e17b..6765e9d 100644 (file)
@@ -154,7 +154,7 @@ connections.<conn>.dpd_timeout = 0s
        specified; this option has no effect on connections using IKE2.
 
 connections.<conn>.fragmentation = yes
-       Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_).
+       Use IKE UDP datagram fragmentation (_yes_, _accept_, _no_ or _force_).
 
        Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
        fragmentation).  Acceptable  values  are _yes_ (the     default), _accept_,
@@ -168,6 +168,21 @@ connections.<conn>.fragmentation = yes
        Note that fragmented IKE messages sent by a peer are always accepted
        irrespective of the value of this option (even when set to _no_).
 
+connections.<conn>.childless = allow
+       Use childless IKE_SA initiation (_allow_, _force_ or _never_).
+
+       Use childless IKE_SA initiation (RFC 6023) for IKEv2.  Acceptable values
+       are _allow_ (the default), _force_ and _never_. If set to _allow_,
+       responders will accept childless IKE_SAs (as indicated via notify in the
+       IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
+       with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
+       initiated explicitly without any children (which will fail if the responder
+       does not support or has disabled this extension).  If set to _force_, only
+       childless initiation is accepted and the first CHILD_SA is created with a
+       separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
+       for all CHILD_SAs).  Finally, setting the option to _never_ disables support
+       for childless IKE_SAs as responder.
+
 connections.<conn>.send_certreq = yes
        Send certificate requests payloads (_yes_ or _no_).