Added support for the ipsec.conf aaa_identity keyword
authorMartin Willi <martin@revosec.ch>
Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 31 Aug 2010 15:52:52 +0000 (17:52 +0200)
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_socket.c
src/starter/args.c
src/starter/confread.h
src/starter/ipsec.conf.5.in
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke_msg.h

index 6170694..b35bbbf 100644 (file)
@@ -502,6 +502,11 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
                        }
                        cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
                }
+               if (msg->add_conn.aaa_identity)
+               {
+                       cfg->add(cfg, AUTH_RULE_AAA_IDENTITY,
+                               identification_create_from_string(msg->add_conn.aaa_identity));
+               }
        }
        else
        {
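Review bot: The new AUTH_RULE_AAA_IDENTITY branch stores the result of identification_create_from_string() without any hint of what the identity is for, while the eap_identity branch directly above appears to do its own handling before calling cfg->add(). A one-line comment drawn from the man page text in this same commit would help the next reader: `/* identity of the AAA backend presented during EAP; set when the EAP method (e.g. EAP-TLS) verifies the server and it differs from the gateway identity */`. If identification_create_from_string() can fail on a malformed string, the result should also be checked before it is added to the auth config; I cannot tell from this hunk whether it can return NULL. build_auth_cfg() starts and ends outside the hunk.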
index 974dbd5..06a636a 100644 (file)
@@ -180,11 +180,13 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
        pop_end(msg, "left", &msg->add_conn.me);
        pop_end(msg, "right", &msg->add_conn.other);
        pop_string(msg, &msg->add_conn.eap_identity);
+       pop_string(msg, &msg->add_conn.aaa_identity);
        pop_string(msg, &msg->add_conn.algorithms.ike);
        pop_string(msg, &msg->add_conn.algorithms.esp);
        pop_string(msg, &msg->add_conn.ikeme.mediated_by);
        pop_string(msg, &msg->add_conn.ikeme.peerid);
        DBG2(DBG_CFG, "  eap_identity=%s", msg->add_conn.eap_identity);
+       DBG2(DBG_CFG, "  aaa_identity=%s", msg->add_conn.aaa_identity);
        DBG2(DBG_CFG, "  ike=%s", msg->add_conn.algorithms.ike);
        DBG2(DBG_CFG, "  esp=%s", msg->add_conn.algorithms.esp);
        DBG2(DBG_CFG, "  mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
index ab6b605..37d6002 100644 (file)
@@ -208,6 +208,7 @@ static const token_info_t token_info[] =
        { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
        { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
        { ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
+       { ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
        { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
        { ARG_MISC, 0, NULL  /* KW_FORCEENCAPS */                                      },
        { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
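Review bot: The token_info[] table appears to be indexed by the kw_token_t enum (the `/* KW_AUTHBY */`, `/* KW_EAP */`, `/* KW_MOBIKE */` markers follow the enum order shown in keywords.h), so the new ARG_STR row on the aaa_identity line only maps to KW_AAA_IDENTITY because it is inserted at the same relative position as the enum value added after KW_EAP_IDENTITY; nothing in the row itself records that. The ARG_MISC rows carry a `/* KW_... */` marker but the ARG_STR rows do not; annotating the new row `{ ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL  /* KW_AAA_IDENTITY */ },` would make a future misalignment between this table and the keywords.h enum visible at a glance. The same positional coupling applies to the keywords.h hunk. The table definition starts and ends outside the hunk.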
index 5e4356e..3bbff64 100644 (file)
@@ -117,6 +117,7 @@ struct starter_conn {
                u_int32_t       eap_type;
                u_int32_t       eap_vendor;
                char            *eap_identity;
+               char            *aaa_identity;
                char            *xauth_identity;
                lset_t          policy;
                time_t          sa_ike_life_seconds;
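Review bot: The new `aaa_identity` string in starter_conn_t is filled in by the ARG_STR parser, but this commit touches no free path for the connection struct. If conn strings are released by a generic walk over the token_info[] ARG_STR rows this is covered; if confread.c frees eap_identity and the other strings by name, aaa_identity will leak once per connection on every reload. Worth confirming before merge, since the free side is not visible in this change. The struct definition starts and ends outside the hunk.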
index 0f87f6b..de19cec 100644 (file)
@@ -228,6 +228,11 @@ Unless otherwise noted, for a connection to work,
 in general it is necessary for the two ends to agree exactly
 on the values of these parameters.
 .TP 14
+.B aaa_identity
+defines the identity of the AAA backend used during IKEv2 EAP authentication.
+This is required if the EAP client uses a method that verifies the server
+identity (such as EAP-TLS), but it does not match the IKEv2 gateway identity.
+.TP
 .B ah
 AH authentication algorithm to be used
 for the connection, e.g.
index 25d2ce4..0c78b8c 100644 (file)
@@ -71,6 +71,7 @@ typedef enum {
        KW_AUTHBY,
        KW_EAP,
        KW_EAP_IDENTITY,
+       KW_AAA_IDENTITY,
        KW_MOBIKE,
        KW_FORCEENCAPS,
        KW_IKELIFETIME,
index fcdc60c..0670563 100644 (file)
@@ -49,6 +49,7 @@ force_keepalive,   KW_FORCE_KEEPALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
 eap_identity,      KW_EAP_IDENTITY
+aaa_identity,      KW_AAA_IDENTITY
 mobike,                   KW_MOBIKE
 forceencaps,       KW_FORCEENCAPS
 pkcs11module,      KW_PKCS11MODULE
index 9c69ab9..32b373b 100644 (file)
@@ -223,6 +223,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
        msg.add_conn.eap_type = conn->eap_type;
        msg.add_conn.eap_vendor = conn->eap_vendor;
        msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
+       msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
 
        if (conn->policy & POLICY_TUNNEL)
        {
index 9e2300d..9466cf0 100644 (file)
@@ -232,6 +232,7 @@ struct stroke_msg_t {
                        u_int32_t eap_type;
                        u_int32_t eap_vendor;
                        char *eap_identity;
+                       char *aaa_identity;
                        int mode;
                        int mobike;
                        int force_encap;
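Review bot: Adding `char *aaa_identity` to the add_conn member changes the in-memory layout of stroke_msg_t, which is the message exchanged over the stroke socket between starter and charon; every field after eap_identity shifts, so a starter and a charon built from different versions of this header would misread each other's messages. I see no version or layout negotiation in these hunks, so this is presumably an already accepted constraint of the stroke protocol, but it deserves a reminder at the struct since this is the kind of change that triggers it: `/* shared with starter over the stroke socket: both sides must be built from the same header */`. The struct definition starts outside the hunk.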