- applied patch from andreas
authorMartin Willi <martin@strongswan.org>
Sat, 6 May 2006 07:09:45 +0000 (07:09 -0000)
committerMartin Willi <martin@strongswan.org>
Sat, 6 May 2006 07:09:45 +0000 (07:09 -0000)
  - added charonstart option to config
  - new ikev2 tests for UML

16 files changed:
INSTALL
Makefile.inc
src/Makefile
src/charon/doc/Todo-list.txt
src/starter/Makefile
src/starter/args.c
src/starter/confread.c
src/starter/confread.h
src/starter/files.h
src/starter/keywords.c
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starter.c
testing/tests/ikev2-net2net/description.txt
testing/tests/ikev2-net2net/hosts/moon/etc/ipsec.conf
testing/tests/ikev2-net2net/hosts/sun/etc/ipsec.conf

diff --git a/INSTALL b/INSTALL
index df334ff..40060d1 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -152,7 +152,7 @@ Contents
          o esp4
          o ipcomp
          o xfrm_user
-         o xfrm_tunnel
+         o xfrm4_tunnel
 
      Also the built-in kernel Cryptoapi modules with selected encryption and 
      hash algorithms should be available.
index 670bf12..d4d38f0 100644 (file)
@@ -211,9 +211,6 @@ LDAP_VERSION=3
 # include PKCS11-based smartcard support
 USE_SMARTCARD?=false
 
-# support IKEv2 via charon
-USE_IKEV2?=true
-
 # Default PKCS11 library
 # Uncomment this line if using OpenSC <= 0.9.6
 #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
index 5d167b8..59b4e18 100644 (file)
 FREESWANSRCDIR=..
 include ${FREESWANSRCDIR}/Makefile.inc
 
-SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto
-
-ifeq ($(USE_IKEV2),true)
-SUBDIRS+=charon
-endif
+SUBDIRS=_copyright _updown _updown_espmark ipsec starter openac scepclient pluto charon
 
 def:
        @echo "Please read doc/intro.html or INSTALL before running make"
index 11b30fb..2c4d163 100644 (file)
   - certificate validation/chaining
   - certificate exchange
 
+- stroke status should show configured connections
+- stroke loglevel update
+- stroke argument parsing via getopts/gperf?
+
 - implement 3DES to load encrypted pem files
 - ipsec.secrets parsing
 
index 0aeceb6..a0ff51b 100644 (file)
@@ -34,11 +34,6 @@ ifeq ($(USE_LEAK_DETECTIVE),true)
   DEFINES+= -DLEAK_DETECTIVE
 endif
 
-# Enable charon support
-ifeq ($(USE_IKEV2),true)
-  DEFINES+= -DIKEV2
-endif
-
 INCLUDES=-I${FREESWANDIR}/linux/include
 CFLAGS=$(DEFINES) $(INCLUDES) -Wall
 CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\"
@@ -52,9 +47,7 @@ OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \
      loglite.o ${PLUTO_OBJS}
 
 # Build charon-only objs
-ifeq ($(USE_IKEV2),true)
-  OBJS+= invokecharon.o starterstroke.o
-endif
+OBJS+= invokecharon.o starterstroke.o
 
 DISTSRC=$(OBJS:.o=.c)
 DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h netkey.h
index 56b286b..a473cf6 100644 (file)
@@ -86,10 +86,8 @@ static const char *LST_packetdefault[] = {
 
 static const char *LST_keyexchange[] = {
     "ike",
-#ifdef IKEV2
     "ikev1",
     "ikev2",
-#endif /* IKEV2 */
      NULL
 };
 
@@ -150,6 +148,8 @@ static const token_info_t token_info[] =
     /* config setup keywords */
     { ARG_LST,  offsetof(starter_config_t, setup.interfaces), NULL                 },
     { ARG_STR,  offsetof(starter_config_t, setup.dumpdir), NULL                    },
+    { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool            },
+    { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool             },
 
     /* pluto keywords */
     { ARG_LST,  offsetof(starter_config_t, setup.plutodebug), LST_plutodebug       },
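Review bot: The two new `token_info` rows for `setup.charonstart` and `setup.plutostart` are placed between `setup.dumpdir` and the pluto keywords, and if, as the `assign_arg(token, KW_SETUP_FIRST, ...)` calls in confread.c suggest, this table is indexed by the token's offset from `KW_SETUP_FIRST`, their position must be exactly where the matching tokens were inserted into the `kw_token_t` enum in keywords.h, which this chunk does not show. Nothing in args.c records that coupling, so a later contributor adding a setup keyword in one place but not the other would silently shift every following field's offset. A one-line comment above the table would make the invariant explicit, e.g. `/* one entry per kw_token_t value, in enum order (see keywords.h) */`. Both new fields use `LST_bool`, which is consistent with the TRUE defaults assigned to them in confread.c's default_values().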
index cf12d05..cd7a6f2 100644 (file)
@@ -39,54 +39,55 @@ static const char firewall_defaults[] = "ipsec _updown iptables";
 static void
 default_values(starter_config_t *cfg)
 {
-    if (cfg == NULL)
-       return;
+       if (cfg == NULL)
+               return;
 
-    memset(cfg, 0, sizeof(struct starter_config));
+       memset(cfg, 0, sizeof(struct starter_config));
 
     /* is there enough space for all seen flags? */
-    assert(KW_SETUP_LAST - KW_SETUP_FIRST <
-       sizeof(cfg->setup.seen) * BITS_PER_BYTE);
-    assert(KW_CONN_LAST  - KW_CONN_FIRST <
-       sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
-    assert(KW_END_LAST - KW_END_FIRST <
-       sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
-    assert(KW_CA_LAST - KW_CA_FIRST <
-       sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
-
-    cfg->setup.seen       = LEMPTY;
-    cfg->setup.fragicmp   = TRUE;
-    cfg->setup.hidetos    = TRUE;
-    cfg->setup.uniqueids  = TRUE;
-    cfg->setup.interfaces = new_list("%defaultroute");
-
-    cfg->conn_default.seen    = LEMPTY;
-    cfg->conn_default.startup = STARTUP_NO;
-    cfg->conn_default.state   = STATE_IGNORE;
-    cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG
-                             | POLICY_PFS;
-
-    cfg->conn_default.ike                   = clone_str(ike_defaults, "ike_defaults");
-    cfg->conn_default.esp                   = clone_str(esp_defaults, "esp_defaults");
-    cfg->conn_default.sa_ike_life_seconds   = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
-    cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
-    cfg->conn_default.sa_rekey_margin       = SA_REPLACEMENT_MARGIN_DEFAULT;
-    cfg->conn_default.sa_rekey_fuzz         = SA_REPLACEMENT_FUZZ_DEFAULT;
-    cfg->conn_default.sa_keying_tries       = SA_REPLACEMENT_RETRIES_DEFAULT;
-    cfg->conn_default.addr_family           = AF_INET;
-    cfg->conn_default.tunnel_addr_family    = AF_INET;
-
-    cfg->conn_default.left.seen  = LEMPTY;
-    cfg->conn_default.right.seen = LEMPTY;
-
-    anyaddr(AF_INET, &cfg->conn_default.left.addr);
-    anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
-    anyaddr(AF_INET, &cfg->conn_default.left.srcip);
-    anyaddr(AF_INET, &cfg->conn_default.right.addr);
-    anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
-    anyaddr(AF_INET, &cfg->conn_default.right.srcip);
-
-    cfg->ca_default.seen = LEMPTY;
+       assert(KW_SETUP_LAST - KW_SETUP_FIRST <
+               sizeof(cfg->setup.seen) * BITS_PER_BYTE);
+       assert(KW_CONN_LAST  - KW_CONN_FIRST <
+               sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
+       assert(KW_END_LAST - KW_END_FIRST <
+               sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
+       assert(KW_CA_LAST - KW_CA_FIRST <
+               sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
+
+       cfg->setup.seen        = LEMPTY;
+       cfg->setup.fragicmp    = TRUE;
+       cfg->setup.hidetos     = TRUE;
+       cfg->setup.uniqueids   = TRUE;
+       cfg->setup.interfaces  = new_list("%defaultroute");
+       cfg->setup.charonstart = TRUE;
+       cfg->setup.plutostart  = TRUE;
+
+       cfg->conn_default.seen    = LEMPTY;
+       cfg->conn_default.startup = STARTUP_NO;
+       cfg->conn_default.state   = STATE_IGNORE;
+       cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS;
+
+       cfg->conn_default.ike                   = clone_str(ike_defaults, "ike_defaults");
+       cfg->conn_default.esp                   = clone_str(esp_defaults, "esp_defaults");
+       cfg->conn_default.sa_ike_life_seconds   = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
+       cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
+       cfg->conn_default.sa_rekey_margin       = SA_REPLACEMENT_MARGIN_DEFAULT;
+       cfg->conn_default.sa_rekey_fuzz         = SA_REPLACEMENT_FUZZ_DEFAULT;
+       cfg->conn_default.sa_keying_tries       = SA_REPLACEMENT_RETRIES_DEFAULT;
+       cfg->conn_default.addr_family           = AF_INET;
+       cfg->conn_default.tunnel_addr_family    = AF_INET;
+
+       cfg->conn_default.left.seen  = LEMPTY;
+       cfg->conn_default.right.seen = LEMPTY;
+
+       anyaddr(AF_INET, &cfg->conn_default.left.addr);
+       anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
+       anyaddr(AF_INET, &cfg->conn_default.left.srcip);
+       anyaddr(AF_INET, &cfg->conn_default.right.addr);
+       anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+       anyaddr(AF_INET, &cfg->conn_default.right.srcip);
+
+       cfg->ca_default.seen = LEMPTY;
 }
 
 #define KW_POLICY_FLAG(sy, sn, fl) \
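Review bot: `cfg->setup.charonstart = TRUE;` turns the IKEv2 daemon on for every installation whose ipsec.conf does not mention the new keyword, whereas before this commit charon was only built when `USE_IKEV2` was set, a switch the Makefile.inc hunk removes in the same commit. An existing IKEv1-only deployment therefore picks up a second IKE daemon after upgrading without any configuration change, which is worth stating at the assignment and in the ipsec.conf documentation, e.g. `/* both pluto and charon are started unless disabled in config setup */`. Since the `memset` line is being rewritten anyway, `memset(cfg, 0, sizeof *cfg);` would tie the cleared size to the pointer's type instead of repeating the struct tag.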
@@ -97,173 +98,172 @@ default_values(starter_config_t *cfg)
 static void
 load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
 {
-    kw_list_t *kw;
+       kw_list_t *kw;
 
-    DBG(DBG_CONTROL,
-       DBG_log("Loading config setup")
+       DBG(DBG_CONTROL,
+               DBG_log("Loading config setup")
     )
 
-    for (kw = cfgp->config_setup; kw; kw = kw->next)
-    {
-       bool assigned = FALSE;
+       for (kw = cfgp->config_setup; kw; kw = kw->next)
+       {
+               bool assigned = FALSE;
 
-       kw_token_t token = kw->entry->token;
+               kw_token_t token = kw->entry->token;
  
-       if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
-       {
-           plog("# unsupported keyword '%s' in config setup", kw->entry->name);
-           cfg->err++;
-           continue;
-       }
+               if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
+               {
+                       plog("# unsupported keyword '%s' in config setup", kw->entry->name);
+                       cfg->err++;
+                       continue;
+               }
 
-       if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
-       {
-           plog("  bad argument value in config setup");
-           cfg->err++;
-           continue;
+               if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
+               {
+                       plog("  bad argument value in config setup");
+                       cfg->err++;
+                       continue;
+               }
        }
-    }
 }
 
 static void
 kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
     , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
 {
-    err_t ugh = NULL;
-    bool assigned = FALSE;
-    int has_port_wildcard;        /* set if port is %any */
-
-    char *name  = kw->entry->name;
-    char *value = kw->value;
-
-    if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
-       goto err;
+       err_t ugh = NULL;
+       bool assigned = FALSE;
+       int has_port_wildcard;        /* set if port is %any */
 
-    if (token == KW_SENDCERT)
-    {
-       if (end->sendcert == CERT_YES_SEND)
-           end->sendcert = CERT_ALWAYS_SEND;
-       else if (end->sendcert == CERT_NO_SEND)
-           end->sendcert = CERT_NEVER_SEND;
-    }
+       char *name  = kw->entry->name;
+       char *value = kw->value;
 
-    if (assigned)
-       return;
-
-    switch (token)
-    {
-    case KW_HOST:
-       if (streq(value, "%defaultroute"))
-       {
-           if (cfg->defaultroute.defined)
-           {
-               end->addr    = cfg->defaultroute.addr;
-               end->nexthop = cfg->defaultroute.nexthop;
-           }
-           else
-           {
-               plog("# default route not known: %s=%s", name, value);
-               goto err;
-           }
-       }
-       else if (streq(value,"%any"))
-        {
-           anyaddr(conn->addr_family, &end->addr);
-       }
-       else if (value[0] == '%')
-       {
-           if (end->iface)
-               pfree(end->iface);
-           end->iface = clone_str(value+1, "iface");
-           if (starter_iface_find(end->iface, conn->addr_family, &end->addr,
-               &end->nexthop) == -1)
-           {
-               conn->state = STATE_INVALID;
-           }
-       }
-       else
-       {
-           ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
-           if (ugh != NULL)
-           {
-               plog("# bad addr: %s=%s [%s]", name, value, ugh);
-               goto err;
-           }
-       }
-       break;
-    case KW_NEXTHOP:
-       if (streq(value, "%defaultroute"))
-       {
-           if (cfg->defaultroute.defined)
-               end->nexthop = cfg->defaultroute.nexthop;
-           else
-           {
-               plog("# default route not known: %s=%s", name, value);
+       if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
                goto err;
-           }
-       }
-       else if (streq(value, "%direct"))
-           ugh = anyaddr(conn->addr_family, &end->nexthop);
-       else
-           ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
 
-       if (ugh != NULL)
+       if (token == KW_SENDCERT)
        {
-           plog("# bad addr: %s=%s [%s]", name, value, ugh);
-           goto err;
+               if (end->sendcert == CERT_YES_SEND)
+                       end->sendcert = CERT_ALWAYS_SEND;
+               else if (end->sendcert == CERT_NO_SEND)
+                       end->sendcert = CERT_NEVER_SEND;
        }
-       break;
-    case KW_SUBNET:
-       if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
-       ||  (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
-       {
-           end->virt = clone_str(value, "virt");
-       }
-       else
-       {
-           end->has_client = TRUE;
-           ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
-           if (ugh != NULL)
-           {
-               plog("# bad subnet: %s=%s [%s]", name, value, ugh);
-               goto err;
-           }
-       }
-       break;
-    case KW_SUBNETWITHIN:
-       end->has_client = TRUE;
-       end->has_client_wildcard = TRUE;
-       ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
-       break;
-    case KW_PROTOPORT:
-       ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
-       end->has_port_wildcard = has_port_wildcard;
-       break;
-    case KW_SOURCEIP:
-       if (streq(value, "%modeconfig") || streq(value, "%modecfg"))
-       {
-           end->modecfg = TRUE;
-       }
-       else
+
+       if (assigned)
+               return;
+
+       switch (token)
        {
-           ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip);
-           if (ugh != NULL)
-           {
-               plog("# bad addr: %s=%s [%s]", name, value, ugh);
-               goto err;
-           }
-           end->has_srcip = TRUE;
+       case KW_HOST:
+               if (streq(value, "%defaultroute"))
+               {
+                       if (cfg->defaultroute.defined)
+                       {
+                               end->addr    = cfg->defaultroute.addr;
+                               end->nexthop = cfg->defaultroute.nexthop;
+                       }
+                       else
+                       {
+                               plog("# default route not known: %s=%s", name, value);
+                               goto err;
+                       }
+               }
+               else if (streq(value,"%any"))
+               {
+                       anyaddr(conn->addr_family, &end->addr);
+               }
+               else if (value[0] == '%')
+               {
+                       if (end->iface)
+                               pfree(end->iface);
+                       end->iface = clone_str(value+1, "iface");
+                       if (starter_iface_find(end->iface, conn->addr_family, &end->addr, &end->nexthop) == -1)
+                       {
+                               conn->state = STATE_INVALID;
+                       }
+               }
+               else
+               {
+                       ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
+                       if (ugh != NULL)
+                       {
+                               plog("# bad addr: %s=%s [%s]", name, value, ugh);
+                               goto err;
+                       }
+               }
+               break;
+       case KW_NEXTHOP:
+               if (streq(value, "%defaultroute"))
+               {
+                       if (cfg->defaultroute.defined)
+                               end->nexthop = cfg->defaultroute.nexthop;
+                       else
+                       {
+                               plog("# default route not known: %s=%s", name, value);
+                               goto err;
+                       }
+               }
+               else if (streq(value, "%direct"))
+                       ugh = anyaddr(conn->addr_family, &end->nexthop);
+               else
+                       ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
+
+               if (ugh != NULL)
+               {
+                       plog("# bad addr: %s=%s [%s]", name, value, ugh);
+                       goto err;
+               }
+               break;
+       case KW_SUBNET:
+               if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
+               ||  (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
+               {
+                       end->virt = clone_str(value, "virt");
+               }
+               else
+               {
+                       end->has_client = TRUE;
+                       ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
+                       if (ugh != NULL)
+                       {
+                               plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+                               goto err;
+                       }
+               }
+               break;
+       case KW_SUBNETWITHIN:
+               end->has_client = TRUE;
+               end->has_client_wildcard = TRUE;
+               ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
+               break;
+       case KW_PROTOPORT:
+               ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
+               end->has_port_wildcard = has_port_wildcard;
+               break;
+       case KW_SOURCEIP:
+               if (streq(value, "%modeconfig") || streq(value, "%modecfg"))
+               {
+                       end->modecfg = TRUE;
+               }
+               else
+               {
+                       ugh = ttoaddr(value, 0, conn->addr_family, &end->srcip);
+                       if (ugh != NULL)
+                       {
+                               plog("# bad addr: %s=%s [%s]", name, value, ugh);
+                               goto err;
+                       }
+                       end->has_srcip = TRUE;
+               }
+               conn->policy |= POLICY_TUNNEL;
+               break;
+       default:
+               break;
        }
-       conn->policy |= POLICY_TUNNEL;
-       break;
-    default:
-       break;
-    }
-    return;
+       return;
 
 err:
-    plog("  bad argument value in conn '%s'", conn_name);
-    cfg->err++;
+       plog("  bad argument value in conn '%s'", conn_name);
+       cfg->err++;
 }
 
 /*
@@ -272,19 +272,19 @@ err:
 static void
 handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
 {
-    if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
-    {
-       if (end->updown != NULL)
+       if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
        {
-           plog("# cannot have both %sfirewall and %supdown", label, label);
-           cfg->err++;
-       }
-       else
-       {
-           end->updown = clone_str(firewall_defaults, "firewall_defaults");
-           end->firewall = FALSE;
+               if (end->updown != NULL)
+               {
+                       plog("# cannot have both %sfirewall and %supdown", label, label);
+                       cfg->err++;
+               }
+               else
+               {
+                       end->updown = clone_str(firewall_defaults, "firewall_defaults");
+                       end->firewall = FALSE;
+               }
        }
-    }
 }
 
 /*
@@ -293,133 +293,133 @@ handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
 static void
 load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 {
-    char *conn_name = (conn->name == NULL)? "%default":conn->name;
+       char *conn_name = (conn->name == NULL)? "%default":conn->name;
 
-    for ( ; kw; kw = kw->next)
-    {
-       bool assigned = FALSE;
-
-       kw_token_t token = kw->entry->token;
-
-       if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
+       for ( ; kw; kw = kw->next)
        {
-           kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
-                 , kw, conn_name, cfg);
-           continue;
-       }
-       else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
-       {
-           kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
-                 , kw, conn_name, cfg);
-           continue;
-       }
+               bool assigned = FALSE;
 
-       if (token == KW_AUTO)
-       {
-           token = KW_CONN_SETUP;
-       }
-       else if (token == KW_ALSO)
-       {
-           if (cfg->parse_also)
-           {
-               also_t *also = alloc_thing(also_t, "also_t");
+               kw_token_t token = kw->entry->token;
 
-               also->name = clone_str(kw->value, "also");
-               also->next = conn->also;
-               conn->also = also;
+               if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
+               {
+                       kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
+                               ,  kw, conn_name, cfg);
+                       continue;
+               }
+               else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
+               {
+                       kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
+                                , kw, conn_name, cfg);
+                       continue;
+               }
 
-               DBG(DBG_CONTROL,
-                   DBG_log("  also=%s", kw->value)
-               )
-           }
-           continue;
-       }
+               if (token == KW_AUTO)
+               {
+                       token = KW_CONN_SETUP;
+               }
+               else if (token == KW_ALSO)
+               {
+                       if (cfg->parse_also)
+                       {
+                               also_t *also = alloc_thing(also_t, "also_t");
+
+                               also->name = clone_str(kw->value, "also");
+                               also->next = conn->also;
+                               conn->also = also;
+
+                               DBG(DBG_CONTROL,
+                                       DBG_log("  also=%s", kw->value)
+                               )
+                       }
+                       continue;
+               }
 
-       if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
-       {
-           plog("# unsupported keyword '%s' in conn '%s'"
-               , kw->entry->name, conn_name);
-           cfg->err++;
-           continue;
-       }
+               if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
+               {
+                       plog("# unsupported keyword '%s' in conn '%s'"
+                               , kw->entry->name, conn_name);
+                       cfg->err++;
+                       continue;
+               }
 
-       if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
-       {
-           plog("  bad argument value in conn '%s'", conn_name);
-           cfg->err++;
-           continue;
-       }
+               if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
+               {
+                       plog("  bad argument value in conn '%s'", conn_name);
+                       cfg->err++;
+                       continue;
+               }
 
-       if (assigned)
-           continue;
+               if (assigned)
+                       continue;
 
-       switch (token)
-       {
-       case KW_TYPE:
-           conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
-           if (streq(kw->value, "tunnel"))
-               conn->policy |= POLICY_TUNNEL;
-           else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
-               conn->policy |= POLICY_SHUNT_PASS;
-           else if (streq(kw->value, "drop"))
-               conn->policy |= POLICY_SHUNT_DROP;
-           else if (streq(kw->value, "reject"))
-               conn->policy |= POLICY_SHUNT_REJECT;
-           else if (strcmp(kw->value, "transport") != 0)
-           {
-               plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
-               cfg->err++;
-           }
-          break;
-       case KW_PFS:
-           KW_POLICY_FLAG("yes", "no", POLICY_PFS)
-           break;
-       case KW_COMPRESS:
-           KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
-           break; 
-       case KW_AUTH:
-           KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
-           break; 
-       case KW_AUTHBY:
-           conn->policy &= ~(POLICY_RSASIG | POLICY_PSK | POLICY_ENCRYPT);
-
-           if (strcmp(kw->value, "never") != 0)
-           {
-               char *value = kw->value;
-               char *second = strchr(kw->value, '|');
-
-               if (second != NULL)
-                   *second = '\0';
-
-               /* also handles the cases secret|rsasig and rsasig|secret */
-               for (;;)
-               {
-                   if (streq(value, "rsasig"))
-                       conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
-                   else if (streq(value, "secret"))
-                       conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
-                   else
-                   {
-                       plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
-                       cfg->err++;
+               switch (token)
+               {
+               case KW_TYPE:
+                       conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
+                       if (streq(kw->value, "tunnel"))
+                               conn->policy |= POLICY_TUNNEL;
+                       else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
+                               conn->policy |= POLICY_SHUNT_PASS;
+                       else if (streq(kw->value, "drop"))
+                               conn->policy |= POLICY_SHUNT_DROP;
+                       else if (streq(kw->value, "reject"))
+                               conn->policy |= POLICY_SHUNT_REJECT;
+                       else if (strcmp(kw->value, "transport") != 0)
+                       {
+                               plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+                               cfg->err++;
+                       }
                        break;
-                   }
-                   if (second == NULL)
+               case KW_PFS:
+                       KW_POLICY_FLAG("yes", "no", POLICY_PFS)
                        break;
-                   value = second;
-                   second = NULL; /* traverse the loop no more than twice */
-               }
-           }
-           break;
-       case KW_REKEY:
-           KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
-           break;
-       default:
-           break;
+               case KW_COMPRESS:
+                       KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+                       break; 
+               case KW_AUTH:
+                       KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+                       break; 
+               case KW_AUTHBY:
+                       conn->policy &= ~(POLICY_RSASIG | POLICY_PSK | POLICY_ENCRYPT);
+
+                       if (strcmp(kw->value, "never") != 0)
+                       {
+                               char *value = kw->value;
+                               char *second = strchr(kw->value, '|');
+
+                               if (second != NULL)
+                                       *second = '\0';
+
+                               /* also handles the cases secret|rsasig and rsasig|secret */
+                               for (;;)
+                               {
+                                       if (streq(value, "rsasig"))
+                                               conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
+                                       else if (streq(value, "secret"))
+                                               conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
+                                       else
+                                       {
+                                               plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+                                               cfg->err++;
+                                               break;
+                                       }
+                                       if (second == NULL)
+                                               break;
+                                       value = second;
+                                       second = NULL; /* traverse the loop no more than twice */
+                               }
+                       }
+                       break;
+               case KW_REKEY:
+                       KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+                       break;
+               default:
+                       break;
+               }
        }
-    }
-    handle_firewall("left", &conn->left, cfg);
-    handle_firewall("right", &conn->right, cfg);
+       handle_firewall("left", &conn->left, cfg);
+       handle_firewall("right", &conn->right, cfg);
 }
 
 /*
@@ -428,15 +428,12 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
 static void
 conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 {
-    memcpy(conn, def, sizeof(starter_conn_t));
-    conn->name = clone_str(name, "conn name");
-
-    clone_args(KW_CONN_FIRST, KW_CONN_LAST
-            , (char *)conn, (char *)def);
-    clone_args(KW_END_FIRST, KW_END_LAST
-            , (char *)&conn->left, (char *)&def->left);
-    clone_args(KW_END_FIRST, KW_END_LAST
-           , (char *)&conn->right, (char *)&def->right);
+       memcpy(conn, def, sizeof(starter_conn_t));
+       conn->name = clone_str(name, "conn name");
+
+       clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
+       clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
+       clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right, (char *)&def->right);
 }
 
 /*
@@ -445,53 +442,52 @@ conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
 static void
 load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 {
-    char *ca_name = (ca->name == NULL)? "%default":ca->name;
-
-    for ( ; kw; kw = kw->next)
-    {
-       bool assigned = FALSE;
+       char *ca_name = (ca->name == NULL)? "%default":ca->name;
 
-       kw_token_t token = kw->entry->token;
-
-       if (token == KW_AUTO)
-       {
-           token = KW_CA_SETUP;
-       }
-       else if (token == KW_ALSO)
+       for ( ; kw; kw = kw->next)
        {
-           if (cfg->parse_also)
-           {
-               also_t *also = alloc_thing(also_t, "also_t");
+               bool assigned = FALSE;
 
-               also->name = clone_str(kw->value, "also");
-               also->next = ca->also;
-               ca->also = also;
+               kw_token_t token = kw->entry->token;
 
-               DBG(DBG_CONTROL,
-                   DBG_log("  also=%s", kw->value)
-               )
-           }
-           continue;
-       }
+               if (token == KW_AUTO)
+               {
+                       token = KW_CA_SETUP;
+               }
+               else if (token == KW_ALSO)
+               {
+                       if (cfg->parse_also)
+                       {
+                               also_t *also = alloc_thing(also_t, "also_t");
+
+                               also->name = clone_str(kw->value, "also");
+                               also->next = ca->also;
+                               ca->also = also;
+
+                               DBG(DBG_CONTROL,
+                                       DBG_log("  also=%s", kw->value)
+                               )
+               }
+                       continue;
+               }
 
-       if (token < KW_CA_FIRST || token > KW_CA_LAST)
-       {
-           plog("# unsupported keyword '%s' in ca '%s'"
-                    , kw->entry->name, ca_name);
-           cfg->err++;
-           continue;
-       }
+               if (token < KW_CA_FIRST || token > KW_CA_LAST)
+               {
+                       plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name);
+                       cfg->err++;
+                       continue;
+               }
 
-       if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
-       {
-           plog("  bad argument value in ca '%s'", ca_name);
-           cfg->err++;
+               if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
+               {
+                       plog("  bad argument value in ca '%s'", ca_name);
+                       cfg->err++;
+               }
        }
-    }
 
-    /* treat 'route' and 'start' as 'add' */
-    if (ca->startup != STARTUP_NO)
-       ca->startup = STARTUP_ADD;
+       /* treat 'route' and 'start' as 'add' */
+       if (ca->startup != STARTUP_NO)
+               ca->startup = STARTUP_ADD;
 }
 
 /*
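Review bot: The closing brace of the `if (cfg->parse_also)` block, the `}` immediately after the `DBG(...)` call, is indented two tabs while its opening brace and the `if` line sit at three, so it reads as if it closed the `else if (token == KW_ALSO)` block and the `continue;` that follows looks misplaced. The brace pairing is still correct, so behavior is unchanged, but it should be indented to match `if (cfg->parse_also)`. The parallel KW_ALSO block in load_conn earlier in this diff has the brace at the right depth, so this is a slip in the tab conversion rather than an intended layout.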
@@ -500,10 +496,10 @@ load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
 static void
 ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
 {
-    memcpy(ca, def, sizeof(starter_ca_t));
-    ca->name = clone_str(name, "ca name");
+       memcpy(ca, def, sizeof(starter_ca_t));
+       ca->name = clone_str(name, "ca name");
 
-    clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
+       clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
 }
 
 static kw_list_t*
@@ -512,25 +508,25 @@ find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
 static void
 load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
 {
-    while (also != NULL)
-    {
-       kw_list_t *kw = find_also_conn(also->name, conn, cfg);
-
-       if (kw == NULL)
-       {
-           plog("  conn '%s' cannot include '%s'", conn->name, also->name);
-       }
-       else
+       while (also != NULL)
        {
-           DBG(DBG_CONTROL,
-               DBG_log("conn '%s' includes '%s'", conn->name, also->name)
-           )
-           /* only load if no error occurred in the first round */
-           if (cfg->err == 0)
-               load_conn(conn, kw, cfg);
+               kw_list_t *kw = find_also_conn(also->name, conn, cfg);
+
+               if (kw == NULL)
+               {
+                       plog("  conn '%s' cannot include '%s'", conn->name, also->name);
+               }
+               else
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("conn '%s' includes '%s'", conn->name, also->name)
+                       )
+                       /* only load if no error occurred in the first round */
+                       if (cfg->err == 0)
+                               load_conn(conn, kw, cfg);
+               }
+               also = also->next;
        }
-       also = also->next;
-    }
 }
 
 /*
@@ -539,28 +535,28 @@ load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
 static kw_list_t*
 find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
 {
-    starter_conn_t *c = cfg->conn_first;
+       starter_conn_t *c = cfg->conn_first;
 
-    while (c != NULL)
-    {
-       if (streq(name, c->name))
+       while (c != NULL)
        {
-           if (conn->visit == c->visit)
-           {
-               plog("# detected also loop");
-               cfg->err++;
-               return NULL;
-           }
-           c->visit = conn->visit;
-           load_also_conns(conn, c->also, cfg);
-           return c->kw;
+               if (streq(name, c->name))
+               {
+                       if (conn->visit == c->visit)
+                       {
+                               plog("# detected also loop");
+                               cfg->err++;
+                               return NULL;
+                       }
+                       c->visit = conn->visit;
+                       load_also_conns(conn, c->also, cfg);
+                       return c->kw;
+               }
+               c = c->next;
        }
-       c = c->next;
-    }
 
-    plog("# also '%s' not found", name);
-    cfg->err++;
-    return NULL;
+       plog("# also '%s' not found", name);
+       cfg->err++;
+       return NULL;
 }
 
 static kw_list_t*
@@ -569,25 +565,25 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg);
 static void
 load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
 {
-    while (also != NULL)
-    {
-       kw_list_t *kw = find_also_ca(also->name, ca, cfg);
-
-       if (kw == NULL)
-       {
-           plog("  ca '%s' cannot include '%s'", ca->name, also->name);
-       }
-       else
+       while (also != NULL)
        {
-           DBG(DBG_CONTROL,
-               DBG_log("ca '%s' includes '%s'", ca->name, also->name)
-           )
-           /* only load if no error occurred in the first round */
-           if (cfg->err == 0)
-               load_ca(ca, kw, cfg);
+               kw_list_t *kw = find_also_ca(also->name, ca, cfg);
+
+               if (kw == NULL)
+               {
+                       plog("  ca '%s' cannot include '%s'", ca->name, also->name);
+               }
+               else
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("ca '%s' includes '%s'", ca->name, also->name)
+                       )
+                       /* only load if no error occurred in the first round */
+                       if (cfg->err == 0)
+                       load_ca(ca, kw, cfg);
+               }
+               also = also->next;
        }
-       also = also->next;
-    }
 }
 
 /*
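Review bot: The `load_ca(ca, kw, cfg);` call on the line after `if (cfg->err == 0)` is indented at the same level as its controlling `if`, so the conditional's body is no longer visible from the layout; it should carry one more tab, as the matching `load_conn(conn, kw, cfg);` in load_also_conns does. The SIGALRM case in starter.c has the inverse slip, where the two `_action_ |= FLAG_ACTION_START_...;` lines gained one tab more than the `break;` that follows them. Both are whitespace-only, but since the commit is itself a re-indentation the new layout should be consistent with the blocks around it.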
@@ -596,28 +592,28 @@ load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
 static kw_list_t*
 find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
 {
-    starter_ca_t *c = cfg->ca_first;
+       starter_ca_t *c = cfg->ca_first;
 
-    while (c != NULL)
-    {
-       if (streq(name, c->name))
+       while (c != NULL)
        {
-           if (ca->visit == c->visit)
-           {
-               plog("# detected also loop");
-               cfg->err++;
-               return NULL;
-           }
-           c->visit = ca->visit;
-           load_also_cas(ca, c->also, cfg);
-           return c->kw;
+               if (streq(name, c->name))
+               {
+                       if (ca->visit == c->visit)
+                       {
+                               plog("# detected also loop");
+                               cfg->err++;
+                               return NULL;
+                       }
+                       c->visit = ca->visit;
+                       load_also_cas(ca, c->also, cfg);
+                       return c->kw;
+               }
+               c = c->next;
        }
-       c = c->next;
-    }
 
-    plog("# also '%s' not found", name);
-    cfg->err++;
-    return NULL;
+       plog("# also '%s' not found", name);
+       cfg->err++;
+       return NULL;
 }
 
 
@@ -628,162 +624,162 @@ find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
 starter_config_t *
 confread_load(const char *file)
 {
-    starter_config_t *cfg = NULL;
-    config_parsed_t  *cfgp;
-    section_list_t   *sconn, *sca;
-    starter_conn_t   *conn;
-    starter_ca_t     *ca;
+       starter_config_t *cfg = NULL;
+       config_parsed_t  *cfgp;
+       section_list_t   *sconn, *sca;
+       starter_conn_t   *conn;
+       starter_ca_t     *ca;
 
-    u_int visit        = 0;
+       u_int visit     = 0;
 
-    /* load IPSec configuration file  */
-    cfgp = parser_load_conf(file);
-    if (!cfgp)
-       return NULL;
+       /* load IPSec configuration file  */
+       cfgp = parser_load_conf(file);
+       if (!cfgp)
+               return NULL;
 
-    cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
+       cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
 
-    /* set default values */
-    default_values(cfg);
+       /* set default values */
+       default_values(cfg);
 
-    /* determine default route */
-    get_defaultroute(&cfg->defaultroute);
-    /* load config setup section */
-    load_setup(cfg, cfgp);
+       /* determine default route */
+       get_defaultroute(&cfg->defaultroute);
 
-    /* in the first round parse also statements */
-    cfg->parse_also = TRUE;
+       /* load config setup section */
+       load_setup(cfg, cfgp);
 
-     /* find %default ca section */
-    for (sca = cfgp->ca_first; sca; sca = sca->next)
-    {
-       if (streq(sca->name, "%default"))
+       /* in the first round parse also statements */
+       cfg->parse_also = TRUE;
+
+       /* find %default ca section */
+       for (sca = cfgp->ca_first; sca; sca = sca->next)
        {
-           DBG(DBG_CONTROL,
-               DBG_log("Loading ca %%default")
-           )
-           load_ca(&cfg->ca_default, sca->kw, cfg);
+               if (streq(sca->name, "%default"))
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("Loading ca %%default")
+                       )
+                       load_ca(&cfg->ca_default, sca->kw, cfg);
+               }
        }
-    }
 
-    /* parameters defined in ca %default sections can be overloads */
-    cfg->ca_default.seen = LEMPTY;
+       /* parameters defined in ca %default sections can be overloads */
+       cfg->ca_default.seen = LEMPTY;
 
-    /* load other ca sections */
-    for (sca = cfgp->ca_first; sca; sca = sca->next)
-    {
-       /* skip %default ca section */
-       if (streq(sca->name, "%default"))
-           continue;
-
-       DBG(DBG_CONTROL,
-           DBG_log("Loading ca '%s'", sca->name)
-       )
-       ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
-
-       ca_default(sca->name, ca, &cfg->ca_default);
-       ca->kw =  sca->kw;
-       ca->next = NULL;
-
-       if (cfg->ca_last)
-           cfg->ca_last->next = ca;
-       cfg->ca_last = ca;
-       if (!cfg->ca_first)
-           cfg->ca_first = ca;
-
-       load_ca(ca, ca->kw, cfg);
-    }
-
-    for (ca = cfg->ca_first; ca; ca = ca->next)
-    {
-       also_t *also = ca->also;
-       
-       while (also != NULL)
+       /* load other ca sections */
+       for (sca = cfgp->ca_first; sca; sca = sca->next)
        {
-           kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
+               /* skip %default ca section */
+               if (streq(sca->name, "%default"))
+                       continue;
+
+               DBG(DBG_CONTROL,
+                       DBG_log("Loading ca '%s'", sca->name)
+               )
+               ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
 
-           load_ca(ca, kw, cfg);
-           also = also->next;
+               ca_default(sca->name, ca, &cfg->ca_default);
+               ca->kw =  sca->kw;
+               ca->next = NULL;
+
+               if (cfg->ca_last)
+                       cfg->ca_last->next = ca;
+               cfg->ca_last = ca;
+               if (!cfg->ca_first)
+                       cfg->ca_first = ca;
+
+               load_ca(ca, ca->kw, cfg);
        }
 
-       if (ca->startup != STARTUP_NO)
-           ca->state = STATE_TO_ADD;
-    }
+       for (ca = cfg->ca_first; ca; ca = ca->next)
+       {
+               also_t *also = ca->also;
+       
+               while (also != NULL)
+               {
+                       kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
 
-    /* find %default conn sections */
-    for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
-    {
-       if (streq(sconn->name, "%default"))
+                       load_ca(ca, kw, cfg);
+                       also = also->next;
+               }
+
+               if (ca->startup != STARTUP_NO)
+                       ca->state = STATE_TO_ADD;
+       }
+
+       /* find %default conn sections */
+       for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
        {
-           DBG(DBG_CONTROL,
-               DBG_log("Loading conn %%default")
-           )
-           load_conn(&cfg->conn_default, sconn->kw, cfg);
+               if (streq(sconn->name, "%default"))
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("Loading conn %%default")
+                       )
+                       load_conn(&cfg->conn_default, sconn->kw, cfg);
+               }
        }
-    }
 
-    /* parameter defined in conn %default sections can be overloaded */
-    cfg->conn_default.seen       = LEMPTY;
-    cfg->conn_default.right.seen = LEMPTY;
-    cfg->conn_default.left.seen  = LEMPTY;
+       /* parameter defined in conn %default sections can be overloaded */
+       cfg->conn_default.seen       = LEMPTY;
+       cfg->conn_default.right.seen = LEMPTY;
+       cfg->conn_default.left.seen  = LEMPTY;
 
-    /* load other conn sections */
-    for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
-    {
-       /* skip %default conn section */
-       if (streq(sconn->name, "%default"))
-           continue;
+       /* load other conn sections */
+       for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
+       {
+               /* skip %default conn section */
+               if (streq(sconn->name, "%default"))
+                       continue;
 
-       DBG(DBG_CONTROL,
-           DBG_log("Loading conn '%s'", sconn->name)
-       )
-       conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
+               DBG(DBG_CONTROL,
+                       DBG_log("Loading conn '%s'", sconn->name)
+               )
+               conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
 
-       conn_default(sconn->name, conn, &cfg->conn_default);
-       conn->kw =  sconn->kw;
-       conn->next = NULL;
+               conn_default(sconn->name, conn, &cfg->conn_default);
+               conn->kw =  sconn->kw;
+               conn->next = NULL;
 
-       if (cfg->conn_last)
-           cfg->conn_last->next = conn;
-       cfg->conn_last = conn;
-       if (!cfg->conn_first)
-           cfg->conn_first = conn;
+               if (cfg->conn_last)
+                       cfg->conn_last->next = conn;
+               cfg->conn_last = conn;
+               if (!cfg->conn_first)
+                       cfg->conn_first = conn;
 
-       load_conn(conn, conn->kw, cfg);
-    }
+               load_conn(conn, conn->kw, cfg);
+       }
 
-    /* in the second round do not parse also statements */
-    cfg->parse_also = FALSE;
+       /* in the second round do not parse also statements */
+       cfg->parse_also = FALSE;
 
-    for (ca = cfg->ca_first; ca; ca = ca->next)
-    {
-       ca->visit = ++visit;
-       load_also_cas(ca, ca->also, cfg);
+       for (ca = cfg->ca_first; ca; ca = ca->next)
+       {
+               ca->visit = ++visit;
+               load_also_cas(ca, ca->also, cfg);
 
-       if (ca->startup != STARTUP_NO)
-           ca->state = STATE_TO_ADD;
-    }
+               if (ca->startup != STARTUP_NO)
+                       ca->state = STATE_TO_ADD;
+       }
 
-    for (conn = cfg->conn_first; conn; conn = conn->next)
-    {
-       conn->visit = ++visit;
-       load_also_conns(conn, conn->also, cfg);
+       for (conn = cfg->conn_first; conn; conn = conn->next)
+       {
+               conn->visit = ++visit;
+               load_also_conns(conn, conn->also, cfg);
 
-       if (conn->startup != STARTUP_NO)
-           conn->state = STATE_TO_ADD;
-    }
+               if (conn->startup != STARTUP_NO)
+                       conn->state = STATE_TO_ADD;
+       }
 
-    parser_free_conf(cfgp);
+       parser_free_conf(cfgp);
 
-    if (cfg->err)
-    {
-       plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":"");
-       confread_free(cfg);
-       cfg = NULL;
-    }
+       if (cfg->err)
+       {
+               plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":"");
+               confread_free(cfg);
+               cfg = NULL;
+       }
 
-    return cfg;
+       return cfg;
 }
 
 /*
@@ -792,14 +788,14 @@ confread_load(const char *file)
 static void
 free_also(also_t *head)
 {
-    while (head != NULL)
-    {
-       also_t *also = head;
-
-       head = also->next;
-       pfree(also->name);
-       pfree(also);
-    }
+       while (head != NULL)
+       {
+               also_t *also = head;
+
+               head = also->next;
+               pfree(also->name);
+               pfree(also);
+       }
 }
 
 /*
@@ -808,10 +804,10 @@ free_also(also_t *head)
 static void
 confread_free_conn(starter_conn_t *conn)
 {
-    free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->left);
-    free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->right);
-    free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
-    free_also(conn->also);
+       free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->left);
+       free_args(KW_END_FIRST, KW_END_LAST,  (char *)&conn->right);
+       free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
+       free_also(conn->also);
 }
 
 /*
@@ -820,8 +816,8 @@ confread_free_conn(starter_conn_t *conn)
 static void
 confread_free_ca(starter_ca_t *ca)
 {
-    free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
-    free_also(ca->also);
+       free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
+       free_also(ca->also);
 }
 
 /*
@@ -830,32 +826,32 @@ confread_free_ca(starter_ca_t *ca)
 void 
 confread_free(starter_config_t *cfg)
 {
-    starter_conn_t *conn = cfg->conn_first;
-    starter_ca_t   *ca   = cfg->ca_first;
+       starter_conn_t *conn = cfg->conn_first;
+       starter_ca_t   *ca   = cfg->ca_first;
 
-    free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
+       free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
 
-    confread_free_conn(&cfg->conn_default);
+       confread_free_conn(&cfg->conn_default);
 
-    while (conn != NULL)
-    {
-       starter_conn_t *conn_aux = conn;
+       while (conn != NULL)
+       {
+               starter_conn_t *conn_aux = conn;
 
-       conn = conn->next;
-       confread_free_conn(conn_aux);
-       pfree(conn_aux);
-    }
+               conn = conn->next;
+               confread_free_conn(conn_aux);
+               pfree(conn_aux);
+       }
 
-    confread_free_ca(&cfg->ca_default);
+       confread_free_ca(&cfg->ca_default);
 
-    while (ca != NULL)
-    {
-       starter_ca_t *ca_aux = ca;
+       while (ca != NULL)
+       {
+               starter_ca_t *ca_aux = ca;
 
-       ca = ca->next;
-       confread_free_ca(ca_aux);
-       pfree(ca_aux);
-    }
+               ca = ca->next;
+               confread_free_ca(ca_aux);
+               pfree(ca_aux);
+       }
 
-    pfree(cfg);
+       pfree(cfg);
 }
index 9793a55..051ce00 100644 (file)
@@ -151,6 +151,8 @@ struct starter_config {
                lset_t  seen;
                char    **interfaces;
                char    *dumpdir;
+               bool    charonstart;
+               bool    plutostart;
 
                /* pluto keywords */
                char    **plutodebug;
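Review bot: The two new members `charonstart` and `plutostart` are added to the setup struct without a comment, while the neighbouring fields are grouped under `/* pluto keywords */`. A one-line comment above them such as `/* start the charon (IKEv2) and pluto (IKEv1) daemons */` would tell a reader that starter.c gates daemon start-up on these flags (the `cfg->setup.plutostart && !starter_pluto_pid()` and `cfg->setup.charonstart && !starter_charon_pid()` checks in that file). The enclosing struct starter_config starts and ends outside this hunk.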
index 83d27e1..61f03b8 100644 (file)
 #define PLUTO_CTL_FILE  DEFAULT_CTLBASE CTL_SUFFIX
 #define PLUTO_PID_FILE  DEFAULT_CTLBASE PID_SUFFIX
 
-#ifdef IKEV2
 #define CHARON_CMD             IPSEC_EXECDIR"/charon"
 #define CHARON_BASE            "/var/run/charon"
 #define CHARON_CTL_FILE CHARON_BASE CTL_SUFFIX
 #define CHARON_PID_FILE CHARON_BASE PID_SUFFIX
-#endif /* IKEV2 */
 
 #define DYNIP_DIR       "/var/run/dynip"
 #define INFO_FILE       "/var/run/ipsec.info"
index 4cc5c03..12db4b7 100644 (file)
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keywords.c,v 1.7 2006/04/17 10:32:48 as Exp $
+ * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
  */
 
 #include <string.h>
@@ -56,12 +56,12 @@ struct kw_entry {
     kw_token_t token;
 };
 
-#define TOTAL_KEYWORDS 77
+#define TOTAL_KEYWORDS 79
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 146
-/* maximum key range = 138, duplicates = 0 */
+#define MAX_HASH_VALUE 156
+/* maximum key range = 148, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -77,32 +77,32 @@ hash (str, len)
 {
   static const unsigned char asso_values[] =
     {
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-       15, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147,  85, 147,  40,
-       25,  25,   0,  10,   5,  80, 147,  35,  60,  35,
-       60,  55,  10, 147,  15,  20,   5,  65, 147, 147,
-      147,  35,   0, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147, 147, 147, 147, 147,
-      147, 147, 147, 147, 147, 147
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+       20, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157,  75, 157,  40,
+       25,  25,   0,  10,   5,  55, 157,  65,  60,  35,
+       80,  65,  10, 157,  15,  20,   5,  80, 157, 157,
+      157,  35,   5, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
+      157, 157, 157, 157, 157, 157
     };
   return len + asso_values[(unsigned char)str[2]] + asso_values[(unsigned char)str[len - 1]];
 }
@@ -142,7 +142,7 @@ static const struct kw_entry wordlist[] =
     {"rightgroups",       KW_RIGHTGROUPS},
     {"rightid",           KW_RIGHTID},
     {"pfs",               KW_PFS},
-    {"rekeyfuzz",         KW_REKEYFUZZ},
+    {""},
     {"righthostaccess",   KW_RIGHTHOSTACCESS},
     {"authby",            KW_AUTHBY},
     {""},
@@ -161,54 +161,62 @@ static const struct kw_entry wordlist[] =
     {"ikelifetime",       KW_IKELIFETIME},
     {""},
     {"compress",          KW_COMPRESS},
-    {"auto",              KW_AUTO},
+    {""},
     {"strictcrlpolicy",   KW_STRICTCRLPOLICY},
     {"keyingtries",       KW_KEYINGTRIES},
     {"keylife",           KW_KEYLIFE},
     {"dpddelay",          KW_DPDDELAY},
     {"cachecrls",         KW_CACHECRLS},
-    {"leftupdown",        KW_LEFTUPDOWN},
+    {""},
     {"keyexchange",       KW_KEYEXCHANGE},
     {"leftfirewall",      KW_LEFTFIREWALL},
     {"nocrsend",          KW_NOCRSEND},
+    {"auto",              KW_AUTO},
+    {"klipsdebug",        KW_KLIPSDEBUG},
     {""},
-    {"rekey",             KW_REKEY},
-    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
     {"pkcs11module",      KW_PKCS11MODULE},
     {"nat_traversal",     KW_NAT_TRAVERSAL},
-    {"also",              KW_ALSO},
+    {"rekeyfuzz",         KW_REKEYFUZZ},
     {"pkcs11keepstate",   KW_PKCS11KEEPSTATE},
-    {"rightupdown",       KW_RIGHTUPDOWN},
-    {"crluri2",           KW_CRLURI2},
+    {"leftca",            KW_LEFTCA},
+    {"ocspuri",           KW_OCSPURI},
     {"rightfirewall",     KW_RIGHTFIREWALL},
-    {"postpluto",         KW_POSTPLUTO},
-    {"plutodebug",        KW_PLUTODEBUG},
+    {"uniqueids",         KW_UNIQUEIDS},
+    {""},
     {"pkcs11proxy",       KW_PKCS11PROXY},
-    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
-    {"prepluto",          KW_PREPLUTO},
-    {""}, {""},
-    {"leftca",            KW_LEFTCA},
-    {""}, {""},
-    {"dpdaction",         KW_DPDACTION},
-    {""}, {""}, {""},
+    {"crluri2",           KW_CRLURI2},
     {"ldaphost",          KW_LDAPHOST},
-    {""},
-    {"klipsdebug",        KW_KLIPSDEBUG},
-    {"overridemtu",       KW_OVERRIDEMTU},
+    {"also",              KW_ALSO},
+    {"leftupdown",        KW_LEFTUPDOWN},
+    {"charonstart",       KW_CHARONSTART},
     {"rightca",           KW_RIGHTCA},
     {"fragicmp",          KW_FRAGICMP},
-    {""}, {""},
-    {"rekeymargin",       KW_REKEYMARGIN},
-    {"ocspuri",           KW_OCSPURI},
+    {"postpluto",         KW_POSTPLUTO},
+    {"plutostart",        KW_PLUTOSTART},
+    {"leftsubnetwithin",  KW_LEFTSUBNETWITHIN},
     {""},
-    {"uniqueids",         KW_UNIQUEIDS},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {"prepluto",          KW_PREPLUTO},
+    {""},
+    {"plutodebug",        KW_PLUTODEBUG},
+    {"rightupdown",       KW_RIGHTUPDOWN},
+    {""}, {""}, {""},
+    {"rekey",             KW_REKEY},
+    {""},
+    {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
     {"ldapbase",          KW_LDAPBASE},
+    {""}, {""}, {""}, {""}, {""},
+    {"dpdaction",         KW_DPDACTION},
+    {""},
+    {"overridemtu",       KW_OVERRIDEMTU},
+    {""}, {""}, {""}, {""},
+    {"crluri",            KW_CRLURI},
     {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {""}, {""}, {""}, {""}, {""},
     {"crlcheckinterval",  KW_CRLCHECKINTERVAL},
     {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
-    {"crluri",            KW_CRLURI}
+    {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+    {""},
+    {"rekeymargin",       KW_REKEYMARGIN}
   };
 
 #ifdef __GNUC__
index 6542ae1..d62a83d 100644 (file)
@@ -22,6 +22,8 @@ typedef enum {
     /* config setup keywords */
     KW_INTERFACES,
     KW_DUMPDIR,
+    KW_CHARONSTART,
+    KW_PLUTOSTART,
 
     /* pluto keywords */
     KW_PLUTODEBUG,
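Review bot: `KW_CHARONSTART` and `KW_PLUTOSTART` are inserted directly after `KW_DUMPDIR`, matching where `charonstart`/`plutostart` were added after `dumpdir` in confread.h, but nothing records that this position must track the struct layout. assign_arg in confread.c is called with a section's first token and a struct base pointer, which suggests token order is mapped onto struct offsets through a parallel table (presumably the one in args.c, changed in this commit but not shown here). A comment on the `config setup keywords` group such as `/* order must match struct starter_config.setup and the token table in args.c */` would make that coupling explicit for the next keyword added. The enclosing typedef enum starts and ends outside this hunk.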
index dcfdafc..789c8f3 100644 (file)
@@ -27,9 +27,11 @@ struct kw_entry {
 };
 %%
 interfaces,        KW_INTERFACES
+dumpdir,           KW_DUMPDIR
+charonstart,       KW_CHARONSTART
+plutostart,        KW_PLUTOSTART
 klipsdebug,        KW_KLIPSDEBUG
 plutodebug,        KW_PLUTODEBUG
-dumpdir,           KW_DUMPDIR
 prepluto,          KW_PREPLUTO
 postpluto,         KW_POSTPLUTO
 fragicmp,          KW_FRAGICMP
index 1f857ce..2806622 100644 (file)
@@ -67,10 +67,8 @@ fsig(int signal)
                {
                                if (pid == starter_pluto_pid())
                                name = " (Pluto)";
-#ifdef IKEV2
                                if (pid == starter_charon_pid())
                                        name = " (Charon)";
-#endif /* IKEV2 */
                                if (WIFSIGNALED(status))
                                        DBG(DBG_CONTROL,
                                                DBG_log("child %d%s has been killed by sig %d\n",
@@ -93,10 +91,8 @@ fsig(int signal)
 
                                if (pid == starter_pluto_pid())
                                        starter_pluto_sigchild(pid);
-#ifdef IKEV2
                                if (pid == starter_charon_pid())
                                        starter_charon_sigchild(pid);
-#endif /* IKEV2 */
                        }
                }
                break;
@@ -106,10 +102,8 @@ fsig(int signal)
                break;
 
     case SIGALRM:
-               _action_ |= FLAG_ACTION_START_PLUTO;
-#ifdef IKEV2
-               _action_ |= FLAG_ACTION_START_CHARON;
-#endif /* IKEV2 */
+                       _action_ |= FLAG_ACTION_START_PLUTO;
+                       _action_ |= FLAG_ACTION_START_CHARON;
                break;
 
     case SIGHUP:
@@ -223,7 +217,6 @@ int main (int argc, char **argv)
        {
                _action_ |= FLAG_ACTION_START_PLUTO;
        }
-#ifdef IKEV2
        if (stat(CHARON_PID_FILE, &stb) == 0)
        {
                plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
@@ -232,7 +225,6 @@ int main (int argc, char **argv)
        {
                _action_ |= FLAG_ACTION_START_CHARON;
        }
-#endif /* IKEV2 */
        if (stat(DEV_RANDOM, &stb) != 0)
        {
                plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
@@ -315,10 +307,8 @@ int main (int argc, char **argv)
                {
                        if (starter_pluto_pid())
                                starter_stop_pluto();
-#ifdef IKEV2
                        if (starter_charon_pid())
                                starter_stop_charon();
-#endif /* IKEV2 */
                        starter_netkey_cleanup();
                        confread_free(cfg);
                        unlink(MY_PID_FILE);
@@ -336,22 +326,16 @@ int main (int argc, char **argv)
                 */
                if (_action_ & FLAG_ACTION_RELOAD)
                {
-                       if (starter_pluto_pid())
+                       if (starter_pluto_pid() || starter_charon_pid())
                        {
                                for (conn = cfg->conn_first; conn; conn = conn->next)
                                {
                                        if (conn->state == STATE_ADDED)
                                        {
-#ifdef IKEV2
                                                if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                               {
                                                        starter_stroke_del_conn(conn);
-                                               }
-#endif /* IKEV2 */
                                                else
-                                               {
                                                        starter_whack_del_conn(conn);
-                                               }
                                                conn->state = STATE_TO_ADD;
                                }
                                }
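Review bot: The reload path is now entered when either daemon is alive, but the per-connection delete still dispatches only on `conn->keyexchange`, so an IKEv2 conn is handed to starter_stroke_del_conn while only pluto is running, and an IKEv1 conn to starter_whack_del_conn while only charon is (a mixed config after one daemon has died). If those helpers do not tolerate the absent control socket, each branch should also test the matching pid, e.g. `if (conn->keyexchange == KEY_EXCHANGE_IKEV2) { if (starter_charon_pid()) starter_stroke_del_conn(conn); } else if (starter_pluto_pid()) starter_whack_del_conn(conn);`. The same unguarded switch on `conn->keyexchange` recurs in the next hunk and in the "Add stale conn and ca sections" block that now also opens with `if (starter_pluto_pid() || starter_charon_pid())`. The enclosing main() begins and ends outside this hunk.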
@@ -423,16 +407,10 @@ int main (int argc, char **argv)
                                        {
                                                if (conn->state == STATE_ADDED)
                                                {
-#ifdef IKEV2
                                                        if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                                       {
                                                                starter_stroke_del_conn(conn);
-                                                       }
                                                        else
-#endif /* IKEV2 */
-                                                       {
                                                                starter_whack_del_conn(conn);
-                                                       }
                                                }
                                        }
 
@@ -477,7 +455,7 @@ int main (int argc, char **argv)
                 */
                if (_action_ & FLAG_ACTION_START_PLUTO)
                {
-                       if (starter_pluto_pid() == 0)
+                       if (cfg->setup.plutostart && !starter_pluto_pid())
                        {
                                DBG(DBG_CONTROL,
                                        DBG_log("Attempting to start pluto...")
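Review bot: Starting pluto is now conditional on `cfg->setup.plutostart` (and charon on `cfg->setup.charonstart` in the next hunk), so the value these flags take when ipsec.conf does not mention them decides whether a daemon is launched at all. Nothing visible in this diff shows default_values() in confread.c initialising either field; if they are not explicitly set to TRUE there, an existing config with no `plutostart=` line would silently stop starting pluto. Confirm the defaults, and consider logging when a start is skipped because the flag is off, e.g. `DBG(DBG_CONTROL, DBG_log("pluto start disabled in config setup"))`, so the cause is visible in the log rather than appearing as a daemon that never comes up. main() starts and ends outside this hunk.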
@@ -508,18 +486,17 @@ int main (int argc, char **argv)
                        }
                }
        
-#ifdef IKEV2
                /*
                 * Start charon
                 */
                if (_action_ & FLAG_ACTION_START_CHARON)
                {
-                       if (starter_charon_pid() == 0)
+                       if (cfg->setup.charonstart && !starter_charon_pid())
                        {
                                DBG(DBG_CONTROL,
                                        DBG_log("Attempting to start charon...")
                                )
-                               if (starter_start_charon(cfg, no_fork) != 0)
+                               if (starter_start_charon(cfg, no_fork))
                                {
                                        /* schedule next try */
                                        alarm(PLUTO_RESTART_DELAY);
@@ -527,7 +504,6 @@ int main (int argc, char **argv)
                        }
                        _action_ &= ~FLAG_ACTION_START_CHARON;
                }
-#endif /* IKEV2 */
 
                /*
                 * Tell pluto to reread its interfaces
@@ -541,7 +517,7 @@ int main (int argc, char **argv)
                /*
                 * Add stale conn and ca sections
                 */
-               if (starter_pluto_pid() != 0)
+               if (starter_pluto_pid() || starter_charon_pid())
                {
                        for (ca = cfg->ca_first; ca; ca = ca->next)
                        {
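Review bot: The loosened guard `starter_pluto_pid() || starter_charon_pid()` now lets the `ca` loop run when only charon is up, and its body lies outside the hunk; if ca sections are delivered to pluto via whack, as the IKEv1 connection path is, they are then sent to a daemon that is not running. If ca sections are pluto-only, keep that loop under `starter_pluto_pid()` alone and reserve the combined test for the connection loop, which is the one that dispatches per `keyexchange`. The enclosing function continues outside the hunk.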
@@ -561,43 +537,25 @@ int main (int argc, char **argv)
                                                /* affect new unique id */
                                                conn->id = id++;
                                }
-#ifdef IKEV2
                                        if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                       {
                                                starter_stroke_add_conn(conn);
-                                       }
                                        else
-#endif /* IKEV2 */
-                                       {
                                                starter_whack_add_conn(conn);
-                                       }
                                        conn->state = STATE_ADDED;
 
                                        if (conn->startup == STARTUP_START)
                                        {
-#ifdef IKEV2
                                                if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                               {
                                                        starter_stroke_initiate_conn(conn);
-                                               }
                                                else
-#endif /* IKEV2 */
-                                               {
                                                        starter_whack_initiate_conn(conn);
-                                               }
                                        }
                                        else if (conn->startup == STARTUP_ROUTE)
                                        {
-#ifdef IKEV2
                                                if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                               {
                                                        starter_stroke_route_conn(conn);
-                                               }
                                                else
-#endif /* IKEV2 */
-                                               {
                                                        starter_whack_route_conn(conn);
-                                               }
                                        }
                                }
                        }
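Review bot: The per-connection dispatch to `starter_stroke_add_conn` or `starter_whack_add_conn` now runs whenever either daemon is alive (the guard just above this hunk became `starter_pluto_pid() || starter_charon_pid()`), so with `plutostart=no` an IKEv1 connection is still pushed to whack, and with `charonstart=no` an IKEv2 one to stroke, against a daemon that is not running; either way `conn->state = STATE_ADDED` is set and the add is never retried. A per-keyexchange check before the dispatch avoids that, e.g. `if (conn->keyexchange == KEY_EXCHANGE_IKEV2 ? !starter_charon_pid() : !starter_pluto_pid()) continue;`, leaving the state untouched so a later pass picks the connection up; the initiate/route branches below are skipped with it. The enclosing loop over connections starts outside the hunk, so the exact skip construct depends on its shape.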
index 7eea919..1f371c9 100644 (file)
@@ -1,6 +1,5 @@
-A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using the IKEv2 key exchange protocol. The authentication is based on
+locally importerd <b>X.509 certificates</b>.
+In order to test the established tunnel, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
index 9a95d40..16f46cf 100644 (file)
@@ -2,6 +2,9 @@
 
 version        2.0     # conforms to second version of ipsec.conf specification
 
+config setup
+       plutostart=no
+
 conn net-net 
        left=192.168.0.1
        leftcert=moonCert.pem
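Review bot: The test disables pluto with `plutostart=no` but does not set `charonstart=yes`, so it relies on the default for charonstart in confread.c, which is not visible here; if that default is ever changed, this IKEv2 test is left with no daemon at all and fails only at the ping. Adding `charonstart=yes` under `config setup` pins the intent, and the conn also needs a `keyexchange=ikev2` line for starter to route it to charon, which presumably sits further down the file outside the hunk. The sun configuration mirrors this.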
index b2c2b71..a90a4ce 100644 (file)
@@ -2,6 +2,9 @@
 
 version        2.0     # conforms to second version of ipsec.conf specification
 
+config setup
+       plutostart=no
+
 conn net-net 
        left=192.168.0.2
        leftcert=sunCert.pem