Added left-/rightikeport ipsec.conf options to use custom IKE ports
authorMartin Willi <martin@revosec.ch>
Mon, 22 Feb 2010 18:26:25 +0000 (19:26 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 26 Feb 2010 10:44:33 +0000 (11:44 +0100)
src/charon/plugins/stroke/stroke_config.c
src/starter/args.c
src/starter/cmp.c
src/starter/confread.c
src/starter/confread.h
src/starter/ipsec.conf.5
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke.c
src/stroke/stroke_msg.h

index bfb3900..bbc1e7a 100644 (file)
@@ -232,9 +232,9 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
                }
        }
        ike_cfg = ike_cfg_create(msg->add_conn.other.sendcert != CERT_NEVER_SEND,
-                                                        msg->add_conn.force_encap,
-                                                        msg->add_conn.me.address, IKEV2_UDP_PORT,
-                                                        msg->add_conn.other.address, IKEV2_UDP_PORT);
+                                       msg->add_conn.force_encap,
+                                       msg->add_conn.me.address, msg->add_conn.me.ikeport,
+                                       msg->add_conn.other.address, msg->add_conn.other.ikeport);
        add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
        return ike_cfg;
 }
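Review bot: build_ike_cfg hands msg->add_conn.me.ikeport and msg->add_conn.other.ikeport to ike_cfg_create with no fallback for a zero value, so a stroke message whose sender never filled the new field (an older stroke binary, or a zero-initialised struct) would configure IKE port 0 rather than the port 500 the man page promises as the default. What ike_cfg_create does with a zero port is not visible here, but substituting the default at this boundary is cheap: `msg->add_conn.me.address, msg->add_conn.me.ikeport ? msg->add_conn.me.ikeport : IKEV2_UDP_PORT,` and the same for the other end. build_ike_cfg's body begins outside this hunk.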
index ebbd42c..c2614cd 100644 (file)
@@ -248,6 +248,7 @@ static const token_info_t token_info[] =
 
        /* end keywords */
        { ARG_MISC, 0, NULL  /* KW_HOST */                                             },
+       { ARG_UINT, offsetof(starter_end_t, ikeport), NULL                             },
        { ARG_MISC, 0, NULL  /* KW_NEXTHOP */                                          },
        { ARG_STR, offsetof(starter_end_t, subnet), NULL                               },
        { ARG_MISC, 0, NULL  /* KW_SUBNETWITHIN */                                     },
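Review bot: The new token_info entry stores the ikeport keyword through ARG_UINT into starter_end_t.ikeport, which the confread.h hunk declares as `u_int16_t`; if the ARG_UINT handler (not visible here) assigns through a `u_int *`, as the other ARG_UINT targets in starter appear to be `u_int`, the store is wider than the field and overruns into the padding or the following `nexthop` member. Either widen the field in confread.h to match what ARG_UINT writes, or add a 16-bit argument kind. ARG_UINT also appears to accept any unsigned value, so `leftikeport=65536` would be silently truncated to 0 on the way into the struct; a parse-time range check rejecting 0 and anything above 65535 would turn that into a config error instead of a dead connection. The same table-versus-field mismatch applies to the right end, which shares the entry.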
index 8462a48..33a057b 100644 (file)
@@ -43,6 +43,7 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2)
        {
                ADDCMP(addr);
        }
+       VARCMP(ikeport);
        ADDCMP(nexthop);
        VARCMP(has_client);
        VARCMP(has_client_wildcard);
index 07cc115..f71d9b4 100644 (file)
@@ -96,6 +96,8 @@ static void default_values(starter_config_t *cfg)
        anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
        anyaddr(AF_INET, &cfg->conn_default.right.addr);
        anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+       cfg->conn_default.left.ikeport = 500;
+       cfg->conn_default.right.ikeport = 500;
 
        cfg->ca_default.seen = LEMPTY;
 }
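Review bot: The default IKE port is spelled as the literal 500 twice in default_values and twice more in the stroke.c add_connection hunk, with the man page hunk stating 500 a fifth time, so there is no single place that defines it. A named constant, e.g. `#define IKE_DEFAULT_PORT 500` next to the struct in confread.h (or reuse of IKEV2_UDP_PORT where starter and stroke already have it in scope), keeps the four code sites and the documentation in agreement; a later change to one of them would otherwise silently diverge from the others.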
index 7f32116..e707279 100644 (file)
@@ -66,6 +66,7 @@ struct starter_end {
                char            *groups;
                char            *iface;
                ip_address      addr;
+               u_int16_t       ikeport;
                ip_address      nexthop;
                char            *subnet;
                bool            has_client;
index d4dd723..4cb1cb0 100644 (file)
@@ -604,6 +604,13 @@ identity to use for a second authentication for the left participant
 (IKEv2 only); defaults to
 .BR leftid .
 .TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with port floating to
+4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
 .B leftnexthop
 this parameter is not needed any more because the NETKEY IPsec stack does
 not require explicit routing entries for the traffic to be tunneled.
index 8be31d1..10951f3 100644 (file)
@@ -145,6 +145,7 @@ typedef enum {
 
    /* left end keywords */
        KW_LEFT,
+       KW_LEFTIKEPORT,
        KW_LEFTNEXTHOP,
        KW_LEFTSUBNET,
        KW_LEFTSUBNETWITHIN,
@@ -172,6 +173,7 @@ typedef enum {
 
    /* right end keywords */
        KW_RIGHT,
+       KW_RIGHTIKEPORT,
        KW_RIGHTNEXTHOP,
        KW_RIGHTSUBNET,
        KW_RIGHTSUBNETWITHIN,
index adf3069..12037a6 100644 (file)
@@ -98,6 +98,7 @@ ocspuri1,          KW_OCSPURI
 ocspuri2,          KW_OCSPURI2
 certuribase,       KW_CERTURIBASE
 left,              KW_LEFT
+leftikeport,       KW_LEFTIKEPORT
 leftnexthop,       KW_LEFTNEXTHOP
 leftsubnet,        KW_LEFTSUBNET
 leftsubnetwithin,  KW_LEFTSUBNETWITHIN
@@ -120,6 +121,7 @@ leftca,            KW_LEFTCA
 leftca2,           KW_LEFTCA2
 leftgroups,        KW_LEFTGROUPS
 right,             KW_RIGHT
+rightikeport,      KW_RIGHTIKEPORT
 rightnexthop,      KW_RIGHTNEXTHOP
 rightsubnet,       KW_RIGHTSUBNET
 rightsubnetwithin, KW_RIGHTSUBNETWITHIN
index 665350c..d877661 100644 (file)
@@ -186,6 +186,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
        msg_end->updown = push_string(msg, conn_end->updown);
        ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
        msg_end->address = push_string(msg, buffer);
+       msg_end->ikeport = conn_end->ikeport;
        msg_end->subnets = push_string(msg, conn_end->subnet);
        msg_end->sourceip = push_string(msg, conn_end->sourceip);
        msg_end->sourceip_mask = conn_end->sourceip_mask;
index 955e495..c195c09 100644 (file)
@@ -129,11 +129,13 @@ static int add_connection(char *name,
 
        msg.add_conn.me.id = push_string(&msg, my_id);
        msg.add_conn.me.address = push_string(&msg, my_addr);
+       msg.add_conn.me.ikeport = 500;
        msg.add_conn.me.subnets = push_string(&msg, my_nets);
        msg.add_conn.me.sendcert = 1;
 
        msg.add_conn.other.id = push_string(&msg, other_id);
        msg.add_conn.other.address = push_string(&msg, other_addr);
+       msg.add_conn.other.ikeport = 500;
        msg.add_conn.other.subnets = push_string(&msg, other_nets);
        msg.add_conn.other.sendcert = 1;
 
index 56a7a15..ffc6703 100644 (file)
@@ -137,6 +137,7 @@ struct stroke_end_t {
        char *groups;
        char *updown;
        char *address;
+       u_int16_t ikeport;
        char *sourceip;
        int sourceip_mask;
        char *subnets;
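Review bot: Adding `ikeport` to stroke_end_t changes the binary layout of stroke_msg_t, which is exchanged between the stroke client and charon's stroke plugin, yet the hunk carries no accompanying version or size marker change; a `stroke` binary and a `charon` built from different revisions would misread every field after `address`, and the consumer in build_ike_cfg uses the value without any plausibility check. If stroke_msg_t has a version or length field elsewhere (not visible here), bump or validate it alongside this change; failing that, a comment on the new member, `/* IKE port; layout shared with charon's stroke plugin, rebuild both on change */`, at least documents the coupling. struct stroke_end_t starts outside this hunk.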