traffic_selector_t *ts;
proposal_t *proposal;
bool has_v4 = FALSE, has_v6 = FALSE;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 10800 /* 3h */,
- .rekey = 10200 /* 2h50min */,
- .jitter = 300 /* 5min */
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 10800 /* 3h */,
+ .rekey = 10200 /* 2h50min */,
+ .jitter = 300 /* 5min */
+ }
+ },
+ .mode = MODE_TUNNEL,
};
- child_cfg = child_cfg_create("cmd", &lifetime,
- NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("cmd", &child);
if (this->child_proposals->get_count(this->child_proposals))
{
while (this->child_proposals->remove_first(this->child_proposals,
NMSettingVPN *vpn;
identification_t *user = NULL, *gateway = NULL;
const char *address, *str;
- bool virtual, encap, ipcomp;
+ bool virtual, encap;
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
certificate_t *cert = NULL;
x509_t *x509;
bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 10800 /* 3h */,
- .rekey = 10200 /* 2h50min */,
- .jitter = 300 /* 5min */
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 10800 /* 3h */,
+ .rekey = 10200 /* 2h50min */,
+ .jitter = 300 /* 5min */
+ },
+ },
+ .mode = MODE_TUNNEL,
};
/**
return FALSE;
}
str = nm_setting_vpn_get_data_item(vpn, "virtual");
- virtual = str && streq(str, "yes");
+ virtual = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "encap");
- encap = str && streq(str, "yes");
+ encap = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
- ipcomp = str && streq(str, "yes");
+ child.ipcomp = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "method");
- if (str)
+ if (streq(str, "psk"))
{
- if (streq(str, "psk"))
- {
- auth_class = AUTH_CLASS_PSK;
- }
- else if (streq(str, "agent"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- agent = TRUE;
- }
- else if (streq(str, "key"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- }
- else if (streq(str, "smartcard"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- smartcard = TRUE;
- }
+ auth_class = AUTH_CLASS_PSK;
+ }
+ else if (streq(str, "agent"))
+ {
+ auth_class = AUTH_CLASS_PUBKEY;
+ agent = TRUE;
+ }
+ else if (streq(str, "key"))
+ {
+ auth_class = AUTH_CLASS_PUBKEY;
+ }
+ else if (streq(str, "smartcard"))
+ {
+ auth_class = AUTH_CLASS_PUBKEY;
+ smartcard = TRUE;
}
/**
auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(priv->name, &lifetime,
- NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(priv->name, &child);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
static child_cfg_t *load_child_config(private_config_t *this,
settings_t *settings, char *config, char *child)
{
+ child_cfg_create_t data = {
+ .mode = MODE_TUNNEL,
+ };
child_cfg_t *child_cfg;
- lifetime_cfg_t lifetime = {};
enumerator_t *enumerator;
proposal_t *proposal;
traffic_selector_t *ts;
- ipsec_mode_t mode = MODE_TUNNEL;
char *token;
- uint32_t tfc;
if (settings->get_bool(settings, "configs.%s.%s.transport",
FALSE, config, child))
{
- mode = MODE_TRANSPORT;
+ data.mode = MODE_TRANSPORT;
}
- tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
- 0, config, child);
- child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode,
- ACTION_NONE, ACTION_NONE, ACTION_NONE,
- FALSE, 0, 0, NULL, NULL, tfc);
+ data.tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding",
+ 0, config, child);
+ child_cfg = child_cfg_create(child, &data);
token = settings->get_str(settings, "configs.%s.%s.proposal",
NULL, config, child);
traffic_selector_t *ts;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 3600, /* 1h */
- .rekey = 3000, /* 50min */
- .jitter = 300 /* 5min */
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 3600, /* 1h */
+ .rekey = 3000, /* 50min */
+ .jitter = 300 /* 5min */
+ },
+ },
+ .mode = MODE_TUNNEL,
+ .dpd_action = ACTION_RESTART,
+ .close_action = ACTION_RESTART,
};
char *type, *server;
int port;
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_RESTART, ACTION_RESTART,
- FALSE, 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("android", &child);
/* create ESP proposals with and without DH groups, let responder decide
* if PFS is used */
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
{
child_cfg_t *child_cfg;
traffic_selector_t *ts;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 10800 /* 3h */,
- .rekey = 10200 /* 2h50min */,
- .jitter = 300 /* 5min */
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 10800 /* 3h */,
+ .rekey = 10200 /* 2h50min */,
+ .jitter = 300 /* 5min */
+ },
+ },
+ .mode = MODE_TUNNEL,
};
- child_cfg = child_cfg_create(name, &lifetime,
- NULL, FALSE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(name, &child);
child_cfg->add_proposal(child_cfg, proposal_create_from_string(PROTO_ESP,
"aes128gcm8-aes128gcm12-aes128gcm16-"
"aes256gcm8-aes256gcm12-aes256gcm16"));
/*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
this->replay_window = replay_window;
}
-METHOD(child_cfg_t, set_mipv6_options, void,
- private_child_cfg_t *this, bool proxy_mode, bool install_policy)
-{
- this->proxy_mode = proxy_mode;
- this->install_policy = install_policy;
-}
-
METHOD(child_cfg_t, use_proxy_mode, bool,
private_child_cfg_t *this)
{
/*
* Described in header-file
*/
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
- char *updown, bool hostaccess,
- ipsec_mode_t mode, action_t start_action,
- action_t dpd_action, action_t close_action,
- bool ipcomp, uint32_t inactivity, uint32_t reqid,
- mark_t *mark_in, mark_t *mark_out, uint32_t tfc)
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
{
private_child_cfg_t *this;
.get_close_action = _get_close_action,
.get_lifetime = _get_lifetime,
.get_dh_group = _get_dh_group,
- .set_mipv6_options = _set_mipv6_options,
.use_ipcomp = _use_ipcomp,
.get_inactivity = _get_inactivity,
.get_reqid = _get_reqid,
.destroy = _destroy,
},
.name = strdup(name),
- .updown = strdupnull(updown),
- .hostaccess = hostaccess,
- .mode = mode,
- .start_action = start_action,
- .dpd_action = dpd_action,
- .close_action = close_action,
- .use_ipcomp = ipcomp,
- .inactivity = inactivity,
- .reqid = reqid,
- .proxy_mode = FALSE,
- .install_policy = TRUE,
+ .updown = strdupnull(data->updown),
+ .hostaccess = data->hostaccess,
+ .reqid = data->reqid,
+ .mode = data->mode,
+ .proxy_mode = data->proxy_mode,
+ .start_action = data->start_action,
+ .dpd_action = data->dpd_action,
+ .close_action = data->close_action,
+ .mark_in = data->mark_in,
+ .mark_out = data->mark_out,
+ .lifetime = data->lifetime,
+ .inactivity = data->inactivity,
+ .use_ipcomp = data->ipcomp,
+ .tfc = data->tfc,
+ .install_policy = !data->suppress_policies,
.refcount = 1,
.proposals = linked_list_create(),
.my_ts = linked_list_create(),
.other_ts = linked_list_create(),
- .tfc = tfc,
.replay_window = lib->settings->get_int(lib->settings,
- "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
+ "%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
);
- if (mark_in)
- {
- this->mark_in = *mark_in;
- }
- if (mark_out)
- {
- this->mark_out = *mark_out;
- }
- memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
-
return &this->public;
}
/*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
typedef enum action_t action_t;
typedef struct child_cfg_t child_cfg_t;
+typedef struct child_cfg_create_t child_cfg_create_t;
#include <library.h>
#include <selectors/traffic_selector.h>
void (*set_replay_window)(child_cfg_t *this, uint32_t window);
/**
- * Sets two options needed for Mobile IPv6 interoperability.
- *
- * @param proxy_mode use IPsec transport proxy mode (default FALSE)
- * @param install_policy install IPsec kernel policies (default TRUE)
- */
- void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
- bool install_policy);
-
- /**
* Check whether IPsec transport SA should be set up in proxy mode.
*
* @return TRUE, if proxy mode should be used
void (*destroy) (child_cfg_t *this);
};
+
+/**
+ * Data passed to the constructor of a child_cfg_t object.
+ */
+struct child_cfg_create_t {
+ /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
+ uint32_t reqid;
+ /** Optional inbound mark */
+ mark_t mark_in;
+ /** Optional outbound mark */
+ mark_t mark_out;
+ /** Mode to propose for CHILD_SA */
+ ipsec_mode_t mode;
+ /** Use IPsec transport proxy mode */
+ bool proxy_mode;
+ /** Use IPComp, if peer supports it */
+ bool ipcomp;
+ /** TFC padding size, 0 to disable, -1 to pad to PMTU */
+ uint32_t tfc;
+ /** lifetime_cfg_t for this child_cfg */
+ lifetime_cfg_t lifetime;
+ /** Inactivity timeout in s before closing a CHILD_SA */
+ uint32_t inactivity;
+ /** Start action */
+ action_t start_action;
+ /** DPD action */
+ action_t dpd_action;
+ /** Close action */
+ action_t close_action;
+ /** updown script to execute on up/down event (cloned) */
+ char *updown;
+ /** TRUE to allow access to the local host */
+ bool hostaccess;
+ /** Don't install IPsec policies */
+ bool suppress_policies;
+};
+
/**
* Create a configuration template for CHILD_SA setup.
*
- * The "name" string gets cloned.
- *
- * The lifetime_cfg_t object gets cloned.
- * To prevent two peers to start rekeying at the same time, a jitter may be
- * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
- *
* After a call to create, a reference is obtained (refcount = 1).
*
- * @param name name of the child_cfg
- * @param lifetime lifetime_cfg_t for this child_cfg
- * @param updown updown script to execute on up/down event
- * @param hostaccess TRUE to allow access to the local host
- * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
- * @param start_action start action
- * @param dpd_action DPD action
- * @param close_action close action
- * @param ipcomp use IPComp, if peer supports it
- * @param inactivity inactivity timeout in s before closing a CHILD_SA
- * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign
- * @param mark_in optional inbound mark (can be NULL)
- * @param mark_out optional outbound mark (can be NULL)
- * @param tfc TFC padding size, 0 to disable, -1 to pad to PMTU
+ * @param name name of the child_cfg (cloned)
+ * @param data data for this child_cfg
* @return child_cfg_t object
*/
-child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
- char *updown, bool hostaccess,
- ipsec_mode_t mode, action_t start_action,
- action_t dpd_action, action_t close_action,
- bool ipcomp, uint32_t inactivity, uint32_t reqid,
- mark_t *mark_in, mark_t *mark_out, uint32_t tfc);
+child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
#endif /** CHILD_CFG_H_ @}*/
auth_cfg_t *auth_cfg;
child_cfg_t *child_cfg;
traffic_selector_t *ts;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 21600, .rekey = 20400, .jitter = 400,
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 21600, .rekey = 20400, .jitter = 400,
+ },
},
+ .mode = MODE_TRANSPORT,
};
/* setup credentials */
identification_create_from_string(remote));
peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
- child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("ha", &child);
ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
peer_cfg_t *peer_cfg;
char local[32], *remote;
host_t *addr;
- ipsec_mode_t mode = MODE_TUNNEL;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = this->child_rekey * 2,
- .rekey = this->child_rekey,
- .jitter = 0
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = this->child_rekey * 2,
+ .rekey = this->child_rekey,
+ .jitter = 0
+ },
+ },
+ .mode = MODE_TUNNEL,
};
if (num)
{
if (streq(this->mode, "transport"))
{
- mode = MODE_TRANSPORT;
+ child.mode = MODE_TRANSPORT;
}
else if (streq(this->mode, "beet"))
{
- mode = MODE_BEET;
+ child.mode = MODE_BEET;
}
}
- child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, mode,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create("load-test", &child);
child_cfg->add_proposal(child_cfg, this->esp->clone(this->esp));
if (num)
traffic_selector_t *ts;
auth_cfg_t *auth;
certificate_t *cert;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 10800, /* 3h */
- .rekey = 10200, /* 2h50min */
- .jitter = 300 /* 5min */
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 10800, /* 3h */
+ .rekey = 10200, /* 2h50min */
+ .jitter = 300 /* 5min */
+ },
+ },
+ .mode = MODE_TUNNEL,
};
if (this->status == VPN_STATUS_CONNECTED ||
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
- TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
- ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(this->current, &child);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg_t *child_cfg;
chunk_t me, other;
char *address, *local_net, *remote_net;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = this->rekey * 60 + this->rekey,
- .rekey = this->rekey,
- .jitter = this->rekey
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = this->rekey * 60 + this->rekey,
+ .rekey = this->rekey,
+ .jitter = this->rekey
+ },
+ },
+ .mode = MODE_TUNNEL,
};
/* query mediation server config:
identification_create_from_encoding(ID_KEY_ID, other));
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(name, &child);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
chunk_t me, other;
child_cfg_t *child_cfg;
auth_cfg_t *auth;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = this->rekey * 60 + this->rekey,
- .rekey = this->rekey,
- .jitter = this->rekey
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = this->rekey * 60 + this->rekey,
+ .rekey = this->rekey,
+ .jitter = this->rekey
+ },
+ },
+ .mode = MODE_TUNNEL,
};
DESTROY_IF(this->current);
identification_create_from_encoding(ID_KEY_ID, other));
this->current->add_auth_cfg(this->current, auth, FALSE);
- child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
- 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(name, &child);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown,
&hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid))
{
- lifetime_cfg_t lft = {
- .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter }
+ child_cfg_create_t child = {
+ .mode = mode,
+ .reqid = reqid,
+ .ipcomp = ipcomp,
+ .lifetime = {
+ .time = {
+ .life = lifetime, .rekey = rekeytime, .jitter = jitter
+ },
+ },
+ .start_action = start,
+ .dpd_action = dpd,
+ .close_action = close,
+ .updown = updown,
+ .hostaccess = hostaccess,
};
- child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode,
- start, dpd, close, ipcomp, 0, reqid,
- NULL, NULL, 0);
+ child_cfg = child_cfg_create(name, &child);
add_esp_proposals(this, child_cfg, id);
add_traffic_selectors(this, child_cfg, id);
return child_cfg;
stroke_msg_t *msg)
{
child_cfg_t *child_cfg;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = msg->add_conn.rekey.ipsec_lifetime,
- .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
- .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = msg->add_conn.rekey.ipsec_lifetime,
+ .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+ .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+ },
+ .bytes = {
+ .life = msg->add_conn.rekey.life_bytes,
+ .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+ .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+ },
+ .packets = {
+ .life = msg->add_conn.rekey.life_packets,
+ .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+ .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+ },
},
- .bytes = {
- .life = msg->add_conn.rekey.life_bytes,
- .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
- .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+ .mark_in = {
+ .value = msg->add_conn.mark_in.value,
+ .mask = msg->add_conn.mark_in.mask
},
- .packets = {
- .life = msg->add_conn.rekey.life_packets,
- .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
- .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
- }
- };
- mark_t mark_in = {
- .value = msg->add_conn.mark_in.value,
- .mask = msg->add_conn.mark_in.mask
- };
- mark_t mark_out = {
- .value = msg->add_conn.mark_out.value,
- .mask = msg->add_conn.mark_out.mask
+ .mark_out = {
+ .value = msg->add_conn.mark_out.value,
+ .mask = msg->add_conn.mark_out.mask
+ },
+ .reqid = msg->add_conn.reqid,
+ .mode = msg->add_conn.mode,
+ .proxy_mode = msg->add_conn.proxy_mode,
+ .ipcomp = msg->add_conn.ipcomp,
+ .tfc = msg->add_conn.tfc,
+ .inactivity = msg->add_conn.inactivity,
+ .dpd_action = map_action(msg->add_conn.dpd.action),
+ .close_action = map_action(msg->add_conn.close_action),
+ .updown = msg->add_conn.me.updown,
+ .hostaccess = msg->add_conn.me.hostaccess,
+ .suppress_policies = !msg->add_conn.install_policy,
};
- child_cfg = child_cfg_create(
- msg->add_conn.name, &lifetime, msg->add_conn.me.updown,
- msg->add_conn.me.hostaccess, msg->add_conn.mode, ACTION_NONE,
- map_action(msg->add_conn.dpd.action),
- map_action(msg->add_conn.close_action), msg->add_conn.ipcomp,
- msg->add_conn.inactivity, msg->add_conn.reqid,
- &mark_in, &mark_out, msg->add_conn.tfc);
+ child_cfg = child_cfg_create(msg->add_conn.name, &child);
if (msg->add_conn.replay_window != -1)
{
child_cfg->set_replay_window(child_cfg, msg->add_conn.replay_window);
}
- child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
- msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
child_cfg_t *child_cfg;
ike_cfg_t *ike_cfg;
auth_cfg_t *auth;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = create_rekey(esp_rekey) + 300,
- .rekey = create_rekey(esp_rekey),
- .jitter = 300
- }
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = create_rekey(esp_rekey) + 300,
+ .rekey = create_rekey(esp_rekey),
+ .jitter = 300
+ },
+ },
+ .mode = MODE_TUNNEL,
};
/* defaults */
}
this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, ACTION_NONE,
- FALSE, 0, 0, NULL, NULL, 0);
+ child_cfg = child_cfg_create(name, &child);
child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP));
child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
{
enumerator_t *enumerator;
child_cfg_t *child_cfg;
- lifetime_cfg_t lft = { .time = { .life = 0 } };
+ child_cfg_create_t child = {
+ .mode = MODE_PASS,
+ };
ike_sa_t *ike_sa;
char name[128];
host_t *host;
{
create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
- child_cfg = child_cfg_create(name, &lft, NULL, TRUE, MODE_PASS,
- ACTION_NONE, ACTION_NONE, ACTION_NONE,
- FALSE, 0, 0, NULL, NULL, FALSE);
+ child_cfg = child_cfg_create(name, &child);
child_cfg->add_traffic_selector(child_cfg, FALSE,
entry->ts->clone(entry->ts));
host = ike_sa->get_my_host(ike_sa);
*/
typedef struct {
request_data_t *request;
- lifetime_cfg_t lft;
- char* updown;
- bool hostaccess;
- bool ipcomp;
- bool policies;
- ipsec_mode_t mode;
- uint32_t replay_window;
- action_t dpd_action;
- action_t start_action;
- action_t close_action;
- uint32_t reqid;
- uint32_t tfc;
- mark_t mark_in;
- mark_t mark_out;
- uint64_t inactivity;
linked_list_t *proposals;
linked_list_t *local_ts;
linked_list_t *remote_ts;
+ uint32_t replay_window;
+ bool policies;
+ child_cfg_create_t cfg;
} child_data_t;
/**
*/
static void log_child_data(child_data_t *data, char *name)
{
+ child_cfg_create_t *cfg = &data->cfg;
+
DBG2(DBG_CFG, " child %s:", name);
- DBG2(DBG_CFG, " rekey_time = %llu", data->lft.time.rekey);
- DBG2(DBG_CFG, " life_time = %llu", data->lft.time.life);
- DBG2(DBG_CFG, " rand_time = %llu", data->lft.time.jitter);
- DBG2(DBG_CFG, " rekey_bytes = %llu", data->lft.bytes.rekey);
- DBG2(DBG_CFG, " life_bytes = %llu", data->lft.bytes.life);
- DBG2(DBG_CFG, " rand_bytes = %llu", data->lft.bytes.jitter);
- DBG2(DBG_CFG, " rekey_packets = %llu", data->lft.packets.rekey);
- DBG2(DBG_CFG, " life_packets = %llu", data->lft.packets.life);
- DBG2(DBG_CFG, " rand_packets = %llu", data->lft.packets.jitter);
- DBG2(DBG_CFG, " updown = %s", data->updown);
- DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess);
- DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp);
- DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode);
+ DBG2(DBG_CFG, " rekey_time = %llu", cfg->lifetime.time.rekey);
+ DBG2(DBG_CFG, " life_time = %llu", cfg->lifetime.time.life);
+ DBG2(DBG_CFG, " rand_time = %llu", cfg->lifetime.time.jitter);
+ DBG2(DBG_CFG, " rekey_bytes = %llu", cfg->lifetime.bytes.rekey);
+ DBG2(DBG_CFG, " life_bytes = %llu", cfg->lifetime.bytes.life);
+ DBG2(DBG_CFG, " rand_bytes = %llu", cfg->lifetime.bytes.jitter);
+ DBG2(DBG_CFG, " rekey_packets = %llu", cfg->lifetime.packets.rekey);
+ DBG2(DBG_CFG, " life_packets = %llu", cfg->lifetime.packets.life);
+ DBG2(DBG_CFG, " rand_packets = %llu", cfg->lifetime.packets.jitter);
+ DBG2(DBG_CFG, " updown = %s", cfg->updown);
+ DBG2(DBG_CFG, " hostaccess = %u", cfg->hostaccess);
+ DBG2(DBG_CFG, " ipcomp = %u", cfg->ipcomp);
+ DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, cfg->mode);
DBG2(DBG_CFG, " policies = %u", data->policies);
if (data->replay_window != REPLAY_UNDEFINED)
{
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
}
- DBG2(DBG_CFG, " dpd_action = %N", action_names, data->dpd_action);
- DBG2(DBG_CFG, " start_action = %N", action_names, data->start_action);
- DBG2(DBG_CFG, " close_action = %N", action_names, data->close_action);
- DBG2(DBG_CFG, " reqid = %u", data->reqid);
- DBG2(DBG_CFG, " tfc = %d", data->tfc);
+ DBG2(DBG_CFG, " dpd_action = %N", action_names, cfg->dpd_action);
+ DBG2(DBG_CFG, " start_action = %N", action_names, cfg->start_action);
+ DBG2(DBG_CFG, " close_action = %N", action_names, cfg->close_action);
+ DBG2(DBG_CFG, " reqid = %u", cfg->reqid);
+ DBG2(DBG_CFG, " tfc = %d", cfg->tfc);
DBG2(DBG_CFG, " mark_in = %u/%u",
- data->mark_in.value, data->mark_in.mask);
+ cfg->mark_in.value, cfg->mark_in.mask);
DBG2(DBG_CFG, " mark_out = %u/%u",
- data->mark_out.value, data->mark_out.mask);
- DBG2(DBG_CFG, " inactivity = %llu", data->inactivity);
+ cfg->mark_out.value, cfg->mark_out.mask);
+ DBG2(DBG_CFG, " inactivity = %llu", cfg->inactivity);
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
DBG2(DBG_CFG, " local_ts = %#R", data->local_ts);
DBG2(DBG_CFG, " remote_ts = %#R", data->remote_ts);
offsetof(traffic_selector_t, destroy));
data->remote_ts->destroy_offset(data->remote_ts,
offsetof(traffic_selector_t, destroy));
- free(data->updown);
+ free(data->cfg.updown);
}
/**
child_data_t *child, vici_message_t *message, char *name, chunk_t value)
{
parse_rule_t rules[] = {
- { "updown", parse_string, &child->updown },
- { "hostaccess", parse_bool, &child->hostaccess },
- { "mode", parse_mode, &child->mode },
- { "policies", parse_bool, &child->policies },
- { "replay_window", parse_uint32, &child->replay_window },
- { "rekey_time", parse_time, &child->lft.time.rekey },
- { "life_time", parse_time, &child->lft.time.life },
- { "rand_time", parse_time, &child->lft.time.jitter },
- { "rekey_bytes", parse_bytes, &child->lft.bytes.rekey },
- { "life_bytes", parse_bytes, &child->lft.bytes.life },
- { "rand_bytes", parse_bytes, &child->lft.bytes.jitter },
- { "rekey_packets", parse_uint64, &child->lft.packets.rekey },
- { "life_packets", parse_uint64, &child->lft.packets.life },
- { "rand_packets", parse_uint64, &child->lft.packets.jitter },
- { "dpd_action", parse_action, &child->dpd_action },
- { "start_action", parse_action, &child->start_action },
- { "close_action", parse_action, &child->close_action },
- { "ipcomp", parse_bool, &child->ipcomp },
- { "inactivity", parse_time, &child->inactivity },
- { "reqid", parse_uint32, &child->reqid },
- { "mark_in", parse_mark, &child->mark_in },
- { "mark_out", parse_mark, &child->mark_out },
- { "tfc_padding", parse_tfc, &child->tfc },
+ { "updown", parse_string, &child->cfg.updown },
+ { "hostaccess", parse_bool, &child->cfg.hostaccess },
+ { "mode", parse_mode, &child->cfg.mode },
+ { "policies", parse_bool, &child->policies },
+ { "replay_window", parse_uint32, &child->replay_window },
+ { "rekey_time", parse_time, &child->cfg.lifetime.time.rekey },
+ { "life_time", parse_time, &child->cfg.lifetime.time.life },
+ { "rand_time", parse_time, &child->cfg.lifetime.time.jitter },
+ { "rekey_bytes", parse_bytes, &child->cfg.lifetime.bytes.rekey },
+ { "life_bytes", parse_bytes, &child->cfg.lifetime.bytes.life },
+ { "rand_bytes", parse_bytes, &child->cfg.lifetime.bytes.jitter },
+ { "rekey_packets", parse_uint64, &child->cfg.lifetime.packets.rekey },
+ { "life_packets", parse_uint64, &child->cfg.lifetime.packets.life },
+ { "rand_packets", parse_uint64, &child->cfg.lifetime.packets.jitter },
+ { "dpd_action", parse_action, &child->cfg.dpd_action },
+ { "start_action", parse_action, &child->cfg.start_action },
+ { "close_action", parse_action, &child->cfg.close_action },
+ { "ipcomp", parse_bool, &child->cfg.ipcomp },
+ { "inactivity", parse_time, &child->cfg.inactivity },
+ { "reqid", parse_uint32, &child->cfg.reqid },
+ { "mark_in", parse_mark, &child->cfg.mark_in },
+ { "mark_out", parse_mark, &child->cfg.mark_out },
+ { "tfc_padding", parse_tfc, &child->cfg.tfc },
};
return parse_rules(rules, countof(rules), name, value,
&peer->request->reply);
}
+/**
+ * Check and update lifetimes
+ */
+static void check_lifetimes(lifetime_cfg_t *lft)
+{
+ /* if no hard lifetime specified, add one at soft lifetime + 10% */
+ if (lft->time.life == LFT_UNDEFINED)
+ {
+ lft->time.life = lft->time.rekey * 110 / 100;
+ }
+ if (lft->bytes.life == LFT_UNDEFINED)
+ {
+ lft->bytes.life = lft->bytes.rekey * 110 / 100;
+ }
+ if (lft->packets.life == LFT_UNDEFINED)
+ {
+ lft->packets.life = lft->packets.rekey * 110 / 100;
+ }
+ /* if no soft lifetime specified, add one at hard lifetime - 10% */
+ if (lft->bytes.rekey == LFT_UNDEFINED)
+ {
+ lft->bytes.rekey = lft->bytes.life * 90 / 100;
+ }
+ if (lft->packets.rekey == LFT_UNDEFINED)
+ {
+ lft->packets.rekey = lft->packets.life * 90 / 100;
+ }
+ /* if no rand time defined, use difference of hard and soft */
+ if (lft->time.jitter == LFT_UNDEFINED)
+ {
+ lft->time.jitter = lft->time.life -
+ min(lft->time.life, lft->time.rekey);
+ }
+ if (lft->bytes.jitter == LFT_UNDEFINED)
+ {
+ lft->bytes.jitter = lft->bytes.life -
+ min(lft->bytes.life, lft->bytes.rekey);
+ }
+ if (lft->packets.jitter == LFT_UNDEFINED)
+ {
+ lft->packets.jitter = lft->packets.life -
+ min(lft->packets.life, lft->packets.rekey);
+ }
+}
+
CALLBACK(children_sn, bool,
peer_data_t *peer, vici_message_t *message, vici_parse_context_t *ctx,
char *name)
.proposals = linked_list_create(),
.local_ts = linked_list_create(),
.remote_ts = linked_list_create(),
- .mode = MODE_TUNNEL,
.policies = TRUE,
.replay_window = REPLAY_UNDEFINED,
- .dpd_action = ACTION_NONE,
- .start_action = ACTION_NONE,
- .close_action = ACTION_NONE,
- .lft = {
- .time = {
- .rekey = LFT_DEFAULT_CHILD_REKEY,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- .bytes = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
+ .cfg = {
+ .mode = MODE_TUNNEL,
+ .lifetime = {
+ .time = {
+ .rekey = LFT_DEFAULT_CHILD_REKEY,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .bytes = {
+ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
+ .packets = {
+ .rekey = LFT_UNDEFINED,
+ .life = LFT_UNDEFINED,
+ .jitter = LFT_UNDEFINED,
+ },
},
- .packets = {
- .rekey = LFT_UNDEFINED,
- .life = LFT_UNDEFINED,
- .jitter = LFT_UNDEFINED,
- },
- }
+ },
};
child_cfg_t *cfg;
proposal_t *proposal;
child.proposals->insert_last(child.proposals, proposal);
}
}
+ child.cfg.suppress_policies = !child.policies;
- /* if no hard lifetime specified, add one at soft lifetime + 10% */
- if (child.lft.time.life == LFT_UNDEFINED)
- {
- child.lft.time.life = child.lft.time.rekey * 110 / 100;
- }
- if (child.lft.bytes.life == LFT_UNDEFINED)
- {
- child.lft.bytes.life = child.lft.bytes.rekey * 110 / 100;
- }
- if (child.lft.packets.life == LFT_UNDEFINED)
- {
- child.lft.packets.life = child.lft.packets.rekey * 110 / 100;
- }
- /* if no soft lifetime specified, add one at hard lifetime - 10% */
- if (child.lft.bytes.rekey == LFT_UNDEFINED)
- {
- child.lft.bytes.rekey = child.lft.bytes.life * 90 / 100;
- }
- if (child.lft.packets.rekey == LFT_UNDEFINED)
- {
- child.lft.packets.rekey = child.lft.packets.life * 90 / 100;
- }
- /* if no rand time defined, use difference of hard and soft */
- if (child.lft.time.jitter == LFT_UNDEFINED)
- {
- child.lft.time.jitter = child.lft.time.life -
- min(child.lft.time.life, child.lft.time.rekey);
- }
- if (child.lft.bytes.jitter == LFT_UNDEFINED)
- {
- child.lft.bytes.jitter = child.lft.bytes.life -
- min(child.lft.bytes.life, child.lft.bytes.rekey);
- }
- if (child.lft.packets.jitter == LFT_UNDEFINED)
- {
- child.lft.packets.jitter = child.lft.packets.life -
- min(child.lft.packets.life, child.lft.packets.rekey);
- }
+ check_lifetimes(&child.cfg.lifetime);
log_child_data(&child, name);
- cfg = child_cfg_create(name, &child.lft, child.updown,
- child.hostaccess, child.mode, child.start_action,
- child.dpd_action, child.close_action, child.ipcomp,
- child.inactivity, child.reqid, &child.mark_in,
- &child.mark_out, child.tfc);
-
- cfg->set_mipv6_options(cfg, FALSE, child.policies);
+ cfg = child_cfg_create(name, &child.cfg);
if (child.replay_window != REPLAY_UNDEFINED)
{