added mobike=yes|no connection option
authorMartin Willi <martin@strongswan.org>
Wed, 29 Aug 2007 12:11:25 +0000 (12:11 -0000)
committerMartin Willi <martin@strongswan.org>
Wed, 29 Aug 2007 12:11:25 +0000 (12:11 -0000)
  yes: propose MOBIKE as initiator by including the MOBIKE support notifies
  no: do not propose MOBIKE as initiator; as responder, MOBIKE is still enabled when the initiator supports it
  default: yes

13 files changed:
src/charon/config/peer_cfg.c
src/charon/config/peer_cfg.h
src/charon/control/interfaces/stroke_interface.c
src/charon/sa/ike_sa.c
src/charon/sa/tasks/ike_natd.c
src/pluto/constants.h
src/starter/args.c
src/starter/confread.c
src/starter/keywords.h
src/starter/keywords.txt
src/starter/starterstroke.c
src/stroke/stroke.c
src/stroke/stroke.h

index 1d9176e..4a802d5 100644 (file)
@@ -130,6 +130,11 @@ struct private_peer_cfg_t {
        bool use_reauth;
        
        /**
+        * enable support for MOBIKE
+        */
+       bool use_mobike;
+       
+       /**
         * Time before an SA gets invalid
         */
        u_int32_t lifetime;
@@ -330,10 +335,18 @@ static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey)
 /**
  * Implementation of peer_cfg_t.use_reauth.
  */
-static bool use_reauth(private_peer_cfg_t *this, bool rekey)
+static bool use_reauth(private_peer_cfg_t *this)
 {
        return this->use_reauth;
 }
+       
+/**
+ * Implementation of peer_cfg_t.use_mobike.
+ */
+static bool use_mobike(private_peer_cfg_t *this)
+{
+       return this->use_mobike;
+}
 
 /**
  * Implements peer_cfg_t.get_dpd_delay
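Review bot: The separator line added just before the new `use_mobike` implementation is a run of tabs rather than an empty line, unlike the blank separators around the neighbouring accessors in this hunk; drop the trailing whitespace so the file stays consistent. `use_mobike` itself is a plain getter over the new `use_mobike` field and needs nothing beyond that.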
@@ -421,7 +434,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
                                                        cert_policy_t cert_policy, auth_method_t auth_method,
                                                        eap_type_t eap_type, u_int32_t keyingtries,
                                                        u_int32_t lifetime, u_int32_t rekeytime,
-                                                       u_int32_t jitter, bool reauth,
+                                                       u_int32_t jitter, bool reauth, bool mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
                                                        host_t *my_virtual_ip, host_t *other_virtual_ip)
 {
@@ -444,6 +457,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
        this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime;
        this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth;
+       this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike;
        this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay;
        this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action;
        this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip;
@@ -469,6 +483,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
        this->rekeytime = rekeytime;
        this->jitter = jitter;
        this->use_reauth = reauth;
+       this->use_mobike = mobike;
        this->dpd_delay = dpd_delay;
        this->dpd_action = dpd_action;
        this->my_virtual_ip = my_virtual_ip;
index 63c8767..edbcd95 100644 (file)
@@ -257,6 +257,14 @@ struct peer_cfg_t {
        bool (*use_reauth) (peer_cfg_t *this);
        
        /**
+        * @brief Use MOBIKE (RFC4555) if peer supports it?
+        * 
+        * @param this          calling object
+        * @return                      TRUE to enable MOBIKE support
+        */
+       bool (*use_mobike) (peer_cfg_t *this);
+       
+       /**
         * @brief Get the DPD check interval.
         * 
         * @param this          calling object
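Review bot: The brief on the new `use_mobike` accessor, `Use MOBIKE (RFC4555) if peer supports it?`, does not match the semantics given in the commit message, where `no` still lets MOBIKE be used as responder when the initiator supports it; what the flag governs is whether we propose MOBIKE as initiator. I would reword it to `@brief Propose MOBIKE (RFC4555) as initiator? As responder, MOBIKE is enabled whenever the initiator supports it, regardless of this setting.` and make the `@param use_mobike` line of the `peer_cfg_create` documentation further down say the same, since it repeats the `if peer supports it` phrasing. The enclosing `struct peer_cfg_t` starts and ends outside this hunk.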
@@ -347,6 +355,7 @@ struct peer_cfg_t {
  * @param rekeytime                    lifetime before rekeying an SA
  * @param jitter                       range of random to substract from rekeytime
  * @param use_reauth           sould be done reauthentication instead of rekeying?
+ * @param use_mobike           use MOBIKE (RFC4555) if peer supports it
  * @param dpd_delay                    after how many seconds of inactivity to check DPD
  * @param dpd_action           what to do with CHILD_SAs when detected a dead peer
  * @param my_virtual_ip                virtual IP for local host, or NULL
@@ -361,7 +370,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
                                                        cert_policy_t cert_policy, auth_method_t auth_method,
                                                        eap_type_t eap_type, u_int32_t keyingtries,
                                                        u_int32_t lifetime, u_int32_t rekeytime,
-                                                       u_int32_t jitter, bool use_reauth,
+                                                       u_int32_t jitter, bool use_reauth, bool use_mobike,
                                                        u_int32_t dpd_delay, dpd_action_t dpd_action,
                                                        host_t *my_virtual_ip, host_t *other_virtual_ip);
 
index 588bcd7..7350c11 100755 (executable)
@@ -559,8 +559,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
                                        msg->add_conn.rekey.tries, msg->add_conn.rekey.ike_lifetime,
                                        msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
                                        msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, 
-                                       msg->add_conn.rekey.reauth, msg->add_conn.dpd.delay,
-                                       msg->add_conn.dpd.action,my_vip, other_vip);
+                                       msg->add_conn.rekey.reauth, msg->add_conn.mobike,
+                                       msg->add_conn.dpd.delay, msg->add_conn.dpd.action, my_vip, other_vip);
        }
        
        child_cfg = child_cfg_create(
index d50aec6..4822c84 100644 (file)
@@ -878,8 +878,11 @@ static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
                this->task_manager->queue_task(this->task_manager, task);
                task = (task_t*)ike_config_create(&this->public, TRUE);
                this->task_manager->queue_task(this->task_manager, task);
-               task = (task_t*)ike_mobike_create(&this->public, TRUE);
-               this->task_manager->queue_task(this->task_manager, task);
+               if (this->peer_cfg->use_mobike(this->peer_cfg))
+               {
+                       task = (task_t*)ike_mobike_create(&this->public, TRUE);
+                       this->task_manager->queue_task(this->task_manager, task);
+               }
        }
        
        task = (task_t*)child_create_create(&this->public, child_cfg);
@@ -940,8 +943,11 @@ static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
                this->task_manager->queue_task(this->task_manager, task);
                task = (task_t*)ike_config_create(&this->public, TRUE);
                this->task_manager->queue_task(this->task_manager, task);
-               task = (task_t*)ike_mobike_create(&this->public, TRUE);
-               this->task_manager->queue_task(this->task_manager, task);
+               if (this->peer_cfg->use_mobike(this->peer_cfg))
+               {
+                       task = (task_t*)ike_mobike_create(&this->public, TRUE);
+                       this->task_manager->queue_task(this->task_manager, task);
+               }
        }
        
        child_cfg = child_sa->get_config(child_sa);
@@ -1330,9 +1336,12 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
                                {
                                        task = (task_t*)child_create_create(&new->public, child_cfg);
                                        new->task_manager->queue_task(new->task_manager, task);
+                               }               
+                               if (this->peer_cfg->use_mobike(this->peer_cfg))
+                               {
+                                       task = (task_t*)ike_mobike_create(&new->public, TRUE);
+                                       new->task_manager->queue_task(new->task_manager, task);
                                }
-                               task = (task_t*)ike_mobike_create(&new->public, TRUE);
-                               new->task_manager->queue_task(new->task_manager, task);
                                new->task_manager->initiate(new->task_manager);
                        }
                        charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
index 84a28d0..9af12e3 100644 (file)
@@ -26,6 +26,7 @@
 #include <string.h>
 
 #include <daemon.h>
+#include <config/peer_cfg.h>
 #include <crypto/hashers/hasher.h>
 #include <encoding/payloads/notify_payload.h>
 
@@ -218,18 +219,24 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
 static status_t process_i(private_ike_natd_t *this, message_t *message)
 {
        process_payloads(this, message);
-                       
-       /* if peer supports NAT-T, we switch to port 4500 even
-        * if no NAT is detected. MOBIKE requires this. */
-       if (message->get_exchange_type(message) == IKE_SA_INIT &&
-               this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))
-       {
-               host_t *me, *other;
        
-               me = this->ike_sa->get_my_host(this->ike_sa);
-               me->set_port(me, IKEV2_NATT_PORT);
-               other = this->ike_sa->get_other_host(this->ike_sa);
-               other->set_port(other, IKEV2_NATT_PORT);
+       if (message->get_exchange_type(message) == IKE_SA_INIT)
+       {
+               peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+                               
+               if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+                       /* if peer supports NAT-T, we switch to port 4500 even
+                        * if no NAT is detected. MOBIKE requires this. */
+                       (peer_cfg->use_mobike(peer_cfg) &&
+                        this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
+               {
+                       host_t *me, *other;
+               
+                       me = this->ike_sa->get_my_host(this->ike_sa);
+                       me->set_port(me, IKEV2_NATT_PORT);
+                       other = this->ike_sa->get_other_host(this->ike_sa);
+                       other->set_port(other, IKEV2_NATT_PORT);
+               }
        }
        
        return SUCCESS;
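Review bot: `peer_cfg` returned by `get_peer_cfg()` is dereferenced unconditionally in the new condition; if an IKE_SA without a peer config can ever reach `process_i` for IKE_SA_INIT (I cannot tell from here whether the initiator path guarantees one), this is a NULL dereference, and a guard costs one operand: `(peer_cfg && peer_cfg->use_mobike(peer_cfg) && this->ike_sa->supports_extension(this->ike_sa, EXT_NATT))`. As a point of style, the explanatory comment now sits between the two operands of the `||`, which makes the condition hard to read; I would move it above the `if` and phrase it as `/* switch to port 4500 if a NAT was detected, or, when MOBIKE is enabled, whenever the peer supports NAT-T, since MOBIKE requires it */`. The closing brace of `process_i` is outside the hunk.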
index 3ab10be..b869992 100644 (file)
@@ -875,6 +875,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_XAUTH_SERVER    LELEM(20)       /* are we an XAUTH server? */
 #define POLICY_DONT_REAUTH     LELEM(21)       /* don't reauthenticate on rekeying, IKEv2 only */
 #define POLICY_BEET            LELEM(22)       /* bound end2end tunnel, IKEv2 */
+#define POLICY_MOBIKE          LELEM(23)       /* enable MOBIKE for IKEv2  */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
index 6057942..bfb7147 100644 (file)
@@ -193,6 +193,7 @@ static const token_info_t token_info[] =
     { ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
     { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
     { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
+    { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
     { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL                },
     { ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL              },
     { ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL                    },
index f754f26..8ef115f 100644 (file)
@@ -67,7 +67,8 @@ static void default_values(starter_config_t *cfg)
        cfg->conn_default.seen    = LEMPTY;
        cfg->conn_default.startup = STARTUP_NO;
        cfg->conn_default.state   = STATE_IGNORE;
-       cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS ;
+       cfg->conn_default.policy  = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
+                                                               POLICY_PFS | POLICY_MOBIKE;
 
        cfg->conn_default.ike                   = clone_str(ike_defaults, "ike_defaults");
        cfg->conn_default.esp                   = clone_str(esp_defaults, "esp_defaults");
@@ -550,6 +551,9 @@ load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
                case KW_REAUTH:
                        KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
                        break;
+               case KW_MOBIKE:
+                       KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
+                       break;
                case KW_MODECONFIG:
                        KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
                        break;
index 8f5108a..69a4b6d 100644 (file)
@@ -70,6 +70,7 @@ typedef enum {
     KW_AUTH,
     KW_AUTHBY,
     KW_EAP,
+    KW_MOBIKE,
     KW_IKELIFETIME,
     KW_KEYLIFE,
     KW_REKEYMARGIN,
index 573a238..5deecff 100644 (file)
@@ -49,6 +49,7 @@ keep_alive,        KW_KEEP_ALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
 eap,               KW_EAP
 eapdir,            KW_EAPDIR
+mobike,                   KW_MOBIKE
 pkcs11module,      KW_PKCS11MODULE
 pkcs11initargs,    KW_PKCS11INITARGS
 pkcs11keepstate,   KW_PKCS11KEEPSTATE
index 13c2f43..69b5e50 100644 (file)
@@ -227,6 +227,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
                msg.add_conn.rekey.tries = conn->sa_keying_tries;
                msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
        }
+       msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
        msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
        msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
        msg.add_conn.dpd.delay = conn->dpd_delay;
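Review bot: `msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;` stores the raw policy bit (`LELEM(23)`, i.e. 1<<23) in the `int mobike` field rather than a 0/1 value, and charon then hands that field to the `bool mobike` parameter of `peer_cfg_create()`. That is fine while every consumer only tests truthiness, but if `bool` is a plain integer typedef in this tree (its definition is not visible here) any comparison against `TRUE` would fail; I would normalise at the source with `msg.add_conn.mobike = (conn->policy & POLICY_MOBIKE) != LEMPTY;`, matching how `LEMPTY` is used for `lset_t` values elsewhere in starter. `starter_stroke_add_conn` starts and ends outside the hunk.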
index f1cbf39..14f2e54 100644 (file)
@@ -109,6 +109,7 @@ static int add_connection(char *name,
        msg.add_conn.auth_method = 2;
        msg.add_conn.eap_type = 0;
        msg.add_conn.mode = 1;
+       msg.add_conn.mobike = 1;
        
        msg.add_conn.rekey.reauth = 0;
        msg.add_conn.rekey.ipsec_lifetime = 0;
index b610678..f903379 100644 (file)
@@ -182,6 +182,7 @@ struct stroke_msg_t {
                        int auth_method;
                        int eap_type;
                        int mode;
+                       int mobike;
                        struct {
                                char *ike;
                                char *esp;