New upstream version 5.5.2

4 files changed, 29 insertions, 9 deletions

diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
deleted file mode 100644
index fd48f2c7a..000000000
--- a/conf/options/aikpub2.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-aikpub2 {
-
-    # Plugins to load in aikpub2 tool.
-    # load =
-
-}
-
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
deleted file mode 100644
index 6a755d211..000000000
--- a/conf/options/aikpub2.opt
+++ /dev/null
@@ -1,2 +0,0 @@
-aikpub2.load =
-	Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index f72041e6a..1b5d52d02 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -164,6 +164,9 @@ charon {
     # will be allocated.
     # port_nat_t = 4500
 
+    # Wether to prefer updating SAs to the path with the best route.
+    # prefer_best_path = no
+
     # Prefer locally configured proposals for IKE/IPsec over supplied ones as
     # responder (disabling this can avoid keying retries due to
     # INVALID_KE_PAYLOAD notifies).
@@ -236,6 +239,12 @@ charon {
     # Whether to enable constraints against IKEv2 signature schemes.
     # signature_authentication_constraints = yes
 
+    # The upper limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_max = 0xcfffffff
+
+    # The lower limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_min = 0xc0000000
+
     # Number of worker threads in charon.
     # threads = 16
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c57..4c4311e81 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_best_path = no
+	Wether to prefer updating SAs to the path with the best route.
+
+	By default, charon keeps SAs on the routing path with addresses it
+	previously used if that path is still usable. By setting this option to
+	yes, it tries more aggressively to update SAs with MOBIKE on routing
+	priority changes using the cheapest path. This adds more noise, but allows
+	to dynamically adapt SAs to routing priority changes. This option has no
+	effect if MOBIKE is not supported or disabled.
+
 charon.prefer_configured_proposals = yes
 	Prefer locally configured proposals for	IKE/IPsec over supplied ones as
 	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
@@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes
 	certificate chain, are also used as constraints against the signature scheme
 	used by peers during IKEv2.
 
+charon.spi_min = 0xc0000000
+	The lower limit for SPIs requested from the kernel for IPsec SAs.
+
+	The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
+	be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
+	by IANA.
+
+charon.spi_max = 0xcfffffff
+	The upper limit for SPIs requested from the kernel for IPsec SAs.
+
 charon.start-scripts {}
 	Section containing a list of scripts (name = path) that are executed when
 	the daemon is started.