author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 12:11:49 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 12:11:49 +0000 |
commit | 7b8b352039efd78338a7bf451a0550644ec8a8da (patch) | |
tree | 62e0548df49dfb3ddacc8cac4309fa10f7b42610 /src/starter | |
parent | 9587b8e553eda7b1b6fd48c77ebe4592e1e3532a (diff) | |
download | vyos-strongswan-7b8b352039efd78338a7bf451a0550644ec8a8da.tar.gz vyos-strongswan-7b8b352039efd78338a7bf451a0550644ec8a8da.zip |
New upstream version.
Diffstat (limited to 'src/starter')
-rw-r--r-- | src/starter/Makefile.am | 11 | ||||
-rw-r--r-- | src/starter/Makefile.in | 97 | ||||
-rw-r--r-- | src/starter/README | 5 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.c | 37 | ||||
-rw-r--r-- | src/starter/confread.h | 12 | ||||
-rw-r--r-- | src/starter/interfaces.c | 4 | ||||
-rw-r--r-- | src/starter/ipsec.conf.5 | 1330 | ||||
-rw-r--r-- | src/starter/ipsec.conf.5.in | 1330 | ||||
-rw-r--r-- | src/starter/keywords.c | 321 | ||||
-rw-r--r-- | src/starter/keywords.h | 3 | ||||
-rw-r--r-- | src/starter/keywords.txt | 1 | ||||
-rw-r--r-- | src/starter/starterstroke.c | 12 | ||||
-rw-r--r-- | src/starter/starterwhack.c | 2 |
14 files changed, 218 insertions, 2948 deletions
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 9813a0c06..75297f767 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -9,6 +9,7 @@ INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto \ -I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke @@ -23,9 +24,8 @@ AM_CFLAGS = \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in -dist_man_MANS = ipsec.conf.5 starter.8 -CLEANFILES = ipsec.conf.5 +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -43,11 +43,6 @@ if USE_LOAD_WARNING AM_CFLAGS += -DLOAD_WARNING endif -ipsec.conf.5: ipsec.conf.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ - lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index d06c8974d..446f183f1 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in 
@@ -49,14 +49,14 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/lt~obsolete.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \ - "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ @@ -106,7 +106,6 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) @@ -178,6 +177,8 @@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PTHREADLIB = @PTHREADLIB@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ @@ -209,14 +210,17 @@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ +c_plugins = @c_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ default_pkcs11 = @default_pkcs11@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ 
@@ -231,24 +235,31 @@ ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ pdfdir = @pdfdir@ piddir = @piddir@ +pki_plugins = @pki_plugins@ plugindir = @plugindir@ pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ @@ -256,7 +267,10 @@ random_device = @random_device@ resolv_conf = @resolv_conf@ routing_table = @routing_table@ routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ @@ -278,6 +292,7 @@ INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto \ -I$(top_srcdir)/src/whack \ -I$(top_srcdir)/src/stroke 
@@ -288,9 +303,8 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in -dist_man_MANS = ipsec.conf.5 starter.8 -CLEANFILES = ipsec.conf.5 +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient 
@@ -424,44 +438,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man5: $(dist_man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" - @list=''; test -n "$(man5dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ - done; } - -uninstall-man5: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man5dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.5[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" 
@@ -600,7 +576,7 @@ check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(MANS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -620,7 +596,6 @@ install-strip: mostlyclean-generic: clean-generic: - -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -669,7 +644,7 @@ install-info: install-info-am install-info-am: -install-man: install-man5 install-man8 +install-man: install-man8 install-pdf: install-pdf-am @@ -701,7 +676,7 @@ ps-am: uninstall-am: uninstall-ipsecPROGRAMS uninstall-man -uninstall-man: uninstall-man5 uninstall-man8 +uninstall-man: uninstall-man8 .MAKE: install-am install-strip 
@@ -712,20 +687,14 @@ uninstall-man: uninstall-man5 uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-exec-local \ install-html install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man5 install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \ - uninstall-man8 - - -ipsec.conf.5: ipsec.conf.5.in - sed \ - -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ - $(srcdir)/$@.in > $@ + install-ipsecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man8 + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/README b/src/starter/README index 12a60a11d..4aff64978 100644 --- a/src/starter/README +++ b/src/starter/README @@ -18,8 +18,6 @@ Usage: FEATURES -------- -o Load and unload KLIPS (ipsec.o kernel module) - o Load modules of the native Linux 2.6 IPsec stack o Launch and monitor pluto @@ -50,8 +48,7 @@ o /var/run/dynip/xxxx can be used to use a virtual interface name in o %auto can be used to automaticaly name the connections -o kill -TERM can be used to stop FS. pluto will be stopped and KLIPS unloaded - (if it has been loaded). +o kill -TERM can be used to stop FS. pluto will be stopped. o Can be used to start strongSwan and load lots of connections in a few seconds. 
diff --git a/src/starter/args.c b/src/starter/args.c index ab6b60509..37d600283 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -208,6 +208,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_AUTHBY */ }, { ARG_MISC, 0, NULL /* KW_EAP */ }, { ARG_STR, offsetof(starter_conn_t, eap_identity), NULL }, + { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL }, { ARG_MISC, 0, NULL /* KW_MOBIKE */ }, { ARG_MISC, 0, NULL /* KW_FORCEENCAPS */ }, { ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index 399e17844..3367616ca 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -19,6 +19,8 @@ #include <freeswan.h> +#include <eap/eap.h> + #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" @@ -461,7 +463,7 @@ static void handle_firewall(const char *label, starter_end_t *end, } } -static bool handle_mark(char *value, mark_t *mark) +static bool handle_mark(char *value, mark_t *mark) { char *pos, *endptr; @@ -671,31 +673,8 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } break; } - if (streq(kw->value, "aka")) - { - conn->eap_type = 23; - } - else if (streq(kw->value, "sim")) - { - conn->eap_type = 18; - } - else if (streq(kw->value, "md5")) - { - conn->eap_type = 4; - } - else if (streq(kw->value, "gtc")) - { - conn->eap_type = 6; - } - else if (streq(kw->value, "mschapv2")) - { - conn->eap_type = 26; - } - else if (streq(kw->value, "radius")) - { /* pseudo-type */ - conn->eap_type = 253; - } - else + conn->eap_type = eap_type_from_string(kw->value); + if (conn->eap_type == 0) { conn->eap_type = atoi(kw->value); if (conn->eap_type == 0) @@ -739,7 +718,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg if (*endptr != '\0') { plog("# bad integer value: %s=%s", kw->entry->name, kw->value); - cfg->err++; + cfg->err++; } } break; 
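Review bot: The new `{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL }` row in token_info[] is positional: the `/* KW_AUTHBY */`, `/* KW_EAP */` and `/* KW_MOBIKE */` comments on the neighbouring rows indicate the table is indexed by keyword token, so this row is only correct if it sits at exactly the position of the matching new token in keywords.h (that hunk is not on this page). Getting the position wrong does not fail to compile; it silently writes parsed values into the wrong starter_conn_t field, which for an identity string is the kind of misconfiguration that is hard to notice. Consider pinning this in a comment at the head of the table, `/* order must match the keyword enumeration in keywords.h */`, and, if the row count is known there, a `_Static_assert` on `sizeof(token_info) / sizeof(token_info[0])` against the enum size. The table definition starts outside the hunk.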
@@ -815,7 +794,7 @@ static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg) DBG(DBG_CONTROL, DBG_log(" also=%s", kw->value) ) - } + } continue; } @@ -879,7 +858,7 @@ static void load_also_conns(starter_conn_t *conn, also_t *also, /* * find a conn included by also */ -static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, +static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg) { starter_conn_t *c = cfg->conn_first; diff --git a/src/starter/confread.h b/src/starter/confread.h index 5e4356ea3..982d1d206 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -95,13 +95,6 @@ struct also { also_t *next; }; -typedef struct mark_t mark_t; - -struct mark_t{ - u_int32_t value; - u_int32_t mask; -}; - typedef struct starter_conn starter_conn_t; struct starter_conn { @@ -117,6 +110,7 @@ struct starter_conn { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *aaa_identity; char *xauth_identity; lset_t policy; time_t sa_ike_life_seconds; @@ -129,8 +123,8 @@ struct starter_conn { unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; u_int32_t reqid; - mark_t mark_in; - mark_t mark_out; + mark_t mark_in; + mark_t mark_out; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index 92b2c74a4..ef26cdce5 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -56,7 +56,7 @@ get_defaultroute(defaultroute_t *defaultroute) ssize_t msglen; int fd; - bzero(&rtu, sizeof(rtu)); + memset(&rtu, 0, sizeof(rtu)); rtu.m.nh.nlmsg_len = NLMSG_LENGTH(sizeof(rtu.m.rt)); rtu.m.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; rtu.m.nh.nlmsg_type = RTM_GETROUTE; 
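Review bot: In load_conn the numeric fallback left under the new `if (conn->eap_type == 0)` still uses `atoi(kw->value)`, which accepts `-1`, `7abc` or an overflowing number without any error and, since `eap_type` is `u_int32_t` (see the confread.h hunk), stores a wrapped or partial value that passes the `== 0` check; a `strtoul` with an end-pointer check is the usual replacement, as sketched below. The `-vendor` suffix appears to be split off in the context just before the hunk (`} break; }`), so a strict end-of-string test should not reject the documented `eap=7-12345` form, but please confirm, and `<errno.h>` must be in scope for the ERANGE test. It is also worth confirming that eap_type_from_string() covers every name the removed chain mapped, in particular the pseudo-type `radius` (253), otherwise existing ipsec.conf files using `eap=radius` would start failing to load. load_conn starts and ends outside the hunk.
```c
	conn->eap_type = eap_type_from_string(kw->value);
	if (conn->eap_type == 0)
	{
		char *end;
		unsigned long num;

		/* numeric fallback: atoi() would silently accept "-1" or "7abc"
		 * and store a wrapped/partial value in the u_int32_t field */
		errno = 0;
		num = strtoul(kw->value, &end, 10);
		if (end == kw->value || *end != '\0' || errno == ERANGE ||
			num > 0xffffffffUL)
		{
			num = 0;	/* fall into the existing error report below */
		}
		conn->eap_type = (u_int32_t)num;
		if (conn->eap_type == 0)
		/* … unchanged: existing error report … */
```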
@@ -142,7 +142,7 @@ get_defaultroute(defaultroute_t *defaultroute) plog("could not open AF_INET socket"); break; } - bzero(&req, sizeof(req)); + memset(&req, 0, sizeof(req)); req.ifr_ifindex = iface_idx; if (ioctl(fd, SIOCGIFNAME, &req) < 0 || ioctl(fd, SIOCGIFADDR, &req) < 0) diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 deleted file mode 100644 index e654ab66e..000000000 --- a/src/starter/ipsec.conf.5 +++ /dev/null 
@@ -1,1330 +0,0 @@ -.TH IPSEC.CONF 5 "2010-05-30" "4.4.1" "strongSwan" -.SH NAME -ipsec.conf \- IPsec configuration and connections -.SH DESCRIPTION -The optional -.I ipsec.conf -file -specifies most configuration and control information for the -strongSwan IPsec subsystem. -The major exception is secrets for authentication; -see -.IR ipsec.secrets (5). -Its contents are not security-sensitive. -.PP -The file is a text file, consisting of one or more -.IR sections . -White space followed by -.B # -followed by anything to the end of the line -is a comment and is ignored, -as are empty lines which are not within a section. -.PP -A line which contains -.B include -and a file name, separated by white space, -is replaced by the contents of that file, -preceded and followed by empty lines. -If the file name is not a full pathname, -it is considered to be relative to the directory containing the -including file. -Such inclusions can be nested. -Only a single filename may be supplied, and it may not contain white space, -but it may include shell wildcards (see -.IR sh (1)); -for example: -.PP -.B include -.B "ipsec.*.conf" -.PP -The intention of the include facility is mostly to permit keeping -information on connections, or sets of connections, -separate from the main configuration file. -This permits such connection descriptions to be changed, -copied to the other security gateways involved, etc., -without having to constantly extract them from the configuration -file and then insert them back into it. -Note also the -.B also -parameter (described below) which permits splitting a single logical -section (e.g. a connection description) into several actual sections. -.PP -A section -begins with a line of the form: -.PP -.I type -.I name -.PP -where -.I type -indicates what type of section follows, and -.I name -is an arbitrary name which distinguishes the section from others -of the same type. 
-Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens. -All subsequent non-empty lines -which begin with white space are part of the section; -comments within a section must begin with white space too. -There may be only one section of a given type with a given name. -.PP -Lines within the section are generally of the form -.PP -\ \ \ \ \ \fIparameter\fB=\fIvalue\fR -.PP -(note the mandatory preceding white space). -There can be white space on either side of the -.BR = . -Parameter names follow the same syntax as section names, -and are specific to a section type. -Unless otherwise explicitly specified, -no parameter name may appear more than once in a section. -.PP -An empty -.I value -stands for the system default value (if any) of the parameter, -i.e. it is roughly equivalent to omitting the parameter line entirely. -A -.I value -may contain white space only if the entire -.I value -is enclosed in double quotes (\fB"\fR); -a -.I value -cannot itself contain a double quote, -nor may it be continued across more than one line. -.PP -Numeric values are specified to be either an ``integer'' -(a sequence of digits) or a ``decimal number'' -(sequence of digits optionally followed by `.' and another sequence of digits). -.PP -There is currently one parameter which is available in any type of -section: -.TP -.B also -the value is a section name; -the parameters of that section are appended to this section, -as if they had been written as part of it. -The specified section must exist, must follow the current one, -and must have the same section type. -(Nesting is permitted, -and there may be more than one -.B also -in a single section, -although it is forbidden to append the same section more than once.) -.PP -A section with name -.B %default -specifies defaults for sections of the same type. 
-For each parameter in it, -any section of that type which does not have a parameter of the same name -gets a copy of the one from the -.B %default -section. -There may be multiple -.B %default -sections of a given type, -but only one default may be supplied for any specific parameter name, -and all -.B %default -sections of a given type must precede all non-\c -.B %default -sections of that type. -.B %default -sections may not contain the -.B also -parameter. -.PP -Currently there are three types of sections: -a -.B config -section specifies general configuration information for IPsec, a -.B conn -section specifies an IPsec connection, while a -.B ca -section specifies special properties of a certification authority. -.SH "CONN SECTIONS" -A -.B conn -section contains a -.IR "connection specification" , -defining a network connection to be made using IPsec. -The name given is arbitrary, and is used to identify the connection. -Here's a simple example: -.PP -.ne 10 -.nf -.ft B -.ta 1c -conn snt - left=192.168.0.1 - leftsubnet=10.1.0.0/16 - right=192.168.0.2 - rightsubnet=10.1.0.0/16 - keyingtries=%forever - auto=add -.ft -.fi -.PP -A note on terminology: There are two kinds of communications going on: -transmission of user IP packets, and gateway-to-gateway negotiations for -keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 -and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA' or 'Child SA'. -strongSwan currently uses two separate keying daemons. \fIpluto\fP handles -all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 -protocol. -.PP -To avoid trivial editing of the configuration file to suit it to each system -involved in a connection, -connection specifications are written in terms of -.I left -and -.I right -participants, -rather than in terms of local and remote. 
-Which participant is considered -.I left -or -.I right -is arbitrary; -for every connection description an attempt is made to figure out whether -the local endpoint should act as the -.I left -or -.I right -endpoint. This is done by matching the IP addresses defined for both endpoints -with the IP addresses assigned to local network interfaces. If a match is found -then the role (left or right) that matches is going to be considered local. -If no match is found during startup, -.I left -is considered local. -This permits using identical connection specifications on both ends. -There are cases where there is no symmetry; a good convention is to -use -.I left -for the local side and -.I right -for the remote side (the first letters are a good mnemonic). -.PP -Many of the parameters relate to one participant or the other; -only the ones for -.I left -are listed here, but every parameter whose name begins with -.B left -has a -.B right -counterpart, -whose description is the same but with -.B left -and -.B right -reversed. -.PP -Parameters are optional unless marked '(required)'. -.SS "CONN PARAMETERS" -Unless otherwise noted, for a connection to work, -in general it is necessary for the two ends to agree exactly -on the values of these parameters. -.TP 14 -.B ah -AH authentication algorithm to be used -for the connection, e.g. -.B hmac-md5. -.TP -.B auth -whether authentication should be done as part of -ESP encryption, or separately using the AH protocol; -acceptable values are -.B esp -(the default) and -.BR ah . -.br -The IKEv2 daemon currently supports ESP only. -.TP -.B authby -how the two security gateways should authenticate each other; -acceptable values are -.B secret -or -.B psk -for pre-shared secrets, -.B pubkey -(the default) for public key signatures as well as the synonyms -.B rsasig -for RSA digital signatures and -.B ecdsasig -for Elliptic Curve DSA signatures. 
-.B never -can be used if negotiation is never to be attempted or accepted (useful for -shunt-only conns). -Digital signatures are superior in every way to shared secrets. -IKEv1 additionally supports the values -.B xauthpsk -and -.B xauthrsasig -that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode -based on shared secrets or digital RSA signatures, respectively. -IKEv2 additionally supports the value -.BR eap , -which indicates an initiator to request EAP authentication. The EAP method -to use is selected by the server (see -.BR eap ). -This parameter is deprecated for IKEv2 connections, as two peers do not need -to agree on an authentication method. Use the -.B leftauth -parameter instead to define authentication methods in IKEv2. -.TP -.B auto -what operation, if any, should be done automatically at IPsec startup; -currently-accepted values are -.BR add , -.BR route , -.B start -and -.B ignore -(the default). -.B add -loads a connection without starting it. -.B route -loads a connection and installs kernel traps. If traffic is detected between -.B leftsubnet -and -.B rightsubnet -, a connection is established. -.B start -loads a connection and brings it up immediatly. -.B ignore -ignores the connection. This is equal to delete a connection from the config -file. -Relevant only locally, other end need not agree on it -(but in general, for an intended-to-be-permanent connection, -both ends should use -.B auto=start -to ensure that any reboot causes immediate renegotiation). -.TP -.B compress -whether IPComp compression of content is proposed on the connection -(link-level compression does not work on encrypted data, -so to be effective, compression must be done \fIbefore\fR encryption); -acceptable values are -.B yes -and -.B no -(the default). A value of -.B yes -causes IPsec to propose both compressed and uncompressed, -and prefer compressed. 
-A value of -.B no -prevents IPsec from proposing compression; -a proposal to compress will still be accepted. -.TP -.B dpdaction -controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where -R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) -are periodically sent in order to check the -liveliness of the IPsec peer. The values -.BR clear , -.BR hold , -and -.B restart -all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted -.RB ( clear ), -put in the hold state -.RB ( hold ) -or restarted -.RB ( restart ). -For IKEv1, the default is -.B none -which disables the active sending of R_U_THERE notifications. -Nevertheless pluto will always send the DPD Vendor ID during connection set up -in order to signal the readiness to act passively as a responder if the peer -wants to use DPD. For IKEv2, -.B none -does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default -.RB ( clear ). -.TP -.B dpddelay -defines the period time interval with which R_U_THERE messages/INFORMATIONAL -exchanges are sent to the peer. These are only sent if no other traffic is -received. In IKEv2, a value of 0 sends no additional INFORMATIONAL -messages and uses only standard messages (such as those to rekey) to detect -dead peers. -.TP -.B dpdtimeout -defines the timeout interval, after which all connections to a peer are deleted -in case of inactivity. This only applies to IKEv1, in IKEv2 the default -retransmission timeout applies, as every exchange is used to detect dead peers. -.TP -.B inactivity -defines the timeout interval, after which a CHILD_SA is closed if it did -not send or receive any traffic. Currently supported in IKEv2 connections only. -.TP -.B eap -defines the EAP type to propose as server if the client requests EAP -authentication. 
Currently supported values are -.B aka -for EAP-AKA, -.B gtc -for EAP-GTC, -.B md5 -for EAP-MD5, -.B mschapv2 -for EAP-MS-CHAPv2, -.B radius -for the EAP-RADIUS proxy and -.B sim -for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a -definition in the form -.B eap=type-vendor -(e.g. eap=7-12345) can be used to specify vendor specific EAP types. -This parameter is deprecated in the favour of -.B leftauth. - -To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set -.BR eap=radius . -.TP -.B eap_identity -defines the identity the client uses to reply to a EAP Identity request. -If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value -.B %identity -uses the EAP Identity method to ask the client for an EAP identity. If not -defined, the IKEv2 identity will be used as EAP identity. -.TP -.B esp -comma-separated list of ESP encryption/authentication algorithms to be used -for the connection, e.g. -.BR 3des-md5 . -The notation is -.BR encryption-integrity-[dh-group] . -.br -If -.B dh-group -is specified, CHILD_SA setup and rekeying include a separate diffe hellman -exchange (IKEv2 only). -.TP -.B forceencaps -Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to surmount restrictive firewalls. In order to force the peer to -encapsulate packets, NAT detection payloads are faked (IKEv2 only). -.TP -.B ike -comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -to be used, e.g. -.BR aes128-sha1-modp2048 . -The notation is -.BR encryption-integrity-dhgroup . -In IKEv2, multiple algorithms and proposals may be included, such as -.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. -.TP -.B ikelifetime -how long the keying channel of a connection (ISAKMP or IKE SA) -should last before being renegotiated. 
-.TP -.B installpolicy -decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful cooperation e.g. with -the Mobile IPv6 daemon mip6d who wants to control the kernel policies. -Acceptable values are -.B yes -(the default) and -.BR no . -.TP -.B keyexchange -method of key exchange; -which protocol should be used to initialize the connection. Connections marked with -.B ikev1 -are initiated with pluto, those marked with -.B ikev2 -with charon. An incoming request from the remote peer is handled by the correct -daemon, unaffected from the -.B keyexchange -setting. The default value -.B ike -currently is a synonym for -.BR ikev1 . -.TP -.B keyingtries -how many attempts (a whole number or \fB%forever\fP) should be made to -negotiate a connection, or a replacement for one, before giving up -(default -.BR %forever ). -The value \fB%forever\fP -means 'never give up'. -Relevant only locally, other end need not agree on it. -.TP -.B keylife -synonym for -.BR lifetime . -.TP -.B left -(required) -the IP address of the left participant's public-network interface -or one of several magic values. -If it is -.BR %defaultroute , -.B left -will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time and -during configuration update). -Either -.B left -or -.B right -may be -.BR %defaultroute , -but not both. -The prefix -.B % -in front of a fully-qualified domain name or an IP address will implicitly set -.B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or -update time then -.B left=%any -and -.B leftallowany=no -will be assumed. - -In case of an IKEv2 connection, the value -.B %any -for the local endpoint signifies an address to be filled in (by automatic -keying) during negotiation. 
If the local peer initiates the connection setup -the routing table will be queried to determine the correct local IP address. -In case the local peer is responding to a connection setup then any IP address -that is assigned to a local interface will be accepted. -.br -Note that specifying -.B %any -for the local endpoint is not supported by the IKEv1 pluto daemon. - -If -.B %any -is used for the remote endpoint it literally means any IP address. - -Please note that with the usage of wildcards multiple connection descriptions -might match a given incoming connection attempt. The most specific description -is used in that case. -.TP -.B leftallowany -a modifier for -.B left -, making it behave as -.B %any -although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec -startup or update time. -Acceptable values are -.B yes -and -.B no -(the default). -.TP -.B leftauth -Authentication method to use locally (left) or require from the remote (right) -side. -This parameter is supported in IKEv2 only. Acceptable values are -.B pubkey -for public key authentication (RSA/ECDSA), -.B psk -for pre-shared key authentication and -.B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of -.B eap, -an optional EAP method can be appended. Currently defined methods are -.BR eap-aka , -.BR eap-gtc , -.BR eap-md5 , -.B eap-mschapv2 -and -.BR eap-sim . -Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific -EAP methods are defined in the form -.B eap-type-vendor -.RB "(e.g. " eap-7-12345 ). -.TP -.B leftauth2 -Same as -.BR leftauth , -but defines an additional authentication exchange. IKEv2 supports multiple -authentication rounds using "Multiple Authentication Exchanges" defined -in RFC4739. This allows, for example, separated authentication -of host and user (IKEv2 only). 
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only.
When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
- plutodebug=all
- crlcheckinterval=10m
- strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in
deleted file mode 100644
index 3d2940a66..000000000
--- a/src/starter/ipsec.conf.5.in
+++ /dev/null
@@ -1,1330 +0,0 @@
-.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
-.SH NAME
-ipsec.conf \- IPsec configuration and connections
-.SH DESCRIPTION
-The optional
-.I ipsec.conf
-file
-specifies most configuration and control information for the
-strongSwan IPsec subsystem.
-The major exception is secrets for authentication;
-see
-.IR ipsec.secrets (5).
-Its contents are not security-sensitive.
-.PP
-The file is a text file, consisting of one or more
-.IR sections .
-White space followed by
-.B #
-followed by anything to the end of the line
-is a comment and is ignored,
-as are empty lines which are not within a section.
-.PP
-A line which contains
-.B include
-and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
-If the file name is not a full pathname,
-it is considered to be relative to the directory containing the
-including file.
-Such inclusions can be nested.
-Only a single filename may be supplied, and it may not contain white space,
-but it may include shell wildcards (see
-.IR sh (1));
-for example:
-.PP
-.B include
-.B "ipsec.*.conf"
-.PP
-The intention of the include facility is mostly to permit keeping
-information on connections, or sets of connections,
-separate from the main configuration file.
-This permits such connection descriptions to be changed,
-copied to the other security gateways involved, etc.,
-without having to constantly extract them from the configuration
-file and then insert them back into it.
-Note also the
-.B also
-parameter (described below) which permits splitting a single logical
-section (e.g. a connection description) into several actual sections.
-.PP
-A section
-begins with a line of the form:
-.PP
-.I type
-.I name
-.PP
-where
-.I type
-indicates what type of section follows, and
-.I name
-is an arbitrary name which distinguishes the section from others
-of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
-All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
-.PP
-Lines within the section are generally of the form
-.PP
-\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
-.PP
-(note the mandatory preceding white space).
-There can be white space on either side of the
-.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
-.PP
-An empty
-.I value
-stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
-A
-.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
-.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
-.PP
-Numeric values are specified to be either an ``integer''
-(a sequence of digits) or a ``decimal number''
-(sequence of digits optionally followed by `.' and another sequence of digits).
-.PP
-There is currently one parameter which is available in any type of
-section:
-.TP
-.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
-.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
-.PP
-A section with name
-.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
-.PP
-Currently there are three types of sections:
-a
-.B config
-section specifies general configuration information for IPsec, a
-.B conn
-section specifies an IPsec connection, while a
-.B ca
-section specifies special properties of a certification authority.
-.SH "CONN SECTIONS"
-A
-.B conn
-section contains a
-.IR "connection specification" ,
-defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection.
-Here's a simple example:
-.PP
-.ne 10
-.nf
-.ft B
-.ta 1c
-conn snt
- left=192.168.0.1
- leftsubnet=10.1.0.0/16
- right=192.168.0.2
- rightsubnet=10.1.0.0/16
- keyingtries=%forever
- auto=add
-.ft
-.fi
-.PP
-A note on terminology: There are two kinds of communications going on:
-transmission of user IP packets, and gateway-to-gateway negotiations for
-keying, rekeying, and general control.
-The path to control the connection is called 'ISAKMP SA' in IKEv1
-and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
-level data path, is called 'IPsec SA' or 'Child SA'.
-strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
-all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
-protocol.
-.PP
-To avoid trivial editing of the configuration file to suit it to each system
-involved in a connection,
-connection specifications are written in terms of
-.I left
-and
-.I right
-participants,
-rather than in terms of local and remote.
-Which participant is considered
-.I left
-or
-.I right
-is arbitrary;
-for every connection description an attempt is made to figure out whether
-the local endpoint should act as the
-.I left
-or
-.I right
-endpoint. This is done by matching the IP addresses defined for both endpoints
-with the IP addresses assigned to local network interfaces. If a match is found
-then the role (left or right) that matches is going to be considered local.
-If no match is found during startup,
-.I left
-is considered local.
-This permits using identical connection specifications on both ends.
-There are cases where there is no symmetry; a good convention is to
-use
-.I left
-for the local side and
-.I right
-for the remote side (the first letters are a good mnemonic).
-.PP
-Many of the parameters relate to one participant or the other;
-only the ones for
-.I left
-are listed here, but every parameter whose name begins with
-.B left
-has a
-.B right
-counterpart,
-whose description is the same but with
-.B left
-and
-.B right
-reversed.
-.PP
-Parameters are optional unless marked '(required)'.
-.SS "CONN PARAMETERS"
-Unless otherwise noted, for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
-.B ah
-AH authentication algorithm to be used
-for the connection, e.g.
-.B hmac-md5.
-.TP
-.B auth
-whether authentication should be done as part of
-ESP encryption, or separately using the AH protocol;
-acceptable values are
-.B esp
-(the default) and
-.BR ah .
-.br
-The IKEv2 daemon currently supports ESP only.
-.TP
-.B authby
-how the two security gateways should authenticate each other;
-acceptable values are
-.B secret
-or
-.B psk
-for pre-shared secrets,
-.B pubkey
-(the default) for public key signatures as well as the synonyms
-.B rsasig
-for RSA digital signatures and
-.B ecdsasig
-for Elliptic Curve DSA signatures.
-.B never
-can be used if negotiation is never to be attempted or accepted (useful for
-shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
-IKEv1 additionally supports the values
-.B xauthpsk
-and
-.B xauthrsasig
-that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
-This parameter is deprecated for IKEv2 connections, as two peers do not need
-to agree on an authentication method. Use the
-.B leftauth
-parameter instead to define authentication methods in IKEv2.
-.TP
-.B auto
-what operation, if any, should be done automatically at IPsec startup;
-currently-accepted values are
-.BR add ,
-.BR route ,
-.B start
-and
-.B ignore
-(the default).
-.B add
-loads a connection without starting it.
-.B route
-loads a connection and installs kernel traps. If traffic is detected between
-.B leftsubnet
-and
-.B rightsubnet
-, a connection is established.
-.B start
-loads a connection and brings it up immediatly.
-.B ignore
-ignores the connection. This is equal to delete a connection from the config
-file.
-Relevant only locally, other end need not agree on it
-(but in general, for an intended-to-be-permanent connection,
-both ends should use
-.B auto=start
-to ensure that any reboot causes immediate renegotiation).
-.TP
-.B compress
-whether IPComp compression of content is proposed on the connection
-(link-level compression does not work on encrypted data,
-so to be effective, compression must be done \fIbefore\fR encryption);
-acceptable values are
-.B yes
-and
-.B no
-(the default). A value of
-.B yes
-causes IPsec to propose both compressed and uncompressed,
-and prefer compressed.
-A value of
-.B no
-prevents IPsec from proposing compression;
-a proposal to compress will still be accepted.
-.TP
-.B dpdaction
-controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
-are periodically sent in order to check the
-liveliness of the IPsec peer. The values
-.BR clear ,
-.BR hold ,
-and
-.B restart
-all activate DPD. If no activity is detected, all connections with a dead peer
-are stopped and unrouted
-.RB ( clear ),
-put in the hold state
-.RB ( hold )
-or restarted
-.RB ( restart ).
-For IKEv1, the default is
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. For IKEv2,
-.B none
-does't make sense, since all messages are used to detect dead peers. If specified,
-it has the same meaning as the default
-.RB ( clear ).
-.TP
-.B dpddelay
-defines the period time interval with which R_U_THERE messages/INFORMATIONAL
-exchanges are sent to the peer. These are only sent if no other traffic is
-received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
-messages and uses only standard messages (such as those to rekey) to detect
-dead peers.
-.TP
-.B dpdtimeout
-defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity. This only applies to IKEv1, in IKEv2 the default
-retransmission timeout applies, as every exchange is used to detect dead peers.
-.TP
-.B inactivity
-defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic. Currently supported in IKEv2 connections only.
-.TP
-.B eap
-defines the EAP type to propose as server if the client requests EAP
-authentication.
Currently supported values are -.B aka -for EAP-AKA, -.B gtc -for EAP-GTC, -.B md5 -for EAP-MD5, -.B mschapv2 -for EAP-MS-CHAPv2, -.B radius -for the EAP-RADIUS proxy and -.B sim -for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a -definition in the form -.B eap=type-vendor -(e.g. eap=7-12345) can be used to specify vendor specific EAP types. -This parameter is deprecated in the favour of -.B leftauth. - -To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set -.BR eap=radius . -.TP -.B eap_identity -defines the identity the client uses to reply to a EAP Identity request. -If defined on the EAP server, the defined identity will be used as peer -identity during EAP authentication. The special value -.B %identity -uses the EAP Identity method to ask the client for an EAP identity. If not -defined, the IKEv2 identity will be used as EAP identity. -.TP -.B esp -comma-separated list of ESP encryption/authentication algorithms to be used -for the connection, e.g. -.BR 3des-md5 . -The notation is -.BR encryption-integrity-[dh-group] . -.br -If -.B dh-group -is specified, CHILD_SA setup and rekeying include a separate diffe hellman -exchange (IKEv2 only). -.TP -.B forceencaps -Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to surmount restrictive firewalls. In order to force the peer to -encapsulate packets, NAT detection payloads are faked (IKEv2 only). -.TP -.B ike -comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms -to be used, e.g. -.BR aes128-sha1-modp2048 . -The notation is -.BR encryption-integrity-dhgroup . -In IKEv2, multiple algorithms and proposals may be included, such as -.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. -.TP -.B ikelifetime -how long the keying channel of a connection (ISAKMP or IKE SA) -should last before being renegotiated. 
-.TP
-.B installpolicy
-decides whether IPsec policies are installed in the kernel by the IKEv2
-charon daemon for a given connection. Allows peaceful cooperation e.g. with
-the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
-Acceptable values are
-.B yes
-(the default) and
-.BR no .
-.TP
-.B keyexchange
-method of key exchange;
-which protocol should be used to initialize the connection. Connections marked with
-.B ikev1
-are initiated with pluto, those marked with
-.B ikev2
-with charon. An incoming request from the remote peer is handled by the correct
-daemon, unaffected from the
-.B keyexchange
-setting. The default value
-.B ike
-currently is a synonym for
-.BR ikev1 .
-.TP
-.B keyingtries
-how many attempts (a whole number or \fB%forever\fP) should be made to
-negotiate a connection, or a replacement for one, before giving up
-(default
-.BR %forever ).
-The value \fB%forever\fP
-means 'never give up'.
-Relevant only locally, other end need not agree on it.
-.TP
-.B keylife
-synonym for
-.BR lifetime .
-.TP
-.B left
-(required)
-the IP address of the left participant's public-network interface
-or one of several magic values.
-If it is
-.BR %defaultroute ,
-.B left
-will be filled in automatically with the local address
-of the default-route interface (as determined at IPsec startup time and
-during configuration update).
-Either
-.B left
-or
-.B right
-may be
-.BR %defaultroute ,
-but not both.
-The prefix
-.B %
-in front of a fully-qualified domain name or an IP address will implicitly set
-.B leftallowany=yes.
-If the domain name cannot be resolved into an IP address at IPsec startup or
-update time then
-.B left=%any
-and
-.B leftallowany=no
-will be assumed.
-
-In case of an IKEv2 connection, the value
-.B %any
-for the local endpoint signifies an address to be filled in (by automatic
-keying) during negotiation. If the local peer initiates the connection setup
-the routing table will be queried to determine the correct local IP address.
-In case the local peer is responding to a connection setup then any IP address
-that is assigned to a local interface will be accepted.
-.br
-Note that specifying
-.B %any
-for the local endpoint is not supported by the IKEv1 pluto daemon.
-
-If
-.B %any
-is used for the remote endpoint it literally means any IP address.
-
-Please note that with the usage of wildcards multiple connection descriptions
-might match a given incoming connection attempt. The most specific description
-is used in that case.
-.TP
-.B leftallowany
-a modifier for
-.B left
-, making it behave as
-.B %any
-although a concrete IP address has been assigned.
-Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
-startup or update time.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftauth
-Authentication method to use locally (left) or require from the remote (right)
-side.
-This parameter is supported in IKEv2 only. Acceptable values are
-.B pubkey
-for public key authentication (RSA/ECDSA),
-.B psk
-for pre-shared key authentication and
-.B eap
-to (require the) use of the Extensible Authentication Protocol. In the case
-of
-.B eap,
-an optional EAP method can be appended. Currently defined methods are
-.BR eap-aka ,
-.BR eap-gtc ,
-.BR eap-md5 ,
-.B eap-mschapv2
-and
-.BR eap-sim .
-Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
-EAP methods are defined in the form
-.B eap-type-vendor
-.RB "(e.g. " eap-7-12345 ).
-.TP
-.B leftauth2
-Same as
-.BR leftauth ,
-but defines an additional authentication exchange. IKEv2 supports multiple
-authentication rounds using "Multiple Authentication Exchanges" defined
-in RFC4739. This allows, for example, separated authentication
-of host and user (IKEv2 only).
-.TP
-.B leftca
-the distinguished name of a certificate authority which is required to
-lie in the trust path going from the left participant's certificate up
-to the root certification authority.
-.TP
-.B leftca2
-Same as
-.B leftca,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftcert
-the path to the left participant's X.509 certificate. The file can be encoded
-either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-are accepted. By default
-.B leftcert
-sets
-.B leftid
-to the distinguished name of the certificate's subject and
-.B leftca
-to the distinguished name of the certificate's issuer.
-The left participant's ID can be overriden by specifying a
-.B leftid
-value which must be certified by the certificate, though.
-.TP
-.B leftcert2
-Same as
-.B leftcert,
-but for the second authentication round (IKEv2 only).
-.TP
-.B leftfirewall
-whether the left participant is doing forwarding-firewalling
-(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
-which should be turned off (for traffic to the other subnet)
-once the connection is established;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-May not be used in the same connection description with
-.BR leftupdown .
-Implemented as a parameter to the default \fBipsec _updown\fR script.
-See notes below.
-Relevant only locally, other end need not agree on it.
-
-If one or both security gateways are doing forwarding firewalling
-(possibly including masquerading),
-and this is specified using the firewall parameters,
-tunnels established with IPsec are exempted from it
-so that packets can flow unchanged through the tunnels.
-(This means that all subnets connected in this manner must have
-distinct, non-overlapping subnet address blocks.)
-This is done by the default \fBipsec _updown\fR script (see
-.IR pluto (8)).
-
-In situations calling for more control,
-it may be preferable for the user to supply his own
-.I updown
-script,
-which makes the appropriate adjustments for his system.
-.TP
-.B leftgroups
-a comma separated list of group names. If the
-.B leftgroups
-parameter is present then the peer must be a member of at least one
-of the groups defined by the parameter. Group membership must be certified
-by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
-been issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts/\fP.
-.br
-Attribute certificates are not supported in IKEv2 yet.
-.TP
-.B lefthostaccess
-inserts a pair of INPUT and OUTPUT iptables rules using the default
-\fBipsec _updown\fR script, thus allowing access to the host itself
-in the case where the host's internal interface is part of the
-negotiated client subnet.
-Acceptable values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B leftid
-how the left participant should be identified for authentication;
-defaults to
-.BR left .
-Can be an IP address or a fully-qualified domain name preceded by
-.B @
-(which is used as a literal string and not resolved).
-.TP
-.B leftid2
-identity to use for a second authentication for the left participant
-(IKEv2 only); defaults to
-.BR leftid .
-.TP
-.B leftikeport
-UDP port the left participant uses for IKE communication. Currently supported in
-IKEv2 connections only. If unspecified, port 500 is used with the port floating
-to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
-different from the default additionally requires a socket implementation that
-listens to this port.
-.TP
-.B leftnexthop
-this parameter is usually not needed any more because the NETKEY IPsec stack
-does not require explicit routing entries for the traffic to be tunneled. If
-.B leftsourceip
-is used with IKEv1 then
-.B leftnexthop
-must still be set in order for the source routes to work properly.
-.TP
-.B leftprotoport
-restrict the traffic selector to a single protocol and/or port.
-Examples:
-.B leftprotoport=tcp/http
-or
-.B leftprotoport=6/80
-or
-.B leftprotoport=udp
-.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftsendcert
-Accepted values are
-.B never
-or
-.BR no ,
-.B always
-or
-.BR yes ,
-and
-.BR ifasked ,
-the latter meaning that the peer must send a certificate request payload in
-order to get a certificate in return.
-.TP
-.B leftsourceip
-The internal source IP to use in a tunnel, also known as virtual IP. If the
-value is one of the synonyms
-.BR %modeconfig ,
-.BR %modecfg ,
-.BR %config ,
-or
-.BR %cfg ,
-an address is requested from the peer. In IKEv2, a statically defined address
-is also requested, since the server may change it.
-.TP
-.B rightsourceip
-The internal source IP to use in a tunnel for the remote peer. If the
-value is
-.B %config
-on the responder side, the initiator must propose an address which is then
-echoed back. Also supported are address pools expressed as
-\fInetwork\fB/\fInetmask\fR
-or the use of an external IP address pool using %\fIpoolname\fR,
-where \fIpoolname\fR is the name of the IP address pool used for the lookup.
-.TP
-.B leftsubnet
-private subnet behind the left participant, expressed as
-\fInetwork\fB/\fInetmask\fR;
-if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant
-only. When using IKEv2, the configured subnet of the peers may differ, the
-protocol narrows it to the greatest common subnet. Further, IKEv2 supports
-multiple subnets separated by commas. IKEv1 only interprets the first subnet
-of such a definition.
-.TP
-.B leftsubnetwithin
-the peer can propose any subnet or single IP address that fits within the
-range defined by
-.BR leftsubnetwithin.
-Not relevant for IKEv2, as subnets are narrowed.
-.TP
-.B leftupdown
-what ``updown'' script to run to adjust routing and/or firewalling
-when the status of the connection
-changes (default
-.BR "ipsec _updown" ).
-May include positional parameters separated by white space
-(although this requires enclosing the whole string in quotes);
-including shell metacharacters is unwise.
-See
-.IR pluto (8)
-for details.
-Relevant only locally, other end need not agree on it. IKEv2 uses the updown
-script to insert firewall rules only, since routing has been implemented
-directly into charon.
-.TP
-.B lifebytes
-the number of bytes transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifepackets
-the number of packets transmitted over an IPsec SA before it expires (IKEv2
-only).
-.TP
-.B lifetime
-how long a particular instance of a connection
-(a set of encryption/authentication keys for user packets) should last,
-from successful negotiation to expiry;
-acceptable values are an integer optionally followed by
-.BR s
-(a time in seconds)
-or a decimal number followed by
-.BR m ,
-.BR h ,
-or
-.B d
-(a time
-in minutes, hours, or days respectively)
-(default
-.BR 1h ,
-maximum
-.BR 24h ).
-Normally, the connection is renegotiated (via the keying channel)
-before it expires (see
-.BR margintime ).
-The two ends need not exactly agree on
-.BR lifetime ,
-although if they do not,
-there will be some clutter of superseded connections on the end
-which thinks the lifetime is longer.
-.TP
-.B marginbytes
-how many bytes before IPsec SA expiry (see
-.BR lifebytes )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B marginpackets
-how many packets before IPsec SA expiry (see
-.BR lifepackets )
-should attempts to negotiate a replacement begin (IKEv2 only).
-.TP
-.B margintime
-how long before connection expiry or keying-channel expiry
-should attempts to
-negotiate a replacement
-begin; acceptable values as for
-.B lifetime
-(default
-.BR 9m ).
-Relevant only locally, other end need not agree on it.
-.TP
-.B mark
-sets an XFRM mark of the form <value>[/<mask>] in the inbound and outbound
-IPsec SAs and policies (IKEv2 only). If the mask is missing then a default
-mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_in
-sets an XFRM mark of the form <value>[/<mask>] in the inbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mark_out
-sets an XFRM mark of the form <value>[/<mask>] in the outbound IPsec SA and policy
-(IKEv2 only). If the mask is missing then a default mask of
-.B 0xffffffff
-is assumed.
-.TP
-.B mobike
-enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are
-.B yes
-(the default) and
-.BR no .
-If set to
-.BR no ,
-the IKEv2 charon daemon will not actively propose MOBIKE as initiator and
-ignore the MOBIKE_SUPPORTED notify as responder.
-.TP
-.B modeconfig
-defines which mode is used to assign a virtual IP.
-Accepted values are
-.B push
-and
-.B pull
-(the default).
-Currently relevant for IKEv1 only since IKEv2 always uses the configuration
-payload in pull mode. Cisco VPN gateways usually operate in
-.B push
-mode.
-.TP
-.B pfs
-whether Perfect Forward Secrecy of keys is desired on the connection's
-keying channel
-(with PFS, penetration of the key-exchange protocol
-does not compromise keys negotiated earlier);
-acceptable values are
-.B yes
-(the default)
-and
-.BR no.
-IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying
-PFS is enforced by defining a Diffie-Hellman modp group in the
-.B esp
-parameter.
-.TP
-.B pfsgroup
-defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode
-differing from the DH group used for IKEv1 Main Mode (IKEv1 only).
-.TP
-.B reauth
-whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
-reauthentication is always done. In IKEv2, a value of
-.B no
-rekeys without uninstalling the IPsec SAs, a value of
-.B yes
-(the default) creates a new IKE_SA from scratch and tries to recreate
-all IPsec SAs.
-.TP
-.B rekey
-whether a connection should be renegotiated when it is about to expire;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-The two ends need not agree, but while a value of
-.B no
-prevents pluto/charon from requesting renegotiation,
-it does not prevent responding to renegotiation requested from the other end,
-so
-.B no
-will be largely ineffective unless both ends agree on it.
-.TP
-.B rekeyfuzz
-maximum percentage by which
-.BR marginbytes ,
-.B marginpackets
-and
-.B margintime
-should be randomly increased to randomize rekeying intervals
-(important for hosts with many connections);
-acceptable values are an integer,
-which may exceed 100,
-followed by a `%'
-(defaults to
-.BR 100% ).
-The value of
-.BR marginTYPE ,
-after this random increase,
-must not exceed
-.B lifeTYPE
-(where TYPE is one of
-.IR bytes ,
-.I packets
-or
-.IR time ).
-The value
-.B 0%
-will suppress randomization.
-Relevant only locally, other end need not agree on it.
-.TP
-.B rekeymargin
-synonym for
-.BR margintime .
-.TP
-.B reqid
-sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only).
-.TP
-.B type
-the type of the connection; currently the accepted values
-are
-.B tunnel
-(the default)
-signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
-.BR transport ,
-signifying host-to-host transport mode;
-.BR transport_proxy ,
-signifying the special Mobile IPv6 transport proxy mode;
-.BR passthrough ,
-signifying that no IPsec processing should be done at all;
-.BR drop ,
-signifying that packets should be discarded; and
-.BR reject ,
-signifying that packets should be discarded and a diagnostic ICMP returned.
-The IKEv2 daemon charon currently supports
-.BR tunnel ,
-.BR transport ,
-and
-.BR tunnel_proxy
-connection types, only.
-.TP
-.B xauth
-specifies the role in the XAUTH protocol if activated by
-.B authby=xauthpsk
-or
-.B authby=xauthrsasig.
-Accepted values are
-.B server
-and
-.B client
-(the default).
-
-.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION"
-The following parameters are relevant to IKEv2 Mediation Extension
-operation only.
-.TP 14
-.B mediation
-whether this connection is a mediation connection, ie. whether this
-connection is used to mediate other connections. Mediation connections
-create no child SA. Acceptable values are
-.B no
-(the default) and
-.BR yes .
-.TP
-.B mediated_by
-the name of the connection to mediate this connection through. If given,
-the connection will be mediated through the named mediation connection.
-The mediation connection must set
-.BR mediation=yes .
-.TP
-.B me_peerid
-ID as which the peer is known to the mediation server, ie. which the other
-end of this connection uses as its
-.B leftid
-on its connection to the mediation server. This is the ID we request the
-mediation server to mediate us with. If
-.B me_peerid
-is not given, the
-.B rightid
-of this connection will be used as peer ID.
-
-.SH "CA SECTIONS"
-This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
-.TP 10
-.B auto
-currently can have either the value
-.B ignore
-or
-.B add
-.
-.TP
-.B cacert
-defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-.TP
-.B crluri
-defines a CRL distribution point (ldap, http, or file URI)
-.TP
-.B crluri1
-synonym for
-.B crluri.
-.TP
-.B crluri2
-defines an alternative CRL distribution point (ldap, http, or file URI)
-.TP
-.B ldaphost
-defines an ldap host. Currently used by IKEv1 only.
-.TP
-.B ocspuri
-defines an OCSP URI.
-.TP
-.B ocspuri1
-synonym for
-.B ocspuri.
-.TP
-.B ocspuri2
-defines an alternative OCSP URI. Currently used by IKEv2 only.
-.TP
-.B certuribase
-defines the base URI for the Hash and URL feature supported by IKEv2.
-Instead of exchanging complete certificates, IKEv2 allows to send an URI
-that resolves to the DER encoded certificate. The certificate URIs are built
-by appending the SHA1 hash of the DER encoded certificates to this base URI.
-.SH "CONFIG SECTIONS"
-At present, the only
-.B config
-section known to the IPsec software is the one named
-.BR setup ,
-which contains information used when the software is being started.
-Here's an example:
-.PP
-.ne 8
-.nf
-.ft B
-.ta 1c
-config setup
- plutodebug=all
- crlcheckinterval=10m
- strictcrlpolicy=yes
-.ft
-.fi
-.PP
-Parameters are optional unless marked ``(required)''.
-The currently-accepted
-.I parameter
-names in a
-.B config
-.B setup
-section affecting both daemons are:
-.TP 14
-.B cachecrls
-certificate revocation lists (CRLs) fetched via http or ldap will be cached in
-\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification
-authority's public key.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B charonstart
-whether to start the IKEv2 Charon daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv2 support.
-.TP
-.B dumpdir
-in what directory should things started by \fBipsec starter\fR
-(notably the Pluto and Charon daemons) be allowed to dump core?
-The empty value (the default) means they are not
-allowed to.
-This feature is currently not yet supported by \fBipsec starter\fR.
-.TP
-.B plutostart
-whether to start the IKEv1 Pluto daemon or not.
-Accepted values are
-.B yes
-or
-.BR no .
-The default is
-.B yes
-if starter was compiled with IKEv1 support.
-.TP
-.B strictcrlpolicy
-defines if a fresh CRL must be available in order for the peer authentication based
-on RSA signatures to succeed.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-IKEv2 additionally recognizes
-.B ifuri
-which reverts to
-.B yes
-if at least one CRL URI is defined and to
-.B no
-if no URI is known.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
-.PP
-The following
-.B config section
-parameters are used by the IKEv1 Pluto daemon only:
-.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
-.B keep_alive
-interval in seconds between NAT keep alive packets, the default being 20 seconds.
-.TP
-.B nat_traversal
-activates NAT traversal by accepting source ISAKMP ports different from udp/500 and
-being able of floating to udp/4500 if a NAT situation is detected.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-Used by IKEv1 only, NAT traversal always being active in IKEv2.
-.TP
-.B nocrsend
-no certificate request payloads will be sent.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11initargs
-non-standard argument string for PKCS#11 C_Initialize() function;
-required by NSS softoken.
-.TP
-.B pkcs11module
-defines the path to a dynamically loadable PKCS #11 library.
-.TP
-.B pkcs11keepstate
-PKCS #11 login sessions will be kept during the whole lifetime of the keying
-daemon. Useful with pin-pad smart card readers.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B pkcs11proxy
-Pluto will act as a PKCS #11 proxy accessible via the whack interface.
-Accepted values are
-.B yes
-and
-.B no
-(the default).
-.TP
-.B plutodebug
-how much Pluto debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names without the
-.B \-\-debug\-
-prefix,
-separated by white space) are enabled;
-for details on available debugging types, see
-.IR pluto (8).
-.TP
-.B plutostderrlog
-Pluto will not use syslog, but rather log to stderr, and redirect stderr
-to the argument file.
-.TP
-.B postpluto
-shell command to run after starting Pluto
-(e.g., to remove a decrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B prepluto
-shell command to run before starting Pluto
-(e.g., to decrypt an encrypted copy of the
-.I ipsec.secrets
-file).
-It's run in a very simple way;
-complexities like I/O redirection are best hidden within a script.
-Any output is redirected for logging,
-so running interactive commands is difficult unless they use
-.I /dev/tty
-or equivalent for their interaction.
-Default is none.
-.TP
-.B virtual_private
-defines private networks using a wildcard notation.
-.PP
-The following
-.B config section
-parameters are used by the IKEv2 Charon daemon only:
-.TP
-.B charondebug
-how much Charon debugging output should be logged.
-A comma separated list containing type level/pairs may
-be specified, e.g:
-.B dmn 3, ike 1, net -1.
-Acceptable values for types are
-.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
-and the level is one of
-.B -1, 0, 1, 2, 3, 4
-(for silent, audit, control, controlmore, raw, private).
-.PP
-The following
-.B config section
-parameters only make sense if the KLIPS IPsec stack
-is used instead of the default NETKEY stack of the Linux 2.6 kernel:
-.TP
-.B fragicmp
-whether a tunnel's need to fragment a packet should be reported
-back with an ICMP message,
-in an attempt to make the sender lower his PMTU estimate;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-.TP
-.B hidetos
-whether a tunnel packet's TOS field should be set to
-.B 0
-rather than copied from the user packet inside;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no
-.TP
-.B interfaces
-virtual and physical interfaces for IPsec to use:
-a single
-\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
-by white space, or
-.BR %none .
-One of the pairs may be written as
-.BR %defaultroute ,
-which means: find the interface \fId\fR that the default route points to,
-and then act as if the value was ``\fBipsec0=\fId\fR''.
-.B %defaultroute
-is the default;
-.B %none
-must be used to denote no interfaces.
-.TP
-.B overridemtu
-value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
-overriding IPsec's (large) default.
-.SH FILES
-.nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-
-.SH SEE ALSO
-ipsec(8), pluto(8), starter(8)
-.SH HISTORY
-Originally written for the FreeS/WAN project by Henry Spencer.
-Updated and extended for the strongSwan project <http://www.strongswan.org> by
-Tobias Brunner, Andreas Steffen and Martin Willi.
-.SH BUGS
-.PP
-If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP
-will fail.
diff --git a/src/starter/keywords.c b/src/starter/keywords.c
index 1d7cae00b..0c24c7dcf 100644
--- a/src/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@ /* C code produced by gperf version 3.0.3 */ /* Command-line: /usr/bin/gperf -m 10 -C -G -D -t */ -/* Computed positions: -k'1-2,6,$' */ +/* Computed positions: -k'2-3,6,$' */ #if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \ && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 126 +#define TOTAL_KEYWORDS 127 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 20 -#define MAX_HASH_VALUE 220 -/* maximum key range = 201, duplicates = 0 */ +#define MIN_HASH_VALUE 12 +#define MAX_HASH_VALUE 238 +/* maximum key range = 227, duplicates = 0 */ #ifdef __GNUC__ __inline
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 35, - 77, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 8, 221, 31, 221, 20, - 28, 5, 75, 26, 88, 5, 221, 97, 5, 50, - 39, 67, 29, 221, 7, 13, 6, 89, 15, 221, - 5, 24, 7, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, - 221, 221, 221, 221, 221, 221 + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 2, + 104, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 15, 239, 20, 14, 58, + 51, 1, 7, 1, 81, 1, 239, 132, 47, 4, + 1, 49, 10, 9, 23, 1, 20, 48, 4, 239, + 239, 35, 1, 239, 239, 
239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, + 239, 239, 239, 239, 239, 239 }; register int hval = len; @@ -112,11 +112,10 @@ hash (str, len) case 5: case 4: case 3: + hval += asso_values[(unsigned char)str[2]]; + /*FALLTHROUGH*/ case 2: hval += asso_values[(unsigned char)str[1]]; - /*FALLTHROUGH*/ - case 1: - hval += asso_values[(unsigned char)str[0]]; break; } return hval + asso_values[(unsigned char)str[len - 1]]; 
@@ -124,159 +123,161 @@ hash (str, len) static const struct kw_entry wordlist[] = { - {"left", KW_LEFT}, - {"right", KW_RIGHT}, + {"pfs", KW_PFS}, + {"uniqueids", KW_UNIQUEIDS}, + {"rightgroups", KW_RIGHTGROUPS}, {"lifetime", KW_KEYLIFE}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"rightnatip", KW_RIGHTNATIP}, + {"esp", KW_ESP}, + {"rightnexthop", KW_RIGHTNEXTHOP}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"right", KW_RIGHT}, + {"leftupdown", KW_LEFTUPDOWN}, + {"leftnexthop", KW_LEFTNEXTHOP}, + {"left", KW_LEFT}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightsubnet", KW_RIGHTSUBNET}, + {"rightikeport", KW_RIGHTIKEPORT}, + {"rightsendcert", KW_RIGHTSENDCERT}, {"leftcert", KW_LEFTCERT,}, - {"leftfirewall", KW_LEFTFIREWALL}, + {"interfaces", KW_INTERFACES}, + {"lifepackets", KW_LIFEPACKETS}, {"leftsendcert", KW_LEFTSENDCERT}, - {"rightikeport", KW_RIGHTIKEPORT}, - {"leftprotoport", KW_LEFTPROTOPORT}, - {"type", KW_TYPE}, {"leftgroups", KW_LEFTGROUPS}, - {"rekey", KW_REKEY}, - {"rightsubnet", KW_RIGHTSUBNET}, - {"crluri", KW_CRLURI}, - {"rightsendcert", KW_RIGHTSENDCERT}, - {"reqid", KW_REQID}, - {"rightcert", KW_RIGHTCERT}, - {"certuribase", KW_CERTURIBASE}, - {"esp", KW_ESP}, - {"leftallowany", KW_LEFTALLOWANY}, - {"rightid", KW_RIGHTID}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"leftnexthop", KW_LEFTNEXTHOP}, + {"eap", KW_EAP}, + {"rightprotoport", KW_RIGHTPROTOPORT}, + {"leftnatip", KW_LEFTNATIP}, + {"keyingtries", KW_KEYINGTRIES}, + {"type", KW_TYPE}, + {"keylife", KW_KEYLIFE}, + {"mark_in", KW_MARK_IN}, {"lifebytes", KW_LIFEBYTES}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"leftca", KW_LEFTCA}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, - {"rightprotoport", KW_RIGHTPROTOPORT}, - {"rightgroups", KW_RIGHTGROUPS}, - {"plutostart", KW_PLUTOSTART}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {"lifepackets", KW_LIFEPACKETS}, - {"rightsourceip", KW_RIGHTSOURCEIP}, - {"eap", KW_EAP}, - {"cacert", 
KW_CACERT}, - {"rightca", KW_RIGHTCA}, + {"marginpackets", KW_MARGINPACKETS}, + {"certuribase", KW_CERTURIBASE}, {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"leftid", KW_LEFTID}, - {"crluri1", KW_CRLURI}, - {"ldapbase", KW_LDAPBASE}, - {"leftca", KW_LEFTCA}, - {"leftnatip", KW_LEFTNATIP}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"xauth_identity", KW_XAUTH_IDENTITY}, + {"rightid", KW_RIGHTID}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"compress", KW_COMPRESS}, + {"leftprotoport", KW_LEFTPROTOPORT}, + {"overridemtu", KW_OVERRIDEMTU}, + {"reqid", KW_REQID}, {"inactivity", KW_INACTIVITY}, - {"packetdefault", KW_PACKETDEFAULT}, - {"installpolicy", KW_INSTALLPOLICY}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"leftupdown", KW_LEFTUPDOWN}, - {"rightnatip", KW_RIGHTNATIP}, - {"rightnexthop", KW_RIGHTNEXTHOP}, - {"cachecrls", KW_CACHECRLS}, - {"dpddelay", KW_DPDDELAY}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"mediated_by", KW_MEDIATED_BY}, - {"me_peerid", KW_ME_PEERID}, - {"plutodebug", KW_PLUTODEBUG}, - {"eap_identity", KW_EAP_IDENTITY}, - {"leftcert2", KW_LEFTCERT2,}, - {"rightid2", KW_RIGHTID2}, - {"rekeyfuzz", KW_REKEYFUZZ}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"ocspuri", KW_OCSPURI}, - {"also", KW_ALSO}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"mobike", KW_MOBIKE}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, + {"pfsgroup", KW_PFSGROUP}, + {"me_peerid", KW_ME_PEERID}, + {"crluri", KW_CRLURI}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"crluri1", KW_CRLURI}, {"mediation", KW_MEDIATION}, - {"ike", KW_IKE}, - {"dpdaction", KW_DPDACTION}, - {"rekeymargin", KW_REKEYMARGIN}, - {"compress", KW_COMPRESS}, - {"ldaphost", KW_LDAPHOST}, + {"dumpdir", KW_DUMPDIR}, + {"forceencaps", KW_FORCEENCAPS}, {"leftsubnet", KW_LEFTSUBNET}, - {"crluri2", KW_CRLURI2}, - {"rightca2", 
KW_RIGHTCA2}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightcert2", KW_RIGHTCERT2}, - {"pfs", KW_PFS}, - {"leftid2", KW_LEFTID2}, + {"rightca", KW_RIGHTCA}, + {"rightcert", KW_RIGHTCERT}, + {"ocspuri", KW_OCSPURI}, + {"dpdaction", KW_DPDACTION}, + {"ocspuri1", KW_OCSPURI}, {"dpdtimeout", KW_DPDTIMEOUT}, - {"leftikeport", KW_LEFTIKEPORT}, - {"leftca2", KW_LEFTCA2}, + {"installpolicy", KW_INSTALLPOLICY}, {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"xauth", KW_XAUTH}, - {"rightauth2", KW_RIGHTAUTH2}, - {"mark_in", KW_MARK_IN}, - {"mobike", KW_MOBIKE}, - {"margintime", KW_REKEYMARGIN}, - {"dumpdir", KW_DUMPDIR}, - {"ocspuri1", KW_OCSPURI}, + {"ldapbase", KW_LDAPBASE}, + {"also", KW_ALSO}, + {"leftallowany", KW_LEFTALLOWANY}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, {"keyexchange", KW_KEYEXCHANGE}, - {"fragicmp", KW_FRAGICMP}, + {"hidetos", KW_HIDETOS}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, {"rightauth", KW_RIGHTAUTH}, - {"interfaces", KW_INTERFACES}, - {"marginbytes", KW_MARGINBYTES}, - {"marginpackets", KW_MARGINPACKETS}, - {"nocrsend", KW_NOCRSEND}, - {"keep_alive", KW_KEEP_ALIVE}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"keyingtries", KW_KEYINGTRIES}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"uniqueids", KW_UNIQUEIDS}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"charondebug", KW_CHARONDEBUG}, + {"rightid2", KW_RIGHTID2}, + {"leftid", KW_LEFTID}, + {"mediated_by", KW_MEDIATED_BY}, + {"fragicmp", KW_FRAGICMP}, {"mark_out", KW_MARK_OUT}, + {"auto", KW_AUTO}, + {"leftcert2", KW_LEFTCERT2,}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"cacert", KW_CACERT}, + {"plutostart", KW_PLUTOSTART}, + {"eap_identity", KW_EAP_IDENTITY}, + {"prepluto", KW_PREPLUTO}, + {"packetdefault", KW_PACKETDEFAULT}, + {"xauth_identity", KW_XAUTH_IDENTITY}, {"charonstart", KW_CHARONSTART}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"forceencaps", KW_FORCEENCAPS}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + 
{"rightauth2", KW_RIGHTAUTH2}, + {"ike", KW_IKE}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"leftca2", KW_LEFTCA2}, {"authby", KW_AUTHBY}, + {"leftauth", KW_LEFTAUTH}, + {"cachecrls", KW_CACHECRLS}, + {"ldaphost", KW_LDAPHOST}, + {"rekeymargin", KW_REKEYMARGIN}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"dpddelay", KW_DPDDELAY}, + {"ikelifetime", KW_IKELIFETIME}, + {"auth", KW_AUTH}, + {"xauth", KW_XAUTH}, {"postpluto", KW_POSTPLUTO}, - {"pkcs11module", KW_PKCS11MODULE}, - {"ocspuri2", KW_OCSPURI2}, - {"hidetos", KW_HIDETOS}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"mark", KW_MARK}, - {"charondebug", KW_CHARONDEBUG}, + {"plutodebug", KW_PLUTODEBUG}, + {"modeconfig", KW_MODECONFIG}, + {"nocrsend", KW_NOCRSEND}, {"leftauth2", KW_LEFTAUTH2}, - {"overridemtu", KW_OVERRIDEMTU}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"keylife", KW_KEYLIFE}, - {"auto", KW_AUTO}, - {"ikelifetime", KW_IKELIFETIME}, + {"leftid2", KW_LEFTID2}, + {"leftikeport", KW_LEFTIKEPORT}, + {"rightca2", KW_RIGHTCA2}, + {"rekey", KW_REKEY}, + {"rightcert2", KW_RIGHTCERT2}, + {"mark", KW_MARK}, + {"crluri2", KW_CRLURI2}, {"reauth", KW_REAUTH}, - {"leftauth", KW_LEFTAUTH}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"prepluto", KW_PREPLUTO}, - {"pfsgroup", KW_PFSGROUP}, - {"auth", KW_AUTH}, - {"modeconfig", KW_MODECONFIG} + {"ocspuri2", KW_OCSPURI2}, + {"pkcs11module", KW_PKCS11MODULE}, + {"pkcs11initargs", KW_PKCS11INITARGS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"pkcs11proxy", KW_PKCS11PROXY} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, 0, 1, -1, 2, -1, -1, 3, -1, + -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, + 11, -1, 12, 13, 14, 15, 16, 17, -1, 18, + 19, 20, 21, 22, -1, -1, 23, 24, -1, 25, + 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, + 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, + 46, 47, 48, 49, 50, 51, -1, 52, 53, 54, + 55, -1, 56, 57, -1, 58, 59, 60, -1, 61, + 62, 63, 64, -1, -1, 65, -1, 66, -1, 67, + 68, 69, 70, 71, -1, -1, 72, -1, -1, 73, + 74, 75, 76, 77, 78, 79, 80, -1, 
81, 82, + 83, 84, 85, 86, 87, -1, 88, -1, 89, 90, + -1, 91, 92, 93, 94, -1, 95, 96, 97, 98, + -1, -1, -1, -1, 99, 100, 101, -1, 102, 103, + 104, 105, 106, 107, 108, 109, -1, 110, -1, -1, + 111, -1, -1, -1, -1, -1, -1, 112, -1, 113, + 114, 115, 116, 117, 118, -1, -1, -1, -1, 119, + -1, -1, 120, -1, -1, -1, -1, -1, -1, 121, + -1, -1, -1, -1, 122, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, 123, -1, 124, 125, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 0, -1, -1, 1, -1, -1, -1, -1, 2, 3, - -1, -1, 4, 5, -1, 6, 7, -1, -1, 8, - 9, 10, 11, 12, 13, 14, -1, 15, 16, -1, - 17, 18, 19, 20, -1, 21, 22, 23, -1, -1, - 24, 25, 26, 27, 28, 29, -1, 30, 31, 32, - 33, 34, 35, -1, 36, -1, -1, 37, 38, 39, - 40, 41, 42, 43, -1, 44, 45, 46, 47, -1, - 48, -1, 49, 50, 51, 52, 53, 54, 55, -1, - 56, 57, 58, 59, 60, 61, 62, 63, -1, 64, - 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, - 75, -1, 76, 77, 78, 79, -1, -1, 80, 81, - 82, -1, 83, 84, -1, 85, 86, 87, 88, 89, - 90, -1, 91, -1, 92, -1, 93, 94, 95, -1, - -1, 96, 97, -1, 98, 99, -1, -1, -1, -1, - -1, -1, 100, -1, 101, -1, 102, -1, -1, -1, - 103, 104, -1, -1, 105, -1, -1, 106, 107, 108, - 109, 110, 111, -1, 112, 113, -1, 114, 115, 116, - -1, 117, -1, 118, 119, 120, 121, -1, -1, -1, - 122, -1, -1, -1, -1, -1, -1, -1, 123, -1, - -1, -1, 124, -1, -1, -1, -1, -1, -1, -1, - 125 + -1, -1, -1, -1, -1, -1, -1, -1, 126 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 25d2ce4b9..1dae65a99 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -71,6 +71,7 @@ typedef enum { KW_AUTHBY, KW_EAP, KW_EAP_IDENTITY, + KW_AAA_IDENTITY, KW_MOBIKE, KW_FORCEENCAPS, KW_IKELIFETIME, @@ -122,8 +123,8 @@ typedef enum { /* end keywords */ KW_HOST, - KW_NEXTHOP, KW_IKEPORT, + KW_NEXTHOP, KW_SUBNET, KW_SUBNETWITHIN, KW_PROTOPORT, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index fcdc60cff..06705635a 100644 --- a/src/starter/keywords.txt 
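Review bot: Moving `KW_IKEPORT` ahead of `KW_NEXTHOP` in the block after `/* end keywords */` changes both ordinals, and nothing in the hunk records why the order matters. If, as the `KW_HOST, KW_IKEPORT, KW_NEXTHOP, KW_SUBNET, …` naming suggests, this block is a side-neutral mirror of the `KW_LEFT*`/`KW_RIGHT*` keyword runs (which a reader would expect to be translated by offset), then the matching `KW_LEFTIKEPORT`/`KW_LEFTNEXTHOP` (and right) order lives above this hunk and has to stay in lock-step with it. I would pin that invariant where the next editor will see it: `/* order must match the KW_LEFT*/KW_RIGHT* runs above: tokens are translated by offset */`. The first hunk's `KW_AAA_IDENTITY` insertion shifts every later ordinal as well, which is harmless only if no table outside the generated keywords.c is indexed by these values.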
+++ b/src/starter/keywords.txt @@ -49,6 +49,7 @@ force_keepalive, KW_FORCE_KEEPALIVE virtual_private, KW_VIRTUAL_PRIVATE eap, KW_EAP eap_identity, KW_EAP_IDENTITY +aaa_identity, KW_AAA_IDENTITY mobike, KW_MOBIKE forceencaps, KW_FORCEENCAPS pkcs11module, KW_PKCS11MODULE diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 9c69ab9e5..9ba569d47 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -40,15 +40,6 @@ #define IPV6_LEN 16 /** - * Mode of an IPsec SA, must be the same as in charons kernel_ipsec.h - */ -enum ipsec_mode_t { - MODE_TRANSPORT = 1, - MODE_TUNNEL, - MODE_BEET -}; - -/** * Authentication methods, must be the same as in charons authenticator.h */ enum auth_method_t { @@ -204,7 +195,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) memset(&msg, 0, sizeof(msg)); msg.type = STR_ADD_CONN; msg.length = offsetof(stroke_msg_t, buffer); - msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2; + msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1; msg.add_conn.name = push_string(&msg, connection_name(conn)); /* PUBKEY is preferred to PSK and EAP */ @@ -223,6 +214,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.eap_type = conn->eap_type; msg.add_conn.eap_vendor = conn->eap_vendor; msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity); + msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity); if (conn->policy & POLICY_TUNNEL) { diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 58034d96b..b7d916eae 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c 
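Review bot: The new predicate `msg.add_conn.ikev2 = conn->keyexchange != KEY_EXCHANGE_IKEV1;` silently widens which connections are handed to charon: any keyexchange value other than explicit IKEv1, including whatever an unset `keyexchange=` defaults to, now yields ikev2 = TRUE, where before only an explicit IKEv2 did. Since this is the daemon-selection decision for a connection, it deserves a line of intent next to it: `/* everything not explicitly keyexchange=ikev1 (including the default) goes to charon */`. The mirror change in starterwhack.c (`msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1;`, the hunk at the end of this chunk) keeps the two predicates complementary so no connection is claimed by both daemons or by neither; the same comment belongs there. starter_stroke_add_conn begins before this hunk and continues past it.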
@@ -277,7 +277,7 @@ int starter_whack_add_conn(starter_conn_t *conn) msg.whack_connection = TRUE; msg.name = connection_name(conn, name, sizeof(name)); - msg.ikev1 = conn->keyexchange != KEY_EXCHANGE_IKEV2; + msg.ikev1 = conn->keyexchange == KEY_EXCHANGE_IKEV1; msg.addr_family = conn->addr_family; msg.tunnel_addr_family = conn->tunnel_addr_family; msg.sa_ike_life_seconds = conn->sa_ike_life_seconds; |