authorYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
commit25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
treea0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/swanctl
parentbf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
New upstream version 5.5.1
Diffstat (limited to 'src/swanctl')
-rw-r--r--src/swanctl/Makefile.am2
-rw-r--r--src/swanctl/Makefile.in12
-rw-r--r--src/swanctl/command.h2
-rw-r--r--src/swanctl/commands/flush_certs.c90
-rw-r--r--src/swanctl/commands/load_conns.c2
-rw-r--r--src/swanctl/commands/load_creds.c15
-rw-r--r--src/swanctl/swanctl.8.in7
-rw-r--r--src/swanctl/swanctl.conf17
-rw-r--r--src/swanctl/swanctl.conf.5.main63
-rw-r--r--src/swanctl/swanctl.h6
-rw-r--r--src/swanctl/swanctl.opt41
11 files changed, 217 insertions, 40 deletions
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 37a0224c3..9ca759ea3 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -13,6 +13,7 @@ swanctl_SOURCES = \
commands/list_certs.c \
commands/list_pools.c \
commands/list_algs.c \
+ commands/flush_certs.c \
commands/load_all.c \
commands/load_authorities.h commands/load_authorities.c \
commands/load_conns.c commands/load_conns.h \
@@ -69,6 +70,7 @@ install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+ test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
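Review bot: The new `private` directory (the folder swanctl.h introduces for private keys) only receives mode 750 when nothing exists at that path yet: `test -e` short-circuits for any pre-existing entry regardless of its type or mode, and the trailing `|| true` turns a failed `$(INSTALL) -d` into success, so an install over an existing world-readable `private` directory completes silently with that directory left readable. The line mirrors the rsa/ecdsa/bliss lines below it, but for the one directory that is meant to hold keys of every type a stricter form is worth the deviation: `test -d "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private"`, dropping `|| true` so a permissions problem fails the install instead of being hidden (if the `|| true` exists to tolerate non-root installs, a comment saying so would help the next reader). The same line is duplicated in the generated Makefile.in at the identical position and should be regenerated rather than edited by hand. The install-data-local recipe continues outside this hunk.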
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index ebe1aba0d..ff9dca09d 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -119,7 +119,7 @@ am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \
commands/list_authorities.$(OBJEXT) \
commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \
commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \
- commands/load_all.$(OBJEXT) \
+ commands/flush_certs.$(OBJEXT) commands/load_all.$(OBJEXT) \
commands/load_authorities.$(OBJEXT) \
commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \
commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \
@@ -370,7 +370,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -404,8 +403,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -459,6 +456,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
@@ -475,6 +474,7 @@ swanctl_SOURCES = \
commands/list_certs.c \
commands/list_pools.c \
commands/list_algs.c \
+ commands/flush_certs.c \
commands/load_all.c \
commands/load_authorities.h commands/load_authorities.c \
commands/load_conns.c commands/load_conns.h \
@@ -621,6 +621,8 @@ commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
+commands/flush_certs.$(OBJEXT): commands/$(am__dirstamp) \
+ commands/$(DEPDIR)/$(am__dirstamp)
commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \
@@ -653,6 +655,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/command.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/flush_certs.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_algs.Po@am__quote@
@@ -1037,6 +1040,7 @@ install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+ test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index 8d0a2e6b9..7b92ae91a 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,7 +27,7 @@
/**
* Maximum number of commands (+1).
*/
-#define MAX_COMMANDS 23
+#define MAX_COMMANDS 24
/**
* Maximum number of options in a command (+3)
diff --git a/src/swanctl/commands/flush_certs.c b/src/swanctl/commands/flush_certs.c
new file mode 100644
index 000000000..527419f88
--- /dev/null
+++ b/src/swanctl/commands/flush_certs.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "command.h"
+
+static int flush_certs(vici_conn_t *conn)
+{
+ vici_req_t *req;
+ vici_res_t *res;
+ command_format_options_t format = COMMAND_FORMAT_NONE;
+ char *arg, *type = NULL;
+ int ret;
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 't':
+ type = arg;
+ continue;
+ case 'P':
+ format |= COMMAND_FORMAT_PRETTY;
+ /* fall through to raw */
+ case 'r':
+ format |= COMMAND_FORMAT_RAW;
+ continue;
+ case EOF:
+ break;
+ default:
+ return command_usage("invalid --flush-certs option");
+ }
+ break;
+ }
+ req = vici_begin("flush-certs");
+
+ if (type)
+ {
+ vici_add_key_valuef(req, "type", "%s", type);
+ }
+ res = vici_submit(req, conn);
+
+ if (!res)
+ {
+ ret = errno;
+ fprintf(stderr, "flush-certs request failed: %s\n", strerror(errno));
+ return ret;
+ }
+ if (format & COMMAND_FORMAT_RAW)
+ {
+ vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY,
+ stdout);
+ }
+ vici_free_res(res);
+
+ return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ flush_certs, 'f', "flush-certs", "flush cached certificates",
+ {"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+ "[--raw|--pretty]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"type", 't', 1, "filter by certificate type"},
+ {"raw", 'r', 0, "dump raw response message"},
+ {"pretty", 'P', 0, "dump raw response message in pretty print"},
+ }
+ });
+}
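Review bot: flush_certs() returns 0 whenever vici_submit() yields a reply, without looking at the reply's contents, so a daemon-side refusal (or an unknown `--type` value, which is forwarded unvalidated) is invisible to the caller's exit status and only shows up with `--raw`/`--pretty`. If the flush-certs reply carries the `success`/`errmsg` pair that other vici commands return (inferred; not visible here), the result should be checked the way the load commands do, and `ret` should be assigned on both paths rather than only in the errno branch. The sketch below keeps the option parsing and the errno handling as they are and only replaces the tail of the function; the "flushed certificate cache" text is a constructed sample message.
```c
	res = vici_submit(req, conn);
	/* … unchanged: errno handling when vici_submit() returns NULL … */
	if (format & COMMAND_FORMAT_RAW)
	{
		vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY,
				  stdout);
	}
	/* report the daemon's verdict instead of returning 0 unconditionally;
	 * assumes the reply carries success/errmsg like other vici commands */
	if (streq(vici_find_str(res, "no", "success"), "yes"))
	{
		ret = 0;
	}
	else
	{
		fprintf(stderr, "flush-certs failed: %s\n",
				vici_find_str(res, "", "errmsg"));
		ret = 1;
	}
	vici_free_res(res);

	return ret;
```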
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 87526bc79..2e443a94a 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -221,7 +221,7 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg,
vici_req_t *req;
vici_res_t *res;
bool ret = TRUE;
- char buf[128];
+ char buf[BUF_LEN];
snprintf(buf, sizeof(buf), "%s.%s", "connections", section);
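Review bot: Widening `buf` from 128 to BUF_LEN only moves the point at which the `snprintf` on the next line truncates `connections.<section>`; an over-long section name would still be loaded silently under a truncated key instead of being reported. Since the size is now a shared constant whose value is not visible here, the truncation case is worth making explicit, e.g. `if (snprintf(buf, sizeof(buf), "%s.%s", "connections", section) >= sizeof(buf)) { /* name too long: report and bail */ }` using whatever failure path the rest of load_conn takes (its body continues outside the hunk).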
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 4647934f7..6278f66b4 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
req = vici_begin("load-key");
- if (streq(type, "pkcs8"))
+ if (streq(type, "private") ||
+ streq(type, "pkcs8"))
{ /* as used by vici */
vici_add_key_valuef(req, "type", "any");
}
@@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
credential_type_t credtype;
int subtype;
} map[] = {
+ { "private", CRED_PRIVATE_KEY, KEY_ANY, },
{ "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
{ "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
{ "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
@@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
"eap",
"xauth",
"ike",
+ "private",
"rsa",
"ecdsa",
"bliss",
@@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
- load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
- load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
- load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
- load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+ load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
+ load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+ load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+ load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
+ load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index a3074601e..9c5a5a03d 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
@@ -38,11 +38,9 @@ output.
initiate a connection
.TP
.B "\-t, \-\-terminate"
-\-\-terminate\fR
terminate a connection
.TP
.B "\-d, \-\-redirect"
-\-\-redirect\fR
redirect an IKE_SA
.TP
.B "\-p, \-\-install"
@@ -93,7 +91,10 @@ trace logging output
.B "\-S, \-\-stats"
show daemon infos and statistics
.TP
-.B "\-r, \-\-reload-settings"
+.B "\-f, \-\-flush\-certs"
+flush cached certificates
+.TP
+.B "\-r, \-\-reload\-settings"
reload strongswan.conf(5) configuration
.TP
.B "\-v, \-\-version"
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 6bc81becf..eb46005e1 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -44,7 +44,7 @@
# dpd_timeout = 0s
# Use IKE UDP datagram fragmentation. (yes, no or force).
- # fragmentation = no
+ # fragmentation = yes
# Send certificate requests payloads (yes or no).
# send_certreq = yes
@@ -201,6 +201,9 @@
# Whether to install IPsec policies or not.
# policies = yes
+ # Whether to install outbound FWD IPsec policies or not.
+ # policies_fwd_out = no
+
# Action to perform on DPD timeout (clear, trap or restart).
# dpd_action = clear
@@ -278,6 +281,18 @@
# }
+ # Private key decryption passphrase for a key in the private folder.
+ # private<suffix> {
+
+ # File name in the private folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for private key.
+ # secret =
+
+ # }
+
# Private key decryption passphrase for a key in the rsa folder.
# rsa<suffix> {
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 013e35fb7..697bd406a 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -151,22 +151,23 @@ compatibility reasons, with IKEv1 a custom interval may be specified; this
option has no effect on connections using IKE2.
.TP
-.BR connections.<conn>.fragmentation " [no]"
+.BR connections.<conn>.fragmentation " [yes]"
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation). Acceptable values are
-.RI "" "yes" ","
+.RI "" "yes" ""
+(the default),
.RI "" "force" ""
and
-.RI "" "no" ""
-(the default).
-Fragmented IKE messages sent by a peer are always accepted irrespective of the
-value of this option. If set to
+.RI "" "no" "."
+Fragmented IKE messages sent by a peer are always accepted irrespective of
+the value of this option. If set to
.RI "" "yes" ","
-and the peer supports it, oversized IKE
-messages will be sent in fragments. If set to
+and the peer supports it,
+oversized IKE messages will be sent in fragments. If set to
.RI "" "force" ""
-(only supported for
-IKEv1) the initial IKE message will already be fragmented if required.
+(only
+supported for IKEv1) the initial IKE message will already be fragmented if
+required.
.TP
.BR connections.<conn>.send_certreq " [yes]"
@@ -594,7 +595,9 @@ the CHILD_SA configuration, which must be unique within the connection.
AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For
AH, this includes an integrity algorithm and an optional Diffie\-Hellman group.
If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation
-uses a separate Diffie\-Hellman exchange using the specified group.
+uses a separate Diffie\-Hellman exchange using the specified group (refer to
+.RI "" "esp_proposals" ""
+for details).
In IKEv2, multiple algorithms of the same kind can be specified in a single
proposal, from which one gets selected. In IKEv1, only one algorithm per kind is
@@ -617,14 +620,19 @@ algorithm, an optional Diffie\-Hellman group and an optional Extended Sequence
Number Mode indicator. For AEAD proposals, a combined mode algorithm is used
instead of the separate encryption/integrity algorithms.
-If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non
-IKE_AUTH piggybacked) negotiation uses a separate Diffie\-Hellman exchange using
-the specified group. Extended Sequence Number support may be indicated with the
+If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation
+use a separate Diffie\-Hellman exchange using the specified group. However, for
+IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always
+be derived from the IKE_SA's key material. So any DH group specified here will
+only apply when the CHILD_SA is later rekeyed or is created with a separate
+CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately
+be noticed when the SA is established, but may later cause rekeying to fail.
+
+Extended Sequence Number support may be indicated with the
.RI "" "esn" ""
and
.RI "" "noesn" ""
-values, both may be included to indicate support for both
-modes. If omitted,
+values, both may be included to indicate support for both modes. If omitted,
.RI "" "noesn" ""
is assumed.
@@ -821,6 +829,12 @@ Whether to install IPsec policies or not. Disabling this can be useful in some
scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
.TP
+.BR connections.<conn>.children.<child>.policies_fwd_out " [no]"
+Whether to install outbound FWD IPsec policies or not. Enabling this is required
+in case there is a drop policy that would match and block forwarded traffic for
+this CHILD_SA.
+
+.TP
.BR connections.<conn>.children.<child>.dpd_action " [clear]"
Action to perform for this CHILD_SA on DPD timeout. The default
.RI "" "clear" ""
@@ -1022,6 +1036,23 @@ prefix, if a secret is shared between multiple
peers.
.TP
+.B secrets.private<suffix>
+.br
+Private key decryption passphrase for a key in the
+.RI "" "private" ""
+folder.
+
+.TP
+.BR secrets.private<suffix>.file " []"
+File name in the
+.RI "" "private" ""
+folder for which this passphrase should be used.
+
+.TP
+.BR secrets.private<suffix>.secret " []"
+Value of decryption passphrase for private key.
+
+.TP
.B secrets.rsa<suffix>
.br
Private key decryption passphrase for a key in the
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index 560e89513..eac1fc6d0 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -65,6 +66,11 @@
#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
/**
+ * Directory for private keys
+ */
+#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+
+/**
* Directory for RSA private keys
*/
#define SWANCTL_RSADIR SWANCTLDIR "/rsa"
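Review bot: The comment on the new `SWANCTL_PRIVATEDIR` define, `Directory for private keys`, reads like a heading for the per-algorithm folders that follow (rsa, ecdsa, bliss are each also private-key directories) rather than a description of what makes this folder different. load_creds.c in this same commit submits files from it with vici type "any", the same path already used for pkcs8, so the comment should state that distinction: `Directory for private keys of any type (submitted to the daemon as type "any", like pkcs8)`.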
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index fe5b293fb..a7d6d9fc3 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -139,12 +139,12 @@ connections.<conn>.dpd_timeout = 0s
checking. For compatibility reasons, with IKEv1 a custom interval may be
specified; this option has no effect on connections using IKE2.
-connections.<conn>.fragmentation = no
+connections.<conn>.fragmentation = yes
Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_).
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
- fragmentation). Acceptable values are _yes_, _force_ and _no_ (the
- default). Fragmented IKE messages sent by a peer are always accepted
+ fragmentation). Acceptable values are _yes_ (the default), _force_ and
+ _no_. Fragmented IKE messages sent by a peer are always accepted
irrespective of the value of this option. If set to _yes_, and the peer
supports it, oversized IKE messages will be sent in fragments. If set to
_force_ (only supported for IKEv1) the initial IKE message will already
@@ -472,7 +472,7 @@ connections.<conn>.children.<child>.ah_proposals =
For AH, this includes an integrity algorithm and an optional Diffie-Hellman
group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
negotiation uses a separate Diffie-Hellman exchange using the specified
- group.
+ group (refer to _esp_proposals_ for details).
In IKEv2, multiple algorithms of the same kind can be specified in a single
proposal, from which one gets selected. In IKEv1, only one algorithm per
@@ -495,11 +495,18 @@ connections.<conn>.children.<child>.esp_proposals = default
mode algorithm is used instead of the separate encryption/integrity
algorithms.
- If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial (non
- IKE_AUTH piggybacked) negotiation uses a separate Diffie-Hellman exchange
- using the specified group. Extended Sequence Number support may be indicated
- with the _esn_ and _noesn_ values, both may be included to indicate support
- for both modes. If omitted, _noesn_ is assumed.
+ If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial
+ negotiation use a separate Diffie-Hellman exchange using the specified
+ group. However, for IKEv2, the keys of the CHILD_SA created implicitly with
+ the IKE_SA will always be derived from the IKE_SA's key material. So any DH
+ group specified here will only apply when the CHILD_SA is later rekeyed or
+ is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch
+ might, therefore, not immediately be noticed when the SA is established, but
+ may later cause rekeying to fail.
+
+ Extended Sequence Number support may be indicated with the _esn_ and _noesn_
+ values, both may be included to indicate support for both modes. If omitted,
+ _noesn_ is assumed.
In IKEv2, multiple algorithms of the same kind can be specified in a single
proposal, from which one gets selected. In IKEv1, only one algorithm per
@@ -652,6 +659,13 @@ connections.<conn>.children.<child>.policies = yes
Whether to install IPsec policies or not. Disabling this can be useful in
some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
+connections.<conn>.children.<child>.policies_fwd_out = no
+ Whether to install outbound FWD IPsec policies or not.
+
+ Whether to install outbound FWD IPsec policies or not. Enabling this is
+ required in case there is a drop policy that would match and block forwarded
+ traffic for this CHILD_SA.
+
connections.<conn>.children.<child>.dpd_action = clear
Action to perform on DPD timeout (_clear_, _trap_ or _restart_).
@@ -821,6 +835,15 @@ secrets.ike<suffix>.id<suffix> =
may be specified, each having an _id_ prefix, if a secret is shared between
multiple peers.
+secrets.private<suffix> { # }
+ Private key decryption passphrase for a key in the _private_ folder.
+
+secrets.private<suffix>.file =
+ File name in the _private_ folder for which this passphrase should be used.
+
+secrets.private<suffix>.secret
+ Value of decryption passphrase for private key.
+
secrets.rsa<suffix> { # }
Private key decryption passphrase for a key in the _rsa_ folder.