From b8064f4099997a9e2179f3ad4ace605f5ccac3a1 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Mon, 9 Aug 2010 08:09:54 +0000 Subject: [svn-upgrade] new version strongswan (4.4.1) --- src/starter/Makefile.am | 12 +- src/starter/Makefile.in | 14 +- src/starter/args.c | 5 + src/starter/cmp.c | 4 + src/starter/confread.c | 55 ++ src/starter/confread.h | 11 + src/starter/ipsec.conf.5 | 311 ++++++---- src/starter/ipsec.conf.5.in | 1330 +++++++++++++++++++++++++++++++++++++++++++ src/starter/keywords.c | 256 +++++---- src/starter/keywords.h | 7 +- src/starter/keywords.txt | 5 + src/starter/starter.c | 16 + src/starter/starterstroke.c | 5 + src/starter/starterwhack.c | 7 + 14 files changed, 1781 insertions(+), 257 deletions(-) create mode 100644 src/starter/ipsec.conf.5.in (limited to 'src/starter') diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index a235013f2..9813a0c06 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -23,8 +23,9 @@ AM_CFLAGS = \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -38,6 +39,15 @@ if USE_CHARON AM_CFLAGS += -DSTART_CHARON endif +if USE_LOAD_WARNING + AM_CFLAGS += -DLOAD_WARNING +endif + +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 11449f465..d06c8974d 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -37,6 +37,7 @@ host_triplet = @host@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON +@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -285,10 +286,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ - $(am__append_2) + $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient @@ -618,6 +620,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -719,6 +722,11 @@ uninstall-man: uninstall-man5 uninstall-man8 uninstall-man8 +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/args.c b/src/starter/args.c index 512f2f46f..ab6b60509 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -230,9 +230,14 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL }, { ARG_MISC, 0, NULL /* KW_MODECONFIG */ }, { ARG_MISC, 0, NULL /* KW_XAUTH */ }, + { ARG_STR, offsetof(starter_conn_t, xauth_identity), NULL }, { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool }, { ARG_STR, offsetof(starter_conn_t, me_mediated_by), NULL }, { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL }, + { ARG_UINT, offsetof(starter_conn_t, reqid), NULL }, + { ARG_MISC, 0, NULL /* KW_MARK */ }, + { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, + { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, diff --git a/src/starter/cmp.c b/src/starter/cmp.c index 33a057b44..0727cf5f0 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -66,6 +66,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) VARCMP(policy); VARCMP(addr_family); VARCMP(tunnel_addr_family); + VARCMP(mark_in.value); + VARCMP(mark_in.mask); + VARCMP(mark_out.value); + VARCMP(mark_in.mask); if (!starter_cmp_end(&c1->left, &c2->left)) return FALSE; diff --git a/src/starter/confread.c b/src/starter/confread.c index e9b9028d5..399e17844 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end, } } +static bool handle_mark(char *value, mark_t *mark) +{ + char *pos, *endptr; + + pos = strchr(value, '/'); + if (pos) + { + *pos = '\0'; + mark->mask = strtoul(pos+1, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark mask: %s", pos+1); + return FALSE; + } + } + else + { + mark->mask = 0xffffffff; + } + if (value == '\0') + { + mark->value = 0; + } + else + { + mark->value = strtoul(value, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark value: %s", value); + return FALSE; + } + } + return TRUE; +} + /* * parse a conn section */ @@ -671,6 +706,26 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } break; } + case KW_MARK: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + break; + } + conn->mark_out = conn->mark_in; + break; + case KW_MARK_IN: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + } + break; + case KW_MARK_OUT: + if (!handle_mark(kw->value, &conn->mark_out)) + { + cfg->err++; + } + break; case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 199fab642..5e4356ea3 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -95,6 +95,13 @@ struct also { also_t *next; }; +typedef struct mark_t mark_t; + +struct mark_t{ + u_int32_t value; + u_int32_t mask; +}; + typedef struct starter_conn starter_conn_t; struct starter_conn { @@ -110,6 +117,7 @@ struct starter_conn { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *xauth_identity; lset_t policy; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; @@ -120,6 +128,9 @@ struct starter_conn { u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; + u_int32_t reqid; + mark_t mark_in; + mark_t mark_out; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 4cb1cb0fc..b1ae15825 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "27 Jun 2007" +.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -7,9 +7,9 @@ The optional file specifies most configuration and control information for the strongSwan IPsec subsystem. -(The major exception is secrets for authentication; +The major exception is secrets for authentication; see -.IR ipsec.secrets (5).) +.IR ipsec.secrets (5). Its contents are not security-sensitive. .PP The file is a text file, consisting of one or more @@ -61,8 +61,8 @@ indicates what type of section follows, and .I name is an arbitrary name which distinguishes the section from others of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) +Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens. All subsequent non-empty lines which begin with white space are part of the section; comments within a section must begin with white space too. @@ -169,12 +169,12 @@ conn snt A note on terminology: There are two kinds of communications going on: transmission of user IP packets, and gateway-to-gateway negotiations for keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 and -'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA'. -strongSwan currently uses two separate keying daemons. Pluto handles -all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol. -Charon does not support all keywords yet. +The path to control the connection is called 'ISAKMP SA' in IKEv1 +and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel +level data path, is called 'IPsec SA' or 'Child SA'. +strongSwan currently uses two separate keying daemons. \fIpluto\fP handles +all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 +protocol. .PP To avoid trivial editing of the configuration file to suit it to each system involved in a connection, @@ -189,7 +189,17 @@ Which participant is considered or .I right is arbitrary; -IPsec figures out which one it is being run on based on internal information. +for every connection description an attempt is made to figure out whether +the local endpoint should act as the +.I left +or +.I right +endpoint. This is done by matching the IP addresses defined for both endpoints +with the IP addresses assigned to local network interfaces. If a match is found +then the role (left or right) that matches is going to be considered local. +If no match is found during startup, +.I left +is considered local. This permits using identical connection specifications on both ends. There are cases where there is no symmetry; a good convention is to use @@ -230,7 +240,8 @@ acceptable values are .B esp (the default) and .BR ah . -The IKEv2 daemon currently supports only ESP. +.br +The IKEv2 daemon currently supports ESP only. .TP .B authby how the two security gateways should authenticate each other; @@ -255,6 +266,11 @@ and .B xauthrsasig that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.BR eap , +which indicates an initiator to request EAP authentication. The EAP method +to use is selected by the server (see +.BR eap ). This parameter is deprecated for IKEv2 connections, as two peers do not need to agree on an authentication method. Use the .B leftauth @@ -263,13 +279,12 @@ parameter instead to define authentication methods in IKEv2. .B auto what operation, if any, should be done automatically at IPsec startup; currently-accepted values are -.B add -, -.B route -, +.BR add , +.BR route , .B start and -.BR ignore . +.B ignore +(the default). .B add loads a connection without starting it. .B route @@ -305,7 +320,6 @@ A value of .B no prevents IPsec from proposing compression; a proposal to compress will still be accepted. -IKEv2 does not support IP compression yet. .TP .B dpdaction controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where @@ -317,13 +331,12 @@ liveliness of the IPsec peer. The values and .B restart all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted ( -.B clear -), put in the hold state ( -.B hold -) or restarted ( -.B restart -). +are stopped and unrouted +.RB ( clear ), +put in the hold state +.RB ( hold ) +or restarted +.RB ( restart ). For IKEv1, the default is .B none which disables the active sending of R_U_THERE notifications. @@ -332,9 +345,8 @@ in order to signal the readiness to act passively as a responder if the peer wants to use DPD. For IKEv2, .B none does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default ( -.B clear -). +it has the same meaning as the default +.RB ( clear ). .TP .B dpddelay defines the period time interval with which R_U_THERE messages/INFORMATIONAL @@ -354,47 +366,70 @@ not send or receive any traffic. Currently supported in IKEv2 connections only. .TP .B eap defines the EAP type to propose as server if the client requests EAP -authentication. This parameter is deprecated in the favour of +authentication. Currently supported values are +.B aka +for EAP-AKA, +.B gtc +for EAP-GTC, +.B md5 +for EAP-MD5, +.B mschapv2 +for EAP-MS-CHAPv2, +.B radius +for the EAP-RADIUS proxy and +.B sim +for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a +definition in the form +.B eap=type-vendor +(e.g. eap=7-12345) can be used to specify vendor specific EAP types. +This parameter is deprecated in the favour of .B leftauth. To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, set -.B eap=radius +.BR eap=radius . .TP .B eap_identity defines the identity the client uses to reply to a EAP Identity request. If defined on the EAP server, the defined identity will be used as peer identity during EAP authentication. The special value .B %identity -uses the EAP Identity method to ask the client for a EAP identity. If not +uses the EAP Identity method to ask the client for an EAP identity. If not defined, the IKEv2 identity will be used as EAP identity. .TP .B esp -ESP encryption/authentication algorithm to be used +comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g. -.B 3des-md5 -(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup -and rekeying include a separate diffe hellman exchange (IKEv2 only). +.BR 3des-md5 . +The notation is +.BR encryption-integrity-[dh-group] . +.br +If +.B dh-group +is specified, CHILD_SA setup and rekeying include a separate diffe hellman +exchange (IKEv2 only). .TP .B forceencaps Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to hurdle restrictive firewalls. To enforce the peer to +This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked (IKEv2 only). .TP .B ike -IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. -.B aes128-sha1-modp2048 -(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals -may be included, such as +comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms +to be used, e.g. +.BR aes128-sha1-modp2048 . +The notation is +.BR encryption-integrity-dhgroup . +In IKEv2, multiple algorithms and proposals may be included, such as .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. .TP .B ikelifetime -how long the keying channel of a connection ('ISAKMP/IKE SA') +how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. .TP .B installpolicy decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful co-existence e.g. with +charon daemon for a given connection. Allows peaceful cooperation e.g. with the Mobile IPv6 daemon mip6d who wants to control the kernel policies. Acceptable values are .B yes @@ -412,8 +447,8 @@ daemon, unaffected from the .B keyexchange setting. The default value .B ike -currently behaves exactly as -.B ikev1. +currently is a synonym for +.BR ikev1 . .TP .B keyingtries how many attempts (a whole number or \fB%forever\fP) should be made to @@ -430,35 +465,51 @@ synonym for .TP .B left (required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ttoaddr (3) +the IP address of the left participant's public-network interface or one of several magic values. If it is .BR %defaultroute , .B left will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time). -(Either +of the default-route interface (as determined at IPsec startup time and +during configuration update). +Either .B left or .B right may be .BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. The prefix +but not both. +The prefix .B % in front of a fully-qualified domain name or an IP address will implicitly set .B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or update time -then +If the domain name cannot be resolved into an IP address at IPsec startup or +update time then .B left=%any and .B leftallowany=no will be assumed. + +In case of an IKEv2 connection, the value +.B %any +for the local endpoint signifies an address to be filled in (by automatic +keying) during negotiation. If the local peer initiates the connection setup +the routing table will be queried to determine the correct local IP address. +In case the local peer is responding to a connection setup then any IP address +that is assigned to a local interface will be accepted. +.br +Note that specifying +.B %any +for the local endpoint is not supported by the IKEv1 pluto daemon. + +If +.B %any +is used for the remote endpoint it literally means any IP address. + +Please note that with the usage of wildcards multiple connection descriptions +might match a given incoming connection attempt. The most specific description +is used in that case. .TP .B leftallowany a modifier for @@ -466,8 +517,8 @@ a modifier for , making it behave as .B %any although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or -update time. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec +startup or update time. Acceptable values are .B yes and @@ -475,7 +526,8 @@ and (the default). .TP .B leftauth -Authentication method to use (local) or require (remote) in this connection. +Authentication method to use locally (left) or require from the remote (right) +side. This parameter is supported in IKEv2 only. Acceptable values are .B pubkey for public key authentication (RSA/ECDSA), @@ -486,19 +538,20 @@ to (require the) use of the Extensible Authentication Protocol. In the case of .B eap, an optional EAP method can be appended. Currently defined methods are -.B eap-aka, eap-sim, eap-gtc, eap-md5 +.BR eap-aka , +.BR eap-gtc , +.BR eap-md5 , +.B eap-mschapv2 and -.B eap-mschapv2. +.BR eap-sim . Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form .B eap-type-vendor -(e.g. -.B eap-7-12345 -). +.RB "(e.g. " eap-7-12345 ). .TP .B leftauth2 Same as -.B leftauth, +.BR leftauth , but defines an additional authentication exchange. IKEv2 supports multiple authentication rounds using "Multiple Authentication Exchanges" defined in RFC4739. This allows, for example, separated authentication @@ -515,8 +568,8 @@ Same as but for the second authentication round (IKEv2 only). .TP .B leftcert -the path to the left participant's X.509 certificate. The file can be coded either in -PEM or DER format. OpenPGP certificates are supported as well. +the path to the left participant's X.509 certificate. The file can be encoded +either in PEM or DER format. OpenPGP certificates are supported as well. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP are accepted. By default .B leftcert @@ -571,9 +624,11 @@ a comma separated list of group names. If the .B leftgroups parameter is present then the peer must be a member of at least one of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been -issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet. +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has +been issued to the peer by a trusted Authorization Authority stored in +\fI/etc/ipsec.d/aacerts/\fP. +.br +Attribute certificates are not supported in IKEv2 yet. .TP .B lefthostaccess inserts a pair of INPUT and OUTPUT iptables rules using the default @@ -587,15 +642,10 @@ and (the default). .TP .B leftid -how -the left participant -should be identified for authentication; +how the left participant should be identified for authentication; defaults to .BR left . -Can be an IP address (in any -.IR ttoaddr (3) -syntax) -or a fully-qualified domain name preceded by +Can be an IP address or a fully-qualified domain name preceded by .B @ (which is used as a literal string and not resolved). .TP @@ -606,14 +656,18 @@ identity to use for a second authentication for the left participant .TP .B leftikeport UDP port the left participant uses for IKE communication. Currently supported in -IKEv2 connections only. If unspecified, port 500 is used with port floating to -4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port +IKEv2 connections only. If unspecified, port 500 is used with the port floating +to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port different from the default additionally requires a socket implementation that listens to this port. .TP .B leftnexthop -this parameter is not needed any more because the NETKEY IPsec stack does -not require explicit routing entries for the traffic to be tunneled. +this parameter is usually not needed any more because the NETKEY IPsec stack +does not require explicit routing entries for the traffic to be tunneled. If +.B leftsourceip +is used with IKEv1 then +.B leftnexthop +must still be set in order for the source routes to work properly. .TP .B leftprotoport restrict the traffic selector to a single protocol and/or port. @@ -656,35 +710,34 @@ or or .BR yes , and -.BR ifasked . +.BR ifasked , +the latter meaning that the peer must send a certificate request payload in +order to get a certificate in return. .TP .B leftsourceip The internal source IP to use in a tunnel, also known as virtual IP. If the -value is +value is one of the synonyms .BR %modeconfig , .BR %modecfg , .BR %config , or -.B %cfg, -an address is requested from the peer. In IKEv2, a defined address is requested, -but the server may change it. If the server does not support it, the address -is enforced. +.BR %cfg , +an address is requested from the peer. In IKEv2, a statically defined address +is also requested, since the server may change it. .TP .B rightsourceip The internal source IP to use in a tunnel for the remote peer. If the value is .B %config -on the responder side, the initiator must propose a address which is then echoed -back. The IKEv2 daemon also supports address pools expressed as +on the responder side, the initiator must propose an address which is then +echoed back. Also supported are address pools expressed as \fInetwork\fB/\fInetmask\fR -or the use of an external IP address pool using %\fIpoolname\fR -, where \fIpoolname\fR is the name of the IP address pool used for the lookup. +or the use of an external IP address pool using %\fIpoolname\fR, +where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP .B leftsubnet private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ttosubnet (3)); +\fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, signifying that the left end of the connection goes to the left participant only. When using IKEv2, the configured subnet of the peers may differ, the @@ -710,8 +763,8 @@ See .IR pluto (8) for details. Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only. Routing is not support and will be -implemented directly into Charon. +script to insert firewall rules only, since routing has been implemented +directly into charon. .TP .B lifebytes the number of bytes transmitted over an IPsec SA before it expires (IKEv2 @@ -768,6 +821,25 @@ begin; acceptable values as for .BR 9m ). Relevant only locally, other end need not agree on it. .TP +.B mark +sets an XFRM mark of the form [/] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form [/] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form [/] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP .B mobike enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are .B yes @@ -786,7 +858,9 @@ and .B pull (the default). Currently relevant for IKEv1 only since IKEv2 always uses the configuration -payload in pull mode. +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. .TP .B pfs whether Perfect Forward Secrecy of keys is desired on the connection's @@ -825,7 +899,7 @@ and .BR no . The two ends need not agree, but while a value of .B no -prevents Pluto/Charon from requesting renegotiation, +prevents pluto/charon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, so .B no @@ -863,6 +937,9 @@ Relevant only locally, other end need not agree on it. synonym for .BR margintime . .TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). +.TP .B type the type of the connection; currently the accepted values are @@ -879,12 +956,12 @@ signifying that no IPsec processing should be done at all; signifying that packets should be discarded; and .BR reject , signifying that packets should be discarded and a diagnostic ICMP returned. -Charon currently supports +The IKEv2 daemon charon currently supports .BR tunnel , .BR transport , and .BR tunnel_proxy -connection types, only . +connection types, only. .TP .B xauth specifies the role in the XAUTH protocol if activated by @@ -928,8 +1005,7 @@ of this connection will be used as peer ID. .SH "CA SECTIONS" This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). These parameters are not -supported in IKEv2 yet. +parameters to a Certification Authority (CA). .TP 10 .B auto currently can have either the value @@ -964,6 +1040,7 @@ synonym for .TP .B ocspuri2 defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP .B certuribase defines the base URI for the Hash and URL feature supported by IKEv2. Instead of exchanging complete certificates, IKEv2 allows to send an URI @@ -974,9 +1051,7 @@ At present, the only .B config section known to the IPsec software is the one named .BR setup , -which contains information used when the software is being started -(see -.IR starter (8)). +which contains information used when the software is being started. Here's an example: .PP .ne 8 @@ -1234,21 +1309,6 @@ must be used to denote no interfaces. .B overridemtu value that the MTU of the ipsec\fIn\fR interface(s) should be set to, overriding IPsec's (large) default. -.SH CHOOSING A CONNECTION -.PP -When choosing a connection to apply to an outbound packet caught with a -.BR %trap, -the system prefers the one with the most specific eroute that -includes the packet's source and destination IP addresses. -Source subnets are examined before destination subnets. -For initiating, only routed connections are considered. For responding, -unrouted but added connections are considered. -.PP -When choosing a connection to use to respond to a negotiation which -doesn't match an ordinary conn, an opportunistic connection -may be instantiated. Eventually, its instance will be /32 -> /32, but -for earlier stages of the negotiation, there will not be enough -information about the client subnets to complete the instantiation. .SH FILES .nf /etc/ipsec.conf @@ -1259,12 +1319,11 @@ information about the client subnets to complete the instantiation. /etc/ipsec.d/crls .SH SEE ALSO -ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3) +ipsec(8), pluto(8), starter(8) .SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -Extended for the strongSwan project - -by Andreas Steffen. IKEv2-specific features by Martin Willi. +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner, Andreas Steffen and Martin Willi. .SH BUGS .PP If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in new file mode 100644 index 000000000..3d2940a66 --- /dev/null +++ b/src/starter/ipsec.conf.5.in @@ -0,0 +1,1330 @@ +.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec.conf \- IPsec configuration and connections +.SH DESCRIPTION +The optional +.I ipsec.conf +file +specifies most configuration and control information for the +strongSwan IPsec subsystem. +The major exception is secrets for authentication; +see +.IR ipsec.secrets (5). +Its contents are not security-sensitive. +.PP +The file is a text file, consisting of one or more +.IR sections . +White space followed by +.B # +followed by anything to the end of the line +is a comment and is ignored, +as are empty lines which are not within a section. +.PP +A line which contains +.B include +and a file name, separated by white space, +is replaced by the contents of that file, +preceded and followed by empty lines. +If the file name is not a full pathname, +it is considered to be relative to the directory containing the +including file. +Such inclusions can be nested. +Only a single filename may be supplied, and it may not contain white space, +but it may include shell wildcards (see +.IR sh (1)); +for example: +.PP +.B include +.B "ipsec.*.conf" +.PP +The intention of the include facility is mostly to permit keeping +information on connections, or sets of connections, +separate from the main configuration file. +This permits such connection descriptions to be changed, +copied to the other security gateways involved, etc., +without having to constantly extract them from the configuration +file and then insert them back into it. +Note also the +.B also +parameter (described below) which permits splitting a single logical +section (e.g. a connection description) into several actual sections. +.PP +A section +begins with a line of the form: +.PP +.I type +.I name +.PP +where +.I type +indicates what type of section follows, and +.I name +is an arbitrary name which distinguishes the section from others +of the same type. +Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens. +All subsequent non-empty lines +which begin with white space are part of the section; +comments within a section must begin with white space too. +There may be only one section of a given type with a given name. +.PP +Lines within the section are generally of the form +.PP +\ \ \ \ \ \fIparameter\fB=\fIvalue\fR +.PP +(note the mandatory preceding white space). +There can be white space on either side of the +.BR = . +Parameter names follow the same syntax as section names, +and are specific to a section type. +Unless otherwise explicitly specified, +no parameter name may appear more than once in a section. +.PP +An empty +.I value +stands for the system default value (if any) of the parameter, +i.e. it is roughly equivalent to omitting the parameter line entirely. +A +.I value +may contain white space only if the entire +.I value +is enclosed in double quotes (\fB"\fR); +a +.I value +cannot itself contain a double quote, +nor may it be continued across more than one line. +.PP +Numeric values are specified to be either an ``integer'' +(a sequence of digits) or a ``decimal number'' +(sequence of digits optionally followed by `.' and another sequence of digits). +.PP +There is currently one parameter which is available in any type of +section: +.TP +.B also +the value is a section name; +the parameters of that section are appended to this section, +as if they had been written as part of it. +The specified section must exist, must follow the current one, +and must have the same section type. +(Nesting is permitted, +and there may be more than one +.B also +in a single section, +although it is forbidden to append the same section more than once.) +.PP +A section with name +.B %default +specifies defaults for sections of the same type. +For each parameter in it, +any section of that type which does not have a parameter of the same name +gets a copy of the one from the +.B %default +section. +There may be multiple +.B %default +sections of a given type, +but only one default may be supplied for any specific parameter name, +and all +.B %default +sections of a given type must precede all non-\c +.B %default +sections of that type. +.B %default +sections may not contain the +.B also +parameter. +.PP +Currently there are three types of sections: +a +.B config +section specifies general configuration information for IPsec, a +.B conn +section specifies an IPsec connection, while a +.B ca +section specifies special properties of a certification authority. +.SH "CONN SECTIONS" +A +.B conn +section contains a +.IR "connection specification" , +defining a network connection to be made using IPsec. +The name given is arbitrary, and is used to identify the connection. +Here's a simple example: +.PP +.ne 10 +.nf +.ft B +.ta 1c +conn snt + left=192.168.0.1 + leftsubnet=10.1.0.0/16 + right=192.168.0.2 + rightsubnet=10.1.0.0/16 + keyingtries=%forever + auto=add +.ft +.fi +.PP +A note on terminology: There are two kinds of communications going on: +transmission of user IP packets, and gateway-to-gateway negotiations for +keying, rekeying, and general control. +The path to control the connection is called 'ISAKMP SA' in IKEv1 +and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel +level data path, is called 'IPsec SA' or 'Child SA'. +strongSwan currently uses two separate keying daemons. \fIpluto\fP handles +all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 +protocol. +.PP +To avoid trivial editing of the configuration file to suit it to each system +involved in a connection, +connection specifications are written in terms of +.I left +and +.I right +participants, +rather than in terms of local and remote. +Which participant is considered +.I left +or +.I right +is arbitrary; +for every connection description an attempt is made to figure out whether +the local endpoint should act as the +.I left +or +.I right +endpoint. This is done by matching the IP addresses defined for both endpoints +with the IP addresses assigned to local network interfaces. If a match is found +then the role (left or right) that matches is going to be considered local. +If no match is found during startup, +.I left +is considered local. +This permits using identical connection specifications on both ends. +There are cases where there is no symmetry; a good convention is to +use +.I left +for the local side and +.I right +for the remote side (the first letters are a good mnemonic). +.PP +Many of the parameters relate to one participant or the other; +only the ones for +.I left +are listed here, but every parameter whose name begins with +.B left +has a +.B right +counterpart, +whose description is the same but with +.B left +and +.B right +reversed. +.PP +Parameters are optional unless marked '(required)'. +.SS "CONN PARAMETERS" +Unless otherwise noted, for a connection to work, +in general it is necessary for the two ends to agree exactly +on the values of these parameters. +.TP 14 +.B ah +AH authentication algorithm to be used +for the connection, e.g. +.B hmac-md5. +.TP +.B auth +whether authentication should be done as part of +ESP encryption, or separately using the AH protocol; +acceptable values are +.B esp +(the default) and +.BR ah . +.br +The IKEv2 daemon currently supports ESP only. +.TP +.B authby +how the two security gateways should authenticate each other; +acceptable values are +.B secret +or +.B psk +for pre-shared secrets, +.B pubkey +(the default) for public key signatures as well as the synonyms +.B rsasig +for RSA digital signatures and +.B ecdsasig +for Elliptic Curve DSA signatures. +.B never +can be used if negotiation is never to be attempted or accepted (useful for +shunt-only conns). +Digital signatures are superior in every way to shared secrets. +IKEv1 additionally supports the values +.B xauthpsk +and +.B xauthrsasig +that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode +based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.BR eap , +which indicates an initiator to request EAP authentication. The EAP method +to use is selected by the server (see +.BR eap ). +This parameter is deprecated for IKEv2 connections, as two peers do not need +to agree on an authentication method. Use the +.B leftauth +parameter instead to define authentication methods in IKEv2. +.TP +.B auto +what operation, if any, should be done automatically at IPsec startup; +currently-accepted values are +.BR add , +.BR route , +.B start +and +.B ignore +(the default). +.B add +loads a connection without starting it. +.B route +loads a connection and installs kernel traps. If traffic is detected between +.B leftsubnet +and +.B rightsubnet +, a connection is established. +.B start +loads a connection and brings it up immediatly. +.B ignore +ignores the connection. This is equal to delete a connection from the config +file. +Relevant only locally, other end need not agree on it +(but in general, for an intended-to-be-permanent connection, +both ends should use +.B auto=start +to ensure that any reboot causes immediate renegotiation). +.TP +.B compress +whether IPComp compression of content is proposed on the connection +(link-level compression does not work on encrypted data, +so to be effective, compression must be done \fIbefore\fR encryption); +acceptable values are +.B yes +and +.B no +(the default). A value of +.B yes +causes IPsec to propose both compressed and uncompressed, +and prefer compressed. +A value of +.B no +prevents IPsec from proposing compression; +a proposal to compress will still be accepted. +.TP +.B dpdaction +controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where +R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) +are periodically sent in order to check the +liveliness of the IPsec peer. The values +.BR clear , +.BR hold , +and +.B restart +all activate DPD. If no activity is detected, all connections with a dead peer +are stopped and unrouted +.RB ( clear ), +put in the hold state +.RB ( hold ) +or restarted +.RB ( restart ). +For IKEv1, the default is +.B none +which disables the active sending of R_U_THERE notifications. +Nevertheless pluto will always send the DPD Vendor ID during connection set up +in order to signal the readiness to act passively as a responder if the peer +wants to use DPD. For IKEv2, +.B none +does't make sense, since all messages are used to detect dead peers. If specified, +it has the same meaning as the default +.RB ( clear ). +.TP +.B dpddelay +defines the period time interval with which R_U_THERE messages/INFORMATIONAL +exchanges are sent to the peer. These are only sent if no other traffic is +received. In IKEv2, a value of 0 sends no additional INFORMATIONAL +messages and uses only standard messages (such as those to rekey) to detect +dead peers. +.TP +.B dpdtimeout +defines the timeout interval, after which all connections to a peer are deleted +in case of inactivity. This only applies to IKEv1, in IKEv2 the default +retransmission timeout applies, as every exchange is used to detect dead peers. +.TP +.B inactivity +defines the timeout interval, after which a CHILD_SA is closed if it did +not send or receive any traffic. Currently supported in IKEv2 connections only. +.TP +.B eap +defines the EAP type to propose as server if the client requests EAP +authentication. Currently supported values are +.B aka +for EAP-AKA, +.B gtc +for EAP-GTC, +.B md5 +for EAP-MD5, +.B mschapv2 +for EAP-MS-CHAPv2, +.B radius +for the EAP-RADIUS proxy and +.B sim +for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a +definition in the form +.B eap=type-vendor +(e.g. eap=7-12345) can be used to specify vendor specific EAP types. +This parameter is deprecated in the favour of +.B leftauth. + +To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, +set +.BR eap=radius . +.TP +.B eap_identity +defines the identity the client uses to reply to a EAP Identity request. +If defined on the EAP server, the defined identity will be used as peer +identity during EAP authentication. The special value +.B %identity +uses the EAP Identity method to ask the client for an EAP identity. If not +defined, the IKEv2 identity will be used as EAP identity. +.TP +.B esp +comma-separated list of ESP encryption/authentication algorithms to be used +for the connection, e.g. +.BR 3des-md5 . +The notation is +.BR encryption-integrity-[dh-group] . +.br +If +.B dh-group +is specified, CHILD_SA setup and rekeying include a separate diffe hellman +exchange (IKEv2 only). +.TP +.B forceencaps +Force UDP encapsulation for ESP packets even if no NAT situation is detected. +This may help to surmount restrictive firewalls. In order to force the peer to +encapsulate packets, NAT detection payloads are faked (IKEv2 only). +.TP +.B ike +comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms +to be used, e.g. +.BR aes128-sha1-modp2048 . +The notation is +.BR encryption-integrity-dhgroup . +In IKEv2, multiple algorithms and proposals may be included, such as +.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. +.TP +.B ikelifetime +how long the keying channel of a connection (ISAKMP or IKE SA) +should last before being renegotiated. +.TP +.B installpolicy +decides whether IPsec policies are installed in the kernel by the IKEv2 +charon daemon for a given connection. Allows peaceful cooperation e.g. with +the Mobile IPv6 daemon mip6d who wants to control the kernel policies. +Acceptable values are +.B yes +(the default) and +.BR no . +.TP +.B keyexchange +method of key exchange; +which protocol should be used to initialize the connection. Connections marked with +.B ikev1 +are initiated with pluto, those marked with +.B ikev2 +with charon. An incoming request from the remote peer is handled by the correct +daemon, unaffected from the +.B keyexchange +setting. The default value +.B ike +currently is a synonym for +.BR ikev1 . +.TP +.B keyingtries +how many attempts (a whole number or \fB%forever\fP) should be made to +negotiate a connection, or a replacement for one, before giving up +(default +.BR %forever ). +The value \fB%forever\fP +means 'never give up'. +Relevant only locally, other end need not agree on it. +.TP +.B keylife +synonym for +.BR lifetime . +.TP +.B left +(required) +the IP address of the left participant's public-network interface +or one of several magic values. +If it is +.BR %defaultroute , +.B left +will be filled in automatically with the local address +of the default-route interface (as determined at IPsec startup time and +during configuration update). +Either +.B left +or +.B right +may be +.BR %defaultroute , +but not both. +The prefix +.B % +in front of a fully-qualified domain name or an IP address will implicitly set +.B leftallowany=yes. +If the domain name cannot be resolved into an IP address at IPsec startup or +update time then +.B left=%any +and +.B leftallowany=no +will be assumed. + +In case of an IKEv2 connection, the value +.B %any +for the local endpoint signifies an address to be filled in (by automatic +keying) during negotiation. If the local peer initiates the connection setup +the routing table will be queried to determine the correct local IP address. +In case the local peer is responding to a connection setup then any IP address +that is assigned to a local interface will be accepted. +.br +Note that specifying +.B %any +for the local endpoint is not supported by the IKEv1 pluto daemon. + +If +.B %any +is used for the remote endpoint it literally means any IP address. + +Please note that with the usage of wildcards multiple connection descriptions +might match a given incoming connection attempt. The most specific description +is used in that case. +.TP +.B leftallowany +a modifier for +.B left +, making it behave as +.B %any +although a concrete IP address has been assigned. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec +startup or update time. +Acceptable values are +.B yes +and +.B no +(the default). +.TP +.B leftauth +Authentication method to use locally (left) or require from the remote (right) +side. +This parameter is supported in IKEv2 only. Acceptable values are +.B pubkey +for public key authentication (RSA/ECDSA), +.B psk +for pre-shared key authentication and +.B eap +to (require the) use of the Extensible Authentication Protocol. In the case +of +.B eap, +an optional EAP method can be appended. Currently defined methods are +.BR eap-aka , +.BR eap-gtc , +.BR eap-md5 , +.B eap-mschapv2 +and +.BR eap-sim . +Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific +EAP methods are defined in the form +.B eap-type-vendor +.RB "(e.g. " eap-7-12345 ). +.TP +.B leftauth2 +Same as +.BR leftauth , +but defines an additional authentication exchange. IKEv2 supports multiple +authentication rounds using "Multiple Authentication Exchanges" defined +in RFC4739. This allows, for example, separated authentication +of host and user (IKEv2 only). +.TP +.B leftca +the distinguished name of a certificate authority which is required to +lie in the trust path going from the left participant's certificate up +to the root certification authority. +.TP +.B leftca2 +Same as +.B leftca, +but for the second authentication round (IKEv2 only). +.TP +.B leftcert +the path to the left participant's X.509 certificate. The file can be encoded +either in PEM or DER format. OpenPGP certificates are supported as well. +Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP +are accepted. By default +.B leftcert +sets +.B leftid +to the distinguished name of the certificate's subject and +.B leftca +to the distinguished name of the certificate's issuer. +The left participant's ID can be overriden by specifying a +.B leftid +value which must be certified by the certificate, though. +.TP +.B leftcert2 +Same as +.B leftcert, +but for the second authentication round (IKEv2 only). +.TP +.B leftfirewall +whether the left participant is doing forwarding-firewalling +(including masquerading) using iptables for traffic from \fIleftsubnet\fR, +which should be turned off (for traffic to the other subnet) +once the connection is established; +acceptable values are +.B yes +and +.B no +(the default). +May not be used in the same connection description with +.BR leftupdown . +Implemented as a parameter to the default \fBipsec _updown\fR script. +See notes below. +Relevant only locally, other end need not agree on it. + +If one or both security gateways are doing forwarding firewalling +(possibly including masquerading), +and this is specified using the firewall parameters, +tunnels established with IPsec are exempted from it +so that packets can flow unchanged through the tunnels. +(This means that all subnets connected in this manner must have +distinct, non-overlapping subnet address blocks.) +This is done by the default \fBipsec _updown\fR script (see +.IR pluto (8)). + +In situations calling for more control, +it may be preferable for the user to supply his own +.I updown +script, +which makes the appropriate adjustments for his system. +.TP +.B leftgroups +a comma separated list of group names. If the +.B leftgroups +parameter is present then the peer must be a member of at least one +of the groups defined by the parameter. Group membership must be certified +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has +been issued to the peer by a trusted Authorization Authority stored in +\fI/etc/ipsec.d/aacerts/\fP. +.br +Attribute certificates are not supported in IKEv2 yet. +.TP +.B lefthostaccess +inserts a pair of INPUT and OUTPUT iptables rules using the default +\fBipsec _updown\fR script, thus allowing access to the host itself +in the case where the host's internal interface is part of the +negotiated client subnet. +Acceptable values are +.B yes +and +.B no +(the default). +.TP +.B leftid +how the left participant should be identified for authentication; +defaults to +.BR left . +Can be an IP address or a fully-qualified domain name preceded by +.B @ +(which is used as a literal string and not resolved). +.TP +.B leftid2 +identity to use for a second authentication for the left participant +(IKEv2 only); defaults to +.BR leftid . +.TP +.B leftikeport +UDP port the left participant uses for IKE communication. Currently supported in +IKEv2 connections only. If unspecified, port 500 is used with the port floating +to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port +different from the default additionally requires a socket implementation that +listens to this port. +.TP +.B leftnexthop +this parameter is usually not needed any more because the NETKEY IPsec stack +does not require explicit routing entries for the traffic to be tunneled. If +.B leftsourceip +is used with IKEv1 then +.B leftnexthop +must still be set in order for the source routes to work properly. +.TP +.B leftprotoport +restrict the traffic selector to a single protocol and/or port. +Examples: +.B leftprotoport=tcp/http +or +.B leftprotoport=6/80 +or +.B leftprotoport=udp +.TP +.B leftrsasigkey +the left participant's +public key for RSA signature authentication, +in RFC 2537 format using +.IR ttodata (3) +encoding. +The magic value +.B %none +means the same as not specifying a value (useful to override a default). +The value +.B %cert +(the default) +means that the key is extracted from a certificate. +The identity used for the left participant +must be a specific host, not +.B %any +or another magic value. +.B Caution: +if two connection descriptions +specify different public keys for the same +.BR leftid , +confusion and madness will ensue. +.TP +.B leftsendcert +Accepted values are +.B never +or +.BR no , +.B always +or +.BR yes , +and +.BR ifasked , +the latter meaning that the peer must send a certificate request payload in +order to get a certificate in return. +.TP +.B leftsourceip +The internal source IP to use in a tunnel, also known as virtual IP. If the +value is one of the synonyms +.BR %modeconfig , +.BR %modecfg , +.BR %config , +or +.BR %cfg , +an address is requested from the peer. In IKEv2, a statically defined address +is also requested, since the server may change it. +.TP +.B rightsourceip +The internal source IP to use in a tunnel for the remote peer. If the +value is +.B %config +on the responder side, the initiator must propose an address which is then +echoed back. Also supported are address pools expressed as +\fInetwork\fB/\fInetmask\fR +or the use of an external IP address pool using %\fIpoolname\fR, +where \fIpoolname\fR is the name of the IP address pool used for the lookup. +.TP +.B leftsubnet +private subnet behind the left participant, expressed as +\fInetwork\fB/\fInetmask\fR; +if omitted, essentially assumed to be \fIleft\fB/32\fR, +signifying that the left end of the connection goes to the left participant +only. When using IKEv2, the configured subnet of the peers may differ, the +protocol narrows it to the greatest common subnet. Further, IKEv2 supports +multiple subnets separated by commas. IKEv1 only interprets the first subnet +of such a definition. +.TP +.B leftsubnetwithin +the peer can propose any subnet or single IP address that fits within the +range defined by +.BR leftsubnetwithin. +Not relevant for IKEv2, as subnets are narrowed. +.TP +.B leftupdown +what ``updown'' script to run to adjust routing and/or firewalling +when the status of the connection +changes (default +.BR "ipsec _updown" ). +May include positional parameters separated by white space +(although this requires enclosing the whole string in quotes); +including shell metacharacters is unwise. +See +.IR pluto (8) +for details. +Relevant only locally, other end need not agree on it. IKEv2 uses the updown +script to insert firewall rules only, since routing has been implemented +directly into charon. +.TP +.B lifebytes +the number of bytes transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifepackets +the number of packets transmitted over an IPsec SA before it expires (IKEv2 +only). +.TP +.B lifetime +how long a particular instance of a connection +(a set of encryption/authentication keys for user packets) should last, +from successful negotiation to expiry; +acceptable values are an integer optionally followed by +.BR s +(a time in seconds) +or a decimal number followed by +.BR m , +.BR h , +or +.B d +(a time +in minutes, hours, or days respectively) +(default +.BR 1h , +maximum +.BR 24h ). +Normally, the connection is renegotiated (via the keying channel) +before it expires (see +.BR margintime ). +The two ends need not exactly agree on +.BR lifetime , +although if they do not, +there will be some clutter of superseded connections on the end +which thinks the lifetime is longer. +.TP +.B marginbytes +how many bytes before IPsec SA expiry (see +.BR lifebytes ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B marginpackets +how many packets before IPsec SA expiry (see +.BR lifepackets ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B margintime +how long before connection expiry or keying-channel expiry +should attempts to +negotiate a replacement +begin; acceptable values as for +.B lifetime +(default +.BR 9m ). +Relevant only locally, other end need not agree on it. +.TP +.B mark +sets an XFRM mark of the form [/] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form [/] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form [/] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mobike +enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are +.B yes +(the default) and +.BR no . +If set to +.BR no , +the IKEv2 charon daemon will not actively propose MOBIKE as initiator and +ignore the MOBIKE_SUPPORTED notify as responder. +.TP +.B modeconfig +defines which mode is used to assign a virtual IP. +Accepted values are +.B push +and +.B pull +(the default). +Currently relevant for IKEv1 only since IKEv2 always uses the configuration +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. +.TP +.B pfs +whether Perfect Forward Secrecy of keys is desired on the connection's +keying channel +(with PFS, penetration of the key-exchange protocol +does not compromise keys negotiated earlier); +acceptable values are +.B yes +(the default) +and +.BR no. +IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying +PFS is enforced by defining a Diffie-Hellman modp group in the +.B esp +parameter. +.TP +.B pfsgroup +defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode +differing from the DH group used for IKEv1 Main Mode (IKEv1 only). +.TP +.B reauth +whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, +reauthentication is always done. In IKEv2, a value of +.B no +rekeys without uninstalling the IPsec SAs, a value of +.B yes +(the default) creates a new IKE_SA from scratch and tries to recreate +all IPsec SAs. +.TP +.B rekey +whether a connection should be renegotiated when it is about to expire; +acceptable values are +.B yes +(the default) +and +.BR no . +The two ends need not agree, but while a value of +.B no +prevents pluto/charon from requesting renegotiation, +it does not prevent responding to renegotiation requested from the other end, +so +.B no +will be largely ineffective unless both ends agree on it. +.TP +.B rekeyfuzz +maximum percentage by which +.BR marginbytes , +.B marginpackets +and +.B margintime +should be randomly increased to randomize rekeying intervals +(important for hosts with many connections); +acceptable values are an integer, +which may exceed 100, +followed by a `%' +(defaults to +.BR 100% ). +The value of +.BR marginTYPE , +after this random increase, +must not exceed +.B lifeTYPE +(where TYPE is one of +.IR bytes , +.I packets +or +.IR time ). +The value +.B 0% +will suppress randomization. +Relevant only locally, other end need not agree on it. +.TP +.B rekeymargin +synonym for +.BR margintime . +.TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). +.TP +.B type +the type of the connection; currently the accepted values +are +.B tunnel +(the default) +signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; +.BR transport , +signifying host-to-host transport mode; +.BR transport_proxy , +signifying the special Mobile IPv6 transport proxy mode; +.BR passthrough , +signifying that no IPsec processing should be done at all; +.BR drop , +signifying that packets should be discarded; and +.BR reject , +signifying that packets should be discarded and a diagnostic ICMP returned. +The IKEv2 daemon charon currently supports +.BR tunnel , +.BR transport , +and +.BR tunnel_proxy +connection types, only. +.TP +.B xauth +specifies the role in the XAUTH protocol if activated by +.B authby=xauthpsk +or +.B authby=xauthrsasig. +Accepted values are +.B server +and +.B client +(the default). + +.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" +The following parameters are relevant to IKEv2 Mediation Extension +operation only. +.TP 14 +.B mediation +whether this connection is a mediation connection, ie. whether this +connection is used to mediate other connections. Mediation connections +create no child SA. Acceptable values are +.B no +(the default) and +.BR yes . +.TP +.B mediated_by +the name of the connection to mediate this connection through. If given, +the connection will be mediated through the named mediation connection. +The mediation connection must set +.BR mediation=yes . +.TP +.B me_peerid +ID as which the peer is known to the mediation server, ie. which the other +end of this connection uses as its +.B leftid +on its connection to the mediation server. This is the ID we request the +mediation server to mediate us with. If +.B me_peerid +is not given, the +.B rightid +of this connection will be used as peer ID. + +.SH "CA SECTIONS" +This are optional sections that can be used to assign special +parameters to a Certification Authority (CA). +.TP 10 +.B auto +currently can have either the value +.B ignore +or +.B add +. +.TP +.B cacert +defines a path to the CA certificate either relative to +\fI/etc/ipsec.d/cacerts\fP or as an absolute path. +.TP +.B crluri +defines a CRL distribution point (ldap, http, or file URI) +.TP +.B crluri1 +synonym for +.B crluri. +.TP +.B crluri2 +defines an alternative CRL distribution point (ldap, http, or file URI) +.TP +.B ldaphost +defines an ldap host. Currently used by IKEv1 only. +.TP +.B ocspuri +defines an OCSP URI. +.TP +.B ocspuri1 +synonym for +.B ocspuri. +.TP +.B ocspuri2 +defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP +.B certuribase +defines the base URI for the Hash and URL feature supported by IKEv2. +Instead of exchanging complete certificates, IKEv2 allows to send an URI +that resolves to the DER encoded certificate. The certificate URIs are built +by appending the SHA1 hash of the DER encoded certificates to this base URI. +.SH "CONFIG SECTIONS" +At present, the only +.B config +section known to the IPsec software is the one named +.BR setup , +which contains information used when the software is being started. +Here's an example: +.PP +.ne 8 +.nf +.ft B +.ta 1c +config setup + plutodebug=all + crlcheckinterval=10m + strictcrlpolicy=yes +.ft +.fi +.PP +Parameters are optional unless marked ``(required)''. +The currently-accepted +.I parameter +names in a +.B config +.B setup +section affecting both daemons are: +.TP 14 +.B cachecrls +certificate revocation lists (CRLs) fetched via http or ldap will be cached in +\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification +authority's public key. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B charonstart +whether to start the IKEv2 Charon daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv2 support. +.TP +.B dumpdir +in what directory should things started by \fBipsec starter\fR +(notably the Pluto and Charon daemons) be allowed to dump core? +The empty value (the default) means they are not +allowed to. +This feature is currently not yet supported by \fBipsec starter\fR. +.TP +.B plutostart +whether to start the IKEv1 Pluto daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv1 support. +.TP +.B strictcrlpolicy +defines if a fresh CRL must be available in order for the peer authentication based +on RSA signatures to succeed. +Accepted values are +.B yes +and +.B no +(the default). +IKEv2 additionally recognizes +.B ifuri +which reverts to +.B yes +if at least one CRL URI is defined and to +.B no +if no URI is known. +.TP +.B uniqueids +whether a particular participant ID should be kept unique, +with any new (automatically keyed) +connection using an ID from a different IP address +deemed to replace all old ones using that ID; +acceptable values are +.B yes +(the default) +and +.BR no . +Participant IDs normally \fIare\fR unique, +so a new (automatically-keyed) connection using the same ID is +almost invariably intended to replace an old one. +The IKEv2 daemon also accepts the value +.B replace +wich is identical to +.B yes +and the value +.B keep +to reject new IKE_SA setups and keep the duplicate established earlier. +.PP +The following +.B config section +parameters are used by the IKEv1 Pluto daemon only: +.TP +.B crlcheckinterval +interval in seconds. CRL fetching is enabled if the value is greater than zero. +Asynchronous, periodic checking for fresh CRLs is currently done by the +IKEv1 Pluto daemon only. +.TP +.B keep_alive +interval in seconds between NAT keep alive packets, the default being 20 seconds. +.TP +.B nat_traversal +activates NAT traversal by accepting source ISAKMP ports different from udp/500 and +being able of floating to udp/4500 if a NAT situation is detected. +Accepted values are +.B yes +and +.B no +(the default). +Used by IKEv1 only, NAT traversal always being active in IKEv2. +.TP +.B nocrsend +no certificate request payloads will be sent. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11initargs +non-standard argument string for PKCS#11 C_Initialize() function; +required by NSS softoken. +.TP +.B pkcs11module +defines the path to a dynamically loadable PKCS #11 library. +.TP +.B pkcs11keepstate +PKCS #11 login sessions will be kept during the whole lifetime of the keying +daemon. Useful with pin-pad smart card readers. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11proxy +Pluto will act as a PKCS #11 proxy accessible via the whack interface. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B plutodebug +how much Pluto debugging output should be logged. +An empty value, +or the magic value +.BR none , +means no debugging output (the default). +The magic value +.B all +means full output. +Otherwise only the specified types of output +(a quoted list, names without the +.B \-\-debug\- +prefix, +separated by white space) are enabled; +for details on available debugging types, see +.IR pluto (8). +.TP +.B plutostderrlog +Pluto will not use syslog, but rather log to stderr, and redirect stderr +to the argument file. +.TP +.B postpluto +shell command to run after starting Pluto +(e.g., to remove a decrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. +Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B prepluto +shell command to run before starting Pluto +(e.g., to decrypt an encrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. +Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B virtual_private +defines private networks using a wildcard notation. +.PP +The following +.B config section +parameters are used by the IKEv2 Charon daemon only: +.TP +.B charondebug +how much Charon debugging output should be logged. +A comma separated list containing type level/pairs may +be specified, e.g: +.B dmn 3, ike 1, net -1. +Acceptable values for types are +.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib +and the level is one of +.B -1, 0, 1, 2, 3, 4 +(for silent, audit, control, controlmore, raw, private). +.PP +The following +.B config section +parameters only make sense if the KLIPS IPsec stack +is used instead of the default NETKEY stack of the Linux 2.6 kernel: +.TP +.B fragicmp +whether a tunnel's need to fragment a packet should be reported +back with an ICMP message, +in an attempt to make the sender lower his PMTU estimate; +acceptable values are +.B yes +(the default) +and +.BR no . +.TP +.B hidetos +whether a tunnel packet's TOS field should be set to +.B 0 +rather than copied from the user packet inside; +acceptable values are +.B yes +(the default) +and +.BR no +.TP +.B interfaces +virtual and physical interfaces for IPsec to use: +a single +\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated +by white space, or +.BR %none . +One of the pairs may be written as +.BR %defaultroute , +which means: find the interface \fId\fR that the default route points to, +and then act as if the value was ``\fBipsec0=\fId\fR''. +.B %defaultroute +is the default; +.B %none +must be used to denote no interfaces. +.TP +.B overridemtu +value that the MTU of the ipsec\fIn\fR interface(s) should be set to, +overriding IPsec's (large) default. +.SH FILES +.nf +/etc/ipsec.conf +/etc/ipsec.d/aacerts +/etc/ipsec.d/acerts +/etc/ipsec.d/cacerts +/etc/ipsec.d/certs +/etc/ipsec.d/crls + +.SH SEE ALSO +ipsec(8), pluto(8), starter(8) +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner, Andreas Steffen and Martin Willi. +.SH BUGS +.PP +If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP +will fail. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index df39f0dc7..1d7cae00b 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 121 +#define TOTAL_KEYWORDS 126 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 11 -#define MAX_HASH_VALUE 230 -/* maximum key range = 220, duplicates = 0 */ +#define MIN_HASH_VALUE 20 +#define MAX_HASH_VALUE 220 +/* maximum key range = 201, duplicates = 0 */ #ifdef __GNUC__ __inline @@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 26, - 75, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 2, 231, 25, 231, 40, - 61, 2, 114, 24, 3, 2, 231, 101, 2, 96, - 48, 35, 23, 231, 4, 10, 3, 69, 25, 231, - 2, 18, 16, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231 + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 35, + 77, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 8, 221, 31, 221, 20, + 28, 5, 75, 26, 88, 5, 221, 97, 5, 50, + 39, 67, 29, 221, 7, 13, 6, 89, 15, 221, + 5, 24, 7, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221 }; register int hval = len; @@ -128,7 +128,6 @@ static const struct kw_entry wordlist[] = {"right", KW_RIGHT}, {"lifetime", KW_KEYLIFE}, {"leftcert", KW_LEFTCERT,}, - {"reauth", KW_REAUTH}, {"leftfirewall", KW_LEFTFIREWALL}, {"leftsendcert", KW_LEFTSENDCERT}, {"rightikeport", KW_RIGHTIKEPORT}, @@ -137,142 +136,147 @@ static const struct kw_entry wordlist[] = {"leftgroups", KW_LEFTGROUPS}, {"rekey", KW_REKEY}, {"rightsubnet", KW_RIGHTSUBNET}, + {"crluri", KW_CRLURI}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"xauth", KW_XAUTH}, - {"leftallowany", KW_LEFTALLOWANY}, + {"reqid", KW_REQID}, + {"rightcert", KW_RIGHTCERT}, + {"certuribase", KW_CERTURIBASE}, {"esp", KW_ESP}, + {"leftallowany", KW_LEFTALLOWANY}, + {"rightid", KW_RIGHTID}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"leftnexthop", KW_LEFTNEXTHOP}, {"lifebytes", KW_LIFEBYTES}, {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"rightauth", KW_RIGHTAUTH}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, {"rightprotoport", KW_RIGHTPROTOPORT}, + {"rightgroups", KW_RIGHTGROUPS}, {"plutostart", KW_PLUTOSTART}, {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"lifepackets", KW_LIFEPACKETS}, - {"rightgroups", KW_RIGHTGROUPS}, {"rightsourceip", KW_RIGHTSOURCEIP}, {"eap", KW_EAP}, - {"crluri", KW_CRLURI}, - {"hidetos", KW_HIDETOS}, - {"rightcert", KW_RIGHTCERT}, - {"certuribase", KW_CERTURIBASE}, - {"leftca", KW_LEFTCA}, - {"leftnatip", KW_LEFTNATIP}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"also", KW_ALSO}, - {"packetdefault", KW_PACKETDEFAULT}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightid", KW_RIGHTID}, {"cacert", KW_CACERT}, {"rightca", KW_RIGHTCA}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftid", KW_LEFTID}, {"crluri1", KW_CRLURI}, - {"inactivity", KW_INACTIVITY}, + {"ldapbase", KW_LDAPBASE}, + {"leftca", KW_LEFTCA}, + {"leftnatip", KW_LEFTNATIP}, + {"rightallowany", KW_RIGHTALLOWANY}, {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"xauth_identity", KW_XAUTH_IDENTITY}, + {"inactivity", KW_INACTIVITY}, + {"packetdefault", KW_PACKETDEFAULT}, {"installpolicy", KW_INSTALLPOLICY}, - {"leftauth", KW_LEFTAUTH}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, {"leftupdown", KW_LEFTUPDOWN}, - {"leftsubnet", KW_LEFTSUBNET}, {"rightnatip", KW_RIGHTNATIP}, - {"ocspuri", KW_OCSPURI}, {"rightnexthop", KW_RIGHTNEXTHOP}, + {"cachecrls", KW_CACHECRLS}, + {"dpddelay", KW_DPDDELAY}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"mediated_by", KW_MEDIATED_BY}, + {"me_peerid", KW_ME_PEERID}, + {"plutodebug", KW_PLUTODEBUG}, + {"eap_identity", KW_EAP_IDENTITY}, {"leftcert2", KW_LEFTCERT2,}, {"rightid2", KW_RIGHTID2}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"compress", KW_COMPRESS}, - {"ldapbase", KW_LDAPBASE}, - {"auth", KW_AUTH}, - {"postpluto", KW_POSTPLUTO}, - {"charonstart", KW_CHARONSTART}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"rightfirewall", KW_RIGHTFIREWALL}, + {"ocspuri", KW_OCSPURI}, + {"also", KW_ALSO}, + {"mediation", KW_MEDIATION}, {"ike", KW_IKE}, + {"dpdaction", KW_DPDACTION}, + {"rekeymargin", KW_REKEYMARGIN}, + {"compress", KW_COMPRESS}, {"ldaphost", KW_LDAPHOST}, - {"leftca2", KW_LEFTCA2}, - {"dpddelay", KW_DPDDELAY}, - {"ocspuri1", KW_OCSPURI}, - {"rightauth2", KW_RIGHTAUTH2}, - {"eap_identity", KW_EAP_IDENTITY}, - {"leftikeport", KW_LEFTIKEPORT}, - {"plutodebug", KW_PLUTODEBUG}, - {"cachecrls", KW_CACHECRLS}, - {"charondebug", KW_CHARONDEBUG}, + {"leftsubnet", KW_LEFTSUBNET}, {"crluri2", KW_CRLURI2}, {"rightca2", KW_RIGHTCA2}, - {"mediated_by", KW_MEDIATED_BY}, + {"leftsourceip", KW_LEFTSOURCEIP}, {"rightcert2", KW_RIGHTCERT2}, - {"leftid", KW_LEFTID}, - {"auto", KW_AUTO}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"rightfirewall", KW_RIGHTFIREWALL}, - {"authby", KW_AUTHBY}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"uniqueids", KW_UNIQUEIDS}, - {"prepluto", KW_PREPLUTO}, - {"keep_alive", KW_KEEP_ALIVE}, + {"pfs", KW_PFS}, + {"leftid2", KW_LEFTID2}, + {"dpdtimeout", KW_DPDTIMEOUT}, + {"leftikeport", KW_LEFTIKEPORT}, + {"leftca2", KW_LEFTCA2}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"xauth", KW_XAUTH}, + {"rightauth2", KW_RIGHTAUTH2}, + {"mark_in", KW_MARK_IN}, {"mobike", KW_MOBIKE}, - {"overridemtu", KW_OVERRIDEMTU}, + {"margintime", KW_REKEYMARGIN}, {"dumpdir", KW_DUMPDIR}, - {"dpdaction", KW_DPDACTION}, - {"rekeyfuzz", KW_REKEYFUZZ}, - {"leftid2", KW_LEFTID2}, - {"keyingtries", KW_KEYINGTRIES}, - {"pfs", KW_PFS}, - {"nocrsend", KW_NOCRSEND}, + {"ocspuri1", KW_OCSPURI}, {"keyexchange", KW_KEYEXCHANGE}, - {"leftauth2", KW_LEFTAUTH2}, - {"mediation", KW_MEDIATION}, - {"rekeymargin", KW_REKEYMARGIN}, - {"ocspuri2", KW_OCSPURI2}, - {"pkcs11module", KW_PKCS11MODULE}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"me_peerid", KW_ME_PEERID}, - {"forceencaps", KW_FORCEENCAPS}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"margintime", KW_REKEYMARGIN}, - {"interfaces", KW_INTERFACES}, {"fragicmp", KW_FRAGICMP}, + {"rightauth", KW_RIGHTAUTH}, + {"interfaces", KW_INTERFACES}, {"marginbytes", KW_MARGINBYTES}, {"marginpackets", KW_MARGINPACKETS}, - {"dpdtimeout", KW_DPDTIMEOUT}, + {"nocrsend", KW_NOCRSEND}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"keyingtries", KW_KEYINGTRIES}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"uniqueids", KW_UNIQUEIDS}, + {"mark_out", KW_MARK_OUT}, + {"charonstart", KW_CHARONSTART}, {"klipsdebug", KW_KLIPSDEBUG}, - {"modeconfig", KW_MODECONFIG}, - {"pfsgroup", KW_PFSGROUP}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, + {"forceencaps", KW_FORCEENCAPS}, + {"authby", KW_AUTHBY}, + {"postpluto", KW_POSTPLUTO}, + {"pkcs11module", KW_PKCS11MODULE}, + {"ocspuri2", KW_OCSPURI2}, + {"hidetos", KW_HIDETOS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"mark", KW_MARK}, + {"charondebug", KW_CHARONDEBUG}, + {"leftauth2", KW_LEFTAUTH2}, + {"overridemtu", KW_OVERRIDEMTU}, + {"pkcs11initargs", KW_PKCS11INITARGS}, {"keylife", KW_KEYLIFE}, - {"ikelifetime", KW_IKELIFETIME} + {"auto", KW_AUTO}, + {"ikelifetime", KW_IKELIFETIME}, + {"reauth", KW_REAUTH}, + {"leftauth", KW_LEFTAUTH}, + {"pkcs11proxy", KW_PKCS11PROXY}, + {"prepluto", KW_PREPLUTO}, + {"pfsgroup", KW_PFSGROUP}, + {"auth", KW_AUTH}, + {"modeconfig", KW_MODECONFIG} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, 0, -1, -1, 1, -1, 2, 3, 4, -1, - 5, 6, -1, 7, 8, -1, -1, 9, 10, 11, - 12, -1, 13, -1, 14, 15, 16, -1, 17, -1, - 18, 19, 20, 21, -1, 22, 23, -1, 24, 25, - 26, 27, 28, 29, 30, -1, -1, 31, 32, 33, - 34, 35, 36, 37, 38, -1, 39, 40, -1, 41, - -1, -1, -1, 42, 43, -1, 44, 45, 46, 47, - 48, 49, -1, 50, 51, 52, 53, 54, 55, 56, - 57, 58, 59, -1, -1, 60, -1, -1, 61, -1, - -1, 62, -1, -1, 63, 64, -1, -1, 65, 66, - -1, 67, 68, 69, -1, -1, 70, -1, 71, 72, - 73, -1, -1, -1, 74, -1, 75, -1, 76, 77, - 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, - 88, 89, 90, 91, 92, 93, -1, 94, 95, -1, - 96, -1, -1, -1, 97, -1, 98, 99, 100, -1, - -1, 101, 102, -1, 103, -1, -1, 104, 105, -1, - 106, -1, 107, -1, 108, -1, -1, -1, -1, 109, - -1, 110, -1, -1, 111, -1, -1, -1, -1, 112, - 113, -1, 114, 115, -1, -1, -1, -1, 116, -1, - 117, -1, -1, 118, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, 119, -1, -1, -1, - 120 + 0, -1, -1, 1, -1, -1, -1, -1, 2, 3, + -1, -1, 4, 5, -1, 6, 7, -1, -1, 8, + 9, 10, 11, 12, 13, 14, -1, 15, 16, -1, + 17, 18, 19, 20, -1, 21, 22, 23, -1, -1, + 24, 25, 26, 27, 28, 29, -1, 30, 31, 32, + 33, 34, 35, -1, 36, -1, -1, 37, 38, 39, + 40, 41, 42, 43, -1, 44, 45, 46, 47, -1, + 48, -1, 49, 50, 51, 52, 53, 54, 55, -1, + 56, 57, 58, 59, 60, 61, 62, 63, -1, 64, + 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, + 75, -1, 76, 77, 78, 79, -1, -1, 80, 81, + 82, -1, 83, 84, -1, 85, 86, 87, 88, 89, + 90, -1, 91, -1, 92, -1, 93, 94, 95, -1, + -1, 96, 97, -1, 98, 99, -1, -1, -1, -1, + -1, -1, 100, -1, 101, -1, 102, -1, -1, -1, + 103, 104, -1, -1, 105, -1, -1, 106, 107, 108, + 109, 110, 111, -1, 112, 113, -1, 114, 115, 116, + -1, 117, -1, 118, 119, 120, 121, -1, -1, -1, + 122, -1, -1, -1, -1, -1, -1, -1, 123, -1, + -1, -1, 124, -1, -1, -1, -1, -1, -1, -1, + 125 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 6c3907a6a..25d2ce4b9 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -93,12 +93,17 @@ typedef enum { KW_INACTIVITY, KW_MODECONFIG, KW_XAUTH, + KW_XAUTH_IDENTITY, KW_MEDIATION, KW_MEDIATED_BY, KW_ME_PEERID, + KW_REQID, + KW_MARK, + KW_MARK_IN, + KW_MARK_OUT, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_ME_PEERID +#define KW_CONN_LAST KW_MARK_OUT /* ca section keywords */ KW_CA_NAME, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 12037a685..fcdc60cff 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -84,9 +84,14 @@ dpdaction, KW_DPDACTION inactivity, KW_INACTIVITY modeconfig, KW_MODECONFIG xauth, KW_XAUTH +xauth_identity, KW_XAUTH_IDENTITY mediation, KW_MEDIATION mediated_by, KW_MEDIATED_BY me_peerid, KW_ME_PEERID +reqid, KW_REQID +mark, KW_MARK +mark_in, KW_MARK_IN +mark_out, KW_MARK_OUT cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE diff --git a/src/starter/starter.c b/src/starter/starter.c index 50ef9c07b..c3ba54f1d 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -241,6 +241,7 @@ int main (int argc, char **argv) time_t last_reload; bool no_fork = FALSE; bool attach_gdb = FALSE; + bool load_warning = FALSE; /* global variables defined in log.h */ log_to_stderr = TRUE; @@ -300,6 +301,21 @@ int main (int argc, char **argv) plog("Starting strongSwan "VERSION" IPsec [starter]..."); +#ifdef LOAD_WARNING + load_warning = TRUE; +#endif + + if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning)) + { + if (lib->settings->get_str(lib->settings, "charon.load", NULL) || + lib->settings->get_str(lib->settings, "pluto.load", NULL)) + { + plog("!! Your strongswan.conf contains manual plugin load options for"); + plog("!! pluto and/or charon. This is recommended for experts only, see"); + plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); + } + } + /* verify that we can start */ if (getuid() != 0) { diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index d877661ec..9c69ab9e5 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -269,6 +269,11 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.ikeme.mediation = conn->me_mediation; msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid); + msg.add_conn.reqid = conn->reqid; + msg.add_conn.mark_in.value = conn->mark_in.value; + msg.add_conn.mark_in.mask = conn->mark_in.mask; + msg.add_conn.mark_out.value = conn->mark_out.value; + msg.add_conn.mark_out.mask = conn->mark_out.mask; starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 527142a4e..58034d96b 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -93,6 +93,7 @@ static int send_whack_msg (whack_message_t *msg) || !pack_str(&msg->sc_data, &str_next, &str_roof) || !pack_str(&msg->whack_lease_ip, &str_next, &str_roof) || !pack_str(&msg->whack_lease_id, &str_next, &str_roof) + || !pack_str(&msg->xauth_identity, &str_next, &str_roof) || (str_roof - str_next < msg->keyval.len)) { plog("send_wack_msg(): can't pack strings"); @@ -285,6 +286,12 @@ int starter_whack_add_conn(starter_conn_t *conn) msg.sa_rekey_fuzz = conn->sa_rekey_fuzz; msg.sa_keying_tries = conn->sa_keying_tries; msg.policy = conn->policy; + msg.xauth_identity = conn->xauth_identity; + msg.reqid = conn->reqid; + msg.mark_in.value = conn->mark_in.value; + msg.mark_in.mask = conn->mark_in.mask; + msg.mark_out.value = conn->mark_out.value; + msg.mark_out.mask = conn->mark_out.mask; /* * Make sure the IKEv2-only policy bits are unset for IKEv1 connections -- cgit v1.2.3