vici: Add support for interface ID configurable on IKE_SA

src/libcharon/plugins/vici/README.md

@@ -772,6 +772,8 @@ command.
 			nat-remote = <yes, if remote endpoint is behind a NAT>
 			nat-fake = <yes, if NAT situation has been faked as responder>
 			nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
+			if-id-in = <hex encoded default inbound XFRM interface ID>
+			if-id-out = <hex encoded default outbound XFRM interface ID>
 			encr-alg = <IKE encryption algorithm string>
 			encr-keysize = <key size for encr-alg, if applicable>
 			integ-alg = <IKE integrity algorithm string>

src/libcharon/plugins/vici/vici_config.c

@@ -327,6 +327,8 @@ typedef struct {
 	uint64_t over_time;
 	uint64_t rand_time;
 	uint8_t dscp;
+	uint32_t if_id_in;
+	uint32_t if_id_out;
 #ifdef ME
 	bool mediation;
 	char *mediated_by;
@@ -421,6 +423,8 @@ static void log_peer_data(peer_data_t *data)
 	DBG2(DBG_CFG, "  over_time = %llu", data->over_time);
 	DBG2(DBG_CFG, "  rand_time = %llu", data->rand_time);
 	DBG2(DBG_CFG, "  proposals = %#P", data->proposals);
+	DBG2(DBG_CFG, "  if_id_in = %u", data->if_id_in);
+	DBG2(DBG_CFG, "  if_id_out = %u", data->if_id_out);
 #ifdef ME
 	DBG2(DBG_CFG, "  mediation = %u", data->mediation);
 	if (data->mediated_by)
@@ -1785,6 +1789,8 @@ CALLBACK(peer_kv, bool,
 		{ "rand_time",		parse_time,			&peer->rand_time			},
 		{ "ppk_id",			parse_peer_id,		&peer->ppk_id				},
 		{ "ppk_required",	parse_bool,			&peer->ppk_required			},
+		{ "if_id_in",		parse_if_id,		&peer->if_id_in				},
+		{ "if_id_out",		parse_if_id,		&peer->if_id_out			},
 #ifdef ME
 		{ "mediation",		parse_bool,			&peer->mediation			},
 		{ "mediated_by",	parse_string,		&peer->mediated_by			},
@@ -2523,6 +2529,8 @@ CALLBACK(config_sn, bool,
 		.dpd_timeout = peer.dpd_timeout,
 		.ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
 		.ppk_required = peer.ppk_required,
+		.if_id_in = peer.if_id_in,
+		.if_id_out = peer.if_id_out,
 	};
 #ifdef ME
 	cfg.mediation = peer.mediation;

src/libcharon/plugins/vici/vici_query.c

@@ -354,6 +354,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	ike_sa_id_t *id;
 	identification_t *eap;
 	proposal_t *proposal;
+	uint32_t if_id;
 	uint16_t alg, ks;
 	host_t *host;
 
@@ -400,6 +401,17 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
 	add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
 
+	if_id = ike_sa->get_if_id(ike_sa, TRUE);
+	if (if_id)
+	{
+		b->add_kv(b, "if-id-in", "%.8x", if_id);
+	}
+	if_id = ike_sa->get_if_id(ike_sa, FALSE);
+	if (if_id)
+	{
+		b->add_kv(b, "if-id-out", "%.8x", if_id);
+	}
+
 	proposal = ike_sa->get_proposal(ike_sa);
 	if (proposal)
 	{

src/swanctl/swanctl.opt

@@ -280,6 +280,18 @@ connections.<conn>.pools =
 	other configuration attributes from. Each name references a pool by name
 	from either the **pools** section or an external pool.
 
+connections.<conn>.if_id_in = 0
+	Default inbound XFRM interface ID for children.
+
+	XFRM interface ID set on inbound policies/SA, can be overridden by child
+	config, see there for details.
+
+connections.<conn>.if_id_out = 0
+	Default outbound XFRM interface ID for children.
+
+	XFRM interface ID set on outbound policies/SA, can be overridden by child
+	cofnig, see there for details.
+
 connections.<conn>.mediation = no
 	Whether this connection is a mediation connection.