diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 2b0b7c2d5..61427d2b1 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -772,6 +772,8 @@ command.
 nat-remote =
 nat-fake =
 nat-any =
+ if-id-in =
+ if-id-out =
 encr-alg =
 encr-keysize =
 integ-alg =
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 5750d8741..f86d5c9cd 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -327,6 +327,8 @@ typedef struct {
 uint64_t over_time;
 uint64_t rand_time;
 uint8_t dscp;
+ uint32_t if_id_in;
+ uint32_t if_id_out;
 #ifdef ME
 bool mediation;
 char *mediated_by;
@@ -421,6 +423,8 @@ static void log_peer_data(peer_data_t *data)
 DBG2(DBG_CFG, " over_time = %llu", data->over_time);
 DBG2(DBG_CFG, " rand_time = %llu", data->rand_time);
 DBG2(DBG_CFG, " proposals = %#P", data->proposals);
+ DBG2(DBG_CFG, " if_id_in = %u", data->if_id_in);
+ DBG2(DBG_CFG, " if_id_out = %u", data->if_id_out);
 #ifdef ME
 DBG2(DBG_CFG, " mediation = %u", data->mediation);
 if (data->mediated_by)
@@ -1785,6 +1789,8 @@ CALLBACK(peer_kv, bool,
 { "rand_time", parse_time, &peer->rand_time },
 { "ppk_id", parse_peer_id, &peer->ppk_id },
 { "ppk_required", parse_bool, &peer->ppk_required },
+ { "if_id_in", parse_if_id, &peer->if_id_in },
+ { "if_id_out", parse_if_id, &peer->if_id_out },
 #ifdef ME
 { "mediation", parse_bool, &peer->mediation },
 { "mediated_by", parse_string, &peer->mediated_by },
@@ -2523,6 +2529,8 @@ CALLBACK(config_sn, bool,
 .dpd_timeout = peer.dpd_timeout,
 .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
 .ppk_required = peer.ppk_required,
+ .if_id_in = peer.if_id_in,
+ .if_id_out = peer.if_id_out,
 };
 #ifdef ME
 cfg.mediation = peer.mediation;
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index e00c1d87d..16e3c8b1f 100644
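Review bot: The two new DBG2 lines in log_peer_data print the interface IDs in decimal via `%u`, while the vici_query side of this same change renders them as 8-digit hex via `%.8x`, so an operator correlating a config dump with `swanctl --list-sas` output has to convert by hand. Consider `DBG2(DBG_CFG, "  if_id_in = %.8x", data->if_id_in);` and the same for if_id_out. If parse_if_id maps a symbolic value to a sentinel (its definition is not in this diff), the raw sentinel will be logged either way, which is worth a short comment. log_peer_data starts and ends outside the hunk.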
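Review bot: The two new peer_kv table entries reference `parse_if_id`, which is neither defined nor declared anywhere in this diff, so the hunk compiles only if that helper already exists in vici_config.c (presumably from the child-level if_id_in/if_id_out support that swanctl.opt says these keys default). Please confirm its range checking and error reporting are appropriate for a peer-level default as well, and add a one-line comment on the entries such as `/* peer-level defaults for the child-level if_id_in/if_id_out keys */`. The CALLBACK(peer_kv, ...) body continues outside the hunk.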
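Review bot: `.if_id_in = peer.if_id_in` and `.if_id_out = peer.if_id_out` copy the peer-level defaults into peer_cfg_create_t, but nothing in this diff shows a child config inheriting them when it omits its own if_id keys; that inheritance has to happen in child parsing or in peer_cfg, and if it does not, the "can be overridden by child config" semantics in swanctl.opt are a no-op and the IDs configured here never reach the XFRM policies and SAs. I would add a comment at these lines, `/* defaults for children that set no if_id_in/if_id_out of their own */`, and a test that loads a connection with only the peer-level keys and checks the installed policy carries the ID. The CALLBACK(config_sn, ...) body continues outside the hunk.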
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -354,6 +354,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 ike_sa_id_t *id;
 identification_t *eap;
 proposal_t *proposal;
+ uint32_t if_id;
 uint16_t alg, ks;
 host_t *host;
@@ -400,6 +401,17 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
 add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
+ if_id = ike_sa->get_if_id(ike_sa, TRUE);
+ if (if_id)
+ {
+ b->add_kv(b, "if-id-in", "%.8x", if_id);
+ }
+ if_id = ike_sa->get_if_id(ike_sa, FALSE);
+ if (if_id)
+ {
+ b->add_kv(b, "if-id-out", "%.8x", if_id);
+ }
+
 proposal = ike_sa->get_proposal(ike_sa);
 if (proposal)
 {
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index c02c5743a..460e17b09 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -280,6 +280,18 @@ connections..pools =
 other configuration attributes from. Each name references a pool by name from either the **pools** section or an external pool.
+connections..if_id_in = 0
+ Default inbound XFRM interface ID for children.
+
+ XFRM interface ID set on inbound policies/SA, can be overridden by child
+ config, see there for details.
+connections..if_id_out = 0
+ Default outbound XFRM interface ID for children.
+
+ XFRM interface ID set on outbound policies/SA, can be overridden by child
+ cofnig, see there for details.
+
 connections..mediation = no
 Whether this connection is a mediation connection.
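Review bot: The new block in list_ike emits `if-id-in`/`if-id-out` only when the value is non-zero and formats it as 8-digit hex with `%.8x`, but neither the code nor the README entry in this change states the format or the omission rule, so a vici client that reads the decimal `if_id_in = 0` default from swanctl.opt can easily misparse the key. Add a comment above the first get_if_id call, `/* XFRM interface IDs, 8-digit hex; omitted when 0 (no interface) */`, and say the same in the README. That TRUE selects the inbound ID is inferred here from the key names only; confirm it against the ike_sa_t.get_if_id contract. list_ike starts and ends outside the hunk.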