vici: Add support for interface ID configurable on IKE_SA
parent
fafa76984d
commit
0396969a36
|
@ -772,6 +772,8 @@ command.
|
|||
nat-remote = <yes, if remote endpoint is behind a NAT>
|
||||
nat-fake = <yes, if NAT situation has been faked as responder>
|
||||
nat-any = <yes, if any endpoint is behind a NAT (also if faked)>
|
||||
if-id-in = <hex encoded default inbound XFRM interface ID>
|
||||
if-id-out = <hex encoded default outbound XFRM interface ID>
|
||||
encr-alg = <IKE encryption algorithm string>
|
||||
encr-keysize = <key size for encr-alg, if applicable>
|
||||
integ-alg = <IKE integrity algorithm string>
|
||||
|
|
|
@ -327,6 +327,8 @@ typedef struct {
|
|||
uint64_t over_time;
|
||||
uint64_t rand_time;
|
||||
uint8_t dscp;
|
||||
uint32_t if_id_in;
|
||||
uint32_t if_id_out;
|
||||
#ifdef ME
|
||||
bool mediation;
|
||||
char *mediated_by;
|
||||
|
@ -421,6 +423,8 @@ static void log_peer_data(peer_data_t *data)
|
|||
DBG2(DBG_CFG, " over_time = %llu", data->over_time);
|
||||
DBG2(DBG_CFG, " rand_time = %llu", data->rand_time);
|
||||
DBG2(DBG_CFG, " proposals = %#P", data->proposals);
|
||||
DBG2(DBG_CFG, " if_id_in = %u", data->if_id_in);
|
||||
DBG2(DBG_CFG, " if_id_out = %u", data->if_id_out);
|
||||
#ifdef ME
|
||||
DBG2(DBG_CFG, " mediation = %u", data->mediation);
|
||||
if (data->mediated_by)
|
||||
|
@ -1785,6 +1789,8 @@ CALLBACK(peer_kv, bool,
|
|||
{ "rand_time", parse_time, &peer->rand_time },
|
||||
{ "ppk_id", parse_peer_id, &peer->ppk_id },
|
||||
{ "ppk_required", parse_bool, &peer->ppk_required },
|
||||
{ "if_id_in", parse_if_id, &peer->if_id_in },
|
||||
{ "if_id_out", parse_if_id, &peer->if_id_out },
|
||||
#ifdef ME
|
||||
{ "mediation", parse_bool, &peer->mediation },
|
||||
{ "mediated_by", parse_string, &peer->mediated_by },
|
||||
|
@ -2523,6 +2529,8 @@ CALLBACK(config_sn, bool,
|
|||
.dpd_timeout = peer.dpd_timeout,
|
||||
.ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
|
||||
.ppk_required = peer.ppk_required,
|
||||
.if_id_in = peer.if_id_in,
|
||||
.if_id_out = peer.if_id_out,
|
||||
};
|
||||
#ifdef ME
|
||||
cfg.mediation = peer.mediation;
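Review bot: The two added DBG2 lines in log_peer_data print the interface IDs in decimal (`%u`), while this commit's list_ike change reports the same values as zero-padded hex (`%.8x`) and the documentation hunk describes them as hex encoded. Anyone correlating a debug log with the vici query output has to convert by hand, which is easy to get wrong when verifying that an SA is bound to the intended XFRM interface. Consider `DBG2(DBG_CFG, " if_id_in = 0x%.8x", data->if_id_in);` and the same for `if_id_out`. parse_if_id is not defined in the visible hunks, so the input bases it accepts cannot be confirmed from here. log_peer_data's body continues outside the hunk.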
|
||||
|
|
|
@ -354,6 +354,7 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
|||
ike_sa_id_t *id;
|
||||
identification_t *eap;
|
||||
proposal_t *proposal;
|
||||
uint32_t if_id;
|
||||
uint16_t alg, ks;
|
||||
host_t *host;
|
||||
|
||||
|
@ -400,6 +401,17 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
|
|||
add_condition(b, ike_sa, "nat-fake", COND_NAT_FAKE);
|
||||
add_condition(b, ike_sa, "nat-any", COND_NAT_ANY);
|
||||
|
||||
if_id = ike_sa->get_if_id(ike_sa, TRUE);
|
||||
if (if_id)
|
||||
{
|
||||
b->add_kv(b, "if-id-in", "%.8x", if_id);
|
||||
}
|
||||
if_id = ike_sa->get_if_id(ike_sa, FALSE);
|
||||
if (if_id)
|
||||
{
|
||||
b->add_kv(b, "if-id-out", "%.8x", if_id);
|
||||
}
|
||||
|
||||
proposal = ike_sa->get_proposal(ike_sa);
|
||||
if (proposal)
|
||||
{
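Review bot: Both new `if (if_id)` blocks in list_ike omit the key when get_if_id() returns 0, but neither the code nor the documented `if-id-in`/`if-id-out` keys say that an absent key means no interface ID is set. Assuming 0 is the "not set" value, as the default of 0 in the options hunk suggests, a client that audits SAs should be able to rely on that. I would add a comment above the first block such as `/* an interface ID of 0 means none is set, the key is omitted then */` and mention the omission in the key description. The value is written without a `0x` prefix, so the comment could also repeat that it is hex. list_ike's body starts and ends outside the hunk.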
|
||||
|
|
|
@ -280,6 +280,18 @@ connections.<conn>.pools =
|
|||
other configuration attributes from. Each name references a pool by name
|
||||
from either the **pools** section or an external pool.
|
||||
|
||||
connections.<conn>.if_id_in = 0
|
||||
Default inbound XFRM interface ID for children.
|
||||
|
||||
XFRM interface ID set on inbound policies/SA, can be overridden by child
|
||||
config, see there for details.
|
||||
|
||||
connections.<conn>.if_id_out = 0
|
||||
Default outbound XFRM interface ID for children.
|
||||
|
||||
XFRM interface ID set on outbound policies/SA, can be overridden by child
|
||||
cofnig, see there for details.
|
||||
|
||||
connections.<conn>.mediation = no
|
||||
Whether this connection is a mediation connection.
|
||||
|
||||
|
|