Merge branch 'subnet-identities'

Implemented IKEv1 IPv4/IPv6 address subnet and range identities to
be used as owners for shared secrets.

swanctl supports configuration of traffic selectors with IPv4/IPv6
address ranges.

src/libcharon/plugins/updown/updown_listener.c

@@ -311,11 +311,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 			 ike_sa->get_unique_id(ike_sa));
 	push_env(envp, countof(envp), "PLUTO_ME=%H", me);
 	push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
-	if (my_ts->to_subnet(my_ts, &host, &mask))
+	if (!my_ts->to_subnet(my_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+		DBG1(DBG_CHD, "updown approximates local TS %R "
-		host->destroy(host);
+					  "by next larger subnet", my_ts);
 	}
+	push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
 	push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
 			 get_port(my_ts, other_ts, port_buf, TRUE));
 	push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
@@ -323,11 +325,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
 	push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
 	push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
 			 ike_sa->get_other_id(ike_sa));
-	if (other_ts->to_subnet(other_ts, &host, &mask))
+	if (!other_ts->to_subnet(other_ts, &host, &mask))
 	{
-		push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+		DBG1(DBG_CHD, "updown approximates remote TS %R "
-		host->destroy(host);
+					  "by next larger subnet", other_ts);
 	}
+	push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
+	host->destroy(host);
 	push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
 			 get_port(my_ts, other_ts, port_buf, FALSE));
 	push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",

src/libcharon/plugins/vici/vici_config.c

@@ -3,7 +3,7 @@
  * Copyright (C) 2014 revosec AG
  *
  * Copyright (C) 2015-2016 Tobias Brunner
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -646,6 +646,22 @@ CALLBACK(parse_ts, bool,
 	{
 		ts = traffic_selector_create_dynamic(proto, from, to);
 	}
+	else if (strchr(buf, '-'))
+	{
+		host_t *lower, *upper;
+		ts_type_t type;
+
+		if (host_create_from_range(buf, &lower, &upper))
+		{
+			type = (lower->get_family(lower) == AF_INET) ?
+						 		TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+			ts = traffic_selector_create_from_bytes(proto, type,
+								lower->get_address(lower), from,
+								upper->get_address(upper), to);
+			lower->destroy(lower);
+			upper->destroy(upper);
+		}
+	}
 	else
 	{
 		ts = traffic_selector_create_from_cidr(buf, proto, from, to);

src/libstrongswan/tests/suites/test_identification.c

@@ -1,7 +1,8 @@
 /*
  * Copyright (C) 2013-2015 Tobias Brunner
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -122,67 +123,122 @@ static struct {
 		} data;
 	} result;
 } string_data[] = {
-	{NULL,						ID_ANY,			{ .type = ENC_CHUNK }},
+	{NULL,						ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"",						ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"%any",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"%any",					ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"%any6",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"%any6",					ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"0.0.0.0",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"0.0.0.0",					ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"0::0",					ID_ANY,			{ .type = ENC_CHUNK }},
+	{"0::0",					ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"::",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"::",						ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"*",						ID_ANY,			{ .type = ENC_CHUNK }},
+	{"*",						ID_ANY,					{ .type = ENC_CHUNK  }},
-	{"any",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"any",						ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{"any6",					ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"any6",					ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{"0",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"0",						ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{"**",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"**",						ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{"192.168.1.1",				ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{"192.168.1.1",				ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{"192.168.",				ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{"192.168.",				ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{".",						ID_FQDN,		{ .type = ENC_SIMPLE }},
+	{".",						ID_FQDN,				{ .type = ENC_SIMPLE }},
-	{"fec0::1",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+	{"192.168.1.1/33",			ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"192.168.1.1/32",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.1/31",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe)  }},
+	{"192.168.1.8/30",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc)  }},
+	{"192.168.1.128/25",		ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80)  }},
+	{"192.168.1.0/24",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00)  }},
+	{"192.168.1.0/23",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00)  }},
+	{"192.168.4.0/22",			ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00)  }},
+	{"0.0.0.0/0",				ID_IPV4_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
+	{"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28)  }},
+	{"0.0.0.0-255.255.255.255",	ID_IPV4_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff)  }},
+	{"192.168.1.40-192.168.1.0",ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"fec0::1",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01)  }},
-	{"fec0::",					ID_IPV6_ADDR,	{ .type = ENC_CHUNK,
+	{"fec0::",					ID_IPV6_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)  }},
-	{"fec0:",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"fec0:",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{":",						ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{":",						ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"alice@strongswan.org",	ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"fec0::1/129",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"alice@strongswan",		ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+	{"fec0::1/128",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
-	{"alice@",					ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
-	{"alice",					ID_FQDN,		{ .type = ENC_SIMPLE }},
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
-	{"@",						ID_FQDN,		{ .type = ENC_CHUNK }},
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-	{" @",						ID_RFC822_ADDR,	{ .type = ENC_SIMPLE }},
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }},
-	{"@strongswan.org",			ID_FQDN,		{ .type = ENC_STRING,
+	{"fec0::1/127",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }},
+	{"fec0::4/126",				ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }},
+	{"fec0::100/120",			ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+								   0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }},
+	{"::/0",					ID_IPV6_ADDR_SUBNET,	{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }},
+	{"fec0::1-fec0::4fff",		ID_IPV6_ADDR_RANGE,		{ .type = ENC_CHUNK,
+		.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
+								   0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+								   0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }},
+	{"fec0::4fff-fec0::1",		ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"fec0::1-",				ID_KEY_ID,				{ .type = ENC_SIMPLE }},
+	{"alice@strongswan.org",	ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@strongswan",		ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice@",					ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"alice",					ID_FQDN,				{ .type = ENC_SIMPLE }},
+	{"@",						ID_FQDN,				{ .type = ENC_CHUNK }},
+	{" @",						ID_RFC822_ADDR,			{ .type = ENC_SIMPLE }},
+	{"@strongswan.org",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "strongswan.org" }},
-	{"@#deadbeef",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbeef",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
-	{"@#deadbee",				ID_KEY_ID,		{ .type = ENC_CHUNK,
+	{"@#deadbee",				ID_KEY_ID,				{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
-	{"foo=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"foo=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"foo=",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"foo=",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"=bar",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"=bar",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"C=",						ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=",						ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x00) }},
-	{"C=CH",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH,",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH,",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, ",					ID_DER_ASN1_DN,	{ .type = ENC_CHUNK,
+	{"C=CH, ",					ID_DER_ASN1_DN,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
 								   0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
-	{"C=CH, O",					ID_KEY_ID,		{ .type = ENC_SIMPLE }},
+	{"C=CH, O",					ID_KEY_ID,				{ .type = ENC_SIMPLE }},
-	{"IPv4:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{"IPv4:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "email:tester",			ID_RFC822_ADDR,	{ .type = ENC_STRING,
+	{ "email:tester",			ID_RFC822_ADDR,			{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{1}:#c0a80101",			ID_IPV4_ADDR,	{ .type = ENC_CHUNK,
+	{ "{1}:#c0a80101",			ID_IPV4_ADDR,			{ .type = ENC_CHUNK,
 		.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
-	{ "{0x02}:tester",			ID_FQDN,		{ .type = ENC_STRING,
+	{ "{0x02}:tester",			ID_FQDN,				{ .type = ENC_STRING,
 		.data.s = "tester" }},
-	{ "{99}:somedata",			99,				{ .type = ENC_STRING,
+	{ "{99}:somedata",			99,						{ .type = ENC_STRING,
 		.data.s = "somedata" }},
 };
 
@@ -264,14 +320,33 @@ START_TEST(test_printf_hook)
 
 	string_equals("192.168.1.1", "192.168.1.1");
 	string_equals_id("(invalid ID_IPV4_ADDR)",
-				identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+			identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
+	string_equals("192.168.1.1/32", "192.168.1.1/32");
+	string_equals("192.168.1.2/31", "192.168.1.2/31");
+	string_equals("192.168.1.0/24", "192.168.1.0/24");
+	string_equals("192.168.2.0/23", "192.168.2.0/23");
+	string_equals("0.0.0.0/0", "0.0.0.0/0");
+	string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty));
+	string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254");
+	string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255");
+	string_equals_id("(invalid ID_IPV4_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty));
 	string_equals("fec0::1", "fec0::1");
 	string_equals("fec0::1", "fec0:0:0::1");
 	string_equals_id("(invalid ID_IPV6_ADDR)",
-				identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
+			identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
-
+	string_equals("fec0::1/128", "fec0::1/128");
+	string_equals("fec0::2/127", "fec0::2/127");
+	string_equals("fec0::100/120", "fec0::100/120");
+	string_equals("::/0", "::/0");
+	string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)",
+			identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty));
+	string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff");
+	string_equals_id("(invalid ID_IPV6_ADDR_RANGE)",
+			identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty));
 	string_equals_id("(unknown ID type: 255)",
-				identification_create_from_encoding(255, chunk_empty));
+			identification_create_from_encoding(255, chunk_empty));
 
 	string_equals("moon@strongswan.org", "moon@strongswan.org");
 	string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
@@ -595,6 +670,89 @@ START_TEST(test_matches_binary)
 }
 END_TEST
 
+START_TEST(test_matches_range)
+{
+	identification_t *a, *b;
+
+	/* IPv4 addresses */
+	a = identification_create_from_string("192.168.1.1");
+	ck_assert(a->get_type(a) == ID_IPV4_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv4 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE,
+			chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* IPv6 addresses */
+	a = identification_create_from_string("fec0::1");
+	ck_assert(a->get_type(a) == ID_IPV6_ADDR);
+	ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
+	ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS));
+	ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT));
+	ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD));
+	ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
+
+	/* Malformed IPv6 subnet and range encoding */
+	b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty);
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+	b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE,
+			chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff,
+							 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+							 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 ));
+	ck_assert(a->matches(a, b) == ID_MATCH_NONE);
+	b->destroy(b);
+
+	a->destroy(a);
+
+	/* Malformed IPv4 address encoding */
+	a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE));
+	a->destroy(a);
+
+	/* Malformed IPv6 address encoding */
+	a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty);
+	ck_assert(id_matches(a, "::/0", ID_MATCH_NONE));
+	ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE));
+	a->destroy(a);
+}
+END_TEST
+
 START_TEST(test_matches_string)
 {
 	identification_t *a;
@@ -929,6 +1087,7 @@ Suite *identification_suite_create()
 	tcase_add_test(tc, test_matches);
 	tcase_add_test(tc, test_matches_any);
 	tcase_add_test(tc, test_matches_binary);
+	tcase_add_test(tc, test_matches_range);
 	tcase_add_test(tc, test_matches_string);
 	tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
 	tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);

src/libstrongswan/utils/identification.c

@@ -1,8 +1,9 @@
 /*
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2009-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -823,6 +824,154 @@ METHOD(identification_t, matches_dn, id_match_t,
 	return ID_MATCH_NONE;
 }
 
+/**
+ * Transform netmask to CIDR bits
+ */
+static int netmask_to_cidr(char *netmask, size_t address_size)
+{
+	uint8_t byte;
+	int i, netbits = 0;
+
+	for (i = 0; i < address_size; i++)
+	{
+		byte = netmask[i];
+
+		if (byte == 0x00)
+		{
+			break;
+		}
+		if (byte == 0xff)
+		{
+			netbits += 8;
+		}
+		else
+		{
+			while (byte & 0x80)
+			{
+				netbits++;
+				byte <<= 1;
+			}
+		}
+	}
+	return netbits;
+}
+
+METHOD(identification_t, matches_range, id_match_t,
+	private_identification_t *this, identification_t *other)
+{
+	chunk_t other_encoding;
+	uint8_t *address, *from, *to, *network, *netmask;
+	size_t address_size = 0;
+	int netbits, range_sign, i;
+
+	if (other->get_type(other) == ID_ANY)
+	{
+		return ID_MATCH_ANY;
+	}
+	if (this->type == other->get_type(other) &&
+		chunk_equals(this->encoded, other->get_encoding(other)))
+	{
+		return ID_MATCH_PERFECT;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_SUBNET))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		network = other_encoding.ptr;
+		netmask = other_encoding.ptr + address_size;
+		netbits = netmask_to_cidr(netmask, address_size);
+
+		if (netbits == 0)
+		{
+			return ID_MATCH_MAX_WILDCARDS;
+		}
+		if (netbits == 8 * address_size)
+		{
+			return memeq(address, network, address_size) ?
+				   ID_MATCH_PERFECT : ID_MATCH_NONE;
+		}
+		for (i = 0; i < (netbits + 7)/8; i++)
+		{
+			if ((address[i] ^ network[i]) & netmask[i])
+			{
+				return ID_MATCH_NONE;
+			}
+		}
+		return ID_MATCH_ONE_WILDCARD;
+	}
+	if ((this->type == ID_IPV4_ADDR &&
+		 other->get_type(other) == ID_IPV4_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in_addr);
+	}
+	else if ((this->type == ID_IPV6_ADDR &&
+		 other->get_type(other) == ID_IPV6_ADDR_RANGE))
+	{
+		address_size = sizeof(struct in6_addr);
+	}
+	if (address_size)
+	{
+		other_encoding = other->get_encoding(other);
+		if (this->encoded.len != address_size ||
+			other_encoding.len != 2 * address_size)
+		{
+			return ID_MATCH_NONE;
+		}
+		address = this->encoded.ptr;
+		from = other_encoding.ptr;
+		to = other_encoding.ptr + address_size;
+
+		range_sign = memcmp(to, from, address_size);
+		if (range_sign < 0)
+		{	/* to is smaller than from */
+			return ID_MATCH_NONE;
+		}
+
+		/* check lower bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != from[i])
+			{
+				if (address[i] < from[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+
+		/* check upper bound */
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to[i])
+			{
+				if (address[i] > to[i])
+				{
+					return ID_MATCH_NONE;
+				}
+				break;
+			}
+		}
+		return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT;
+	}
+	return ID_MATCH_NONE;
+}
+
 /**
  * Described in header.
  */
@@ -831,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data,
 {
 	private_identification_t *this = *((private_identification_t**)(args[0]));
 	chunk_t proper;
-	char buf[512];
+	char buf[BUF_LEN];
+	char *pos;
+	size_t written, len, address_size;
 
 	if (this == NULL)
 	{
@@ -841,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data,
 	switch (this->type)
 	{
 		case ID_ANY:
-			snprintf(buf, sizeof(buf), "%%any");
+			snprintf(buf, BUF_LEN, "%%any");
 			break;
 		case ID_IPV4_ADDR:
 			if (this->encoded.len < sizeof(struct in_addr) ||
-				inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)");
+			}
+			break;
+		case ID_IPV4_ADDR_SUBNET:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)");
+				break;
+			}
+			written = strlen(buf);
+			snprintf(buf + written, BUF_LEN - written, "/%d",
+					 netmask_to_cidr(this->encoded.ptr + address_size,
+														 address_size));
+			break;
+		case ID_IPV4_ADDR_RANGE:
+			address_size = sizeof(struct in_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
 			}
 			break;
 		case ID_IPV6_ADDR:
 			if (this->encoded.len < sizeof(struct in6_addr) ||
-				inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
 			{
-				snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)");
+			}
+			break;
+		case ID_IPV6_ADDR_SUBNET:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)");
+			}
+			else
+			{
+				written = strlen(buf);
+				snprintf(buf + written, BUF_LEN - written, "/%d",
+						 netmask_to_cidr(this->encoded.ptr + address_size,
+															 address_size));
+			}
+			break;
+		case ID_IPV6_ADDR_RANGE:
+			address_size = sizeof(struct in6_addr);
+			if (this->encoded.len < 2 * address_size ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
+				break;
+			}
+			written = strlen(buf);
+			pos = buf + written;
+			len = BUF_LEN - written;
+			written = snprintf(pos, len, "-");
+			if (written < 0 || written >= len ||
+			    inet_ntop(AF_INET6, this->encoded.ptr + address_size,
+						  pos + written, len - written) == NULL)
+			{
+				snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
 			}
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
 			chunk_printable(this->encoded, &proper, '?');
-			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
+			snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
 			break;
 		case ID_DER_ASN1_DN:
-			dntoa(this->encoded, buf, sizeof(buf));
+			dntoa(this->encoded, buf, BUF_LEN);
 			break;
 		case ID_DER_ASN1_GN:
-			snprintf(buf, sizeof(buf), "(ASN.1 general name)");
+			snprintf(buf, BUF_LEN, "(ASN.1 general name)");
 			break;
 		case ID_KEY_ID:
 			if (chunk_printable(this->encoded, NULL, '?') &&
 				this->encoded.len != HASH_SIZE_SHA1)
 			{	/* fully printable, use ascii version */
-				snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
+				snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len,
 						 this->encoded.ptr);
 			}
 			else
 			{	/* not printable, hex dump */
-				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
+				snprintf(buf, BUF_LEN, "%#B", &this->encoded);
 			}
 			break;
 		default:
-			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
+			snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type);
 			break;
 	}
 	if (spec->minus)
@@ -952,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type)
 			this->public.matches = _matches_dn;
 			this->public.contains_wildcards = _contains_wildcards_dn;
 			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+			this->public.hash = _hash_binary;
+			this->public.equals = _equals_binary;
+			this->public.matches = _matches_range;
+			this->public.contains_wildcards = return_false;
+			break;
 		default:
 			this->public.hash = _hash_binary;
 			this->public.equals = _equals_binary;
@@ -973,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str)
 	} prefixes[] = {
 		{ "ipv4:",			ID_IPV4_ADDR			},
 		{ "ipv6:",			ID_IPV6_ADDR			},
+		{ "ipv4net:",		ID_IPV4_ADDR_SUBNET		},
+		{ "ipv6net:",		ID_IPV6_ADDR_SUBNET		},
+		{ "ipv4range:",		ID_IPV4_ADDR_RANGE		},
+		{ "ipv6range:",		ID_IPV6_ADDR_RANGE		},
 		{ "rfc822:",		ID_RFC822_ADDR			},
 		{ "email:",			ID_RFC822_ADDR			},
 		{ "userfqdn:",		ID_USER_FQDN			},
@@ -1038,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str)
 	return this;
 }
 
+/**
+ * Convert to an IPv4/IPv6 host address, subnet or address range
+ */
+static private_identification_t* create_ip_address_from_string(char *string,
+															   bool is_ipv4)
+{
+	private_identification_t *this;
+	uint8_t encoding[32];
+	uint8_t *str, *pos, *address, *to_address, *netmask;
+	size_t address_size;
+	int bits, bytes, i;
+	bool has_subnet = FALSE, has_range = FALSE;
+
+	address = encoding;
+	address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr);
+
+	str = strdup(string);
+	pos = strchr(str, '/');
+	if (pos)
+	{	/* separate IP address from optional netmask */
+
+		*pos = '\0';
+		has_subnet = TRUE;
+	}
+	else
+	{
+		pos = strchr(str, '-');
+		if (pos)
+		{	/* separate lower address from upper address of IP range */
+			*pos = '\0';
+			has_range = TRUE;
+		}
+	}
+
+	if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1)
+	{
+		free(str);
+		return NULL;
+	}
+
+	if (has_subnet)
+	{	/* is IP subnet */
+		bits = atoi(pos + 1);
+		if (bits > 8 * address_size)
+		{
+			free(str);
+			return NULL;
+		}
+		bytes = bits / 8;
+		bits -= 8 * bytes;
+		netmask = encoding + address_size;
+
+		for (i = 0; i < address_size; i++)
+		{
+			if (bytes)
+			{
+				*netmask = 0xff;
+				bytes--;
+			}
+			else if (bits)
+			{
+				*netmask = 0xff << (8 - bits);
+				bits = 0;
+			}
+			else
+			{
+				*netmask = 0x00;
+			}
+			*address++ &= *netmask++;
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET :
+											   ID_IPV6_ADDR_SUBNET);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else if (has_range)
+	{	/* is IP range */
+		to_address = encoding + address_size;
+
+		if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1)
+		{
+			free(str);
+			return NULL;
+		}
+		for (i = 0; i < address_size; i++)
+		{
+			if (address[i] != to_address[i])
+			{
+				if (address[i] > to_address[i])
+				{
+					free(str);
+					return NULL;
+				}
+				break;
+			}
+		}
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE :
+											   ID_IPV6_ADDR_RANGE);
+		this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
+	}
+	else
+	{	/* is IP host address */
+		this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR);
+		this->encoded = chunk_clone(chunk_create(encoding, address_size));
+	}
+	free(str);
+
+	return this;
+}
+
 /*
  * Described in header.
  */
@@ -1095,15 +1432,9 @@ identification_t *identification_create_from_string(char *string)
 		{
 			if (strchr(string, ':') == NULL)
 			{
-				struct in_addr address;
+				/* IPv4 address or subnet */
-				chunk_t chunk = {(void*)&address, sizeof(address)};
+				this = create_ip_address_from_string(string, TRUE);
-
+				if (!this)
-				if (inet_pton(AF_INET, string, &address) > 0)
-				{	/* is IPv4 */
-					this = identification_create(ID_IPV4_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
 				{	/* not IPv4, mostly FQDN */
 					this = identification_create(ID_FQDN);
 					this->encoded = chunk_from_str(strdup(string));
@@ -1112,15 +1443,9 @@ identification_t *identification_create_from_string(char *string)
 			}
 			else
 			{
-				struct in6_addr address;
+				/* IPv6 address or subnet */
-				chunk_t chunk = {(void*)&address, sizeof(address)};
+				this = create_ip_address_from_string(string, FALSE);
-
+				if (!this)
-				if (inet_pton(AF_INET6, string, &address) > 0)
-				{	/* is IPv6 */
-					this = identification_create(ID_IPV6_ADDR);
-					this->encoded = chunk_clone(chunk);
-				}
-				else
 				{	/* not IPv4/6 fallback to KEY_ID */
 					this = identification_create(ID_KEY_ID);
 					this->encoded = chunk_from_str(strdup(string));

testing/tests/swanctl/rw-psk-ikev1/description.txt

@@ -1,10 +1,15 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on two <b>pre-shared keys</b>
+to gateway <b>moon</b>. The IKEv1 main mode authentication is based on
-bound to the two distinct gateway identities <b>moon1.strongswan.org</b> and
+<b>pre-shared keys</b> and <b>IPv4 address</b> identities.
-<b>moon2.strongswan.org</b>. On the gateway these two identities are bound to
+On the gateway two connections with differing parameters are defined:
-two disjoint sets of client IP address ranges which allows IKEv1 Main Mode
+One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from
-to select the correct connection definition and via the gateway identity the
+the range <b>192.168.0.150-192.168.0.200</b>.
-correct PSK.
+<p/>
+On the gateway for different shared keys are defined for the following
+hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>,
+<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and
+<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b>
+the fourth PSK.
 <p/>
 Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
 client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different

testing/tests/swanctl/rw-psk-ikev1/evaltest.dat

@@ -1,11 +1,13 @@
+dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
+moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
 venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
 alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
 venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf

@@ -6,11 +6,9 @@ connections {
 
       local {
          auth = psk
-         id = carol@strongswan.org
       }
       remote {
          auth = psk
-         id = moon1.strongswan.org 
       }
       children {
          home {
@@ -27,10 +25,9 @@ connections {
 
 secrets {
 
-   ike-moon1 {
+   ike-moon {
-      id = moon1.strongswan.org
+      id = 192.168.0.1
       # hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
       secret = 0x16964066a10de938bdb2ab7864fe4459cab1
    }
 }
-

testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf

@@ -6,15 +6,13 @@ connections {
 
       local {
          auth = psk 
-         id = dave@strongswan.org
       }
       remote {
          auth = psk 
-         id = moon2.strongswan.org 
       }
       children {
          home {
-            remote_ts = 10.1.0.16/28 
+            remote_ts = 10.1.0.17-10.1.0.20
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             esp_proposals = aes192gcm128-modp3072
@@ -27,8 +25,8 @@ connections {
 
 secrets {
 
-   ike-moon2 {
+   ike-moon {
-      id = moon2.strongswan.org
+      id = 192.168.0.1
       secret = 0sjVzONCF02ncsgiSlmIXeqhGN
    }
 }

testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf

@@ -6,7 +6,6 @@ connections {
 
       local {
          auth = psk 
-         id = moon1.strongswan.org
       }
       remote {
          auth = psk 
@@ -25,18 +24,17 @@ connections {
 
    rw-2 {
       local_addrs  = 192.168.0.1
-      remote_addrs = 192.168.0.192/28
+      remote_addrs = 192.168.0.150-192.168.0.200
 
       local {
          auth = psk
-         id = moon2.strongswan.org
       }
       remote {
          auth = psk
       }
       children {
          net-2 {
-            local_ts  = 10.1.0.16/28
+            local_ts  = 10.1.0.17-10.1.0.20
 
             updown = /usr/local/libexec/ipsec/_updown iptables
             esp_proposals = aes192gcm128-modp3072
@@ -50,12 +48,20 @@ connections {
 
 secrets {
 
-   ike-moon1 {
+   ike-any {
-      id = moon1.strongswan.org
+      id = 0.0.0.0/0 0::0/0
+      secret = 0soBAJZLI7Bwwi61Rl113FqD/3
+   }
+   ike-rw-1 {
+      id = 192.168.0.96/28
       secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
    }
-   ike-moon2 {
+   ike-rw-2 {
-      id = moon2.strongswan.org
+      id = 192.168.0.150-192.168.0.200
+      secret = 0s8qPdxyhDeGfk1l211cS8urXc
+   }
+   ike-dave {
+      id = 192.168.0.200
       secret = 0sjVzONCF02ncsgiSlmIXeqhGN
    }
 }