Merge branch 'subnet-identities'
Implemented IKEv1 IPv4/IPv6 address subnet and range identities to be used as owners for shared secrets. swanctl supports configuration of traffic selectors with IPv4/IPv6 address ranges.
This commit is contained in:
commit
6b8acc49ed
|
@ -311,11 +311,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
|
||||||
ike_sa->get_unique_id(ike_sa));
|
ike_sa->get_unique_id(ike_sa));
|
||||||
push_env(envp, countof(envp), "PLUTO_ME=%H", me);
|
push_env(envp, countof(envp), "PLUTO_ME=%H", me);
|
||||||
push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
|
push_env(envp, countof(envp), "PLUTO_MY_ID=%Y", ike_sa->get_my_id(ike_sa));
|
||||||
if (my_ts->to_subnet(my_ts, &host, &mask))
|
if (!my_ts->to_subnet(my_ts, &host, &mask))
|
||||||
{
|
{
|
||||||
push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
|
DBG1(DBG_CHD, "updown approximates local TS %R "
|
||||||
host->destroy(host);
|
"by next larger subnet", my_ts);
|
||||||
}
|
}
|
||||||
|
push_env(envp, countof(envp), "PLUTO_MY_CLIENT=%+H/%u", host, mask);
|
||||||
|
host->destroy(host);
|
||||||
push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
|
push_env(envp, countof(envp), "PLUTO_MY_PORT=%s",
|
||||||
get_port(my_ts, other_ts, port_buf, TRUE));
|
get_port(my_ts, other_ts, port_buf, TRUE));
|
||||||
push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
|
push_env(envp, countof(envp), "PLUTO_MY_PROTOCOL=%u",
|
||||||
|
@ -323,11 +325,13 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
|
||||||
push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
|
push_env(envp, countof(envp), "PLUTO_PEER=%H", other);
|
||||||
push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
|
push_env(envp, countof(envp), "PLUTO_PEER_ID=%Y",
|
||||||
ike_sa->get_other_id(ike_sa));
|
ike_sa->get_other_id(ike_sa));
|
||||||
if (other_ts->to_subnet(other_ts, &host, &mask))
|
if (!other_ts->to_subnet(other_ts, &host, &mask))
|
||||||
{
|
{
|
||||||
push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
|
DBG1(DBG_CHD, "updown approximates remote TS %R "
|
||||||
host->destroy(host);
|
"by next larger subnet", other_ts);
|
||||||
}
|
}
|
||||||
|
push_env(envp, countof(envp), "PLUTO_PEER_CLIENT=%+H/%u", host, mask);
|
||||||
|
host->destroy(host);
|
||||||
push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
|
push_env(envp, countof(envp), "PLUTO_PEER_PORT=%s",
|
||||||
get_port(my_ts, other_ts, port_buf, FALSE));
|
get_port(my_ts, other_ts, port_buf, FALSE));
|
||||||
push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
|
push_env(envp, countof(envp), "PLUTO_PEER_PROTOCOL=%u",
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
* Copyright (C) 2014 revosec AG
|
* Copyright (C) 2014 revosec AG
|
||||||
*
|
*
|
||||||
* Copyright (C) 2015-2016 Tobias Brunner
|
* Copyright (C) 2015-2016 Tobias Brunner
|
||||||
* Copyright (C) 2015 Andreas Steffen
|
* Copyright (C) 2015-2016 Andreas Steffen
|
||||||
* HSR Hochschule fuer Technik Rapperswil
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
|
@ -646,6 +646,22 @@ CALLBACK(parse_ts, bool,
|
||||||
{
|
{
|
||||||
ts = traffic_selector_create_dynamic(proto, from, to);
|
ts = traffic_selector_create_dynamic(proto, from, to);
|
||||||
}
|
}
|
||||||
|
else if (strchr(buf, '-'))
|
||||||
|
{
|
||||||
|
host_t *lower, *upper;
|
||||||
|
ts_type_t type;
|
||||||
|
|
||||||
|
if (host_create_from_range(buf, &lower, &upper))
|
||||||
|
{
|
||||||
|
type = (lower->get_family(lower) == AF_INET) ?
|
||||||
|
TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
|
||||||
|
ts = traffic_selector_create_from_bytes(proto, type,
|
||||||
|
lower->get_address(lower), from,
|
||||||
|
upper->get_address(upper), to);
|
||||||
|
lower->destroy(lower);
|
||||||
|
upper->destroy(upper);
|
||||||
|
}
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ts = traffic_selector_create_from_cidr(buf, proto, from, to);
|
ts = traffic_selector_create_from_cidr(buf, proto, from, to);
|
||||||
|
|
|
@ -1,7 +1,8 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2013-2015 Tobias Brunner
|
* Copyright (C) 2013-2015 Tobias Brunner
|
||||||
|
* Copyright (C) 2016 Andreas Steffen
|
||||||
* Copyright (C) 2009 Martin Willi
|
* Copyright (C) 2009 Martin Willi
|
||||||
* Hochschule fuer Technik Rapperswil
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@ -122,67 +123,122 @@ static struct {
|
||||||
} data;
|
} data;
|
||||||
} result;
|
} result;
|
||||||
} string_data[] = {
|
} string_data[] = {
|
||||||
{NULL, ID_ANY, { .type = ENC_CHUNK }},
|
{NULL, ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"", ID_ANY, { .type = ENC_CHUNK }},
|
{"", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"%any", ID_ANY, { .type = ENC_CHUNK }},
|
{"%any", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"%any6", ID_ANY, { .type = ENC_CHUNK }},
|
{"%any6", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
|
{"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"0::0", ID_ANY, { .type = ENC_CHUNK }},
|
{"0::0", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"::", ID_ANY, { .type = ENC_CHUNK }},
|
{"::", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"*", ID_ANY, { .type = ENC_CHUNK }},
|
{"*", ID_ANY, { .type = ENC_CHUNK }},
|
||||||
{"any", ID_FQDN, { .type = ENC_SIMPLE }},
|
{"any", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{"any6", ID_FQDN, { .type = ENC_SIMPLE }},
|
{"any6", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{"0", ID_FQDN, { .type = ENC_SIMPLE }},
|
{"0", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{"**", ID_FQDN, { .type = ENC_SIMPLE }},
|
{"**", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
{"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
||||||
{"192.168.", ID_FQDN, { .type = ENC_SIMPLE }},
|
{"192.168.", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{".", ID_FQDN, { .type = ENC_SIMPLE }},
|
{".", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
|
{"192.168.1.1/33", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
|
{"192.168.1.1/32", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff) }},
|
||||||
|
{"192.168.1.1/31", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe) }},
|
||||||
|
{"192.168.1.8/30", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc) }},
|
||||||
|
{"192.168.1.128/25", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80) }},
|
||||||
|
{"192.168.1.0/24", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00) }},
|
||||||
|
{"192.168.1.0/23", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00) }},
|
||||||
|
{"192.168.4.0/22", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00) }},
|
||||||
|
{"0.0.0.0/0", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
|
||||||
|
{"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28) }},
|
||||||
|
{"0.0.0.0-255.255.255.255", ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff) }},
|
||||||
|
{"192.168.1.40-192.168.1.0",ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
|
{"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
|
||||||
{"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
|
{"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
|
||||||
{"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{":", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{":", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
{"fec0::1/129", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
{"fec0::1/128", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
{"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
{"alice", ID_FQDN, { .type = ENC_SIMPLE }},
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
|
||||||
{"@", ID_FQDN, { .type = ENC_CHUNK }},
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
|
||||||
{" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }},
|
||||||
{"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
|
{"fec0::1/127", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }},
|
||||||
|
{"fec0::4/126", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }},
|
||||||
|
{"fec0::100/120", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
|
||||||
|
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }},
|
||||||
|
{"::/0", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }},
|
||||||
|
{"fec0::1-fec0::4fff", ID_IPV6_ADDR_RANGE, { .type = ENC_CHUNK,
|
||||||
|
.data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
|
||||||
|
0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }},
|
||||||
|
{"fec0::4fff-fec0::1", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
|
{"fec0::1-", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
|
{"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
||||||
|
{"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
||||||
|
{"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
||||||
|
{"alice", ID_FQDN, { .type = ENC_SIMPLE }},
|
||||||
|
{"@", ID_FQDN, { .type = ENC_CHUNK }},
|
||||||
|
{" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
|
||||||
|
{"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
|
||||||
.data.s = "strongswan.org" }},
|
.data.s = "strongswan.org" }},
|
||||||
{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
|
{"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
|
.data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
|
||||||
{"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
|
{"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
|
.data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
|
||||||
{"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
{"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
|
.data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
|
||||||
0x03,0x55,0x04,0x06,0x13,0x00) }},
|
0x03,0x55,0x04,0x06,0x13,0x00) }},
|
||||||
{"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
{"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
||||||
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
||||||
{"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
{"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
||||||
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
||||||
{"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
{"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
.data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
|
||||||
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
|
||||||
{"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
{"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
|
||||||
{"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
{"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
||||||
{ "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING,
|
{ "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING,
|
||||||
.data.s = "tester" }},
|
.data.s = "tester" }},
|
||||||
{ "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
{ "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
|
||||||
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
.data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
|
||||||
{ "{0x02}:tester", ID_FQDN, { .type = ENC_STRING,
|
{ "{0x02}:tester", ID_FQDN, { .type = ENC_STRING,
|
||||||
.data.s = "tester" }},
|
.data.s = "tester" }},
|
||||||
{ "{99}:somedata", 99, { .type = ENC_STRING,
|
{ "{99}:somedata", 99, { .type = ENC_STRING,
|
||||||
.data.s = "somedata" }},
|
.data.s = "somedata" }},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -264,14 +320,33 @@ START_TEST(test_printf_hook)
|
||||||
|
|
||||||
string_equals("192.168.1.1", "192.168.1.1");
|
string_equals("192.168.1.1", "192.168.1.1");
|
||||||
string_equals_id("(invalid ID_IPV4_ADDR)",
|
string_equals_id("(invalid ID_IPV4_ADDR)",
|
||||||
identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
|
identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty));
|
||||||
|
string_equals("192.168.1.1/32", "192.168.1.1/32");
|
||||||
|
string_equals("192.168.1.2/31", "192.168.1.2/31");
|
||||||
|
string_equals("192.168.1.0/24", "192.168.1.0/24");
|
||||||
|
string_equals("192.168.2.0/23", "192.168.2.0/23");
|
||||||
|
string_equals("0.0.0.0/0", "0.0.0.0/0");
|
||||||
|
string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)",
|
||||||
|
identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty));
|
||||||
|
string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254");
|
||||||
|
string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255");
|
||||||
|
string_equals_id("(invalid ID_IPV4_ADDR_RANGE)",
|
||||||
|
identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty));
|
||||||
string_equals("fec0::1", "fec0::1");
|
string_equals("fec0::1", "fec0::1");
|
||||||
string_equals("fec0::1", "fec0:0:0::1");
|
string_equals("fec0::1", "fec0:0:0::1");
|
||||||
string_equals_id("(invalid ID_IPV6_ADDR)",
|
string_equals_id("(invalid ID_IPV6_ADDR)",
|
||||||
identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
|
identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty));
|
||||||
|
string_equals("fec0::1/128", "fec0::1/128");
|
||||||
|
string_equals("fec0::2/127", "fec0::2/127");
|
||||||
|
string_equals("fec0::100/120", "fec0::100/120");
|
||||||
|
string_equals("::/0", "::/0");
|
||||||
|
string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)",
|
||||||
|
identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty));
|
||||||
|
string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff");
|
||||||
|
string_equals_id("(invalid ID_IPV6_ADDR_RANGE)",
|
||||||
|
identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty));
|
||||||
string_equals_id("(unknown ID type: 255)",
|
string_equals_id("(unknown ID type: 255)",
|
||||||
identification_create_from_encoding(255, chunk_empty));
|
identification_create_from_encoding(255, chunk_empty));
|
||||||
|
|
||||||
string_equals("moon@strongswan.org", "moon@strongswan.org");
|
string_equals("moon@strongswan.org", "moon@strongswan.org");
|
||||||
string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
|
string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG");
|
||||||
|
@ -595,6 +670,89 @@ START_TEST(test_matches_binary)
|
||||||
}
|
}
|
||||||
END_TEST
|
END_TEST
|
||||||
|
|
||||||
|
START_TEST(test_matches_range)
|
||||||
|
{
|
||||||
|
identification_t *a, *b;
|
||||||
|
|
||||||
|
/* IPv4 addresses */
|
||||||
|
a = identification_create_from_string("192.168.1.1");
|
||||||
|
ck_assert(a->get_type(a) == ID_IPV4_ADDR);
|
||||||
|
ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
|
||||||
|
ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD));
|
||||||
|
ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD));
|
||||||
|
ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
|
||||||
|
|
||||||
|
/* Malformed IPv4 subnet and range encoding */
|
||||||
|
b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty);
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty);
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE,
|
||||||
|
chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00));
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
|
||||||
|
a->destroy(a);
|
||||||
|
|
||||||
|
/* IPv6 addresses */
|
||||||
|
a = identification_create_from_string("fec0::1");
|
||||||
|
ck_assert(a->get_type(a) == ID_IPV6_ADDR);
|
||||||
|
ck_assert(id_matches(a, "%any", ID_MATCH_ANY));
|
||||||
|
ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS));
|
||||||
|
ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD));
|
||||||
|
ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT));
|
||||||
|
ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD));
|
||||||
|
ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE));
|
||||||
|
|
||||||
|
/* Malformed IPv6 subnet and range encoding */
|
||||||
|
b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty);
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty);
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE,
|
||||||
|
chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff,
|
||||||
|
0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 ));
|
||||||
|
ck_assert(a->matches(a, b) == ID_MATCH_NONE);
|
||||||
|
b->destroy(b);
|
||||||
|
|
||||||
|
a->destroy(a);
|
||||||
|
|
||||||
|
/* Malformed IPv4 address encoding */
|
||||||
|
a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty);
|
||||||
|
ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE));
|
||||||
|
a->destroy(a);
|
||||||
|
|
||||||
|
/* Malformed IPv6 address encoding */
|
||||||
|
a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty);
|
||||||
|
ck_assert(id_matches(a, "::/0", ID_MATCH_NONE));
|
||||||
|
ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE));
|
||||||
|
a->destroy(a);
|
||||||
|
}
|
||||||
|
END_TEST
|
||||||
|
|
||||||
START_TEST(test_matches_string)
|
START_TEST(test_matches_string)
|
||||||
{
|
{
|
||||||
identification_t *a;
|
identification_t *a;
|
||||||
|
@ -929,6 +1087,7 @@ Suite *identification_suite_create()
|
||||||
tcase_add_test(tc, test_matches);
|
tcase_add_test(tc, test_matches);
|
||||||
tcase_add_test(tc, test_matches_any);
|
tcase_add_test(tc, test_matches_any);
|
||||||
tcase_add_test(tc, test_matches_binary);
|
tcase_add_test(tc, test_matches_binary);
|
||||||
|
tcase_add_test(tc, test_matches_range);
|
||||||
tcase_add_test(tc, test_matches_string);
|
tcase_add_test(tc, test_matches_string);
|
||||||
tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
|
tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1);
|
||||||
tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);
|
tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1);
|
||||||
|
|
|
@ -1,8 +1,9 @@
|
||||||
/*
|
/*
|
||||||
|
* Copyright (C) 2016 Andreas Steffen
|
||||||
* Copyright (C) 2009-2015 Tobias Brunner
|
* Copyright (C) 2009-2015 Tobias Brunner
|
||||||
* Copyright (C) 2005-2009 Martin Willi
|
* Copyright (C) 2005-2009 Martin Willi
|
||||||
* Copyright (C) 2005 Jan Hutter
|
* Copyright (C) 2005 Jan Hutter
|
||||||
* Hochschule fuer Technik Rapperswil
|
* HSR Hochschule fuer Technik Rapperswil
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify it
|
* This program is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU General Public License as published by the
|
* under the terms of the GNU General Public License as published by the
|
||||||
|
@ -823,6 +824,154 @@ METHOD(identification_t, matches_dn, id_match_t,
|
||||||
return ID_MATCH_NONE;
|
return ID_MATCH_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Transform netmask to CIDR bits
|
||||||
|
*/
|
||||||
|
static int netmask_to_cidr(char *netmask, size_t address_size)
|
||||||
|
{
|
||||||
|
uint8_t byte;
|
||||||
|
int i, netbits = 0;
|
||||||
|
|
||||||
|
for (i = 0; i < address_size; i++)
|
||||||
|
{
|
||||||
|
byte = netmask[i];
|
||||||
|
|
||||||
|
if (byte == 0x00)
|
||||||
|
{
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
if (byte == 0xff)
|
||||||
|
{
|
||||||
|
netbits += 8;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
while (byte & 0x80)
|
||||||
|
{
|
||||||
|
netbits++;
|
||||||
|
byte <<= 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return netbits;
|
||||||
|
}
|
||||||
|
|
||||||
|
METHOD(identification_t, matches_range, id_match_t,
|
||||||
|
private_identification_t *this, identification_t *other)
|
||||||
|
{
|
||||||
|
chunk_t other_encoding;
|
||||||
|
uint8_t *address, *from, *to, *network, *netmask;
|
||||||
|
size_t address_size = 0;
|
||||||
|
int netbits, range_sign, i;
|
||||||
|
|
||||||
|
if (other->get_type(other) == ID_ANY)
|
||||||
|
{
|
||||||
|
return ID_MATCH_ANY;
|
||||||
|
}
|
||||||
|
if (this->type == other->get_type(other) &&
|
||||||
|
chunk_equals(this->encoded, other->get_encoding(other)))
|
||||||
|
{
|
||||||
|
return ID_MATCH_PERFECT;
|
||||||
|
}
|
||||||
|
if ((this->type == ID_IPV4_ADDR &&
|
||||||
|
other->get_type(other) == ID_IPV4_ADDR_SUBNET))
|
||||||
|
{
|
||||||
|
address_size = sizeof(struct in_addr);
|
||||||
|
}
|
||||||
|
else if ((this->type == ID_IPV6_ADDR &&
|
||||||
|
other->get_type(other) == ID_IPV6_ADDR_SUBNET))
|
||||||
|
{
|
||||||
|
address_size = sizeof(struct in6_addr);
|
||||||
|
}
|
||||||
|
if (address_size)
|
||||||
|
{
|
||||||
|
other_encoding = other->get_encoding(other);
|
||||||
|
if (this->encoded.len != address_size ||
|
||||||
|
other_encoding.len != 2 * address_size)
|
||||||
|
{
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
address = this->encoded.ptr;
|
||||||
|
network = other_encoding.ptr;
|
||||||
|
netmask = other_encoding.ptr + address_size;
|
||||||
|
netbits = netmask_to_cidr(netmask, address_size);
|
||||||
|
|
||||||
|
if (netbits == 0)
|
||||||
|
{
|
||||||
|
return ID_MATCH_MAX_WILDCARDS;
|
||||||
|
}
|
||||||
|
if (netbits == 8 * address_size)
|
||||||
|
{
|
||||||
|
return memeq(address, network, address_size) ?
|
||||||
|
ID_MATCH_PERFECT : ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
for (i = 0; i < (netbits + 7)/8; i++)
|
||||||
|
{
|
||||||
|
if ((address[i] ^ network[i]) & netmask[i])
|
||||||
|
{
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ID_MATCH_ONE_WILDCARD;
|
||||||
|
}
|
||||||
|
if ((this->type == ID_IPV4_ADDR &&
|
||||||
|
other->get_type(other) == ID_IPV4_ADDR_RANGE))
|
||||||
|
{
|
||||||
|
address_size = sizeof(struct in_addr);
|
||||||
|
}
|
||||||
|
else if ((this->type == ID_IPV6_ADDR &&
|
||||||
|
other->get_type(other) == ID_IPV6_ADDR_RANGE))
|
||||||
|
{
|
||||||
|
address_size = sizeof(struct in6_addr);
|
||||||
|
}
|
||||||
|
if (address_size)
|
||||||
|
{
|
||||||
|
other_encoding = other->get_encoding(other);
|
||||||
|
if (this->encoded.len != address_size ||
|
||||||
|
other_encoding.len != 2 * address_size)
|
||||||
|
{
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
address = this->encoded.ptr;
|
||||||
|
from = other_encoding.ptr;
|
||||||
|
to = other_encoding.ptr + address_size;
|
||||||
|
|
||||||
|
range_sign = memcmp(to, from, address_size);
|
||||||
|
if (range_sign < 0)
|
||||||
|
{ /* to is smaller than from */
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* check lower bound */
|
||||||
|
for (i = 0; i < address_size; i++)
|
||||||
|
{
|
||||||
|
if (address[i] != from[i])
|
||||||
|
{
|
||||||
|
if (address[i] < from[i])
|
||||||
|
{
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* check upper bound */
|
||||||
|
for (i = 0; i < address_size; i++)
|
||||||
|
{
|
||||||
|
if (address[i] != to[i])
|
||||||
|
{
|
||||||
|
if (address[i] > to[i])
|
||||||
|
{
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT;
|
||||||
|
}
|
||||||
|
return ID_MATCH_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Described in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
|
@ -831,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data,
|
||||||
{
|
{
|
||||||
private_identification_t *this = *((private_identification_t**)(args[0]));
|
private_identification_t *this = *((private_identification_t**)(args[0]));
|
||||||
chunk_t proper;
|
chunk_t proper;
|
||||||
char buf[512];
|
char buf[BUF_LEN];
|
||||||
|
char *pos;
|
||||||
|
size_t written, len, address_size;
|
||||||
|
|
||||||
if (this == NULL)
|
if (this == NULL)
|
||||||
{
|
{
|
||||||
|
@ -841,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data,
|
||||||
switch (this->type)
|
switch (this->type)
|
||||||
{
|
{
|
||||||
case ID_ANY:
|
case ID_ANY:
|
||||||
snprintf(buf, sizeof(buf), "%%any");
|
snprintf(buf, BUF_LEN, "%%any");
|
||||||
break;
|
break;
|
||||||
case ID_IPV4_ADDR:
|
case ID_IPV4_ADDR:
|
||||||
if (this->encoded.len < sizeof(struct in_addr) ||
|
if (this->encoded.len < sizeof(struct in_addr) ||
|
||||||
inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
|
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
{
|
{
|
||||||
snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)");
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)");
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case ID_IPV4_ADDR_SUBNET:
|
||||||
|
address_size = sizeof(struct in_addr);
|
||||||
|
if (this->encoded.len < 2 * address_size ||
|
||||||
|
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
written = strlen(buf);
|
||||||
|
snprintf(buf + written, BUF_LEN - written, "/%d",
|
||||||
|
netmask_to_cidr(this->encoded.ptr + address_size,
|
||||||
|
address_size));
|
||||||
|
break;
|
||||||
|
case ID_IPV4_ADDR_RANGE:
|
||||||
|
address_size = sizeof(struct in_addr);
|
||||||
|
if (this->encoded.len < 2 * address_size ||
|
||||||
|
inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
written = strlen(buf);
|
||||||
|
pos = buf + written;
|
||||||
|
len = BUF_LEN - written;
|
||||||
|
written = snprintf(pos, len, "-");
|
||||||
|
if (written < 0 || written >= len ||
|
||||||
|
inet_ntop(AF_INET, this->encoded.ptr + address_size,
|
||||||
|
pos + written, len - written) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)");
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ID_IPV6_ADDR:
|
case ID_IPV6_ADDR:
|
||||||
if (this->encoded.len < sizeof(struct in6_addr) ||
|
if (this->encoded.len < sizeof(struct in6_addr) ||
|
||||||
inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
|
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
{
|
{
|
||||||
snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)");
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)");
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case ID_IPV6_ADDR_SUBNET:
|
||||||
|
address_size = sizeof(struct in6_addr);
|
||||||
|
if (this->encoded.len < 2 * address_size ||
|
||||||
|
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
written = strlen(buf);
|
||||||
|
snprintf(buf + written, BUF_LEN - written, "/%d",
|
||||||
|
netmask_to_cidr(this->encoded.ptr + address_size,
|
||||||
|
address_size));
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case ID_IPV6_ADDR_RANGE:
|
||||||
|
address_size = sizeof(struct in6_addr);
|
||||||
|
if (this->encoded.len < 2 * address_size ||
|
||||||
|
inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
written = strlen(buf);
|
||||||
|
pos = buf + written;
|
||||||
|
len = BUF_LEN - written;
|
||||||
|
written = snprintf(pos, len, "-");
|
||||||
|
if (written < 0 || written >= len ||
|
||||||
|
inet_ntop(AF_INET6, this->encoded.ptr + address_size,
|
||||||
|
pos + written, len - written) == NULL)
|
||||||
|
{
|
||||||
|
snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)");
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ID_FQDN:
|
case ID_FQDN:
|
||||||
case ID_RFC822_ADDR:
|
case ID_RFC822_ADDR:
|
||||||
case ID_DER_ASN1_GN_URI:
|
case ID_DER_ASN1_GN_URI:
|
||||||
chunk_printable(this->encoded, &proper, '?');
|
chunk_printable(this->encoded, &proper, '?');
|
||||||
snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
|
snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr);
|
||||||
chunk_free(&proper);
|
chunk_free(&proper);
|
||||||
break;
|
break;
|
||||||
case ID_DER_ASN1_DN:
|
case ID_DER_ASN1_DN:
|
||||||
dntoa(this->encoded, buf, sizeof(buf));
|
dntoa(this->encoded, buf, BUF_LEN);
|
||||||
break;
|
break;
|
||||||
case ID_DER_ASN1_GN:
|
case ID_DER_ASN1_GN:
|
||||||
snprintf(buf, sizeof(buf), "(ASN.1 general name)");
|
snprintf(buf, BUF_LEN, "(ASN.1 general name)");
|
||||||
break;
|
break;
|
||||||
case ID_KEY_ID:
|
case ID_KEY_ID:
|
||||||
if (chunk_printable(this->encoded, NULL, '?') &&
|
if (chunk_printable(this->encoded, NULL, '?') &&
|
||||||
this->encoded.len != HASH_SIZE_SHA1)
|
this->encoded.len != HASH_SIZE_SHA1)
|
||||||
{ /* fully printable, use ascii version */
|
{ /* fully printable, use ascii version */
|
||||||
snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len,
|
snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len,
|
||||||
this->encoded.ptr);
|
this->encoded.ptr);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{ /* not printable, hex dump */
|
{ /* not printable, hex dump */
|
||||||
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
|
snprintf(buf, BUF_LEN, "%#B", &this->encoded);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
|
snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (spec->minus)
|
if (spec->minus)
|
||||||
|
@ -952,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type)
|
||||||
this->public.matches = _matches_dn;
|
this->public.matches = _matches_dn;
|
||||||
this->public.contains_wildcards = _contains_wildcards_dn;
|
this->public.contains_wildcards = _contains_wildcards_dn;
|
||||||
break;
|
break;
|
||||||
|
case ID_IPV4_ADDR:
|
||||||
|
case ID_IPV6_ADDR:
|
||||||
|
this->public.hash = _hash_binary;
|
||||||
|
this->public.equals = _equals_binary;
|
||||||
|
this->public.matches = _matches_range;
|
||||||
|
this->public.contains_wildcards = return_false;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
this->public.hash = _hash_binary;
|
this->public.hash = _hash_binary;
|
||||||
this->public.equals = _equals_binary;
|
this->public.equals = _equals_binary;
|
||||||
|
@ -973,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str)
|
||||||
} prefixes[] = {
|
} prefixes[] = {
|
||||||
{ "ipv4:", ID_IPV4_ADDR },
|
{ "ipv4:", ID_IPV4_ADDR },
|
||||||
{ "ipv6:", ID_IPV6_ADDR },
|
{ "ipv6:", ID_IPV6_ADDR },
|
||||||
|
{ "ipv4net:", ID_IPV4_ADDR_SUBNET },
|
||||||
|
{ "ipv6net:", ID_IPV6_ADDR_SUBNET },
|
||||||
|
{ "ipv4range:", ID_IPV4_ADDR_RANGE },
|
||||||
|
{ "ipv6range:", ID_IPV6_ADDR_RANGE },
|
||||||
{ "rfc822:", ID_RFC822_ADDR },
|
{ "rfc822:", ID_RFC822_ADDR },
|
||||||
{ "email:", ID_RFC822_ADDR },
|
{ "email:", ID_RFC822_ADDR },
|
||||||
{ "userfqdn:", ID_USER_FQDN },
|
{ "userfqdn:", ID_USER_FQDN },
|
||||||
|
@ -1038,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str)
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convert to an IPv4/IPv6 host address, subnet or address range
|
||||||
|
*/
|
||||||
|
static private_identification_t* create_ip_address_from_string(char *string,
|
||||||
|
bool is_ipv4)
|
||||||
|
{
|
||||||
|
private_identification_t *this;
|
||||||
|
uint8_t encoding[32];
|
||||||
|
uint8_t *str, *pos, *address, *to_address, *netmask;
|
||||||
|
size_t address_size;
|
||||||
|
int bits, bytes, i;
|
||||||
|
bool has_subnet = FALSE, has_range = FALSE;
|
||||||
|
|
||||||
|
address = encoding;
|
||||||
|
address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr);
|
||||||
|
|
||||||
|
str = strdup(string);
|
||||||
|
pos = strchr(str, '/');
|
||||||
|
if (pos)
|
||||||
|
{ /* separate IP address from optional netmask */
|
||||||
|
|
||||||
|
*pos = '\0';
|
||||||
|
has_subnet = TRUE;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
pos = strchr(str, '-');
|
||||||
|
if (pos)
|
||||||
|
{ /* separate lower address from upper address of IP range */
|
||||||
|
*pos = '\0';
|
||||||
|
has_range = TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1)
|
||||||
|
{
|
||||||
|
free(str);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (has_subnet)
|
||||||
|
{ /* is IP subnet */
|
||||||
|
bits = atoi(pos + 1);
|
||||||
|
if (bits > 8 * address_size)
|
||||||
|
{
|
||||||
|
free(str);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
bytes = bits / 8;
|
||||||
|
bits -= 8 * bytes;
|
||||||
|
netmask = encoding + address_size;
|
||||||
|
|
||||||
|
for (i = 0; i < address_size; i++)
|
||||||
|
{
|
||||||
|
if (bytes)
|
||||||
|
{
|
||||||
|
*netmask = 0xff;
|
||||||
|
bytes--;
|
||||||
|
}
|
||||||
|
else if (bits)
|
||||||
|
{
|
||||||
|
*netmask = 0xff << (8 - bits);
|
||||||
|
bits = 0;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
*netmask = 0x00;
|
||||||
|
}
|
||||||
|
*address++ &= *netmask++;
|
||||||
|
}
|
||||||
|
this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET :
|
||||||
|
ID_IPV6_ADDR_SUBNET);
|
||||||
|
this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
|
||||||
|
}
|
||||||
|
else if (has_range)
|
||||||
|
{ /* is IP range */
|
||||||
|
to_address = encoding + address_size;
|
||||||
|
|
||||||
|
if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1)
|
||||||
|
{
|
||||||
|
free(str);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
for (i = 0; i < address_size; i++)
|
||||||
|
{
|
||||||
|
if (address[i] != to_address[i])
|
||||||
|
{
|
||||||
|
if (address[i] > to_address[i])
|
||||||
|
{
|
||||||
|
free(str);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE :
|
||||||
|
ID_IPV6_ADDR_RANGE);
|
||||||
|
this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ /* is IP host address */
|
||||||
|
this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR);
|
||||||
|
this->encoded = chunk_clone(chunk_create(encoding, address_size));
|
||||||
|
}
|
||||||
|
free(str);
|
||||||
|
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Described in header.
|
* Described in header.
|
||||||
*/
|
*/
|
||||||
|
@ -1095,15 +1432,9 @@ identification_t *identification_create_from_string(char *string)
|
||||||
{
|
{
|
||||||
if (strchr(string, ':') == NULL)
|
if (strchr(string, ':') == NULL)
|
||||||
{
|
{
|
||||||
struct in_addr address;
|
/* IPv4 address or subnet */
|
||||||
chunk_t chunk = {(void*)&address, sizeof(address)};
|
this = create_ip_address_from_string(string, TRUE);
|
||||||
|
if (!this)
|
||||||
if (inet_pton(AF_INET, string, &address) > 0)
|
|
||||||
{ /* is IPv4 */
|
|
||||||
this = identification_create(ID_IPV4_ADDR);
|
|
||||||
this->encoded = chunk_clone(chunk);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{ /* not IPv4, mostly FQDN */
|
{ /* not IPv4, mostly FQDN */
|
||||||
this = identification_create(ID_FQDN);
|
this = identification_create(ID_FQDN);
|
||||||
this->encoded = chunk_from_str(strdup(string));
|
this->encoded = chunk_from_str(strdup(string));
|
||||||
|
@ -1112,15 +1443,9 @@ identification_t *identification_create_from_string(char *string)
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
struct in6_addr address;
|
/* IPv6 address or subnet */
|
||||||
chunk_t chunk = {(void*)&address, sizeof(address)};
|
this = create_ip_address_from_string(string, FALSE);
|
||||||
|
if (!this)
|
||||||
if (inet_pton(AF_INET6, string, &address) > 0)
|
|
||||||
{ /* is IPv6 */
|
|
||||||
this = identification_create(ID_IPV6_ADDR);
|
|
||||||
this->encoded = chunk_clone(chunk);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{ /* not IPv4/6 fallback to KEY_ID */
|
{ /* not IPv4/6 fallback to KEY_ID */
|
||||||
this = identification_create(ID_KEY_ID);
|
this = identification_create(ID_KEY_ID);
|
||||||
this->encoded = chunk_from_str(strdup(string));
|
this->encoded = chunk_from_str(strdup(string));
|
||||||
|
|
|
@ -1,10 +1,15 @@
|
||||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
|
||||||
to gateway <b>moon</b>. The authentication is based on two <b>pre-shared keys</b>
|
to gateway <b>moon</b>. The IKEv1 main mode authentication is based on
|
||||||
bound to the two distinct gateway identities <b>moon1.strongswan.org</b> and
|
<b>pre-shared keys</b> and <b>IPv4 address</b> identities.
|
||||||
<b>moon2.strongswan.org</b>. On the gateway these two identities are bound to
|
On the gateway two connections with differing parameters are defined:
|
||||||
two disjoint sets of client IP address ranges which allows IKEv1 Main Mode
|
One for peers from the <b>192.168.0.96/28</b> subnet and one for peers from
|
||||||
to select the correct connection definition and via the gateway identity the
|
the range <b>192.168.0.150-192.168.0.200</b>.
|
||||||
correct PSK.
|
<p/>
|
||||||
|
On the gateway for different shared keys are defined for the following
|
||||||
|
hierarchcal peer address ranges: <b>0.0.0.0/0 0::0/0</b>,
|
||||||
|
<b>192.168.0.96/28</b>, <b>192.168.0.150-192.168.0.200</b> and
|
||||||
|
<b>192.168.0.200</b>. Client <b>carol</b> uses the first and client <b>dave</b>
|
||||||
|
the fourth PSK.
|
||||||
<p/>
|
<p/>
|
||||||
Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
|
Upon the successful establishment of the IPsec tunnels, <b>carol</b> pings the
|
||||||
client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different
|
client <b>alice</b> and <b>dave</b> the client <b>venus</b> lying in two different
|
||||||
|
|
|
@ -1,11 +1,13 @@
|
||||||
|
dave::cat /var/log/daemon.log::updown approximates remote TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
|
||||||
|
moon::cat /var/log/daemon.log::updown approximates local TS 10.1.0.17..10.1.0.20 by next larger subnet::YES
|
||||||
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
|
alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::YES
|
||||||
venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
|
venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::YES
|
||||||
alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
|
alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_req=1::NO
|
||||||
venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
|
venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_req=1::NO
|
||||||
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon1.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
|
||||||
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon2.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
|
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
|
||||||
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon1.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
|
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
|
||||||
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon2.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]
|
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
|
||||||
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
|
||||||
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
|
||||||
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
|
||||||
|
|
|
@ -6,11 +6,9 @@ connections {
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = carol@strongswan.org
|
|
||||||
}
|
}
|
||||||
remote {
|
remote {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = moon1.strongswan.org
|
|
||||||
}
|
}
|
||||||
children {
|
children {
|
||||||
home {
|
home {
|
||||||
|
@ -27,10 +25,9 @@ connections {
|
||||||
|
|
||||||
secrets {
|
secrets {
|
||||||
|
|
||||||
ike-moon1 {
|
ike-moon {
|
||||||
id = moon1.strongswan.org
|
id = 192.168.0.1
|
||||||
# hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
|
# hex value equal to base64 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
|
||||||
secret = 0x16964066a10de938bdb2ab7864fe4459cab1
|
secret = 0x16964066a10de938bdb2ab7864fe4459cab1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -6,15 +6,13 @@ connections {
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = dave@strongswan.org
|
|
||||||
}
|
}
|
||||||
remote {
|
remote {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = moon2.strongswan.org
|
|
||||||
}
|
}
|
||||||
children {
|
children {
|
||||||
home {
|
home {
|
||||||
remote_ts = 10.1.0.16/28
|
remote_ts = 10.1.0.17-10.1.0.20
|
||||||
|
|
||||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
esp_proposals = aes192gcm128-modp3072
|
esp_proposals = aes192gcm128-modp3072
|
||||||
|
@ -27,8 +25,8 @@ connections {
|
||||||
|
|
||||||
secrets {
|
secrets {
|
||||||
|
|
||||||
ike-moon2 {
|
ike-moon {
|
||||||
id = moon2.strongswan.org
|
id = 192.168.0.1
|
||||||
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
|
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,7 +6,6 @@ connections {
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = moon1.strongswan.org
|
|
||||||
}
|
}
|
||||||
remote {
|
remote {
|
||||||
auth = psk
|
auth = psk
|
||||||
|
@ -25,18 +24,17 @@ connections {
|
||||||
|
|
||||||
rw-2 {
|
rw-2 {
|
||||||
local_addrs = 192.168.0.1
|
local_addrs = 192.168.0.1
|
||||||
remote_addrs = 192.168.0.192/28
|
remote_addrs = 192.168.0.150-192.168.0.200
|
||||||
|
|
||||||
local {
|
local {
|
||||||
auth = psk
|
auth = psk
|
||||||
id = moon2.strongswan.org
|
|
||||||
}
|
}
|
||||||
remote {
|
remote {
|
||||||
auth = psk
|
auth = psk
|
||||||
}
|
}
|
||||||
children {
|
children {
|
||||||
net-2 {
|
net-2 {
|
||||||
local_ts = 10.1.0.16/28
|
local_ts = 10.1.0.17-10.1.0.20
|
||||||
|
|
||||||
updown = /usr/local/libexec/ipsec/_updown iptables
|
updown = /usr/local/libexec/ipsec/_updown iptables
|
||||||
esp_proposals = aes192gcm128-modp3072
|
esp_proposals = aes192gcm128-modp3072
|
||||||
|
@ -50,12 +48,20 @@ connections {
|
||||||
|
|
||||||
secrets {
|
secrets {
|
||||||
|
|
||||||
ike-moon1 {
|
ike-any {
|
||||||
id = moon1.strongswan.org
|
id = 0.0.0.0/0 0::0/0
|
||||||
|
secret = 0soBAJZLI7Bwwi61Rl113FqD/3
|
||||||
|
}
|
||||||
|
ike-rw-1 {
|
||||||
|
id = 192.168.0.96/28
|
||||||
secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
|
secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
|
||||||
}
|
}
|
||||||
ike-moon2 {
|
ike-rw-2 {
|
||||||
id = moon2.strongswan.org
|
id = 192.168.0.150-192.168.0.200
|
||||||
|
secret = 0s8qPdxyhDeGfk1l211cS8urXc
|
||||||
|
}
|
||||||
|
ike-dave {
|
||||||
|
id = 192.168.0.200
|
||||||
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
|
secret = 0sjVzONCF02ncsgiSlmIXeqhGN
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue