trap-manager: Add option to ignore traffic selectors from acquire events

The specific traffic selectors from the acquire events, which are derived
from the triggering packet, are usually prepended to those from the
config.  Some implementations might not be able to handle these properly.

References #860.
Tobias Brunner 2015-03-12 11:50:20 +01:00
parent cb461de2a2
commit 7fa03b308c
2 changed files with 19 additions and 1 deletions

@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.
charon.ignore_acquire_ts = no
Whether to ignore the traffic selectors from the kernel's acquire events for
IKEv2 connections (they are not used for IKEv1).
If this is disabled the traffic selectors from the kernel's acquire events,
which are derived from the triggering packet, are prepended to the traffic
selectors from the configuration for IKEv2 connection. By enabling this,
such specific traffic selectors will be ignored and only the ones in the
config will be sent. This always happens for IKEv1 connections as the
protocol only supports one set of traffic selectors per CHILD_SA.
charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.
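Review bot: the second paragraph of the new charon.ignore_acquire_ts entry says "for IKEv2 connection" where the first sentence says "IKEv2 connections"; make the plural consistent. It would also help operators to state the consequence plainly: with the option enabled, the CHILD_SA is negotiated with the configured traffic selectors alone, so a narrow selector matching only the triggering packet is no longer proposed to the peer.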

@ -65,6 +65,11 @@ struct private_trap_manager_t {
* listener to track acquiring IKE_SAs
*/
trap_listener_t listener;
/**
* Whether to ignore traffic selectors from acquires
*/
bool ignore_acquire_ts;
};
/**
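Review bot: the doc comment on the new ignore_acquire_ts member could mention that it is only relevant for IKEv2, since the acquire traffic selectors are always dropped for IKEv1 regardless of this flag; that makes the field's purpose clear without having to read acquire().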
@ -353,7 +358,7 @@ METHOD(trap_manager_t, acquire, void,
{
ike_sa->set_peer_cfg(ike_sa, peer);
}
if (ike_sa->get_version(ike_sa) == IKEV1)
if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1)
{ /* in IKEv1, don't prepend the acquiring packet TS, as we only
* have a single TS that we can establish in a Quick Mode. */
src = dst = NULL;
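Review bot: the block comment still explains only the IKEv1 case ("in IKEv1, don't prepend the acquiring packet TS, as we only have a single TS that we can establish in a Quick Mode"), but the condition now also fires for IKEv2 when this->ignore_acquire_ts is set; update the comment to give both reasons, e.g. "don't prepend the acquiring packet TS if configured, or in IKEv1, as we only have a single TS that we can establish in a Quick Mode".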
@ -484,6 +489,8 @@ trap_manager_t *trap_manager_create(void)
},
.traps = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.ignore_acquire_ts = lib->settings->get_bool(lib->settings,
"%s.ignore_acquire_ts", FALSE, lib->ns),
);
charon->bus->add_listener(charon->bus, &this->listener.listener);
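Review bot: the FALSE default passed to get_bool matches the documented default "charon.ignore_acquire_ts = no", and looking it up under lib->ns follows the neighbouring settings. Since the value is read once in trap_manager_create(), a change to the option only takes effect when the daemon is restarted, not on a configuration reload; if that is the intended behaviour it is worth saying so in the strongswan.conf documentation added in the first hunk.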