vici: Add option to disable policy installation for CHILD_SAs

Tobias Brunner 2015-08-05 11:01:10 +02:00
parent 3665adef19
commit 9322e5b398
2 changed files with 12 additions and 1 deletions


@ -391,7 +391,7 @@ typedef struct {
char* updown; char* updown;
bool hostaccess; bool hostaccess;
bool ipcomp; bool ipcomp;
bool route; bool policies;
ipsec_mode_t mode; ipsec_mode_t mode;
u_int32_t replay_window; u_int32_t replay_window;
action_t dpd_action; action_t dpd_action;
@ -426,6 +426,7 @@ static void log_child_data(child_data_t *data, char *name)
DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess); DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess);
DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp); DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp);
DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode); DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode);
DBG2(DBG_CFG, " policies = %u", data->policies);
if (data->replay_window != REPLAY_UNDEFINED) if (data->replay_window != REPLAY_UNDEFINED)
{ {
DBG2(DBG_CFG, " replay_window = %u", data->replay_window); DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
@ -1249,6 +1250,7 @@ CALLBACK(child_kv, bool,
{ "updown", parse_string, &child->updown }, { "updown", parse_string, &child->updown },
{ "hostaccess", parse_bool, &child->hostaccess }, { "hostaccess", parse_bool, &child->hostaccess },
{ "mode", parse_mode, &child->mode }, { "mode", parse_mode, &child->mode },
{ "policies", parse_bool, &child->policies },
{ "replay_window", parse_uint32, &child->replay_window }, { "replay_window", parse_uint32, &child->replay_window },
{ "rekey_time", parse_time, &child->lft.time.rekey }, { "rekey_time", parse_time, &child->lft.time.rekey },
{ "life_time", parse_time, &child->lft.time.life }, { "life_time", parse_time, &child->lft.time.life },
@ -1356,6 +1358,7 @@ CALLBACK(children_sn, bool,
.local_ts = linked_list_create(), .local_ts = linked_list_create(),
.remote_ts = linked_list_create(), .remote_ts = linked_list_create(),
.mode = MODE_TUNNEL, .mode = MODE_TUNNEL,
.policies = TRUE,
.replay_window = REPLAY_UNDEFINED, .replay_window = REPLAY_UNDEFINED,
.dpd_action = ACTION_NONE, .dpd_action = ACTION_NONE,
.start_action = ACTION_NONE, .start_action = ACTION_NONE,
@ -1459,6 +1462,8 @@ CALLBACK(children_sn, bool,
child.inactivity, child.reqid, &child.mark_in, child.inactivity, child.reqid, &child.mark_in,
&child.mark_out, child.tfc); &child.mark_out, child.tfc);
cfg->set_mipv6_options(cfg, FALSE, child.policies);
if (child.replay_window != REPLAY_UNDEFINED) if (child.replay_window != REPLAY_UNDEFINED)
{ {
cfg->set_replay_window(cfg, child.replay_window); cfg->set_replay_window(cfg, child.replay_window);
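Review bot: The new `cfg->set_mipv6_options(cfg, FALSE, child.policies);` call in children_sn reads as MIPv6-specific although `policies` is a generic switch, so a one-line comment would help the next reader, e.g. `/* proxy mode is not exposed via vici; only policy installation is configurable */`. Since `policies = no` means the kernel no longer binds the child's traffic selectors to the SA, it may be worth logging that non-default choice at a level visible by default when the flag is FALSE rather than only in the DBG2 dump in log_child_data; the added DBG2 line matches its neighbours, so this is a judgement call. The replaced `bool route` field is not referenced in any visible hunk, so it was presumably unused; stating that in the commit message would make the rename easier to audit. children_sn continues outside the hunk.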


@ -589,6 +589,12 @@ connections.<conn>.children.<child>.mode = tunnel
_pass_ and _drop_ are used to install shunt policies, which explicitly _pass_ and _drop_ are used to install shunt policies, which explicitly
bypass the defined traffic from IPsec processing, or drop it, respectively. bypass the defined traffic from IPsec processing, or drop it, respectively.
connections.<conn>.children.<child>.policies = yes
Whether to install IPsec policies or not.
Whether to install IPsec policies or not. Disabling this can be useful in
some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
connections.<conn>.children.<child>.dpd_action = clear connections.<conn>.children.<child>.dpd_action = clear
Action to perform on DPD timeout (_clear_, _trap_ or _restart_). Action to perform on DPD timeout (_clear_, _trap_ or _restart_).