vici: Add option to disable policy installation for CHILD_SAs
parent
3665adef19
commit
9322e5b398
|
@ -391,7 +391,7 @@ typedef struct {
|
|||
char* updown;
|
||||
bool hostaccess;
|
||||
bool ipcomp;
|
||||
bool route;
|
||||
bool policies;
|
||||
ipsec_mode_t mode;
|
||||
u_int32_t replay_window;
|
||||
action_t dpd_action;
|
||||
|
@ -426,6 +426,7 @@ static void log_child_data(child_data_t *data, char *name)
|
|||
DBG2(DBG_CFG, " hostaccess = %u", data->hostaccess);
|
||||
DBG2(DBG_CFG, " ipcomp = %u", data->ipcomp);
|
||||
DBG2(DBG_CFG, " mode = %N", ipsec_mode_names, data->mode);
|
||||
DBG2(DBG_CFG, " policies = %u", data->policies);
|
||||
if (data->replay_window != REPLAY_UNDEFINED)
|
||||
{
|
||||
DBG2(DBG_CFG, " replay_window = %u", data->replay_window);
|
||||
|
@ -1249,6 +1250,7 @@ CALLBACK(child_kv, bool,
|
|||
{ "updown", parse_string, &child->updown },
|
||||
{ "hostaccess", parse_bool, &child->hostaccess },
|
||||
{ "mode", parse_mode, &child->mode },
|
||||
{ "policies", parse_bool, &child->policies },
|
||||
{ "replay_window", parse_uint32, &child->replay_window },
|
||||
{ "rekey_time", parse_time, &child->lft.time.rekey },
|
||||
{ "life_time", parse_time, &child->lft.time.life },
|
||||
|
@ -1356,6 +1358,7 @@ CALLBACK(children_sn, bool,
|
|||
.local_ts = linked_list_create(),
|
||||
.remote_ts = linked_list_create(),
|
||||
.mode = MODE_TUNNEL,
|
||||
.policies = TRUE,
|
||||
.replay_window = REPLAY_UNDEFINED,
|
||||
.dpd_action = ACTION_NONE,
|
||||
.start_action = ACTION_NONE,
|
||||
|
@ -1459,6 +1462,8 @@ CALLBACK(children_sn, bool,
|
|||
child.inactivity, child.reqid, &child.mark_in,
|
||||
&child.mark_out, child.tfc);
|
||||
|
||||
cfg->set_mipv6_options(cfg, FALSE, child.policies);
|
||||
|
||||
if (child.replay_window != REPLAY_UNDEFINED)
|
||||
{
|
||||
cfg->set_replay_window(cfg, child.replay_window);
|
||||
|
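Review bot: The new call `cfg->set_mipv6_options(cfg, FALSE, child.policies);` routes a generic policy-installation switch through a MIPv6-named setter with a bare `FALSE` literal as its first argument, so a reader must look up child_cfg to learn which parameter is which (presumably proxy_mode, then install_policies). A one-line comment above the call would remove that lookup: `/* proxy_mode is not exposed via vici; only policy installation is configurable */`. Since `policies = no` leaves the CHILD_SA with SAs but no kernel policies, the `policies = %u` line added to log_child_data is the right place for an operator to spot such children, and the comment could point there. The enclosing children_sn callback starts and ends outside this hunk.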
|
|
@ -589,6 +589,12 @@ connections.<conn>.children.<child>.mode = tunnel
|
|||
_pass_ and _drop_ are used to install shunt policies, which explicitly
|
||||
bypass the defined traffic from IPsec processing, or drop it, respectively.
|
||||
|
||||
connections.<conn>.children.<child>.policies = yes
|
||||
Whether to install IPsec policies or not.
|
||||
|
||||
Whether to install IPsec policies or not. Disabling this can be useful in
|
||||
some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon.
|
||||
|
||||
connections.<conn>.children.<child>.dpd_action = clear
|
||||
Action to perform on DPD timeout (_clear_, _trap_ or _restart_).
|
||||
|
||||
|
|