ike-auth: Consider negotiated IKE proposal when selecting peer configs
In some scenarios we might find multiple usable peer configs with different IKE proposals. This is a problem if we use a config with non-matching proposals that later causes IKE rekeying to fail. It might already be a problem when creating the CHILD_SA, if the IKE and CHILD_SA proposals are consistent.
This commit is contained in:
parent
29e7fe63c3
commit
da288a07aa
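--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -285,13 +285,18 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 {
 enumerator_t *enumerator;
 peer_cfg_t *peer_cfg;
+ike_cfg_t *ike_cfg;
 host_t *me, *other;
 identification_t *my_id, *other_id;
+proposal_t *ike_proposal;
+bool private;
 
 me = this->ike_sa->get_my_host(this->ike_sa);
 other = this->ike_sa->get_other_host(this->ike_sa);
 my_id = this->ike_sa->get_my_id(this->ike_sa);
 other_id = this->ike_sa->get_other_id(this->ike_sa);
+ike_proposal = this->ike_sa->get_proposal(this->ike_sa);
+private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
 
 DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
 me, my_id, other, other_id);
@@ -299,11 +304,18 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 me, other, my_id, other_id, IKEV2);
 while (enumerator->enumerate(enumerator, &peer_cfg))
 {
+/* ignore all configs that have no matching IKE proposal */
+ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
+if (!ike_cfg->has_proposal(ike_cfg, ike_proposal, private))
+{
+DBG2(DBG_CFG, "ignore candidate '%s' without matching IKE proposal",
+peer_cfg->get_name(peer_cfg));
+continue;
+}
 peer_cfg->get_ref(peer_cfg);
 if (this->peer_cfg == NULL)
 { /* best match */
 this->peer_cfg = peer_cfg;
-this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
 }
 else
 {
@@ -313,6 +325,7 @@ static bool load_cfg_candidates(private_ike_auth_t *this)
 enumerator->destroy(enumerator);
 if (this->peer_cfg)
 {
+this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
 DBG1(DBG_CFG, "selected peer config '%s'",
 this->peer_cfg->get_name(this->peer_cfg));
 return TRUE;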
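Review bot: The new candidate filter in the second hunk, `if (!ike_cfg->has_proposal(ike_cfg, ike_proposal, private))`, passes whatever `get_proposal()` returned without stating why it is non-NULL at this point; if that holds because IKE_AUTH always follows a completed IKE_SA_INIT, a comment at the `ike_proposal = ...` assignment such as `/* negotiated during IKE_SA_INIT, so always available in IKE_AUTH */` makes the assumption checkable, otherwise a NULL guard before the loop is needed. The purpose of the `private` argument also deserves a line next to its assignment, e.g. `/* private-use algorithm IDs may only match if the peer signalled EXT_STRONGSWAN */`, which is what the visible code appears to gate with it. Rejected candidates are logged only at DBG2, so when every candidate is filtered out an operator running at the default level sees the later failure to select a peer config but not its cause; consider DBG1 for that message, or naming proposal mismatch as a possible reason in the failure path after `if (this->peer_cfg)`, which lies outside the third hunk. load_cfg_candidates begins before the first hunk and its tail is not shown.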