While we can handle the first selector only in BEET mode in kernel-netlink,
passing the full list gives the backend more flexibility how to handle this
information.
The reqid is not strictly required, as we set the reqid with the update
call when installing the negotiated SA.
If we don't need a reqid at this stage, we can later allocate the reqid in
the kernel backend once the SA parameters have been fully negotaited. This
allows us to assign the same reqid for the same selectors to avoid conflicts
on backends this is necessary.
Without verification of the identity we can't prevent a malicious user
with a valid certificate from impersonating the AAA server and thus the
VPN gateway. So unless we make the AAA identity configurable we have to
prevent EAP-only authentication.
This will result in an infinite loop as packets sent over that socket
will again pass through the TUN device and the DNS proxy.
Apparently, bypassing fails when airplane mode is enabled.
Fixes#662.
The IKE_SA is destroyed anyway, so letting the GUI remain in
"connecting" state would be incorrect.
We still use keyingtries=0 for now, though. And we still abort after the
first failed attempt initially, in case there is a configuration error.
Since VpnStateService.disconnect() is now not called until the error
dialog is dismissed the daemon would continue to try connecting.
So while the error dialog is shown the connection might actually be
successfully established in the background, which is not intended.
This way the IKE_SA is destroyed right after sending the IKE_SA_INIT of
the second connection attempt (due to keyingtries=0).
Non-DNS data is cached in the BuilderAdapter so the TUN device can be
recreated easily (since the CHILD_SA is gone we couldn't actually gather
that information).
This class proxies DNS requests over VPN-protected UDP sockets.
It is not really Android specific and might be useful for
kernel-libipsec or libipsec in general too, so we could maybe move it later
to libipsec (might need some portability work).
No matter what triggers it. We also don't close the TUN device, but we
might handle that differently in the future to allow reestablishing the
IKE_SA if host names have to be re-resolved via DNS.
Martin Willi