This also restores the charon.signature_authentication_constraints
functionality, that is, if no explicit IKE signature schemes are
configured we apply all regular signature constraints as IKE constraints.
This now works because all plugins use the same config namespace.
If <ns>.load_modular is true, the list of plugins to load is determined
via the value of the <ns>.plugins.<name>.load options.
Using includes the following is possible:
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}
charon-cmd {
load_modular = yes
plugins {
include strongswan.d/charon-cmd/*.conf
}
}
Where each .conf file would contain something like:
<name> {
load = yes
<option> = <value>
}
To increase the priority of individual plugins load = <priority> can be
used (the default is 1). For instance, to use openssl instead of the
built-in crypto plugins set in strongswan.d/charon/openssl.conf:
openssl {
load = 10
}
If two plugins have the same priority their order in the default plugin
list is preserved. Plugins not found in that list are ordered
alphabetically before other plugins with the same priority.
When doing a rekey for a CHILD_SA, the use counters get reset. An inactivity
job is queued for a time unrelated to the rekey time, so it might happen
that the inactivity job gets executed just after rekeying. If this happens,
inactivity is detected even if we had traffic on the rekeyed CHILD_SA just
before rekeying.
This change implies that inactivity checks can't handle inactivity timeouts
for rekeyed CHILD_SAs, and therefore requires that inactivity timeout is shorter
than the rekey time to have any effect.
Setting the fwmark options for the kernel-netlink and socket-default
plugins allow this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.
This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
Tobias Brunner