Hi Jan,

ME_ stands for the IKEv2 Mediation Extension as defined by the Internet Draft
http://tools.ietf.org/html/draft-brunner-ikev2-mediation-00 written by
strongSwan team member Tobias Brunner and implemented by the strongSwan daemon.

Kind regards

Andreas

On 09.04.2010 17:34, Jan Willem Beusink wrote:
> Martin Willi wrote:
>> Hi,
>>
>>> add ME_AUTHORIZATION_FAILED = 8193 in the notify_payload.h file
>>
>>> understanding the notify_payload.c file. More specifically I
>>> can't make any sense of the enumerations...
>>
>> If you change the enum in a header file, you'll have to update the
>> enum-to-string mappings in the corresponding .c file, too.
>>
>> These macros create several structs with strings to map enums to
>> strings. The notify types enumeration is probably the most complex
>> incarnation of this struct, my apologies.
>>
>> Have a look at the src/libstrongswan/enum.h header, it explains in
>> detail how these macros work.
>>
>> Regards
>> Martin
>>
>
> The enum header helped a lot :) thanks!
>
> I was wondering though if the ME in ME_CONNECT_FAILED has special
> meaning. I assumed it was for referring to adding a private
> implementation (ME as in me, self). Yet after seeing it more often,
> e.g. "ME_MEDIATION", "ME_ENDPOINT", "ME_CALLBACK", "ME_CONNECTID",
> "ME_CONNECTKEY", "ME_CONNECTAUTH", "ME_RESPONSE",
> I got the impression it might have another meaning.
>
> Daniel Palomares wrote:
>> I took this from my internal WiKi. Hope it helps you!
>>
>> Let's suppose the new payload is called NEW_PAYLOAD.
>>
>> Files to be changed:
>>
>> * notify_payload.h at scr/charon/encodings/payload/
>>
>> It has the list of notify message types. So, it is needed to add
>> NEW_PAYLOAD to the enum{} list (i.e. MOBIKE_SUPPORTED = 16396
>> and it must be between 16397 and 16395). It means also that depending on
>> the value of the notify, its location is defined on the list
>> enum notify_type_t{}. It is VERY important to understand that this list is
>> the base to build all messages of IKEv2, including its extensions (see )
>>
>> /**
>>  * Notify message types.
>>  *
>>  * See IKEv2 RFC 3.10.1.
>>  */
>> enum notify_type_t {
>>     /* notify error messages */
>>     UNSUPPORTED_CRITICAL_PAYLOAD = 1,
>>     INVALID_IKE_SPI = 4,
>>     INVALID_MAJOR_VERSION = 5,
>>     INVALID_SYNTAX = 7,
>>     INVALID_MESSAGE_ID = 9,
>>     INVALID_SPI = 11,
>>     NO_PROPOSAL_CHOSEN = 14,
>>     INVALID_KE_PAYLOAD = 17,
>>     AUTHENTICATION_FAILED = 24,
>>     SINGLE_PAIR_REQUIRED = 34,
>>     NO_ADDITIONAL_SAS = 35,
>>     INTERNAL_ADDRESS_FAILURE = 36,
>>     FAILED_CP_REQUIRED = 37,
>>     TS_UNACCEPTABLE = 38,
>>     INVALID_SELECTORS = 39,
>>     UNACCEPTABLE_ADDRESSES = 40,
>>     UNEXPECTED_NAT_DETECTED = 41,
>>     /* IKE-ME, private use */
>>     ME_CONNECT_FAILED = 8192,
>>     /* MOBIKE-eXtended Messages */
>>     MOBIKE_UNSUPPORTED_VERSION = 8193,   <---------- i.e. this notify was added.
>>
>>     /* notify status messages */
>>     INITIAL_CONTACT = 16384,
>>     SET_WINDOW_SIZE = 16385,
>>     ADDITIONAL_TS_POSSIBLE = 16386,
>>     IPCOMP_SUPPORTED = 16387,
>>     NAT_DETECTION_SOURCE_IP = 16388,
>>     NAT_DETECTION_DESTINATION_IP = 16389,
>>     COOKIE = 16390,
>>     USE_TRANSPORT_MODE = 16391,
>>     HTTP_CERT_LOOKUP_SUPPORTED = 16392,
>>     REKEY_SA = 16393,
>>     ESP_TFC_PADDING_NOT_SUPPORTED = 16394,
>>     NON_FIRST_FRAGMENTS_ALSO = 16395,
>>     /* mobike extension, RFC4555 */
>>     MOBIKE_SUPPORTED = 16396,
>>     ADDITIONAL_IP4_ADDRESS = 16397,
>>     ADDITIONAL_IP6_ADDRESS = 16398,
>>     NO_ADDITIONAL_ADDRESSES = 16399,
>>     UPDATE_SA_ADDRESSES = 16400,
>>     COOKIE2 = 16401,
>>     NO_NATS_ALLOWED = 16402,
>>     /* repeated authentication extension, RFC4478 */
>>     AUTH_LIFETIME = 16403,
>>     /* multiple authentication exchanges, RFC 4739 */
>>     MULTIPLE_AUTH_SUPPORTED = 16404,
>>     ANOTHER_AUTH_FOLLOWS = 16405,
>>     /* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
>>     EAP_ONLY_AUTHENTICATION = 40960,
>>     /* BEET mode, not even a draft yet. private use */
>>     USE_BEET_MODE = 40961,
>>     /* IKE-ME, private use */
>>     ME_MEDIATION = 40962,
>>     ME_ENDPOINT = 40963,
>>     ME_CALLBACK = 40964,
>>     ME_CONNECTID = 40965,
>>     ME_CONNECTKEY = 40966,
>>     ME_CONNECTAUTH = 40967,
>>     ME_RESPONSE = 40968,
>> };
>>
>> * notify_payload.c at scr/charon/encodings/payload/
>>
>> Before knowing how to modify notify_payload.c, first it is mandatory
>> to know how enums are represented in the code. The following structure
>> is located at src/libstrongswan/enum.h:
>>
>> /**
>>  * Struct to store names for enums.
>>  *
>>  * To print the string representation of enumeration values, the strings
>>  * are stored in these structures. Every enum_name contains a range
>>  * of strings, multiple ranges are linked together.
>>  * Use the convenience macros to define these linked ranges.
>>  *
>>  * For a single range, use:
>>  * @code
>>     ENUM(name, first, last, string1, string2, ...)
>>   @endcode
>>  * For multiple linked ranges, use:
>>  * @code
>>     ENUM_BEGIN(name, first, last, string1, string2, ...)
>>     ENUM_NEXT(name, first, last, last_from_previous, string3, ...)
>>     ENUM_NEXT(name, first, last, last_from_previous, string4, ...)
>>     ENUM_END(name, last_from_previous)
>>   @endcode
>>  * The ENUM and the ENUM_END define an enum_name_t pointer with the name
>>  * supplied in "name".
>>  *
>>  * Resolving of enum names is done using a printf hook. A printf format
>>  * character %N is replaced by the enum string. Printf needs two arguments
>>  * to resolve a %N, the enum_name_t* (the defined name in ENUM_BEGIN)
>>  * followed by the numerical enum value.
>>  */
>> struct enum_name_t {
>>     /** value of the first enum string */
>>     int first;
>>     /** value of the last enum string */
>>     int last;
>>     /** next enum_name_t in list */
>>     enum_name_t *next;
>>     /** array of strings containing names from first to last */
>>     char *names[];
>> };
>>
>> As the NEW_PAYLOAD must be defined inside the enum list of IKEv2
>> notify messages, it should be added in notify_payload.c in order to be
>> displayed as a string somewhere and whenever it is needed.
>>
>> ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD,
>>            UNSUPPORTED_CRITICAL_PAYLOAD,
>>            "UNSUPPORTED_CRITICAL_PAYLOAD");
>> ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION,
>>           UNSUPPORTED_CRITICAL_PAYLOAD,
>>           "INVALID_IKE_SPI",
>>           "INVALID_MAJOR_VERSION");
>> ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX,
>>           INVALID_MAJOR_VERSION,
>>           "INVALID_SYNTAX");
>> ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID,
>>           INVALID_SYNTAX,
>>           "INVALID_MESSAGE_ID");
>> ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
>>           "INVALID_SPI");
>> ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN,
>>           INVALID_SPI,
>>           "NO_PROPOSAL_CHOSEN");
>> ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD,
>>           NO_PROPOSAL_CHOSEN,
>>           "INVALID_KE_PAYLOAD");
>> ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED,
>>           INVALID_KE_PAYLOAD,
>>           "AUTHENTICATION_FAILED");
>> ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, UNEXPECTED_NAT_DETECTED,
>>           AUTHENTICATION_FAILED,
>>           "SINGLE_PAIR_REQUIRED",
>>           "NO_ADDITIONAL_SAS",
>>           "INTERNAL_ADDRESS_FAILURE",
>>           "FAILED_CP_REQUIRED",
>>           "TS_UNACCEPTABLE",
>>           "INVALID_SELECTORS",
>>           "UNACCEPTABLE_ADDRESSES",
>>           "UNEXPECTED_NAT_DETECTED");
>> ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION,
>>           UNEXPECTED_NAT_DETECTED,
>>           "ME_CONNECT_FAILED",
>>           "MOBIKE_UNSUPPORTED_VERSION");   <---------- Added in order to support MOBIKE-X
>> ENUM_NEXT(notify_type_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS,
>>           MOBIKE_UNSUPPORTED_VERSION,
>>           "INITIAL_CONTACT",
>>           "SET_WINDOW_SIZE",
>>           "ADDITIONAL_TS_POSSIBLE",
>>           "IPCOMP_SUPPORTED",
>>           "NAT_DETECTION_SOURCE_IP",
>>           "NAT_DETECTION_DESTINATION_IP",
>>           "COOKIE",
>>           "USE_TRANSPORT_MODE",
>>           "HTTP_CERT_LOOKUP_SUPPORTED",
>>           "REKEY_SA",
>>           "ESP_TFC_PADDING_NOT_SUPPORTED",
>>           "NON_FIRST_FRAGMENTS_ALSO",
>>           "MOBIKE_SUPPORTED",
>>           "ADDITIONAL_IP4_ADDRESS",
>>           "ADDITIONAL_IP6_ADDRESS",
>>           "NO_ADDITIONAL_ADDRESSES",
>>           "UPDATE_SA_ADDRESSES",
>>           "COOKIE2",
>>           "NO_NATS_ALLOWED",
>>           "AUTH_LIFETIME",
>>           "MULTIPLE_AUTH_SUPPORTED",
>>           "ANOTHER_AUTH_FOLLOWS");
>> ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION,
>>           EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
>>           "EAP_ONLY_AUTHENTICATION");
>> ENUM_NEXT(notify_type_names, USE_BEET_MODE, USE_BEET_MODE,
>>           EAP_ONLY_AUTHENTICATION,
>>           "USE_BEET_MODE");
>> ENUM_NEXT(notify_type_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
>>           "ME_MEDIATION",
>>           "ME_ENDPOINT",
>>           "ME_CALLBACK",
>>           "ME_CONNECTID",
>>           "ME_CONNECTKEY",
>>           "ME_CONNECTAUTH",
>>           "ME_RESPONSE");
>> ENUM_END(notify_type_names, ME_RESPONSE);
>>
>>
>> ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD,
>>            UNSUPPORTED_CRITICAL_PAYLOAD,
>>            "CRIT");
>> ENUM_NEXT(notify_type_short_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION,
>>           UNSUPPORTED_CRITICAL_PAYLOAD,
>>           "INVAL_IKE_SPI",
>>           "INVAL_MAJOR");
>> ENUM_NEXT(notify_type_short_names, INVALID_SYNTAX, INVALID_SYNTAX,
>>           INVALID_MAJOR_VERSION,
>>           "INVAL_SYN");
>> ENUM_NEXT(notify_type_short_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID,
>>           INVALID_SYNTAX,
>>           "INVAL_MID");
>> ENUM_NEXT(notify_type_short_names, INVALID_SPI, INVALID_SPI,
>>           INVALID_MESSAGE_ID,
>>           "INVAL_SPI");
>> ENUM_NEXT(notify_type_short_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN,
>>           INVALID_SPI,
>>           "NO_PROP");
>> ENUM_NEXT(notify_type_short_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD,
>>           NO_PROPOSAL_CHOSEN,
>>           "INVAL_KE");
>> ENUM_NEXT(notify_type_short_names, AUTHENTICATION_FAILED,
>>           AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
>>           "AUTH_FAILED");
>> ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED,
>>           UNEXPECTED_NAT_DETECTED, AUTHENTICATION_FAILED,
>>           "SINGLE_PAIR",
>>           "NO_ADD_SAS",
>>           "INT_ADDR_FAIL",
>>           "FAIL_CP_REQ",
>>           "TS_UNACCEPT",
>>           "INVAL_SEL",
>>           "UNACCEPT_ADDR",
>>           "UNEXPECT_NAT");
>> ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED,
>>           MOBIKE_UNSUPPORTED_VERSION, UNEXPECTED_NAT_DETECTED,
>>           "ME_CONN_FAIL",
>>           "MOBIKE_UNSUP");   <---------- Added in order to support MOBIKE-X
>> ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, ANOTHER_AUTH_FOLLOWS,
>>           MOBIKE_UNSUPPORTED_VERSION,
>>           "INIT_CONTACT",
>>           "SET_WINSIZE",
>>           "ADD_TS_POSS",
>>           "IPCOMP_SUPP",
>>           "NATD_S_IP",
>>           "NATD_D_IP",
>>           "COOKIE",
>>           "USE_TRANSP",
>>           "HTTP_CERT_LOOK",
>>           "REKEY_SA",
>>           "ESP_TFC_PAD_N",
>>           "NON_FIRST_FRAG",
>>           "MOBIKE_SUP",
>>           "ADD_4_ADDR",
>>           "ADD_6_ADDR",
>>           "NO_ADD_ADDR",
>>           "UPD_SA_ADDR",
>>           "COOKIE2",
>>           "NO_NATS",
>>           "AUTH_LFT",
>>           "MULT_AUTH",
>>           "AUTH_FOLLOWS");
>> ENUM_NEXT(notify_type_short_names, EAP_ONLY_AUTHENTICATION,
>>           EAP_ONLY_AUTHENTICATION, ANOTHER_AUTH_FOLLOWS,
>>           "EAP_ONLY");
>> ENUM_NEXT(notify_type_short_names, USE_BEET_MODE, USE_BEET_MODE,
>>           EAP_ONLY_AUTHENTICATION,
>>           "BEET_MODE");
>> ENUM_NEXT(notify_type_short_names, ME_MEDIATION, ME_RESPONSE, USE_BEET_MODE,
>>           "ME_MED",
>>           "ME_EP",
>>           "ME_CB",
>>           "ME_CID",
>>           "ME_CKEY",
>>           "ME_CAUTH",
>>           "ME_R");
>> ENUM_END(notify_type_short_names, ME_RESPONSE);
>>
>> IMPORTANT: in the case of MOBIKE_UNSUPPORTED_VERSION, its value is 8193,
>> just between ME_CONNECT_FAILED and INITIAL_CONTACT. As in this case
>> there are two different macros of the type ENUM_NEXT, these macros
>> must be changed carefully in order not to lose the link between them.
>> Otherwise, somewhere in the code, at the moment when strings of notify
>> are needed (for example in the log file), the program is not going to
>> display the correct information. Note that there are two types of ENUMs,
>> the long and short types of names. So, one must modify both in the same
>> manner.
>>
>> * message.c at scr/charon/encodings/
>>
>> It controls the order of the payloads which are going to be sent in the
>> message exchange. A NEW_PAYLOAD would be added depending on its
>> architecture and operation. For example, MOBIKE_UNSUPPORTED_VERSION is
>> a notify payload that could exist as a responder or as an initiator (only
>> to terminate a MOBIKE-X connection), so it is needed to add a new
>> payload in the payload order defined in this file. Also, it is mandatory
>> to know when the NEW_PAYLOAD is taking place. For
>> MOBIKE_UNSUPPORTED_VERSION, it just could happen during IKE_AUTH or
>> as INFORMATIONAL. So let's take a look at how it should be added:
>>
>> .
>> .
>> .
>> /**
>>  * payload order for IKE_AUTH responder
>>  */
>> static payload_order_t ike_auth_r_payload_order[] = {
>> /*  payload type                  notify type */
>>     {ID_RESPONDER,                0},
>>     {CERTIFICATE,                 0},
>>     {AUTHENTICATION,              0},
>>     {EXTENSIBLE_AUTHENTICATION,   0},
>>     {CONFIGURATION,               0},
>>     {NOTIFY,                      IPCOMP_SUPPORTED},
>>     {NOTIFY,                      USE_TRANSPORT_MODE},
>>     {NOTIFY,                      ESP_TFC_PADDING_NOT_SUPPORTED},
>>     {NOTIFY,                      NON_FIRST_FRAGMENTS_ALSO},
>>     {SECURITY_ASSOCIATION,        0},
>>     {TRAFFIC_SELECTOR_INITIATOR,  0},
>>     {TRAFFIC_SELECTOR_RESPONDER,  0},
>>     {NOTIFY,                      AUTH_LIFETIME},
>>     {NOTIFY,                      MOBIKE_SUPPORTED},
>>     {NOTIFY,                      MOBIKE_UNSUPPORTED_VERSION},   <---------- Added here as responder for IKE_AUTH
>>     {NOTIFY,                      ADDITIONAL_IP4_ADDRESS},
>>     {NOTIFY,                      ADDITIONAL_IP6_ADDRESS},
>>     {NOTIFY,                      NO_ADDITIONAL_ADDRESSES},
>>     {NOTIFY,                      0},
>>     {VENDOR_ID,                   0},
>> };
>> .
>> .
>> .
>> /**
>>  * payload order for IKE_AUTH initiator
>>  */
>> static payload_order_t ike_auth_i_payload_order[] = {
>> /*  payload type                  notify type */
>>     {ID_INITIATOR,                0},
>>     {CERTIFICATE,                 0},
>>     {NOTIFY,                      INITIAL_CONTACT},
>>     {NOTIFY,                      HTTP_CERT_LOOKUP_SUPPORTED},
>>     {CERTIFICATE_REQUEST,         0},
>>     {ID_RESPONDER,                0},
>>     {AUTHENTICATION,              0},
>>     {EXTENSIBLE_AUTHENTICATION,   0},
>>     {CONFIGURATION,               0},
>>     {NOTIFY,                      IPCOMP_SUPPORTED},
>>     {NOTIFY,                      USE_TRANSPORT_MODE},
>>     {NOTIFY,                      ESP_TFC_PADDING_NOT_SUPPORTED},
>>     {NOTIFY,                      NON_FIRST_FRAGMENTS_ALSO},
>>     {SECURITY_ASSOCIATION,        0},
>>     {TRAFFIC_SELECTOR_INITIATOR,  0},
>>     {TRAFFIC_SELECTOR_RESPONDER,  0},
>>     {NOTIFY,                      MOBIKE_SUPPORTED},
>>     {NOTIFY,                      MOBIKE_UNSUPPORTED_VERSION},   <---------- Added here as initiator for IKE_AUTH
>>     {NOTIFY,                      ADDITIONAL_IP4_ADDRESS},
>>     {NOTIFY,                      ADDITIONAL_IP6_ADDRESS},
>>     {NOTIFY,                      NO_ADDITIONAL_ADDRESSES},
>>     {NOTIFY,                      0},
>>     {VENDOR_ID,                   0},
>> };
>> .
>> .
>> .
>>
>> Daniel Palomares Velásquez
>> Orange Labs de France Télécom
>> Doctorate Student
>>
>
> This also helped a lot, I always liked learning by example :)
> Especially thanks for pointing out that I needed to change message.c. I
> was not aware I needed to change that one too and I bet you saved me days
> of debugging.
>
> Yours sincerely,
>
> Jan Willem Beusink

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
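The linked-range lookup that Martin and Daniel describe above, as an added stand-alone C sketch that is not part of the thread or of strongSwan: range_t, RANGE, notify_name and chain_is_consistent are my own simplified re-implementation of the enum.h idea, not strongSwan's enum_name_t or ENUM_* macros, and the enum holds only a constructed subset of the notify types. It shows 8193 resolving to MOBIKE_UNSUPPORTED_VERSION once the ME_CONNECT_FAILED block is extended, and chain_is_consistent catching the slip the thread warns about, a block whose value range no longer matches its string list.

```c
#include <stddef.h>
#include <string.h>
/* Constructed subset of the IKEv2 notify types quoted in the thread. */
enum notify_type_t {
    UNEXPECTED_NAT_DETECTED    = 41,
    ME_CONNECT_FAILED          = 8192,
    MOBIKE_UNSUPPORTED_VERSION = 8193,   /* the value the thread adds */
    INITIAL_CONTACT            = 16384,
    SET_WINDOW_SIZE            = 16385,
};
/* One contiguous block of names chained to the next block: my own simplified
 * stand-in for the enum_name_t idea in enum.h, not strongSwan's real layout. */
typedef struct range_t range_t;
struct range_t {
    int first, last;            /* inclusive value range of this block */
    size_t count;               /* entries in names[]; must equal last-first+1 */
    const char *const *names;
    const range_t *next;        /* block with higher values, or NULL */
};
#define RANGE(f, l, n, nx) { f, l, sizeof(n) / sizeof((n)[0]), n, nx }
static const char *const nat_names[]    = { "UNEXPECTED_NAT_DETECTED" };
static const char *const me_names[]     = { "ME_CONNECT_FAILED", "MOBIKE_UNSUPPORTED_VERSION" };
static const char *const status_names[] = { "INITIAL_CONTACT", "SET_WINDOW_SIZE" };
static const range_t status_range = RANGE(INITIAL_CONTACT, SET_WINDOW_SIZE, status_names, NULL);
static const range_t me_range     = RANGE(ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, me_names, &status_range);
static const range_t notify_type_names = RANGE(UNEXPECTED_NAT_DETECTED, UNEXPECTED_NAT_DETECTED, nat_names, &me_range);

/* Walk the chain; return the name, or NULL when no block covers the value. */
const char *notify_name(const range_t *r, int value)
{
    for (; r != NULL; r = r->next)
        if (value >= r->first && value <= r->last)
            return r->names[value - r->first];
    return NULL;
}

/* The slip the thread warns about: a block whose string list no longer matches
 * its value range, or blocks that overlap. Returns 1 if consistent, else 0. */
int chain_is_consistent(const range_t *r)
{
    for (int prev_last = -1; r != NULL; prev_last = r->last, r = r->next) {
        if (r->first <= prev_last || r->last < r->first) return 0;
        if (r->count != (size_t)(r->last - r->first + 1)) return 0;
    }
    return 1;
}

/* Deliberately broken: range extended to 8193, but the string was never added. */
static const char *const broken_names[] = { "ME_CONNECT_FAILED" };
static const range_t broken_chain = RANGE(ME_CONNECT_FAILED, MOBIKE_UNSUPPORTED_VERSION, broken_names, &status_range);
```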
