Hi again! My previous question was quite vague.
I see multiple examples of manually controlled IKE clients inside the strongSwan codebase: the Maemo/NetworkManager/Android clients. There are corresponding source files for each kind of client (maemo_service.c/nm_service.c/android_service.c) implementing a service for controlling the IKE daemon. All of those files contain a similar sequence of code for connection startup:
1) creation of an ike_cfg_t structure by ike_cfg_create(IKEV2, ...)
2) creation of a peer_cfg_t structure by peer_cfg_create(...)
3) creation of local auth rules and remote auth constraints, and setting the created constraints/rules onto the peer_cfg_t structure
4) creation of a child_cfg_t structure
5) finding/creating an ike_sa_t structure by ike_sa_manager->checkout_by_config()
6) applying the peer configuration to the IKE SA entity by ike_sa->set_peer_cfg(ike_sa, peer_cfg)
7) initiation of the exchange by ike_sa->initiate(ike_sa, child_cfg, ...)
8) returning control over the SA to the manager by charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa)

All of the presented clients are fixed on an IKEv2 protocol SA from the beginning. Does it mean that using IKEv1 is not possible in this scheme of controlling service? If it is still possible to work with IKEv1 this way, is there any additional code to append in order to make it work?

My current problem with IKEv1 and the Android client concerns the distribution of auth rules over the peer_cfg_t and ike_sa_t structures. At startup, peer_cfg is filled with the local rules and ike_sa keeps its rule list empty. During main mode authentication, inside the build() method of pubkey_v1_authenticator, no new rules merged from peer_cfg appear, and the next line returns a short list of RULE_CA_CERT:
    auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);

At the same time, RULE_SUBJECT_CERT is expected by this line:
    private = lib->credmgr->get_private(lib->credmgr, this->type, id, auth);

It is possible to fill ike_sa_t with all the needed rules right from the beginning (in initiate() of android_service.c), but I don't think that is the right way to solve this problem.

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev