Hi all,

I have a patch (attached) that I have been meaning to post here
for comment.  This thread prompted me to send it on.

It allows the left/rightid to use DNS names when combined with the
ipv4:/ipv6: ID types for the ID type.

The patch could be more comprehensive but it solves the basic use
case I needed.

Any comments or suggestions welcome,

Cheers,
Davidm
Glen Huang wrote the following:
> OK. Thanks a lot.
> 
> > On Jun 24, 2015, at 12:27 AM, Tobias Brunner <[email protected]> wrote:
> > 
> > Hi Glen,
> > 
> >> The doc seems to indicate that before 5.0.0, rightid=example.com
> >> will resolve the domain to an IP address. How to
> >> get this behavior after 5.0.0.?
> > 
> > 5.x won't resolve any hostnames in identities.  If you want to use IPs
> > just configure the IPs, if they are dynamic use something else as
> > identities.
> > 
> >> Also I guess the ID selector in ipsec.secrets is unrelated to
> >> left/rightid?
> > 
> > The ID selector is a list of identities, so those are matched against
> > the values in left|rightid (or xauth|eap_identity).  However, for IKEv1
> > there is a lookup based on the IP addresses first and only when using
> > Aggressive Mode will a responder be able to use identities to find secrets.
> > 
> >> But is it possible to specify a domain in id selector but
> >> actually use its resolve IP as the used value?
> > 
> > No.
> > 
> > Regards,
> > Tobias
> > 
> 
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

-- 
David McCullough,  [email protected],   Ph: 0410 560 763

--- strongswan-5.2.2/src/libstrongswan/utils/identification.c.orig	2014-10-31 01:20:15.000000000 +1000
+++ strongswan-5.2.2/src/libstrongswan/utils/identification.c	2015-03-19 15:50:35.096060175 +1000
@@ -929,6 +929,54 @@
 }
 
 /**
+ * process an ipv4 address
+ */
+static bool parse_ipv4_id(private_identification_t *this, char *str)
+{
+	host_t *host;
+	struct in_addr address;
+	chunk_t chunk = {(void*)&address, sizeof(address)};
+
+	if (inet_pton(AF_INET, str, &address) > 0)
+	{	/* is IPv4 */
+		this->encoded = chunk_clone(chunk);
+		return TRUE;
+	}
+	host = lib->hosts->resolve(lib->hosts, str, AF_INET);
+	if (host)
+	{
+		this->encoded = chunk_clone(host->get_address(host));
+		host->destroy(host);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
+ * process an ipv6 address
+ */
+static bool parse_ipv6_id(private_identification_t *this, char *str)
+{
+	host_t *host;
+	struct in6_addr address;
+	chunk_t chunk = {(void*)&address, sizeof(address)};
+
+	if (inet_pton(AF_INET6, str, &address) > 0)
+	{	/* is IPv64 */
+		this->encoded = chunk_clone(chunk);
+		return TRUE;
+	}
+	host = lib->hosts->resolve(lib->hosts, str, AF_INET6);
+	if (host)
+	{
+		this->encoded = chunk_clone(host->get_address(host));
+		host->destroy(host);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Create an identity for a specific type, determined by prefix
  */
 static private_identification_t* create_from_string_with_prefix_type(char *str)
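Review bot: The comment in parse_ipv6_id reads `/* is IPv64 */` and should be `/* is IPv6 */`. The larger point for this hunk is that both helpers add a blocking DNS lookup (`lib->hosts->resolve`) inside identity parsing, which runs at configuration load; the upstream reply quoted in this thread says 5.x deliberately does not resolve hostnames in identities, so the patch should document that the identity is frozen to whatever the resolver answered at load time (a dynamic address will not be re-resolved, and a wrong or transient resolver answer decides which peer address the identity matches). The two functions differ only in the address family and the `in_addr`/`in6_addr` size; one helper taking an `int family` parameter would halve the duplicated code and keep the two paths from drifting apart.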
@@ -936,9 +984,10 @@
 	struct {
 		const char *str;
 		id_type_t type;
+		bool (*helper)(private_identification_t *this, char *str);
 	} prefixes[] = {
-		{ "ipv4:",			ID_IPV4_ADDR			},
-		{ "ipv6:",			ID_IPV6_ADDR			},
+		{ "ipv4:",			ID_IPV4_ADDR,			parse_ipv4_id	},
+		{ "ipv6:",			ID_IPV6_ADDR,			parse_ipv6_id	},
 		{ "rfc822:",		ID_RFC822_ADDR			},
 		{ "email:",			ID_RFC822_ADDR			},
 		{ "userfqdn:",		ID_USER_FQDN			},
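Review bot: The new `helper` member is left implicitly zero-initialised for every row other than `ipv4:` and `ipv6:`, and the loop in the later hunk depends on that being NULL. That is valid C, but a short comment on the struct (or an explicit `NULL` in the remaining rows) would make the intent obvious to the next person who adds a prefix, since a forgotten initialiser would otherwise silently fall back to the raw-string path.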
@@ -961,7 +1010,7 @@
 			{
 				this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL);
 			}
-			else
+			else if (prefixes[i].helper == NULL || prefixes[i].helper(this, str) == FALSE)
 			{
 				this->encoded = chunk_clone(chunk_from_str(str));
 			}
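Review bot: When the helper fails (address neither parsable nor resolvable), this `else if` falls through to `chunk_clone(chunk_from_str(str))`, so an `ipv4:`/`ipv6:` identity ends up carrying the raw hostname bytes as its encoding. Such an identity can never match a real 4- or 16-byte address, and the configuration error is swallowed rather than reported; consider returning NULL (or logging at DBG level) from this branch when `prefixes[i].helper` is set and returns FALSE, instead of storing the string. Style-wise, `!prefixes[i].helper(this, str)` matches the surrounding code better than `== FALSE`.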
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
