Hello,

I want to implement a "responder only" behavior in strongSwan.
I already discussed this before here: 
https://lists.strongswan.org/pipermail/users/2014-December/006986.html

The solution proposed "auto=add and rekey=yes" may be fine but is unfortunately 
not acceptable in some situations.
Since the SPs are not always present in the SPD, packets that would be candidates 
for encryption are sent to the default gateway if the tunnel is not set up yet.
The administrator has to make sure to properly filter these packets on the 
network.

My proposal is to add an "ignore_acquire" parameter, set per connection.
If set, the acquire messages are just discarded.

ipsec.conf:

conn "test"
        leftsubnet=192.168.120.0/24
        type=tunnel
        auto=route
        rightsubnet=192.168.110.0/24
        keyexchange=ikev2
        mobike=no
        left=192.168.56.120
        right=192.168.56.110
        leftauth=pubkey
        rightauth=pubkey
        leftcert="..."
        rightid=%any
        leftsendcert=yes
        rightsendcert=yes
        ignore_acquire=yes

#ping -S 192.168.120.120 192.168.110.110            
-> no tunnel is open

logs:

...
Oct  5 11:59:17 08[KNL] received an SADB_ACQUIRE
Oct  5 11:59:17 08[KNL] creating acquire job for policy 192.168.56.120/32 === 
192.168.56.110/32 with reqid {1}
Oct  5 11:59:17 08[CFG] Processing acquire, reqid = 1
Oct  5 11:59:17 08[CFG] ignoring acquire, due to connection configuration
...

It is up to the administrator to add "rekey=false" if he wants to prevent the 
connection from being rekeyed from this side.
The "ipsec up" command can still be used to open the connection.

What do you think?

Best Regards,

PS: I did not implement the option in the vici interface

Emeric
diff --git src/charon-cmd/cmd/cmd_connection.c src/charon-cmd/cmd/cmd_connection.c
index 2c0b7b9..b46cf13 100644
--- src/charon-cmd/cmd/cmd_connection.c
+++ src/charon-cmd/cmd/cmd_connection.c
@@ -195,6 +195,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 					600, 600, /* jitter, over 10min */
 					TRUE, aggressive, TRUE, /* mobike, aggressive, pull */
 					30, 0, /* DPD delay, timeout */
+					FALSE, /* ignore acquire */
 					FALSE, NULL, NULL); /* mediation */
 
 	return peer_cfg;
diff --git src/charon-nm/nm/nm_service.c src/charon-nm/nm/nm_service.c
index fc7e899..0f0a9a8 100644
--- src/charon-nm/nm/nm_service.c
+++ src/charon-nm/nm/nm_service.c
@@ -539,6 +539,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 					600, 600, /* jitter, over 10min */
 					TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
 					0, 0, /* DPD delay, timeout */
+					FALSE, /* ignore acquire */
 					FALSE, NULL, NULL); /* mediation */
 	if (virtual)
 	{
diff --git src/conftest/config.c src/conftest/config.c
index c83db7e..7691361 100644
--- src/conftest/config.c
+++ src/conftest/config.c
@@ -253,7 +253,7 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 	ike_cfg = load_ike_config(this, settings, config);
 	peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
 							   UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, TRUE,
-							   0, 0, FALSE, NULL, NULL);
+							   0, 0, FALSE, FALSE, NULL, NULL);
 
 	auth = auth_cfg_create();
 	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
diff --git src/frontends/android/jni/libandroidbridge/backend/android_service.c src/frontends/android/jni/libandroidbridge/backend/android_service.c
index 896bb09..f23d488 100644
--- src/frontends/android/jni/libandroidbridge/backend/android_service.c
+++ src/frontends/android/jni/libandroidbridge/backend/android_service.c
@@ -701,6 +701,7 @@ static job_requeue_t initiate(private_android_service_t *this)
 							   600, 600, /* jitter, over 10min */
 							   TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
 							   0, 0, /* DPD delay, timeout */
+							   FALSE, /* ignore acquire */
 							   FALSE, NULL, NULL); /* mediation */
 	peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
 	peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));
diff --git src/frontends/osx/charon-xpc/xpc_dispatch.c src/frontends/osx/charon-xpc/xpc_dispatch.c
index 04aad87..715efab 100644
--- src/frontends/osx/charon-xpc/xpc_dispatch.c
+++ src/frontends/osx/charon-xpc/xpc_dispatch.c
@@ -94,6 +94,7 @@ static peer_cfg_t* create_peer_cfg(char *name, char *host)
 							   600, 600, /* jitter, over 10min */
 							   TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
 							   30, 0, /* DPD delay, timeout */
+							   FALSE, /* ignore acquire */
 							   FALSE, NULL, NULL); /* mediation */
 	peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
 
diff --git src/libcharon/config/peer_cfg.c src/libcharon/config/peer_cfg.c
index ce93010..1930c60 100644
--- src/libcharon/config/peer_cfg.c
+++ src/libcharon/config/peer_cfg.c
@@ -155,6 +155,11 @@ struct private_peer_cfg_t {
 	 */
 	linked_list_t *remote_auth;
 
+	/**
+	 * ignore acquire for this peer config?
+	 */
+	bool ignore_acquire;
+
 #ifdef ME
 	/**
 	 * Is this a mediation connection?
@@ -461,6 +466,12 @@ METHOD(peer_cfg_t, create_auth_cfg_enumerator, enumerator_t*,
 	return this->remote_auth->create_enumerator(this->remote_auth);
 }
 
+METHOD(peer_cfg_t, ignore_acquire, bool,
+	private_peer_cfg_t *this)
+{
+	return this->ignore_acquire;
+}
+
 #ifdef ME
 METHOD(peer_cfg_t, is_mediation, bool,
 	private_peer_cfg_t *this)
@@ -653,8 +664,8 @@ peer_cfg_t *peer_cfg_create(char *name,
 							u_int32_t jitter_time, u_int32_t over_time,
 							bool mobike, bool aggressive, bool pull_mode,
 							u_int32_t dpd, u_int32_t dpd_timeout,
-							bool mediation, peer_cfg_t *mediated_by,
-							identification_t *peer_id)
+							bool ignore_acquire, bool mediation,
+							peer_cfg_t *mediated_by, identification_t *peer_id)
 {
 	private_peer_cfg_t *this;
 
@@ -696,6 +707,7 @@ peer_cfg_t *peer_cfg_create(char *name,
 			.equals = (void*)_equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
+			.ignore_acquire = _ignore_acquire,
 #ifdef ME
 			.is_mediation = _is_mediation,
 			.get_mediated_by = _get_mediated_by,
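Review bot: The new `ignore_acquire` field is not compared in the `equals` method that is wired up a few lines above the added `.ignore_acquire = _ignore_acquire,` entry. If `_equals` compares the other per-peer options (mobike, aggressive, pull mode), a reload that only toggles `ignore_acquire` would be treated as an unchanged config and the old value would stay in effect. Adding `this->ignore_acquire == other->ignore_acquire` to that comparison would cover it. `_equals` itself lies outside this hunk, so the exact form of the comparison is inferred.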
@@ -722,6 +734,7 @@ peer_cfg_t *peer_cfg_create(char *name,
 		.pools = linked_list_create(),
 		.local_auth = linked_list_create(),
 		.remote_auth = linked_list_create(),
+		.ignore_acquire = ignore_acquire,
 		.refcount = 1,
 	);
 
diff --git src/libcharon/config/peer_cfg.h src/libcharon/config/peer_cfg.h
index 3e78039..ad3f939 100644
--- src/libcharon/config/peer_cfg.h
+++ src/libcharon/config/peer_cfg.h
@@ -298,6 +298,13 @@ struct peer_cfg_t {
 	 */
 	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
 
+	/**
+	 * ignore acquire for the connection?
+	 *
+	 * @return				TRUE, if acquire has to be ignored
+	 */
+	bool (*ignore_acquire) (peer_cfg_t *this);
+
 #ifdef ME
 	/**
 	 * Is this a mediation connection?
@@ -375,6 +382,7 @@ struct peer_cfg_t {
  * @param aggressive		use/accept aggressive mode with IKEv1
  * @param pull_mode			TRUE to use modeconfig pull, FALSE for push
  * @param dpd				DPD check interval, 0 to disable
+ * @param ignore_acquire		TRUE if acquire has to be ignored
  * @param dpd_timeout		DPD timeout interval (IKEv1 only), if 0 default applies
  * @param mediation			TRUE if this is a mediation connection
  * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
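Review bot: The added `@param ignore_acquire` line sits between `dpd` and `dpd_timeout`, but in the prototype below the parameter follows `dpd_timeout` and precedes `mediation`; the doc block should follow the same order so readers can match positional arguments, so move the line after `@param dpd_timeout`. The description could also state the effect rather than restating the name, e.g. ` * @param ignore_acquire	TRUE to discard acquires for this connection instead of initiating it`.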
@@ -388,7 +396,7 @@ peer_cfg_t *peer_cfg_create(char *name,
 							u_int32_t jitter_time, u_int32_t over_time,
 							bool mobike, bool aggressive, bool pull_mode,
 							u_int32_t dpd, u_int32_t dpd_timeout,
-							bool mediation, peer_cfg_t *mediated_by,
-							identification_t *peer_id);
+							bool ignore_acquire, bool mediation,
+							peer_cfg_t *mediated_by, identification_t *peer_id);
 
 #endif /** PEER_CFG_H_ @}*/
diff --git src/libcharon/plugins/ha/ha_tunnel.c src/libcharon/plugins/ha/ha_tunnel.c
index dd23993..a0796e8 100644
--- src/libcharon/plugins/ha/ha_tunnel.c
+++ src/libcharon/plugins/ha/ha_tunnel.c
@@ -210,7 +210,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
 	peer_cfg = peer_cfg_create("ha", ike_cfg, CERT_NEVER_SEND,
 						UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE,
-						TRUE, 30, 0, FALSE, NULL, NULL);
+						TRUE, 30, 0, FALSE, FALSE, NULL, NULL);
 
 	auth_cfg = auth_cfg_create();
 	auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
diff --git src/libcharon/plugins/load_tester/load_tester_config.c src/libcharon/plugins/load_tester/load_tester_config.c
index 8a50063..9e6c4a2 100644
--- src/libcharon/plugins/load_tester/load_tester_config.c
+++ src/libcharon/plugins/load_tester/load_tester_config.c
@@ -745,6 +745,7 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 							   FALSE, FALSE, TRUE, /* mobike, aggressive, pull */
 							   this->dpd_delay,   /* dpd_delay */
 							   this->dpd_timeout, /* dpd_timeout */
+							   FALSE,             /* ignore acquire */
 							   FALSE, NULL, NULL);
 	if (this->vip)
 	{
diff --git src/libcharon/plugins/maemo/maemo_service.c src/libcharon/plugins/maemo/maemo_service.c
index 2e96f8f..4df2914 100644
--- src/libcharon/plugins/maemo/maemo_service.c
+++ src/libcharon/plugins/maemo/maemo_service.c
@@ -336,6 +336,7 @@ static gboolean initiate_connection(private_maemo_service_t *this,
 							   600, 600, /* jitter, over 10min */
 							   TRUE, FALSE, TRUE, /* mobike, aggressive, pull */
 							   0, 0, /* DPD delay, timeout */
+							   FALSE, /* ignore acquire */
 							   FALSE, NULL, NULL); /* mediation */
 	peer_cfg->add_virtual_ip(peer_cfg,  host_create_from_string("0.0.0.0", 0));
 
diff --git src/libcharon/plugins/medcli/medcli_config.c src/libcharon/plugins/medcli/medcli_config.c
index 1fb57b9..d8331ed 100644
--- src/libcharon/plugins/medcli/medcli_config.c
+++ src/libcharon/plugins/medcli/medcli_config.c
@@ -114,6 +114,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
 		TRUE, FALSE, TRUE,				/* mobike, aggressive, pull */
 		this->dpd, 0,					/* DPD delay, timeout */
+		FALSE, /* ignore acquire */
 		TRUE, NULL, NULL);				/* mediation, med by, peer id */
 	e->destroy(e);
 
@@ -151,6 +152,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		this->rekey*5, this->rekey*3,	/* jitter, overtime */
 		TRUE, FALSE, TRUE,				/* mobike, aggressive, pull */
 		this->dpd, 0,					/* DPD delay, timeout */
+		FALSE,				/* ignore acquire */
 		FALSE, med_cfg,					/* mediation, med by */
 		identification_create_from_encoding(ID_KEY_ID, other));
 
@@ -227,6 +229,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
 				TRUE, FALSE, TRUE,				/* mobike, aggressive, pull */
 				this->dpd, 0,					/* DPD delay, timeout */
+				FALSE,				/* ignore acquire */
 				FALSE, NULL, NULL);				/* mediation, med by, peer id */
 
 	auth = auth_cfg_create();
diff --git src/libcharon/plugins/medsrv/medsrv_config.c src/libcharon/plugins/medsrv/medsrv_config.c
index 02d805e..c85f63f 100644
--- src/libcharon/plugins/medsrv/medsrv_config.c
+++ src/libcharon/plugins/medsrv/medsrv_config.c
@@ -94,6 +94,7 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
 				this->rekey*5, this->rekey*3,	/* jitter, overtime */
 				TRUE, FALSE, TRUE,				/* mobike, aggressive, pull */
 				this->dpd, 0,					/* DPD delay, timeout */
+				FALSE,				/* ignore acquire */
 				TRUE, NULL, NULL);				/* mediation, med by, peer id */
 			e->destroy(e);
 
diff --git src/libcharon/plugins/sql/sql_config.c src/libcharon/plugins/sql/sql_config.c
index c47c7c0..f75e3c2 100644
--- src/libcharon/plugins/sql/sql_config.c
+++ src/libcharon/plugins/sql/sql_config.c
@@ -375,6 +375,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 					name, ike, cert_policy, uniqueid,
 					keyingtries, rekeytime, reauthtime, jitter, overtime,
 					mobike, FALSE, TRUE, dpd_delay, 0,
+					FALSE,	/* ignore acquire */
 					mediation, mediated_cfg, peer_id);
 			if (vip)
 			{
diff --git src/libcharon/plugins/stroke/stroke_config.c src/libcharon/plugins/stroke/stroke_config.c
index 55ec7cd..09d0417 100644
--- src/libcharon/plugins/stroke/stroke_config.c
+++ src/libcharon/plugins/stroke/stroke_config.c
@@ -802,6 +802,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		msg->add_conn.mobike, msg->add_conn.aggressive,
 		msg->add_conn.pushmode == 0,
 		msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
+		msg->add_conn.ignore_acquire,
 		msg->add_conn.ikeme.mediation, mediated_by, peer_id);
 
 	if (msg->add_conn.other.sourceip)
diff --git src/libcharon/plugins/uci/uci_config.c src/libcharon/plugins/uci/uci_config.c
index 2a8e403..735f78a 100644
--- src/libcharon/plugins/uci/uci_config.c
+++ src/libcharon/plugins/uci/uci_config.c
@@ -163,6 +163,7 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
 					1800, 900,						/* jitter, overtime */
 					TRUE, FALSE, TRUE,			/* mobike, aggressive, pull */
 					60, 0,						/* DPD delay, timeout */
+					FALSE,					/* ignore acquire */
 					FALSE, NULL, NULL);			/* mediation, med by, peer id */
 		auth = auth_cfg_create();
 		auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
diff --git src/libcharon/plugins/vici/vici_config.c src/libcharon/plugins/vici/vici_config.c
index d232599..af48a4d 100644
--- src/libcharon/plugins/vici/vici_config.c
+++ src/libcharon/plugins/vici/vici_config.c
@@ -1892,6 +1892,7 @@ CALLBACK(config_sn, bool,
 						peer.rand_time, peer.over_time, peer.mobike,
 						peer.aggressive, peer.pull,
 						peer.dpd_delay, peer.dpd_timeout,
+						FALSE, /* ignore acquire */
 						FALSE, NULL, NULL);
 
 	while (peer.local->remove_first(peer.local,
diff --git src/libcharon/sa/trap_manager.c src/libcharon/sa/trap_manager.c
index d6ff3c8..db281cc 100644
--- src/libcharon/sa/trap_manager.c
+++ src/libcharon/sa/trap_manager.c
@@ -319,6 +319,8 @@ METHOD(trap_manager_t, acquire, void,
 	ike_sa_t *ike_sa;
 
 	this->lock->read_lock(this->lock);
+	DBG1(DBG_CFG, "Processing acquire, reqid = %d", reqid);
+
 	enumerator = this->traps->create_enumerator(this->traps);
 	while (enumerator->enumerate(enumerator, &entry))
 	{
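Review bot: `DBG1(DBG_CFG, "Processing acquire, reqid = %d", reqid);` prints reqid with `%d`; reqid is presumably the u_int32_t handed over by the kernel interface (the kernel log quoted in the mail prints it as `{1}`), so `%u` in braces, `DBG1(DBG_CFG, "processing acquire for reqid {%u}", reqid);`, would match the type and the lowercase message style used by the `"ignoring acquire, ..."` line added in the next hunk. Logging every acquire at level 1 also duplicates the kernel plugin's "creating acquire job ... with reqid" line shown in the mail, so DBG2 may be the better level for this trace. The acquire method starts outside this hunk.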
@@ -344,6 +346,13 @@ METHOD(trap_manager_t, acquire, void,
 		return;
 	}
 	peer = found->peer_cfg->get_ref(found->peer_cfg);
+	if (peer->ignore_acquire(peer))
+	{
+		DBG1(DBG_CFG, "ignoring acquire, due to connection configuration");
+		this->lock->unlock(this->lock);
+		peer->destroy(peer);
+		return;
+	}
 	child = found->child_sa->get_config(found->child_sa);
 	child = child->get_ref(child);
 	reqid = found->child_sa->get_reqid(found->child_sa);
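Review bot: The added ignore check takes a reference on the peer config with `get_ref` only to release it again with `peer->destroy(peer)` on the early return; testing `found->peer_cfg->ignore_acquire(found->peer_cfg)` before the `get_ref` line avoids the extra ref/destroy pair and keeps the early-return path as short as the `return;` path visible at the top of the hunk. The new message would also be easier to correlate with the trap and kernel messages if it named the policy, e.g. `DBG1(DBG_CFG, "ignoring acquire for reqid {%u}, due to connection configuration", reqid);` (assuming reqid is u_int32_t). The acquire method continues outside this hunk.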
diff --git src/starter/args.c src/starter/args.c
index 0874cc7..29a4c5c 100644
--- src/starter/args.c
+++ src/starter/args.c
@@ -173,6 +173,7 @@ static const token_info_t token_info[] =
 	{ ARG_STR,  offsetof(starter_conn_t, me_peerid), NULL                          },
 	{ ARG_UINT, offsetof(starter_conn_t, reqid), NULL                              },
 	{ ARG_UINT, offsetof(starter_conn_t, replay_window), NULL                      },
+	{ ARG_MISC, 0, NULL, /* FW_IGNORE_ACQUIRE */                                   },
 	{ ARG_MISC, 0, NULL  /* KW_MARK */                                             },
 	{ ARG_MISC, 0, NULL  /* KW_MARK_IN */                                          },
 	{ ARG_MISC, 0, NULL  /* KW_MARK_OUT */                                         },
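Review bot: The comment on the added `token_info` entry reads `FW_IGNORE_ACQUIRE`, but the token introduced in keywords.h is `KW_IGNORE_ACQUIRE`, and a stray comma precedes the comment where the neighbouring entries have none. Since this table is indexed by the `kw_token_t` enum order, the comment is the only thing tying the row to its keyword, so it should be `{ ARG_MISC, 0, NULL  /* KW_IGNORE_ACQUIRE */                                  },`.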
diff --git src/starter/confread.c src/starter/confread.c
index c3a0ac0..ad476bd 100644
--- src/starter/confread.c
+++ src/starter/confread.c
@@ -523,6 +523,9 @@ static void handle_keyword(kw_token_t token, starter_conn_t *conn, char *key,
 		case KW_XAUTH:
 			KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
 			break;
+		case KW_IGNORE_ACQUIRE:
+			KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_IGNORE_ACQUIRE)
+			break;
 		default:
 			break;
 	}
diff --git src/starter/confread.h src/starter/confread.h
index 457327f..6ccc443 100644
--- src/starter/confread.h
+++ src/starter/confread.h
@@ -80,6 +80,7 @@ typedef enum {
 		SA_OPTION_XAUTH_SERVER  = 1 << 5, /* are we an XAUTH server? */
 		SA_OPTION_MOBIKE		= 1 << 6, /* enable MOBIKE for IKEv2  */
 		SA_OPTION_FORCE_ENCAP   = 1 << 7, /* force UDP encapsulation */
+		SA_OPTION_IGNORE_ACQUIRE = 1 << 8, /* ignore acquire */
 } sa_option_t;
 
 typedef struct starter_end starter_end_t;
diff --git src/starter/keywords.h src/starter/keywords.h
index 94af493..5c74869 100644
--- src/starter/keywords.h
+++ src/starter/keywords.h
@@ -73,6 +73,7 @@ enum kw_token_t {
 	KW_ME_PEERID,
 	KW_REQID,
 	KW_REPLAY_WINDOW,
+	KW_IGNORE_ACQUIRE,
 	KW_MARK,
 	KW_MARK_IN,
 	KW_MARK_OUT,
diff --git src/starter/keywords.txt src/starter/keywords.txt
index ee0bd31..601e7a0 100644
--- src/starter/keywords.txt
+++ src/starter/keywords.txt
@@ -70,6 +70,7 @@ mediated_by,       KW_MEDIATED_BY
 me_peerid,         KW_ME_PEERID
 reqid,             KW_REQID
 replay_window,     KW_REPLAY_WINDOW
+ignore_acquire,    KW_IGNORE_ACQUIRE
 mark,              KW_MARK
 mark_in,           KW_MARK_IN
 mark_out,          KW_MARK_OUT
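Review bot: The new `ignore_acquire` keyword is registered here and in keywords.h, but the patch does not document it in the ipsec.conf(5) man page alongside the other conn keywords. A short entry stating that with `ignore_acquire=yes` kernel acquires for the connection are discarded rather than triggering an initiation, that the connection can still be brought up with `ipsec up`, and that `rekey=no` is needed to also prevent rekeying from this side (as the mail itself explains) would let administrators find the option without reading the source.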
diff --git src/starter/starterstroke.c src/starter/starterstroke.c
index 79a92cd..756f93e 100644
--- src/starter/starterstroke.c
+++ src/starter/starterstroke.c
@@ -225,6 +225,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid);
 	msg->add_conn.reqid = conn->reqid;
 	msg->add_conn.replay_window = conn->replay_window;
+	msg->add_conn.ignore_acquire = conn->options & SA_OPTION_IGNORE_ACQUIRE;
 	msg->add_conn.mark_in.value = conn->mark_in.value;
 	msg->add_conn.mark_in.mask = conn->mark_in.mask;
 	msg->add_conn.mark_out.value = conn->mark_out.value;
diff --git src/stroke/stroke_msg.h src/stroke/stroke_msg.h
index 17f8a43..926f134 100644
--- src/stroke/stroke_msg.h
+++ src/stroke/stroke_msg.h
@@ -302,6 +302,7 @@ struct stroke_msg_t {
 			} mark_in, mark_out;
 			stroke_end_t me, other;
 			u_int32_t replay_window;
+			int ignore_acquire;
 		} add_conn;
 
 		/* data for STR_ADD_CA */