summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2006-11-01 03:10:03 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2006-11-01 03:10:03 +0000
commit037e3c4e84775802702128873f541a1042e02edc (patch)
tree5ec77c61b93ac97816ad7fd92d94b4d99e11ad55
parent0a250b06d9f17515ba375278425e54f7591327eb (diff)
Add support for aggressive mode (from the k2k6 IPsec hackathon).
ok hshoexer
-rw-r--r--sbin/ipsecctl/ike.c116
-rw-r--r--sbin/ipsecctl/ipsec.conf.516
-rw-r--r--sbin/ipsecctl/ipsecctl.c18
-rw-r--r--sbin/ipsecctl/ipsecctl.h17
-rw-r--r--sbin/ipsecctl/parse.y134
5 files changed, 185 insertions, 116 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index e8144515525..df5bf79f86f 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.50 2006/09/18 13:45:45 hshoexer Exp $ */
+/* $OpenBSD: ike.c,v 1.51 2006/11/01 03:10:02 mcbride Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -40,12 +40,12 @@ static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
static int ike_get_id_type(char *);
static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
-static int ike_section_qm(struct ipsec_addr_wrap *, struct
+static int ike_section_p1(struct ipsec_addr_wrap *, struct
+ ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);
+static int ike_section_p2(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
- ipsec_transforms *, FILE *);
-static int ike_section_mm(struct ipsec_addr_wrap *, struct
- ipsec_transforms *, FILE *, struct ike_auth *);
-static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *,
+ ipsec_transforms *, FILE *, u_int8_t);
+static void ike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,
u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);
static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, FILE *);
@@ -75,12 +75,12 @@ ike_section_general(struct ipsec_rule *r, FILE *fd)
fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",
CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);
}
- if (r->mmlife && r->mmlife->lifetime != -1)
+ if (r->p1life && r->p1life->lifetime != -1)
fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n",
- r->mmlife->lifetime);
- if (r->qmlife && r->qmlife->lifetime != -1)
+ r->p1life->lifetime);
+ if (r->p2life && r->p2life->lifetime != -1)
fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n",
- r->qmlife->lifetime);
+ r->p2life->lifetime);
}
static void
@@ -196,12 +196,27 @@ ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
}
static int
-ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd)
+ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,
+ u_int8_t ike_exch)
{
- fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n",
- src->name, dst->name);
- fprintf(fd, SET "[qm-%s-%s]:Suites=QM-", src->name, dst->name);
+ char *tag, *exchange_type, *sprefix;
+
+ switch (ike_exch) {
+ case IKE_QM:
+ tag = "qm";
+ exchange_type = "QUICK_MODE";
+ sprefix = "QM";
+ break;
+ default:
+ warnx("illegal phase 2 ike mode %d", ike_exch);
+ return (-1);
+ }
+
+ fprintf(fd, SET "[%s-%s-%s]:EXCHANGE_TYPE=%s force\n",
+ tag, src->name, dst->name, exchange_type);
+ fprintf(fd, SET "[%s-%s-%s]:Suites=%s-", tag, src->name,
+ dst->name, sprefix);
switch (satype) {
case IPSEC_ESP:
@@ -328,24 +343,41 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
}
static int
-ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
- FILE *fd, struct ike_auth *auth)
+ike_section_p1(struct ipsec_addr_wrap *peer, struct ipsec_transforms *p1xfs,
+ FILE *fd, struct ike_auth *auth, u_int8_t ike_exch)
{
+ char *tag, *exchange_type;
+
+ switch (ike_exch) {
+ case IKE_MM:
+ tag = "mm";
+ exchange_type = "ID_PROT";
+ break;
+ case IKE_AM:
+ tag = "am";
+ exchange_type = "AGGRESSIVE";
+ break;
+ default:
+ warnx("illegal phase 2 ike mode %d", ike_exch);
+ return (-1);
+ }
+
if (peer) {
- fprintf(fd, SET "[peer-%s]:Configuration=mm-%s force\n",
- peer->name, peer->name);
- fprintf(fd, SET "[mm-%s]:EXCHANGE_TYPE=ID_PROT force\n",
- peer->name);
- fprintf(fd, ADD "[mm-%s]:Transforms=", peer->name);
+ fprintf(fd, SET "[peer-%s]:Configuration=%s-%s force\n",
+ peer->name, tag, peer->name);
+ fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n",
+ tag, peer->name, exchange_type);
+ fprintf(fd, ADD "[%s-%s]:Transforms=", tag, peer->name);
} else {
fprintf(fd, SET
- "[peer-default]:Configuration=mm-default force\n");
- fprintf(fd, SET "[mm-default]:EXCHANGE_TYPE=ID_PROT force\n");
- fprintf(fd, ADD "[mm-default]:Transforms=");
+ "[peer-default]:Configuration=%s-default force\n", tag);
+ fprintf(fd, SET "[%s-default]:EXCHANGE_TYPE=%s force\n",
+ tag, exchange_type);
+ fprintf(fd, ADD "[%s-default]:Transforms=", tag);
}
- if (mmxfs && mmxfs->encxf) {
- switch (mmxfs->encxf->id) {
+ if (p1xfs && p1xfs->encxf) {
+ switch (p1xfs->encxf->id) {
case ENCXF_3DES_CBC:
fprintf(fd, "3DES");
break;
@@ -362,15 +394,15 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
fprintf(fd, "CAST");
break;
default:
- warnx("illegal transform %s", mmxfs->encxf->name);
+ warnx("illegal transform %s", p1xfs->encxf->name);
return (-1);
}
} else
fprintf(fd, "AES");
fprintf(fd, "-");
- if (mmxfs && mmxfs->authxf) {
- switch (mmxfs->authxf->id) {
+ if (p1xfs && p1xfs->authxf) {
+ switch (p1xfs->authxf->id) {
case AUTHXF_HMAC_MD5:
fprintf(fd, "MD5");
break;
@@ -387,14 +419,14 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
fprintf(fd, "SHA2-512");
break;
default:
- warnx("illegal transform %s", mmxfs->authxf->name);
+ warnx("illegal transform %s", p1xfs->authxf->name);
return (-1);
}
} else
fprintf(fd, "SHA");
- if (mmxfs && mmxfs->groupxf) {
- switch (mmxfs->groupxf->id) {
+ if (p1xfs && p1xfs->groupxf) {
+ switch (p1xfs->groupxf->id) {
case GROUPXF_768:
fprintf(fd, "-GRP1");
break;
@@ -420,7 +452,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
fprintf(fd, "-GRP18");
break;
default:
- warnx("illegal group %s", mmxfs->groupxf->name);
+ warnx("illegal group %s", p1xfs->groupxf->name);
return (-1);
};
}
@@ -433,7 +465,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,
}
static void
-ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,
+ike_section_p2ids(u_int8_t proto, struct ipsec_addr_wrap *src,
u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport, FILE *fd)
{
char mask[NI_MAXHOST], *network, *p;
@@ -463,7 +495,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,
errx(1, "could not get a numeric mask");
if ((network = strdup(src->name)) == NULL)
- err(1, "ike_section_qmids: strdup");
+ err(1, "ike_section_p2ids: strdup");
if ((p = strrchr(network, '/')) != NULL)
*p = '\0';
@@ -503,7 +535,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,
errx(1, "could not get a numeric mask");
if ((network = strdup(dst->name)) == NULL)
- err(1, "ike_section_qmids: strdup");
+ err(1, "ike_section_p2ids: strdup");
if ((p = strrchr(network, '/')) != NULL)
*p = '\0';
@@ -557,14 +589,15 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd)
{
ike_section_general(r, fd);
ike_section_peer(r->peer, r->local, fd, r->ikeauth);
- if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)
+ if (ike_section_p1(r->peer, r->p1xfs,
+ fd, r->ikeauth, r->p1ie) == -1)
return (-1);
ike_section_ids(r->peer, r->auth, fd, r->ikemode);
ike_section_ipsec(r->src, r->dst, r->peer, fd);
- if (ike_section_qm(r->src, r->dst, r->satype, r->tmode, r->qmxfs, fd)
- == -1)
+ if (ike_section_p2(r->src, r->dst, r->satype, r->tmode, r->p2xfs,
+ fd, r->p2ie) == -1)
return (-1);
- ike_section_qmids(r->proto, r->src, r->sport, r->dst, r->dport, fd);
+ ike_section_p2ids(r->proto, r->src, r->sport, r->dst, r->dport, fd);
if (ike_connect(r->ikemode, r->src, r->dst, fd) == -1)
return (-1);
@@ -591,6 +624,7 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd)
if (r->peer) {
fprintf(fd, DELETE "[peer-%s]\n", r->peer->name);
fprintf(fd, DELETE "[mm-%s]\n", r->peer->name);
+ fprintf(fd, DELETE "[am-%s]\n", r->peer->name);
}
if (r->auth) {
if (r->auth->srcid)
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index f7b81c72d4e..845b5f226d9 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.102 2006/10/19 08:41:18 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.103 2006/11/01 03:10:02 mcbride Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -274,12 +274,17 @@ is identical to
.Ar remote ,
this option is generally not needed.
.It Xo
-.Ic main auth Ar algorithm
+.Ar mode auth Ar algorithm
.Ic enc Ar algorithm
.Ic group Ar group
.Xc
-These parameters define the cryptographic transforms to be used for
-main mode.
+These parameters define the mode and cryptographic transforms to be
+used for the phase 1 negotiation.
+The mode can be either
+.Ar main ,
+which specifies main mode, or
+.Ar aggressive ,
+which specifies aggressive mode.
Possible values for
.Ic auth ,
.Ic enc ,
@@ -291,6 +296,7 @@ are described below in
If omitted,
.Xr ipsecctl 8
will use the default values
+.Ar main ,
.Ar hmac-sha1 ,
.Ar aes ,
and
@@ -301,7 +307,7 @@ and
.Ic group Ar group
.Xc
These parameters define the cryptographic transforms to be used for
-quick mode.
+the phase 2 negotiation.
Possible values for
.Ic auth ,
.Ic enc ,
diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index db681e09b7e..a4139b4f115 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.c,v 1.60 2006/09/19 21:29:47 markus Exp $ */
+/* $OpenBSD: ipsecctl.c,v 1.61 2006/11/01 03:10:02 mcbride Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -242,14 +242,14 @@ ipsecctl_free_rule(struct ipsec_rule *rp)
}
if (rp->xfs)
free(rp->xfs);
- if (rp->mmxfs)
- free(rp->mmxfs);
- if (rp->qmxfs)
- free(rp->qmxfs);
- if (rp->mmlife)
- free(rp->mmlife);
- if (rp->qmlife)
- free(rp->qmlife);
+ if (rp->p1xfs)
+ free(rp->p1xfs);
+ if (rp->p2xfs)
+ free(rp->p2xfs);
+ if (rp->p1life)
+ free(rp->p1life);
+ if (rp->p2life)
+ free(rp->p2life);
if (rp->authkey) {
free(rp->authkey->data);
free(rp->authkey);
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 3020155f241..27e84bd5850 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.49 2006/06/18 18:18:01 hshoexer Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.50 2006/11/01 03:10:02 mcbride Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -77,6 +77,10 @@ enum {
enum {
IKE_AUTH_RSA, IKE_AUTH_PSK
};
+enum {
+ IKE_MM=0, IKE_AM, IKE_QM
+};
+
struct ipsec_addr {
union {
@@ -149,6 +153,7 @@ struct ipsec_life {
struct ike_mode {
struct ipsec_transforms *xfs;
struct ipsec_life *life;
+ u_int8_t ike_exch;
};
extern const struct ipsec_xf authxfs[];
@@ -169,10 +174,10 @@ struct ipsec_rule {
struct ipsec_auth *auth;
struct ike_auth *ikeauth;
struct ipsec_transforms *xfs;
- struct ipsec_transforms *mmxfs;
- struct ipsec_life *mmlife;
- struct ipsec_transforms *qmxfs;
- struct ipsec_life *qmlife;
+ struct ipsec_transforms *p1xfs;
+ struct ipsec_life *p1life;
+ struct ipsec_transforms *p2xfs;
+ struct ipsec_life *p2life;
struct ipsec_key *authkey;
struct ipsec_key *enckey;
@@ -183,6 +188,8 @@ struct ipsec_rule {
u_int8_t direction;
u_int8_t flowtype;
u_int8_t ikemode;
+ u_int8_t p1ie;
+ u_int8_t p2ie;
u_int16_t sport;
u_int16_t dport;
u_int32_t spi;
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 4734ecfe2f3..6decbd72b09 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.109 2006/09/22 10:22:49 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.110 2006/11/01 03:10:02 mcbride Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -219,8 +219,7 @@ typedef struct {
} keys;
struct ipsec_transforms *transforms;
struct ipsec_life *life;
- struct ike_mode *mainmode;
- struct ike_mode *quickmode;
+ struct ike_mode *mode;
} v;
int lineno;
} YYSTYPE;
@@ -228,8 +227,8 @@ typedef struct {
%}
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
-%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
-%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE
+%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE
+%token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE
%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT
%token <v.string> STRING
%type <v.string> string
@@ -254,8 +253,7 @@ typedef struct {
%type <v.ikeauth> ikeauth
%type <v.type> type
%type <v.life> life
-%type <v.mainmode> mainmode
-%type <v.quickmode> quickmode
+%type <v.mode> phase1mode phase2mode
%%
grammar : /* empty */
@@ -332,8 +330,8 @@ flowrule : FLOW satype dir proto hosts peers ids type {
}
;
-ikerule : IKE ikemode satype tmode proto hosts peers mainmode quickmode
- ids ikeauth {
+ikerule : IKE ikemode satype tmode proto hosts peers
+ phase1mode phase2mode ids ikeauth {
struct ipsec_rule *r;
r = create_ike($5, &$6, &$7, $8, $9, $3, $4, $2,
@@ -643,41 +641,55 @@ transform : AUTHXF STRING {
}
;
-mainmode : /* empty */ {
- struct ike_mode *mm;
+phase1mode : /* empty */ {
+ struct ike_mode *p1;
- /* We create just an empty mode */
- if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)
- err(1, "mainmode: calloc");
- $$ = mm;
+ /* We create just an empty main mode */
+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
+ err(1, "phase1mode: calloc");
+ p1->ike_exch = IKE_MM;
+ $$ = p1;
}
| MAIN transforms life {
- struct ike_mode *mm;
+ struct ike_mode *p1;
- if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)
- err(1, "mainmode: calloc");
- mm->xfs = $2;
- mm->life = $3;
- $$ = mm;
+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
+ err(1, "phase1mode: calloc");
+ p1->xfs = $2;
+ p1->life = $3;
+ p1->ike_exch = IKE_MM;
+ $$ = p1;
+ }
+ | AGGRESSIVE transforms life {
+ struct ike_mode *p1;
+
+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)
+ err(1, "phase1mode: calloc");
+ p1->xfs = $2;
+ p1->life = $3;
+ p1->ike_exch = IKE_AM;
+ $$ = p1;
}
;
-quickmode : /* empty */ {
- struct ike_mode *qm;
+phase2mode : /* empty */ {
+ struct ike_mode *p2;
- /* We create just an empty mode */
- if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)
- err(1, "quickmode: calloc");
- $$ = qm;
+ /* We create just an empty quick mode */
+ if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)
+ err(1, "phase1mode: calloc");
+ p2->ike_exch = IKE_QM;
+ $$ = p2;
}
| QUICK transforms life {
- struct ike_mode *qm;
+ struct ike_mode *p2;
- if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)
- err(1, "quickmode: calloc");
- qm->xfs = $2;
- qm->life = $3;
- $$ = qm;
+ if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)
+ err(1, "phase1mode: calloc");
+ p2->xfs = $2;
+ p2->life = $3;
+ p2->ike_exch = IKE_QM;
+ $$ = p2;
}
;
@@ -831,6 +843,7 @@ lookup(char *s)
static const struct keywords keywords[] = {
{ "acquire", ACQUIRE },
{ "active", ACTIVE },
+ { "aggressive", AGGRESSIVE },
{ "ah", AH },
{ "any", ANY },
{ "auth", AUTHXF },
@@ -1814,13 +1827,15 @@ copyrule(struct ipsec_rule *rule)
r->auth = copyipsecauth(rule->auth);
r->ikeauth = copyikeauth(rule->ikeauth);
r->xfs = copytransforms(rule->xfs);
- r->mmxfs = copytransforms(rule->mmxfs);
- r->qmxfs = copytransforms(rule->qmxfs);
- r->mmlife = copylife(rule->mmlife);
- r->qmlife = copylife(rule->qmlife);
+ r->p1xfs = copytransforms(rule->p1xfs);
+ r->p2xfs = copytransforms(rule->p2xfs);
+ r->p1life = copylife(rule->p1life);
+ r->p2life = copylife(rule->p2life);
r->authkey = copykey(rule->authkey);
r->enckey = copykey(rule->enckey);
+ r->p1ie = rule->p1ie;
+ r->p2ie = rule->p2ie;
r->type = rule->type;
r->satype = rule->satype;
r->proto = rule->proto;
@@ -2228,8 +2243,8 @@ reverse_rule(struct ipsec_rule *rule)
struct ipsec_rule *
create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
- struct ike_mode *mainmode, struct ike_mode *quickmode,
- u_int8_t satype, u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,
+ struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype,
+ u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,
struct ike_auth *authtype)
{
struct ipsec_rule *r;
@@ -2253,17 +2268,17 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
hosts->src = NULL;
free(hosts->dst);
hosts->dst = NULL;
- if (mainmode) {
- free(mainmode->xfs);
- mainmode->xfs = NULL;
- free(mainmode->life);
- mainmode->life = NULL;
- }
- if (quickmode) {
- free(quickmode->xfs);
- quickmode->xfs = NULL;
- free(quickmode->life);
- quickmode->life = NULL;
+ if (phase1mode) {
+ free(phase1mode->xfs);
+ phase1mode->xfs = NULL;
+ free(phase1mode->life);
+ phase1mode->life = NULL;
+ }
+ if (phase2mode) {
+ free(phase2mode->xfs);
+ phase2mode->xfs = NULL;
+ free(phase2mode->life);
+ phase2mode->life = NULL;
}
if (srcid)
free(srcid);
@@ -2294,14 +2309,21 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
r->satype = satype;
r->tmode = tmode;
r->ikemode = mode;
- if (mainmode) {
- r->mmxfs = mainmode->xfs;
- r->mmlife = mainmode->life;
+ if (phase1mode) {
+ r->p1xfs = phase1mode->xfs;
+ r->p1life = phase1mode->life;
+ r->p1ie = phase1mode->ike_exch;
+ } else {
+ r->p1ie = IKE_MM;
}
- if (quickmode) {
- r->qmxfs = quickmode->xfs;
- r->qmlife = quickmode->life;
+ if (phase2mode) {
+ r->p2xfs = phase2mode->xfs;
+ r->p2life = phase2mode->life;
+ r->p2ie = phase2mode->ike_exch;
+ } else {
+ r->p2ie = IKE_QM;
}
+
r->auth = calloc(1, sizeof(struct ipsec_auth));
if (r->auth == NULL)
err(1, "create_ike: calloc");