src - OpenBSD base system

diff options


context:
space:
mode:

author	Ryan Thomas McBride <mcbride@cvs.openbsd.org>	2006-11-01 03:10:03 +0000
committer	Ryan Thomas McBride <mcbride@cvs.openbsd.org>	2006-11-01 03:10:03 +0000
commit	037e3c4e84775802702128873f541a1042e02edc (patch)
tree	5ec77c61b93ac97816ad7fd92d94b4d99e11ad55 /sbin
parent	0a250b06d9f17515ba375278425e54f7591327eb (diff)

Add support for aggressive mode (from the k2k6 IPsec hackathon).

ok hshoexer

Diffstat (limited to 'sbin')

-rw-r--r--

sbin/ipsecctl/ike.c

116

-rw-r--r--

sbin/ipsecctl/ipsec.conf.5

-rw-r--r--

sbin/ipsecctl/ipsecctl.c

-rw-r--r--

sbin/ipsecctl/ipsecctl.h

-rw-r--r--

sbin/ipsecctl/parse.y

134

5 files changed, 185 insertions, 116 deletions

diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index e8144515525..df5bf79f86f 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ike.c,v 1.50 2006/09/18 13:45:45 hshoexer Exp $ */

+/* $OpenBSD: ike.c,v 1.51 2006/11/01 03:10:02 mcbride Exp $ */

@@ -40,12 +40,12 @@ static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,

static int ike_get_id_type(char *);

static void ike_section_ipsec(struct ipsec_addr_wrap *, struct

ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);

-static int ike_section_qm(struct ipsec_addr_wrap *, struct

+static int ike_section_p1(struct ipsec_addr_wrap *, struct

+ ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t);

+static int ike_section_p2(struct ipsec_addr_wrap *, struct

ipsec_addr_wrap *, u_int8_t, u_int8_t, struct

- ipsec_transforms *, FILE *);

-static int ike_section_mm(struct ipsec_addr_wrap *, struct

- ipsec_transforms *, FILE *, struct ike_auth *);

-static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *,

+ ipsec_transforms *, FILE *, u_int8_t);

+static void ike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *,

u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *);

static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct

ipsec_addr_wrap *, FILE *);

@@ -75,12 +75,12 @@ ike_section_general(struct ipsec_rule *r, FILE *fd)

fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",

CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);

}

- if (r->mmlife && r->mmlife->lifetime != -1)

+ if (r->p1life && r->p1life->lifetime != -1)

fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n",

- r->mmlife->lifetime);

- if (r->qmlife && r->qmlife->lifetime != -1)

+ r->p1life->lifetime);

+ if (r->p2life && r->p2life->lifetime != -1)

fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n",

- r->qmlife->lifetime);

+ r->p2life->lifetime);

}

static void

@@ -196,12 +196,27 @@ ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,

}

static int

-ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,

- u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd)

+ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,

+ u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd,

+ u_int8_t ike_exch)

{

- fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n",

- src->name, dst->name);

- fprintf(fd, SET "[qm-%s-%s]:Suites=QM-", src->name, dst->name);

+ char *tag, *exchange_type, *sprefix;

+ switch (ike_exch) {

+ case IKE_QM:

+ tag = "qm";

+ exchange_type = "QUICK_MODE";

+ sprefix = "QM";

+ break;

+ default:

+ warnx("illegal phase 2 ike mode %d", ike_exch);

+ return (-1);

+ }

+ fprintf(fd, SET "[%s-%s-%s]:EXCHANGE_TYPE=%s force\n",

+ tag, src->name, dst->name, exchange_type);

+ fprintf(fd, SET "[%s-%s-%s]:Suites=%s-", tag, src->name,

+ dst->name, sprefix);

switch (satype) {

case IPSEC_ESP:

@@ -328,24 +343,41 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,

}

static int

-ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,

- FILE *fd, struct ike_auth *auth)

+ike_section_p1(struct ipsec_addr_wrap *peer, struct ipsec_transforms *p1xfs,

+ FILE *fd, struct ike_auth *auth, u_int8_t ike_exch)

{

+ char *tag, *exchange_type;

+ switch (ike_exch) {

+ case IKE_MM:

+ tag = "mm";

+ exchange_type = "ID_PROT";

+ break;

+ case IKE_AM:

+ tag = "am";

+ exchange_type = "AGGRESSIVE";

+ break;

+ default:

+ warnx("illegal phase 2 ike mode %d", ike_exch);

+ return (-1);

+ }

if (peer) {

- fprintf(fd, SET "[peer-%s]:Configuration=mm-%s force\n",

- peer->name, peer->name);

- fprintf(fd, SET "[mm-%s]:EXCHANGE_TYPE=ID_PROT force\n",

- peer->name);

- fprintf(fd, ADD "[mm-%s]:Transforms=", peer->name);

+ fprintf(fd, SET "[peer-%s]:Configuration=%s-%s force\n",

+ peer->name, tag, peer->name);

+ fprintf(fd, SET "[%s-%s]:EXCHANGE_TYPE=%s force\n",

+ tag, peer->name, exchange_type);

+ fprintf(fd, ADD "[%s-%s]:Transforms=", tag, peer->name);

} else {

fprintf(fd, SET

- "[peer-default]:Configuration=mm-default force\n");

- fprintf(fd, SET "[mm-default]:EXCHANGE_TYPE=ID_PROT force\n");

- fprintf(fd, ADD "[mm-default]:Transforms=");

+ "[peer-default]:Configuration=%s-default force\n", tag);

+ fprintf(fd, SET "[%s-default]:EXCHANGE_TYPE=%s force\n",

+ tag, exchange_type);

+ fprintf(fd, ADD "[%s-default]:Transforms=", tag);

}

- if (mmxfs && mmxfs->encxf) {

- switch (mmxfs->encxf->id) {

+ if (p1xfs && p1xfs->encxf) {

+ switch (p1xfs->encxf->id) {

case ENCXF_3DES_CBC:

fprintf(fd, "3DES");

break;

@@ -362,15 +394,15 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,

fprintf(fd, "CAST");

break;

default:

- warnx("illegal transform %s", mmxfs->encxf->name);

+ warnx("illegal transform %s", p1xfs->encxf->name);

return (-1);

}

} else

fprintf(fd, "AES");

fprintf(fd, "-");

- if (mmxfs && mmxfs->authxf) {

- switch (mmxfs->authxf->id) {

+ if (p1xfs && p1xfs->authxf) {

+ switch (p1xfs->authxf->id) {

case AUTHXF_HMAC_MD5:

fprintf(fd, "MD5");

break;

@@ -387,14 +419,14 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,

fprintf(fd, "SHA2-512");

break;

default:

- warnx("illegal transform %s", mmxfs->authxf->name);

+ warnx("illegal transform %s", p1xfs->authxf->name);

return (-1);

}

} else

fprintf(fd, "SHA");

- if (mmxfs && mmxfs->groupxf) {

- switch (mmxfs->groupxf->id) {

+ if (p1xfs && p1xfs->groupxf) {

+ switch (p1xfs->groupxf->id) {

case GROUPXF_768:

fprintf(fd, "-GRP1");

break;

@@ -420,7 +452,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,

fprintf(fd, "-GRP18");

break;

default:

- warnx("illegal group %s", mmxfs->groupxf->name);

+ warnx("illegal group %s", p1xfs->groupxf->name);

return (-1);

};

}

@@ -433,7 +465,7 @@ ike_section_mm(struct ipsec_addr_wrap *peer, struct ipsec_transforms *mmxfs,

}

static void

-ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,

+ike_section_p2ids(u_int8_t proto, struct ipsec_addr_wrap *src,

u_int16_t sport, struct ipsec_addr_wrap *dst, u_int16_t dport, FILE *fd)

{

char mask[NI_MAXHOST], *network, *p;

@@ -463,7 +495,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,

errx(1, "could not get a numeric mask");

if ((network = strdup(src->name)) == NULL)

- err(1, "ike_section_qmids: strdup");

+ err(1, "ike_section_p2ids: strdup");

if ((p = strrchr(network, '/')) != NULL)

*p = '\0';

@@ -503,7 +535,7 @@ ike_section_qmids(u_int8_t proto, struct ipsec_addr_wrap *src,

errx(1, "could not get a numeric mask");

if ((network = strdup(dst->name)) == NULL)

- err(1, "ike_section_qmids: strdup");

+ err(1, "ike_section_p2ids: strdup");

if ((p = strrchr(network, '/')) != NULL)

*p = '\0';

@@ -557,14 +589,15 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd)

{

ike_section_general(r, fd);

ike_section_peer(r->peer, r->local, fd, r->ikeauth);

- if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)

+ if (ike_section_p1(r->peer, r->p1xfs,

+ fd, r->ikeauth, r->p1ie) == -1)

return (-1);

ike_section_ids(r->peer, r->auth, fd, r->ikemode);

ike_section_ipsec(r->src, r->dst, r->peer, fd);

- if (ike_section_qm(r->src, r->dst, r->satype, r->tmode, r->qmxfs, fd)

- == -1)

+ if (ike_section_p2(r->src, r->dst, r->satype, r->tmode, r->p2xfs,

+ fd, r->p2ie) == -1)

return (-1);

- ike_section_qmids(r->proto, r->src, r->sport, r->dst, r->dport, fd);

+ ike_section_p2ids(r->proto, r->src, r->sport, r->dst, r->dport, fd);

if (ike_connect(r->ikemode, r->src, r->dst, fd) == -1)

return (-1);

@@ -591,6 +624,7 @@ ike_delete_config(struct ipsec_rule *r, FILE *fd)

if (r->peer) {

fprintf(fd, DELETE "[peer-%s]\n", r->peer->name);

fprintf(fd, DELETE "[mm-%s]\n", r->peer->name);

+ fprintf(fd, DELETE "[am-%s]\n", r->peer->name);

}

if (r->auth) {

if (r->auth->srcid)

diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index f7b81c72d4e..845b5f226d9 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5

@@ -1,4 +1,4 @@

-.\" $OpenBSD: ipsec.conf.5,v 1.102 2006/10/19 08:41:18 jmc Exp $

+.\" $OpenBSD: ipsec.conf.5,v 1.103 2006/11/01 03:10:02 mcbride Exp $

.\"

@@ -274,12 +274,17 @@ is identical to

.Ar remote ,

this option is generally not needed.

.It Xo

-.Ic main auth Ar algorithm

+.Ar mode auth Ar algorithm

.Ic enc Ar algorithm

.Ic group Ar group

.Xc

-These parameters define the cryptographic transforms to be used for

-main mode.

+These parameters define the mode and cryptographic transforms to be

+used for the phase 1 negotiation.

+The mode can be either

+.Ar main ,

+which specifies main mode, or

+.Ar aggressive ,

+which specifies aggressive mode.

Possible values for

.Ic auth ,

.Ic enc ,

@@ -291,6 +296,7 @@ are described below in

If omitted,

.Xr ipsecctl 8

will use the default values

+.Ar main ,

.Ar hmac-sha1 ,

.Ar aes ,

and

@@ -301,7 +307,7 @@ and

.Ic group Ar group

.Xc

These parameters define the cryptographic transforms to be used for

-quick mode.

+the phase 2 negotiation.

Possible values for

.Ic auth ,

.Ic enc ,

diff --git a/sbin/ipsecctl/ipsecctl.c b/sbin/ipsecctl/ipsecctl.c
index db681e09b7e..a4139b4f115 100644
--- a/sbin/ipsecctl/ipsecctl.c
+++ b/sbin/ipsecctl/ipsecctl.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.c,v 1.60 2006/09/19 21:29:47 markus Exp $ */

+/* $OpenBSD: ipsecctl.c,v 1.61 2006/11/01 03:10:02 mcbride Exp $ */

@@ -242,14 +242,14 @@ ipsecctl_free_rule(struct ipsec_rule *rp)

}

if (rp->xfs)

free(rp->xfs);

- if (rp->mmxfs)

- free(rp->mmxfs);

- if (rp->qmxfs)

- free(rp->qmxfs);

- if (rp->mmlife)

- free(rp->mmlife);

- if (rp->qmlife)

- free(rp->qmlife);

+ if (rp->p1xfs)

+ free(rp->p1xfs);

+ if (rp->p2xfs)

+ free(rp->p2xfs);

+ if (rp->p1life)

+ free(rp->p1life);

+ if (rp->p2life)

+ free(rp->p2life);

if (rp->authkey) {

free(rp->authkey->data);

free(rp->authkey);

diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 3020155f241..27e84bd5850 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ipsecctl.h,v 1.49 2006/06/18 18:18:01 hshoexer Exp $ */

+/* $OpenBSD: ipsecctl.h,v 1.50 2006/11/01 03:10:02 mcbride Exp $ */

@@ -77,6 +77,10 @@ enum {

enum {

IKE_AUTH_RSA, IKE_AUTH_PSK

};

+enum {

+ IKE_MM=0, IKE_AM, IKE_QM

+};

struct ipsec_addr {

union {

@@ -149,6 +153,7 @@ struct ipsec_life {

struct ike_mode {

struct ipsec_transforms *xfs;

struct ipsec_life *life;

+ u_int8_t ike_exch;

};

extern const struct ipsec_xf authxfs[];

@@ -169,10 +174,10 @@ struct ipsec_rule {

struct ipsec_auth *auth;

struct ike_auth *ikeauth;

struct ipsec_transforms *xfs;

- struct ipsec_transforms *mmxfs;

- struct ipsec_life *mmlife;

- struct ipsec_transforms *qmxfs;

- struct ipsec_life *qmlife;

+ struct ipsec_transforms *p1xfs;

+ struct ipsec_life *p1life;

+ struct ipsec_transforms *p2xfs;

+ struct ipsec_life *p2life;

struct ipsec_key *authkey;

struct ipsec_key *enckey;

@@ -183,6 +188,8 @@ struct ipsec_rule {

u_int8_t direction;

u_int8_t flowtype;

u_int8_t ikemode;

+ u_int8_t p1ie;

+ u_int8_t p2ie;

u_int16_t sport;

u_int16_t dport;

u_int32_t spi;

diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 4734ecfe2f3..6decbd72b09 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y

@@ -1,4 +1,4 @@

-/* $OpenBSD: parse.y,v 1.109 2006/09/22 10:22:49 hshoexer Exp $ */

+/* $OpenBSD: parse.y,v 1.110 2006/11/01 03:10:02 mcbride Exp $ */

@@ -219,8 +219,7 @@ typedef struct {

} keys;

struct ipsec_transforms *transforms;

struct ipsec_life *life;

- struct ike_mode *mainmode;

- struct ike_mode *quickmode;

+ struct ike_mode *mode;

} v;

int lineno;

} YYSTYPE;

@@ -228,8 +227,8 @@ typedef struct {

%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI

-%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE

-%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE

+%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE

+%token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE

%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT

%token <v.string> STRING

%type <v.string> string

@@ -254,8 +253,7 @@ typedef struct {

%type <v.ikeauth> ikeauth

%type <v.type> type

%type <v.life> life

-%type <v.mainmode> mainmode

-%type <v.quickmode> quickmode

+%type <v.mode> phase1mode phase2mode

grammar : /* empty */

@@ -332,8 +330,8 @@ flowrule : FLOW satype dir proto hosts peers ids type {

}

;

-ikerule : IKE ikemode satype tmode proto hosts peers mainmode quickmode

- ids ikeauth {

+ikerule : IKE ikemode satype tmode proto hosts peers

+ phase1mode phase2mode ids ikeauth {

struct ipsec_rule *r;

r = create_ike($5, &$6, &$7, $8, $9, $3, $4, $2,

@@ -643,41 +641,55 @@ transform : AUTHXF STRING {

}

;

-mainmode : /* empty */ {

- struct ike_mode *mm;

+phase1mode : /* empty */ {

+ struct ike_mode *p1;

- /* We create just an empty mode */

- if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)

- err(1, "mainmode: calloc");

- $$ = mm;

+ /* We create just an empty main mode */

+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)

+ err(1, "phase1mode: calloc");

+ p1->ike_exch = IKE_MM;

+ $$ = p1;

}

| MAIN transforms life {

- struct ike_mode *mm;

+ struct ike_mode *p1;

- if ((mm = calloc(1, sizeof(struct ike_mode))) == NULL)

- err(1, "mainmode: calloc");

- mm->xfs = $2;

- mm->life = $3;

- $$ = mm;

+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)

+ err(1, "phase1mode: calloc");

+ p1->xfs = $2;

+ p1->life = $3;

+ p1->ike_exch = IKE_MM;

+ $$ = p1;

+ }

+ | AGGRESSIVE transforms life {

+ struct ike_mode *p1;

+ if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL)

+ err(1, "phase1mode: calloc");

+ p1->xfs = $2;

+ p1->life = $3;

+ p1->ike_exch = IKE_AM;

+ $$ = p1;

}

;

-quickmode : /* empty */ {

- struct ike_mode *qm;

+phase2mode : /* empty */ {

+ struct ike_mode *p2;

- /* We create just an empty mode */

- if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)

- err(1, "quickmode: calloc");

- $$ = qm;

+ /* We create just an empty quick mode */

+ if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)

+ err(1, "phase1mode: calloc");

+ p2->ike_exch = IKE_QM;

+ $$ = p2;

}

| QUICK transforms life {

- struct ike_mode *qm;

+ struct ike_mode *p2;

- if ((qm = calloc(1, sizeof(struct ike_mode))) == NULL)

- err(1, "quickmode: calloc");

- qm->xfs = $2;

- qm->life = $3;

- $$ = qm;

+ if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL)

+ err(1, "phase1mode: calloc");

+ p2->xfs = $2;

+ p2->life = $3;

+ p2->ike_exch = IKE_QM;

+ $$ = p2;

}

;

@@ -831,6 +843,7 @@ lookup(char *s)

static const struct keywords keywords[] = {

{ "acquire", ACQUIRE },

{ "active", ACTIVE },

+ { "aggressive", AGGRESSIVE },

{ "ah", AH },

{ "any", ANY },

{ "auth", AUTHXF },

@@ -1814,13 +1827,15 @@ copyrule(struct ipsec_rule *rule)

r->auth = copyipsecauth(rule->auth);

r->ikeauth = copyikeauth(rule->ikeauth);

r->xfs = copytransforms(rule->xfs);

- r->mmxfs = copytransforms(rule->mmxfs);

- r->qmxfs = copytransforms(rule->qmxfs);

- r->mmlife = copylife(rule->mmlife);

- r->qmlife = copylife(rule->qmlife);

+ r->p1xfs = copytransforms(rule->p1xfs);

+ r->p2xfs = copytransforms(rule->p2xfs);

+ r->p1life = copylife(rule->p1life);

+ r->p2life = copylife(rule->p2life);

r->authkey = copykey(rule->authkey);

r->enckey = copykey(rule->enckey);

+ r->p1ie = rule->p1ie;

+ r->p2ie = rule->p2ie;

r->type = rule->type;

r->satype = rule->satype;

r->proto = rule->proto;

@@ -2228,8 +2243,8 @@ reverse_rule(struct ipsec_rule *rule)

struct ipsec_rule *

create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,

- struct ike_mode *mainmode, struct ike_mode *quickmode,

- u_int8_t satype, u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,

+ struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype,

+ u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,

struct ike_auth *authtype)

{

struct ipsec_rule *r;

@@ -2253,17 +2268,17 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,

hosts->src = NULL;

free(hosts->dst);

hosts->dst = NULL;

- if (mainmode) {

- free(mainmode->xfs);

- mainmode->xfs = NULL;

- free(mainmode->life);

- mainmode->life = NULL;

- }

- if (quickmode) {

- free(quickmode->xfs);

- quickmode->xfs = NULL;

- free(quickmode->life);

- quickmode->life = NULL;

+ if (phase1mode) {

+ free(phase1mode->xfs);

+ phase1mode->xfs = NULL;

+ free(phase1mode->life);

+ phase1mode->life = NULL;

+ }

+ if (phase2mode) {

+ free(phase2mode->xfs);

+ phase2mode->xfs = NULL;

+ free(phase2mode->life);

+ phase2mode->life = NULL;

}

if (srcid)

free(srcid);

@@ -2294,14 +2309,21 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,

r->satype = satype;

r->tmode = tmode;

r->ikemode = mode;

- if (mainmode) {

- r->mmxfs = mainmode->xfs;

- r->mmlife = mainmode->life;

+ if (phase1mode) {

+ r->p1xfs = phase1mode->xfs;

+ r->p1life = phase1mode->life;

+ r->p1ie = phase1mode->ike_exch;

+ } else {

+ r->p1ie = IKE_MM;

}

- if (quickmode) {

- r->qmxfs = quickmode->xfs;

- r->qmlife = quickmode->life;

+ if (phase2mode) {

+ r->p2xfs = phase2mode->xfs;

+ r->p2life = phase2mode->life;

+ r->p2ie = phase2mode->ike_exch;

+ } else {

+ r->p2ie = IKE_QM;

}

r->auth = calloc(1, sizeof(struct ipsec_auth));

if (r->auth == NULL)

err(1, "create_ike: calloc");