-rw-r--r-- | regress/sbin/ipsecctl/Makefile | 4 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ike46.in | 2 | ||||
-rw-r--r-- | regress/sbin/ipsecctl/ike46.ok | 36 | ||||
-rw-r--r-- | sbin/ipsecctl/ike.c | 22 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 17 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 15 |
6 files changed, 80 insertions, 16 deletions
diff --git a/regress/sbin/ipsecctl/Makefile b/regress/sbin/ipsecctl/Makefile
index 1ed8d4ade3c..cb1482532ff 100644
--- a/regress/sbin/ipsecctl/Makefile
+++ b/regress/sbin/ipsecctl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.30 2006/06/08 18:24:32 hshoexer Exp $
+# $OpenBSD: Makefile,v 1.31 2006/06/08 21:15:21 naddy Exp $
 # TARGETS
 # ipsec: feed ipsecNN.in through ipsecctl and check wether the output matches
@@ -18,7 +18,7 @@ IKEFAIL=1 3
 IKETESTS=1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
 IKETESTS+=16 17 18 19 20 21 22 23
 IKETESTS+=29 30 31 32 33 34 35 36 37 38 39 40
-IKETESTS+=41 42 43 44 45
+IKETESTS+=41 42 43 44 45 46
 SHELL=/bin/sh
diff --git a/regress/sbin/ipsecctl/ike46.in b/regress/sbin/ipsecctl/ike46.in
new file mode 100644
index 00000000000..e3f90f6c004
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike46.in
@@ -0,0 +1,2 @@
+ike esp tunnel from 1.1.1.1 to 2.2.2.2
+ike esp transport from 1.1.1.1 to 2.2.2.2
diff --git a/regress/sbin/ipsecctl/ike46.ok b/regress/sbin/ipsecctl/ike46.ok
new file mode 100644
index 00000000000..aab90ab162d
--- /dev/null
+++ b/regress/sbin/ipsecctl/ike46.ok
@@ -0,0 +1,36 @@
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=mm-2.2.2.2 force
+C set [mm-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-2.2.2.2]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-1.1.1.1-2.2.2.2]:Phase=2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Configuration=qm-1.1.1.1-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Remote-ID=rid-2.2.2.2 force
+C set [qm-1.1.1.1-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-2.2.2.2]:Suites=QM-ESP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-2.2.2.2]:ID-type=IPV4_ADDR force
+C set [rid-2.2.2.2]:Address=2.2.2.2 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-2.2.2.2
+C set [Phase 1]:2.2.2.2=peer-2.2.2.2 force
+C set [peer-2.2.2.2]:Phase=1 force
+C set [peer-2.2.2.2]:Address=2.2.2.2 force
+C set [peer-2.2.2.2]:Configuration=mm-2.2.2.2 force
+C set [mm-2.2.2.2]:EXCHANGE_TYPE=ID_PROT force
+C add [mm-2.2.2.2]:Transforms=AES-SHA-GRP15-RSA_SIG force
+C set [IPsec-1.1.1.1-2.2.2.2]:Phase=2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:ISAKMP-peer=peer-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Configuration=qm-1.1.1.1-2.2.2.2 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Local-ID=lid-1.1.1.1 force
+C set [IPsec-1.1.1.1-2.2.2.2]:Remote-ID=rid-2.2.2.2 force
+C set [qm-1.1.1.1-2.2.2.2]:EXCHANGE_TYPE=QUICK_MODE force
+C set [qm-1.1.1.1-2.2.2.2]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-GRP15-SUITE force
+C set [lid-1.1.1.1]:ID-type=IPV4_ADDR force
+C set [lid-1.1.1.1]:Address=1.1.1.1 force
+C set [rid-2.2.2.2]:ID-type=IPV4_ADDR force
+C set [rid-2.2.2.2]:Address=2.2.2.2 force
+C add [Phase 2]:Connections=IPsec-1.1.1.1-2.2.2.2
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index fda820ebc00..96649799011 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.38 2006/06/08 20:52:43 todd Exp $ */
+/* $OpenBSD: ike.c,v 1.39 2006/06/08 21:15:21 naddy Exp $ */
 /*
 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
@@ -40,8 +40,8 @@ static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
 static void ike_section_ipsec(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
 static int ike_section_qm(struct ipsec_addr_wrap *, struct
- ipsec_addr_wrap *, u_int8_t, struct ipsec_transforms *,
- FILE *);
+ ipsec_addr_wrap *, u_int8_t, u_int8_t, struct
+ ipsec_transforms *, FILE *);
 static int ike_section_mm(struct ipsec_addr_wrap *, struct ipsec_transforms *, FILE *, struct ike_auth *);
 static void ike_section_qmids(u_int8_t, struct ipsec_addr_wrap *,
@@ -171,7 +171,7 @@ ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 static int
 ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
- u_int8_t satype, struct ipsec_transforms *qmxfs, FILE *fd)
+ u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd)
 {
 fprintf(fd, SET "[qm-%s-%s]:EXCHANGE_TYPE=QUICK_MODE force\n",
 src->name, dst->name);
@@ -187,6 +187,17 @@ ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
 }
 fprintf(fd, "-");
+ switch (tmode) {
+ case IPSEC_TUNNEL:
+ break;
+ case IPSEC_TRANSPORT:
+ fprintf(fd, "TRP-");
+ break;
+ default:
+ warnx("illegal encapsulation mode %d", tmode);
+ return (-1);
+ }
+
 if (qmxfs && qmxfs->encxf) {
 switch (qmxfs->encxf->id) {
 case ENCXF_3DES_CBC:
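Review bot: The `default:` branch of the new `switch (tmode)` fires only after the `Suites=QM-ESP` prefix and the `fprintf(fd, "-")` just above it have already been written, so an unsupported mode leaves a half-written `C set [qm-…]:Suites=` line in `fd` before `ike_section_qm` returns -1; what consumes `fd` is outside this hunk, but if it is the isakmpd configuration stream the partial command goes out with it. The grammar presumably only yields `IPSEC_TUNNEL` or `IPSEC_TRANSPORT`, so the branch is defensive, which makes it all the more worth moving to the top of the function (the signature in the preceding hunk) where it can reject the rule before any output, leaving a plain `if (tmode == IPSEC_TRANSPORT)` to emit `TRP-` here. The rest of `ike_section_qm` lies outside this hunk.
```c
ike_section_qm(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
    u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd)
{
	/* Reject an unknown mode before anything is written to fd. */
	if (tmode != IPSEC_TUNNEL && tmode != IPSEC_TRANSPORT) {
		warnx("illegal encapsulation mode %d", tmode);
		return (-1);
	}
	/* … unchanged: EXCHANGE_TYPE and Suites prefix output … */
	fprintf(fd, "-");
	if (tmode == IPSEC_TRANSPORT)
		fprintf(fd, "TRP-");
	/* … unchanged: encryption, authentication and group transform names … */
```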
@@ -503,7 +514,8 @@ ike_gen_config(struct ipsec_rule *r, FILE *fd)
 return (-1);
 ike_section_ids(r->peer, r->auth, fd, r->ikemode);
 ike_section_ipsec(r->src, r->dst, r->peer, fd);
- if (ike_section_qm(r->src, r->dst, r->satype, r->qmxfs, fd) == -1)
+ if (ike_section_qm(r->src, r->dst, r->satype, r->tmode, r->qmxfs, fd)
+ == -1)
 return (-1);
 ike_section_qmids(r->proto, r->src, r->sport, r->dst, r->dport, fd);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 8f75d07b6e3..8a40bbe8a00 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.52 2006/06/02 18:15:26 david Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.53 2006/06/08 21:15:21 naddy Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
 .\"
@@ -356,7 +356,7 @@ This is accomplished by the following rule:
 Creates an IPsec tunnel using ESP.
 .El
 .Pp
-Note that AH and transport mode are not yet supported.
+Note that AH is not yet supported.
 See
 .Xr isakmpd 8
 for details on ISAKMP/IKE.
@@ -398,6 +398,19 @@ warriors or dialup hosts.
 If omitted,
 .Ar active
 mode will be used.
+.It Xo
+.Aq Ar tmode
+.Xc
+The encapsulation mode to be used can be specified.
+Possible modes are
+.Ar tunnel
+and
+.Ar transport .
+When left out,
+.Ar tunnel
+is chosen.
+For details on modes see
+.Xr ipsec 4 .
 .It Ic proto Aq Ar protocol
 The optional
 .Ic proto
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 57f5746cb43..0a1c4748777 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.101 2006/06/08 16:51:25 todd Exp $ */
+/* $OpenBSD: parse.y,v 1.102 2006/06/08 21:15:21 naddy Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -173,8 +173,8 @@ int expand_rule(struct ipsec_rule *, u_int8_t, u_int32_t,
 struct ipsec_rule *reverse_rule(struct ipsec_rule *);
 struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, struct ipsec_hosts *, struct ike_mode *,
- struct ike_mode *, u_int8_t, u_int8_t, char *,
- char *, struct ike_auth *);
+ struct ike_mode *, u_int8_t, u_int8_t, u_int8_t,
+ char *, char *, struct ike_auth *);
 int add_sagroup(struct ipsec_rule *);
 struct ipsec_transforms *ipsec_transforms;
@@ -331,12 +331,12 @@ flowrule : FLOW satype dir proto hosts peers ids type {
 }
 ;
-ikerule : IKE ikemode satype proto hosts peers mainmode quickmode
+ikerule : IKE ikemode satype tmode proto hosts peers mainmode quickmode
 ids ikeauth {
 struct ipsec_rule *r;
- r = create_ike($4, &$5, &$6, $7, $8, $3, $2, $9.srcid,
- $9.dstid, &$10);
+ r = create_ike($5, &$6, &$7, $8, $9, $3, $4, $2,
+ $10.srcid, $10.dstid, &$11);
 if (r == NULL)
 YYERROR;
 r->nr = ipsec->rule_nr++;
@@ -2226,7 +2226,7 @@ reverse_rule(struct ipsec_rule *rule)
 struct ipsec_rule *
 create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
 struct ike_mode *mainmode, struct ike_mode *quickmode,
- u_int8_t satype, u_int8_t mode, char *srcid, char *dstid,
+ u_int8_t satype, u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid,
 struct ike_auth *authtype)
 {
 struct ipsec_rule *r;
@@ -2283,6 +2283,7 @@ create_ike(u_int8_t proto, struct ipsec_hosts *hosts, struct ipsec_hosts *peers,
 r->local = peers->src;
 r->satype = satype;
+ r->tmode = tmode;
 r->ikemode = mode;
 if (mainmode) {
 r->mmxfs = mainmode->xfs; |
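Review bot: The rewritten `create_ike($5, &$6, &$7, $8, $9, $3, $4, $2, …)` call in the `ikerule` action passes `$3, $4, $2` into three consecutive `u_int8_t` parameters (`satype`, `tmode`, `mode`), so a transposed pair would compile, parse and silently generate a wrong isakmpd configuration; the renumbering of every `$N` after the inserted `tmode` symbol is checked only by eye. It does line up with the new grammar (IKE=$1 ikemode=$2 satype=$3 tmode=$4 proto=$5 hosts=$6 peers=$7 mainmode=$8 quickmode=$9 ids=$10 ikeauth=$11) and with the `create_ike` prototype and definition in the hunks at lines 173 and 2226. A comment over the call pinning the positional mapping would make the next insertion safer, e.g. `/* create_ike(proto, hosts, peers, mainmode, quickmode, satype, tmode, ikemode, srcid, dstid, auth) */`. The `tmode` nonterminal itself is not in this diff, so it is presumably the existing one from the manual-SA rules; the man-page hunk's "When left out, tunnel is chosen" relies on its empty alternative defaulting to `IPSEC_TUNNEL`, which is worth confirming.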