-rw-r--r-- | sbin/ipsecctl/ike.c | 34 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsec.conf.5 | 29 | ||||
-rw-r--r-- | sbin/ipsecctl/ipsecctl.h | 4 | ||||
-rw-r--r-- | sbin/ipsecctl/parse.y | 6 |
4 files changed, 59 insertions, 14 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c index 7cc3e76370a..e44d3bf9288 100644 --- a/sbin/ipsecctl/ike.c +++ b/sbin/ipsecctl/ike.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ike.c,v 1.17 2006/02/03 13:39:29 naddy Exp $ */ +/* $OpenBSD: ike.c,v 1.18 2006/03/07 00:19:58 reyk Exp $ */ /* * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -31,10 +31,11 @@ #include "ipsecctl.h" +static void ike_section_general(struct ipsec_rule *, FILE *); static void ike_section_peer(struct ipsec_addr_wrap *, FILE *, struct ike_auth *); static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *, - FILE *); + FILE *, u_int8_t); static void ike_section_ipsec(struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); static int ike_section_qm(struct ipsec_addr_wrap *, struct @@ -58,6 +59,20 @@ int ike_ipsec_establish(int, struct ipsec_rule *); #define ISAKMPD_FIFO "/var/run/isakmpd.fifo" +#define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 +#define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 + +static void +ike_section_general(struct ipsec_rule *r, FILE *fd) +{ + if (r->ikemode == IKE_DYNAMIC) { + fprintf(fd, SET "[General]:Check-interval=%d force\n", + CONF_DFLT_DYNAMIC_CHECK_INTERVAL); + fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", + CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); + } +} + static void ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth) { 
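Review bot: The new `CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL`/`CONF_DFLT_DYNAMIC_CHECK_INTERVAL` defines and `ike_section_general` in the `@@ -58,6 +59,20 @@` hunk give no reason for the 5/30 values or for why only `IKE_DYNAMIC` rules touch the `[General]` section, so the numbers read as arbitrary to the next maintainer. Suggest a comment above the defines such as `/* dynamic (road-warrior) peers: force short isakmpd watchdog/DPD intervals so a dead peer is noticed and the tunnel renegotiated promptly */`, keeping the exact semantics of `Check-interval` to isakmpd's own documentation. It is also worth noting in that comment that both lines are written with `force`, which presumably overrides the same keys from isakmpd.conf rather than merely supplying a default.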
@@ -70,11 +85,20 @@ ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth) } static void -ike_section_ids(struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, FILE *fd) +ike_section_ids(struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, FILE *fd, + u_int8_t ikemode) { + char myname[MAXHOSTNAMELEN]; + if (auth == NULL) return; + if (ikemode == IKE_DYNAMIC && auth->srcid == NULL) { + if (gethostname(myname, sizeof(myname)) == -1) + err(1, "ike_section_ids: gethostname"); + if ((auth->srcid = strdup(myname)) == NULL) + err(1, "ike_section_ids: strdup"); + } if (auth->srcid) { fprintf(fd, SET "[peer-%s]:ID=%s-ID force\n", peer->name, "local"); @@ -290,6 +314,7 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap { switch (mode) { case IKE_ACTIVE: + case IKE_DYNAMIC: fprintf(fd, ADD "[Phase 2]:Connections=IPsec-%s-%s\n", src->name, dst->name); fprintf(fd, "t IPsec-%s-%s\n", src->name, dst->name); @@ -308,10 +333,11 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap static int ike_gen_config(struct ipsec_rule *r, FILE *fd) { + ike_section_general(r, fd); ike_section_peer(r->peer, fd, r->ikeauth); if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1) return (-1); - ike_section_ids(r->peer, r->auth, fd); + ike_section_ids(r->peer, r->auth, fd, r->ikemode); ike_section_ipsec(r->src, r->dst, r->peer, fd); if (ike_section_qm(r->src, r->dst, r->proto, r->qmxfs, fd) == -1) return (-1); diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5 index efabfd17a8a..75f7503da2c 100644 --- a/sbin/ipsecctl/ipsec.conf.5 +++ b/sbin/ipsecctl/ipsec.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsec.conf.5,v 1.30 2006/02/21 12:19:17 hshoexer Exp $ +.\" $OpenBSD: ipsec.conf.5,v 1.31 2006/03/07 00:19:58 reyk Exp $ .\" .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. .\" 
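Review bot: In the `ike_section_ids` hunk, `gethostname()` is not guaranteed to NUL-terminate `myname` when the host name is longer than `MAXHOSTNAMELEN` (POSIX leaves truncation unspecified), so the following `strdup(myname)` can read past the end of the buffer on such a host; add `myname[sizeof(myname) - 1] = '\0';` after the successful call. The new branch also rewrites `auth->srcid` on the parsed rule as a side effect of generating the isakmpd config, so anything that consumes the rule afterwards sees the hostname rather than an empty srcid; a one-line comment stating that the hostname becomes the rule's srcid from this point on would make that intentional. The body of ike_section_ids continues past the hunk.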
@@ -275,17 +275,34 @@ cryptographic transforms are used for Some parameters are optional. .Bl -tag -width xxxx .It Xo -.Ar passive +.Ar ike +.Aq Ar mode +.Ar esp .Xc When .Ar passive -is specified +is specified, .Xr isakmpd 8 will not immediately start negotiation of this tunnel, but wait for an incoming request from the remote peer. -If not specified, -.Xr isakmpd 8 -will start negotiation at once. +When +.Ar active +or +.Ar dynamic +is specified, negotiation will be started at once. +The +.Ar dynamic +mode will additionally enable Dead Peer Detection (DPD) and use the +local hostname as the identity of the local peer, if not specifed by +the +.Ar srcid +parameter. +.Ar dynamic +mode should be used for hosts with dynamic IP addresses like road +warriors or dialup hosts. +If omitted, +.Ar active +mode will be used. .It Xo .Ar from .Aq Ar src diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h index 3a0b6583175..1ffa800db72 100644 --- a/sbin/ipsecctl/ipsecctl.h +++ b/sbin/ipsecctl/ipsecctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecctl.h,v 1.27 2006/01/17 00:05:39 deraadt Exp $ */ +/* $OpenBSD: ipsecctl.h,v 1.28 2006/03/07 00:19:58 reyk Exp $ */ /* * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> * @@ -66,7 +66,7 @@ enum { COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS }; enum { - IKE_ACTIVE, IKE_PASSIVE + IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC }; enum { IKE_AUTH_RSA, IKE_AUTH_PSK diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y index 4d898d42155..a5ff3817e07 100644 --- a/sbin/ipsecctl/parse.y +++ b/sbin/ipsecctl/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.50 2006/01/20 16:11:22 naddy Exp $ */ +/* $OpenBSD: parse.y,v 1.51 2006/03/07 00:19:58 reyk Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 
@@ -190,7 +190,7 @@ typedef struct { %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE -%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT +%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC %token <v.string> STRING %type <v.dir> dir %type <v.protocol> protocol @@ -575,6 +575,7 @@ keyspec : STRING { ikemode : /* empty */ { $$ = IKE_ACTIVE; } | PASSIVE { $$ = IKE_PASSIVE; } + | DYNAMIC { $$ = IKE_DYNAMIC; } | ACTIVE { $$ = IKE_ACTIVE; } ; @@ -633,6 +634,7 @@ lookup(char *s) { "authkey", AUTHKEY }, { "comp", COMPXF }, { "dstid", DSTID }, + { "dynamic", DYNAMIC }, { "enc", ENCXF }, { "enckey", ENCKEY }, { "esp", ESP }, |