From 3448598ec71c8b866168d6d16e1151a386abbde6 Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Sat, 8 May 2004 20:50:30 +0000 Subject: with manual keyed ipsec, we need keys and spis for both directions - enforce that --- usr.sbin/bgpd/parse.y | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'usr.sbin/bgpd/parse.y') diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y index 9c35b1588cb..17a6a48d1bc 100644 --- a/usr.sbin/bgpd/parse.y +++ b/usr.sbin/bgpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.107 2004/05/08 19:17:20 henning Exp $ */ +/* $OpenBSD: parse.y,v 1.108 2004/05/08 20:50:29 henning Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer @@ -1586,6 +1586,7 @@ str2key(char *s, char *dest, size_t max_len) int neighbor_consistent(struct peer *p) { + /* local-address and peer's address: same address family */ if (p->conf.local_addr.af && p->conf.local_addr.af != p->conf.remote_addr.af) { yyerror("local-address and neighbor address " @@ -1593,6 +1594,7 @@ neighbor_consistent(struct peer *p) return (-1); } + /* with any form of ipsec local-address is required */ if ((p->conf.auth.method == AUTH_IPSEC_IKE_ESP || p->conf.auth.method == AUTH_IPSEC_IKE_AH || p->conf.auth.method == AUTH_IPSEC_MANUAL_ESP || @@ -1603,5 +1605,14 @@ neighbor_consistent(struct peer *p) return (-1); } + /* with static keying we need both directions */ + if ((p->conf.auth.method == AUTH_IPSEC_MANUAL_ESP || + p->conf.auth.method == AUTH_IPSEC_MANUAL_AH) && + (!p->conf.auth.spi_in || !p->conf.auth.spi_out)) { + yyerror("with manual keyed IPsec, SPIs and keys " + "for both directions are required"); + return (-1); + } + return (0); } \ No newline at end of file -- cgit v1.2.3
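Review bot: The new static-keying check at the end of neighbor_consistent() tests only `p->conf.auth.spi_in` and `p->conf.auth.spi_out`, while its error text and the commit subject say that keys for both directions are enforced as well. If the grammar always stores a key together with its SPI the test is sufficient, but this hunk does not show that. Either record the dependency in the comment, for example `/* with static keying we need both directions; a nonzero SPI implies its key was parsed with it */`, or extend the condition to the per-direction key fields of `p->conf.auth`, which are not visible here. The test also treats an SPI of 0 as "not configured", which only holds if the parser rejects an explicitly configured SPI of 0 elsewhere.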