authorreyk <reyk@openbsd.org>2006-03-07 00:19:58 +0000
committerreyk <reyk@openbsd.org>2006-03-07 00:19:58 +0000
commit101a3da258495bdbd09e9a1003bb04277dc1e06e (patch)
tree572373cf8330727e630bd689051cf9e4b307b63b
parentsync (diff)
add an ike option for road warrior setups (hosts with dynamic ip
addresses). "ike dynamic esp" will use the system's hostname as the fqdn source id (instead of the ip address) by default and enable dpd (dead peer detection) to allow smooth reconnects after an ip address change (i.e. forced reconnect with consumer adsl lines). ok hshoexer@, looks fine markus@, jmc@
-rw-r--r--sbin/ipsecctl/ike.c34
-rw-r--r--sbin/ipsecctl/ipsec.conf.529
-rw-r--r--sbin/ipsecctl/ipsecctl.h4
-rw-r--r--sbin/ipsecctl/parse.y6
4 files changed, 59 insertions, 14 deletions
diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index 7cc3e76370a..e44d3bf9288 100644
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ike.c,v 1.17 2006/02/03 13:39:29 naddy Exp $ */
+/* $OpenBSD: ike.c,v 1.18 2006/03/07 00:19:58 reyk Exp $ */
/*
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -31,10 +31,11 @@
#include "ipsecctl.h"
+static void ike_section_general(struct ipsec_rule *, FILE *);
static void ike_section_peer(struct ipsec_addr_wrap *, FILE *,
struct ike_auth *);
static void ike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *,
- FILE *);
+ FILE *, u_int8_t);
static void ike_section_ipsec(struct ipsec_addr_wrap *, struct
ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *);
static int ike_section_qm(struct ipsec_addr_wrap *, struct
@@ -58,6 +59,20 @@ int ike_ipsec_establish(int, struct ipsec_rule *);
#define ISAKMPD_FIFO "/var/run/isakmpd.fifo"
+#define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5
+#define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30
+
+static void
+ike_section_general(struct ipsec_rule *r, FILE *fd)
+{
+ if (r->ikemode == IKE_DYNAMIC) {
+ fprintf(fd, SET "[General]:Check-interval=%d force\n",
+ CONF_DFLT_DYNAMIC_CHECK_INTERVAL);
+ fprintf(fd, SET "[General]:DPD-check-interval=%d force\n",
+ CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL);
+ }
+}
+
static void
ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth)
{
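Review bot: The two new CONF_DFLT_DYNAMIC_* constants and ike_section_general carry no comment saying what the values mean or what their scope is; the SET lines target isakmpd's [General] section, which appears to be daemon-wide rather than per-peer, so one `dynamic` rule presumably changes DPD and check timing for every connection isakmpd handles (worth confirming against isakmpd.conf(5)). A short comment above the defines would make that visible, e.g. `/* isakmpd [General] timers (presumably seconds) forced for any "dynamic" rule; the section is global, so they apply to all of isakmpd's connections */`. The unchecked fprintf results match the rest of the file, so that is consistent rather than a defect here.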
@@ -70,11 +85,20 @@ ike_section_peer(struct ipsec_addr_wrap *peer, FILE *fd, struct ike_auth *auth)
}
static void
-ike_section_ids(struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, FILE *fd)
+ike_section_ids(struct ipsec_addr_wrap *peer, struct ipsec_auth *auth, FILE *fd,
+ u_int8_t ikemode)
{
+ char myname[MAXHOSTNAMELEN];
+
if (auth == NULL)
return;
+ if (ikemode == IKE_DYNAMIC && auth->srcid == NULL) {
+ if (gethostname(myname, sizeof(myname)) == -1)
+ err(1, "ike_section_ids: gethostname");
+ if ((auth->srcid = strdup(myname)) == NULL)
+ err(1, "ike_section_ids: strdup");
+ }
if (auth->srcid) {
fprintf(fd, SET "[peer-%s]:ID=%s-ID force\n", peer->name,
"local");
@@ -290,6 +314,7 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
{
switch (mode) {
case IKE_ACTIVE:
+ case IKE_DYNAMIC:
fprintf(fd, ADD "[Phase 2]:Connections=IPsec-%s-%s\n",
src->name, dst->name);
fprintf(fd, "t IPsec-%s-%s\n", src->name, dst->name);
@@ -308,10 +333,11 @@ ike_connect(u_int8_t mode, struct ipsec_addr_wrap *src, struct ipsec_addr_wrap
static int
ike_gen_config(struct ipsec_rule *r, FILE *fd)
{
+ ike_section_general(r, fd);
ike_section_peer(r->peer, fd, r->ikeauth);
if (ike_section_mm(r->peer, r->mmxfs, fd, r->ikeauth) == -1)
return (-1);
- ike_section_ids(r->peer, r->auth, fd);
+ ike_section_ids(r->peer, r->auth, fd, r->ikemode);
ike_section_ipsec(r->src, r->dst, r->peer, fd);
if (ike_section_qm(r->src, r->dst, r->proto, r->qmxfs, fd) == -1)
return (-1);
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index efabfd17a8a..75f7503da2c 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.30 2006/02/21 12:19:17 hshoexer Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.31 2006/03/07 00:19:58 reyk Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -275,17 +275,34 @@ cryptographic transforms are used for
Some parameters are optional.
.Bl -tag -width xxxx
.It Xo
-.Ar passive
+.Ar ike
+.Aq Ar mode
+.Ar esp
.Xc
When
.Ar passive
-is specified
+is specified,
.Xr isakmpd 8
will not immediately start negotiation of this tunnel, but wait for an incoming
request from the remote peer.
-If not specified,
-.Xr isakmpd 8
-will start negotiation at once.
+When
+.Ar active
+or
+.Ar dynamic
+is specified, negotiation will be started at once.
+The
+.Ar dynamic
+mode will additionally enable Dead Peer Detection (DPD) and use the
+local hostname as the identity of the local peer, if not specifed by
+the
+.Ar srcid
+parameter.
+.Ar dynamic
+mode should be used for hosts with dynamic IP addresses like road
+warriors or dialup hosts.
+If omitted,
+.Ar active
+mode will be used.
.It Xo
.Ar from
.Aq Ar src
diff --git a/sbin/ipsecctl/ipsecctl.h b/sbin/ipsecctl/ipsecctl.h
index 3a0b6583175..1ffa800db72 100644
--- a/sbin/ipsecctl/ipsecctl.h
+++ b/sbin/ipsecctl/ipsecctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsecctl.h,v 1.27 2006/01/17 00:05:39 deraadt Exp $ */
+/* $OpenBSD: ipsecctl.h,v 1.28 2006/03/07 00:19:58 reyk Exp $ */
/*
* Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
*
@@ -66,7 +66,7 @@ enum {
COMPXF_UNKNOWN, COMPXF_DEFLATE, COMPXF_LZS
};
enum {
- IKE_ACTIVE, IKE_PASSIVE
+ IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
};
enum {
IKE_AUTH_RSA, IKE_AUTH_PSK
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index 4d898d42155..a5ff3817e07 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.50 2006/01/20 16:11:22 naddy Exp $ */
+/* $OpenBSD: parse.y,v 1.51 2006/03/07 00:19:58 reyk Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -190,7 +190,7 @@ typedef struct {
%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK PASSIVE
-%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT
+%token ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC
%token <v.string> STRING
%type <v.dir> dir
%type <v.protocol> protocol
@@ -575,6 +575,7 @@ keyspec : STRING {
ikemode : /* empty */ { $$ = IKE_ACTIVE; }
| PASSIVE { $$ = IKE_PASSIVE; }
+ | DYNAMIC { $$ = IKE_DYNAMIC; }
| ACTIVE { $$ = IKE_ACTIVE; }
;
@@ -633,6 +634,7 @@ lookup(char *s)
{ "authkey", AUTHKEY },
{ "comp", COMPXF },
{ "dstid", DSTID },
+ { "dynamic", DYNAMIC },
{ "enc", ENCXF },
{ "enckey", ENCKEY },
{ "esp", ESP },