1 |
|
|
/* $OpenBSD: ike.c,v 1.82 2017/10/27 08:29:32 mpi Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> |
4 |
|
|
* |
5 |
|
|
* Permission to use, copy, modify, and distribute this software for any |
6 |
|
|
* purpose with or without fee is hereby granted, provided that the above |
7 |
|
|
* copyright notice and this permission notice appear in all copies. |
8 |
|
|
* |
9 |
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 |
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 |
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 |
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 |
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 |
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 |
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 |
|
|
*/ |
17 |
|
|
|
18 |
|
|
#include <sys/types.h> |
19 |
|
|
#include <sys/socket.h> |
20 |
|
|
#include <sys/stat.h> |
21 |
|
|
#include <sys/queue.h> |
22 |
|
|
#include <netinet/in.h> |
23 |
|
|
#include <netdb.h> |
24 |
|
|
#include <arpa/inet.h> |
25 |
|
|
|
26 |
|
|
#include <err.h> |
27 |
|
|
#include <fcntl.h> |
28 |
|
|
#include <stdio.h> |
29 |
|
|
#include <stdlib.h> |
30 |
|
|
#include <string.h> |
31 |
|
|
#include <unistd.h> |
32 |
|
|
#include <limits.h> |
33 |
|
|
|
34 |
|
|
#include "ipsecctl.h" |
35 |
|
|
|
36 |
|
|
static void ike_section_general(struct ipsec_rule *, FILE *); |
37 |
|
|
static void ike_section_peer(struct ipsec_rule *, FILE *); |
38 |
|
|
static void ike_section_ids(struct ipsec_rule *, FILE *); |
39 |
|
|
static void ike_section_ipsec(struct ipsec_rule *, FILE *); |
40 |
|
|
static int ike_section_p1(struct ipsec_rule *, FILE *); |
41 |
|
|
static int ike_section_p2(struct ipsec_rule *, FILE *); |
42 |
|
|
static void ike_section_p2ids(struct ipsec_rule *, FILE *); |
43 |
|
|
static int ike_connect(struct ipsec_rule *, FILE *); |
44 |
|
|
static int ike_gen_config(struct ipsec_rule *, FILE *); |
45 |
|
|
static int ike_delete_config(struct ipsec_rule *, FILE *); |
46 |
|
|
static void ike_setup_ids(struct ipsec_rule *); |
47 |
|
|
|
48 |
|
|
int ike_print_config(struct ipsec_rule *, int); |
49 |
|
|
int ike_ipsec_establish(int, struct ipsec_rule *, const char *); |
50 |
|
|
|
51 |
|
|
#define SET "C set " |
52 |
|
|
#define ADD "C add " |
53 |
|
|
#define DELETE "C rms " |
54 |
|
|
#define RMV "C rmv " |
55 |
|
|
|
56 |
|
|
#define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 |
57 |
|
|
#define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 |
58 |
|
|
|
59 |
|
|
char *ike_id_types[] = { |
60 |
|
|
"", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" |
61 |
|
|
}; |
62 |
|
|
|
63 |
|
|
static void |
64 |
|
|
ike_section_general(struct ipsec_rule *r, FILE *fd) |
65 |
|
|
{ |
66 |
|
|
if (r->ikemode == IKE_DYNAMIC) { |
67 |
|
|
fprintf(fd, SET "[General]:Check-interval=%d force\n", |
68 |
|
|
CONF_DFLT_DYNAMIC_CHECK_INTERVAL); |
69 |
|
|
fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", |
70 |
|
|
CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); |
71 |
|
|
} |
72 |
|
|
} |
73 |
|
|
|
74 |
|
|
static void |
75 |
|
|
ike_section_peer(struct ipsec_rule *r, FILE *fd) |
76 |
|
|
{ |
77 |
|
|
if (r->peer) |
78 |
|
|
fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, |
79 |
|
|
r->p1name); |
80 |
|
|
else |
81 |
|
|
fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); |
82 |
|
|
fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); |
83 |
|
|
if (r->peer) |
84 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, |
85 |
|
|
r->peer->name); |
86 |
|
|
if (r->local) |
87 |
|
|
fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, |
88 |
|
|
r->local->name); |
89 |
|
|
if (r->ikeauth->type == IKE_AUTH_PSK) |
90 |
|
|
fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, |
91 |
|
|
r->ikeauth->string); |
92 |
|
|
} |
93 |
|
|
|
94 |
|
|
static void |
95 |
|
|
ike_section_ids(struct ipsec_rule *r, FILE *fd) |
96 |
|
|
{ |
97 |
|
|
char myname[HOST_NAME_MAX+1]; |
98 |
|
|
|
99 |
|
|
if (r->auth == NULL) |
100 |
|
|
return; |
101 |
|
|
|
102 |
|
|
if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { |
103 |
|
|
if (gethostname(myname, sizeof(myname)) == -1) |
104 |
|
|
err(1, "ike_section_ids: gethostname"); |
105 |
|
|
if ((r->auth->srcid = strdup(myname)) == NULL) |
106 |
|
|
err(1, "ike_section_ids: strdup"); |
107 |
|
|
r->auth->srcid_type = ID_FQDN; |
108 |
|
|
} |
109 |
|
|
if (r->auth->srcid) { |
110 |
|
|
fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, |
111 |
|
|
r->auth->srcid); |
112 |
|
|
fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, |
113 |
|
|
ike_id_types[r->auth->srcid_type]); |
114 |
|
|
if (r->auth->srcid_type == ID_IPV4 || |
115 |
|
|
r->auth->srcid_type == ID_IPV6) |
116 |
|
|
fprintf(fd, SET "[id-%s]:Address=%s force\n", |
117 |
|
|
r->auth->srcid, r->auth->srcid); |
118 |
|
|
else |
119 |
|
|
fprintf(fd, SET "[id-%s]:Name=%s force\n", |
120 |
|
|
r->auth->srcid, r->auth->srcid); |
121 |
|
|
} |
122 |
|
|
if (r->auth->dstid) { |
123 |
|
|
fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, |
124 |
|
|
r->auth->dstid); |
125 |
|
|
fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, |
126 |
|
|
ike_id_types[r->auth->dstid_type]); |
127 |
|
|
if (r->auth->dstid_type == ID_IPV4 || |
128 |
|
|
r->auth->dstid_type == ID_IPV6) |
129 |
|
|
fprintf(fd, SET "[id-%s]:Address=%s force\n", |
130 |
|
|
r->auth->dstid, r->auth->dstid); |
131 |
|
|
else |
132 |
|
|
fprintf(fd, SET "[id-%s]:Name=%s force\n", |
133 |
|
|
r->auth->dstid, r->auth->dstid); |
134 |
|
|
} |
135 |
|
|
} |
136 |
|
|
|
137 |
|
|
static void |
138 |
|
|
ike_section_ipsec(struct ipsec_rule *r, FILE *fd) |
139 |
|
|
{ |
140 |
|
|
fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); |
141 |
|
|
fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); |
142 |
|
|
fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, |
143 |
|
|
r->p2name); |
144 |
|
|
fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); |
145 |
|
|
if (r->p2nid) |
146 |
|
|
fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); |
147 |
|
|
fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); |
148 |
|
|
|
149 |
|
|
if (r->tag) |
150 |
|
|
fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); |
151 |
|
|
} |
152 |
|
|
|
153 |
|
|
static int |
154 |
|
|
ike_section_p2(struct ipsec_rule *r, FILE *fd) |
155 |
|
|
{ |
156 |
|
|
char *exchange_type, *key_length, *transform, *p; |
157 |
|
|
char *enc_alg, *auth_alg, *group_desc, *encap; |
158 |
|
|
int needauth = 1; |
159 |
|
|
int num_print = 0; |
160 |
|
|
|
161 |
|
|
switch (r->p2ie) { |
162 |
|
|
case IKE_QM: |
163 |
|
|
exchange_type = "QUICK_MODE"; |
164 |
|
|
break; |
165 |
|
|
default: |
166 |
|
|
warnx("illegal phase 2 ike mode %d", r->p2ie); |
167 |
|
|
return (-1); |
168 |
|
|
} |
169 |
|
|
|
170 |
|
|
fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, |
171 |
|
|
exchange_type); |
172 |
|
|
fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name, |
173 |
|
|
r->p2name); |
174 |
|
|
|
175 |
|
|
fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s " |
176 |
|
|
"force\n", r->p2name, r->p2name); |
177 |
|
|
|
178 |
|
|
fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name); |
179 |
|
|
|
180 |
|
|
switch (r->satype) { |
181 |
|
|
case IPSEC_ESP: |
182 |
|
|
fprintf(fd, "IPSEC_ESP"); |
183 |
|
|
break; |
184 |
|
|
case IPSEC_AH: |
185 |
|
|
fprintf(fd, "IPSEC_AH"); |
186 |
|
|
break; |
187 |
|
|
default: |
188 |
|
|
warnx("illegal satype %d", r->satype); |
189 |
|
|
return (-1); |
190 |
|
|
} |
191 |
|
|
fprintf(fd, " force\n"); |
192 |
|
|
|
193 |
|
|
key_length = NULL; |
194 |
|
|
enc_alg = NULL; |
195 |
|
|
if (r->p2xfs && r->p2xfs->encxf) { |
196 |
|
|
if (r->satype == IPSEC_ESP) { |
197 |
|
|
switch (r->p2xfs->encxf->id) { |
198 |
|
|
case ENCXF_3DES_CBC: |
199 |
|
|
enc_alg = "3DES"; |
200 |
|
|
break; |
201 |
|
|
case ENCXF_AES: |
202 |
|
|
enc_alg = "AES"; |
203 |
|
|
key_length = "128,128:256"; |
204 |
|
|
break; |
205 |
|
|
case ENCXF_AES_128: |
206 |
|
|
enc_alg = "AES"; |
207 |
|
|
key_length = "128,128:128"; |
208 |
|
|
break; |
209 |
|
|
case ENCXF_AES_192: |
210 |
|
|
enc_alg = "AES"; |
211 |
|
|
key_length = "192,192:192"; |
212 |
|
|
break; |
213 |
|
|
case ENCXF_AES_256: |
214 |
|
|
enc_alg = "AES"; |
215 |
|
|
key_length = "256,256:256"; |
216 |
|
|
break; |
217 |
|
|
case ENCXF_AESCTR: |
218 |
|
|
enc_alg = "AES_CTR"; |
219 |
|
|
key_length = "128,128:128"; |
220 |
|
|
break; |
221 |
|
|
case ENCXF_AES_128_CTR: |
222 |
|
|
enc_alg = "AES_CTR"; |
223 |
|
|
key_length = "128,128:128"; |
224 |
|
|
break; |
225 |
|
|
case ENCXF_AES_192_CTR: |
226 |
|
|
enc_alg = "AES_CTR"; |
227 |
|
|
key_length = "192,192:192"; |
228 |
|
|
break; |
229 |
|
|
case ENCXF_AES_256_CTR: |
230 |
|
|
enc_alg = "AES_CTR"; |
231 |
|
|
key_length = "256,256:256"; |
232 |
|
|
break; |
233 |
|
|
case ENCXF_AES_128_GCM: |
234 |
|
|
enc_alg = "AES_GCM_16"; |
235 |
|
|
key_length = "128,128:128"; |
236 |
|
|
needauth = 0; |
237 |
|
|
break; |
238 |
|
|
case ENCXF_AES_192_GCM: |
239 |
|
|
enc_alg = "AES_GCM_16"; |
240 |
|
|
key_length = "192,192:192"; |
241 |
|
|
needauth = 0; |
242 |
|
|
break; |
243 |
|
|
case ENCXF_AES_256_GCM: |
244 |
|
|
enc_alg = "AES_GCM_16"; |
245 |
|
|
key_length = "256,256:256"; |
246 |
|
|
needauth = 0; |
247 |
|
|
break; |
248 |
|
|
case ENCXF_AES_128_GMAC: |
249 |
|
|
enc_alg = "AES_GMAC"; |
250 |
|
|
key_length = "128,128:128"; |
251 |
|
|
needauth = 0; |
252 |
|
|
break; |
253 |
|
|
case ENCXF_AES_192_GMAC: |
254 |
|
|
enc_alg = "AES_GMAC"; |
255 |
|
|
key_length = "192,192:192"; |
256 |
|
|
needauth = 0; |
257 |
|
|
break; |
258 |
|
|
case ENCXF_AES_256_GMAC: |
259 |
|
|
enc_alg = "AES_GMAC"; |
260 |
|
|
key_length = "256,256:256"; |
261 |
|
|
needauth = 0; |
262 |
|
|
break; |
263 |
|
|
case ENCXF_BLOWFISH: |
264 |
|
|
enc_alg = "BLOWFISH"; |
265 |
|
|
key_length = "128,96:192"; |
266 |
|
|
break; |
267 |
|
|
case ENCXF_CAST128: |
268 |
|
|
enc_alg = "CAST"; |
269 |
|
|
break; |
270 |
|
|
case ENCXF_NULL: |
271 |
|
|
enc_alg = "NULL"; |
272 |
|
|
needauth = 0; |
273 |
|
|
break; |
274 |
|
|
default: |
275 |
|
|
warnx("illegal transform %s", |
276 |
|
|
r->p2xfs->encxf->name); |
277 |
|
|
return (-1); |
278 |
|
|
} |
279 |
|
|
} else { |
280 |
|
|
warnx("illegal transform %s", r->p2xfs->encxf->name); |
281 |
|
|
return (-1); |
282 |
|
|
} |
283 |
|
|
} else if (r->satype == IPSEC_ESP) { |
284 |
|
|
enc_alg = "AES"; |
285 |
|
|
key_length = "128,128:256"; |
286 |
|
|
} |
287 |
|
|
|
288 |
|
|
switch (r->tmode) { |
289 |
|
|
case IPSEC_TUNNEL: |
290 |
|
|
encap = "TUNNEL"; |
291 |
|
|
break; |
292 |
|
|
case IPSEC_TRANSPORT: |
293 |
|
|
encap = "TRANSPORT"; |
294 |
|
|
break; |
295 |
|
|
default: |
296 |
|
|
warnx("illegal encapsulation mode %d", r->tmode); |
297 |
|
|
return (-1); |
298 |
|
|
} |
299 |
|
|
|
300 |
|
|
auth_alg = NULL; |
301 |
|
|
if (r->p2xfs && r->p2xfs->authxf) { |
302 |
|
|
switch (r->p2xfs->authxf->id) { |
303 |
|
|
case AUTHXF_HMAC_MD5: |
304 |
|
|
auth_alg = "MD5"; |
305 |
|
|
break; |
306 |
|
|
case AUTHXF_HMAC_SHA1: |
307 |
|
|
auth_alg = "SHA"; |
308 |
|
|
break; |
309 |
|
|
case AUTHXF_HMAC_RIPEMD160: |
310 |
|
|
auth_alg = "RIPEMD"; |
311 |
|
|
break; |
312 |
|
|
case AUTHXF_HMAC_SHA2_256: |
313 |
|
|
auth_alg = "SHA2_256"; |
314 |
|
|
break; |
315 |
|
|
case AUTHXF_HMAC_SHA2_384: |
316 |
|
|
auth_alg = "SHA2_384"; |
317 |
|
|
break; |
318 |
|
|
case AUTHXF_HMAC_SHA2_512: |
319 |
|
|
auth_alg = "SHA2_512"; |
320 |
|
|
break; |
321 |
|
|
default: |
322 |
|
|
warnx("illegal transform %s", r->p2xfs->authxf->name); |
323 |
|
|
return (-1); |
324 |
|
|
} |
325 |
|
|
} else if (needauth) |
326 |
|
|
auth_alg = "SHA2_256"; |
327 |
|
|
|
328 |
|
|
group_desc = NULL; |
329 |
|
|
if (r->p2xfs && r->p2xfs->groupxf) { |
330 |
|
|
switch (r->p2xfs->groupxf->id) { |
331 |
|
|
case GROUPXF_NONE: |
332 |
|
|
break; |
333 |
|
|
case GROUPXF_1: |
334 |
|
|
group_desc = "MODP_768"; |
335 |
|
|
break; |
336 |
|
|
case GROUPXF_2: |
337 |
|
|
group_desc = "MODP_1024"; |
338 |
|
|
break; |
339 |
|
|
case GROUPXF_5: |
340 |
|
|
group_desc = "MODP_1536"; |
341 |
|
|
break; |
342 |
|
|
case GROUPXF_14: |
343 |
|
|
group_desc = "MODP_2048"; |
344 |
|
|
break; |
345 |
|
|
case GROUPXF_15: |
346 |
|
|
group_desc = "MODP_3072"; |
347 |
|
|
break; |
348 |
|
|
case GROUPXF_16: |
349 |
|
|
group_desc = "MODP_4096"; |
350 |
|
|
break; |
351 |
|
|
case GROUPXF_17: |
352 |
|
|
group_desc = "MODP_6144"; |
353 |
|
|
break; |
354 |
|
|
case GROUPXF_18: |
355 |
|
|
group_desc = "MODP_8192"; |
356 |
|
|
break; |
357 |
|
|
case GROUPXF_19: |
358 |
|
|
group_desc = "ECP_256"; |
359 |
|
|
break; |
360 |
|
|
case GROUPXF_20: |
361 |
|
|
group_desc = "ECP_384"; |
362 |
|
|
break; |
363 |
|
|
case GROUPXF_21: |
364 |
|
|
group_desc = "ECP_521"; |
365 |
|
|
break; |
366 |
|
|
case GROUPXF_25: |
367 |
|
|
group_desc = "ECP_192"; |
368 |
|
|
break; |
369 |
|
|
case GROUPXF_26: |
370 |
|
|
group_desc = "ECP_224"; |
371 |
|
|
break; |
372 |
|
|
case GROUPXF_27: |
373 |
|
|
group_desc = "BP_224"; |
374 |
|
|
break; |
375 |
|
|
case GROUPXF_28: |
376 |
|
|
group_desc = "BP_256"; |
377 |
|
|
break; |
378 |
|
|
case GROUPXF_29: |
379 |
|
|
group_desc = "BP_384"; |
380 |
|
|
break; |
381 |
|
|
case GROUPXF_30: |
382 |
|
|
group_desc = "BP_512"; |
383 |
|
|
break; |
384 |
|
|
default: |
385 |
|
|
warnx("illegal group %s", r->p2xfs->groupxf->name); |
386 |
|
|
return (-1); |
387 |
|
|
} |
388 |
|
|
} else |
389 |
|
|
group_desc = "MODP_3072"; |
390 |
|
|
|
391 |
|
|
/* the transform name must not include "," */ |
392 |
|
|
if (key_length && (p = strchr(key_length, ',')) != NULL) |
393 |
|
|
num_print = p - key_length; |
394 |
|
|
/* |
395 |
|
|
* create a unique transform name, otherwise we cannot have |
396 |
|
|
* multiple transforms per p2name. |
397 |
|
|
*/ |
398 |
|
|
if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s", |
399 |
|
|
r->p2name, |
400 |
|
|
enc_alg ? enc_alg : "NONE", |
401 |
|
|
num_print, key_length ? key_length : "", |
402 |
|
|
auth_alg ? auth_alg : "NONE", |
403 |
|
|
group_desc ? group_desc : "NONE", |
404 |
|
|
encap) == -1) |
405 |
|
|
errx(1, "asprintf phase2-transform"); |
406 |
|
|
|
407 |
|
|
fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n", |
408 |
|
|
r->p2name, transform); |
409 |
|
|
|
410 |
|
|
fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform, |
411 |
|
|
r->satype == IPSEC_AH ? auth_alg : enc_alg); |
412 |
|
|
if (key_length) |
413 |
|
|
fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, |
414 |
|
|
key_length); |
415 |
|
|
fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap); |
416 |
|
|
if (auth_alg) |
417 |
|
|
fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n", |
418 |
|
|
transform, auth_alg); |
419 |
|
|
if (group_desc) |
420 |
|
|
fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, |
421 |
|
|
group_desc); |
422 |
|
|
|
423 |
|
|
if (r->p2life && r->p2life->lt_seconds != -1) { |
424 |
|
|
fprintf(fd, SET "[%s]:Life=%s-life force\n", |
425 |
|
|
transform, transform); |
426 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", |
427 |
|
|
transform); |
428 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", |
429 |
|
|
transform, r->p2life->lt_seconds); |
430 |
|
|
} else |
431 |
|
|
fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n", |
432 |
|
|
transform); |
433 |
|
|
|
434 |
|
|
free(transform); |
435 |
|
|
return (0); |
436 |
|
|
} |
437 |
|
|
|
438 |
|
|
static int |
439 |
|
|
ike_section_p1(struct ipsec_rule *r, FILE *fd) |
440 |
|
|
{ |
441 |
|
|
char *exchange_type, *key_length, *transform, *p; |
442 |
|
|
char *enc_alg, *auth_alg, *group_desc, *auth_method; |
443 |
|
|
int num_print = 0; |
444 |
|
|
|
445 |
|
|
switch (r->p1ie) { |
446 |
|
|
case IKE_MM: |
447 |
|
|
exchange_type = "ID_PROT"; |
448 |
|
|
break; |
449 |
|
|
case IKE_AM: |
450 |
|
|
exchange_type = "AGGRESSIVE"; |
451 |
|
|
break; |
452 |
|
|
default: |
453 |
|
|
warnx("illegal phase 1 ike mode %d", r->p1ie); |
454 |
|
|
return (-1); |
455 |
|
|
} |
456 |
|
|
|
457 |
|
|
fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, |
458 |
|
|
r->p1name); |
459 |
|
|
fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, |
460 |
|
|
exchange_type); |
461 |
|
|
|
462 |
|
|
key_length = NULL; |
463 |
|
|
if (r->p1xfs && r->p1xfs->encxf) { |
464 |
|
|
switch (r->p1xfs->encxf->id) { |
465 |
|
|
case ENCXF_3DES_CBC: |
466 |
|
|
enc_alg = "3DES"; |
467 |
|
|
break; |
468 |
|
|
case ENCXF_AES: |
469 |
|
|
enc_alg = "AES"; |
470 |
|
|
key_length = "128,128:256"; |
471 |
|
|
break; |
472 |
|
|
case ENCXF_AES_128: |
473 |
|
|
enc_alg = "AES"; |
474 |
|
|
key_length = "128,128:128"; |
475 |
|
|
break; |
476 |
|
|
case ENCXF_AES_192: |
477 |
|
|
enc_alg = "AES"; |
478 |
|
|
key_length = "192,192:192"; |
479 |
|
|
break; |
480 |
|
|
case ENCXF_AES_256: |
481 |
|
|
enc_alg = "AES"; |
482 |
|
|
key_length = "256,256:256"; |
483 |
|
|
break; |
484 |
|
|
case ENCXF_BLOWFISH: |
485 |
|
|
enc_alg = "BLOWFISH"; |
486 |
|
|
key_length = "128,96:192"; |
487 |
|
|
break; |
488 |
|
|
case ENCXF_CAST128: |
489 |
|
|
enc_alg = "CAST"; |
490 |
|
|
break; |
491 |
|
|
default: |
492 |
|
|
warnx("illegal transform %s", r->p1xfs->encxf->name); |
493 |
|
|
return (-1); |
494 |
|
|
} |
495 |
|
|
} else { |
496 |
|
|
enc_alg = "AES"; |
497 |
|
|
key_length = "128,128:256"; |
498 |
|
|
} |
499 |
|
|
|
500 |
|
|
if (r->p1xfs && r->p1xfs->authxf) { |
501 |
|
|
switch (r->p1xfs->authxf->id) { |
502 |
|
|
case AUTHXF_HMAC_MD5: |
503 |
|
|
auth_alg = "MD5"; |
504 |
|
|
break; |
505 |
|
|
case AUTHXF_HMAC_SHA1: |
506 |
|
|
auth_alg = "SHA"; |
507 |
|
|
break; |
508 |
|
|
case AUTHXF_HMAC_SHA2_256: |
509 |
|
|
auth_alg = "SHA2_256"; |
510 |
|
|
break; |
511 |
|
|
case AUTHXF_HMAC_SHA2_384: |
512 |
|
|
auth_alg = "SHA2_384"; |
513 |
|
|
break; |
514 |
|
|
case AUTHXF_HMAC_SHA2_512: |
515 |
|
|
auth_alg = "SHA2_512"; |
516 |
|
|
break; |
517 |
|
|
default: |
518 |
|
|
warnx("illegal transform %s", r->p1xfs->authxf->name); |
519 |
|
|
return (-1); |
520 |
|
|
} |
521 |
|
|
} else |
522 |
|
|
auth_alg = "SHA"; |
523 |
|
|
|
524 |
|
|
if (r->p1xfs && r->p1xfs->groupxf) { |
525 |
|
|
switch (r->p1xfs->groupxf->id) { |
526 |
|
|
case GROUPXF_1: |
527 |
|
|
group_desc = "MODP_768"; |
528 |
|
|
break; |
529 |
|
|
case GROUPXF_2: |
530 |
|
|
group_desc = "MODP_1024"; |
531 |
|
|
break; |
532 |
|
|
case GROUPXF_5: |
533 |
|
|
group_desc = "MODP_1536"; |
534 |
|
|
break; |
535 |
|
|
case GROUPXF_14: |
536 |
|
|
group_desc = "MODP_2048"; |
537 |
|
|
break; |
538 |
|
|
case GROUPXF_15: |
539 |
|
|
group_desc = "MODP_3072"; |
540 |
|
|
break; |
541 |
|
|
case GROUPXF_16: |
542 |
|
|
group_desc = "MODP_4096"; |
543 |
|
|
break; |
544 |
|
|
case GROUPXF_17: |
545 |
|
|
group_desc = "MODP_6144"; |
546 |
|
|
break; |
547 |
|
|
case GROUPXF_18: |
548 |
|
|
group_desc = "MODP_8192"; |
549 |
|
|
break; |
550 |
|
|
case GROUPXF_19: |
551 |
|
|
group_desc = "ECP_256"; |
552 |
|
|
break; |
553 |
|
|
case GROUPXF_20: |
554 |
|
|
group_desc = "ECP_384"; |
555 |
|
|
break; |
556 |
|
|
case GROUPXF_21: |
557 |
|
|
group_desc = "ECP_521"; |
558 |
|
|
break; |
559 |
|
|
case GROUPXF_25: |
560 |
|
|
group_desc = "ECP_192"; |
561 |
|
|
break; |
562 |
|
|
case GROUPXF_26: |
563 |
|
|
group_desc = "ECP_224"; |
564 |
|
|
break; |
565 |
|
|
case GROUPXF_27: |
566 |
|
|
group_desc = "BP_224"; |
567 |
|
|
break; |
568 |
|
|
case GROUPXF_28: |
569 |
|
|
group_desc = "BP_256"; |
570 |
|
|
break; |
571 |
|
|
case GROUPXF_29: |
572 |
|
|
group_desc = "BP_384"; |
573 |
|
|
break; |
574 |
|
|
case GROUPXF_30: |
575 |
|
|
group_desc = "BP_512"; |
576 |
|
|
break; |
577 |
|
|
default: |
578 |
|
|
warnx("illegal group %s", r->p1xfs->groupxf->name); |
579 |
|
|
return (-1); |
580 |
|
|
} |
581 |
|
|
} else |
582 |
|
|
group_desc = "MODP_3072"; |
583 |
|
|
|
584 |
|
|
switch (r->ikeauth->type) { |
585 |
|
|
case IKE_AUTH_PSK: |
586 |
|
|
auth_method = "PRE_SHARED"; |
587 |
|
|
break; |
588 |
|
|
case IKE_AUTH_RSA: |
589 |
|
|
auth_method = "RSA_SIG"; |
590 |
|
|
break; |
591 |
|
|
default: |
592 |
|
|
warnx("illegal authentication method %u", r->ikeauth->type); |
593 |
|
|
return (-1); |
594 |
|
|
} |
595 |
|
|
|
596 |
|
|
/* the transform name must not include "," */ |
597 |
|
|
if (key_length && (p = strchr(key_length, ',')) != NULL) |
598 |
|
|
num_print = p - key_length; |
599 |
|
|
/* create unique name for transform, see also ike_section_p2() */ |
600 |
|
|
if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s", |
601 |
|
|
r->p1name, auth_method, auth_alg, enc_alg, |
602 |
|
|
num_print, key_length ? key_length : "", |
603 |
|
|
group_desc) == -1) |
604 |
|
|
errx(1, "asprintf phase1-transform"); |
605 |
|
|
|
606 |
|
|
fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name, |
607 |
|
|
transform); |
608 |
|
|
fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform, |
609 |
|
|
auth_method); |
610 |
|
|
fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg); |
611 |
|
|
fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform, |
612 |
|
|
enc_alg); |
613 |
|
|
if (key_length) |
614 |
|
|
fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, |
615 |
|
|
key_length); |
616 |
|
|
fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, |
617 |
|
|
group_desc); |
618 |
|
|
|
619 |
|
|
if (r->p1life && r->p1life->lt_seconds != -1) { |
620 |
|
|
fprintf(fd, SET "[%s]:Life=%s-life force\n", |
621 |
|
|
transform, transform); |
622 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", |
623 |
|
|
transform); |
624 |
|
|
fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", |
625 |
|
|
transform, r->p1life->lt_seconds); |
626 |
|
|
} else |
627 |
|
|
fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform); |
628 |
|
|
|
629 |
|
|
free(transform); |
630 |
|
|
return (0); |
631 |
|
|
} |
632 |
|
|
|
633 |
|
|
static void |
634 |
|
|
ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, |
635 |
|
|
char *p2xid, FILE *fd) |
636 |
|
|
{ |
637 |
|
|
char mask[NI_MAXHOST], *network, *p; |
638 |
|
|
struct sockaddr_storage sas; |
639 |
|
|
struct sockaddr *sa = (struct sockaddr *)&sas; |
640 |
|
|
|
641 |
|
|
bzero(&sas, sizeof(struct sockaddr_storage)); |
642 |
|
|
bzero(mask, sizeof(mask)); |
643 |
|
|
sa->sa_family = af; |
644 |
|
|
switch (af) { |
645 |
|
|
case AF_INET: |
646 |
|
|
sa->sa_len = sizeof(struct sockaddr_in); |
647 |
|
|
bcopy(&iamask->ipa, |
648 |
|
|
&((struct sockaddr_in *)(sa))->sin_addr, |
649 |
|
|
sizeof(struct in6_addr)); |
650 |
|
|
break; |
651 |
|
|
case AF_INET6: |
652 |
|
|
sa->sa_len = sizeof(struct sockaddr_in6); |
653 |
|
|
bcopy(&iamask->ipa, |
654 |
|
|
&((struct sockaddr_in6 *)(sa))->sin6_addr, |
655 |
|
|
sizeof(struct in6_addr)); |
656 |
|
|
break; |
657 |
|
|
} |
658 |
|
|
if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, |
659 |
|
|
NI_NUMERICHOST)) |
660 |
|
|
errx(1, "could not get a numeric mask"); |
661 |
|
|
|
662 |
|
|
if ((network = strdup(name)) == NULL) |
663 |
|
|
err(1, "ike_section_p2ids: strdup"); |
664 |
|
|
if ((p = strrchr(network, '/')) != NULL) |
665 |
|
|
*p = '\0'; |
666 |
|
|
|
667 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", |
668 |
|
|
p2xid, ((af == AF_INET) ? 4 : 6)); |
669 |
|
|
fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); |
670 |
|
|
fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); |
671 |
|
|
|
672 |
|
|
free(network); |
673 |
|
|
} |
674 |
|
|
|
675 |
|
|
static void |
676 |
|
|
ike_section_p2ids(struct ipsec_rule *r, FILE *fd) |
677 |
|
|
{ |
678 |
|
|
char *p; |
679 |
|
|
struct ipsec_addr_wrap *src = r->src; |
680 |
|
|
struct ipsec_addr_wrap *dst = r->dst; |
681 |
|
|
|
682 |
|
|
if (src->netaddress) { |
683 |
|
|
ike_section_p2ids_net(&src->mask, src->af, src->name, |
684 |
|
|
r->p2lid, fd); |
685 |
|
|
} else { |
686 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
687 |
|
|
r->p2lid, ((src->af == AF_INET) ? 4 : 6)); |
688 |
|
|
if ((p = strrchr(src->name, '/')) != NULL) |
689 |
|
|
*p = '\0'; |
690 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, |
691 |
|
|
src->name); |
692 |
|
|
} |
693 |
|
|
|
694 |
|
|
if (src->srcnat && src->srcnat->netaddress) { |
695 |
|
|
ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, |
696 |
|
|
r->p2nid, fd); |
697 |
|
|
} else if (src->srcnat) { |
698 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
699 |
|
|
r->p2nid, ((src->af == AF_INET) ? 4 : 6)); |
700 |
|
|
if ((p = strrchr(src->srcnat->name, '/')) != NULL) |
701 |
|
|
*p = '\0'; |
702 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, |
703 |
|
|
src->srcnat->name); |
704 |
|
|
} |
705 |
|
|
|
706 |
|
|
if (dst->netaddress) { |
707 |
|
|
ike_section_p2ids_net(&dst->mask, dst->af, dst->name, |
708 |
|
|
r->p2rid, fd); |
709 |
|
|
} else { |
710 |
|
|
fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", |
711 |
|
|
r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); |
712 |
|
|
if ((p = strrchr(dst->name, '/')) != NULL) |
713 |
|
|
*p = '\0'; |
714 |
|
|
fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, |
715 |
|
|
dst->name); |
716 |
|
|
} |
717 |
|
|
if (r->proto) { |
718 |
|
|
fprintf(fd, SET "[%s]:Protocol=%d force\n", |
719 |
|
|
r->p2lid, r->proto); |
720 |
|
|
fprintf(fd, SET "[%s]:Protocol=%d force\n", |
721 |
|
|
r->p2rid, r->proto); |
722 |
|
|
} |
723 |
|
|
if (r->sport) |
724 |
|
|
fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, |
725 |
|
|
ntohs(r->sport)); |
726 |
|
|
if (r->dport) |
727 |
|
|
fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, |
728 |
|
|
ntohs(r->dport)); |
729 |
|
|
} |
730 |
|
|
|
731 |
|
|
static int |
732 |
|
|
ike_connect(struct ipsec_rule *r, FILE *fd) |
733 |
|
|
{ |
734 |
|
|
switch (r->ikemode) { |
735 |
|
|
case IKE_ACTIVE: |
736 |
|
|
case IKE_DYNAMIC: |
737 |
|
|
fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); |
738 |
|
|
break; |
739 |
|
|
case IKE_PASSIVE: |
740 |
|
|
fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", |
741 |
|
|
r->p2name); |
742 |
|
|
break; |
743 |
|
|
default: |
744 |
|
|
return (-1); |
745 |
|
|
} |
746 |
|
|
return (0); |
747 |
|
|
} |
748 |
|
|
|
749 |
|
|
static int |
750 |
|
|
ike_gen_config(struct ipsec_rule *r, FILE *fd) |
751 |
|
|
{ |
752 |
|
|
ike_setup_ids(r); |
753 |
|
|
ike_section_general(r, fd); |
754 |
|
|
ike_section_peer(r, fd); |
755 |
|
|
if (ike_section_p1(r, fd) == -1) { |
756 |
|
|
return (-1); |
757 |
|
|
} |
758 |
|
|
ike_section_ids(r, fd); |
759 |
|
|
ike_section_ipsec(r, fd); |
760 |
|
|
if (ike_section_p2(r, fd) == -1) { |
761 |
|
|
return (-1); |
762 |
|
|
} |
763 |
|
|
ike_section_p2ids(r, fd); |
764 |
|
|
|
765 |
|
|
if (ike_connect(r, fd) == -1) |
766 |
|
|
return (-1); |
767 |
|
|
return (0); |
768 |
|
|
} |
769 |
|
|
|
770 |
|
|
static int |
771 |
|
|
ike_delete_config(struct ipsec_rule *r, FILE *fd) |
772 |
|
|
{ |
773 |
|
|
ike_setup_ids(r); |
774 |
|
|
#if 0 |
775 |
|
|
switch (r->ikemode) { |
776 |
|
|
case IKE_ACTIVE: |
777 |
|
|
case IKE_DYNAMIC: |
778 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
779 |
|
|
break; |
780 |
|
|
case IKE_PASSIVE: |
781 |
|
|
fprintf(fd, DELETE "[Phase 2]\n"); |
782 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
783 |
|
|
break; |
784 |
|
|
default: |
785 |
|
|
return (-1); |
786 |
|
|
} |
787 |
|
|
|
788 |
|
|
if (r->peer) { |
789 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p1name); |
790 |
|
|
fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); |
791 |
|
|
} |
792 |
|
|
if (r->auth) { |
793 |
|
|
if (r->auth->srcid) |
794 |
|
|
fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); |
795 |
|
|
if (r->auth->dstid) |
796 |
|
|
fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); |
797 |
|
|
} |
798 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2name); |
799 |
|
|
fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); |
800 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2lid); |
801 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2rid); |
802 |
|
|
#else |
803 |
|
|
fprintf(fd, "t %s\n", r->p2name); |
804 |
|
|
switch (r->ikemode) { |
805 |
|
|
case IKE_ACTIVE: |
806 |
|
|
case IKE_DYNAMIC: |
807 |
|
|
fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); |
808 |
|
|
break; |
809 |
|
|
case IKE_PASSIVE: |
810 |
|
|
fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", |
811 |
|
|
r->p2name); |
812 |
|
|
break; |
813 |
|
|
default: |
814 |
|
|
return (-1); |
815 |
|
|
} |
816 |
|
|
fprintf(fd, DELETE "[%s]\n", r->p2name); |
817 |
|
|
fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); |
818 |
|
|
#endif |
819 |
|
|
|
820 |
|
|
return (0); |
821 |
|
|
} |
822 |
|
|
|
823 |
|
|
static void |
824 |
|
|
ike_setup_ids(struct ipsec_rule *r) |
825 |
|
|
{ |
826 |
|
|
char sproto[10], ssport[10], sdport[10]; |
827 |
|
|
|
828 |
|
|
/* phase 1 name is peer and local address */ |
829 |
|
|
if (r->peer) { |
830 |
|
|
if (r->local) { |
831 |
|
|
/* peer-dstaddr-local-srcaddr */ |
832 |
|
|
if (asprintf(&r->p1name, "peer-%s-local-%s", |
833 |
|
|
r->peer->name, r->local->name) == -1) |
834 |
|
|
err(1, "ike_setup_ids"); |
835 |
|
|
} else |
836 |
|
|
/* peer-dstaddr */ |
837 |
|
|
if (asprintf(&r->p1name, "peer-%s", |
838 |
|
|
r->peer->name) == -1) |
839 |
|
|
err(1, "ike_setup_ids"); |
840 |
|
|
} else |
841 |
|
|
if ((r->p1name = strdup("peer-default")) == NULL) |
842 |
|
|
err(1, "ike_setup_ids"); |
843 |
|
|
|
844 |
|
|
/* Phase 2 name is from and to network, protocol, port*/ |
845 |
|
|
sproto[0] = ssport[0] = sdport[0] = 0; |
846 |
|
|
if (r->proto) |
847 |
|
|
snprintf(sproto, sizeof sproto, "=%u", r->proto); |
848 |
|
|
if (r->sport) |
849 |
|
|
snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); |
850 |
|
|
if (r->dport) |
851 |
|
|
snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); |
852 |
|
|
/* from-network/masklen=proto:port */ |
853 |
|
|
if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) |
854 |
|
|
== -1) |
855 |
|
|
err(1, "ike_setup_ids"); |
856 |
|
|
/* to-network/masklen=proto:port */ |
857 |
|
|
if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) |
858 |
|
|
== -1) |
859 |
|
|
err(1, "ike_setup_ids"); |
860 |
|
|
/* from-network/masklen=proto:port-to-network/masklen=proto:port */ |
861 |
|
|
if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) |
862 |
|
|
err(1, "ike_setup_ids"); |
863 |
|
|
/* nat-network/masklen=proto:port */ |
864 |
|
|
if (r->src->srcnat && r->src->srcnat->name) { |
865 |
|
|
if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, |
866 |
|
|
ssport) == -1) |
867 |
|
|
err(1, "ike_setup_ids"); |
868 |
|
|
} |
869 |
|
|
} |
870 |
|
|
|
871 |
|
|
int |
872 |
|
|
ike_print_config(struct ipsec_rule *r, int opts) |
873 |
|
|
{ |
874 |
|
|
if (opts & IPSECCTL_OPT_DELETE) |
875 |
|
|
return (ike_delete_config(r, stdout)); |
876 |
|
|
else |
877 |
|
|
return (ike_gen_config(r, stdout)); |
878 |
|
|
} |
879 |
|
|
|
880 |
|
|
int |
881 |
|
|
ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) |
882 |
|
|
{ |
883 |
|
|
struct stat sb; |
884 |
|
|
FILE *fdp; |
885 |
|
|
int fd, ret = 0; |
886 |
|
|
|
887 |
|
|
if ((fd = open(fifo, O_WRONLY)) == -1) |
888 |
|
|
err(1, "ike_ipsec_establish: open(%s)", fifo); |
889 |
|
|
if (fstat(fd, &sb) == -1) |
890 |
|
|
err(1, "ike_ipsec_establish: fstat(%s)", fifo); |
891 |
|
|
if (!S_ISFIFO(sb.st_mode)) |
892 |
|
|
errx(1, "ike_ipsec_establish: %s not a fifo", fifo); |
893 |
|
|
if ((fdp = fdopen(fd, "w")) == NULL) |
894 |
|
|
err(1, "ike_ipsec_establish: fdopen(%s)", fifo); |
895 |
|
|
|
896 |
|
|
switch (action) { |
897 |
|
|
case ACTION_ADD: |
898 |
|
|
ret = ike_gen_config(r, fdp); |
899 |
|
|
break; |
900 |
|
|
case ACTION_DELETE: |
901 |
|
|
ret = ike_delete_config(r, fdp); |
902 |
|
|
break; |
903 |
|
|
default: |
904 |
|
|
ret = -1; |
905 |
|
|
} |
906 |
|
|
|
907 |
|
|
fclose(fdp); |
908 |
|
|
return (ret); |
909 |
|
|
} |