1 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "vpn-manager/ipsec_manager.h" | 5 #include "vpn-manager/ipsec_manager.h" |
6 | 6 |
7 #include <arpa/inet.h> // for inet_ntop and inet_pton | 7 #include <arpa/inet.h> // for inet_ntop and inet_pton |
8 #include <grp.h> | 8 #include <grp.h> |
9 #include <netdb.h> // for getaddrinfo | 9 #include <netdb.h> // for getaddrinfo |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
11 #include <sys/wait.h> | 11 #include <sys/wait.h> |
12 #include <unistd.h> | 12 #include <unistd.h> |
13 | 13 |
14 #include <string> | 14 #include <string> |
15 #include <vector> | 15 #include <vector> |
16 | 16 |
17 #include "base/eintr_wrapper.h" | 17 #include "base/eintr_wrapper.h" |
18 #include "base/file_util.h" | 18 #include "base/file_util.h" |
19 #include "base/logging.h" | 19 #include "base/logging.h" |
20 #include "base/string_util.h" | 20 #include "base/string_util.h" |
21 #include "chromeos/process.h" | 21 #include "chromeos/process.h" |
22 #include "gflags/gflags.h" | 22 #include "gflags/gflags.h" |
23 | 23 |
24 #pragma GCC diagnostic ignored "-Wstrict-aliasing" | 24 #pragma GCC diagnostic ignored "-Wstrict-aliasing" |
| 25 // Windows RRAS requires modp1024 dh-group. Strongswan's |
| 26 // default is modp1536 which it does not support. |
| 27 DEFINE_string(ike, "3des-sha1-modp1024", "ike proposals"); |
25 DEFINE_int32(ipsec_timeout, 10, "timeout for ipsec to be established"); | 28 DEFINE_int32(ipsec_timeout, 10, "timeout for ipsec to be established"); |
26 DEFINE_string(leftprotoport, "17/1701", "client protocol/port"); | 29 DEFINE_string(leftprotoport, "17/1701", "client protocol/port"); |
| 30 DEFINE_bool(nat_traversal, true, "Enable NAT-T nat traversal"); |
27 DEFINE_bool(pfs, false, "pfs"); | 31 DEFINE_bool(pfs, false, "pfs"); |
28 DEFINE_bool(rekey, false, "rekey"); | 32 DEFINE_bool(rekey, false, "rekey"); |
29 DEFINE_string(rightprotoport, "17/1701", "server protocol/port"); | 33 DEFINE_string(rightprotoport, "17/1701", "server protocol/port"); |
| 34 DEFINE_string(type, "transport", "IPsec type (transport or tunnel)"); |
30 #pragma GCC diagnostic error "-Wstrict-aliasing" | 35 #pragma GCC diagnostic error "-Wstrict-aliasing" |
31 | 36 |
32 const char kIpsecConnectionName[] = "ipsec_managed"; | 37 const char kIpsecConnectionName[] = "ipsec_managed"; |
33 const char kIpsecGroupName[] = "ipsec"; | 38 const char kIpsecGroupName[] = "ipsec"; |
34 const char kIpsecRunPath[] = "/var/run/ipsec"; | 39 const char kIpsecRunPath[] = "/var/run/ipsec"; |
35 const char kIpsecUpFile[] = "/var/run/ipsec/up"; | 40 const char kIpsecUpFile[] = "/var/run/ipsec/up"; |
36 const char kIpsecServiceName[] = "ipsec"; | 41 const char kIpsecServiceName[] = "ipsec"; |
37 const char kStarterPidFile[] = "/var/run/starter.pid"; | 42 const char kStarterPidFile[] = "/var/run/starter.pid"; |
38 const mode_t kIpsecRunPathMode = (S_IRUSR | S_IWUSR | S_IXUSR | | 43 const mode_t kIpsecRunPathMode = (S_IRUSR | S_IWUSR | S_IXUSR | |
39 S_IRGRP | S_IWGRP | S_IXGRP); | 44 S_IRGRP | S_IWGRP | S_IXGRP); |
253 } | 258 } |
254 | 259 |
255 std::string IpsecManager::FormatStarterConfigFile() { | 260 std::string IpsecManager::FormatStarterConfigFile() { |
256 std::string config; | 261 std::string config; |
257 config.append("config setup\n"); | 262 config.append("config setup\n"); |
258 if (ike_version_ == 1) { | 263 if (ike_version_ == 1) { |
259 AppendBoolSetting(&config, "charonstart", false); | 264 AppendBoolSetting(&config, "charonstart", false); |
260 } else { | 265 } else { |
261 AppendBoolSetting(&config, "plutostart", false); | 266 AppendBoolSetting(&config, "plutostart", false); |
262 } | 267 } |
| 268 AppendBoolSetting(&config, "nat_traversal", FLAGS_nat_traversal); |
263 config.append("conn managed\n"); | 269 config.append("conn managed\n"); |
| 270 AppendStringSetting(&config, "ike", FLAGS_ike); |
264 AppendStringSetting(&config, "keyexchange", | 271 AppendStringSetting(&config, "keyexchange", |
265 ike_version_ == 1 ? "ikev1" : "ikev2"); | 272 ike_version_ == 1 ? "ikev1" : "ikev2"); |
266 if (!psk_file_.empty()) AppendStringSetting(&config, "authby", "psk"); | 273 if (!psk_file_.empty()) AppendStringSetting(&config, "authby", "psk"); |
267 AppendBoolSetting(&config, "pfs", FLAGS_pfs); | 274 AppendBoolSetting(&config, "pfs", FLAGS_pfs); |
268 AppendBoolSetting(&config, "rekey", FLAGS_rekey); | 275 AppendBoolSetting(&config, "rekey", FLAGS_rekey); |
269 AppendStringSetting(&config, "left", "%defaultroute"); | 276 AppendStringSetting(&config, "left", "%defaultroute"); |
270 AppendStringSetting(&config, "leftprotoport", FLAGS_leftprotoport); | 277 AppendStringSetting(&config, "leftprotoport", FLAGS_leftprotoport); |
271 AppendStringSetting(&config, "leftupdown", IPSEC_UPDOWN); | 278 AppendStringSetting(&config, "leftupdown", IPSEC_UPDOWN); |
272 AppendStringSetting(&config, "right", remote_address_); | 279 AppendStringSetting(&config, "right", remote_address_); |
273 AppendStringSetting(&config, "rightprotoport", FLAGS_rightprotoport); | 280 AppendStringSetting(&config, "rightprotoport", FLAGS_rightprotoport); |
| 281 AppendStringSetting(&config, "type", FLAGS_type); |
274 AppendStringSetting(&config, "auto", "start"); | 282 AppendStringSetting(&config, "auto", "start"); |
275 return config; | 283 return config; |
276 } | 284 } |
277 | 285 |
278 bool IpsecManager::SetIpsecGroup(const FilePath& file_path) { | 286 bool IpsecManager::SetIpsecGroup(const FilePath& file_path) { |
279 return chown(file_path.value().c_str(), getuid(), ipsec_group_) == 0; | 287 return chown(file_path.value().c_str(), getuid(), ipsec_group_) == 0; |
280 } | 288 } |
281 | 289 |
282 bool IpsecManager::WriteConfigFiles() { | 290 bool IpsecManager::WriteConfigFiles() { |
283 // We need to keep secrets in /mnt/stateful_partition/etc for now | 291 // We need to keep secrets in /mnt/stateful_partition/etc for now |
399 return; | 407 return; |
400 } | 408 } |
401 | 409 |
402 if (!starter_->Kill(SIGTERM, kTermTimeout)) { | 410 if (!starter_->Kill(SIGTERM, kTermTimeout)) { |
403 starter_->Kill(SIGKILL, 0); | 411 starter_->Kill(SIGKILL, 0); |
404 OnStopped(true); | 412 OnStopped(true); |
405 return; | 413 return; |
406 } | 414 } |
407 OnStopped(false); | 415 OnStopped(false); |
408 } | 416 } |
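Review bot: The new `ike` flag default on line 27 pins every connection to a single `3des-sha1-modp1024` proposal, so a peer that supports AES or a larger DH group still ends up on 3DES and a 1024-bit group; the comment justifies the group choice by Windows RRAS, but it does not require restricting the cipher, and the `ike=` setting accepts a comma-separated preference list. Listing a stronger proposal first and keeping the RRAS one as the fallback would retain compatibility while letting capable servers negotiate better, e.g. `DEFINE_string(ike, "aes128-sha1-modp1024,3des-sha1-modp1024", "ike proposals");` — worth confirming against an RRAS peer that it tolerates an unsupported leading proposal before relying on it. Separately, the new `type` flag (line 34) is written into the generated config verbatim by FormatStarterConfigFile on line 281, with nothing checking it against the two values its help text allows; a guard such as `if (FLAGS_type != "transport" && FLAGS_type != "tunnel") { LOG(ERROR) << "Invalid type " << FLAGS_type; return false; }` at the caller, or a gflags validator, would keep an unexpected value out of ipsec.conf. The same holds for `ike`, `leftprotoport` and `rightprotoport`, which reach the config file unvalidated; presumably the flags come from a trusted launcher, so this is a hardening point rather than an exploitable path.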