secgateway/Platform/user/configm/config-server/ipsec_config/ike_config.c


#if 0
#include <pluto_constants.h>
#include <deltatime.h>
#include <ipsecconf/confread.h>
#endif
#include "ike_config.h"
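/*
 * Validation hook for an incoming IKE configuration request.
 *
 * Currently a stub: nothing in `input` is inspected and RET_OK is returned
 * unconditionally, so every request reaches ike_config_proc() unvalidated.
 * Length/range checks on the request belong here once the request format
 * behind `pointer input` is fixed.
 *
 * @param source       origin of the request (not used yet)
 * @param config_type  pointer to the configuration type selector (not used yet)
 * @param input        request payload (not used yet)
 * @param input_len    pointer to the payload length (not used yet)
 * @param output       reply buffer (not used yet)
 * @param output_len   pointer to the reply length (not used yet)
 * @return RET_OK, always
 */
ret_code ike_config_chk(uint source, uint *config_type,
                        pointer input, int *input_len,
                        pointer output, int *output_len)
{
    /* Discard the parameters explicitly so the stub compiles cleanly under -Wextra. */
    (void)source;
    (void)config_type;
    (void)input;
    (void)input_len;
    (void)output;
    (void)output_len;

    return RET_OK;
}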
#if 0
/*
 * Build a whack message for one connection and send it to pluto.
 *
 * Most fields are copied from `conn` (the parsed ipsec.conf section); the
 * connection name and the IKE/IPsec SA lifetimes are taken from `ike_cfg`
 * instead.  `cfg` is only used for its control socket.  The message asks
 * pluto to delete any existing connection of the same name, add this one,
 * start listening and route it.
 *
 * NOTE(review): this function sits inside an `#if 0` block in the file and
 * is not compiled.  `ike_cfg` is accessed with `->` for the name but with
 * `.` for the lifetimes below; only one of those can be right for a given
 * definition of ike_config_t, so this must be fixed before re-enabling.
 *
 * @param ike_cfg  IKE settings; source of the connection name and lifetimes
 * @param cfg      starter configuration; supplies the whack control socket
 * @param conn     parsed connection section to translate
 * @return the result of send_whack_msg() (0 on success)
 */
static int add_ike_conn(ike_config_t ike_cfg, struct starter_config *cfg,
                        const struct starter_conn *conn)
{
    struct whack_message msg;
    int r;

    init_whack_msg(&msg);
    msg.whack_connection = TRUE;
    msg.whack_delete = TRUE; /* always do replace for now */
    msg.whack_listen = TRUE; /* start IKE listening */
    msg.whack_route = TRUE; /* install the corresponding kernel SPACL rule */
    msg.name = ike_cfg->v1.ph2.ph2_name;
    msg.addr_family = conn->left.addr_family;
    msg.tunnel_addr_family = conn->left.addr_family;
    // if (conn->right.addrtype == KH_IPHOSTNAME)
    // msg.dnshostname = conn->right.strings[KSCF_IP];
    msg.nic_offload = yna_auto;
    /* Lifetimes come from ike_cfg rather than the conn section (see the commented-out originals). */
    msg.sa_ike_life_seconds = deltatime(ike_cfg.v1.ph1.sa_ike_life_seconds); //deltatime(conn->options[KBF_IKELIFETIME]);
    msg.sa_ipsec_life_seconds = deltatime(ike_cfg.v1.ph2.sa_ipsec_life_seconds); //deltatime(conn->options[KBF_SALIFETIME]);
    msg.sa_rekey_margin = deltatime(SA_REPLACEMENT_MARGIN_DEFAULT);
    msg.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
    msg.sa_keying_tries = conn->options[KBF_KEYINGTRIES];
    msg.sa_replay_window = conn->options[KBF_REPLAY_WINDOW];
    msg.r_interval = deltatime_ms(conn->options[KBF_RETRANSMIT_INTERVAL_MS]);
    msg.r_timeout = deltatime(conn->options[KBF_RETRANSMIT_TIMEOUT]);
    msg.policy = conn->policy;
    msg.sighash_policy = conn->sighash_policy;
    msg.connalias = conn->connalias;
    msg.metric = conn->options[KBF_METRIC];

    /* Optional knobs: only copied when the section actually set them. */
    if (conn->options_set[KBF_CONNMTU])
        msg.connmtu = conn->options[KBF_CONNMTU];
    if (conn->options_set[KBF_PRIORITY])
        msg.sa_priority = conn->options[KBF_PRIORITY];
    if (conn->options_set[KBF_TFCPAD])
        msg.sa_tfcpad = conn->options[KBF_TFCPAD];
    if (conn->options_set[KBF_NO_ESP_TFC])
        msg.send_no_esp_tfc = conn->options[KBF_NO_ESP_TFC];
    if (conn->options_set[KBF_NFLOG_CONN])
        msg.nflog_group = conn->options[KBF_NFLOG_CONN];
    if (conn->options_set[KBF_REQID]) {
        /* A manual reqid outside 1..IPSEC_MANUAL_REQID_MAX is logged and dropped;
         * msg.sa_reqid then keeps whatever init_whack_msg() gave it. */
        if (conn->options[KBF_REQID] <= 0 ||
            conn->options[KBF_REQID] > IPSEC_MANUAL_REQID_MAX) {
            starter_log(LOG_LEVEL_ERR,
                        "Ignoring reqid value - range must be 1-%u",
                        IPSEC_MANUAL_REQID_MAX);
        } else {
            msg.sa_reqid = conn->options[KBF_REQID];
        }
    }

    /* default to HOLD */
    msg.dpd_action = DPD_ACTION_HOLD;
    /* DPD is only configured when both delay and timeout are present. */
    if (conn->options_set[KBF_DPDDELAY] &&
        conn->options_set[KBF_DPDTIMEOUT]) {
        msg.dpd_delay = deltatime(conn->options[KBF_DPDDELAY]);
        msg.dpd_timeout = deltatime(conn->options[KBF_DPDTIMEOUT]);
        if (conn->options_set[KBF_DPDACTION])
            msg.dpd_action = conn->options[KBF_DPDACTION];
        if (conn->options_set[KBF_REKEY] && !conn->options[KBF_REKEY]) {
            /* NOTE(review): options[KBF_DPDACTION] is read here without consulting
             * options_set[KBF_DPDACTION]; relies on an unset entry not equalling
             * DPD_ACTION_RESTART — confirm. */
            if (conn->options[KBF_DPDACTION] ==
                DPD_ACTION_RESTART) {
                starter_log(LOG_LEVEL_ERR,
                            "conn: \"%s\" warning dpdaction cannot be 'restart' when rekey=no - defaulting to 'hold'",
                            conn->name);
                msg.dpd_action = DPD_ACTION_HOLD;
            }
        }
    } else {
        if (conn->options_set[KBF_DPDDELAY] ||
            conn->options_set[KBF_DPDTIMEOUT] ||
            conn->options_set[KBF_DPDACTION]) {
            starter_log(LOG_LEVEL_ERR,
                        "conn: \"%s\" warning dpd settings are ignored unless both dpdtimeout= and dpddelay= are set",
                        conn->name);
        }
    }

    /* Knobs with an explicit fallback when the section leaves them unset. */
    if (conn->options_set[KBF_SEND_CA])
        msg.send_ca = conn->options[KBF_SEND_CA];
    else
        msg.send_ca = CA_SEND_NONE;
    if (conn->options_set[KBF_ENCAPS])
        msg.encaps = conn->options[KBF_ENCAPS];
    else
        msg.encaps = yna_auto;
    if (conn->options_set[KBF_NAT_KEEPALIVE])
        msg.nat_keepalive = conn->options[KBF_NAT_KEEPALIVE];
    else
        msg.nat_keepalive = TRUE;
    if (conn->options_set[KBF_IKEV1_NATT])
        msg.ikev1_natt = conn->options[KBF_IKEV1_NATT];
    else
        msg.ikev1_natt = NATT_BOTH;

    /* Activate sending out own vendorid */
    if (conn->options_set[KBF_SEND_VENDORID])
        msg.send_vendorid = conn->options[KBF_SEND_VENDORID];
    /* Activate Cisco quircky behaviour not replacing old IPsec SA's */
    if (conn->options_set[KBF_INITIAL_CONTACT])
        msg.initial_contact = conn->options[KBF_INITIAL_CONTACT];
    /* Activate their quircky behaviour - rumored to be needed for ModeCfg and RSA */
    if (conn->options_set[KBF_CISCO_UNITY])
        msg.cisco_unity = conn->options[KBF_CISCO_UNITY];
    if (conn->options_set[KBF_VID_STRONGSWAN])
        msg.fake_strongswan = conn->options[KBF_VID_STRONGSWAN];
    /* Active our Cisco interop code if set */
    if (conn->options_set[KBF_REMOTEPEERTYPE])
        msg.remotepeertype = conn->options[KBF_REMOTEPEERTYPE];
#ifdef HAVE_NM
    /* Network Manager support */
    if (conn->options_set[KBF_NMCONFIGURED])
        msg.nmconfigured = conn->options[KBF_NMCONFIGURED];
#endif
#ifdef HAVE_LABELED_IPSEC
    /* Labeled ipsec support */
    if (conn->options_set[KBF_LABELED_IPSEC]) {
        msg.labeled_ipsec = conn->options[KBF_LABELED_IPSEC];
        msg.policy_label = conn->policy_label;
        starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" policy_label=%s",
                    conn->name, msg.policy_label);
    }
#endif

    /* String-valued settings are passed through by pointer and logged at debug
     * level; a NULL pointer is printed as "<unset>" rather than dereferenced. */
    msg.modecfg_dns = conn->modecfg_dns;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgdns=%s",
                conn->name, msg.modecfg_dns == NULL ? "<unset>" :
                msg.modecfg_dns);
    msg.modecfg_domains = conn->modecfg_domains;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgdomains=%s",
                conn->name, msg.modecfg_domains == NULL ? "<unset>" :
                msg.modecfg_domains);
    msg.modecfg_banner = conn->modecfg_banner;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" modecfgbanner=%s",
                conn->name, msg.modecfg_banner == NULL ? "<unset>" :
                msg.modecfg_banner);
    msg.conn_mark_both = conn->conn_mark_both;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark=%s",
                conn->name, msg.conn_mark_both == NULL ? "<unset>" :
                msg.conn_mark_both);
    msg.conn_mark_in = conn->conn_mark_in;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark-in=%s",
                conn->name, msg.conn_mark_in == NULL ? "<unset>" :
                msg.conn_mark_in);
    msg.conn_mark_out = conn->conn_mark_out;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" mark-out=%s",
                conn->name, msg.conn_mark_out == NULL ? "<unset>" :
                msg.conn_mark_out);
    msg.vti_iface = conn->vti_iface;
    starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" vti_iface=%s",
                conn->name, msg.vti_iface == NULL ? "<unset>" :
                msg.vti_iface);
    if (conn->options_set[KBF_VTI_ROUTING])
        msg.vti_routing = conn->options[KBF_VTI_ROUTING];
    if (conn->options_set[KBF_VTI_SHARED])
        msg.vti_shared = conn->options[KBF_VTI_SHARED];
    if (conn->options_set[KBF_XAUTHBY])
        msg.xauthby = conn->options[KBF_XAUTHBY];
    if (conn->options_set[KBF_XAUTHFAIL])
        msg.xauthfail = conn->options[KBF_XAUTHFAIL];

    set_whack_end("left", &msg.left, &conn->left);
    set_whack_end("right", &msg.right, &conn->right);
    /* for bug #1004 */
    update_ports(&msg);
    msg.esp = conn->esp;
    msg.ike = conn->ike;

    /* Hand the message to pluto; any non-zero status is returned unchanged,
     * so the two returns below are equivalent to `return r;`. */
    r = send_whack_msg(&msg, cfg->ctlsocket);
    if (r != 0) {
        return r;
    }
    return 0;
}
#endif
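/*
 * Apply an IKE configuration request.
 *
 * The apply path (building a starter_config and pushing each conn to pluto
 * through whack) is compiled out below, so the function currently reports
 * RET_OK without reading any of its arguments.  RET_ERR is never produced
 * at present.
 *
 * @param source       origin of the request (unused)
 * @param config_type  configuration type selector (unused)
 * @param input        request payload (unused)
 * @param input_len    payload length (unused)
 * @param output       reply buffer (unused)
 * @param output_len   pointer to the reply length (unused)
 * @return RET_OK, always
 */
ret_code ike_config_proc(uint source, uint config_type,
                         pointer input, int input_len,
                         pointer output, int *output_len)
{
    /* Discard the parameters explicitly until the apply path is enabled. */
    (void)source;
    (void)config_type;
    (void)input;
    (void)input_len;
    (void)output;
    (void)output_len;

#if 0
    /*
     * Disabled apply path, kept for reference.  NOTE(review): `cfg` is never
     * assigned before `cfg->conns` is read, and ipsecconf_default_values()
     * is handed NULL; both must be resolved before this block is re-enabled.
     */
    struct starter_config *cfg;
    ipsecconf_default_values(NULL);
    struct starter_conn *conn;
    for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
        //resolve_defaultroute(conn);
        starter_whack_add_conn(cfg, conn);
        starter_whack_listen(cfg);
        starter_whack_route_conn(cfg, conn);
    }
#endif

    /* The former `FAIL:` label was unreachable (nothing jumped to it) and has
     * been dropped; reintroduce an error path together with the apply code. */
    return RET_OK;
}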