[strongSwan-dev] IKE1 and "service" type of application

Alexander Sbitnev alexander.sbitnev at gmail.com
Tue Nov 11 18:40:17 CET 2014

   Hi again! My previous question was quite vague.
   I see multiple examples of manually controlled IKE clients inside 
StrongSwan codebase.
It's Maemo/NetworkManager/Android clients. There are appropriate source 
files for each kind of clients 
(maemo_service.c/nm_service.c/android_service.c) implementing service 
for controlling IKE daemon. Inside all of those files there are similar 
sequences of code for connection startup:
1) creation of ike_cfg_t structure by ike_cfg_create(IKEV2, ...)
2) creation of peer_cfg_t structure by peer_cfg_create(...)
3) creation of local auth rules and remote auth constraints and set 
created constraints/rules onto peer_cft_t structure
4) creation of child_cfg_t structure
5) finding/creating of ike_sa_t structure by 
6) applying of peer configuration to IKE SA entity by 
ike_sa->set_peer_cfg(ike_sa, peer_cfg)
7) initiation of exchange by ike_sa->initiate(ike_sa, child_cfg, ...)
8) returning control over SA to manager by 
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa)

   All of presented clients fixed on IKEV2 protocol SA from the 
beginning. Does it means usage of IKEV1 is not possible in this scheme 
of controlling service?
If it still possible work with IKEV1 this way is there any additional 
code to append in order to make it work?

   My current problem with IKEV1 and android client concerning 
distribution of auth rules over peer_cfg_t and ike_sa_t structures.
At startup peer_cfg filled with local rules and ike_sa keeps its rule 
list empty.
During main mode authentication inside build() method of 
pubkey_v1_authenticator no any new rules merged from peer_cfg appears 
and next line return short list of RULE_CA_CERT:
      auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);

at the same time RULE_SUBJECT_CERT is expected by this line:
      private = lib->credmgr->get_private(lib->credmgr, this->type, id, 

   It is possible to fill ike_sa_t with all needed rules right from the 
beginning (initiate() of android_service.c) but I don't think it is a 
right way to solve this problem.

More information about the Dev mailing list