[strongSwan] Re: IP range support
Tobias Brunner
tobias at strongswan.org
Tue Feb 14 11:40:20 CET 2012
Hi Chester,
> If I want to add a parameter (like leftiprange,rightiprange) in
> ipsec.conf, and I hope the parameters can be accepted by strongswan,
> how can I implement it?
I'm not sure what you mean by "I hope the parameters can be accepted by
strongSwan", but if you want to implement all of this yourselves, you
can have a look at the following commits which show the individual steps
needed to add a new option to ipsec.conf:

1. Add the new option to keywords.txt|h and parse it in starter:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2b26a9c3
   Depending on the type of keyword you can't assign it to a member
   of struct starter_conn directly and you may have to parse it in
   confread.c manually (but note that many options are actually
   stored as strings in starter_conn and only parsed later by the
   IKE daemon).

2. Add the option to struct stroke_msg_t which makes it available to
   the IKEv2 daemon charon:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1f83541d
   In case of strings you also have to use push_string to actually
   add the string to the message.

3. Read, parse and use the configured values appropriately in the
   daemon:
   http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=277fcf9f
   The above commit is really just an example, it highly depends on
   the kind of option you added. IP address ranges could, for
   instance, directly be converted to traffic selectors and then added
   to the child_cfg_t object.

An alternative (and probably easier) solution would be to change how
left|rightsubnet is parsed and allow an alternative syntax there (e.g.
leftsubnet=192.168.2.6-192.168.2.20).
This currently does not have a very high priority for us, but if you need a
solution soon and don't want to do this yourselves, you might want to
consider our commercial development services. Please contact us
directly, if that's an option for you.
Regards,
Tobias
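
The alternative syntax suggested in the message (leftsubnet=192.168.2.6-192.168.2.20), as an added example that is not part of the original post and is not strongSwan code: a stand-alone C parser that accepts either CIDR or an inclusive range and yields the start and end addresses a traffic selector needs, rejecting malformed or reversed input. The function name parse_subnet_or_range is hypothetical, and the sketch assumes IPv4 only.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a strongSwan function): parse "a.b.c.d/len",
 * "a.b.c.d" or "a.b.c.d-e.f.g.h" into host-order inclusive bounds.
 * Returns 0 on success, -1 on any malformed or reversed input. */
int parse_subnet_or_range(const char *value, uint32_t *from, uint32_t *to)
{
    char buf[64], *sep, *endp;
    struct in_addr a, b;
    unsigned long bits = 32;              /* bare address is treated as /32 */
    uint32_t mask;

    if (!value || strlen(value) >= sizeof(buf))
        return -1;                        /* never overflow the local copy */
    strcpy(buf, value);
    if ((sep = strchr(buf, '-')) != NULL) {          /* range syntax */
        *sep++ = '\0';
        if (inet_pton(AF_INET, buf, &a) != 1 || inet_pton(AF_INET, sep, &b) != 1)
            return -1;
        *from = ntohl(a.s_addr);
        *to = ntohl(b.s_addr);
        return (*from <= *to) ? 0 : -1;   /* reject reversed ranges */
    }
    if ((sep = strchr(buf, '/')) != NULL) {          /* CIDR syntax */
        *sep++ = '\0';
        if (*sep < '0' || *sep > '9')     /* no empty, signed or padded length */
            return -1;
        bits = strtoul(sep, &endp, 10);
        if (*endp != '\0' || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;    /* avoid shifting by 32 */
    *from = ntohl(a.s_addr) & mask;
    *to = *from | ~mask;
    return 0;
}

int main(void)
{
    uint32_t f, t;                        /* constructed sample value */
    if (parse_subnet_or_range("192.168.2.6-192.168.2.20", &f, &t) == 0)
        printf("%08x-%08x\n", (unsigned)f, (unsigned)t);
    return 0;
}
```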