[strongSwan] setting domain search via attr plugin (IKEv2)

Martin Willi martin at strongswan.org
Fri Jan 23 13:08:38 CET 2015


> I would need support for new payload attributes on both peers.

At the server side, configuring custom attributes is already doable, for
example with the attr plugin [1]. If configuration by the numerical
value is too cryptic, adding aliases should be trivial.

> Maybe Strongswan could support a callback function for private
> payload attribute types?

Handling custom attributes at a plugin level is possible. A plugin
implementing the attribute_handler_t [2] interface (as done by the
resolve plugin and others) can request and handle any type of attribute.

> Cisco did not hesitate to use the private attributes for IKEv1. Do you
> think it would be possible to support similar private attributes for
> IKEv2 on both sides, as Cisco did?

It is perfectly fine to allocate attribute type values from the IANA
"private use" range, and then use these attributes if we know the peer
uses them for the same purpose. Usually this is done by detecting the
implementation type by exchanging Vendor ID payloads.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/AttrPlugin
[2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/attributes/attribute_handler.h
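
The vendor-gated handling of a private-use attribute described in the last reply, as an added example that is not part of the original message and is not strongSwan code (it does not use the attribute_handler_t interface). The attribute type 16500, the Vendor ID string and the sample bytes are constructed assumptions; the attribute layout and the 16384-32767 private use range are those of IKEv2 configuration attributes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CP_PRIVATE_MIN 16384      /* IANA private use range: 16384-32767 */
#define ATTR_DOMAIN_SEARCH 16500  /* hypothetical private-use type (assumption) */
static const char PEER_VID[] = "example-vendor-v1";  /* constructed Vendor ID */
/* Constructed attribute data: INTERNAL_IP4_DNS (3), then the private attribute. */
static const uint8_t SAMPLE_CP[] = {
    0x00, 0x03, 0x00, 0x04, 10, 0, 0, 1,
    0x40, 0x74, 0x00, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
};

/* Returns 1 if the received Vendor ID data is the one both peers agreed on. */
int vid_known(const uint8_t *vid, size_t len) {
    return len == strlen(PEER_VID) && memcmp(vid, PEER_VID, len) == 0;
}

/* Walks the attributes (1 reserved bit + 15-bit type, 16-bit length, value).
 * Copies private attribute `want` to out as a string only if the peer's
 * Vendor ID was recognised. Returns value length, 0 if absent or ignored,
 * -1 on malformed input. */
int cp_get_private(const uint8_t *buf, size_t len, int peer_known,
                   unsigned want, char *out, size_t outlen) {
    size_t off = 0;
    int found = 0;
    while (off < len) {
        if (len - off < 4) return -1;          /* truncated attribute header */
        unsigned type = ((buf[off] & 0x7fu) << 8) | buf[off + 1];
        size_t alen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (alen > len - off) return -1;       /* length runs past the payload */
        if (peer_known && type == want && type >= CP_PRIVATE_MIN) {
            if (alen >= outlen || memchr(buf + off, 0, alen)) return -1;
            memcpy(out, buf + off, alen);
            out[alen] = '\0';
            found = (int)alen;
        }
        off += alen;
    }
    return found;
}

int main(void) {
    char out[64];
    int known = vid_known((const uint8_t *)PEER_VID, strlen(PEER_VID));
    int n = cp_get_private(SAMPLE_CP, sizeof(SAMPLE_CP), known, ATTR_DOMAIN_SEARCH, out, sizeof(out));
    printf("%d %s\n", n, n > 0 ? out : "");
    return 0;
}
```

Without a recognised Vendor ID the private attribute is skipped, since another implementation may use the same number for a different purpose.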



