diff -Naur libreswan-3.27-orig/lib/libipsecconf/confread.c libreswan-3.27/lib/libipsecconf/confread.c
--- libreswan-3.27-orig/lib/libipsecconf/confread.c 2018-12-09 12:45:14.559217654 -0500
+++ libreswan-3.27/lib/libipsecconf/confread.c 2018-12-09 13:05:01.641609352 -0500
@@ -148,7 +148,7 @@
 cfg->conn_default.policy = POLICY_TUNNEL | POLICY_ENCRYPT | POLICY_PFS |
- POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW | /* ikev2=permit */
+ POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE | /* ikev2=insist */
 POLICY_SAREF_TRACK | /* sareftrack=yes */
 POLICY_IKE_FRAG_ALLOW | /* ike_frag=yes */
 POLICY_ESN_NO; /* esn=no */
@@ -1257,16 +1257,15 @@
 break;
 case fo_permit:
- /* this is the default for now */
- pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW;
- break;
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=yes or ikev2=no");
+ return TRUE;
 case fo_propose:
- pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
- break;
+ starter_error_append(perrl, "ikev2=propose is no longer accepted. Use ikev2=yes or ikev2=no");
+ return TRUE;
 case fo_insist:
- pv2 = POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
+ pv2 = POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
 break;
 }
 conn->policy = (conn->policy & ~POLICY_IKEV2_MASK) | pv2;
diff -Naur libreswan-3.27-orig/lib/libipsecconf/keywords.c libreswan-3.27/lib/libipsecconf/keywords.c
--- libreswan-3.27-orig/lib/libipsecconf/keywords.c 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/lib/libipsecconf/keywords.c 2018-12-09 13:02:15.541619284 -0500
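Review bot: The fo_permit and fo_propose error messages in the @@ -1257 hunk tell the user to switch to `ikev2=yes`, yet the ikev2.xml hunk in this same patch states that `yes` is one of the keywords that now fails to load, so if the keyword table (outside this hunk) still maps `yes` to fo_propose the advice sends the user straight back into the rejected branch. The messages should name the two values that remain valid, e.g. `starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no");` and the same wording for propose. The fo_insist assignment is removed and re-added with identical text, which looks like a whitespace-only change and adds noise to the review. The switch and its enclosing function start before the hunk, so the fo_never arm and the `pv2` initialisation cannot be checked from here.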
@@ -74,7 +74,7 @@
 static const struct keyword_enum_values kw_keyexchange_list = VALUES_INITIALIZER(kw_keyexchange_values);
 /*
- * Values for Four-State options, such as ikev2
+ * Values for Four-State options, such as ppk
 */
 static const struct keyword_enum_value kw_fourvalued_values[] = {
 { "never", fo_never },
diff -Naur libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml 2018-12-09 13:02:15.541619284 -0500
@@ -1,25 +1,13 @@ ikev2 -IKEv2 (RFC 7296) settings to be used. Currently the accepted -values are permit(the default), -signifying IKEv2 will be accepted if received, but IKEv1 will be used -when initiating; never or no signifying no IKEv2 negotiation should be -transmitted or accepted; propose or -yes signifying that we permit IKEv1 -and IKEv2, and use IKEv2 as the default to initiate; and insistsignifying we only accept and receive IKEv2 - -IKEv1 negotiations will be rejected. - -If the ikev2= setting is set to permit -or propose, Libreswan will try and detect a -"bid down" attack from IKEv2 to IKEv1. Since there is no standard for -transmitting the IKEv2 capability with IKEv1, Libreswan uses a special -Vendor ID "CAN-IKEv2". If a fall back from IKEv2 to IKEv1 was detected, -and the IKEv1 negotiation contains Vendor ID "CAN-IKEv2", Libreswan will -immediately attempt and IKEv2 rekey and refuse to use the IKEv1 connection. -With an ikev2= setting of insist, no IKEv1 -negotiation is allowed, and no bid down attack is possible. +Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. +Currently the accepted values are no (or never) +signifying only IKEv1 is accepted, or insist(the default), +signifying only IKEv2 is accepted. Previous versions allowed the keywords +propose, yes or permit +that would allow either IKEv1 or IKEv2, but this is no longer supported and both options +now cause the connection to fail to load. +
diff -Naur libreswan-3.27-orig/programs/whack/whack.c libreswan-3.27/programs/whack/whack.c
--- libreswan-3.27-orig/programs/whack/whack.c 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/whack/whack.c 2018-12-09 13:06:01.825333781 -0500
@@ -108,7 +108,7 @@
 " [--mtu ] \\\n"
 " [--priority ] [--reqid ] \\\n"
 " [--tfc ] [--send-no-esp-tfc] \\\n"
- " [--ikev1-allow | --ikev2-allow | --ikev2-propose] \\\n"
+ " [--ikev1-allow | --ikev2-allow ] \\\n"
 " [--allow-narrowing] [--sareftrack] [--sarefconntrack] \\\n"
 " [--ikefrag-allow | --ikefrag-force] [--no-ikepad] \\\n"
 " [--esn ] [--no-esn] [--decap-dscp] [--nopmtudisc] [--mobike] \\\n"
@@ -711,7 +711,6 @@
 PS("ikev1-allow", IKEV1_ALLOW),
 PS("ikev2-allow", IKEV2_ALLOW),
- PS("ikev2-propose", IKEV2_PROPOSE),
 PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
 #ifdef XAUTH_HAVE_PAM
@@ -1627,8 +1626,6 @@
 case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
 /* --ikev2-allow */
 case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
- /* --ikev2-propose */
- case CDP_SINGLETON + POLICY_IKEV2_PROPOSE_IX:
 /* --allow-narrowing */
 case CDP_SINGLETON + POLICY_IKEV2_ALLOW_NARROWING_IX:
@@ -2191,6 +2188,15 @@
 break;
 }
+ /* fixup old to new style IKEv1/IKEv2 settings */
+ if (msg.policy & POLICY_IKEV2_ALLOW) {
+ /* IKEv2 now always has ALLOW+PROPOSE */
+ msg.policy |= POLICY_IKEV2_PROPOSE;
+ }
+ if (msg.policy & POLICY_IKEV2_ALLOW &&
+ msg.policy & POLICY_IKEV1_ALLOW) {
+ diag("connection cannot be both ikev1 and ikev2");
+ }
 if (oppo_dport != 0)
 setportof(htons(oppo_dport), &msg.oppo_peer_client);
@@ -2267,11 +2273,12 @@
 diag("must specify connection authentication, eg --rsasig, --psk or --auth-null for non-shunt connection");
 /*
- * If neither v1 nor v2, default to v1
- * (backward compatibility)
+ * If neither v1 nor v2, default to v2
 */
- if (!(msg.policy & POLICY_IKEV2_MASK))
- msg.policy |= POLICY_IKEV1_ALLOW;
+ if (!(msg.policy & POLICY_IKEV2_MASK)) {
+ msg.policy |= POLICY_IKEV2_ALLOW;
+ msg.policy |= POLICY_IKEV2_PROPOSE;
+ }
 /*
 * ??? this test can never fail:
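Review bot: The new conflict check in the @@ -2191 hunk mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter, but it reads ambiguously next to the bit tests around it, so write it as `if ((msg.policy & POLICY_IKEV2_ALLOW) && (msg.policy & POLICY_IKEV1_ALLOW)) {`. The rejection also relies on diag() not returning, as the existing `diag("must specify connection authentication ...")` check in the @@ -2267 hunk presumably does; if it ever did return, a message with both IKEV1_ALLOW and IKEV2_ALLOW set would still be sent, so the receiving side should not treat this client-side check as the only guard. The ordering is fine: the ALLOW-implies-PROPOSE fixup runs before the default-to-v2 block, so both paths leave the same IKEV2_ALLOW|IKEV2_PROPOSE pair. Separately, the usage text in the @@ -108 hunk keeps a stray space before the closing bracket, `" [--ikev1-allow | --ikev2-allow] \\\n"`. The enclosing function starts and ends outside every hunk shown here.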