mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2024-11-22 17:39:53 +03:00
Cedar: add "DisableIPsecAggressiveMode" option
Setting it to "true" mitigates CVE-2002-1623.
This commit is contained in:
parent
4acd7ab98e
commit
76c330e74b
@ -38,7 +38,10 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
|
||||
break;
|
||||
|
||||
case IKE_EXCHANGE_TYPE_AGGRESSIVE: // Aggressive mode
|
||||
ProcIkeAggressiveModePacketRecv(ike, p, header);
|
||||
if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
|
||||
{
|
||||
ProcIkeAggressiveModePacketRecv(ike, p, header);
|
||||
}
|
||||
break;
|
||||
|
||||
case IKE_EXCHANGE_TYPE_QUICK: // Quick mode
|
||||
|
@ -5821,6 +5821,9 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
|
||||
// Disable the NAT-traversal feature
|
||||
s->DisableNatTraversal = CfgGetBool(f, "DisableNatTraversal");
|
||||
|
||||
// Disable IPsec's aggressive mode
|
||||
s->DisableIPsecAggressiveMode = CfgGetBool(f, "DisableIPsecAggressiveMode");
|
||||
|
||||
if (s->Cedar->Bridge == false)
|
||||
{
|
||||
// Enable the VPN-over-ICMP
|
||||
@ -6237,6 +6240,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
|
||||
}
|
||||
}
|
||||
|
||||
CfgAddBool(f, "DisableIPsecAggressiveMode", s->DisableIPsecAggressiveMode);
|
||||
|
||||
CfgAddStr(f, "OpenVPNDefaultClientOption", c->OpenVPNDefaultClientOption);
|
||||
|
||||
CfgAddBool(f, "OpenVPNPushDummyIPv4AddressOnL2Mode", c->OpenVPNPushDummyIPv4AddressOnL2Mode);
|
||||
|
@ -193,6 +193,7 @@ struct SERVER
|
||||
bool NoMoreSave; // Do not save any more
|
||||
bool EnableConditionalAccept; // Apply the Conditional Accept the Listener
|
||||
bool EnableLegacySSL; // Enable Legacy SSL
|
||||
bool DisableIPsecAggressiveMode; // Disable IPsec's aggressive mode
|
||||
|
||||
volatile bool Halt; // Halting flag
|
||||
LOCK *lock; // Lock
|
||||
|
Loading…
Reference in New Issue
Block a user