This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).

Signed-off-by: Joel Low <joel@joelsplace.sg>
(cherry picked from commit 5c8af06c94)

Also from Vincent Wiemann <vincent.wiemann@ironai.com>.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Also from Vincent Wiemann <vincent.wiemann@ironai.com>.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

This option sets the interface of the policy.

Also from Vincent Wiemann <vincent.wiemann@ironai.com>.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Also from Vincent Wiemann <vincent.wiemann@ironai.com>.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Use list's where appropriate for multi-value config variables.

Forbid absolute/relative paths for certificate and key files.

Get rid of last remnants of left/right naming.

Factor invariant code paths.

Drop redundant secrets.rsa.filename section.

Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.

Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>

Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).

Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.

Running charon directly from procd via the init.d script avoid
all of this.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Fixes issue #15446

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

chacha20policy1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.

Fixes issue #15397.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

A subshell caused by $(...) can't persistently modify globals as a
side-effect.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Derived from the ipsec initd script, with the following changes:

(1) various code improvements, corrections (get rid of left/right
    updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;

and other minor changes.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>