ikev2: Add option to prefer childless IKE_SAs as initiator

src/libcharon/config/ike_cfg.h

@@ -68,6 +68,8 @@ enum fragmentation_t {
 enum childless_t {
 	/** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
 	CHILDLESS_ALLOW,
+	/** Initiate childless IKE_SAs if supported, allow them as responder */
+	CHILDLESS_PREFER,
 	/** Don't accept childless IKE_SAs as responder, don't initiate them */
 	CHILDLESS_NEVER,
 	/** Only accept the creation of childless IKE_SAs (also as responder) */

src/libcharon/plugins/vici/vici_config.c

@@ -1643,6 +1643,7 @@ CALLBACK(parse_childless, bool,
 {
 	enum_map_t map[] = {
 		{ "allow",		CHILDLESS_ALLOW		},
+		{ "prefer",		CHILDLESS_PREFER	},
 		{ "never",		CHILDLESS_NEVER		},
 		{ "force",		CHILDLESS_FORCE		},
 	};

src/libcharon/sa/ikev2/tasks/child_create.c

@@ -1044,7 +1044,8 @@ static status_t defer_child_sa(private_child_create_t *this)
 		/* with SELinux, we prefer not to create a CHILD_SA when we only have
 		 * the generic label available.  if the peer does not support it,
 		 * creating the SA will most likely fail */
-		if (policy == CHILDLESS_FORCE ||
+		if (policy == CHILDLESS_PREFER ||
+			policy == CHILDLESS_FORCE ||
 			generic_label_only(this))
 		{
 			return NEED_MORE;

src/libcharon/tests/suites/test_childless.c

@@ -27,9 +27,13 @@
  */
 START_TEST(test_regular)
 {
+	childless_t childless[] = {
+		CHILDLESS_FORCE,
+		CHILDLESS_PREFER,
+	};
 	exchange_test_sa_conf_t conf = {
 		.initiator = {
-			.childless = CHILDLESS_FORCE,
+			.childless = childless[_i],
 			.esp = "aes128-sha256-modp3072",
 		},
 		.responder = {
@@ -281,7 +285,7 @@ Suite *childless_suite_create()
 	s = suite_create("childless");
 
 	tc = tcase_create("initiation");
-	tcase_add_test(tc, test_regular);
+	tcase_add_loop_test(tc, test_regular, 0, 2);
 	tcase_add_test(tc, test_regular_manual);
 	suite_add_tcase(s, tc);
 

src/swanctl/swanctl.opt

@@ -169,19 +169,21 @@ connections.<conn>.fragmentation = yes
 	irrespective of the value of this option (even when set to _no_).
 
 connections.<conn>.childless = allow
-	Use childless IKE_SA initiation (_allow_, _force_ or _never_).
+	Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_).
 
-	Use childless IKE_SA initiation (RFC 6023) for IKEv2.  Acceptable values
-	are _allow_ (the default), _force_ and _never_. If set to _allow_,
-	responders will accept childless IKE_SAs (as indicated via notify in the
-	IKE_SA_INIT response) while initiators continue to create regular IKE_SAs
-	with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is
-	initiated explicitly without any children (which will fail if the responder
-	does not support or has disabled this extension).  If set to _force_, only
-	childless initiation is accepted and the first CHILD_SA is created with a
-	separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange
-	for all CHILD_SAs).  Finally, setting the option to _never_ disables support
-	for childless IKE_SAs as responder.
+	Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first
+	CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an
+	independent DH exchange for all CHILD_SAs).  Acceptable values are _allow_
+	(the default), _prefer_, _force_ and _never_. If set to _allow_, responders
+	will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
+	response) while initiators continue to create regular IKE_SAs with the first
+	CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly
+	without any children (which will fail if the responder does not support or
+	has disabled this extension). The effect of _prefer_ is the same as _allow_
+	on responders, but as initiator a childless IKE_SA is initiated if the
+	responder supports it. If set to _force_, only childless initiation is
+	accepted in either role.  Finally, setting the option to _never_ disables
+	support for childless IKE_SAs as responder.
 
 connections.<conn>.send_certreq = yes
 	Send certificate requests payloads (_yes_ or _no_).