- More detailed IKEv2 EAP payload information in debug output
-- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
bit truncation used by previous releases. To use the old 96 bit truncation
scheme, the new "sha256_96" proposal keyword has been introduced.
+- Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
+ change makes IPcomp tunnel mode connections incompatible with previous
+ releases; disable compression on such tunnels.
+
strongswan-4.3.5
----------------
ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
mode, ipcomp, 0, FALSE, inbound);
ipcomp = IPCOMP_NONE;
+ /* use transport mode ESP SA, IPComp uses tunnel mode */
+ mode = MODE_TRANSPORT;
}
memset(&request, 0, sizeof(request));
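Review bot: The comment added with `mode = MODE_TRANSPORT;` says IPComp uses tunnel mode, but the call that ends just above it passes the caller's `mode` through unchanged, so the statement holds only when tunnel mode was requested. The assignment is unconditional inside this branch, so whatever mode the caller asked for is silently replaced for the SA built after the `memset`; when transport mode was requested it is a no-op. I would have the comment say that, e.g. `/* the SA installed above keeps the requested mode; the SA built below is always transport mode so the outer header is not added twice */`. The enclosing `if` and the start of the call lie outside the hunk, so the branch condition is inferred.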
}
tmpl++;
+
+ /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
+ mode = MODE_TRANSPORT;
+ }
+ else
+ {
+ /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
+ host2xfrm(src, &tmpl->saddr);
+ host2xfrm(dst, &tmpl->id.daddr);
}
tmpl->reqid = reqid;
tmpl->mode = mode2kernel(mode);
tmpl->family = src->get_family(src);
- host2xfrm(src, &tmpl->saddr);
- host2xfrm(dst, &tmpl->id.daddr);
-
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
{
DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
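Review bot: The comment in the new `else` branch describes the other branch: it reads "when using IPcomp, only the IPcomp SA uses tmp src/dst addresses" but sits on the path that appears to run when no IPComp template was added. With the two `host2xfrm()` calls moved into the `else`, the template filled in after `tmpl++` keeps whatever `saddr`/`id.daddr` the request buffer was initialised with, so on that path it is no longer tied to the peer addresses; that deserves an explicit comment because it changes what the policy template matches on. Suggested wording for the `else`: `/* no IPComp template: this template carries the src/dst addresses itself */`, and next to `mode = MODE_TRANSPORT;`: `/* ESP template following a tunnel mode IPComp template: transport mode, addresses left unset */`. The `if` that opens this block starts above the hunk and the `DBG1` call continues past it.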