kernel-wfp: Set flag to get UDP encapsulation with tunnel mode working
authorMartin Willi <martin@revosec.ch>
Mon, 23 Dec 2013 17:45:13 +0000 (18:45 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Jun 2014 14:32:10 +0000 (16:32 +0200)
Having this flag set fixes connections initiated by the Windows host, but
unfortunately does not yet fix incoming connections. Connection state issue?
We still see 0xc00000e2 error events, translating to INTERNAL_ERROR.

src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c

index 9c9addbea8e97cbb41e02cc4aab6f77f79e19ec1..a2aa1d80b7f5e03fb8b46470246e0789c69a2ca4 100644 (file)
@@ -86,6 +86,27 @@ enum {
        FWPM_FILTER_FLAG_DISABLED =                                                             (1<<5),
 };
 
+/* missing in MinGW */
+enum {
+       IPSEC_SA_BUNDLE_FLAG_ND_SECURE =                                                        (1<< 0),
+       IPSEC_SA_BUNDLE_FLAG_ND_BOUNDARY =                                                      (1<< 1),
+       IPSEC_SA_BUNDLE_FLAG_ND_PEER_NAT_BOUNDARY =                                     (1<< 2),
+       IPSEC_SA_BUNDLE_FLAG_GUARANTEE_ENCRYPTION =                                     (1<< 3),
+       IPSEC_SA_BUNDLE_FLAG_NLB =                                                                      (1<< 4),
+       IPSEC_SA_BUNDLE_FLAG_NO_MACHINE_LUID_VERIFY =                           (1<< 5),
+       IPSEC_SA_BUNDLE_FLAG_NO_IMPERSONATION_LUID_VERIFY =                     (1<< 6),
+       IPSEC_SA_BUNDLE_FLAG_NO_EXPLICIT_CRED_MATCH =                           (1<< 7),
+       IPSEC_SA_BUNDLE_FLAG_ALLOW_NULL_TARGET_NAME_MATCH =                     (1<< 9),
+       IPSEC_SA_BUNDLE_FLAG_CLEAR_DF_ON_TUNNEL =                                       (1<<10),
+       IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND =                      (1<<11),
+       IPSEC_SA_BUNDLE_FLAG_ND_PEER_BOUNDARY =                                         (1<<12),
+       IPSEC_SA_BUNDLE_FLAG_SUPPRESS_DUPLICATE_DELETION =                      (1<<13),
+       IPSEC_SA_BUNDLE_FLAG_PEER_SUPPORTS_GUARANTEE_ENCRYPTION =       (1<<14),
+       IPSEC_SA_BUNDLE_FLAG_FORCE_INBOUND_CONNECTIONS =                        (1<<15),
+       IPSEC_SA_BUNDLE_FLAG_FORCE_OUTBOUND_CONNECTIONS =                       (1<<16),
+       IPSEC_SA_BUNDLE_FLAG_FORWARD_PATH_INITIATOR =                           (1<<17),
+};
+
 DWORD WINAPI FwpmIPsecTunnelAdd0(HANDLE, UINT32,
        const FWPM_PROVIDER_CONTEXT0*, const FWPM_PROVIDER_CONTEXT0*, UINT32,
        const FWPM_FILTER_CONDITION0*, PSECURITY_DESCRIPTOR);
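Review bot: The new anonymous enum at lines 20–38 is not guarded, so it will break the build against any MinGW or SDK header that already provides these names as macros (a `#define IPSEC_SA_BUNDLE_FLAG_ND_SECURE 0x1` would expand to `(0x1) = (1<< 0)` inside the enum); wrap the block in `#ifndef IPSEC_SA_BUNDLE_FLAG_ND_SECURE` … `#endif`, or extend the `/* missing in MinGW */` comment with the MinGW version that was checked. The values also skip bit 8 (there is no `1<< 8` between NO_EXPLICIT_CRED_MATCH and ALLOW_NULL_TARGET_NAME_MATCH); if that mirrors the SDK's own assignment, a one-line comment such as `/* 0x100 is unassigned in the SDK; gap is intentional */` would stop a later reader from "fixing" it and silently changing the bit passed to the kernel. The FWPM_FILTER_FLAG enum ending at line 17 appears to follow the same unguarded pattern, so the same guard would apply there if adopted.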
index b6d7d7a58f8d563a80ba86302f67470573d5e870..d471a0010884a12be50503a56a5138e49e597f4a 100644 (file)
@@ -913,6 +913,7 @@ static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry,
        }
        else
        {
+               bundle.flags |= IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND;
                res = IPsecSaContextAddOutbound0(this->handle, entry->sa_id, &bundle);
        }
        if (res != ERROR_SUCCESS)
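Review bot: The added line sets IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND on every outbound SA, not only on those negotiated with UDP encapsulation, while the commit message ties the flag specifically to UDP encapsulation; it should presumably be gated on the entry's encapsulation state, e.g. `if (entry->encap) { bundle.flags |= IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND; }`, assuming entry_t carries such a field (it is not visible in this hunk). The inbound branch above the hunk is left untouched, which matches the message's note that incoming connections still fail, so a short comment on the new line recording that this is deliberately outbound-only, such as `/* outbound only; inbound SAs still fail with INTERNAL_ERROR */`, would help the next maintainer. install_sa begins and ends outside the hunk.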