From: Tobias Brunner
Date: Fri, 10 Oct 2014 10:55:39 +0000 (+0200)
Subject: ike: Do remote address updates also when behind static NATs
X-Git-Tag: 5.2.1~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=472156eea5ce67d9769ed2f3f9ff24e48460d4e9;p=thirdparty%2Fstrongswan.git

ike: Do remote address updates also when behind static NATs

We assume that a responder is behind a static NAT (e.g. port forwarding) and allow remote address updates in such situations. The problem described in RFC 5996 is only an issue if the NAT mapping can expire.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 0d4aa0cc1c..d92b9df8ee 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -936,11 +936,14 @@ METHOD(ike_sa_t, update_hosts, void,
 update = TRUE;
 }
- if (!other->equals(other, this->other_host))
+ if (!other->equals(other, this->other_host) &&
+ (force || has_condition(this, COND_NAT_THERE)))
 {
- /* update others address if we are NOT NATed */
- if ((has_condition(this, COND_NAT_THERE) &&
- !has_condition(this, COND_NAT_HERE)) || force )
+ /* only update other's address if we are behind a static NAT,
+ * which we assume is the case if we are not initiator */
+ if (force ||
+ (!has_condition(this, COND_NAT_HERE) ||
+ !has_condition(this, COND_ORIGINAL_INITIATOR)))
 {
 set_other_host(this, other->clone(other));
 update = TRUE;