From: Tobias Brunner
Date: Fri, 9 Feb 2018 14:54:36 +0000 (+0100)
Subject: Merge branch 'mobike-nat'
X-Git-Tag: 5.6.2rc1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d58a84e0f7e69b98d1bda2a0d2796ad9be106ec3;p=thirdparty%2Fstrongswan.git

Merge branch 'mobike-nat'

These changes improve MOBIKE task queuing. In particular we don't want to ignore the response to an update (with NAT-D payloads) if only an address list update or DPD is queued, as that could prevent us from updating the UDP encapsulation in the kernel.

A new optional roam trigger is added to the kernel-netlink plugin based on routing rule changes. This only works properly, though, if the kernel-based route lookup is used, as the kernel-netlink plugin currently does not consider routing rules for its own route lookup.

Another change prevents acquires during address updates if we have to update IPsec SAs by deleting and re-adding them. Because the outbound policy is still installed, an acquire and temporary SA might get triggered in the short time no IPsec SA is installed, which could subsequently prevent the reinstallation of the SA. To this end we install drop policies before updating the policies and SAs. These also replace the fallback drop policies we previously used to prevent plaintext leaks during policy updates (which reduces the overhead in cases where addresses never or rarely change, as additional policies will only have to be tracked during address updates).

Fixes #2518.

---

d58a84e0f7e69b98d1bda2a0d2796ad9be106ec3