From 14e1ec2b77a8979195fefc865503b52cd9444a4c Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 15 Jun 2021 11:11:14 +0200
Subject: [PATCH] child-sa: Configure UDP encapsulation for per-CPU SAs

As the kernel does not support processing UDP-encapsulated and plain ESP for the same SA, we require forcing UDP encapsulation if there is no NAT.
---
 src/libcharon/sa/child_sa.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index d5c09c1dae..2c0ef08ed1 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -988,6 +988,14 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 this->my_cpi = cpi;
 dst_ts = my_ts;
 src_ts = other_ts;
+
+ if (this->per_cpu && this->encap)
+ {
+ src = src->clone(src);
+ /* accept inbound traffic from any port as we don't know if the
+ * peer uses random ports or not */
+ src->set_port(src, 0);
+ }
 }
 else
 {
@@ -1002,6 +1010,14 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 {
 tfc = this->config->get_tfc(this->config);
 }
+ if (this->per_cpu && this->encap &&
+ this->config->has_option(this->config, OPT_PER_CPU_SAS_ENCAP))
+ {
+ src = src->clone(src);
+ /* use a random source port between 49152 and 65535. doesn't matter
+ * if it's free or not as we don't receive traffic on it */
+ src->set_port(src, 0xc000 | (random() & 0xffff));
+ }
 }
 
 DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
@@ -1106,6 +1122,10 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 
 status = charon->kernel->add_sa(charon->kernel, &id, &sa);
 
+ if (src != this->my_addr && src != this->other_addr)
+ {
+ src->destroy(src);
+ }
 my_ts->destroy(my_ts);
 other_ts->destroy(other_ts);
 free(lifetime);
-- 
2.47.2
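Review bot: The inbound branch widens the SA to accept encapsulated traffic from any peer port on `this->per_cpu && this->encap` alone, while the outbound branch a few lines later additionally requires `OPT_PER_CPU_SAS_ENCAP`; the asymmetry is deliberate as far as the comments go, but nothing in the hunk says why the inbound wildcard is not gated by the same option. A sentence in the existing comment would spare the next reader from "fixing" it, e.g. `/* accept inbound traffic from any port as we don't know if the peer uses random ports or not; this is independent of OPT_PER_CPU_SAS_ENCAP, which only controls our own outbound source port */`. It would also help to state in the same comment that a port-0 source applies only to the kernel SA match and that the SPI and integrity check still authenticate the packets, so the wider match is not a loosening of the crypto boundary (inferred from how the kernel SA is used here; worth confirming against the kernel interface). install_internal() begins and ends outside this hunk.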
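Review bot: `0xc000 | (random() & 0xffff)` uses the libc `random()` generator rather than the daemon's RNG abstraction, and the hunk does not say whether `random()` is seeded anywhere in this process; if it is not, every charon start picks the same port sequence, which is harmless for the stated purpose (collisions do not matter) but should be stated so nobody later reads this as a randomisation guarantee. I would extend the comment: `/* libc random() is sufficient here: the port only needs to vary between SAs, not be unpredictable, so the daemon's rng_t is deliberately not used */`, and give the `0xc000` base a name such as `enum { PER_CPU_SA_PORT_BASE = 0xc000 };` above the function so the "49152" in the comment and the code stay in sync. The arithmetic itself is fine: masking to 16 bits then OR-ing the base keeps the result within 49152..65535 as the comment claims. install_internal() begins and ends outside this hunk.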
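Review bot: The cleanup `if (src != this->my_addr && src != this->other_addr)` infers ownership of `src` by comparing it against two member pointers, which silently becomes a leak or a double free if a later change assigns `src` from anywhere else or clones it on another path; the roughly hundred lines between the clone sites and this check are outside the hunk, so I cannot tell whether any early return in between already skips this cleanup. An explicit flag is clearer and survives refactoring: declare `bool src_cloned = FALSE;` next to `src`, set `src_cloned = TRUE;` at both `src = src->clone(src);` sites, and replace this condition with `if (src_cloned)`. If there are early returns between the clone and `add_sa()`, they need the same release or a `goto`-style common exit; install_internal() ends outside this hunk so that has to be verified in the full function.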