From 23df42811ddcc9bb049c6132b07f327a5e0a29e7 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 2 May 2023 15:26:13 +0200
Subject: [PATCH] strongswan: Create AH/ESP rules for host connections, too
Signed-off-by: Michael Tremer
---
 lfs/strongswan | 1 +
 ...swan-ipfire-esp-for-host-connections.patch | 28 +++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 src/patches/strongswan-ipfire-esp-for-host-connections.patch
diff --git a/lfs/strongswan b/lfs/strongswan
index 7cb886fe71..272446b1d0 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-esp-for-host-connections.patch
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure \
diff --git a/src/patches/strongswan-ipfire-esp-for-host-connections.patch b/src/patches/strongswan-ipfire-esp-for-host-connections.patch
new file mode 100644
index 0000000000..e7342e5c2f
--- /dev/null
+++ b/src/patches/strongswan-ipfire-esp-for-host-connections.patch
@@ -0,0 +1,28 @@
+--- a/src/_updown/_updown.in 2023-05-02 15:23:07.978551169 +0200
++++ b/src/_updown/_updown.in 2023-05-02 15:19:02.072300060 +0200
+@@ -248,6 +248,12 @@
+ iptables --wait -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER_CLIENT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER_CLIENT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ #
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+@@ -280,6 +286,12 @@
+ iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
++ iptables --wait -D IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
++ -s $PLUTO_PEER_CLIENT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables --wait -D IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER_CLIENT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ #
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
--
2.39.5
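Review bot: The teardown lines added in the `@@ -280,6 +286,12 @@` part of the new patch pass both a rule number and a match specification to `iptables -D` (`iptables --wait -D IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \` and its ESP counterpart); as far as I can tell iptables treats a numeric argument after the chain name as delete-by-position, so this removes whatever currently sits at position 1 of IPSECINPUT rather than this connection's AH/ESP rule, and with several connections up another peer's accept rule can be deleted while the stale one stays behind. The existing `iptables --wait -D IPSECOUTPUT -o $PLUTO_INTERFACE ...` line directly above shows the intended form: drop the `1` so the two deletions read `iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \` and `iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \`, matching the rule spec exactly as the insertions did. Separately, `$D_MY_PORT` is defined outside this hunk; if it expands to a `--dport` option for port-restricted connections, iptables will reject it on a `-p AH`/`-p ESP` rule, so these four rules presumably only work because host connections leave it empty — worth confirming, or omitting it from the AH/ESP rules. The up/down case branches of `_updown.in` that contain these lines start and end outside the hunk.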