From 2b2c69e992d5e279ecde7d3ebf20804d59b8bf0d Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Thu, 26 Nov 2009 15:58:55 +0100
Subject: [PATCH] Use transport mode ESP SA if IPcomp is used, IPcomp already applies outer IP header
---
 NEWS | 6 +++++-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 14 +++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 54b8a514a..8f71908b5 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@ strongswan-4.3.6
 - More detailed IKEv2 EAP payload information in debug output
-- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
 - Added required userland changes for proper SHA256 and SHA384/512 in ESP that
 will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
@@ -13,6 +13,10 @@ strongswan-4.3.6
 bit truncation used by previous releases. To use the old 96 bit truncation
 scheme, the new "sha256_96" proposal keyword has been introduced.
+- Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
+ change makes IPcomp tunnel mode connections incompatible with previous
+ releases; disable compression on such tunnels.
+
 strongswan-4.3.5
 ----------------
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index cff5611d4..d96d6fc61 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -946,6 +946,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
 ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
 mode, ipcomp, 0, FALSE, inbound);
 ipcomp = IPCOMP_NONE;
+ /* use transport mode ESP SA, IPComp uses tunnel mode */
+ mode = MODE_TRANSPORT;
 }
 memset(&request, 0, sizeof(request));
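Review bot: The two added lines overwrite add_sa's `mode` parameter in place after the nested IPComp add_sa() call, so every later use of `mode` in add_sa silently sees MODE_TRANSPORT instead of the mode the caller requested; the first add_policy hunk does the same (`mode = MODE_TRANSPORT;` inside the IPComp branch). If anything after these points still branches on `mode` — for example tunnel-mode-only route installation or log output — IPComp connections would take the transport-mode path, which goes beyond what the commit message describes. Keeping the parameter intact and introducing a separate local for the ESP mode (same type as `mode`, set to MODE_TRANSPORT only when `ipcomp != IPCOMP_NONE`) and using it solely where the ESP SA and template mode are filled in would confine the change to the two kernel objects that need it. The body of add_sa continues outside the hunk, so the later uses of `mode` are not visible from here.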
@@ -1663,6 +1665,15 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 }
 tmpl++;
+
+ /* use transport mode for ESP if we have a tunnel mode IPcomp SA */
+ mode = MODE_TRANSPORT;
+ }
+ else
+ {
+ /* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
+ host2xfrm(src, &tmpl->saddr);
+ host2xfrm(dst, &tmpl->id.daddr);
 }
 tmpl->reqid = reqid;
@@ -1671,9 +1682,6 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
 tmpl->mode = mode2kernel(mode);
 tmpl->family = src->get_family(src);
- host2xfrm(src, &tmpl->saddr);
- host2xfrm(dst, &tmpl->id.daddr);
-
 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 {
 DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
--
2.39.5
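Review bot: The comment on the new `else` branch says `tmp src/dst addresses`, which reads as a typo for the template (`tmpl`), and since this branch is now the only place the ESP template's `saddr`/`id.daddr` are filled in, it should state the actual rule, e.g. `/* only the tunnel mode IPcomp template carries src/dst; the transport mode ESP template stays unaddressed */`. With IPcomp the ESP template thus has neither addresses nor tunnel mode, so the `tmpl->reqid = reqid;` line just below is what binds it to this connection's SAs — worth saying so there, because a reader auditing policy/SA matching will otherwise look for the address fields. The `+ }` closes an `if` whose opening lies outside the hunk, and I am assuming the template fields start zeroed by an earlier clear of the request buffer that is not visible here. The second add_policy hunk is only the matching removal of the unconditional host2xfrm() calls and needs no separate change.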