ike: Float to port 4500 if either port is 500

If the responder is behind a NAT that remaps the response from the
statically forwarded port 500 to a new external port (as Azure seems to be
doing) we should still switch to port 4500 if we used port 500 so far as
it would not have been possible to send any messages to it if it wasn't
really port 500 (we only add a non-ESP marker if neither port is 500).

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index c6cacdf9c1460b1ecb49f90f52c661f8b44eb761..381435688b65776af2d743e99cbc3cdcf9e16238 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1053,17 +1053,19 @@ METHOD(ike_sa_t, has_mapping_changed, bool,
 METHOD(ike_sa_t, float_ports, void,
           private_ike_sa_t *this)
 {
-       /* do not switch if we have a custom port from MOBIKE/NAT */
+       /* even if the remote port is not 500 (e.g. because the response was natted)
+        * we switch the remote port if we used port 500 */
+       if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
+               this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+       {
+               this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+       }
        if (this->my_host->get_port(this->my_host) ==
                        charon->socket->get_port(charon->socket, FALSE))
        {
                this->my_host->set_port(this->my_host,
                                                                charon->socket->get_port(charon->socket, TRUE));
        }
-       if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
-       {
-               this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
-       }
 }
 
 METHOD(ike_sa_t, update_hosts, void,