ike: Fall back to the current remote IP if it resolves to %any

In some situations it might be valid for a host that configures
right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
immediately abort the initiation causing the new SA to fail (which
might already have the existing CHILD_SAs assigned).

Fixes #1027.

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 0c13c587c48779bb1059b39f94ce0fc14ecacc79..752a75696f0a1aab543878262c69076e9fbbc5e4 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this)
        }
        if (host)
        {
-               set_other_host(this, host);
+               if (!host->is_anyaddr(host) ||
+                       this->other_host->is_anyaddr(this->other_host))
+               {       /* don't set to %any if we currently have an address, but the
+                        * address family might have changed */
+                       set_other_host(this, host);
+               }
        }
 
        if (this->local_host)