Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments

Other implementations send fragments always in an initial message type
even for transaction or quick mode exchanges.

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index de050cd3cfad4f382f91d5cc02a9ca6a3c0782fa..4029db11dd6f42771e51c27c628fe88ee95abb78 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1232,7 +1232,8 @@ METHOD(ike_sa_t, process_message, status_t,
                case IKE_SA_INIT:
                case IKE_AUTH:
                        if (this->state != IKE_CREATED &&
-                               this->state != IKE_CONNECTING)
+                               this->state != IKE_CONNECTING &&
+                               message->get_first_payload_type(message) != FRAGMENT_V1)
                        {
                                DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
                                         exchange_type_names, message->get_exchange_type(message));