From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 12 Aug 2014 13:15:02 +0000 (+0200)
Subject: ikev1: Make sure proposed IPsec mode matches our own
X-Git-Tag: 5.2.1dr1~80
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d38a03d77096467f32ca6b3baad4a8d5110313c;p=thirdparty%2Fstrongswan.git

ikev1: Make sure proposed IPsec mode matches our own

References #557.
---

diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 0d6be38812..1133aab65b 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -1030,7 +1030,8 @@ METHOD(task_t, process_r, status_t,
 			}
 			tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
 			tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
-			if (!this->config || !this->tsi || !this->tsr)
+			if (!this->config || !this->tsi || !this->tsr ||
+				this->mode != this->config->get_mode(this->config))
 			{
 				DBG1(DBG_IKE, "no matching CHILD_SA config found");
 				return send_notify(this, INVALID_ID_INFORMATION);