From: Martin Willi
Date: Thu, 16 May 2013 11:32:48 +0000 (+0200)
Subject: Allow IPComp on NATed connections, both for IKEv1 and IKEv2
X-Git-Tag: 5.1.0dr1~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44d9970f4c1205afa280fcb5f90897a512f90c62;p=thirdparty%2Fstrongswan.git

Allow IPComp on NATed connections, both for IKEv1 and IKEv2

While this was problematic in earlier releases, it seems that it works just fine the way we handle compression now. So there is no need to disable it over NATed connections or when using forceencaps.
---
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 7a0fb5788d..47c844e5f6 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -774,19 +774,11 @@ METHOD(task_t, build_i, status_t,
 if (this->config->use_ipcomp(this->config))
 {
- if (this->udp)
+ this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
+ if (!this->cpi_i)
 {
- DBG1(DBG_IKE, "IPComp is not supported if either peer is "
- "natted, IPComp disabled");
- }
- else
- {
- this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
- if (!this->cpi_i)
- {
- DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
- "IPComp disabled");
- }
+ DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
+ "IPComp disabled");
 }
 }
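Review bot: The NAT guard in build_i is dropped without leaving any record in the code of why IPComp is now acceptable with UDP encapsulation; the commit message itself only says it "seems" to work. A short comment above the `alloc_cpi()` call would keep the check from being reintroduced later and make the behaviour change visible to whoever reads the function, for example `/* IPComp is negotiated regardless of NAT-T/forceencaps UDP encapsulation */`. The same applies to the matching removals in process_r and in add_ipcomp_notify in child_create.c. build_i starts and ends outside the hunk, so whether `this->udp` is still consulted elsewhere in it is not visible here.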
@@ -1009,21 +1001,13 @@ METHOD(task_t, process_r, status_t,
 if (this->config->use_ipcomp(this->config))
 {
- if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
- {
- DBG1(DBG_IKE, "IPComp is not supported if either peer is "
- "natted, IPComp disabled");
- }
- else
+ list = sa_payload->get_ipcomp_proposals(sa_payload,
+ &this->cpi_i);
+ if (!list->get_count(list))
 {
- list = sa_payload->get_ipcomp_proposals(sa_payload,
- &this->cpi_i);
- if (!list->get_count(list))
- {
- DBG1(DBG_IKE, "expected IPComp proposal but peer did "
- "not send one, IPComp disabled");
- this->cpi_i = 0;
- }
+ DBG1(DBG_IKE, "expected IPComp proposal but peer did "
+ "not send one, IPComp disabled");
+ this->cpi_i = 0;
 }
 }
 if (!list || !list->get_count(list))
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index 5a2c05d993..4e66c3f296 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -678,13 +678,6 @@ static void build_payloads(private_child_create_t *this, message_t *message)
 static void add_ipcomp_notify(private_child_create_t *this, message_t *message,
 u_int8_t ipcomp)
 {
- if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
- {
- DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
- "IPComp disabled");
- return;
- }
-
 this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
 if (this->my_cpi)
 {
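Review bot: In process_r (quick_mode.c), `list->get_count(list)` is called on the result of `get_ipcomp_proposals()` without a NULL check, while the context line right after the block tests `!list` first. That outer test probably covers the path where `use_ipcomp()` is false, but if the getter can return NULL this dereference is driven by the peer's SA payload, and with the NAT condition gone it is reached for NATed peers as well. Either make the inner test `if (!list || !list->get_count(list))` or add a comment stating that the getter always returns a list. Whether the empty list is released before the fallback runs is outside the hunk, as are the start and end of process_r.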