From: Tobias Brunner Date: Thu, 20 Dec 2012 10:55:33 +0000 (+0100) Subject: Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments X-Git-Tag: 5.0.2dr4~8^2~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8160377398e3a2e2e040824cedbf863518e98ec;p=thirdparty%2Fstrongswan.git Allow ID_PROT/AGGRESSIVE messages for established IKE_SAs if they contain fragments Other implementations send fragments always in an initial message type even for transaction or quick mode exchanges. --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index de050cd3cf..4029db11dd 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1232,7 +1232,8 @@ METHOD(ike_sa_t, process_message, status_t, case IKE_SA_INIT: case IKE_AUTH: if (this->state != IKE_CREATED && - this->state != IKE_CONNECTING) + this->state != IKE_CONNECTING && + message->get_first_payload_type(message) != FRAGMENT_V1) { DBG1(DBG_IKE, "ignoring %N in established IKE_SA state", exchange_type_names, message->get_exchange_type(message));
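Review bot: The added `message->get_first_payload_type(message) != FRAGMENT_V1` condition sits in the `if` under `case IKE_SA_INIT:` / `case IKE_AUTH:`, so the state check is relaxed for every exchange type that falls into this branch, not only the ID_PROT/AGGRESSIVE messages named in the commit message. Consider restricting the exemption to the IKEv1 exchange types it is meant for. The test also looks only at the first payload type, so any message whose first payload is a fragment now passes on an established IKE_SA. The visible lines do not show whether the message is checked against `this->state` again after reassembly. Please confirm that a reassembled ID_PROT or AGGRESSIVE message is still rejected when the state is neither `IKE_CREATED` nor `IKE_CONNECTING`. A short comment above the condition explaining the interoperability reason (other implementations send fragments in an initial message type even for transaction or quick mode exchanges) would keep the exception from looking accidental.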