Install selectors on transport mode IPsec SAs.
authorJiri Bohac <jbohac@suse.cz>
Mon, 13 Dec 2010 14:28:40 +0000 (15:28 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 13 Dec 2010 14:28:40 +0000 (15:28 +0100)
This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:

  - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
    of the set of traffic selectors
  - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector

When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid.  Without
selectors on the IPsec SA, packets matching the trap policy but not the
narrowed policy would incorrectly be handled by that IPsec SA.  Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.

src/libcharon/sa/child_sa.c
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index b6ef31da0a3f7054de706bef60d40d1ca98f5cb8..74ad97c1909bce966d4c5a2012e943d96f0368c6 100644 (file)
@@ -620,7 +620,7 @@ METHOD(child_sa_t, install, status_t,
                lifetime->time.rekey = 0;
        }
 
-       if (this->mode == MODE_BEET)
+       if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
        {
                /* BEET requires the bound address from the traffic selectors.
                 * TODO: We add just the first traffic selector for now, as the
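Review bot: The comment directly under the changed condition still explains only the BEET case, so a reader of install() cannot tell why MODE_TRANSPORT now also has its traffic selectors handed to the kernel. Add the reason from the commit message next to the BEET sentence, e.g. `* Transport mode needs them too: a narrowed policy and the trap policy share a reqid, so without an SA selector traffic matching only the trap policy would be handled by this SA.` The existing TODO about passing only the first traffic selector now applies to transport mode as well and should say so. The body of install() starts and ends outside the hunk.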
index de665dd6b03d52f30d6a7676e38ed6a001140219..d2b939244ac4eb514a819d2c0241cb281a51b482 100644 (file)
@@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                        sa->flags |= XFRM_STATE_AF_UNSPEC;
                        break;
                case MODE_BEET:
+               case MODE_TRANSPORT:
                        if(src_ts && dst_ts)
                        {
                                sa->sel = ts2selector(src_ts, dst_ts);
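Review bot: The new MODE_TRANSPORT label shares the BEET branch, but the two cases fall back differently when src_ts or dst_ts is NULL: for transport mode the SA is then installed without a selector, which silently restores the behaviour the commit is fixing (trap-policy traffic handled by the narrowed SA), with nothing in the hunk recording that. A short comment at the case label, e.g. `/* transport: selector keeps trap-policy-only traffic off a narrowed SA */`, and a DBG message on the missing-selector path would make the fallback visible. Given the TODO in child_sa.c that only the first traffic selector is passed, a transport-mode SA negotiated with several narrowed selectors presumably ends up with a selector narrower than the policies that reference it; that is worth stating here as a known limitation. The enclosing switch and add_sa() continue outside the hunk.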