From: Tobias Brunner Date: Mon, 30 Aug 2010 12:54:31 +0000 (+0200) Subject: Port floating patch partially reversed. X-Git-Tag: 4.5.0~382 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2402dee177e538a653828020fb0b186ebf8d14df;p=thirdparty%2Fstrongswan.git Port floating patch partially reversed. If MOBIKE is enabled, we do have to switch to port 4500 with the IKE_AUTH request, that is, before we know whether the other peer actually supports MOBIKE or not.
---
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index 6dbd1bafd8..a62886f02e 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -468,18 +468,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 if (message->get_exchange_type(message) == IKE_AUTH &&
 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 {
- peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
 process_payloads(this, message);
-
- /* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
- * if no NAT is detected. MOBIKE requires this. */
- if (peer_cfg->use_mobike(peer_cfg) &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
- {
- this->ike_sa->float_ports(this->ike_sa);
- }
 return SUCCESS;
 }
 else if (message->get_exchange_type(message) == INFORMATIONAL)
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index c731178bb7..aa0d3ec1c1 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -264,7 +264,14 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 if (message->get_exchange_type(message) == IKE_SA_INIT)
 {
- if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+ peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+ /* if peer supports NAT-T, we switch to port 4500 even
+ * if no NAT is detected. can't be done later (when we would know
+ * whether the peer supports MOBIKE) because there would be no
+ * exchange to actually do the switch (other than a forced DPD). */
+ (peer_cfg->use_mobike(peer_cfg) &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
 {
 this->ike_sa->float_ports(this->ike_sa);
 }
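Review bot: The four-line block comment is placed between the two operands of the `||` in the new condition, which splits one boolean expression across ten lines and buries the second leg; hoisting the explanation above the `if` and naming the MOBIKE/NAT-T leg keeps the condition on two lines. The comment should also say that this leg depends on the local `use_mobike` setting and not only on the peer supporting NAT-T, since that is what the expression tests. `peer_cfg` is dereferenced without a NULL check; on the initiator a peer config is presumably attached to the IKE_SA before the IKE_SA_INIT response is processed, so a short comment stating that assumption would help readers of this path. process_i starts before the hunk and continues past its last line.
```c
	if (message->get_exchange_type(message) == IKE_SA_INIT)
	{
		peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
		bool mobike_natt;

		/* if MOBIKE is enabled locally and the peer supports NAT-T, we switch
		 * to port 4500 even if no NAT is detected. This can't be done later
		 * (when we would know whether the peer supports MOBIKE) because there
		 * would be no exchange to actually do the switch (other than a forced
		 * DPD). peer_cfg is expected to be set on the initiator at this point. */
		mobike_natt = peer_cfg->use_mobike(peer_cfg) &&
					  this->ike_sa->supports_extension(this->ike_sa, EXT_NATT);
		if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) || mobike_natt)
		{
			/* … unchanged: float_ports() call … */
		}
```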