Force the update of ph2 in pk_recvupdate() if NAT_T support, to solve some port match problems with the first IPSec SAs negociated as initiator

2007-05-04 09:09:26 +00:00 · 2007-05-04 09:09:26 +00:00 · ae24f5b259
parent 29cb26a639
commit ae24f5b259
1 changed files with 11 additions and 2 deletions
--- a/crypto/dist/ipsec-tools/src/racoon/pfkey.c
+++ b/crypto/dist/ipsec-tools/src/racoon/pfkey.c
@ -1,6 +1,6 @@
-/*	$NetBSD: pfkey.c,v 1.20 2007/03/21 14:29:22 vanhu Exp $	*/
+/*	$NetBSD: pfkey.c,v 1.21 2007/05/04 09:09:26 vanhu Exp $	*/

-/* $Id: pfkey.c,v 1.20 2007/03/21 14:29:22 vanhu Exp $ */
+/* $Id: pfkey.c,v 1.21 2007/05/04 09:09:26 vanhu Exp $ */

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -1283,6 +1283,15 @@ pk_recvupdate(mhp)
 	/* turn off schedule */
 	SCHED_KILL(iph2->scr);

+	/* Force the update of ph2's ports, as there is at least one
+	 * situation where they'll mismatch with ph1's values
+	 */
+
+#ifdef ENABLE_NATT
+	set_port(iph2->src, extract_port(iph2->ph1->local));
+	set_port(iph2->dst, extract_port(iph2->ph1->remote));
+#endif
+
 	/*
 	 * since we are going to reuse the phase2 handler, we need to
 	 * remain it and refresh all the references between ph1 and ph2 to use.