suppress IKEv2-specific policy flags in pluto. Patch contributed by Heiko Hund from...
[strongswan.git] / src / starter / starterwhack.c
index 38cff4a..019489e 100644 (file)
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterwhack.c,v 1.17 2006/04/17 10:32:36 as Exp $
+ * RCSID $Id$
  */
 
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
-#include <linux/stddef.h>
+#include <stddef.h>
 #include <unistd.h>
 #include <errno.h>
 
@@ -148,25 +148,32 @@ connection_name(starter_conn_t *conn)
 }
 
 static void
-set_whack_end(whack_end_t *w, starter_end_t *end)
+set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
 {
     w->id                  = end->id;
     w->cert                = end->cert;
     w->ca                  = end->ca;
     w->groups              = end->groups;
     w->host_addr           = end->addr;
-    w->host_nexthop        = end->nexthop;
     w->host_srcip          = end->srcip;
+    w->has_client          = end->has_client;
+
+    if (family == AF_INET6 && isanyaddr(&end->nexthop))
+    {
+       anyaddr(AF_INET6, &end->nexthop);
+    }
+    w->host_nexthop        = end->nexthop;
 
-    if (end->has_client)
-       w->client = end->subnet;
+    if (w->has_client)
+       w->client          = end->subnet;
     else
-       w->client.addr.u.v4.sin_family = AF_INET;
+       w->client.addr.u.v4.sin_family = addrtypeof(&w->host_addr);
 
-    w->has_client          = end->has_client;
     w->has_client_wildcard = end->has_client_wildcard;
     w->has_port_wildcard   = end->has_port_wildcard;
     w->has_srcip           = end->has_srcip;
+    w->has_natip           = end->has_natip;
+    w->allow_any           = end->allow_any && !end->dns_failed;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
     w->sendcert            = end->sendcert;
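Review bot: The new AF_INET6 fix-up writes back into the caller's structure: `anyaddr(AF_INET6, &end->nexthop)` mutates `end->nexthop`, although set_whack_end() otherwise only reads from `end` and is called once per side with the parsed connection data. Applying the conversion to a local copy keeps the helper free of side effects on the configuration it was handed and removes any dependence on how often or in what order it is invoked. anyaddr() also appears to report failure through its return value, which is discarded here; if it cannot fail for AF_INET6 a short comment saying so would help. set_whack_end's body continues past the end of this hunk.
```c
    /* For IPv6 connections map an "any" nexthop to the IPv6 any-address,
     * working on a copy so the caller's starter_end_t is left untouched. */
    ip_address nexthop = end->nexthop;

    if (family == AF_INET6 && isanyaddr(&nexthop))
    {
        anyaddr(AF_INET6, &nexthop);
    }
    w->host_nexthop        = nexthop;
    /* … unchanged: client / wildcard / srcip assignments … */
```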
@@ -234,6 +241,7 @@ starter_whack_add_conn(starter_conn_t *conn)
     msg.whack_connection = TRUE;
     msg.name = connection_name(conn);
 
+    msg.ikev1                 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
     msg.addr_family           = conn->addr_family;
     msg.tunnel_addr_family    = conn->tunnel_addr_family;
     msg.sa_ike_life_seconds   = conn->sa_ike_life_seconds;
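Review bot: The new `msg.ikev1` assignment classifies every keyexchange value other than KEY_EXCHANGE_IKEV2 as IKEv1, which presumably includes the default that leaves the version open; since this flag decides how pluto treats the connection, the rule deserves a one-line comment next to it, e.g. `/* anything not restricted to IKEv2 is handled as IKEv1 by pluto */`. Should the keyexchange enum ever gain further values they would silently fall into the IKEv1 case as well; comparing against the explicit IKEv1 value(s) instead would make that visible — confirm against the enum definition, which is outside this file. starter_whack_add_conn's body extends beyond the hunk on both sides.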
@@ -243,8 +251,16 @@ starter_whack_add_conn(starter_conn_t *conn)
     msg.sa_keying_tries       = conn->sa_keying_tries;
     msg.policy                = conn->policy;
 
-    set_whack_end(&msg.left, &conn->left);
-    set_whack_end(&msg.right, &conn->right);
+    /*
+     * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
+     */
+    msg.policy &= ~POLICY_DONT_REAUTH;
+    msg.policy &= ~POLICY_BEET;
+    msg.policy &= ~POLICY_MOBIKE;
+    msg.policy &= ~POLICY_FORCE_ENCAP;
+
+    set_whack_end(&msg.left, &conn->left, conn->addr_family);
+    set_whack_end(&msg.right, &conn->right, conn->addr_family);
 
     msg.esp = conn->esp;
     msg.ike = conn->ike;
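Review bot: The comment above the four `msg.policy &= ~...` statements says the IKEv2-only bits are cleared "for IKEv1 connections", but the masking is unconditional — it runs regardless of the `msg.ikev1` value assigned a few lines earlier, so comment and code disagree. If every connection that reaches this function is passed to pluto and pluto never uses those bits (which is what the commit title suggests), say so and fold the four lines into one: `/* pluto only speaks IKEv1: strip the IKEv2-only policy bits unconditionally */` followed by `msg.policy &= ~(POLICY_DONT_REAUTH | POLICY_BEET | POLICY_MOBIKE | POLICY_FORCE_ENCAP);`. If the intent really is to clear them only for IKEv1 connections, guard the mask with `if (msg.ikev1)` instead. starter_whack_add_conn's body extends beyond the hunk on both sides.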