suppress IKEv2-specific policy flags in pluto. Patch contributed by Heiko Hund from...
[strongswan.git] / src / starter / starterwhack.c
index e920fc7..019489e 100644 (file)
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: starterwhack.c,v 1.17 2006/04/17 10:32:36 as Exp $
+ * RCSID $Id$
  */
 
 #include <sys/types.h>
@@ -148,17 +148,22 @@ connection_name(starter_conn_t *conn)
 }
 
 static void
-set_whack_end(whack_end_t *w, starter_end_t *end)
+set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family)
 {
     w->id                  = end->id;
     w->cert                = end->cert;
     w->ca                  = end->ca;
     w->groups              = end->groups;
     w->host_addr           = end->addr;
-    w->host_nexthop        = end->nexthop;
     w->host_srcip          = end->srcip;
     w->has_client          = end->has_client;
 
+    if (family == AF_INET6 && isanyaddr(&end->nexthop))
+    {
+       anyaddr(AF_INET6, &end->nexthop);
+    }
+    w->host_nexthop        = end->nexthop;
+
     if (w->has_client)
        w->client          = end->subnet;
     else
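Review bot: The IPv6 fix-up writes through `end` instead of into the whack message: `anyaddr(AF_INET6, &end->nexthop)` rewrites the starter's own connection record as a side effect of filling in `w`. Copying first and normalising the copy would keep `end` read-only: `w->host_nexthop = end->nexthop;` followed by `if (family == AF_INET6 && isanyaddr(&w->host_nexthop)) anyaddr(AF_INET6, &w->host_nexthop);`. Whether other starter code depends on the rewritten `end->nexthop` cannot be seen from this hunk, so that needs confirming before the change. The body of set_whack_end continues past the end of the hunk.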
@@ -168,9 +173,9 @@ set_whack_end(whack_end_t *w, starter_end_t *end)
     w->has_port_wildcard   = end->has_port_wildcard;
     w->has_srcip           = end->has_srcip;
     w->has_natip           = end->has_natip;
+    w->allow_any           = end->allow_any && !end->dns_failed;
     w->modecfg             = end->modecfg;
     w->hostaccess          = end->hostaccess;
-    w->allow_any           = end->allow_any;
     w->sendcert            = end->sendcert;
     w->updown              = end->updown;
     w->host_port           = IKE_UDP_PORT;
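Review bot: The new `w->allow_any = end->allow_any && !end->dns_failed;` line changes which peer addresses are accepted but carries no comment, and the commit title does not mention it. A short comment above it would record the intent, for example `/* never fall back to accepting any peer address after a failed DNS lookup */`. That wording is inferred from the field names and should be checked against where `dns_failed` is set, which is outside this hunk.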
@@ -246,8 +251,16 @@ starter_whack_add_conn(starter_conn_t *conn)
     msg.sa_keying_tries       = conn->sa_keying_tries;
     msg.policy                = conn->policy;
 
-    set_whack_end(&msg.left, &conn->left);
-    set_whack_end(&msg.right, &conn->right);
+    /*
+     * Make sure the IKEv2-only policy bits are unset for IKEv1 connections
+     */
+    msg.policy &= ~POLICY_DONT_REAUTH;
+    msg.policy &= ~POLICY_BEET;
+    msg.policy &= ~POLICY_MOBIKE;
+    msg.policy &= ~POLICY_FORCE_ENCAP;
+
+    set_whack_end(&msg.left, &conn->left, conn->addr_family);
+    set_whack_end(&msg.right, &conn->right, conn->addr_family);
 
     msg.esp = conn->esp;
     msg.ike = conn->ike;
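Review bot: The IKEv2-only bits are cleared by a hard-coded list of four `msg.policy &= ~…` statements, so any IKEv2-only policy flag added later will still be passed to pluto unless this list is extended by hand. Collapsing them into one statement makes the set easier to audit: `msg.policy &= ~(POLICY_DONT_REAUTH | POLICY_BEET | POLICY_MOBIKE | POLICY_FORCE_ENCAP);`. A named mask defined next to the POLICY_* flags would be better still, if the project has a suitable place for it. The clearing is also silent, so a connection configured with one of these options gets no hint that pluto ignores it; a debug or warning message when a bit is actually dropped would help operators. starter_whack_add_conn begins and ends outside the hunk.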