Port floating patch partially reversed.
authorTobias Brunner <tobias@strongswan.org>
Mon, 30 Aug 2010 12:54:31 +0000 (14:54 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 30 Aug 2010 12:54:31 +0000 (14:54 +0200)
If MOBIKE is enabled, we do have to switch to port 4500 with the
IKE_AUTH request, that is, before we know whether the other peer
actually supports MOBIKE or not.

src/libcharon/sa/tasks/ike_mobike.c
src/libcharon/sa/tasks/ike_natd.c

index 6dbd1ba..a62886f 100644 (file)
@@ -468,18 +468,7 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
        if (message->get_exchange_type(message) == IKE_AUTH &&
                this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
        {
-               peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
                process_payloads(this, message);
-
-               /* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
-                * if no NAT is detected. MOBIKE requires this. */
-               if (peer_cfg->use_mobike(peer_cfg) &&
-                       this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
-                       this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
-               {
-                       this->ike_sa->float_ports(this->ike_sa);
-               }
                return SUCCESS;
        }
        else if (message->get_exchange_type(message) == INFORMATIONAL)
index c731178..aa0d3ec 100644 (file)
@@ -264,7 +264,14 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
 
        if (message->get_exchange_type(message) == IKE_SA_INIT)
        {
-               if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+               peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+               if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+                       /* if peer supports NAT-T, we switch to port 4500 even
+                        * if no NAT is detected. can't be done later (when we would know
+                        * whether the peer supports MOBIKE) because there would be no
+                        * exchange to actually do the switch (other than a forced DPD). */
+                       (peer_cfg->use_mobike(peer_cfg) &&
+                        this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
                {
                        this->ike_sa->float_ports(this->ike_sa);
                }
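Review bot: The four-line comment is placed between the two operands of the `||` in the new condition, and it describes only the NAT-T half even though the second operand also requires `use_mobike()` on the local peer config; the condition is hard to read as a unit. Hoisting the MOBIKE clause into a named flag with the comment above it states the real rule: `bool mobike_float = peer_cfg->use_mobike(peer_cfg) && this->ike_sa->supports_extension(this->ike_sa, EXT_NATT);` followed by `if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) || mobike_float)`. The comment's opening sentence should then read along the lines of `/* if MOBIKE is enabled and the peer supports NAT-T, switch to port 4500 even if no NAT is detected ... */` so it matches what the code actually checks. `peer_cfg` is also dereferenced without a NULL check; as initiator handling the IKE_SA_INIT response the peer config is presumably always set, but if `get_peer_cfg()` can return NULL on this path the new code would crash where the old one did not. process_i continues past the end of the hunk.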