ike: Do remote address updates also when behind static NATs
author: Tobias Brunner <tobias@strongswan.org>
Fri, 10 Oct 2014 10:55:39 +0000 (12:55 +0200)
committer: Tobias Brunner <tobias@strongswan.org>
Mon, 13 Oct 2014 13:20:17 +0000 (15:20 +0200)
We assume that a responder is behind a static NAT (e.g. port forwarding)
and allow remote address updates in such situations.

The problem described in RFC 5996 is only an issue if the NAT mapping
can expire.

src/libcharon/sa/ike_sa.c

index 0d4aa0c..d92b9df 100644
@@ -936,11 +936,14 @@ METHOD(ike_sa_t, update_hosts, void,
                        update = TRUE;
                }
 
-               if (!other->equals(other, this->other_host))
+               if (!other->equals(other, this->other_host) &&
+                       (force || has_condition(this, COND_NAT_THERE)))
                {
-                       /* update others address if we are NOT NATed */
-                       if ((has_condition(this, COND_NAT_THERE) &&
-                                !has_condition(this, COND_NAT_HERE)) || force )
+                       /* only update other's address if we are behind a static NAT,
+                        * which we assume is the case if we are not initiator */
+                       if (force ||
+                               (!has_condition(this, COND_NAT_HERE) ||
+                                !has_condition(this, COND_ORIGINAL_INITIATOR)))
                        {
                                set_other_host(this, other->clone(other));
                                update = TRUE;
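Review bot: The comment above the inner `if` describes only the "not initiator" case, but the condition `(!has_condition(this, COND_NAT_HERE) || !has_condition(this, COND_ORIGINAL_INITIATOR))` also permits the update whenever this end is not NATed at all, so the comment no longer matches the code it annotates; suggest rewording it to name both branches, e.g. "update other's address if we are not NATed, or if we are behind a NAT we assume to be static because we are the responder". Since the role check is the only thing standing in for "static NAT", and the commit message itself calls it an assumption, it would also help to say in the comment (or in the project's release notes) that a responder behind a dynamic NAT mapping, the case RFC 5996 warns about, is now accepting remote address changes on the strength of that assumption, so operators know the behaviour changed for them.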