ike: Fall back to the current remote IP if it resolves to %any
author Tobias Brunner <tobias@strongswan.org>
Fri, 10 Jul 2015 08:23:02 +0000 (10:23 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Mon, 27 Jul 2015 11:45:16 +0000 (13:45 +0200)

In some situations it might be valid for a host that configures
right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
immediately abort the initiation causing the new SA to fail (which
might already have the existing CHILD_SAs assigned).

Fixes #1027.

src/libcharon/sa/ike_sa.c

index 0c13c58..752a756 100644 (file)
@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this)
        }
        if (host)
        {
-               set_other_host(this, host);
+               if (!host->is_anyaddr(host) ||
+                       this->other_host->is_anyaddr(this->other_host))
+               {       /* don't set to %any if we currently have an address, but the
+                        * address family might have changed */
+                       set_other_host(this, host);
+               }
        }
 
        if (this->local_host)
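
Review bot: The new guard `if (!host->is_anyaddr(host) || this->other_host->is_anyaddr(this->other_host))` has no else branch, so when resolution yields %any while `other_host` already holds an address, `host` is neither passed to `set_other_host()` nor released. If `set_other_host()` takes ownership of `host`, as the unconditional call it replaces suggests, that skipped path leaks the object each time it is hit; consider adding `else { host->destroy(host); }`. The comment would also be easier to follow if it sat above the condition and said outright that the current remote address is kept when the configured one resolves to %any.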