Use transport mode ESP SA if IPcomp is used, IPcomp already applies outer IP header
parent
52fd0ef9e0
commit
2b2c69e992
6
NEWS
6
NEWS
|
@ -5,7 +5,7 @@ strongswan-4.3.6
|
|||
|
||||
- More detailed IKEv2 EAP payload information in debug output
|
||||
|
||||
- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
|
||||
- IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
|
||||
|
||||
- Added required userland changes for proper SHA256 and SHA384/512 in ESP that
|
||||
will be introduced with Linux 2.6.33. The "sha256"/"sha2_256" keyword now
|
||||
|
@ -13,6 +13,10 @@ strongswan-4.3.6
|
|||
bit truncation used by previous releases. To use the old 96 bit truncation
|
||||
scheme, the new "sha256_96" proposal keyword has been introduced.
|
||||
|
||||
- Fixed IPComp in tunnel mode, stripping out the duplicated outer header. This
|
||||
change makes IPcomp tunnel mode connections incompatible with previous
|
||||
releases; disable compression on such tunnels.
|
||||
|
||||
strongswan-4.3.5
|
||||
----------------
|
||||
|
||||
|
|
|
@ -946,6 +946,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
|
|||
ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
|
||||
mode, ipcomp, 0, FALSE, inbound);
|
||||
ipcomp = IPCOMP_NONE;
|
||||
/* use transport mode ESP SA, IPComp uses tunnel mode */
|
||||
mode = MODE_TRANSPORT;
|
||||
}
|
||||
|
||||
memset(&request, 0, sizeof(request));
|
||||
|
@ -1663,6 +1665,15 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
|
|||
}
|
||||
|
||||
tmpl++;
|
||||
|
||||
/* use transport mode for ESP if we have a tunnel mode IPcomp SA */
|
||||
mode = MODE_TRANSPORT;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* when using IPcomp, only the IPcomp SA uses tmp src/dst addresses */
|
||||
host2xfrm(src, &tmpl->saddr);
|
||||
host2xfrm(dst, &tmpl->id.daddr);
|
||||
}
|
||||
|
||||
tmpl->reqid = reqid;
|
||||
|
@ -1671,9 +1682,6 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
|
|||
tmpl->mode = mode2kernel(mode);
|
||||
tmpl->family = src->get_family(src);
|
||||
|
||||
host2xfrm(src, &tmpl->saddr);
|
||||
host2xfrm(dst, &tmpl->id.daddr);
|
||||
|
||||
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
|
||||
{
|
||||
DBG1(DBG_KNL, "unable to add policy %R === %R %N", src_ts, dst_ts,
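Review bot: In add_policy the ESP template of the IPcomp branch now gets no saddr/daddr at all, and whether the kernel sees that as "unset" or as stale data depends on the request buffer having been zeroed before this hunk, which is not visible here; the `else` comment `when using IPcomp, only the IPcomp SA uses tmp src/dst addresses` describes the other branch instead of stating that intent. I would move the explanation next to the `mode = MODE_TRANSPORT;` line of the IPcomp branch: `/* ESP template deliberately keeps zero src/dst: the IPcomp template above carries the tunnel endpoints, and a transport-mode template is presumably resolved from the flow's own addresses (requires the request to be memset before filling templates) */`. The same reset happens in add_sa under the comment `use transport mode ESP SA, IPComp uses tunnel mode`, which is misleading when the negotiated mode is already transport (both assignments are then no-ops); `/* the IPComp SA already applies the outer header, so install ESP in transport mode to avoid duplicating it */` states the actual reason. add_policy's body begins before the second hunk and continues past the last line shown.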
|
||||
|
|