As Quick Mode initiator, select a subset of the proposed and the returned TS

Cisco 5505 firewalls don't return the port if we send a specific one, causing
the is_contained_in() checks to fail. Using get_subset() selection builds the
Quick Mode correctly with the common subset of selectors.

Based on an initial patch from Paul Stewart.
Martin Willi 2013-03-07 09:50:43 +01:00
parent 486f4b5838
commit 9d9042d6d9
1 changed files with 11 additions and 4 deletions


@ -594,20 +594,27 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
if (this->initiator)
{
traffic_selector_t *tsisub, *tsrsub;
/* check if peer selection is valid */
if (!tsr->is_contained_in(tsr, this->tsr) ||
!tsi->is_contained_in(tsi, this->tsi))
tsisub = this->tsi->get_subset(this->tsi, tsi);
tsrsub = this->tsr->get_subset(this->tsr, tsr);
if (!tsisub || !tsrsub)
{
DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
"%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
DESTROY_IF(tsisub);
DESTROY_IF(tsrsub);
tsi->destroy(tsi);
tsr->destroy(tsr);
return FALSE;
}
tsi->destroy(tsi);
tsr->destroy(tsr);
this->tsi->destroy(this->tsi);
this->tsr->destroy(this->tsr);
this->tsi = tsi;
this->tsr = tsr;
this->tsi = tsisub;
this->tsr = tsrsub;
}
else
{