fixed notify handling in IKE_AUTH
moved nonce payload before TS in CHILD_SA setup
This commit is contained in:
Martin Willi
parent
f2d4ec5639
commit
c676f2e2a6
|
|
@ -330,12 +330,6 @@ static void build_payloads(private_child_create_t *this, message_t *message)
|
|||
}
|
||||
message->add_payload(message, (payload_t*)sa_payload);
|
||||
|
||||
/* add TSi/TSr payloads */
|
||||
ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
|
||||
message->add_payload(message, (payload_t*)ts_payload);
|
||||
ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
|
||||
message->add_payload(message, (payload_t*)ts_payload);
|
||||
|
||||
/* add nonce payload if not in IKE_AUTH */
|
||||
if (message->get_exchange_type(message) == CREATE_CHILD_SA)
|
||||
{
|
||||
|
|
@ -344,6 +338,12 @@ static void build_payloads(private_child_create_t *this, message_t *message)
|
|||
message->add_payload(message, (payload_t*)nonce_payload);
|
||||
}
|
||||
|
||||
/* add TSi/TSr payloads */
|
||||
ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
|
||||
message->add_payload(message, (payload_t*)ts_payload);
|
||||
ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
|
||||
message->add_payload(message, (payload_t*)ts_payload);
|
||||
|
||||
/* add a notify if we are not in tunnel mode */
|
||||
switch (this->mode)
|
||||
{
|
||||
|
|
@ -590,13 +590,25 @@ static status_t process_i(private_child_create_t *this, message_t *message)
|
|||
notify_payload_t *notify = (notify_payload_t*)payload;
|
||||
notify_type_t type = notify->get_notify_type(notify);
|
||||
|
||||
if (type < 16383)
|
||||
switch (type)
|
||||
{
|
||||
SIG(CHILD_UP_FAILED, "received %N notify error",
|
||||
notify_type_names, type);
|
||||
iterator->destroy(iterator);
|
||||
/* an error in CHILD_SA creation is not critical */
|
||||
return SUCCESS;
|
||||
/* handle notify errors related to CHILD_SA only */
|
||||
case NO_PROPOSAL_CHOSEN:
|
||||
case SINGLE_PAIR_REQUIRED:
|
||||
case NO_ADDITIONAL_SAS:
|
||||
case INTERNAL_ADDRESS_FAILURE:
|
||||
case FAILED_CP_REQUIRED:
|
||||
case TS_UNACCEPTABLE:
|
||||
case INVALID_SELECTORS:
|
||||
{
|
||||
SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
|
||||
notify_type_names, type);
|
||||
iterator->destroy(iterator);
|
||||
/* an error in CHILD_SA creation is not critical */
|
||||
return SUCCESS;
|
||||
}
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -386,10 +386,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
|
|||
case INVALID_SELECTORS:
|
||||
/* these are errors, but are not critical as only the
|
||||
* CHILD_SA won't get build, but IKE_SA establishes anyway */
|
||||
DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
|
||||
notify_type_names, type);
|
||||
iterator->destroy(iterator);
|
||||
return SUCCESS;
|
||||
break;
|
||||
default:
|
||||
{
|
||||
if (type < 16383)
|
||||
|
|
|
|||
Loading…
Reference in New Issue