[Openswan dev] [PATCH] uniqueids fixes for NAT-T and this.id

Herbert Xu herbert at gondor.apana.org.au
Wed Sep 7 15:21:32 CEST 2005


Hi Ken:

Here is a patch which changes --uniqueids in two ways:

1. Allow the same ID to connect twice if the local ID of the two
connections differ.

This shouldn't break existing users of --uniqueids since the local
ID should always be identical.

Where this becomes useful is if you have two connection templates
on the same server which provide different IPsec services that are
keyed by the local ID.

So depending on which ID the client connects to they will get a
different service.

In this situation it makes sense to allow the client to connect
to both services by checking for the local ID for the --uniqueids
check.

2. Check remote host port for NAT-T.

When the remote client is behind a NAT-T gateway, its IP address
may never change.  However, this doesn't prevent it from connecting
twice since its source port is allowed to change.  Therefore
we need to check both the address as well as the port to see if this
is a duplicate connection.

This shouldn't break clients not using NAT-T since their host_port
is fixed and therefore the new check simply becomes || 0 which is
a no-op.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Index: programs/pluto/connections.c
===================================================================
RCS file: /var/cvs/snwb/packages/openswan/programs/pluto/connections.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 connections.c
--- programs/pluto/connections.c	25 Aug 2005 01:13:48 -0000	1.1.1.2
+++ programs/pluto/connections.c	7 Sep 2005 04:07:24 -0000
@@ -3330,8 +3330,8 @@
 #endif
 	)
 {
-	/* for all connections: if the same Phase 1 peer ID is used
-	 * for a different IP address, unorient that connection.
+	/* for all connections: if the same Phase 1 IDs are used
+	 * for different IP addresses, unorient that connection.
 	 */
 	struct connection *d;
 
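Review bot: the rewritten comment only mentions "different IP addresses", but the check below now also unorients a connection whose remote port differs (the NAT-T case described in the cover text); extend the comment to "for different IP addresses or ports" so it matches the condition it documents.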
@@ -3340,8 +3340,10 @@
 	    struct connection *next = d->ac_next;	/* might move underneath us */
 
 	    if (d->kind >= CK_PERMANENT
+ 	    && same_id(&c->spd.this.id, &d->spd.this.id)
 	    && same_id(&c->spd.that.id, &d->spd.that.id)
-	    && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
+	    && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr)
+		|| (c->spd.that.host_port != d->spd.that.host_port)))
 	    {
 		release_connection(d, FALSE);
 	    }
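Review bot: the added line `+ 	    && same_id(&c->spd.this.id, &d->spd.this.id)` has a space before its leading tab, unlike the neighbouring `+\t` lines; drop the space so the indentation matches. On the logic, the `host_port` comparison is applied to every connection, not only NAT-T ones. The cover text argues this is a no-op for non-NAT-T peers because their port is fixed, which holds for peers on the default port, but a short in-code comment stating the NAT-T motivation would help the next reader, since nothing in the hunk says why a port difference alone should release the old connection. Finally, adding the `this.id` comparison relaxes the documented meaning of `uniqueids` (the same remote ID may now stay up twice when the local IDs differ), so the `uniqueids` description in the ipsec.conf documentation should be updated alongside this change.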


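The two behaviour changes described in the cover text can be modelled as a small before/after comparison. The following is an added example written for this page, not code from Openswan or from the patch author; the `Conn` record, the `is_duplicate`/`connections_to_release` functions and the connection names and addresses are constructed here to mirror the fields compared in the patch (`this.id`, `that.id`, `host_addr`, `host_port`). The `check_local_id` and `check_port` flags stand for the pre-patch (both off) and post-patch (both on) conditions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Conn:
    """Subset of an oriented connection, as compared by the uniqueids check."""
    name: str
    this_id: str    # local Phase 1 ID  (c->spd.this.id)
    that_id: str    # remote Phase 1 ID (c->spd.that.id)
    host_addr: str  # remote address    (c->spd.that.host_addr)
    host_port: int  # remote port       (c->spd.that.host_port); 4500 or a NAT-mapped port for NAT-T


def is_duplicate(c: Conn, d: Conn, check_local_id: bool, check_port: bool) -> bool:
    """True if bringing up `c` should release existing connection `d`.

    With both flags False this is the pre-patch condition:
        same that.id && !sameaddr(host_addr)
    With both flags True it is the patched condition:
        same this.id && same that.id && (!sameaddr(host_addr) || host_port differs)
    """
    if check_local_id and c.this_id != d.this_id:
        return False          # different local IDs: different service, not a duplicate
    if c.that_id != d.that_id:
        return False          # different peer IDs never collide
    if c.host_addr != d.host_addr:
        return True           # same peer ID from a new address: stale connection
    return check_port and c.host_port != d.host_port   # NAT-T: same address, new port


def connections_to_release(new: Conn, existing: List[Conn],
                           check_local_id: bool, check_port: bool) -> List[str]:
    """Names of the existing connections the uniqueids check would release."""
    return [d.name for d in existing if is_duplicate(new, d, check_local_id, check_port)]


# Constructed sample state: two services keyed by local ID, and one NAT-T client.
EXISTING = [
    Conn("svc1-alice", "@svc1.example", "@alice", "198.51.100.7", 4500),
    Conn("nat-bob",    "@gw.example",   "@bob",   "198.51.100.7", 4500),
    Conn("plain-carol", "@gw.example",  "@carol", "192.0.2.20",   500),
]

# Case 1: alice connects to the second service from another address.
ALICE_SVC2 = Conn("svc2-alice", "@svc2.example", "@alice", "192.0.2.9", 4500)
# Case 2: bob's NAT rebinds, same public address but a new source port.
BOB_REBIND = Conn("nat-bob-2", "@gw.example", "@bob", "198.51.100.7", 40123)
# Case 3: carol reconnects from the same address on the fixed IKE port.
CAROL_AGAIN = Conn("plain-carol-2", "@gw.example", "@carol", "192.0.2.20", 500)


def before_patch(new: Conn) -> List[str]:
    return connections_to_release(new, EXISTING, check_local_id=False, check_port=False)


def after_patch(new: Conn) -> List[str]:
    return connections_to_release(new, EXISTING, check_local_id=True, check_port=True)


if __name__ == "__main__":
    for label, conn in (("alice->svc2", ALICE_SVC2), ("bob rebind", BOB_REBIND),
                        ("carol again", CAROL_AGAIN)):
        print(f"{label:12s} before: {before_patch(conn)}  after: {after_patch(conn)}")
```

Running it shows the two effects side by side: the pre-patch check would tear down `svc1-alice` when alice reaches the second service, while the patched check leaves it up because the local IDs differ; conversely bob's NAT rebind releases the stale `nat-bob` only with the port comparison in place, and carol on the fixed port 500 is unaffected either way.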