authorEugene Grosbein <eugen@FreeBSD.org>2019-03-27 08:56:35 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2019-03-27 08:56:35 +0000
commit6f8db9116757748957c3e3f0f20f71e6a8d524e9 (patch)
tree1a43101142d5eae60dd7d8e6e5736d9c76fb9e20 /security/ipsec-tools/files/natt.diff
parentPython library for decoding time units and variable values in a netCDF (diff)
security/ipsec-tools: small correction NATT patch
This change fixes a rare case for "site to site" IPSec tunnel mode when the remote peer is behind NAT and has its own LAN behind it. Now this works too (previously NATT worked only for a single host behind NAT).
Notes
Notes: svn path=/head/; revision=496938
Diffstat (limited to 'security/ipsec-tools/files/natt.diff')
-rw-r--r--security/ipsec-tools/files/natt.diff6
1 files changed, 4 insertions, 2 deletions
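--- a/security/ipsec-tools/files/natt.diff
+++ b/security/ipsec-tools/files/natt.diff
@@ -82,12 +82,14 @@
 return pfkey_send_add2(&psaa);
 --- src/racoon/isakmp_quick.c
 +++ src/racoon/isakmp_quick.c
-@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+@@ -2390,6 +2390,34 @@
 spidx.src.ss_family, spidx.dst.ss_family,
 _XIDT(iph2->id_p),idi2type);
 }
 +#ifdef ENABLE_NATT
-+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) {
 + u_int16_t port;
 +
 + port = extract_port(&spidx.src);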
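Review bot: The new guard tests the type of the local identity, `_XIDT(iph2->id)`, while the port rewritten a few lines later is taken from `spidx.src`; if spidx.src is derived from the peer's identity `iph2->id_p` (the log line just above the hunk suggests id_p is the relevant side here), a peer presenting a subnet ID against a local host ID still reaches `extract_port`, which is the asymmetric form of the case the commit describes. If that reading holds, the guard should also exclude the subnet types of the peer ID, e.g. `&& _XIDT(iph2->id_p) != IPSECDOI_ID_IPV4_ADDR_SUBNET && _XIDT(iph2->id_p) != IPSECDOI_ID_IPV6_ADDR_SUBNET`. A one-line comment above the condition explaining why subnet identities are skipped (the site-to-site case from the commit message) would spare the next reader from re-deriving it. The `#ifdef ENABLE_NATT` block and get_proposal_r continue past the end of the hunk.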