diff -urNp openswan-2.6.32-orig/programs/pluto/ikev1_aggr.c openswan-2.6.32-cvs-patched/programs/pluto/ikev1_aggr.c
--- openswan-2.6.32-orig/programs/pluto/ikev1_aggr.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/ikev1_aggr.c 2011-01-12 12:59:26.037072703 -0500
@@ -795,6 +795,18 @@ aggr_inR1_outI2_tail(struct msg_digest *
 if (!encrypt_message(&md->rbody, st))
 return STF_INTERNAL_ERROR; /* ??? we may be partly committed */
+ if(c->newest_isakmp_sa != SOS_NOBODY && st->st_connection->spd.this.xauth_client && st->st_connection->remotepeertype == CISCO) {
+ DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and XAUTH is not supposed to be done again"));
+ st->hidden_variables.st_xauth_client_done = TRUE;
+ st->st_oakley.xauth = 0;
+
+ if(st->st_connection->spd.this.modecfg_client) {
+ DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and MODECFG is not supposed to be done again"));
+ st->hidden_variables.st_modecfg_vars_set = TRUE;
+ st->hidden_variables.st_modecfg_started = TRUE;
+ }
+ }
+
 c->newest_isakmp_sa = st->st_serialno;
 /* save last IV from phase 1 so it can be restored later so anything
@@ -883,6 +895,18 @@ aggr_inI2_tail(struct msg_digest *md
 /**************** done input ****************/
+ if(c->newest_isakmp_sa != SOS_NOBODY && st->st_connection->spd.this.xauth_client && st->st_connection->remotepeertype == CISCO) {
+ DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and XAUTH is not supposed to be done again"));
+ st->hidden_variables.st_xauth_client_done = TRUE;
+ st->st_oakley.xauth = 0;
+
+ if(st->st_connection->spd.this.modecfg_client) {
+ DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and MODECFG is not supposed to be done again"));
+ st->hidden_variables.st_modecfg_vars_set = TRUE;
+ st->hidden_variables.st_modecfg_started = TRUE;
+ }
+ }
+
 c->newest_isakmp_sa = st->st_serialno;
 update_iv(st); /* Finalize our Phase 1 IV */
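Review bot: The rekey test added after encrypt_message() (and repeated verbatim in the aggr_inI2_tail hunk) treats any non-empty c->newest_isakmp_sa as proof that XAUTH and MODECFG already completed on this connection, but c->newest_isakmp_sa is assigned on the very next context line, i.e. before XAUTH has run, so a previous aggressive-mode SA that reached this point and never finished XAUTH still satisfies the test, and the new SA is then marked st_xauth_client_done and st_modecfg_vars_set without the client ever having been authenticated or having received its configuration. The previous state named by c->newest_isakmp_sa should be looked up and its own hidden_variables.st_xauth_client_done / st_modecfg_vars_set checked before the flags are set on the new state; that needs a state lookup this hunk does not contain, so I describe it rather than quote it. The "seems to be rekey" wording in the DBG messages is honest about the guess, but the conditions should be documented at the block, e.g. `/* Cisco peers refuse a second XAUTH/MODECFG round on ISAKMP rekey; reuse the result of the previous SA */`. Both copies of the block would be better as one static helper so the two call sites cannot drift apart.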
@@ -1151,7 +1175,7 @@ aggr_outI1_tail(struct pluto_crypto_req_
 }
 #endif
- if (!nat_traversal_insert_vid(np, &md->rbody)) {
+ if (!nat_traversal_insert_vid(np, &md->rbody, st)) {
 reset_cur_state();
 return STF_INTERNAL_ERROR;
 }
diff -urNp openswan-2.6.32-orig/programs/pluto/ikev1_main.c openswan-2.6.32-cvs-patched/programs/pluto/ikev1_main.c
--- openswan-2.6.32-orig/programs/pluto/ikev1_main.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/ikev1_main.c 2011-01-12 12:59:44.631048136 -0500
@@ -216,7 +216,7 @@ main_outI1(int whack_sock
 int np = --numvidtosend > 0 ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
 /* Add supported NAT-Traversal VID */
- if (!nat_traversal_insert_vid(np, &md.rbody)) {
+ if (!nat_traversal_insert_vid(np, &md.rbody, st)) {
 reset_cur_state();
 return STF_INTERNAL_ERROR;
 }
diff -urNp openswan-2.6.32-orig/programs/pluto/nat_traversal.c openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.c
--- openswan-2.6.32-orig/programs/pluto/nat_traversal.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.c 2011-01-12 13:00:01.581048370 -0500
@@ -198,7 +198,7 @@ static void _natd_hash(const struct hash
 *
 * Used when we're Initiator
 */
-bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs)
+bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs, struct state *st)
 {
 bool r = TRUE;
 DBG(DBG_NATT
@@ -207,6 +207,9 @@ bool nat_traversal_insert_vid(u_int8_t n
 , nat_traversal_support_non_ike));
 if (nat_traversal_support_port_floating) {
+ if (st->st_connection->remotepeertype == CISCO) {
+ if (r) r = out_vid(np, outs, VID_NATT_RFC);
+ } else {
 if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
 if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_05);
 if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
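Review bot: The new CISCO branch dereferences st->st_connection with no NULL guard, here and again in the changed nat_traversal_support_non_ike condition in the following hunk, and the prototype change in nat_traversal.h says nothing about the new requirement; the two callers in this diff pass the current state, but nothing stops a future caller from passing NULL. Add to the declaration in nat_traversal.h: `/* st must be non-NULL; st->st_connection->remotepeertype selects which NAT-T VIDs are sent */`. For Cisco peers only VID_NATT_RFC is now emitted and VID_NATT_IETF_00 is suppressed as well, which keeps the `np` chaining of the last VID correct, but it is a deliberate interoperability change that deserves a one-line comment at the branch, e.g. `/* Cisco peers: send only the RFC NAT-T VID, the draft VIDs are not understood */` — I can only infer the motive, so adjust the wording to what was actually observed.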
@@ -214,8 +217,9 @@ bool nat_traversal_insert_vid(u_int8_t n
 if (r) r = out_vid(nat_traversal_support_non_ike ? ISAKMP_NEXT_VID : np, outs, VID_NATT_IETF_02);
+ }
 }
- if (nat_traversal_support_non_ike) {
+ if (nat_traversal_support_non_ike && st->st_connection->remotepeertype != CISCO) {
 if (r) r = out_vid(np, outs, VID_NATT_IETF_00);
 }
 return r;
diff -urNp openswan-2.6.32-orig/programs/pluto/nat_traversal.h openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.h
--- openswan-2.6.32-orig/programs/pluto/nat_traversal.h 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.h 2011-01-12 13:00:08.907049604 -0500
@@ -129,7 +129,7 @@ extern int nat_traversal_espinudp_socket
 */
 #ifndef PB_STREAM_UNDEFINED
 bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs);
-bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs);
+bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs, struct state *st);
 #endif
 u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid);
diff -urNp openswan-2.6.32-orig/programs/pluto/spdb_v1_struct.c openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c
--- openswan-2.6.32-orig/programs/pluto/spdb_v1_struct.c 2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c 2011-01-12 13:00:40.692054622 -0500
@@ -1547,7 +1547,7 @@ parse_ipsec_transform(struct isakmp_tran
 case SA_LIFE_TYPE_SECONDS:
 /* silently limit duration to our maximum */
 attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
- ? val : SA_LIFE_DURATION_MAXIMUM;
+ ? (val < st->st_connection->sa_ipsec_life_seconds ? val : st->st_connection->sa_ipsec_life_seconds) : SA_LIFE_DURATION_MAXIMUM;
 break;
 case SA_LIFE_TYPE_KBYTES:
 attrs->life_kilobytes = val;
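Review bot: The new per-connection lifetime clamp is applied only inside the `val <= SA_LIFE_DURATION_MAXIMUM` arm, so a proposal whose lifetime exceeds SA_LIFE_DURATION_MAXIMUM still yields SA_LIFE_DURATION_MAXIMUM even when the connection's sa_ipsec_life_seconds is smaller — an oversized proposal bypasses exactly the configured limit this change is meant to enforce. Clamp against both bounds unconditionally: `attrs->life_seconds = val;` / `if (attrs->life_seconds > st->st_connection->sa_ipsec_life_seconds) attrs->life_seconds = st->st_connection->sa_ipsec_life_seconds;` / `if (attrs->life_seconds > SA_LIFE_DURATION_MAXIMUM) attrs->life_seconds = SA_LIFE_DURATION_MAXIMUM;`. The context comment `/* silently limit duration to our maximum */` should then say the limit is the smaller of the configured and the absolute maximum. Silently using a shorter lifetime than proposed leaves the peer believing the SA lives longer than it does; whether this path already sends a RESPONDER-LIFETIME notification is outside the hunk, and the comparison mixes the type of val with that of sa_ipsec_life_seconds, which is worth a look with -Wsign-compare.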
@@ -1613,7 +1613,13 @@ parse_ipsec_transform(struct isakmp_tran
 loglog(RC_LOG_SERIOUS,
 "%s must only be used with old IETF drafts",
 enum_name(&enc_mode_names, val));
+ if(st->st_connection->remotepeertype == CISCO) {
+ DBG_log( "Allowing, as this may be due to rekey");
+ attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS + ENCAPSULATION_MODE_TUNNEL;
+ }
+ else {
 return FALSE;
+ }
 }
 else if (st->hidden_variables.st_nat_traversal & NAT_T_DETECTED) {
 attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS + ENCAPSULATION_MODE_TUNNEL;
diff -urNp openswan-2.6.32-orig/programs/_updown.netkey/_updown.netkey.in openswan-2.6.32-cvs-patched/programs/_updown.netkey/_updown.netkey.in
--- openswan-2.6.32-orig/programs/_updown.netkey/_updown.netkey.in 2011-01-12 12:31:15.237048214 -0500
+++ openswan-2.6.32-cvs-patched/programs/_updown.netkey/_updown.netkey.in 2011-01-12 12:58:50.291049690 -0500
@@ -318,6 +318,40 @@ addsource() {
 return $st
 }
+delsource() {
+ st=0
+ # check if given sourceip is local and add as alias if not
+ if ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local; then
+ #it="ip addr del ${PLUTO_MY_SOURCEIP%/*}/32 label ${PLUTO_INTERFACE%:*}:1 dev ${PLUTO_INTERFACE%:*}"
+
+ saddr=${PLUTO_MY_SOURCEIP%/*}/32
+ if test "${PLUTO_PEER_CLIENT##*/}" != 32
+ then
+ saddr=${PLUTO_MY_SOURCEIP%/*}/"${PLUTO_PEER_CLIENT##*/}"
+ fi
+
+ it="ip addr del ${saddr} dev ${PLUTO_INTERFACE%:*}"
+
+ oops="`eval $it 2>&1`"
+ st=$?
+ if [ " $oops" = " " -a " $st" != " 0" ]; then
+ oops="silent error, exit status $st"
+ fi
+ case "$oops" in
+ 'RTNETLINK answers: File exists'*)
+ # should not happen, but ... ignore if the
+ # address was already assigned on interface
+ oops=""
+ st=0
+ ;;
+ esac
+ if [ " $oops" != " " -o " $st" != " 0" ]; then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
 doroute() {
 if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
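Review bot: The Cisco branch accepts a draft UDP-tunnel encapsulation mode immediately after the unchanged loglog(RC_LOG_SERIOUS, ...) has reported it as invalid, so an operator sees a serious error followed by an SA that silently comes up, and the only record of the acceptance is a DBG_log that is off in production. Log the decision at normal level instead, e.g. replace the DBG_log line with `loglog(RC_LOG, "accepting %s from Cisco peer, presumably a rekey", enum_name(&enc_mode_names, val));`, or move the Cisco test above the loglog so the serious message is only printed when the proposal is really rejected. The condition guarding this whole branch starts above the hunk, so I cannot tell whether NAT-T detection has already been established on this path; the following `else if` requires `st->hidden_variables.st_nat_traversal & NAT_T_DETECTED` before mapping a draft mode to tunnel mode, and the Cisco branch should require the same so that UDP encapsulation is not accepted from a peer that is not behind a NAT. The `}` / `else {` placement also differs from the brace style of the surrounding code.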
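Review bot: delsource() was cloned from addsource() and still reports its failures as `addsource`; the echo line should read `echo "$0: delsource \`$it' failed ($oops)" >&2`, and the leading comment should describe the delete, e.g. `# remove the sourceip alias again if it is configured locally`. The benign-error case is also the add-side one: 'RTNETLINK answers: File exists' is what `ip addr add` reports for a duplicate, whereas `ip addr del` of an address that is already gone typically reports `RTNETLINK answers: Cannot assign requested address`, so the case label should match that message (verify against the iproute2 version in use). The commented-out `#it=...` line is dead code and should be dropped. The command is still built as a string from PLUTO_MY_SOURCEIP and PLUTO_PEER_CLIENT and run through `eval`; for a MODECFG client that address originates from the remote gateway, so the expansions should be quoted rather than relying on pluto always handing over a plain address — inherited from addsource, but now there are two copies of it.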
@@ -357,6 +391,10 @@ doroute() {
 parms2="$parms2 src ${PLUTO_MY_SOURCEIP%/*}"
 fi
+ if [ "$1" = "del" -a -n "$PLUTO_MY_SOURCEIP" ]; then
+ delsource
+ fi
+
 case "$PLUTO_PEER_CLIENT" in
 "0.0.0.0/0")
 # opportunistic encryption work around
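Review bot: delsource is invoked before the `case "$PLUTO_PEER_CLIENT"` route handling that follows, so on a `del` the source address is removed first; on Linux, deleting an address also purges routes whose preferred source is that address, which would make the later `ip route del` in doroute (its tail is outside this hunk) fail for a route that is already gone and log a spurious error. Unless the ordering is required, run the address removal after the route removal, mirroring where the add side configures it. The exit status of delsource is discarded, which is reasonable for teardown, but a short comment `# best-effort: a stale alias must not block the route removal` would make that intent explicit.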