author | Timo Teräs <timo.teras@iki.fi> | 2011-03-30 09:38:30 +0300 |
committer | Timo Teräs <timo.teras@iki.fi> | 2011-03-30 09:39:25 +0300 |
commit | 6185e1ece14658b5d6ca7ac80a5567eed10565ae (patch) | |
tree | 6430311e6a58af3a5de6af40bf6031ba68faad59 /main/ipsec-tools/20-grekey-support.patch | |
parent | ddc05422175ce83055dfbfdbb96eef94156b1806 (diff) | |
main/ipsec-tools: refresh gre-support patch
The previous version of the patch was missing some upper-layer port (ulport) swaps, which caused ISAKMP quick mode as responder to fail in certain cases.
Diffstat (limited to 'main/ipsec-tools/20-grekey-support.patch')
-rw-r--r-- | main/ipsec-tools/20-grekey-support.patch | 234 |
1 files changed, 176 insertions, 58 deletions
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch index 9ad2bca740..b8b5c35b11 100644 --- a/main/ipsec-tools/20-grekey-support.patch +++ b/main/ipsec-tools/20-grekey-support.patch @@ -1,7 +1,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-03 19:28:29.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-03 19:29:42.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-29 22:08:43.000000000 +0300 @@ -232,7 +232,7 @@ "\n" " <saopts>: \"isakmp\" <family> <src> <dst>\n" @@ -83,8 +83,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c if (p_port) Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 19:28:29.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 08:31:00.000000000 +0300 @@ -444,7 +444,7 @@ /* search appropreate configuration */ 
@@ -94,27 +94,18 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c else rmconf = getrmconf_by_name(name); if (rmconf == NULL) { -@@ -536,6 +536,16 @@ +@@ -536,6 +536,7 @@ spidx.prefs = ndx->prefd; spidx.prefd = ndx->prefs; spidx.ul_proto = ndx->ul_proto; -+ switch (ndx->ul_proto) { -+ case IPPROTO_ICMP: -+ case IPPROTO_ICMPV6: -+ case IPPROTO_GRE: -+ /* Ports are UL specific data, and should -+ * not get swapped */ -+ set_port((struct sockaddr *) &spidx.src, extract_port(src)); -+ set_port((struct sockaddr *) &spidx.dst, extract_port(dst)); -+ break; -+ } ++ spidx_normalize_ulports(&spidx); sp_in = getsp_r(&spidx); if (sp_in) { Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-03 19:57:26.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-04 13:07:03.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-29 22:08:43.000000000 +0300 @@ -288,6 +288,7 @@ <S_SAINF>any { YYD; return(ANY); } <S_SAINF>from { YYD; return(FROM); } @@ -125,9 +116,9 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l <S_SAINF>{semi} { BEGIN S_INI; return(EOS); } Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-03 19:57:30.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-04 13:09:01.000000000 +0200 -@@ -213,7 +213,7 @@ +--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-14 19:12:41.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-29 22:08:43.000000000 +0300 +@@ -214,7 +214,7 @@ /* algorithm */ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE /* sainfo */ 
@@ -136,7 +127,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y /* remote */ %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE -@@ -1301,6 +1301,35 @@ +@@ -1302,6 +1302,35 @@ cur_sainfo->idsrc = $1; cur_sainfo->iddst = $2; } @@ -172,7 +163,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y ; sainfo_id : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto -@@ -1667,7 +1696,7 @@ +@@ -1668,7 +1697,7 @@ { struct remoteconf *from, *new; @@ -183,13 +174,14 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y saddr2str($4)); Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-03 20:19:23.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-03 20:42:35.000000000 +0200 -@@ -227,6 +227,9 @@ +--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-30 09:22:13.000000000 +0300 +@@ -227,6 +227,10 @@ extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int)); extern int ipsecdoi_setid2 __P((struct ph2handle *)); extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int)); +extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t)); ++extern int ipsecdoi_normalize_id_uldata __P((vchar_t *, vchar_t *)); +extern int ipsecdoi_id_has_port __P((vchar_t *)); + extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *, 
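Review bot: The new prototype `extern int ipsecdoi_normalize_id_uldata __P((vchar_t *, vchar_t *));` in ipsec_doi.h carries no comment on its contract, and neither the name nor the signature says that it mutates both ID payloads in place or that it returns -1 when the two IDs disagree on proto_id. A one-line comment on the declaration would save the next caller a trip into ipsec_doi.c, e.g. `/* swap the ICMP/GRE UL data (port slots) of two ID payloads after a src/dst reversal; -1 if their proto_id differ */`. The neighbouring `ipsecdoi_id_has_port` declaration is in the same state and would benefit from the same treatment.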
@@ -197,8 +189,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h extern char *ipsecdoi_id2str __P((const vchar_t *)); Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-03 20:19:23.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-03 21:01:16.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 09:22:56.000000000 +0300 @@ -3371,6 +3371,7 @@ vchar_t ident_t; vchar_t ident_s; @@ -250,15 +242,15 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c + (id_bt->port != id_bs->port && id_bs->port != 0)) + /* if target is wildcard, source should be too, otherwise + * specific rule matches wildcard request */ - result = 1; -+ else if (ident_t.l != ident_s.l) + result = 1; ++ else if (ident_t.l != ident_s.l) + result = 1; + else + result = memcmp(ident_t.v,ident_s.v,ident_t.l); cmpid_result: -@@ -4089,6 +4099,44 @@ +@@ -4089,6 +4099,67 @@ return new; } @@ -280,6 +272,29 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c + return 0; +} + ++int ipsecdoi_normalize_id_uldata(srcid, dstid) ++ vchar_t *srcid, *dstid; ++{ ++ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v; ++ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v; ++ u_int16_t tmp; ++ ++ if (src->proto_id != dst->proto_id) ++ return -1; ++ ++ switch (src->proto_id) { ++ case IPPROTO_ICMP: ++ case IPPROTO_ICMPV6: ++ case IPPROTO_GRE: ++ tmp = src->port; ++ src->port = dst->port; ++ dst->port = tmp; ++ break; ++ } ++ ++ return 0; ++} ++ +int ipsecdoi_id_has_port(id) + vchar_t *id; +{ 
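Review bot: `ipsecdoi_normalize_id_uldata` casts `srcid->v` and `dstid->v` to `struct ipsecdoi_id_b *` and reads `proto_id` and reads/writes `port` without checking that either buffer is at least `sizeof(struct ipsecdoi_id_b)` long; in quick mode these are the peer's IDci/IDcr payloads, so unless they were already length-checked before the caller reaches this point (not visible in this diff), a truncated ID payload makes this read and write past the end of the vchar. A guard at the top, `if (srcid->l < sizeof(*src) || dstid->l < sizeof(*dst)) return -1;`, is cheap and reuses the -1 return the function already has for the proto_id mismatch. The `switch (src->proto_id)` also has no `default:`; an explicit `default: break;` with a short comment would document that every other protocol keeps its ports as they are.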
@@ -303,7 +318,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c vchar_t * ipsecdoi_sockrange2id(laddr, haddr, ul_proto) struct sockaddr *laddr, *haddr; -@@ -4318,7 +4366,7 @@ +@@ -4318,7 +4389,7 @@ saddr.sa.sa_len = sizeof(struct sockaddr_in); #endif saddr.sa.sa_family = AF_INET; @@ -312,7 +327,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c memcpy(&saddr.sin.sin_addr, id->v + sizeof(*id_b), sizeof(struct in_addr)); break; -@@ -4331,7 +4379,7 @@ +@@ -4331,7 +4402,7 @@ saddr.sa.sa_len = sizeof(struct sockaddr_in6); #endif saddr.sa.sa_family = AF_INET6; @@ -321,7 +336,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c memcpy(&saddr.sin6.sin6_addr, id->v + sizeof(*id_b), sizeof(struct in6_addr)); saddr.sin6.sin6_scope_id = -@@ -4347,7 +4395,7 @@ +@@ -4347,7 +4418,7 @@ #ifdef INET6 case IPSECDOI_ID_IPV6_ADDR: #endif @@ -330,7 +345,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c break; case IPSECDOI_ID_IPV4_ADDR_SUBNET: -@@ -4403,7 +4451,9 @@ +@@ -4403,7 +4474,9 @@ plen += l; } @@ -341,7 +356,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c } break; -@@ -4415,12 +4465,12 @@ +@@ -4415,12 +4488,12 @@ saddr.sa.sa_len = sizeof(struct sockaddr_in); #endif saddr.sa.sa_family = AF_INET; @@ -356,7 +371,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c break; #ifdef INET6 -@@ -4431,7 +4481,7 @@ +@@ -4431,7 +4504,7 @@ saddr.sa.sa_len = sizeof(struct sockaddr_in6); #endif saddr.sa.sa_family = AF_INET6; @@ -365,7 +380,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c memcpy(&saddr.sin6.sin6_addr, id->v + sizeof(*id_b) + sizeof(struct in6_addr), sizeof(struct in6_addr)); -@@ -4440,7 +4490,7 @@ +@@ -4440,7 +4513,7 @@ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id : 0); 
@@ -376,8 +391,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-03 20:07:44.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-03 20:55:02.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-29 22:08:44.000000000 +0300 @@ -124,7 +124,7 @@ plog(LLV_DEBUG, LOCATION, NULL, "evaluating sainfo: %s\n", sainfostr); @@ -416,9 +431,9 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c } Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 20:55:57.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200 -@@ -2170,7 +2170,15 @@ +--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-14 19:18:12.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 08:20:18.000000000 +0300 +@@ -2173,7 +2173,15 @@ * so no need to bother yet. --arno */ if (iph1hint == NULL || iph1hint->rmconf == NULL) { @@ -435,7 +450,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c if (rmconf == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no configuration found for %s.\n", -@@ -2246,7 +2254,7 @@ +@@ -2249,7 +2257,7 @@ struct secpolicy *sp_out, *sp_in; { struct remoteconf *conf; @@ -444,7 +459,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c plog(LLV_DEBUG, LOCATION, NULL, "new acquire %s\n", spidx2str(&sp_out->spidx)); -@@ -2273,7 +2281,7 @@ +@@ -2276,7 +2284,7 @@ return -1; } 
@@ -453,10 +468,27 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c if (conf != NULL) remoteid = conf->ph1id; else +@@ -3582,6 +3590,8 @@ + + #undef _XIDT + ++ spidx_normalize_ulports(&spidx); ++ + plog(LLV_DEBUG, LOCATION, NULL, + "get a src address from ID payload " + "%s prefixlen=%u ul_proto=%u\n", +@@ -3654,6 +3664,7 @@ + pref = spidx.prefs; + spidx.prefs = spidx.prefd; + spidx.prefd = pref; ++ spidx_normalize_ulports(&spidx); + + if (pk_sendspddelete(iph2) < 0) { + plog(LLV_ERROR, LOCATION, NULL, Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-03 21:06:03.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-03 21:17:09.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-14 19:12:41.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-29 22:08:44.000000000 +0300 @@ -217,6 +217,13 @@ return MATCH_NONE; } @@ -493,8 +525,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c plog(LLV_ERROR, LOCATION, remote, Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-03 21:06:03.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-03 21:10:53.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-14 19:12:41.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-29 22:08:44.000000000 +0300 @@ -178,6 +178,7 @@ int flags; struct sockaddr *remote; 
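Review bot: The second `spidx_normalize_ulports(&spidx);` in isakmp.c is appended to a hand-rolled reversal — `pref = spidx.prefs; spidx.prefs = spidx.prefd; spidx.prefd = pref;` — and this patch now repeats the same swap-then-normalize sequence in admin.c, pfkey.c and isakmp_quick.c as well; since the commit message says the bug was exactly that some of these sites lacked the normalize step, one helper in policy.c that reverses src/dst/prefs and normalizes the UL ports together (e.g. `spidx_reverse(struct policyindex *)`) would make that omission hard to repeat. The address swap itself is outside every hunk here, so I cannot confirm each site swaps the same fields. The first call, placed right after `#undef _XIDT`, is only correct if the spidx built above it has src/dst reversed relative to the ID payloads, which is also outside the hunk; a comment at that call site such as `/* spidx was built with src/dst reversed; put ICMP/GRE UL data back in place */` would pin that assumption down for the next reader.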
@@ -520,9 +552,17 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 21:14:45.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 21:16:17.000000000 +0200 -@@ -2898,7 +2898,7 @@ +--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-14 19:18:13.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-30 08:21:09.000000000 +0300 +@@ -1886,6 +1886,7 @@ + spidx.prefs = sp_out->spidx.prefd; + spidx.prefd = sp_out->spidx.prefs; + spidx.ul_proto = sp_out->spidx.ul_proto; ++ spidx_normalize_ulports(&spidx); + + #ifdef HAVE_SECCTX + if (m_sec_ctx) { +@@ -2898,7 +2899,7 @@ /* If we are not acting as initiator, let's just leave and * let the remote peer handle the restart */ @@ -531,7 +571,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c if (rmconf == NULL || !rmconf->passive) { iph1->status = PHASE1ST_EXPIRED; sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub); -@@ -3068,8 +3068,10 @@ +@@ -3068,8 +3069,10 @@ if (iph2->ph1 && iph2->ph1->rmconf) rmconf = iph2->ph1->rmconf; @@ -545,8 +585,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c struct ph1handle *iph1hint; Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8 =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-04 11:48:30.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-04 11:48:56.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-29 22:08:44.000000000 +0300 @@ -453,7 +453,7 @@ .Pp A second example of requiring transport mode encryption of specific 
@@ -558,8 +598,8 @@ Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8 .Ar upperspec Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-04 11:57:36.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-04 12:01:13.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-29 22:08:44.000000000 +0300 @@ -981,6 +981,7 @@ .Bl -tag -width Ds -compact .It Ic sainfo Po Ar local_id | Ic anonymous Pc \ @@ -586,8 +626,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 keyword allows an sainfo to only match for peers that use a specific phase1 Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y =================================================================== ---- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-04 13:04:05.000000000 +0200 -+++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-04 13:04:09.000000000 +0200 +--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-29 22:08:44.000000000 +0300 @@ -856,6 +856,17 @@ } $$.len = strlen($$.buf); 
@@ -606,3 +646,81 @@ Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y ; context_spec +Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8 +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.8 2011-03-05 09:23:59.000000000 +0200 ++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8 2011-03-29 22:08:44.000000000 +0300 +@@ -158,8 +158,8 @@ + has the following format: + .Bl -tag -width Bl + .It isakmp {inet|inet6} Ar src Ar dst +-.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port +-{icmp|tcp|udp|gre|any} ++.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port \ ++ {icmp|tcp|udp|gre|any} Oo grekey Ar key Oc + .El + .It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway + This is a particular case of the previous command. +Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-29 22:18:12.000000000 +0300 ++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-30 09:23:13.000000000 +0300 +@@ -2168,6 +2168,8 @@ + goto end; + } + ++ ipsecdoi_normalize_id_uldata(idsrc, iddst); ++ + #ifdef ENABLE_HYBRID + + /* clientaddr check : obtain modecfg address */ +@@ -2494,6 +2496,7 @@ + pref = spidx.prefs; + spidx.prefs = spidx.prefd; + spidx.prefd = pref; ++ spidx_normalize_ulports(&spidx); + + sp_out = getsp_r(&spidx); + if (!sp_out) { +Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-30 08:03:15.000000000 +0300 ++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-30 08:05:23.000000000 +0300 +@@ -444,6 +444,25 @@ + return new; + } + ++void ++spidx_normalize_ulports(spidx) ++ struct policyindex *spidx; ++{ ++ u_int16_t tmp; ++ ++ switch (spidx->ul_proto) { ++ case IPPROTO_ICMP: ++ case IPPROTO_ICMPV6: ++ case IPPROTO_GRE: ++ /* 
Ports are UL specific data, and should not get swapped */ ++ tmp = extract_port((struct sockaddr *) &spidx->src); ++ set_port((struct sockaddr *) &spidx->src, ++ extract_port((struct sockaddr *) &spidx->dst)); ++ set_port((struct sockaddr *) &spidx->dst, tmp); ++ break; ++ } ++} ++ + const char * + spidx2str(spidx) + const struct policyindex *spidx; +Index: ipsec-tools-cvs-HEAD/src/racoon/policy.h +=================================================================== +--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.h 2011-03-30 08:15:44.000000000 +0300 ++++ ipsec-tools-cvs-HEAD/src/racoon/policy.h 2011-03-30 08:16:21.000000000 +0300 +@@ -156,6 +156,7 @@ + extern void flushsp __P((void)); + extern void initsp __P((void)); + extern struct ipsecrequest *newipsecreq __P((void)); ++extern void spidx_normalize_ulports __P((struct policyindex *)); + + extern const char *spidx2str __P((const struct policyindex *)); + #ifdef HAVE_SECCTX |
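Review bot: In isakmp_quick.c the return value of `ipsecdoi_normalize_id_uldata(idsrc, iddst);` is dropped, so a peer whose IDci and IDcr carry different proto_id values gets no error here and the negotiation continues with the ports left un-normalized; it should fail like the surrounding checks do, `if (ipsecdoi_normalize_id_uldata(idsrc, iddst) < 0) goto end;` with whatever error code the neighbouring `goto end` paths set (the function's start and its error variable are outside the hunk). In policy.c the comment `/* Ports are UL specific data, and should not get swapped */` sits directly above code that swaps them, which reads as a contradiction; it would be clearer as `/* for ICMP/GRE the port slots hold UL data (e.g. the GRE key) that does not flip with direction, so undo the swap the caller did on src/dst */`. A header comment on `spidx_normalize_ulports` stating that it must be called exactly once after a src/dst reversal — a second call puts the ports back where they were — would also help, since every call site added by this patch relies on that.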