aboutsummaryrefslogtreecommitdiffstats
path: root/main/ipsec-tools/20-grekey-support.patch
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2011-03-30 09:38:30 +0300
committerTimo Teräs <timo.teras@iki.fi>2011-03-30 09:39:25 +0300
commit6185e1ece14658b5d6ca7ac80a5567eed10565ae (patch)
tree6430311e6a58af3a5de6af40bf6031ba68faad59 /main/ipsec-tools/20-grekey-support.patch
parentddc05422175ce83055dfbfdbb96eef94156b1806 (diff)
downloadaports-6185e1ece14658b5d6ca7ac80a5567eed10565ae.tar.bz2
aports-6185e1ece14658b5d6ca7ac80a5567eed10565ae.tar.xz
main/ipsec-tools: refresh gre-support patch
It was missing some ulport swaps that caused isakmp quick mode as responder to fail under certain cases.
Diffstat (limited to 'main/ipsec-tools/20-grekey-support.patch')
-rw-r--r--main/ipsec-tools/20-grekey-support.patch234
1 files changed, 176 insertions, 58 deletions
diff --git a/main/ipsec-tools/20-grekey-support.patch b/main/ipsec-tools/20-grekey-support.patch
index 9ad2bca740..b8b5c35b11 100644
--- a/main/ipsec-tools/20-grekey-support.patch
+++ b/main/ipsec-tools/20-grekey-support.patch
@@ -1,7 +1,7 @@
Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-03 19:28:29.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-03 19:29:42.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c 2011-03-29 22:08:43.000000000 +0300
@@ -232,7 +232,7 @@
"\n"
" <saopts>: \"isakmp\" <family> <src> <dst>\n"
@@ -83,8 +83,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
if (p_port)
Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-03 19:28:29.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-03 21:16:47.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/admin.c 2011-03-30 08:31:00.000000000 +0300
@@ -444,7 +444,7 @@
/* search appropreate configuration */
@@ -94,27 +94,18 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
else
rmconf = getrmconf_by_name(name);
if (rmconf == NULL) {
-@@ -536,6 +536,16 @@
+@@ -536,6 +536,7 @@
spidx.prefs = ndx->prefd;
spidx.prefd = ndx->prefs;
spidx.ul_proto = ndx->ul_proto;
-+ switch (ndx->ul_proto) {
-+ case IPPROTO_ICMP:
-+ case IPPROTO_ICMPV6:
-+ case IPPROTO_GRE:
-+ /* Ports are UL specific data, and should
-+ * not get swapped */
-+ set_port((struct sockaddr *) &spidx.src, extract_port(src));
-+ set_port((struct sockaddr *) &spidx.dst, extract_port(dst));
-+ break;
-+ }
++ spidx_normalize_ulports(&spidx);
sp_in = getsp_r(&spidx);
if (sp_in) {
Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-03 19:57:26.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-04 13:07:03.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l 2011-03-29 22:08:43.000000000 +0300
@@ -288,6 +288,7 @@
<S_SAINF>any { YYD; return(ANY); }
<S_SAINF>from { YYD; return(FROM); }
@@ -125,9 +116,9 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
<S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-03 19:57:30.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-04 13:09:01.000000000 +0200
-@@ -213,7 +213,7 @@
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y 2011-03-14 19:12:41.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y 2011-03-29 22:08:43.000000000 +0300
+@@ -214,7 +214,7 @@
/* algorithm */
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
/* sainfo */
@@ -136,7 +127,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
/* remote */
%token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
-@@ -1301,6 +1301,35 @@
+@@ -1302,6 +1302,35 @@
cur_sainfo->idsrc = $1;
cur_sainfo->iddst = $2;
}
@@ -172,7 +163,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
;
sainfo_id
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
-@@ -1667,7 +1696,7 @@
+@@ -1668,7 +1697,7 @@
{
struct remoteconf *from, *new;
@@ -183,13 +174,14 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
saddr2str($4));
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-03 20:19:23.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-03 20:42:35.000000000 +0200
-@@ -227,6 +227,9 @@
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h 2011-03-30 09:22:13.000000000 +0300
+@@ -227,6 +227,10 @@
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
+extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
++extern int ipsecdoi_normalize_id_uldata __P((vchar_t *, vchar_t *));
+extern int ipsecdoi_id_has_port __P((vchar_t *));
+
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
@@ -197,8 +189,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
extern char *ipsecdoi_id2str __P((const vchar_t *));
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-03 20:19:23.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-03 21:01:16.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c 2011-03-30 09:22:56.000000000 +0300
@@ -3371,6 +3371,7 @@
vchar_t ident_t;
vchar_t ident_s;
@@ -250,15 +242,15 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
+ (id_bt->port != id_bs->port && id_bs->port != 0))
+ /* if target is wildcard, source should be too, otherwise
+ * specific rule matches wildcard request */
- result = 1;
-+ else if (ident_t.l != ident_s.l)
+ result = 1;
++ else if (ident_t.l != ident_s.l)
+ result = 1;
+ else
+ result = memcmp(ident_t.v,ident_s.v,ident_t.l);
cmpid_result:
-@@ -4089,6 +4099,44 @@
+@@ -4089,6 +4099,67 @@
return new;
}
@@ -280,6 +272,29 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
+ return 0;
+}
+
++int ipsecdoi_normalize_id_uldata(srcid, dstid)
++ vchar_t *srcid, *dstid;
++{
++ struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
++ struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
++ u_int16_t tmp;
++
++ if (src->proto_id != dst->proto_id)
++ return -1;
++
++ switch (src->proto_id) {
++ case IPPROTO_ICMP:
++ case IPPROTO_ICMPV6:
++ case IPPROTO_GRE:
++ tmp = src->port;
++ src->port = dst->port;
++ dst->port = tmp;
++ break;
++ }
++
++ return 0;
++}
++
+int ipsecdoi_id_has_port(id)
+ vchar_t *id;
+{
@@ -303,7 +318,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
vchar_t *
ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
struct sockaddr *laddr, *haddr;
-@@ -4318,7 +4366,7 @@
+@@ -4318,7 +4389,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in);
#endif
saddr.sa.sa_family = AF_INET;
@@ -312,7 +327,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin.sin_addr,
id->v + sizeof(*id_b), sizeof(struct in_addr));
break;
-@@ -4331,7 +4379,7 @@
+@@ -4331,7 +4402,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
#endif
saddr.sa.sa_family = AF_INET6;
@@ -321,7 +336,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin6.sin6_addr,
id->v + sizeof(*id_b), sizeof(struct in6_addr));
saddr.sin6.sin6_scope_id =
-@@ -4347,7 +4395,7 @@
+@@ -4347,7 +4418,7 @@
#ifdef INET6
case IPSECDOI_ID_IPV6_ADDR:
#endif
@@ -330,7 +345,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
break;
case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-@@ -4403,7 +4451,9 @@
+@@ -4403,7 +4474,9 @@
plen += l;
}
@@ -341,7 +356,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
}
break;
-@@ -4415,12 +4465,12 @@
+@@ -4415,12 +4488,12 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in);
#endif
saddr.sa.sa_family = AF_INET;
@@ -356,7 +371,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
break;
#ifdef INET6
-@@ -4431,7 +4481,7 @@
+@@ -4431,7 +4504,7 @@
saddr.sa.sa_len = sizeof(struct sockaddr_in6);
#endif
saddr.sa.sa_family = AF_INET6;
@@ -365,7 +380,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
memcpy(&saddr.sin6.sin6_addr,
id->v + sizeof(*id_b) + sizeof(struct in6_addr),
sizeof(struct in6_addr));
-@@ -4440,7 +4490,7 @@
+@@ -4440,7 +4513,7 @@
? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
: 0);
@@ -376,8 +391,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-03 20:07:44.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-03 20:55:02.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c 2011-03-29 22:08:44.000000000 +0300
@@ -124,7 +124,7 @@
plog(LLV_DEBUG, LOCATION, NULL,
"evaluating sainfo: %s\n", sainfostr);
@@ -416,9 +431,9 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
}
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-03 20:55:57.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-03 21:14:13.000000000 +0200
-@@ -2170,7 +2170,15 @@
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c 2011-03-14 19:18:12.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c 2011-03-30 08:20:18.000000000 +0300
+@@ -2173,7 +2173,15 @@
* so no need to bother yet. --arno */
if (iph1hint == NULL || iph1hint->rmconf == NULL) {
@@ -435,7 +450,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
if (rmconf == NULL) {
plog(LLV_ERROR, LOCATION, NULL,
"no configuration found for %s.\n",
-@@ -2246,7 +2254,7 @@
+@@ -2249,7 +2257,7 @@
struct secpolicy *sp_out, *sp_in;
{
struct remoteconf *conf;
@@ -444,7 +459,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
plog(LLV_DEBUG, LOCATION, NULL,
"new acquire %s\n", spidx2str(&sp_out->spidx));
-@@ -2273,7 +2281,7 @@
+@@ -2276,7 +2284,7 @@
return -1;
}
@@ -453,10 +468,27 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
if (conf != NULL)
remoteid = conf->ph1id;
else
+@@ -3582,6 +3590,8 @@
+
+ #undef _XIDT
+
++ spidx_normalize_ulports(&spidx);
++
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "get a src address from ID payload "
+ "%s prefixlen=%u ul_proto=%u\n",
+@@ -3654,6 +3664,7 @@
+ pref = spidx.prefs;
+ spidx.prefs = spidx.prefd;
+ spidx.prefd = pref;
++ spidx_normalize_ulports(&spidx);
+
+ if (pk_sendspddelete(iph2) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-03 21:06:03.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-03 21:17:09.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c 2011-03-14 19:12:41.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c 2011-03-29 22:08:44.000000000 +0300
@@ -217,6 +217,13 @@
return MATCH_NONE;
}
@@ -493,8 +525,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
plog(LLV_ERROR, LOCATION, remote,
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-03 21:06:03.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-03 21:10:53.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h 2011-03-14 19:12:41.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h 2011-03-29 22:08:44.000000000 +0300
@@ -178,6 +178,7 @@
int flags;
struct sockaddr *remote;
@@ -520,9 +552,17 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-03 21:14:45.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-03 21:16:17.000000000 +0200
-@@ -2898,7 +2898,7 @@
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c 2011-03-14 19:18:13.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c 2011-03-30 08:21:09.000000000 +0300
+@@ -1886,6 +1886,7 @@
+ spidx.prefs = sp_out->spidx.prefd;
+ spidx.prefd = sp_out->spidx.prefs;
+ spidx.ul_proto = sp_out->spidx.ul_proto;
++ spidx_normalize_ulports(&spidx);
+
+ #ifdef HAVE_SECCTX
+ if (m_sec_ctx) {
+@@ -2898,7 +2899,7 @@
/* If we are not acting as initiator, let's just leave and
* let the remote peer handle the restart */
@@ -531,7 +571,7 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
if (rmconf == NULL || !rmconf->passive) {
iph1->status = PHASE1ST_EXPIRED;
sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
-@@ -3068,8 +3068,10 @@
+@@ -3068,8 +3069,10 @@
if (iph2->ph1 && iph2->ph1->rmconf)
rmconf = iph2->ph1->rmconf;
@@ -545,8 +585,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
struct ph1handle *iph1hint;
Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-04 11:48:30.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-04 11:48:56.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8 2011-03-29 22:08:44.000000000 +0300
@@ -453,7 +453,7 @@
.Pp
A second example of requiring transport mode encryption of specific
@@ -558,8 +598,8 @@ Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
.Ar upperspec
Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-04 11:57:36.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-04 12:01:13.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5 2011-03-29 22:08:44.000000000 +0300
@@ -981,6 +981,7 @@
.Bl -tag -width Ds -compact
.It Ic sainfo Po Ar local_id | Ic anonymous Pc \
@@ -586,8 +626,8 @@ Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
keyword allows an sainfo to only match for peers that use a specific phase1
Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
===================================================================
---- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-04 13:04:05.000000000 +0200
-+++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-04 13:04:09.000000000 +0200
+--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/setkey/parse.y 2011-03-29 22:08:44.000000000 +0300
@@ -856,6 +856,17 @@
}
$$.len = strlen($$.buf);
@@ -606,3 +646,81 @@ Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
;
context_spec
+Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.8 2011-03-05 09:23:59.000000000 +0200
++++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8 2011-03-29 22:08:44.000000000 +0300
+@@ -158,8 +158,8 @@
+ has the following format:
+ .Bl -tag -width Bl
+ .It isakmp {inet|inet6} Ar src Ar dst
+-.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
+-{icmp|tcp|udp|gre|any}
++.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port \
++ {icmp|tcp|udp|gre|any} Oo grekey Ar key Oc
+ .El
+ .It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
+ This is a particular case of the previous command.
+Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c 2011-03-29 22:18:12.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c 2011-03-30 09:23:13.000000000 +0300
+@@ -2168,6 +2168,8 @@
+ goto end;
+ }
+
++ ipsecdoi_normalize_id_uldata(idsrc, iddst);
++
+ #ifdef ENABLE_HYBRID
+
+ /* clientaddr check : obtain modecfg address */
+@@ -2494,6 +2496,7 @@
+ pref = spidx.prefs;
+ spidx.prefs = spidx.prefd;
+ spidx.prefd = pref;
++ spidx_normalize_ulports(&spidx);
+
+ sp_out = getsp_r(&spidx);
+ if (!sp_out) {
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c 2011-03-30 08:03:15.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.c 2011-03-30 08:05:23.000000000 +0300
+@@ -444,6 +444,25 @@
+ return new;
+ }
+
++void
++spidx_normalize_ulports(spidx)
++ struct policyindex *spidx;
++{
++ u_int16_t tmp;
++
++ switch (spidx->ul_proto) {
++ case IPPROTO_ICMP:
++ case IPPROTO_ICMPV6:
++ case IPPROTO_GRE:
++ /* Ports are UL specific data, and should not get swapped */
++ tmp = extract_port((struct sockaddr *) &spidx->src);
++ set_port((struct sockaddr *) &spidx->src,
++ extract_port((struct sockaddr *) &spidx->dst));
++ set_port((struct sockaddr *) &spidx->dst, tmp);
++ break;
++ }
++}
++
+ const char *
+ spidx2str(spidx)
+ const struct policyindex *spidx;
+Index: ipsec-tools-cvs-HEAD/src/racoon/policy.h
+===================================================================
+--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.h 2011-03-30 08:15:44.000000000 +0300
++++ ipsec-tools-cvs-HEAD/src/racoon/policy.h 2011-03-30 08:16:21.000000000 +0300
+@@ -156,6 +156,7 @@
+ extern void flushsp __P((void));
+ extern void initsp __P((void));
+ extern struct ipsecrequest *newipsecreq __P((void));
++extern void spidx_normalize_ulports __P((struct policyindex *));
+
+ extern const char *spidx2str __P((const struct policyindex *));
+ #ifdef HAVE_SECCTX