Diffstat (limited to 'main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch')
-rw-r--r-- | main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
new file mode 100644
index 0000000000..411bc58df9
--- /dev/null
+++ b/main/strongswan/0005-ike-Fall-back-to-the-current-remote-IP-if-it-resolve.patch
@@ -0,0 +1,37 @@
+From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 10 Jul 2015 10:23:02 +0200
+Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to
+ %any
+
+In some situations it might be valid for a host that configures
+right=%any to reestablish or reauthenticate an IKE_SA. Using %any would
+immediately abort the initiation causing the new SA to fail (which
+might already have the existing CHILD_SAs assigned).
+
+Fixes #1027.
+---
+ src/libcharon/sa/ike_sa.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
+index 0c13c58..752a756 100644
+--- a/src/libcharon/sa/ike_sa.c
++++ b/src/libcharon/sa/ike_sa.c
+@@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this)
+ }
+ if (host)
+ {
+- set_other_host(this, host);
++ if (!host->is_anyaddr(host) ||
++ this->other_host->is_anyaddr(this->other_host))
++ { /* don't set to %any if we currently have an address, but the
++ * address family might have changed */
++ set_other_host(this, host);
++ }
+ }
+
+ if (this->local_host)
+--
+2.4.6
+ |
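Review bot: The path that skips `set_other_host(this, host)` in the embedded ike_sa.c hunk does nothing with the freshly resolved `host`, so if `set_other_host()` is what takes ownership of it (its body is not visible here), each resolution to %any while an address is already set would leak one host object in a long-running daemon. Consider adding `else { host->destroy(host); }` after the new `if` block. The new condition also dereferences `this->other_host` without a NULL check, which is safe only if the IKE_SA always has that member set by the time resolve_hosts() runs; a short comment stating that invariant would help the next reader. resolve_hosts() starts and ends outside the hunk, so the resolver call that produces `host` cannot be checked from here.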