From 6f7a3b33bc044e0c212be54be74b9497d513ca86 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 10 Jul 2015 10:23:02 +0200 Subject: [PATCH] ike: Fall back to the current remote IP if it resolves to %any In some situations it might be valid for a host that configures right=%any to reestablish or reauthenticate an IKE_SA. Using %any would immediately abort the initiation causing the new SA to fail (which might already have the existing CHILD_SAs assigned). Fixes #1027. --- src/libcharon/sa/ike_sa.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 0c13c58..752a756 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1224,7 +1224,12 @@ static void resolve_hosts(private_ike_sa_t *this) } if (host) { - set_other_host(this, host); + if (!host->is_anyaddr(host) || + this->other_host->is_anyaddr(this->other_host)) + { /* don't set to %any if we currently have an address, but the + * address family might have changed */ + set_other_host(this, host); + } } if (this->local_host) -- 2.4.6