authorTobias Brunner <tobias@strongswan.org>2010-08-30 12:19:37 +0200
committerTobias Brunner <tobias@strongswan.org>2010-08-30 13:42:58 +0200
commit277f02ce9e6a3bcf9faae587dbef5557c385f0ae (patch)
treeb3dee1a153753928e0946d8acbee1461ca96b4f4
parentbe63a48c36a754dcd726822915ebbb6ee31b22a7 (diff)
Slightly refactored port floating.
In case of MOBIKE, only float to port 4500 if the other peer actually supports MOBIKE.
-rw-r--r--src/libcharon/sa/ike_sa.c15
-rw-r--r--src/libcharon/sa/ike_sa.h8
-rw-r--r--src/libcharon/sa/tasks/ike_me.c3
-rw-r--r--src/libcharon/sa/tasks/ike_mobike.c11
-rw-r--r--src/libcharon/sa/tasks/ike_natd.c37
5 files changed, 39 insertions, 35 deletions
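diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 83d1e003e..b1638374d 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -810,6 +810,20 @@ METHOD(ike_sa_t, get_pending_updates, u_int32_t,
 return this->pending_updates;
 }
+METHOD(ike_sa_t, float_ports, void,
+ private_ike_sa_t *this)
+{
+ /* do not switch if we have a custom port from MOBIKE/NAT */
+ if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
+ {
+ this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
+ }
+ if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
+ {
+ this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
+ }
+}
+
 METHOD(ike_sa_t, update_hosts, void,
 private_ike_sa_t *this, host_t *me, host_t *other)
 {
@@ -2023,6 +2037,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
 .get_other_host = _get_other_host,
 .set_other_host = _set_other_host,
 .set_message_id = _set_message_id,
+ .float_ports = _float_ports,
 .update_hosts = _update_hosts,
 .get_my_id = _get_my_id,
 .set_my_id = _set_my_id,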
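Review bot: The guard comment at the top of float_ports names only MOBIKE/NAT as the source of a custom port, but after this commit the same "only if still IKEV2_UDP_PORT" check is also what keeps a mediated connection from being re-floated, because ike_natd.c no longer returns early on get_mediated_by() before calling float_ports. Suggest `/* do not switch if we already have a custom port (MOBIKE, NAT, or a mediated connection) */` so the next reader does not reinstate that early return. The method rewrites the port on my_host and other_host in place via set_port rather than going through update_hosts, which matches the code removed from ike_natd.c but is worth a sentence in the header documentation, since every caller now relies on it.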
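diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 34842a573..c0007e27d 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -329,6 +329,14 @@ struct ike_sa_t {
 void (*set_other_host) (ike_sa_t *this, host_t *other);
 /**
+ * Float to port 4500 (e.g. if a NAT is detected).
+ *
+ * The port of either endpoint is changed only if it is currently
+ * set to the default value of 500.
+ */
+ void (*float_ports)(ike_sa_t *this);
+
+ /**
 * Update the IKE_SAs host.
 *
 * Hosts may be NULL to use current host.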
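Review bot: The new doc comment hard-codes 4500 and 500 where the implementation compares against IKEV2_UDP_PORT and sets IKEV2_NATT_PORT; naming the constants keeps the contract tied to the code. It should also state that a second call after the ports have been floated changes nothing, so the separate calls from ike_natd.c, ike_mobike.c and ike_me.c are understood to be safe in any order. Suggested wording: `Float to IKEV2_NATT_PORT (4500), e.g. if a NAT is detected. Each endpoint's port is changed only if it is still IKEV2_UDP_PORT (500); calling this again after the ports were floated is a no-op.`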
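diff --git a/src/libcharon/sa/tasks/ike_me.c b/src/libcharon/sa/tasks/ike_me.c
index 2d2847ae0..a04bf56ec 100644
--- a/src/libcharon/sa/tasks/ike_me.c
+++ b/src/libcharon/sa/tasks/ike_me.c
@@ -454,6 +454,9 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
 DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
 return FAILED;
 }
+ /* if we are on a mediation connection we switch to port 4500 even
+ * if no NAT is detected. */
+ this->ike_sa->float_ports(this->ike_sa);
 return NEED_MORE;
 }
 case IKE_AUTH: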
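diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index a62886f02..6dbd1bafd 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -468,7 +468,18 @@ static status_t process_i(private_ike_mobike_t *this, message_t *message)
 if (message->get_exchange_type(message) == IKE_AUTH &&
 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
 {
+ peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+
 process_payloads(this, message);
+
+ /* if peer supports NAT-T and MOBIKE, we switch to port 4500 even
+ * if no NAT is detected. MOBIKE requires this. */
+ if (peer_cfg->use_mobike(peer_cfg) &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_NATT) &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+ {
+ this->ike_sa->float_ports(this->ike_sa);
+ }
 return SUCCESS;
 }
 else if (message->get_exchange_type(message) == INFORMATIONAL)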
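Review bot: The comment above the new condition says "if peer supports NAT-T and MOBIKE", but the condition also requires MOBIKE to be enabled locally through peer_cfg->use_mobike(); suggest `/* if MOBIKE is enabled and the peer supports NAT-T and MOBIKE, we switch to port 4500 even if no NAT is detected. MOBIKE requires this. */`. The same comment should say that, unlike the code removed from ike_natd.c which floated during IKE_SA_INIT, this runs once the SA is IKE_ESTABLISHED, so the IKE_AUTH exchange itself stays on port 500 and the peer sees the new port only with the next message (presumably handled by its MOBIKE address-update path; confirm). Placing the EXT_MOBIKE check after process_payloads() looks right, assuming that is where the peer's MOBIKE_SUPPORTED notify gets recorded. process_i continues outside the hunk.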
diff --git a/src/libcharon/sa/tasks/ike_natd.c b/src/libcharon/sa/tasks/ike_natd.c
index 9ea20ba36..c731178bb 100644
--- a/src/libcharon/sa/tasks/ike_natd.c
+++ b/src/libcharon/sa/tasks/ike_natd.c
@@ -264,42 +264,9 @@ static status_t process_i(private_ike_natd_t *this, message_t *message)
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
- peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-
-#ifdef ME
- /* if we are on a mediated connection we have already switched to
- * port 4500 and the correct destination port is already configured,
- * therefore we must not switch again */
- if (peer_cfg->get_mediated_by(peer_cfg))
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
{
- return SUCCESS;
- }
-#endif /* ME */
-
- if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
-#ifdef ME
- /* if we are on a mediation connection we switch to port 4500 even
- * if no NAT is detected. */
- peer_cfg->is_mediation(peer_cfg) ||
-#endif /* ME */
- /* if peer supports NAT-T, we switch to port 4500 even
- * if no NAT is detected. MOBIKE requires this. */
- (peer_cfg->use_mobike(peer_cfg) &&
- this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
- {
- host_t *me, *other;
-
- /* do not switch if we have a custom port from mobike/NAT */
- me = this->ike_sa->get_my_host(this->ike_sa);
- if (me->get_port(me) == IKEV2_UDP_PORT)
- {
- me->set_port(me, IKEV2_NATT_PORT);
- }
- other = this->ike_sa->get_other_host(this->ike_sa);
- if (other->get_port(other) == IKEV2_UDP_PORT)
- {
- other->set_port(other, IKEV2_NATT_PORT);
- }
+ this->ike_sa->float_ports(this->ike_sa);
}
}