authorTobias Brunner <tobias@strongswan.org>2010-10-05 16:52:36 +0200
committerTobias Brunner <tobias@strongswan.org>2010-10-12 11:11:05 +0200
commit769c69facc0a23cdb27628880bffb902e18d5dd5 (patch)
tree4d1be543467c299d4fff22962e8f21482d58d238
parent13876431d676ed00282a20b4c0af3b6767654d01 (diff)
Added support for responders to change their address via MOBIKE.
If the original responder updates its list of additional addresses we check if the remote endpoint changed and update the IPsec SAs if it did, as we assume the original address became unavailable and the responder already updated the SAs on its side.
-rw-r--r--src/libcharon/sa/tasks/ike_mobike.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/libcharon/sa/tasks/ike_mobike.c b/src/libcharon/sa/tasks/ike_mobike.c
index e63a4212c..3d7827c37 100644
--- a/src/libcharon/sa/tasks/ike_mobike.c
+++ b/src/libcharon/sa/tasks/ike_mobike.c
@@ -71,6 +71,11 @@ struct private_ike_mobike_t {
* include address list update
*/
bool address;
+
+ /**
+ * additional addresses got updated
+ */
+ bool addresses_updated;
};
/**
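Review bot: The doc comment on `addresses_updated` does not say which code sets the flag or when it is cleared, and no hunk in this commit resets it. I would expand the comment to something like `* TRUE if the processed message carried an additional-address notify or NO_ADDITIONAL_ADDRESSES`. The constructor is outside this diff, so please confirm the new field starts out FALSE there, because process_r later uses it to decide whether to rewrite the peer address.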
@@ -154,6 +159,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
host = host_create_from_chunk(family, data, 0);
DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
this->ike_sa->add_additional_address(this->ike_sa, host);
+ this->addresses_updated = TRUE;
break;
}
case UPDATE_SA_ADDRESSES:
@@ -164,6 +170,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
case NO_ADDITIONAL_ADDRESSES:
{
flush_additional_addresses(this);
+ this->addresses_updated = TRUE;
break;
}
case NAT_DETECTION_SOURCE_IP:
@@ -412,6 +419,19 @@ METHOD(task_t, process_r, status_t,
{
this->natd->task.process(&this->natd->task, message);
}
+ if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
+ COND_ORIGINAL_INITIATOR))
+ {
+ host_t *other = message->get_source(message);
+ host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
+ if (!other->equals(other, other_old))
+ {
+ DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
+ other);
+ this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+ this->update = TRUE;
+ }
+ }
}
return NEED_MORE;
}
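Review bot: The added block in process_r takes `message->get_source(message)` as the new peer endpoint, but the IP header's source address is not covered by the IKE integrity check. An authenticated request whose source address was altered in transit, or rewritten by a NAT, would therefore move the IPsec SAs to an address the peer never chose. The commit message states the assumption that the old address became unavailable, yet nothing here verifies the new path before `this->update = TRUE` is set. Consider requiring a return routability check (RFC 4555) before the SAs are updated, or at least record the trust assumption next to the assignment, e.g. `/* source address is not integrity protected; accepted because the request itself authenticated */`. Keeping the DBG1 line is worthwhile because it leaves an audit trail of endpoint changes; process_r begins outside this hunk, so how NAT-detection results interact with this path cannot be judged from here.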