authorTobias Brunner <tobias@strongswan.org>2011-11-29 14:26:52 +0100
committerTobias Brunner <tobias@strongswan.org>2012-03-20 17:31:10 +0100
commit06d29be7149e3da13b9d744d62c551cdcb0faf6f (patch)
tree7431f15b4e9710118569b2f98a8b862c0b8c8478 /src
parent1e97783c993caec7f7556d6be5b7168701c31062 (diff)
Handle IKEv1 NAT-T vendor ID payload (only RFC 3947 for now).
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/ike_sa.h2
-rw-r--r--src/libcharon/sa/tasks/ike_vendor_v1.c18
2 files changed, 19 insertions, 1 deletions
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 882de41b2..bc3544f92 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -69,7 +69,7 @@ typedef struct ike_sa_t ike_sa_t;
enum ike_extension_t {
/**
- * peer supports NAT traversal as specified in RFC4306
+ * peer supports NAT traversal as specified in RFC4306 or RFC3947
*/
EXT_NATT = (1<<0),
diff --git a/src/libcharon/sa/tasks/ike_vendor_v1.c b/src/libcharon/sa/tasks/ike_vendor_v1.c
index bf857a314..450c5b287 100644
--- a/src/libcharon/sa/tasks/ike_vendor_v1.c
+++ b/src/libcharon/sa/tasks/ike_vendor_v1.c
@@ -41,11 +41,23 @@ struct private_ike_vendor_v1_t {
bool initiator;
};
+/**
+ * Indicate support for XAuth, MD5("draft-ietf-ipsra-isakmp-xauth-06.txt")
+ * Truncated to the first half.
+ */
static chunk_t xauth6_vid = chunk_from_chars(
0x09,0x00,0x26,0x89,0xdf,0xd6,0xb7,0x12
);
/**
+ * Indicate support for NAT-Traversal, MD5("RFC 3947")
+ */
+static chunk_t natt_vid = chunk_from_chars(
+ 0x4a,0x13,0x1c,0x81,0x07,0x03,0x58,0x45,
+ 0x5c,0x57,0x28,0xf2,0x0e,0x95,0x45,0x2f
+);
+
+/**
* strongSwan specific vendor ID without version, MD5("strongSwan")
*/
static chunk_t strongswan_vid = chunk_from_chars(
@@ -76,6 +88,7 @@ METHOD(task_t, build, status_t,
}
add_vendor_id(this, message, xauth6_vid);
+ add_vendor_id(this, message, natt_vid);
return this->initiator ? NEED_MORE : SUCCESS;
}
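Review bot: `add_vendor_id(this, message, natt_vid);` announces RFC 3947 support on every build() call, for initiator and responder alike, with no visible check that the rest of NAT-T is available for this SA. The commit title covers only the vendor ID payload, so if NAT-D processing and the switch to the NAT-T port are not yet in this tree (not visible here), a peer that sees the ID may continue with steps this side cannot complete. I would gate the call until those parts exist, or at least record the dependency above it: `/* announces RFC 3947 NAT-T; peers will expect NAT-D payloads and port floating */`. build() starts outside the hunk.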
@@ -107,6 +120,11 @@ METHOD(task_t, process, status_t,
DBG1(DBG_IKE, "received XAuth vendor id");
this->ike_sa->enable_extension(this->ike_sa, EXT_XAUTH);
}
+ else if (chunk_equals(data, natt_vid))
+ {
+ DBG1(DBG_IKE, "received NAT-T vendor id");
+ this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
+ }
else
{
DBG1(DBG_ENC, "received unknown vendor id: %#B", &data);
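Review bot: The new `else if (chunk_equals(data, natt_vid))` branch sets EXT_NATT from a vendor ID payload alone, and IKEv1 vendor IDs arrive in the first messages, before the peer has been authenticated. A device on the path can add or strip that payload, so the flag is a capability hint rather than a verified property of the peer, and code that later reads EXT_NATT should not treat it as the only input when deciding on UDP encapsulation or port changes. The ike_sa.h hunk shows EXT_NATT is shared with the RFC4306 (IKEv2) case, so existing readers of the flag will now also see it on IKEv1 SAs; that is worth checking. I would add `/* unauthenticated hint: peer claims RFC 3947 support */` above the enable_extension() call. process() starts and ends outside the hunk.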