implemented inheritance of virtual IP assigned by Mode Config on the responder side

2 files changed, 17 insertions, 1 deletions

diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 349d4b722..dd193042a 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -3693,7 +3693,8 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
 			}
 			else
 			{
-				if (!peer_net_is_host)
+				if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg &&
+						subnetisaddr(peer_net, &c->spd.that.host_srcip)))
 				{
 					continue;
 				}
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 797ac6d01..3026ab0db 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -4872,6 +4872,21 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 					 */
 					p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
 								, his_net, c->spd.that.id);
+
+					/* inherit any virtual IP assigned by a Mode Config exchange */ 
+					if (p->spd.that.modecfg && c->spd.that.modecfg &&
+						subnetisaddr(his_net, &c->spd.that.host_srcip))
+					{
+						char srcip[ADDRTOT_BUF];
+
+						DBG(DBG_CONTROL,
+							addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip));
+							DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip)
+						)
+						p->spd.that.host_srcip = c->spd.that.host_srcip;
+						p->spd.that.client = c->spd.that.client;
+						p->spd.that.has_client = TRUE;
+					}
 				}
 			}
 #ifdef DEBUG