Install selectors on transport mode IPsec SAs.

This fixes several test cases in IKEv2_Self_Test (part of the IPv6 Ready
Logo Program) which is required for USGv6 certification, namely:

  - IKEv2.EN.I.1.1.7.1, IKEv2.EN.I.1.1.7.1: Narrowing the range of members
    of the set of traffic selectors
  - IKEv2.EN.R.1.1.7.3: Narrowing multiple traffic selector

When traffic selectors of a triggered SA are narrowed by the responder, the
installed policy and the broader trap policy share the same reqid.  Without
selectors on the IPsec SA packets matching the trap policy, but not the
narrowed policy, would incorrectly be handled by that IPsec SA.  Since only
one selector can be specified per IPsec SA, there is currently no solution
for tunnel mode SAs.

2 files changed, 2 insertions, 1 deletions

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index b6ef31da0..74ad97c19 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -620,7 +620,7 @@ METHOD(child_sa_t, install, status_t,
 		lifetime->time.rekey = 0;
 	}
 
-	if (this->mode == MODE_BEET)
+	if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
 	{
 		/* BEET requires the bound address from the traffic selectors.
 		 * TODO: We add just the first traffic selector for now, as the
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index de665dd6b..d2b939244 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 			sa->flags |= XFRM_STATE_AF_UNSPEC;
 			break;
 		case MODE_BEET:
+		case MODE_TRANSPORT:
 			if(src_ts && dst_ts)
 			{
 				sa->sel = ts2selector(src_ts, dst_ts);