authorTobias Brunner <tobias@strongswan.org>2014-10-10 12:55:39 +0200
committerTobias Brunner <tobias@strongswan.org>2014-10-13 15:20:17 +0200
commit472156eea5ce67d9769ed2f3f9ff24e48460d4e9 (patch)
treefc0c06382df34fafcbc4d3325de56bd4e31b024e /src
parentf8a565fbccbe077583f556d2148041d3b1de5580 (diff)
downloadstrongswan-472156eea5ce67d9769ed2f3f9ff24e48460d4e9.tar.bz2
strongswan-472156eea5ce67d9769ed2f3f9ff24e48460d4e9.tar.xz
ike: Do remote address updates also when behind static NATs
We assume that a responder is behind a static NAT (e.g. port forwarding) and allow remote address updates in such situations. The problem described in RFC 5996 is only an issue if the NAT mapping can expire.
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/ike_sa.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 0d4aa0cc1..d92b9df8e 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -936,11 +936,14 @@ METHOD(ike_sa_t, update_hosts, void,
update = TRUE;
}
- if (!other->equals(other, this->other_host))
+ if (!other->equals(other, this->other_host) &&
+ (force || has_condition(this, COND_NAT_THERE)))
{
- /* update others address if we are NOT NATed */
- if ((has_condition(this, COND_NAT_THERE) &&
- !has_condition(this, COND_NAT_HERE)) || force )
+ /* only update other's address if we are behind a static NAT,
+ * which we assume is the case if we are not initiator */
+ if (force ||
+ (!has_condition(this, COND_NAT_HERE) ||
+ !has_condition(this, COND_ORIGINAL_INITIATOR)))
{
set_other_host(this, other->clone(other));
update = TRUE;