1 files changed, 3 insertions, 20 deletions

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 258e562d4..0157599c1 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -900,7 +900,7 @@ METHOD(ike_sa_t, update_hosts, void,
 	else
 	{
 		/* update our address in any case */
-		if (!me->equals(me, this->my_host))
+		if (force && !me->equals(me, this->my_host))
 		{
 			set_my_host(this, me->clone(me));
 			update = TRUE;
@@ -909,7 +909,8 @@ METHOD(ike_sa_t, update_hosts, void,
 		if (!other->equals(other, this->other_host))
 		{
 			/* update others address if we are NOT NATed */
-			if (force || !has_condition(this, COND_NAT_HERE))
+			if ((has_condition(this, COND_NAT_THERE) &&
+				 !has_condition(this, COND_NAT_HERE)) || force )
 			{
 				set_other_host(this, other->clone(other));
 				update = TRUE;
@@ -1250,24 +1251,6 @@ METHOD(ike_sa_t, process_message, status_t,
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
-	switch (message->get_exchange_type(message))
-	{
-		case ID_PROT:
-		case AGGRESSIVE:
-		case IKE_SA_INIT:
-		case IKE_AUTH:
-			if (this->state != IKE_CREATED &&
-				this->state != IKE_CONNECTING &&
-				message->get_first_payload_type(message) != FRAGMENT_V1)
-			{
-				DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
-					 exchange_type_names, message->get_exchange_type(message));
-				return FAILED;
-			}
-			break;
-		default:
-			break;
-	}
 	if (message->get_major_version(message) != this->version)
 	{
 		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",