From f7e9e6a3fdda8c714eddf70015f998bb9c370904 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 1 Apr 2016 16:51:51 +0200
Subject: kernel-netlink: Only associate templates with inbound FWD policies

We can't set a template on the outbound FWD policy (or we'd have to make it optional). Because if the traffic does not come from another (matching) IPsec tunnel it would get dropped due to the template mismatch.
---
 src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index df79f86fc..22afc6352 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -2156,7 +2156,7 @@ static status_t add_policy_internal(private_kernel_netlink_ipsec_t *this,
 policy_info->lft.soft_use_expires_seconds = 0;
 policy_info->lft.hard_use_expires_seconds = 0;

- if (mapping->type == POLICY_IPSEC)
+ if (mapping->type == POLICY_IPSEC && ipsec->cfg.reqid)
 {
 struct xfrm_user_tmpl *tmpl;
 struct {
-- cgit v1.2.3
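Review bot: The new condition `mapping->type == POLICY_IPSEC && ipsec->cfg.reqid` uses a zero reqid as an implicit "install without template" signal, and nothing in the hunk ties that to the outbound FWD case the commit message describes. A POLICY_IPSEC policy installed without a template does not require matching traffic to have gone through an SA, so if any other caller can reach this point with `reqid == 0` for an IN or OUT policy, the policy would fail open without any error. Whether that can happen is not visible here, since add_policy_internal's body starts and continues outside the hunk; it is worth confirming that only the outbound FWD path passes a zero reqid. At minimum, document the convention above the check, e.g. `/* reqid is 0 only for outbound FWD policies, which get no template so that traffic not coming from a matching tunnel isn't dropped */`.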