From 21a500a092e4a2a0f91118846fede5f445d59d31 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 3 Nov 2017 09:37:44 +0100
Subject: kernel-pfkey: Don't include keys in SADB_UPDATE message to update IPs on FreeBSD

The FreeBSD kernel explicitly rejects messages containing keys for mature SAs.

Fixes #2457.
---
 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')

diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index fd1adb2ae..eca0bc132 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1960,6 +1960,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	PFKEY_EXT_COPY(msg, response.lft_soft);
 	PFKEY_EXT_COPY(msg, response.lft_hard);
 
+#ifndef __FreeBSD__
+	/* FreeBSD 11.1 does not allow key updates via SADB_UPDATE for mature SAs */
 	if (response.key_encr)
 	{
 		PFKEY_EXT_COPY(msg, response.key_encr);
@@ -1969,6 +1971,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	{
 		PFKEY_EXT_COPY(msg, response.key_auth);
 	}
+#endif
 
 #ifdef HAVE_NATT
 	if (data->new_encap)
-- 
cgit v1.2.3
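Review bot: The new `#ifndef __FreeBSD__` guard is a compile-time, all-releases exclusion, but the comment beside it names only FreeBSD 11.1, so a reader cannot tell whether newer kernels still reject keys on SADB_UPDATE or whether dropping them unconditionally is the intended policy. I would reword the comment to match what the guard actually does, e.g. `/* FreeBSD (observed on 11.1) rejects SADB_UPDATE messages carrying keys for mature SAs, so the key extensions are omitted and the kernel presumably keeps the SA's existing keys -- confirm on newer releases */`. Note also that on every other platform the key_encr/key_auth extensions read back from the kernel are still copied into `msg`, so both `response` and `msg` hold live key material; whether they are wiped after the update is not visible in this hunk. update_sa starts and ends outside the hunk, and the lines between the two hunks (the rest of the key_encr copy and the key_auth check) are not shown.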