From e5b5a66712a81f3cbe5f84c0f8980a5f6daa4129 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 18 Jul 2013 15:41:36 +0200
Subject: kernel-pfkey: Fail route installation if remote TS matches peer
---
 src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c')
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index fb90f5b21..dd998042c 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -2148,6 +2148,14 @@ static bool install_route(private_kernel_pfkey_ipsec_t *this,
 if (hydra->kernel_interface->get_features(
 hydra->kernel_interface) & KERNEL_REQUIRE_EXCLUDE_ROUTE)
 {
+ if (in->src_ts->is_host(in->src_ts, dst))
+ {
+ DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts "
+ "with IKE traffic", in->src_ts, in->dst_ts, policy_dir_names,
+ policy->direction);
+ route_entry_destroy(route);
+ return FALSE;
+ }
 if (in->src_ts->includes(in->src_ts, dst))
 {
 add_exclude_route(this, route, in->generic.sa->dst, dst);
--
cgit v1.2.3
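Review bot: The new early-return before the `includes()` check carries no comment saying why a remote TS that is exactly the peer address is refused instead of being handled by the exclude route below, and the log line only says "conflicts with IKE traffic"; a comment such as `/* an exclude route for the peer would cover the whole TS, so the tunnel could never carry traffic; refuse the route rather than capture IKE packets */` would make the intent clear to the next reader (the reasoning is my inference from the surrounding exclude-route code, so confirm it before wording the comment). The check compares `in->src_ts` with `dst` while the subject speaks of the "remote TS", so the comment should also state which side `src_ts` is for this policy. Since `route_entry_destroy(route)` is needed here, `route` was already allocated earlier in `install_route`, which starts outside the hunk; if the allocation can be moved after this check, the allocate-then-destroy pair on the refusal path disappears. Note that the refusal is nested under `KERNEL_REQUIRE_EXCLUDE_ROUTE`, so on kernels without that feature a TS equal to the peer still gets its route installed — presumably intended, but worth confirming in the commit description.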