Hi,
this is only a minor fix. The '-t' flag forces iked to use NAT-traversal on UDP
port 4500. Currently it enables NAT-T only for the IKE exchange, not for the resulting
ESP SAs. The diff enables NAT-T (UDP encapsulation) for ESP as well whenever iked's NAT-T is enforced.
ok?
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index bd22bda0255..3ffda3cd2ec 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1075,7 +1075,7 @@ ikev2_init_ike_sa_peer(struct iked *env, struct
iked_policy *pol,
if (ntohs(port) == IKED_NATT_PORT) {
/* Enforce NAT-T on the initiator side */
log_debug("%s: enforcing NAT-T", __func__);
- req.msg_natt = sa->sa_natt = 1;
+ req.msg_natt = sa->sa_natt = sa->sa_udpencap = 1;
}
if ((len = ikev2_add_nat_detection(env, buf, &pld, &req, len))
== -1)
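Review bot: The added `sa->sa_udpencap = 1` is set before NAT detection has run (ikev2_add_nat_detection is only called on the following line), so UDP encapsulation of ESP is now decided by the local port alone rather than by the peer's NAT_DETECTION answer; if that is the intended meaning of -t it deserves saying so at the assignment, since a peer that is found not to be behind NAT may then send plain ESP while this side expects UDP-encapsulated ESP. Suggest extending the existing comment to `/* Enforce NAT-T on the initiator side; -t also forces UDP encapsulation of the resulting ESP SAs regardless of NAT detection */`. Whether sa_udpencap is later carried over to the child SAs is outside this hunk, so the effect on ESP is inferred from the description rather than visible here; the responder side, if it has a matching port check, is presumably unchanged by this diff. ikev2_init_ike_sa_peer's body continues outside the hunk.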