From bfaee42974fac839c450410f5dd430ed5a8f94f3 Mon Sep 17 00:00:00 2001
From: tobhe
Date: Sat, 4 Dec 2021 13:07:17 +0000
Subject: [PATCH] Send out dstid as initiator if configured.

This makes it easier for the responder to match the correct policy if multiple are available.

ok patrick@
---
 sbin/iked/ikev2.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 2dc218f615d..6ae85f79ae2 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.340 2021/12/01 16:42:12 deraadt Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.341 2021/12/04 13:07:17 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -1464,7 +1464,7 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
 	struct ikev2_payload		*pld;
 	struct ikev2_cert		*cert;
 	struct ikev2_auth		*auth;
-	struct iked_id			*id, *certid;
+	struct iked_id			*id, *certid, peerid;
 	struct ibuf			*e = NULL;
 	uint8_t				 firstpayload;
 	int				 ret = -1;
@@ -1485,7 +1485,7 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
 	id = &sa->sa_iid;
 	certid = &sa->sa_icert;
 
-	/* ID payload */
+	/* ID payloads */
 	if ((pld = ikev2_add_payload(e)) == NULL)
 		goto done;
 	firstpayload = IKEV2_PAYLOAD_IDi;
@@ -1493,6 +1493,21 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
 		goto done;
 	len = ibuf_size(id->id_buf);
 
+	if (pol->pol_peerid.id_type) {
+		bzero(&peerid, sizeof(peerid));
+		if (ikev2_policy2id(&pol->pol_peerid, &peerid, 0) != 0) {
+			log_debug("%s: failed to get remote id", __func__);
+			goto done;
+		}
+		if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_IDr) == -1)
+			goto done;
+		if ((pld = ikev2_add_payload(e)) == NULL)
+			goto done;
+		if (ibuf_cat(e, peerid.id_buf) != 0)
+			goto done;
+		len = ibuf_size(peerid.id_buf);
+	}
+
 	/* CERT payload */
 	if ((sa->sa_stateinit & IKED_REQ_CERT) &&
 	    (certid->id_type != IKEV2_CERT_NONE)) {
-- 
2.20.1
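Review bot: The new IDr block in the last hunk fills the stack-allocated `struct iked_id peerid` through `ikev2_policy2id()` but never releases `peerid.id_buf`, so if that helper allocates the buffer (its later use with `ibuf_cat()` and `ibuf_size()` suggests it does) the initiator leaks one ibuf per IKE_AUTH it builds, on the success path as well as on every `goto done` after the call. The `done:` cleanup and the remainder of ikev2_init_ike_auth are outside this hunk. Because `bzero(&peerid, sizeof(peerid))` only runs inside the `if (pol->pol_peerid.id_type)` branch, a release at `done:` would otherwise touch an uninitialized pointer when no peer id is configured, so the declaration in the second hunk should become `struct iked_id *id, *certid, peerid = { 0 };` and `done:` should release `peerid.id_buf` with the same ibuf release call the function already uses for `e`. The `bzero` inside the branch can then go.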