authortobhe <tobhe@cvs.openbsd.org>2019-08-14 08:35:47 +0000
committertobhe <tobhe@cvs.openbsd.org>2019-08-14 08:35:47 +0000
commite6e2bf2972e606a314b593cb51f1a89f35a0d5f2 (patch)
tree4d81fdb941a9f280dfb29f9c3089d7d989709339
parenteda7dbe7305cc0538c50b56e513c9f2a463fefc4 (diff)
Fix NAT traversal detection bug when "local" option is not explicitly
set. ok patrick@
-rw-r--r--sbin/iked/iked.h3
-rw-r--r--sbin/iked/ikev2.c14
-rw-r--r--sbin/iked/ikev2_pld.c16
3 files changed, 17 insertions, 16 deletions
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 436823f9c6d..a51197d8c22 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.122 2019/08/12 07:40:45 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.123 2019/08/14 08:35:46 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -514,6 +514,7 @@ struct iked_message {
int msg_valid;
int msg_natt;
int msg_natt_rcvd;
+ int msg_nat_detected;
int msg_error;
int msg_e;
struct iked_message *msg_parent;
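Review bot: The new `msg_nat_detected` field carries no comment, and how it relates to the neighbouring `msg_natt` and `msg_natt_rcvd` flags is not obvious from the names alone; a one-line comment would help, e.g. `int msg_nat_detected; /* NAT_DETECTION_*_IP hash mismatch seen in this exchange */`. Because the flag now decides whether UDP encapsulation is switched on, it is worth confirming that the code that initialises an iked_message zeroes it (that code is outside this diff) so a stale value cannot carry over between messages.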
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index e71f0c0db1a..f357f9837de 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.172 2019/08/12 07:40:45 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.173 2019/08/14 08:35:46 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -855,7 +855,7 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
if (!ikev2_msg_frompeer(msg))
return;
- if (sa->sa_udpencap && sa->sa_natt == 0 &&
+ if (sa && msg->msg_nat_detected && sa->sa_natt == 0 &&
(sock = ikev2_msg_getsocket(env,
sa->sa_local.addr_af, 1)) != NULL) {
/*
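Review bot: The rewritten condition replaces `sa->sa_udpencap` with `msg->msg_nat_detected`, so an SA whose `sa_udpencap` was set by configuration rather than by NAT detection no longer takes this branch and is not moved to the NAT-T socket; if that is intended, a comment above the `if` saying that configured encapsulation does not by itself imply a port change would stop the next reader from "fixing" it. The flag is written in ikev2_pld_notify through `msg->msg_parent`, so this test relies on the `msg` passed here being that parent message, which cannot be confirmed from the hunk. ikev2_init_recv starts and ends outside the hunk.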
@@ -872,9 +872,10 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
msg->msg_fd = sa->sa_fd = sock->sock_fd;
msg->msg_sock = sock;
sa->sa_natt = 1;
+ sa->sa_udpencap = 1;
- log_debug("%s: NAT detected, updated SA to "
- "peer %s local %s", __func__,
+ log_debug("%s: detected NAT, enabling UDP encapsulation,"
+ " updated SA to peer %s local %s", __func__,
print_host((struct sockaddr *)&sa->sa_peer.addr, NULL, 0),
print_host((struct sockaddr *)&sa->sa_local.addr, NULL, 0));
}
@@ -2440,6 +2441,11 @@ ikev2_resp_ike_sa_init(struct iked *env, struct iked_message *msg)
log_debug("%s: called by initiator", __func__);
return (-1);
}
+ if (msg->msg_nat_detected && sa->sa_udpencap == 0) {
+ log_debug("%s: detected NAT, enabling UDP encapsulation",
+ __func__);
+ sa->sa_udpencap = 1;
+ }
if ((buf = ikev2_msg_init(env, &resp,
&msg->msg_peer, msg->msg_peerlen,
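Review bot: The new block enables UDP encapsulation on the responder but, unlike the initiator path in ikev2_init_recv changed in this same commit, does not touch `sa->sa_natt` or the socket; presumably the responder keeps answering on the socket the request arrived on, but a comment stating that would make the asymmetry deliberate rather than accidental. The `sa->sa_udpencap == 0` test only suppresses repeat logging, since the assignment is idempotent, which is fine but could be said in the comment as well. ikev2_resp_ike_sa_init starts and ends outside the hunk.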
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index 1355bcf3586..032c71935ad 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.72 2019/08/12 07:40:45 tobhe Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.73 2019/08/14 08:35:46 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1023,18 +1023,12 @@ ikev2_pld_notify(struct iked *env, struct ikev2_payload *pld,
if (ikev2_nat_detection(env, msg, md, sizeof(md), type) == -1)
return (-1);
if (memcmp(buf, md, len) != 0) {
- log_debug("%s: %s detected NAT, enabling "
- "UDP encapsulation", __func__,
+ log_debug("%s: %s detected NAT", __func__,
print_map(type, ikev2_n_map));
-
- /*
- * Enable UDP encapsulation of ESP packages if
- * the check detected NAT.
- */
- if (msg->msg_sa != NULL)
- msg->msg_sa->sa_udpencap = 1;
+ msg->msg_parent->msg_nat_detected = 1;
/* Send keepalive, since we are behind a NAT-gw */
- if (type == IKEV2_N_NAT_DETECTION_DESTINATION_IP)
+ if (msg->msg_sa != NULL &&
+ type == IKEV2_N_NAT_DETECTION_DESTINATION_IP)
msg->msg_sa->sa_usekeepalive = 1;
}
print_hex(md, 0, sizeof(md));
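Review bot: `msg->msg_parent->msg_nat_detected = 1;` dereferences `msg_parent` unconditionally, while two lines later `msg->msg_sa` is still guarded against NULL; if a top-level, unencrypted message can reach ikev2_pld_notify with `msg_parent` unset, this is a NULL dereference on a message that is not yet authenticated, so either the parse path must guarantee `msg_parent` is always set (worth a comment here) or the write needs the same guard, `if (msg->msg_parent != NULL) msg->msg_parent->msg_nat_detected = 1;`. The removed block comment explained why the mismatch mattered; a short replacement such as `/* record for the exchange handler, which enables UDP encapsulation once the SA exists */` would keep that context. ikev2_pld_notify starts and ends outside the hunk.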