authorTobias Heider <tobhe@cvs.openbsd.org>2021-12-04 13:07:18 +0000
committerTobias Heider <tobhe@cvs.openbsd.org>2021-12-04 13:07:18 +0000
commit7eb683431afcb931eb5a8f0d3430e068c735d4b7 (patch)
treee4f9fa82811f1805dee5e1dc068e18458c2b6d08 /sbin/iked
parent3a26c6f97ef6191e341627ce667f381c205a6f0e (diff)
Send out dstid as initiator if configured. This makes it easier for
the responder to match the correct policy if multiple are available. ok patrick@
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/ikev2.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 2dc218f615d..6ae85f79ae2 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.340 2021/12/01 16:42:12 deraadt Exp $ */
+/* $OpenBSD: ikev2.c,v 1.341 2021/12/04 13:07:17 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1464,7 +1464,7 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
struct ikev2_payload *pld;
struct ikev2_cert *cert;
struct ikev2_auth *auth;
- struct iked_id *id, *certid;
+ struct iked_id *id, *certid, peerid;
struct ibuf *e = NULL;
uint8_t firstpayload;
int ret = -1;
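Review bot: The `peerid` added on the `struct iked_id *id, *certid, peerid;` line owns an ibuf that is never released: the last hunk of this file fills `peerid.id_buf` through `ikev2_policy2id()` and copies it into `e` with `ibuf_cat()`, but no `ibuf_release(peerid.id_buf)` follows on the success path or on the `goto done` error paths after the allocation, so every IKE_AUTH request built for a policy with a configured dstid leaks that buffer. Because `peerid` is only zeroed inside the `if (pol->pol_peerid.id_type)` branch, a release in the shared cleanup would read an uninitialised field on the other paths, so hoist the `bzero(&peerid, sizeof(peerid));` up next to `id = &sa->sa_iid;` and add `ibuf_release(peerid.id_buf);` under the `done:` label (assuming `ibuf_release()` tolerates a NULL argument, as the other cleanups in this function appear to rely on). The body of `ikev2_init_ike_auth()` and its `done:` label lie outside this hunk.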
@@ -1485,7 +1485,7 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
id = &sa->sa_iid;
certid = &sa->sa_icert;
- /* ID payload */
+ /* ID payloads */
if ((pld = ikev2_add_payload(e)) == NULL)
goto done;
firstpayload = IKEV2_PAYLOAD_IDi;
@@ -1493,6 +1493,21 @@ ikev2_init_ike_auth(struct iked *env, struct iked_sa *sa)
goto done;
len = ibuf_size(id->id_buf);
+ if (pol->pol_peerid.id_type) {
+ bzero(&peerid, sizeof(peerid));
+ if (ikev2_policy2id(&pol->pol_peerid, &peerid, 0) != 0) {
+ log_debug("%s: failed to get remote id", __func__);
+ goto done;
+ }
+ if (ikev2_next_payload(pld, len, IKEV2_PAYLOAD_IDr) == -1)
+ goto done;
+ if ((pld = ikev2_add_payload(e)) == NULL)
+ goto done;
+ if (ibuf_cat(e, peerid.id_buf) != 0)
+ goto done;
+ len = ibuf_size(peerid.id_buf);
+ }
+
/* CERT payload */
if ((sa->sa_stateinit & IKED_REQ_CERT) &&
(certid->id_type != IKEV2_CERT_NONE)) {