[Swan-dev] [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth

Paul Wouters paul at nohats.ca
Tue Aug 23 21:10:56 UTC 2016


On Tue, 23 Aug 2016, Lennart Sorensen wrote:

>> @@ -1819,6 +1821,9 @@ char *add_group_instance(struct connection *group, const i p_subnet *target)
>>
>>  		t->spd.reqid = group->spd.reqid == 0 ?
>>  			gen_reqid() : group->spd.reqid;
>> +		t->spd.reqid =  gen_reqid(); + +
>>
>> 		/* add to connections list */
>> 		t->ac_next = connections;
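Review bot: the added `t->spd.reqid =  gen_reqid(); + +` line in add_group_instance() carries stray `+` tokens that will not compile, and because it follows the conditional assignment directly, it also discards a non-zero `group->spd.reqid` that the conditional was written to keep. If every instance should get a fresh reqid, remove the conditional rather than adding a second assignment after it.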
>
> That doesn't look like valid syntax with all those '+'
>
> And that line seems like it overrides the previous line, so what is the
> point in doing that?

Sorry, let me try to explain and fix up the patch :)

When we add_connection(), we check if the user supplied a reqid= option.
If so, use that. Otherwise, generate a unique one:

                 c->spd.reqid = wm->sa_reqid == 0 ? gen_reqid() : wm->sa_reqid;

Then in instantiate() we again checked for reqid being 0 and if so,
generate one. Since it was never 0 anymore, it would never generate
one, meaning all instances received the same number generated on the
original add_connection() call.

So the proper patch would be:

diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
index 0e3c23e..634c12f 100644
--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -1756,9 +1756,6 @@ char *add_group_instance(struct connection *group, const ip_subnet *target)
  		t->log_file = NULL;
  		t->log_file_err = FALSE;

-		t->spd.reqid = group->spd.reqid == 0 ?
-			gen_reqid() : group->spd.reqid;
-
  		/* add to connections list */
  		t->ac_next = connections;
  		connections = t;
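Review bot: with the reqid assignment removed from add_group_instance(), nothing in the visible lines sets `t->spd.reqid` before `t` is put on the connections list. Please confirm that the group instance either inherits the group's reqid on purpose or receives its own in a later instantiate() call, and state that in the commit message or in a comment where the assignment used to be.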
@@ -1834,7 +1831,7 @@ struct connection *instantiate(struct connection *c, const ip_address *him,
  	default_end(&d->spd.this, &d->spd.that.host_addr);
  	d->spd.spd_next = NULL;

-	d->spd.reqid = c->spd.reqid == 0 ? gen_reqid() : c->spd.reqid;
+	d->spd.reqid = gen_reqid();

  	/* set internal fields */
  	d->ac_next = connections;
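Review bot: the unconditional `d->spd.reqid = gen_reqid();` in instantiate() also replaces a reqid that the administrator set with reqid=, which add_connection() stores in `c->spd.reqid` from `wm->sa_reqid`. If a configured reqid is meant to survive instantiation, the code needs a way to tell a user-supplied value from a generated one (for example by remembering whether `wm->sa_reqid` was non-zero) and should call gen_reqid() only in the generated case; if overriding it is intended, the reqid= documentation should say so.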

