aboutsummaryrefslogblamecommitdiffstats
path: root/main/ipsec-tools/20-grekey-support.patch
blob: 7651b8dbf2c86de0cbcd4bf828361588059a66b9 (plain) (tree)
1
2
3
4

                                                                   

                                                                                           
















































































                                                                                       
                                                                                           
                                                                                   








                                                                 
                   


                                                       
                                                        




                                                                   

                                                                                           









                                                                   


                                                                                           







                                                                      
                      


































                                                                                       
                     









                                                                           


                                                                                           



                                                                                                  
                                                                     






                                                                   
                                                                                           




























                                                                                   






                                 






























                                                                             






                                                                   
                     






                                                                       
                     






                                                                    
                     






                                                                        
                       





                                                               
                                   
                           



                                                               





                                                                         
 


                                   




















                                                                         






















                                                                      






















                                                                    
                     







                                                                       
                     







                                                                        
                     







                                                                            
                     









                                                                                     
                       













                                                                                        
                     







                                                                        
                     









                                                                                        

                                                                                           





































                                                                   
                                                                                           
                                                                                   
                      




                                                                                      
                                      









                                                                   
                     







                                                               
                     







                                                  
















                                                     

                                                                   

                                                                                           



































                                                                   

                                                                                           
























                                                                                                  










                                                                                           







                                                                             
                      












                                                                                                        

                                                                                           










                                                                         

                                                                                           

























                                                                            

                                                                                           

















                                                               













































































                                                                                           
Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.c	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.c	2011-03-29 22:08:43.000000000 +0300
@@ -232,7 +232,7 @@
 "\n"
 "    <saopts>: \"isakmp\" <family> <src> <dst>\n"
 "            : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
-"                              <ul_proto>\n"
+"                              <ul_proto> [grekey <grekey>]\n"
 "    <family>: \"inet\" or \"inet6\"\n"
 "    <ul_proto>: \"icmp\", \"tcp\", \"udp\", \"gre\" or \"any\"\n"
 "\n",
@@ -819,7 +819,7 @@
 {
 	int family;
 
-	if (ac != 3 && ac != 4) {
+	if (ac < 3) {
 		errno = EINVAL;
 		return NULL;
 	}
@@ -861,10 +861,8 @@
 	struct sockaddr *src = NULL, *dst = NULL;
 	int ulproto;
 
-	if (ac != 2 && ac != 3) {
-		errno = EINVAL;
-		return NULL;
-	}
+	if (ac < 2)
+		goto bad_args;
 
 	if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
 		goto bad;
@@ -901,13 +899,34 @@
 
 	av++;
 	ac--;
-	if(ac){
+	if (ac) {
 		ulproto = get_ulproto(*av);
 		if (ulproto == -1)
 			goto bad;
-	}else
+		av++;
+		ac--;
+	} else
 		ulproto=0;
 
+	if (ac == 2 && strcmp(av[0], "grekey") == 0) {
+		int a, b, c, d;
+		unsigned long u;
+
+		if (sscanf(av[1], "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
+			set_port(src, (a << 8) + b);
+			set_port(dst, (c << 8) + d);
+		} else if (sscanf(av[1], "%lu", &u) == 1) {
+			set_port(src, u >> 16);
+			set_port(dst, u & 0xffff);
+		} else
+			goto bad_args;
+		av += 2;
+		ac -= 2;
+	}
+
+	if (ac != 0)
+		goto bad_args;
+
 	ci = (struct admin_com_indexes *)buf->v;
 	if(p_prefs)
 		ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
@@ -926,7 +945,9 @@
 
 	return buf;
 
-   bad:
+bad_args:
+	errno = EINVAL;
+bad:
 	if (p_name)
 		racoon_free(p_name);
 	if (p_port)
Index: ipsec-tools-cvs-HEAD/src/racoon/admin.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/admin.c	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/admin.c	2011-03-30 09:41:46.000000000 +0300
@@ -444,7 +444,7 @@
 
 			/* search appropreate configuration */
 			if (name == NULL)
-				rmconf = getrmconf(dst, 0);
+				rmconf = getrmconf(dst, 0, 0);
 			else
 				rmconf = getrmconf_by_name(name);
 			if (rmconf == NULL) {
@@ -536,6 +536,7 @@
 			spidx.prefs = ndx->prefd;
 			spidx.prefd = ndx->prefs;
 			spidx.ul_proto = ndx->ul_proto;
+			spidx_normalize_ulports(&spidx);
 
 			sp_in = getsp_r(&spidx);
 			if (sp_in) {
Index: ipsec-tools-cvs-HEAD/src/racoon/cftoken.l
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/cftoken.l	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/cftoken.l	2011-03-29 22:08:43.000000000 +0300
@@ -288,6 +288,7 @@
 <S_SAINF>any		{ YYD; return(ANY); }
 <S_SAINF>from		{ YYD; return(FROM); }
 <S_SAINF>group		{ YYD; return(GROUP); }
+<S_SAINF>grekey		{ YYD; return(GREKEY); }
 	/* sainfo spec */
 <S_SAINF>{bcl}		{ BEGIN S_SAINFS; return(BOC); }
 <S_SAINF>{semi}		{ BEGIN S_INI; return(EOS); }
Index: ipsec-tools-cvs-HEAD/src/racoon/cfparse.y
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/cfparse.y	2011-03-14 19:12:41.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/cfparse.y	2011-03-29 22:08:43.000000000 +0300
@@ -214,7 +214,7 @@
 	/* algorithm */
 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
 	/* sainfo */
-%token SAINFO FROM
+%token SAINFO FROM GREKEY
 	/* remote */
 %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
@@ -1302,6 +1302,35 @@
 			cur_sainfo->idsrc = $1;
 			cur_sainfo->iddst = $2;
 		}
+	|	sainfo_id sainfo_id GREKEY ADDRSTRING
+		{
+			int a, b, c, d;
+
+			if (sscanf($4->v, "%d.%d.%d.%d", &a, &b, &c, &d) == 4) {
+				a = ipsecdoi_fixup_id_uldata(
+					$1, $2, IPPROTO_GRE,
+					(a << 8) + b, (c << 8) + d);
+			} else {
+				yyerror("grekey format unrecognized.");
+				return -1;
+			}
+			if (a != 0) {
+				yyerror("ul_proto needs to be 'gre' to use grekey.");
+				return -1;
+			}
+			cur_sainfo->idsrc = $1;
+			cur_sainfo->iddst = $2;
+		}
+	|	sainfo_id sainfo_id GREKEY NUMBER
+		{
+			if (ipsecdoi_fixup_id_uldata($1, $2, IPPROTO_GRE,
+						     ($4) >> 16, ($4) & 0xffff) != 0) {
+				yyerror("ul_proto needs to be 'gre' to use grekey.");
+				return -1;
+			}
+			cur_sainfo->idsrc = $1;
+			cur_sainfo->iddst = $2;
+		}
 	;
 sainfo_id
 	:	IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
@@ -1668,7 +1697,7 @@
 		{
 			struct remoteconf *from, *new;
 
-			from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
+			from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS, 0);
 			if (from == NULL) {
 				yyerror("failed to get remoteconf for %s.",
 					saddr2str($4));
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.h	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.h	2011-03-30 09:22:13.000000000 +0300
@@ -227,6 +227,10 @@
 extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
 extern int ipsecdoi_setid2 __P((struct ph2handle *));
 extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
+extern int ipsecdoi_fixup_id_uldata __P((vchar_t *, vchar_t *, u_int16_t, u_int16_t, u_int16_t));
+extern int ipsecdoi_normalize_id_uldata __P((vchar_t *, vchar_t *));
+extern int ipsecdoi_id_has_port __P((vchar_t *));
+
 extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
 	u_int8_t *, u_int16_t *));
 extern char *ipsecdoi_id2str __P((const vchar_t *));
Index: ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/ipsec_doi.c	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/ipsec_doi.c	2011-03-30 16:59:49.000000000 +0300
@@ -3308,6 +3308,7 @@
 	const vchar_t *subnet;
 	const vchar_t *address;
 {
+	struct in_addr *a, *b;
 	struct in_addr *mask;
 
 	if (address->l != sizeof(struct in_addr))
@@ -3316,12 +3317,15 @@
 	if (subnet->l != (sizeof(struct in_addr)*2))
 		return 1;
 
+	a = (struct in_addr*)(subnet->v);
+	b = (struct in_addr*)(address->v);
 	mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
 
-	if (mask->s_addr!=0xffffffff)
-		return 1;
+	//if (mask->s_addr!=0xffffffff)
+	//	return 1;
+	//return memcmp(subnet->v,address->v,address->l);
 
-	return memcmp(subnet->v,address->v,address->l);
+	return (a->s_addr & mask->s_addr) != (b->s_addr & mask->s_addr);
 }
 
 #ifdef INET6
@@ -3371,6 +3375,7 @@
 	vchar_t ident_t;
 	vchar_t ident_s;
 	int result;
+	int check_ports = 0;
 
 	/* handle wildcard IDs */
 
@@ -3410,12 +3415,14 @@
 
 		if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
 		    (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
+			check_ports = 1;
 			result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
 			goto cmpid_result;
 		}
 
 		if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
 		    (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
+			check_ports = 1;
 			result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
 			goto cmpid_result;
 		}
@@ -3423,12 +3430,14 @@
 #ifdef INET6
 		if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
 		    (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
+			check_ports = 1;
 			result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
 			goto cmpid_result;
 		}
 
 		if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
 		    (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
+			check_ports = 1;
 			result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
 			goto cmpid_result;
 		}
@@ -3460,6 +3469,7 @@
 
 		case IPSECDOI_ID_IPV4_ADDR:
 			/* validate lengths */
+			check_ports = 1;
 			if ((ident_t.l != sizeof(struct in_addr))||
 			    (ident_s.l != sizeof(struct in_addr)))
 				goto cmpid_invalid;
@@ -3468,6 +3478,7 @@
 		case IPSECDOI_ID_IPV4_ADDR_SUBNET:
 		case IPSECDOI_ID_IPV4_ADDR_RANGE:
 			/* validate lengths */
+			check_ports = 1;
 			if ((ident_t.l != (sizeof(struct in_addr)*2))||
 			    (ident_s.l != (sizeof(struct in_addr)*2)))
 				goto cmpid_invalid;
@@ -3476,6 +3487,7 @@
 #ifdef INET6
 		case IPSECDOI_ID_IPV6_ADDR:
 			/* validate lengths */
+			check_ports = 1;
 			if ((ident_t.l != sizeof(struct in6_addr))||
 			    (ident_s.l != sizeof(struct in6_addr)))
 				goto cmpid_invalid;
@@ -3484,6 +3496,7 @@
 		case IPSECDOI_ID_IPV6_ADDR_SUBNET:
 		case IPSECDOI_ID_IPV6_ADDR_RANGE:
 			/* validate lengths */
+			check_ports = 1;
 			if ((ident_t.l != (sizeof(struct in6_addr)*2))||
 			    (ident_s.l != (sizeof(struct in6_addr)*2)))
 				goto cmpid_invalid;
@@ -3502,12 +3515,18 @@
 	}
 
 	/* validate matching data and length */
-	if (ident_t.l == ident_s.l)
-		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
-	else
+	if (ident_t.l != ident_s.l)
 		result = 1;
+	else
+		result = memcmp(ident_t.v,ident_s.v,ident_t.l);
 
 cmpid_result:
+	if (check_ports &&
+	    (id_bt->port != id_bs->port && id_bs->port != 0))  {
+		/* if target is wildcard, source should be too, otherwise
+		 * specific rule matches wildcard request */
+		result = 1;
+	}
 
 	/* debug level output */
 	if(loglevel >= LLV_DEBUG) {
@@ -4089,6 +4108,67 @@
 	return new;
 }
 
+int ipsecdoi_fixup_id_uldata(srcid, dstid, ul_proto, ul_data1, ul_data2)
+	vchar_t *srcid, *dstid;
+	u_int16_t ul_proto;
+	u_int16_t ul_data1, ul_data2;
+{
+	struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
+	struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
+
+	if (src->proto_id != ul_proto ||
+	    dst->proto_id != ul_proto)
+		return -1;
+
+	src->port = htons(ul_data1);
+	dst->port = htons(ul_data2);
+
+	return 0;
+}
+
+int ipsecdoi_normalize_id_uldata(srcid, dstid)
+	vchar_t *srcid, *dstid;
+{
+	struct ipsecdoi_id_b *src = (struct ipsecdoi_id_b *) srcid->v;
+	struct ipsecdoi_id_b *dst = (struct ipsecdoi_id_b *) dstid->v;
+	u_int16_t tmp;
+
+	if (src->proto_id != dst->proto_id)
+		return -1;
+
+	switch (src->proto_id) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_GRE:
+		tmp = src->port;
+		src->port = dst->port;
+		dst->port = tmp;
+		break;
+	}
+
+	return 0;
+}
+
+int ipsecdoi_id_has_port(id)
+	vchar_t *id;
+{
+	struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *) id->v;
+
+	switch (id_b->type) {
+	case IPSECDOI_ID_IPV4_ADDR:
+	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
+	case IPSECDOI_ID_IPV4_ADDR_RANGE:
+	case IPSECDOI_ID_IPV6_ADDR:
+	case IPSECDOI_ID_IPV6_ADDR_SUBNET:
+	case IPSECDOI_ID_IPV6_ADDR_RANGE:
+		if (ntohs(id_b->port) != 0)
+			return 1;
+		break;
+	}
+	return 0;
+}
+
+
 vchar_t *
 ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
 	struct sockaddr *laddr, *haddr;
@@ -4318,7 +4398,7 @@
 		saddr.sa.sa_len = sizeof(struct sockaddr_in);
 #endif
 		saddr.sa.sa_family = AF_INET;
-		saddr.sin.sin_port = IPSEC_PORT_ANY;
+		saddr.sin.sin_port = id_b->port;
 		memcpy(&saddr.sin.sin_addr,
 			id->v + sizeof(*id_b), sizeof(struct in_addr));
 		break;
@@ -4331,7 +4411,7 @@
 		saddr.sa.sa_len = sizeof(struct sockaddr_in6);
 #endif
 		saddr.sa.sa_family = AF_INET6;
-		saddr.sin6.sin6_port = IPSEC_PORT_ANY;
+		saddr.sin6.sin6_port = id_b->port;
 		memcpy(&saddr.sin6.sin6_addr,
 			id->v + sizeof(*id_b), sizeof(struct in6_addr));
 		saddr.sin6.sin6_scope_id =
@@ -4347,7 +4427,7 @@
 #ifdef INET6
 	case IPSECDOI_ID_IPV6_ADDR:
 #endif
-		len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr.sa));
+		len = snprintf( buf, BUFLEN, "%s", saddr2str(&saddr.sa));
 		break;
 
 	case IPSECDOI_ID_IPV4_ADDR_SUBNET:
@@ -4403,7 +4483,9 @@
 			plen += l;
 		}
 
-		len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr.sa), plen);
+		len = snprintf(buf, BUFLEN, "%s/%i[%d]",
+			       saddrwop2str(&saddr.sa), plen,
+			       ntohs(id_b->port));
 	    }
 		break;
 
@@ -4415,12 +4497,12 @@
 		saddr.sa.sa_len = sizeof(struct sockaddr_in);
 #endif
 		saddr.sa.sa_family = AF_INET;
-		saddr.sin.sin_port = IPSEC_PORT_ANY;
+		saddr.sin.sin_port = id_b->port;
 		memcpy(&saddr.sin.sin_addr,
 			id->v + sizeof(*id_b) + sizeof(struct in_addr),
 			sizeof(struct in_addr));
 
-		len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
+		len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
 		break;
 
 #ifdef INET6
@@ -4431,7 +4513,7 @@
 		saddr.sa.sa_len = sizeof(struct sockaddr_in6);
 #endif
 		saddr.sa.sa_family = AF_INET6;
-		saddr.sin6.sin6_port = IPSEC_PORT_ANY;
+		saddr.sin6.sin6_port = id_b->port;
 		memcpy(&saddr.sin6.sin6_addr,
 			id->v + sizeof(*id_b) + sizeof(struct in6_addr),
 			sizeof(struct in6_addr));
@@ -4440,7 +4522,7 @@
 				? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
 				: 0);
 
-		len += snprintf(buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr.sa));
+		len += snprintf(buf + len, BUFLEN - len, "%s", saddr2str(&saddr.sa));
 		break;
 #endif
 
Index: ipsec-tools-cvs-HEAD/src/racoon/sainfo.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/sainfo.c	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/sainfo.c	2011-03-29 22:08:44.000000000 +0300
@@ -124,7 +124,7 @@
 		plog(LLV_DEBUG, LOCATION, NULL,
 			"evaluating sainfo: %s\n", sainfostr);
 
-		if(s->remoteid != remoteid) {
+		if (remoteid != -1 && s->remoteid != remoteid) {
 			plog(LLV_DEBUG, LOCATION, NULL,
 				"remoteid mismatch: %u != %u\n",
 				s->remoteid, remoteid);
@@ -234,16 +234,22 @@
 	int pri = 0;
 
 	if(s->remoteid)
-		pri += 3;
+		pri += 7;
 
 	if(s->id_i)
-		pri += 3;
+		pri += 7;
 
-	if(s->idsrc)
+	if(s->idsrc) {
 		pri++;
+		if (ipsecdoi_id_has_port(s->idsrc))
+			pri += 2;
+	}
 
-	if(s->iddst)
+	if(s->iddst) {
 		pri++;
+		if (ipsecdoi_id_has_port(s->iddst))
+			pri += 2;
+	}
 
 	return pri;
 }
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp.c	2011-03-14 19:18:12.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp.c	2011-03-30 09:41:46.000000000 +0300
@@ -2173,7 +2173,15 @@
 	 * so no need to bother yet. --arno */
 
 	if (iph1hint == NULL || iph1hint->rmconf == NULL) {
-		rmconf = getrmconf(iph2->dst, nopassive ? GETRMCONF_F_NO_PASSIVE : 0);
+		int flags = 0;
+		uint32_t remoteid = 0;
+		if (nopassive)
+			flags |= GETRMCONF_F_NO_PASSIVE;
+		if (iph2->sainfo != NULL) {
+			flags |= GETRMCONF_F_HAS_REMOTEID;
+			remoteid = iph2->sainfo->remoteid;
+		}
+		rmconf = getrmconf(iph2->dst, flags, remoteid);
 		if (rmconf == NULL) {
 			plog(LLV_ERROR, LOCATION, NULL,
 				"no configuration found for %s.\n",
@@ -2249,7 +2257,7 @@
 	struct secpolicy *sp_out, *sp_in;
 {
 	struct remoteconf *conf;
-	uint32_t remoteid = 0;
+	uint32_t remoteid = -1;
 
 	plog(LLV_DEBUG, LOCATION, NULL,
 		"new acquire %s\n", spidx2str(&sp_out->spidx));
@@ -2276,7 +2284,7 @@
 			return -1;
 		}
 
-		conf = getrmconf(iph2->dst, 0);
+		conf = getrmconf(iph2->dst, 0, 0);
 		if (conf != NULL)
 			remoteid = conf->ph1id;
 		else
@@ -3582,6 +3590,8 @@
 
 #undef _XIDT
 
+	spidx_normalize_ulports(&spidx);
+
 	plog(LLV_DEBUG, LOCATION, NULL,
 		 "get a src address from ID payload "
 		 "%s prefixlen=%u ul_proto=%u\n",
@@ -3654,6 +3664,7 @@
 	pref = spidx.prefs;
 	spidx.prefs = spidx.prefd;
 	spidx.prefd = pref;
+	spidx_normalize_ulports(&spidx);
 
 	if (pk_sendspddelete(iph2) < 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.c	2011-03-14 19:12:41.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.c	2011-03-29 22:08:44.000000000 +0300
@@ -217,6 +217,13 @@
 		return MATCH_NONE;
 	}
 
+	if ((rmsel->flags & GETRMCONF_F_HAS_REMOTEID) &&
+	    rmsel->remoteid != rmconf->ph1id){
+		plog(LLV_DEBUG2, LOCATION, rmsel->remote,
+		     "Not matched: remote_id did not match.\n");
+		return MATCH_NONE;
+	}
+
 	ret |= MATCH_BASIC;
 
 	/* Check address */
@@ -387,9 +394,10 @@
  */
 
 struct remoteconf *
-getrmconf(remote, flags)
+getrmconf(remote, flags, remoteid)
 	struct sockaddr *remote;
 	int flags;
+	uint32_t remoteid;
 {
 	struct rmconf_find_context ctx;
 	int n = 0;
@@ -397,6 +405,7 @@
 	memset(&ctx, 0, sizeof(ctx));
 	ctx.sel.flags = flags;
 	ctx.sel.remote = remote;
+	ctx.sel.remoteid = remoteid;
 
 	if (enumrmconf(&ctx.sel, rmconf_find, &ctx) != 0) {
 		plog(LLV_ERROR, LOCATION, remote,
Index: ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/remoteconf.h	2011-03-14 19:12:41.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/remoteconf.h	2011-03-29 22:08:44.000000000 +0300
@@ -178,6 +178,7 @@
 	int flags;
 	struct sockaddr *remote;
 	int etype;
+	uint32_t remoteid;
 	struct isakmpsa *approval;
 	vchar_t *identity;
 	vchar_t *certificate_request;
@@ -191,12 +192,13 @@
 
 #define GETRMCONF_F_NO_ANONYMOUS	0x0001
 #define GETRMCONF_F_NO_PASSIVE		0x0002
+#define GETRMCONF_F_HAS_REMOTEID	0x0004
 
 #define RMCONF_ERR_MULTIPLE		((struct remoteconf *) -1)
 
 extern int rmconf_match_identity __P((struct remoteconf *rmconf,
 				      vchar_t *id_p));
-extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
+extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags, uint32_t remoteid));
 extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
 extern struct remoteconf *getrmconf_by_name __P((const char *name));
 
Index: ipsec-tools-cvs-HEAD/src/racoon/pfkey.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/pfkey.c	2011-03-14 19:18:13.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/pfkey.c	2011-03-30 08:21:09.000000000 +0300
@@ -1886,6 +1886,7 @@
 	spidx.prefs = sp_out->spidx.prefd;
 	spidx.prefd = sp_out->spidx.prefs;
 	spidx.ul_proto = sp_out->spidx.ul_proto;
+	spidx_normalize_ulports(&spidx);
 
 #ifdef HAVE_SECCTX
 	if (m_sec_ctx) {
@@ -2898,7 +2899,7 @@
 
 		/* If we are not acting as initiator, let's just leave and
 		 * let the remote peer handle the restart */
-		rmconf = getrmconf(ma->remote, 0);
+		rmconf = getrmconf(ma->remote, 0, 0);
 		if (rmconf == NULL || !rmconf->passive) {
 			iph1->status = PHASE1ST_EXPIRED;
 			sched_schedule(&iph1->sce, 1, isakmp_ph1delete_stub);
@@ -3068,8 +3069,10 @@
 
 		if (iph2->ph1 && iph2->ph1->rmconf)
 			rmconf = iph2->ph1->rmconf;
+		else if (iph2->sainfo != NULL)
+			rmconf = getrmconf(iph2->dst, GETRMCONF_F_HAS_REMOTEID, iph2->sainfo->remoteid);
 		else
-			rmconf = getrmconf(iph2->dst, 0);
+			rmconf = getrmconf(iph2->dst, 0, 0);
 
 		if (rmconf && !rmconf->passive) {
 			struct ph1handle *iph1hint;
Index: ipsec-tools-cvs-HEAD/src/setkey/setkey.8
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/setkey/setkey.8	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/setkey/setkey.8	2011-03-29 22:08:44.000000000 +0300
@@ -453,7 +453,7 @@
 .Pp
 A second example of requiring transport mode encryption of specific
 GRE tunnel:
-.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 ipsec esp/transport//require ;
+.Dl spdadd 0.0.0.0 0.0.0.0 gre 1234 -P in ipsec esp/transport//require ;
 .Pp
 .Em Note :
 .Ar upperspec
Index: ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoon.conf.5	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/racoon.conf.5	2011-03-29 22:08:44.000000000 +0300
@@ -981,6 +981,7 @@
 .Bl -tag -width Ds -compact
 .It Ic sainfo Po Ar local_id | Ic anonymous Pc \
 Po Ar remote_id | Ic clientaddr | Ic anonymous Pc \
+Bo Ic grekey Ar key Bc \
 Bo Ic from Ar idtype Bo Ar string Bc Bc Bo Ic group Ar string Bc \
 Ic { Ar statements Ic }
 Defines the parameters of the IKE phase 2 (IPsec-SA establishment).
@@ -1026,6 +1027,15 @@
 to restrict policy generation when racoon is acting as a client gateway
 for peers with dynamic ip addresses.
 .Pp
+If both
+.Ar local_id
+and
+.Ar remote_id
+are specified with GRE as upper layer protocol, the upper layer GRE
+key match can be specified with
+.Ic grekey
+.Ar key .
+.Pp
 The
 .Ic from
 keyword allows an sainfo to only match for peers that use a specific phase1
Index: ipsec-tools-cvs-HEAD/src/setkey/parse.y
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/setkey/parse.y	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/setkey/parse.y	2011-03-29 22:08:44.000000000 +0300
@@ -856,6 +856,17 @@
 			}
 			$$.len = strlen($$.buf);
 		}
+	|	DECSTRING
+		{
+			char tmp[16];
+			sprintf(tmp, "%lu", $1);
+			$$.buf = strdup(tmp);
+			if (!$$.buf) {
+				yyerror("insufficient memory");
+				return -1;
+			}
+			$$.len = strlen(tmp);
+		}
 	;
 
 context_spec
Index: ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/racoonctl.8	2011-03-05 09:23:59.000000000 +0200
+++ ipsec-tools-cvs-HEAD/src/racoon/racoonctl.8	2011-03-29 22:08:44.000000000 +0300
@@ -158,8 +158,8 @@
 has the following format:
 .Bl -tag -width Bl
 .It isakmp {inet|inet6} Ar src Ar dst
-.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
-{icmp|tcp|udp|gre|any}
+.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port \
+  {icmp|tcp|udp|gre|any} Oo grekey Ar key Oc
 .El
 .It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
 This is a particular case of the previous command.
Index: ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/isakmp_quick.c	2011-03-29 22:18:12.000000000 +0300
+++ ipsec-tools-cvs-HEAD/src/racoon/isakmp_quick.c	2011-03-30 09:23:13.000000000 +0300
@@ -2168,6 +2168,8 @@
 		goto end;
 	}
 
+	ipsecdoi_normalize_id_uldata(idsrc, iddst);
+
 #ifdef ENABLE_HYBRID
 
 	/* clientaddr check : obtain modecfg address */
@@ -2494,6 +2496,7 @@
 	pref = spidx.prefs;
 	spidx.prefs = spidx.prefd;
 	spidx.prefd = pref;
+	spidx_normalize_ulports(&spidx);
 
 	sp_out = getsp_r(&spidx);
 	if (!sp_out) {
Index: ipsec-tools-cvs-HEAD/src/racoon/policy.c
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.c	2011-03-30 08:03:15.000000000 +0300
+++ ipsec-tools-cvs-HEAD/src/racoon/policy.c	2011-03-30 08:05:23.000000000 +0300
@@ -444,6 +444,25 @@
 	return new;
 }
 
+void
+spidx_normalize_ulports(spidx)
+	struct policyindex *spidx;
+{
+	u_int16_t tmp;
+
+	switch (spidx->ul_proto) {
+	case IPPROTO_ICMP:
+	case IPPROTO_ICMPV6:
+	case IPPROTO_GRE:
+		/* Ports are UL specific data, and should not get swapped */
+		tmp = extract_port((struct sockaddr *) &spidx->src);
+		set_port((struct sockaddr *) &spidx->src,
+			 extract_port((struct sockaddr *) &spidx->dst));
+		set_port((struct sockaddr *) &spidx->dst, tmp);
+		break;
+	}
+}
+
 const char *
 spidx2str(spidx)
 	const struct policyindex *spidx;
Index: ipsec-tools-cvs-HEAD/src/racoon/policy.h
===================================================================
--- ipsec-tools-cvs-HEAD.orig/src/racoon/policy.h	2011-03-30 08:15:44.000000000 +0300
+++ ipsec-tools-cvs-HEAD/src/racoon/policy.h	2011-03-30 08:16:21.000000000 +0300
@@ -156,6 +156,7 @@
 extern void flushsp __P((void));
 extern void initsp __P((void));
 extern struct ipsecrequest *newipsecreq __P((void));
+extern void spidx_normalize_ulports __P((struct policyindex *));
 
 extern const char *spidx2str __P((const struct policyindex *));
 #ifdef HAVE_SECCTX