ipsec: initialize msgid and allow no dh in child sa
[vpp.git] / src / plugins / ikev2 / ikev2.c
index 090f66c..3b47ee2 100644 (file)
@@ -2575,24 +2575,27 @@ ikev2_set_initiator_proposals (vlib_main_t * vm, ikev2_sa_t * sa,
     }
 
   /* DH */
-  error = 1;
-  vec_foreach (td, km->supported_transforms)
-  {
-    if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
+  if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)
+    {
+      error = 1;
+      vec_foreach (td, km->supported_transforms)
       {
-       vec_add1 (proposal->transforms, *td);
-       if (is_ike)
+       if (td->type == IKEV2_TRANSFORM_TYPE_DH && td->dh_type == ts->dh_type)
          {
-           sa->dh_group = td->dh_type;
+           vec_add1 (proposal->transforms, *td);
+           if (is_ike)
+             {
+               sa->dh_group = td->dh_type;
+             }
+           error = 0;
+           break;
          }
-       error = 0;
-       break;
       }
-  }
-  if (error)
-    {
-      r = clib_error_return (0, "Unsupported algorithm");
-      return r;
+      if (error)
+       {
+         r = clib_error_return (0, "Unsupported algorithm");
+         return r;
+       }
     }
 
   if (!is_ike)
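Review bot: The new guard `if (is_ike || ts->dh_type != IKEV2_TRANSFORM_DH_TYPE_NONE)` skips the DH transform for a Child SA with no comment or log, so a profile whose ESP `dh_type` is NONE derives child keys without a fresh Diffie-Hellman exchange, i.e. without perfect forward secrecy relative to the IKE SA. If an unset `dh_type` in the profile also reads as NONE (not visible in this hunk), no-PFS becomes the silent default rather than an explicit operator choice. I would document the intent at the guard, e.g. `/* DH is mandatory for the IKE SA; a Child SA with DH NONE proposes no DH transform (no PFS) */`. The "Unsupported algorithm" message could also name the DH transform, so a rejected group is easy to tell apart from other failures. ikev2_set_initiator_proposals starts and ends outside the hunk.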
@@ -3057,6 +3060,7 @@ ikev2_initiate_sa_init (vlib_main_t * vm, u8 * name)
     ike0->exchange = IKEV2_EXCHANGE_SA_INIT;
     ike0->ispi = sa.ispi;
     ike0->rspi = 0;
+    ike0->msgid = 0;
 
     /* store whole IKE payload - needed for PSK auth */
     vec_free (sa.last_sa_init_req_packet_data);
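Review bot: `ike0->msgid = 0;` fixes one header field by hand, but the hunk does not show whether the remaining IKE header fields are assigned or whether the buffer is cleared first; any field left unset would go on the wire holding whatever the buffer contained before. If the surrounding code does not already clear the header, zeroing it once before the field assignments, e.g. `clib_memset (ike0, 0, sizeof (*ike0));`, would cover msgid and any similar field in one place. A short comment such as `/* IKE_SA_INIT request always uses Message ID 0 (RFC 7296) */` would record why the value is fixed. ikev2_initiate_sa_init continues outside the hunk.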