authorErmal <eri@pfsense.org>2012-10-05 19:41:12 +0000
committerErmal <eri@pfsense.org>2012-10-05 19:41:12 +0000
commitf3c338b3b3217618e91c843068f28307ffb2ab4c (patch)
treefae422b76fd01bbc7bccda2928d0e5feee46be9a /etc
parent909890c4f09623cfbb1b5f8ff933cd1b4ebeadd9 (diff)
This should fix ipsec status for natted tunnel(s).
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/ipsec.inc11
1 files changed, 8 insertions, 3 deletions
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index cf2caa2..52037ea 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -329,12 +329,17 @@ function ipsec_phase2_status(& $spd,& $sad,& $ph1ent,& $ph2ent) {
$rmt_ip = ipsec_get_phase1_dst($ph1ent);
$loc_id = ipsec_idinfo_to_cidr($ph2ent['localid'],true);
+ if (!empty($ph2ent['natlocalid']))
+ $natloc_id = ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true);
$rmt_id = ipsec_idinfo_to_cidr($ph2ent['remoteid'],true);
/* check for established SA in both directions */
- if( ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id) &&
- ipsec_lookup_ipsec_sa($spd,$sad,"in",$rmt_ip,$loc_ip,$rmt_id,$loc_id))
- return true;
+ if( ipsec_lookup_ipsec_sa($spd,$sad,"out",$loc_ip,$rmt_ip,$loc_id,$rmt_id)) {
+ if (empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"in",$rmt_ip,$loc_ip,$rmt_id,$loc_id))
+ return true;
+ else if (!empty($ph2ent['natlocalid']) && ipsec_lookup_ipsec_sa($spd,$sad,"in",$rmt_ip,$loc_ip,$rmt_id,$natloc_id))
+ return true;
+ }
return false;
}
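Review bot: The NAT case is tested three separate times with `empty($ph2ent['natlocalid'])`, and `$natloc_id` is assigned on only one path, so a later edit to any one of those conditions can leave it undefined in the inbound lookup. Choosing the inbound identifier once, `$in_loc_id = empty($ph2ent['natlocalid']) ? $loc_id : ipsec_idinfo_to_cidr($ph2ent['natlocalid'],true);`, lets the original two-call `if` stay as it was, with `$in_loc_id` as the last argument of the "in" lookup. A short comment such as `/* inbound SA is matched against the NAT local id when one is configured; outbound keeps the real local id */` would record why the two directions differ; that asymmetry presumably mirrors how the policies are installed and is worth confirming, since a wrong match here misreports tunnel state to whoever monitors it. The start of ipsec_phase2_status lies outside this hunk, so `$loc_ip` and any earlier checks are not visible here.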