diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c

--- libreswan-4.3-orig/programs/pluto/connections.c	2021-02-21 12:03:03.000000000 -0500

+++ libreswan-4.3/programs/pluto/connections.c	2021-02-24 16:28:05.608119041 -0500

@@ -2475,9 +2475,8 @@

 			    endpoint_in_selector(local_client, &sr->this.client) &&

 			    endpoint_in_selector(remote_client, &sr->that.client)

 #ifdef HAVE_LABELED_IPSEC

-			    && ((sec_label.ptr == NULL &&

-			      sr->this.sec_label.ptr == NULL) ||

-			     /* don't call with NULL, it confuses it */

+			    && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) ||

+			     hunk_eq(sec_label, sr->this.sec_label) || 

 			     within_range((const char *)sec_label.ptr,

 					  (const char *)sr->this.sec_label.ptr, logger))

 #endif

diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c

--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c	2021-02-21 12:03:03.000000000 -0500

+++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c	2021-02-24 16:28:59.819791102 -0500

@@ -113,7 +113,9 @@

 		return false;

 	}

-	if (!within_range(sec_label.ptr, /* we ensured NUL termination above */

+

+	 if (!hunk_eq(sec_label, c->spd.this.sec_label) &&

+               !within_range(sec_label.ptr, /* we ensured NUL termination above */

 			  (const char *)c->spd.this.sec_label.ptr,  /* we ensured NUL termination earlier? */

 			  st->st_logger)) {

 		LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) {

diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c

--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c	2021-02-21 12:03:03.000000000 -0500

+++ libreswan-4.3/programs/pluto/ikev2_ts.c	2021-02-24 16:30:19.639780631 -0500

@@ -862,7 +862,8 @@

 }

 #ifdef HAVE_LABELED_IPSEC

-static bool score_ends_seclabel(const struct ends *ends,

+static bool score_ends_seclabel(const chunk_t **selected_sec_label,

+				const struct ends *ends,

 				const struct connection *d,

 				const struct traffic_selectors *tsi,

 				const struct traffic_selectors *tsr,

@@ -875,6 +876,10 @@

 	bool match_i = false;

 	bool match_r = false;

+	if (selected_sec_label != NULL) {

+		*selected_sec_label = NULL;

+	}

+

 	for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {

 		const struct traffic_selector *cur = &tsi->ts[tsi_n];

 		if (cur->ts_type == IKEv2_TS_SECLABEL) {

@@ -883,7 +888,8 @@

 				// complain loudly

 				continue;

 			} else {

-				if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {

+				if (hunk_eq(cur->sec_label, d->spd.this.sec_label) ||

+				    within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {

 					match_i = true;

 					dbg("ikev2ts #1: received label within range of our security label");

 				} else {

@@ -902,9 +908,13 @@

 						dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label");

 						continue;

 					} else {

-						if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {

+						if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) ||

+						    within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {

 							dbg("ikev2ts #2: received label within range of our security label");

 							match_r = true;

+							if (selected_sec_label != NULL) {

+								*selected_sec_label = &cur->sec_label;

+							}

 						} else {

 							dbg("ikev2ts #2: received label not within range of our security label");

 							DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label);

@@ -926,7 +936,8 @@

 	return require_label == recv_label_i && match_i && match_r;

 }

 #else

-static bool score_ends_seclabel(const struct ends *ends UNUSED,

+static bool score_ends_seclabel(const chunk_t **selected_sec_label,

+				const struct ends *ends UNUSED,

 				const struct connection *d UNUSED,

 				const struct traffic_selectors *tsi UNUSED,

 				const struct traffic_selectors *tsr UNUSED,

@@ -1030,6 +1041,7 @@

 	struct best_score best_score = NO_SCORE;

 	const struct spd_route *best_spd_route = NULL;

 	struct connection *best_connection = c;

+	const chunk_t *best_sec_label = NULL;

 	/* find best spd in c */

@@ -1042,7 +1054,8 @@

 			.r = &sra->this,

 		};

-		if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) {

+		const chunk_t* selected_sec_label = NULL;

+		if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) {

 			continue;

 		}

@@ -1060,6 +1073,7 @@

 			    score.tsi - tsi.ts, score.tsr - tsr.ts);

 			best_score = score;

 			best_spd_route = sra;

+			best_sec_label = selected_sec_label;

 			passert(best_connection == c);

 		}

 	}

@@ -1143,7 +1157,8 @@

 					? END_NARROWER_THAN_TS

 					: END_EQUALS_TS;

-				if (!score_ends_seclabel(&ends, d, &tsi, &tsr,

+				const chunk_t* selected_sec_label = NULL;

+				if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr,

 					    child->sa.st_logger))

 					continue;

@@ -1159,6 +1174,7 @@

 					best_connection = d;

 					best_score = score;

 					best_spd_route = sr;

+					best_sec_label = selected_sec_label;

 				}

 			}

 		}

@@ -1389,6 +1405,13 @@

 	 */

 	update_state_connection(&child->sa, best_connection);

+	if (best_sec_label != NULL) {

+		if (child->sa.st_seen_sec_label.len != 0) {

+			free_chunk_content(&child->sa.st_seen_sec_label);

+		}

+		child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label");

+	}

+

 	child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label);

 	child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label);

@@ -1424,7 +1447,8 @@

 		? END_WIDER_THAN_TS

 		: END_EQUALS_TS;

-	if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger))

+	const chunk_t *selected_sec_label = NULL;

+	if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger))

 		return false;

 	struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr;;

@@ -1435,6 +1459,13 @@

 		return false;

 	}

+	if (selected_sec_label != NULL) {

+		if (child->sa.st_seen_sec_label.len != 0) {

+			free_chunk_content(&child->sa.st_seen_sec_label);

+		}

+		child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label");

+	}

+

 	/* XXX: check conversions */

 	dbg("initiator saving acceptable TSi response in this");

 	ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this);

@@ -1489,7 +1520,7 @@

 	enum fit fitness = END_NARROWER_THAN_TS;

-	if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs,

+	if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs,

 				 child->sa.st_logger)) {

 		log_state(RC_LOG_SERIOUS, &child->sa,

 			  "rekey: received Traffic Selectors mismatch configured selectors for Security Label");

diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c

--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c	2021-02-21 12:03:03.000000000 -0500

+++ libreswan-4.3/programs/pluto/ikev2_parent.c	2021-03-01 10:31:49.667207958 -0500

@@ -5943,8 +5943,6 @@

 			 * from a policy we gave the kernel, so it _should_ be within our range?

 			 */

 			child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label");

-			c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label");

-			c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label");

 		}

 	} else {