If we find a redundant CHILD_SA (the peer probably rekeyed the SA before
us) we might not want to delete the old SA because the peer might still
use it (same applies to old CHILD_SAs after rekeyings). So only delete
them if configured to do so.
Fixes #2358.
if (is_redundant(this, child_sa))
{
child_sa->set_state(child_sa, CHILD_REKEYED);
- queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
+ if (lib->settings->get_bool(lib->settings, "%s.delete_rekeyed",
+ FALSE, lib->ns))
+ {
+ queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
protocol, spi, FALSE, FALSE));
+ }
}
else
{
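Review bot: The new `delete_rekeyed` setting defaults to FALSE, so this hunk changes the existing behaviour for every deployment that does not set it: a redundant CHILD_SA is now marked CHILD_REKEYED but no quick_delete task is queued, leaving the old SA installed until the peer deletes it or its lifetime expires. That default change and the new `%s.delete_rekeyed` option should be documented (strongswan.conf option reference and the commit message), and it is worth confirming that the rekeyed SA still reaches the normal expiry path when the peer never sends a delete, so the CHILD_REKEYED state does not become a long-lived leftover of installed keys.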