ike-sa: Avoid reusing established IKE_SAs that got redirected
authorTobias Brunner <tobias@strongswan.org>
Thu, 7 Aug 2025 09:56:25 +0000 (11:56 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 22 Aug 2025 13:26:59 +0000 (15:26 +0200)
The peer will terminate these IKE_SAs after a while, so we don't want
to reuse them.

src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa_manager.c

index b1e5e368c924943dc10342ba0e8cbd6a88bfd976..319eca02e619bdb86ed6b5dcaa4bb40939f1ae10 100644 (file)
@@ -2341,6 +2341,9 @@ static bool redirect_established(private_ike_sa_t *this, identification_t *to)
        {
                return FALSE;
        }
+       /* mark the SA so it won't get reused even though it's established */
+       set_condition(this, COND_REDIRECTED, TRUE);
+
        new_priv = (private_ike_sa_t*)new;
        new->set_peer_cfg(new, this->peer_cfg);
        new_priv->redirected_from = this->other_host->clone(this->other_host);
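Review bot: The COND_REDIRECTED mark is set on the old SA before any of the work that follows it (peer config, redirected_from, and whatever resolving and initiating the new SA involves), so if a later step in redirect_established() returns FALSE the old SA stays flagged and checkout_by_config() will refuse to hand it out even though it is still an ordinary established SA; this is inferred, since the rest of the function lies outside the hunk. Unless every later failure path also terminates the old SA, consider moving `set_condition(this, COND_REDIRECTED, TRUE);` to just before the successful return, or clearing it on failure. The comment could also say who honors the flag and why it is safe to drop the SA, e.g. `/* mark the SA so checkout_by_config() won't hand it out even though it's established; the peer will delete it once the redirect completes */`.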
index c128cc07872141944c5d78a39f4f0a22e92c9670..fca61ce7c8b2b3fa45244859a99bd8b5c5644a46 100644 (file)
@@ -1563,6 +1563,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
                }
                if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
                        entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED ||
+                       entry->ike_sa->has_condition(entry->ike_sa, COND_REDIRECTED) ||
                        ike_sa_is_delete_queued(entry->ike_sa))
                {       /* skip IKE_SAs which are not usable, wake other waiting threads */
                        entry->condvar->signal(entry->condvar);
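Review bot: Skipping every SA with COND_REDIRECTED assumes the condition is only ever set on an established SA that was redirected away, but the name suggests it may also be set on an initiator SA that was redirected while still connecting and then established at the new gateway (that code is not in this diff); if so, such SAs would now never be reused by checkout_by_config() even though they are fully usable. Worth confirming every place COND_REDIRECTED is set, and either clearing it once a redirected initiator reaches IKE_ESTABLISHED or using a separate marker for the "redirected away, awaiting deletion" case. The comment on the skip branch could also name the new case: `/* skip IKE_SAs which are not usable (deleting, rekeyed, redirected elsewhere), wake other waiting threads */`. checkout_by_config() continues outside the hunk.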