Remove outbound SA and policy of rekeyed CHILD_SA since only one is valid.
Otherwise, during update-SA job (when NAT mapping changed), CHILD_SAs are
updated and installed one by one, leaving a window where old SAs are being
used. There are also circumstances where the new SA is not processed last.
Closes strongswan/strongswan#1041
/* rekeyed CHILD_SAs stay installed until they expire or are deleted
* by the other peer */
old->set_state(old, CHILD_REKEYED);
+ /* but remove outbound SA as we don't want to use it actively */
+ old->remove_outbound(old);
/* as initiator we delete the CHILD_SA if configured to do so */
if (this->initiator && this->delete)
{
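Review bot: the context comment above `old->set_state(old, CHILD_REKEYED);` still says rekeyed CHILD_SAs "stay installed until they expire or are deleted by the other peer", which after the added `old->remove_outbound(old);` holds only for the inbound side. Reword it to say the inbound SA stays installed, so the two adjacent comments do not contradict each other. The new comment also mentions only the outbound SA, while the commit message says the outbound policy is removed as well; either mention the policy in the comment or confirm that `remove_outbound()` covers both. Since the call is unconditional here, it is also worth confirming that the replacement CHILD_SA's outbound SA is already installed whenever this path is reached; otherwise the change trades the stale-SA window for one with no outbound SA at all.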