enumerator->destroy(enumerator);
}
+/**
+ * Check if the replaced IKE_SA might get reauthenticated from host
+ */
+static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host)
+{
+ return duplicate->get_version(duplicate) == IKEV1 &&
+ host->equals(host, duplicate->get_other_host(duplicate));
+}
+
/**
* Delete an existing IKE_SA due to a unique replace policy
*/
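Review bot: The doc comment on `is_ikev1_reauth` does not say what the function tests or which host `host` refers to. As written it returns true for any IKEv1 duplicate whose remote host equals `host`, which is a heuristic, not proof that the peer is reauthenticating. Since the uniqueness policy now depends on it at both call sites, I would state that in the comment, e.g. `Heuristic: an IKEv1 duplicate whose remote host equals host is assumed to be a reauthentication by the same peer`. A `@param host` line would help too; from the call sites it appears to be the remote host of the new IKE_SA.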
{
charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
- if (duplicate->get_version(duplicate) == IKEV1 &&
- host->equals(host, duplicate->get_other_host(duplicate)))
+ if (is_ikev1_reauth(duplicate, host))
{
/* looks like a reauthentication attempt */
adopt_children(duplicate, new);
other, other_host);
break;
case UNIQUE_KEEP:
- cancel = TRUE;
- /* we keep the first IKE_SA and delete all
- * other duplicates that might exist */
- policy = UNIQUE_REPLACE;
+ if (!is_ikev1_reauth(duplicate, other_host))
+ {
+ cancel = TRUE;
+ /* we keep the first IKE_SA and delete all
+ * other duplicates that might exist */
+ policy = UNIQUE_REPLACE;
+ }
break;
default:
break;
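Review bot: In the `UNIQUE_KEEP` case, when `is_ikev1_reauth(duplicate, other_host)` is true the branch sets neither `cancel` nor `policy`, and nothing in the visible lines explains or records that the keep policy was skipped. The exemption rests only on the IKE version and host equality, so any IKEv1 peer presenting the same identity from the same host is let through under a policy meant to reject duplicates. That trade-off should be stated in the code. I would add an `else` branch with a comment such as `/* potential IKEv1 reauthentication from the same host: do not cancel, the old IKE_SA is left in place */`, plus a log line so operators can see when this happens. The enclosing switch and function continue outside the hunk, so whether the old IKE_SA is cleaned up later cannot be confirmed from here.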