From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 1 Jul 2020 11:49:58 +0000 (+0200)
Subject: vici: With start_action=start, terminate IKE_SA without children on unload
X-Git-Tag: 5.9.0rc1~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=feda4a3d37728bc84f12a95f86f034cf835e6919;p=thirdparty%2Fstrongswan.git

vici: With start_action=start, terminate IKE_SA without children on unload

This includes IKE_SAs in CONNECTING state, which not yet have any
CHILD_SAs.

Closes strongswan/strongswan#175.
---

diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 3ce1e36192..1eb7a24cd6 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2202,9 +2202,9 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 				}
 				children->destroy(children);
 
-				if (id && !others)
+				if (!ike_sa->get_child_count(ike_sa) || (id && !others))
 				{
-					/* found matching children only, delete full IKE_SA */
+					/* found no children or only matching, delete IKE_SA */
 					id = ike_sa->get_unique_id(ike_sa);
 					array_insert_create_value(&ikeids, sizeof(id),
 											  ARRAY_TAIL, &id);