From 24ab8530e5e6ec209aff5292026b7d1e84d5ccab Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 18 Dec 2015 15:23:30 +0100
Subject: [PATCH] ikev1: Always enable charon.reuse_ikesa

With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later. Fixes #1236.
---
 conf/options/charon.opt | 2 +-
 src/libcharon/sa/ike_sa_manager.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 816f3250c4..a4e03d4af3 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -283,7 +283,7 @@ charon.retry_initiate_interval = 0
 	resolution failed), 0 to disable retries.
 
 charon.reuse_ikesa = yes
-	Initiate CHILD_SA within existing IKE_SAs.
+	Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
 
 charon.routing_table
 	Numerical routing table to install routes to.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 3d15009099..908ce81915 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1384,8 +1384,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 	DBG2(DBG_MGR, "checkout IKE_SA by config");
 
-	if (!this->reuse_ikesa)
-	{	/* IKE_SA reuse disable by config */
+	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 		charon->bus->set_sa(charon->bus, ike_sa);
 		return ike_sa;
-- 
2.39.5
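Review bot: The new comment `/* IKE_SA reuse disabled by config (not possible for IKEv1) */` on the brace line records that reuse_ikesa is overridden for IKEv1 but not why, and the reason in the commit message is exactly what the next maintainer who sees the option being ignored will need; I would extend it to `/* IKE_SA reuse disabled by config; forced on for IKEv1, as a fresh IKE_SA would be taken by the responder as a reauthentication that adopts the CHILD_SAs, breaking later rekeying */`. The condition also calls `peer_cfg->get_ike_version(peer_cfg)` once in the `if` and again in the `checkout_new` argument on the next line; hoisting it into a local, `ike_version_t version = peer_cfg->get_ike_version(peer_cfg);` (the return type of get_ike_version as I recall it in this codebase) before `if (!this->reuse_ikesa && version != IKEV1)` and `ike_sa = checkout_new(this, version, TRUE);`, evaluates it once and makes the IKEv1 special case easier to read. checkout_by_config begins before this hunk and its remaining search-and-reuse path continues after it, so the reuse behaviour the IKEv1 branch now always falls through to is not visible here.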