From 3a9120373ddd5275bce837684833726a21dd79ab Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 7 Aug 2025 11:56:25 +0200
Subject: [PATCH] ike-sa: Avoid reusing established IKE_SAs that got redirected

These will get terminated by the peer after a while. So we don't want to reuse them.
---
 src/libcharon/sa/ike_sa.c | 3 +++
 src/libcharon/sa/ike_sa_manager.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index b1e5e368c9..319eca02e6 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2341,6 +2341,9 @@ static bool redirect_established(private_ike_sa_t *this, identification_t *to)
 	{
 		return FALSE;
 	}
+	/* mark the SA so it won't get reused even though it's established */
+	set_condition(this, COND_REDIRECTED, TRUE);
+
 	new_priv = (private_ike_sa_t*)new;
 	new->set_peer_cfg(new, this->peer_cfg);
 	new_priv->redirected_from = this->other_host->clone(this->other_host);
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c128cc0787..fca61ce7c8 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1563,6 +1563,7 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 		}
 		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
 			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED ||
+			entry->ike_sa->has_condition(entry->ike_sa, COND_REDIRECTED) ||
 			ike_sa_is_delete_queued(entry->ike_sa))
 		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
 			entry->condvar->signal(entry->condvar);
-- 
2.47.3
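Review bot: The new `set_condition(this, COND_REDIRECTED, TRUE)` makes this condition the manager's reuse gate, but the added comment only says the SA "won't get reused" and does not say that the flag is permanent or who is expected to tear the SA down; suggest `/* flag the old SA as redirected: checkout_by_config() must not hand it out for new CHILD_SAs, the peer is expected to delete it */`, and the same sentence where COND_REDIRECTED is declared. redirect_established continues past the hunk; if the conditions of `this` are copied to `new` further down, the replacement SA would inherit the flag and become unusable as well, which is worth confirming. Setting the flag before the remaining setup of `new` also means a failure later in the function leaves the old, still established SA flagged; that seems acceptable if the peer deletes it anyway, but the comment should say so rather than leave it implicit.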
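Review bot: The usability predicate in checkout_by_config is now four terms spread over two `get_state()` calls, a `has_condition()` and `ike_sa_is_delete_queued()`; a small file-local helper next to `ike_sa_is_delete_queued()` (if that is a static in this file) would keep the "not usable" rule in one place and make the existing `/* skip IKE_SAs which are not usable ... */` comment literal. It would also make it straightforward to apply the same rule to any other checkout path that reuses established SAs, should one exist — only checkout_by_config is changed here. The enclosing loop and the enumerator yielding `entry` start outside the hunk.
```c
/* TRUE if an IKE_SA may still be handed out for reuse by checkout_by_config() */
static bool ike_sa_is_usable(ike_sa_t *ike_sa)
{
	return ike_sa->get_state(ike_sa) != IKE_DELETING &&
		   ike_sa->get_state(ike_sa) != IKE_REKEYED &&
		   !ike_sa->has_condition(ike_sa, COND_REDIRECTED) &&
		   !ike_sa_is_delete_queued(ike_sa);
}

/* … unchanged: checkout_by_config up to the entry check … */
		if (!ike_sa_is_usable(entry->ike_sa))
		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
```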