ike-rekey: Respond with TEMPORARY_FAILURE while reauthenticating
authorTobias Brunner <tobias@strongswan.org>
Tue, 29 Jun 2021 13:50:43 +0000 (15:50 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 24 Aug 2021 12:31:55 +0000 (14:31 +0200)
This could lead to duplicates as the new IKE_SA can't delete the old one
once reauthentication is complete if it was replaced by a rekeying.

src/libcharon/sa/ikev2/tasks/ike_rekey.c

index c12876bfe4f0f893378f5dc015cbd7dbcb63e03d..a74e2f7cd7c762017ffbacb1e5a919a7d043f201 100644 (file)
@@ -231,6 +231,12 @@ METHOD(task_t, process_r, status_t,
                this->failed_temporarily = TRUE;
                return NEED_MORE;
        }
+       if (this->ike_sa->has_condition(this->ike_sa, COND_REAUTHENTICATING))
+       {
+               DBG1(DBG_IKE, "peer initiated rekeying, but we are reauthenticating");
+               this->failed_temporarily = TRUE;
+               return NEED_MORE;
+       }
        if (have_half_open_children(this))
        {
                DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
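Review bot: The new `COND_REAUTHENTICATING` guard in process_r has no comment, so the reason for refusing the peer's rekeying is recorded only in the commit message; a comment above the `if` would keep it with the code, for example `/* a rekeyed IKE_SA can't be deleted by the new SA once reauthentication completes, which would leave duplicates */`. The guard also makes the peer's ability to rekey depend on that condition being cleared again. If a reauthentication that fails or stalls left it set, every rekey request would presumably be answered with a temporary failure until the SA expires, and where the condition is reset is not visible in this hunk. process_r starts before the hunk and continues past it.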