git.ipfire.org Git - thirdparty/strongswan.git/commit

author	Martin Willi <martin@revosec.ch>
	Fri, 22 Nov 2013 08:54:43 +0000 (09:54 +0100)
committer	Martin Willi <martin@revosec.ch>
	Fri, 16 May 2014 15:08:07 +0000 (17:08 +0200)
commit	03f572282a87f9d03eb3daf6ddde9ee16df17164
tree	9254303569ee829afea6cac7f9920f310212ba59	tree
parent	2145f0c212d6e804125c615978fd22f3829e8839	commit \| diff

ikev2: Detect and delete duplicate CHILD_SAs under the same IKE_SA

If both peers initiate the connection simultaneously, this might end up in
duplicate CHILD_SAs. In most situations, these get rejected since we now
reject identical policies having the same reqid in the kernel. However, this
doesn't work in all cases, for example when using static reqids for a
connection.

We defer duplicate detection until SA installation. We don't know how the final
TS looks like before then, and creating multiple CHILD_SAs from a single
configuration is feasible in some configurations.

WIP: Can we somehow avoid the race condition when both peers actually initiate
a colliding exchange?

req1 -->
                                           <-- req2
recv req2 & install SA 2 <--
                                           --> recv req1 & install SA 1
send resp2 -->
                                           <-- send resp1
recv resp1 & replace SA2 with 1 <--
                                           --> recv resp2 & replace SA1 with 2