When serving as a responder and receiving an INFORMATIONAL exchange
containing INVALID_SYNTAX after IKE_AUTH, the IKE_SA should be deleted.
Currently, it only gets deleted after receiving AUTHENTICATION_FAILED.
RFC7296 section 2.21.2 says:
In an IKE_AUTH exchange, or in the INFORMATIONAL exchange immediately
following it (in case an error happened when processing a response to
IKE_AUTH), the UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, and
AUTHENTICATION_FAILED notifications are the only ones to cause the
IKE SA to be deleted or not created, without a Delete payload.
Closes strongswan/strongswan#2636
task = (task_t*)ike_auth_lifetime_create(
this->ike_sa, FALSE);
break;
+ case INVALID_SYNTAX:
case AUTHENTICATION_FAILED:
- /* initiator failed to authenticate us.
- * We use ike_delete to handle this, which
- * invokes all the required hooks. */
+ /* initiator failed to authenticate us or
+ * parse our response. we use ike_delete to
+ * handle this, which invokes all the
+ * required hooks */
task = (task_t*)ike_delete_create(
this->ike_sa, FALSE);
break;
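Review bot: The RFC 7296 text quoted in the commit message lists three notifications that delete the IKE SA without a Delete payload (UNSUPPORTED_CRITICAL_PAYLOAD, INVALID_SYNTAX, AUTHENTICATION_FAILED), but the new `case INVALID_SYNTAX:` only adds the second; please state in the commit message or comment whether UNSUPPORTED_CRITICAL_PAYLOAD is handled elsewhere or deliberately left out. The quoted scope is also limited to "the INFORMATIONAL exchange immediately following" IKE_AUTH, and the visible lines show no check that this switch is only reached in that window, so confirm the surrounding code already restricts it (otherwise an INVALID_SYNTAX received later would now tear down an established SA through this path) and consider naming the RFC section in the updated comment, e.g. `/* RFC 7296 2.21.2: initiator failed to authenticate us or`.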