ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth
authorMartin Willi <martin@revosec.ch>
Wed, 11 Mar 2015 13:41:37 +0000 (14:41 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 11 Mar 2015 13:48:08 +0000 (14:48 +0100)
We are actually not in rekeying state, but just trigger a separate, new IKE_SA
as a replacement for the current IKE_SA. Switching to the REKEYING state
disables the invocation of both IKE and CHILD_SA updown hooks as initiator,
preventing the removal of any firewall rules.

Fixes #885.

src/libcharon/sa/ikev2/task_manager_v2.c

index 540d4dc836719483062c19e4ec1d0c80ab16c171..298167703cbf5c914c964aa3e172e7a910d4cf3b 100644 (file)
@@ -1573,7 +1573,6 @@ static void trigger_mbb_reauth(private_task_manager_t *this)
                new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
                                                                                this->ike_sa->get_id(this->ike_sa)));
                charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
-               this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
        }
        else
        {