If the peer successfully rekeyed the SA, it gets marked as IKE_REKEYED
and it remains so until the peer deletes it (or a timeout). There is no
point in rekeying such SAs again.
IKE_REKEYING will be relevant if we have multi-KE rekeyings and are
waiting for follow-up key exchanges for a passive rekeying.
/* create new SA only on first try */
if (!this->new_sa)
{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
+ {
+ /* ignore SAs that have or are currently being rekeyed passively */
+ message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+ return SUCCESS;
+ }
+
version = this->ike_sa->get_version(this->ike_sa);
this->new_sa = charon->ike_sa_manager->create_new(
charon->ike_sa_manager, version, TRUE);
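Review bot: the early `return SUCCESS` in the new `IKE_REKEYING` branch finishes this active rekey task for good, but the commit message says that state only means a passive multi-KE rekeying is still waiting for follow-up exchanges; if that passive rekeying never completes and the SA drops back to its previous state, nothing in this hunk re-arms an active rekeying, so either the inline comment should say that the next scheduled rekey event is relied upon for that, or the task should be deferred rather than completed in the `IKE_REKEYING` case. The inline comment "ignore SAs that have or are currently being rekeyed passively" would also benefit from mentioning the multi-KE case explicitly, since that is the only reason `IKE_REKEYING` is checked here. Minor style point: `this->ike_sa->get_state(this->ike_sa)` is evaluated twice in the condition; storing it once in a local `ike_sa_state_t state` and testing `state == IKE_REKEYING || state == IKE_REKEYED` reads better.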