ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILED

RFC 5996 compatible implementations MAY send an INFORMATIONAL message
with an AUTHENTICATION_FAILED if the initiator failed to authenticate us.
Handle such a message like a DELETE for an IKE_SA.

diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 5298abf794f1062bb5e5be44ba6695bab794cd5a..839bdb9902a37a462e1f1bcf808d0a36850d7b97 100644 (file)
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -849,6 +849,12 @@ static status_t process_request(private_task_manager_t *this,
                                                                        task = (task_t*)ike_auth_lifetime_create(
                                                                                                                        this->ike_sa, FALSE);
                                                                        break;
+                                                               case AUTHENTICATION_FAILED:
+                                                                       /* initiator failed to authenticate us.
+                                                                        * We use ike_delete to handle this, which
+                                                                        * invokes all the required hooks. */
+                                                                       task = (task_t*)ike_delete_create(
+                                                                                                               this->ike_sa, FALSE);
                                                                default:
                                                                        break;
                                                        }