From: Thomas Egerer <thomas.egerer@secunet.com>
Date: Thu, 9 Oct 2014 09:15:07 +0000 (+0200)
Subject: ikev1: Don't inherit children if INITITAL_CONTACT was seen
X-Git-Tag: 5.2.2dr1~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1201ddcbc5dda4849524f08a0923071d1b15b387;p=thirdparty%2Fstrongswan.git

ikev1: Don't inherit children if INITITAL_CONTACT was seen

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
---

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index bdabc59b5a..144cd7d3f9 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1783,7 +1783,10 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
 	if (is_ikev1_reauth(duplicate, host))
 	{
 		/* looks like a reauthentication attempt */
-		adopt_children(duplicate, new);
+		if (!new->has_condition(new, COND_INIT_CONTACT_SEEN))
+		{
+			adopt_children(duplicate, new);
+		}
 		/* For IKEv1 we have to delay the delete for the old IKE_SA. Some
 		 * peers need to complete the new SA first, otherwise the quick modes
 		 * might get lost. */