From: Tobias Brunner Date: Tue, 12 Aug 2014 10:05:16 +0000 (+0200) Subject: ike: Reset IKE_SA in state CONNECTING instead of reauthenticating X-Git-Tag: 5.2.1dr1~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34e402ef8da46fdd38715611eb7ad1ea49ea1f40;p=thirdparty%2Fstrongswan.git ike: Reset IKE_SA in state CONNECTING instead of reauthenticating Due to how reauthentication works for IKEv1 we could get a second IKE_SA, which might cause problems, when connectivity problems arise when the connection is initially established. Fixes #670. --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index fddd83c63b..e63e0fa6cd 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -1487,6 +1487,14 @@ METHOD(ike_sa_t, reauth, status_t, { return INVALID_STATE; } + if (this->state == IKE_CONNECTING) + { + DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]", + get_name(this), this->unique_id); + reset(this); + this->task_manager->queue_ike(this->task_manager); + return this->task_manager->initiate(this->task_manager); + } /* we can't reauthenticate as responder when we use EAP or virtual IPs. * If the peer does not support RFC4478, there is no way to keep the * IKE_SA up. */
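Review bot: The new `if (this->state == IKE_CONNECTING)` branch in `reauth()` returns before the code covered by the following comment ("we can't reauthenticate as responder when we use EAP or virtual IPs"), and nothing in the branch checks which role this end has, so an IKE_SA that is still CONNECTING as responder would also be reset and have `queue_ike()` and `initiate()` called on it. If only the initiating side is meant to reinitiate, guard the branch with an initiator check. Otherwise state in a comment that the responder case is intentional. A short code comment above the branch explaining why the SA is reset instead of reauthenticated (the second IKE_SA that IKEv1 reauthentication can create, per the commit message) would also help, since the `DBG0` text "reinitiating IKE_SA" alone does not say why this path exists.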