From: Xiao Liang Date: Sat, 7 May 2022 12:42:27 +0000 (+0800) Subject: quick-mode: Remove outbound SA/policy of rekeyed CHILD_SA X-Git-Tag: 5.9.7dr1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b742c75ab99cbcf8ea0dcbabff63dd2c505d555;p=thirdparty%2Fstrongswan.git quick-mode: Remove outbound SA/policy of rekeyed CHILD_SA Remove outbound SA and policy of rekeyed CHILD_SA since only one is valid. Otherwise, during update-SA job (when NAT mapping changed), CHILD_SA are updated and installed one by one, leaving a window where old SAs are being used. There are also circumstances where the new SA is not processed last. Closes strongswan/strongswan#1041 --- diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 5e4bf8620b..22bead945f 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -411,6 +411,8 @@ static bool install(private_quick_mode_t *this) /* rekeyed CHILD_SAs stay installed until they expire or are deleted * by the other peer */ old->set_state(old, CHILD_REKEYED); + /* but remove outbound SA as we don't want to use it actively */ + old->remove_outbound(old); /* as initiator we delete the CHILD_SA if configured to do so */ if (this->initiator && this->delete) {
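Review bot: the in-code comment `/* but remove outbound SA as we don't want to use it actively */` understates the reason for the new `old->remove_outbound(old);` call; the commit message gives the real constraint (only one outbound SA/policy is valid, and during an update-SA job after a NAT mapping change the CHILD_SAs are updated one at a time, with the new SA not always processed last), so consider carrying that rationale into the comment so the ordering, set `CHILD_REKEYED` first, then remove the outbound SA, before the initiator-side delete branch, is not undone by a later refactor. It would also help the reader to state in the commit message whether `remove_outbound` is a no-op for a CHILD_SA whose outbound SA was not installed, since this path runs for every rekeyed CHILD_SA.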