From: Tobias Brunner Date: Tue, 12 May 2015 14:59:20 +0000 (+0200) Subject: ikev1: When a reauth is detected explicitly delete the old IKE_SA X-Git-Tag: 5.3.1rc1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4112ebad4a4f2e247896dcb3ed2416b69df95051;p=thirdparty%2Fstrongswan.git ikev1: When a reauth is detected explicitly delete the old IKE_SA Instead of just implicitly destroying the old SA we properly delete it to notify the other peer (if the other peer keeps the SA up after the reauthentication and sends DPDs it might consider us dead even though the new SA is up, that seems to be the case with racoon). We delay the DELETE a bit to give the other peer time to get the new SA fully established. Since DELETE messages are not retransmitted it is still possible that the other peer misses that we deleted the SA. --- diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index 9ad4b73041..b4f135a57f 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -21,6 +21,7 @@ #include #include #include +#include typedef struct private_adopt_children_job_t private_adopt_children_job_t; @@ -133,10 +134,19 @@ METHOD(job_t, execute, job_requeue_t, "adopting %d children and %d virtual IPs", children->get_count(children), vips->get_count(vips)); } - ike_sa->set_state(ike_sa, IKE_DELETING); - charon->bus->ike_updown(charon->bus, ike_sa, FALSE); - charon->ike_sa_manager->checkin_and_destroy( + if (ike_sa->get_state(ike_sa) == IKE_PASSIVE) + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + else + { + lib->scheduler->schedule_job(lib->scheduler, (job_t*) + delete_ike_sa_job_create(ike_sa->get_id(ike_sa), + TRUE), 10); + charon->ike_sa_manager->checkin( charon->ike_sa_manager, ike_sa); + } } else {
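Review bot: in the non-passive branch of the new if/else in execute() (the one that calls `delete_ike_sa_job_create(ike_sa->get_id(ike_sa), TRUE)` with a delay of 10), the old IKE_SA is checked back in without the `ike_sa->set_state(ike_sa, IKE_DELETING)` that the removed lines applied, so during those seconds it keeps its previous state and can still be checked out and matched by other lookups even though all of its CHILD_SAs and virtual IPs have just been moved to the new SA; consider keeping a state change or another marker so nothing else picks the old SA up in that window. The removed `charon->bus->ike_updown(charon->bus, ike_sa, FALSE)` is now absent from both branches: the IKE_PASSIVE path calls checkin_and_destroy with no updown notification at all, and the other path relies on the scheduled job to send the DELETE and raise the event, so a short comment stating that expectation would make the dependency explicit and easier to verify. Finally, the bare `TRUE` argument and the literal `10` deserve names (a comment on what the boolean selects and a #define or strongswan.conf setting for the delay), since the commit message only describes the delay as "a bit" and the value will otherwise be hard to find and tune later.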