From: Tobias Brunner Date: Tue, 15 Apr 2014 14:00:47 +0000 (+0200) Subject: ikev2: Fix reauthentication if peer assigns a different virtual IP X-Git-Tag: 5.2.0dr2~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4469e3d0507ad869488d3e7524a061e18fb3ee21;p=thirdparty%2Fstrongswan.git ikev2: Fix reauthentication if peer assigns a different virtual IP Before this change a reqid set on the create_child_t task was used as indicator of the CHILD_SA being rekeyed. Only if that was not the case would the local traffic selector be changed to 0.0.0.0/0|::/0 (as we don't know which virtual IP the gateway will eventually assign). On the other hand, in case of a rekeying the VIP is expected to remain the same, so the local TS would simply equal the VIP. Since c949a4d5016e33c5 reauthenticated CHILD_SAs also have the reqid set. Which meant that the local TS would contain the previously assigned VIP, basically rendering the gateway unable to assign a different VIP to the client as the resulting TS would not match the client's proposal anymore. Fixes #553. --- diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index df7bc96d66..e0ade07b27 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -950,7 +950,7 @@ METHOD(task_t, build_i, status_t, /* check if we want a virtual IP, but don't have one */ list = linked_list_create(); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (!this->reqid) + if (!this->rekey) { enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg); while (enumerator->enumerate(enumerator, &vip))
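Review bot: the new condition `if (!this->rekey)` in build_i only fixes #553 if the task's rekey flag is set for genuine CHILD_SA rekeyings and left clear for reauthentication; the hunk does not show where that flag is assigned, so this should be checked against the task constructor, since a reauthenticated task with rekey set would still pin the local TS to the previously assigned VIP and the bug would persist. Since the commit message explains that reqid is no longer a usable rekey indicator after c949a4d5016e33c5, a short comment next to the check (for example "reqid is also set on reauthentication, so use the explicit rekey flag") would save the next reader from reintroducing the old test. On the behaviour side, note that with this change a reauthenticating initiator proposes 0.0.0.0/0|::/0 as its local TS and relies entirely on the gateway narrowing it to the assigned VIP, so the responder-side narrowing is what keeps the installed policy tight.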