From: Martin Willi Date: Fri, 17 May 2013 08:30:13 +0000 (+0200) Subject: ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILED X-Git-Tag: 5.1.0dr1~123^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca74bf7a06d0ecc87f7e0d5704714b487fed0abd;p=thirdparty%2Fstrongswan.git ikev2: close an established IKE_SA when receiving AUTHENTICATION_FAILED RFC 5996 compatible implementations MAY send an INFORMATIONAL message with an AUTHENTICATION_FAILED if the initiator failed to authenticate us. Handle such a message like a DELETE for an IKE_SA. --- diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 5298abf794..839bdb9902 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -849,6 +849,12 @@ static status_t process_request(private_task_manager_t *this, task = (task_t*)ike_auth_lifetime_create( this->ike_sa, FALSE); break; + case AUTHENTICATION_FAILED: + /* initiator failed to authenticate us. + * We use ike_delete to handle this, which + * invokes all the required hooks. */ + task = (task_t*)ike_delete_create( + this->ike_sa, FALSE); default: break; }
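Review bot: the new "case AUTHENTICATION_FAILED:" in process_request() has no "break;" after the ike_delete_create() call, so it falls through into "default:". The behaviour is unaffected today because "default:" only breaks, but the preceding ike_auth_lifetime_create() case ends with an explicit "break;", and any case later inserted between these two labels would silently run for AUTHENTICATION_FAILED as well. Suggest adding "break;" after "this->ike_sa, FALSE);" to match the surrounding cases. Since this notify now tears down an established IKE_SA, the comment could also state that it is handled the same way as a DELETE, as the commit message does, so the intent is clear at the call site.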