From: Tobias Brunner Date: Thu, 16 Mar 2023 14:57:53 +0000 (+0100) Subject: ha: Enable optimized rekeying for CHILD_SAs with synced KE method X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d08bd9e3d6cda6e7043e58be7a647c0fdd1887ec;p=thirdparty%2Fstrongswan.git ha: Enable optimized rekeying for CHILD_SAs with synced KE method This avoids having to explicitly sync if optimized rekeying can be used for a CHILD_SA i.e. whether it was created with IKE_AUTH or with a separate CREATE_CHILD_SA exchange (from scratch or rekeyed). If a key exchange method was synced, we definitely know the latter is the case.
---
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index 0f497f8427..ed61110923 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -767,6 +767,9 @@ static void process_child_add(private_ha_dispatcher_t *this,
 if (dh_grp)
 {
 proposal->add_algorithm(proposal, KEY_EXCHANGE_METHOD, dh_grp, 0);
+ /* enable this only for SAs that we definitely know were rekeyed or
+ * created with a CREATE_CHILD_SA exchange */
+ child_sa->set_optimized_rekey(child_sa, TRUE);
 }
 proposal->add_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, esn, 0);
 if (secret.len)
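Review bot: The new comment above `child_sa->set_optimized_rekey(child_sa, TRUE)` says when the flag is enabled but not what happens when no KE method was synced, and a CHILD_SA negotiated via CREATE_CHILD_SA without a KE method would also land in that case. `dh_grp` is presumably filled from the HA sync message earlier in `process_child_add()`, outside this hunk, so the passive node's rekey behaviour now depends on that one attribute. I would extend the comment with the fallback, e.g. `/* without a synced KE method the SA's origin is unknown, so optimized rekeying is left at its default */`. That records that a missing or zero attribute degrades to the conservative path instead of enabling the optimization. The function starts and ends outside the hunk, so the flag's default on a fresh `child_sa` cannot be confirmed from here.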