From: Tobias Brunner Date: Mon, 22 Aug 2016 10:26:05 +0000 (+0200) Subject: ikev1: Send DELETE for rekeyed IKE_SAs X-Git-Tag: 5.5.1rc1~15^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ebc6445de8abfd719ab41b447bc9bc6e4c5c1ada;p=thirdparty%2Fstrongswan.git ikev1: Send DELETE for rekeyed IKE_SAs If we silently delete the IKE_SA the other peer might still use it even if only to send DPDs. If we don't answer to DPDs that might result in the deletion of the new IKE_SA too.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index ceeafcbb84..7b87918d36 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1781,16 +1781,12 @@ METHOD(ike_sa_t, delete_, status_t,
 {
 switch (this->state)
 {
- case IKE_REKEYING:
- if (this->version == IKEV1)
- { /* SA has been reauthenticated, delete */
- charon->bus->ike_updown(charon->bus, &this->public, FALSE);
- break;
- }
- /* FALL */
 case IKE_ESTABLISHED:
- if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
- { /* IKE_SA hard lifetime hit */
+ case IKE_REKEYING:
+ if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
+ !(this->version == IKEV1 && this->state == IKE_REKEYING))
+ { /* IKE_SA hard lifetime hit, ignored for reauthenticated
+ * IKEv1 SAs */
 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
 }
 this->task_manager->queue_ike_delete(this->task_manager);
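Review bot: The reauthenticated-IKEv1 branch used to call `charon->bus->ike_updown(charon->bus, &this->public, FALSE)` itself, and the merged `case IKE_ESTABLISHED:` / `case IKE_REKEYING:` path no longer does, so the down event for a rekeyed IKEv1 SA now depends entirely on what `queue_ike_delete()` ends up running. That code is not visible here, and `delete_` itself continues past the last line of the hunk, so this may already be covered. If it is, a comment beside the queue call such as `/* ike_updown(FALSE) for reauthenticated IKEv1 SAs is raised by the queued delete task */` would record the dependency. If it is not, bus listeners that track SA teardown would stop seeing the event for these SAs and the call needs to be restored on this path.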