From ee668ae91edb7e1a8b2fb0de4e2fa5294ad242f9 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 11 Aug 2025 10:26:55 +0200
Subject: [PATCH] controller: Migrate tracked IKE SA in case of redirect during IKE_AUTH
---
 src/libcharon/control/controller.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 4e778ed63d..42a4822bb4 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -393,6 +393,26 @@ METHOD(listener_t, child_state_change_terminate, bool,
 return TRUE;
 }
 
+METHOD(listener_t, ike_reestablish_pre, bool,
+ interface_listener_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ if (old->has_condition(old, COND_REDIRECTED))
+ {
+ /* if we get redirected during IKE_AUTH, we just migrate to the new SA.
+ * we'd have to disable listening for child state changes otherwise (due
+ * to task migration). and if the initiation failed, the initial SA
+ * couldn't be used anyway, so we can also just track the destruction of
+ * of the new one in that case */
+ this->lock->lock(this->lock);
+ if (this->ike_sa == old)
+ {
+ this->ike_sa = new;
+ }
+ this->lock->unlock(this->lock);
+ }
+ return TRUE;
+}
+
 METHOD(job_t, destroy_job, void,
 interface_job_t *this)
 {
@@ -510,6 +530,7 @@ METHOD(controller_t, initiate, status_t,
 .listener = {
 .public = {
 .ike_state_change = _ike_state_change,
+ .ike_reestablish_pre = _ike_reestablish_pre,
 .child_state_change = _child_state_change,
 },
 .logger = {
--
2.47.3
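Review bot: The guard in `ike_reestablish_pre` tests only `COND_REDIRECTED`, while the comment scopes the migration to a redirect during IKE_AUTH; nothing visible in the hunk ties the check to that exchange. If that condition can also be set on an SA redirected in another state, the tracked pointer is swapped there too, so either the comment should say the swap is meant for every redirect or the guard should also check the old SA's state; which applies depends on code outside this patch. The comment has a doubled word across the line break (`destruction of` / `of the new one`). A short why-comment on the locked swap would also help the next reader, for example `/* switch under the lock so concurrent callbacks never see a stale this->ike_sa */`, assuming that is the actual reason.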