From: Tobias Brunner
Date: Wed, 5 Dec 2018 11:24:55 +0000 (+0100)
Subject: ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth
X-Git-Tag: 5.7.2dr4~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10f8834bf927f3cf880359995c8a11bac7fc45c9;p=thirdparty%2Fstrongswan.git

ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth

Fixes: 745714307256 ("During reauthentication reestablish IKE_SA even if deleting the old one fails.")
Fixes #2847.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a4ad866d3a..27b0c337f7 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2404,7 +2404,9 @@ METHOD(ike_sa_t, retransmit, status_t,
 }
 case IKE_DELETING:
 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
- if (has_condition(this, COND_REAUTHENTICATING))
+ if (has_condition(this, COND_REAUTHENTICATING) &&
+ !lib->settings->get_bool(lib->settings,
+ "%s.make_before_break", FALSE, lib->ns))
 {
 DBG1(DBG_IKE, "delete during reauthentication failed, "
 "trying to reestablish IKE_SA anyway");
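Review bot: The added condition in the `IKE_DELETING` case reads the global `%s.make_before_break` setting at the moment the delete times out, not whether this IKE_SA's reauthentication actually ran make-before-break. If the reauth path made that decision earlier (for example from a value cached when the SA was set up, which is not visible in this hunk), a settings reload in between could make the two disagree. The outcome would then be either a duplicate IKE_SA or no re-establishment at all, which means a dropped tunnel until something else triggers a reconnect. Consider recording the decision on the SA when reauthentication starts and testing that here, or at least add a comment above the `if` such as `/* with make-before-break the new IKE_SA is already established, so don't recreate it */`. The enclosing `retransmit` method starts and ends outside the hunk.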