From: Martin Willi Date: Wed, 11 Mar 2015 13:41:37 +0000 (+0100) Subject: ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth X-Git-Tag: 5.3.0dr1~7 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=799f4c5db942b6a1cc92e0f6cc0f01f591695309;p=thirdparty%2Fstrongswan.git ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth We are actually not in rekeying state, but just trigger a separate, new IKE_SA as a replacement for the current IKE_SA. Switching to the REKEYING state disables the invocation of both IKE and CHILD_SA updown hooks as initiator, preventing the removal of any firewall rules. Fixes #885. --- diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 540d4dc836..298167703c 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1573,7 +1573,6 @@ static void trigger_mbb_reauth(private_task_manager_t *this) new->queue_task(new, (task_t*)ike_reauth_complete_create(new, this->ike_sa->get_id(this->ike_sa))); charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); - this->ike_sa->set_state(this->ike_sa, IKE_REKEYING); } else {
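Review bot: In trigger_mbb_reauth(), once the `this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);` line after `checkin()` is removed, nothing in the visible lines marks the old IKE_SA as having a replacement in flight. Please confirm that no other code relied on the REKEYING state set here to suppress a second make-before-break reauth trigger on the same IKE_SA, because this hunk shows no replacement guard. A short comment at that spot would also help, saying that the state is intentionally left unchanged so the IKE and CHILD_SA updown hooks still run as initiator and the firewall rules get removed. Without it, a later cleanup could reintroduce the call and bring back the stale-rule behaviour from #885. A regression test asserting that the updown hook fires when the old IKE_SA is deleted after reauth would pin this down.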