From 1b989dd4c54735ff6dd4b96a58d8302b4787367a Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 31 May 2016 12:22:32 +0200
Subject: [PATCH] ike-rekey: Properly handle situation if the peer did not notice the rekey collision
We conclude the rekeying before deleting the IKE_SA. Waiting for the potential TEMPORARY_FAILURE notify is no good because if that response does not reach us the peer will not retransmit it upon our retransmits of the rekey request if it already deleted the IKE_SA after receiving our response to the delete.
---
 src/libcharon/sa/ikev2/tasks/ike_rekey.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 2d0b8f2940..e99536e2d3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -392,6 +392,17 @@ METHOD(ike_rekey_t, collide, void,
 {
 DBG1(DBG_IKE, "detected %N collision with %N",
 task_type_names, TASK_IKE_REKEY, task_type_names, other->get_type(other));
+ if (other->get_type(other) == TASK_IKE_DELETE)
+ {
+ if (this->collision &&
+ this->collision->get_type(this->collision) == TASK_IKE_REKEY)
+ {
+ DBG1(DBG_IKE, "peer did not notice IKE_SA rekey collision");
+ other->destroy(other);
+ establish_new((private_ike_rekey_t*)this->collision);
+ return;
+ }
+ }
 DESTROY_IF(this->collision);
 this->collision = other;
 }
--
2.47.2
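Review bot: In the new TASK_IKE_DELETE branch, `this->collision` is passed to `establish_new()` and the method returns without clearing it; if `establish_new()` destroys or takes over that task (its body is outside the hunk), the stale pointer would be released a second time when this task is destroyed or when a later collision reaches `DESTROY_IF(this->collision)`. Unless ownership is known to remain with this task, add `this->collision = NULL;` before the `return;`, and say so in a short comment on the `establish_new` call. As a point of style, the outer branch has no body other than the inner check, so the two conditions can be folded into one `if (other->get_type(other) == TASK_IKE_DELETE && this->collision && this->collision->get_type(this->collision) == TASK_IKE_REKEY)`. The `collide` method's signature precedes the hunk.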