From 3b742c75ab99cbcf8ea0dcbabff63dd2c505d555 Mon Sep 17 00:00:00 2001
From: Xiao Liang
Date: Sat, 7 May 2022 20:42:27 +0800
Subject: [PATCH] quick-mode: Remove outbound SA/policy of rekeyed CHILD_SA
Remove outbound SA and policy of rekeyed CHILD_SA since only one is valid. Otherwise, during update-SA job (when NAT mapping changed), CHILD_SA are updated and installed one by one, leaving a window where old SAs are being used. There are also circumstances where the new SA is not processed last.
Closes strongswan/strongswan#1041
---
 src/libcharon/sa/ikev1/tasks/quick_mode.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 5e4bf8620b..22bead945f 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -411,6 +411,8 @@ static bool install(private_quick_mode_t *this)
 /* rekeyed CHILD_SAs stay installed until they expire or are deleted
 * by the other peer */
 old->set_state(old, CHILD_REKEYED);
+ /* but remove outbound SA as we don't want to use it actively */
+ old->remove_outbound(old);
 /* as initiator we delete the CHILD_SA if configured to do so */
 if (this->initiator && this->delete)
 {
--
2.47.2
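Review bot: The added `old->remove_outbound(old);` runs unconditionally right after the state change, so if the replacement CHILD_SA's outbound SA is not already installed at this point there is a short window with no usable outbound SA for these traffic selectors; install() begins above the hunk, so that ordering cannot be confirmed from here and should be checked. The new comment could also record what the commit message states, that the outbound policy goes with the SA and that the inbound side is kept on purpose, e.g. `/* but remove outbound SA and policy so only the new CHILD_SA is used for sending; inbound stays until it expires or the peer deletes it */`. It may also be worth confirming that remove_outbound() tolerates a second removal when the initiator-delete branch below tears the old CHILD_SA down, since that branch is reached with the outbound side already gone.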