In IKEv1 it's perfectly acceptable to have multiple IKE_SAs, and they never replace one another implicitly. It makes sense to delete the obsoleted IKE_SA after rekeying, but a delete notification needs to be sent. Otherwise, if the remote monitors the IKE_SA using DPD, it will consider us dead and might end up flushing CHILD_SAs it has maybe not yet moved (or potentially also other IKE_SAs, like racoon does).
This seems to fix IKEv1 rekeying against racoon. Signed-off-by: Timo Teräs <[email protected]> --- src/libcharon/processing/jobs/adopt_children_job.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c index c8a9c17..380900a 100644 --- a/src/libcharon/processing/jobs/adopt_children_job.c +++ b/src/libcharon/processing/jobs/adopt_children_job.c @@ -64,6 +64,7 @@ METHOD(job_t, execute, job_requeue_t, ike_sa_id_t *id; ike_sa_t *ike_sa; child_sa_t *child_sa; + status_t status; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id); if (ike_sa) @@ -96,6 +97,7 @@ METHOD(job_t, execute, job_requeue_t, { /* not from self */ continue; } + status = SUCCESS; ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); if (ike_sa) { @@ -126,20 +128,24 @@ METHOD(job_t, execute, job_requeue_t, ike_sa->clear_virtual_ips(ike_sa, FALSE); if (children->get_count(children) || vips->get_count(vips)) { - DBG1(DBG_IKE, "detected reauth of existing IKE_SA, " - "adopting %d children and %d virtual IPs", + DBG1(DBG_IKE, "adopt_chiren_job detected reauth of existing " + "IKE_SA, adopting %d children and %d virtual IPs", children->get_count(children), vips->get_count(vips)); } - ike_sa->set_state(ike_sa, IKE_DELETING); - charon->bus->ike_updown(charon->bus, ike_sa, FALSE); - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); + status = ike_sa->delete(ike_sa); + } + + if (status == DESTROY_ME) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); } else { charon->ike_sa_manager->checkin( charon->ike_sa_manager, ike_sa); } + if (children->get_count(children) || vips->get_count(vips)) { break; -- 2.4.0 _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
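Review bot: In the third hunk (@@ -126,20 +128,24 @@) the rewritten DBG1 string contains a typo, "adopt_chiren_job", and prefixing the user-facing log line with the job name is unrelated to the rekeying fix; please keep the original wording "detected reauth of existing IKE_SA, adopting %d children and %d virtual IPs" or, if the job name is wanted, spell it "adopt_children_job".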
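Review bot: The third hunk (@@ -126,20 +128,24 @@) drops the explicit `charon->bus->ike_updown(charon->bus, ike_sa, FALSE);` along with `set_state(ike_sa, IKE_DELETING)` and relies on `status = ike_sa->delete(ike_sa);` instead; please confirm in the commit message that both outcomes of delete(), the immediate DESTROY_ME return handled by the new `if (status == DESTROY_ME)` branch and the case where a delete exchange is queued and the SA is merely checked in, still raise the IKE_SA down event, since updown listeners (updown script, HA) depend on it. It would also help to document why `status = SUCCESS;` is set in the second hunk before the checkout, i.e. that non-matching or non-IKEv1 SAs must take the plain checkin path.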
