In cases where both peers of a tunnel try to initiate the connection
simultaneously, one of the peers ends up having two IKE_SAs in state
IKE_ESTABLISHED. Therefore let's call check_uniqueness() before we switch
state, as is already the case as a responder in build_r.
---
 src/libcharon/sa/ikev2/tasks/ike_auth.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c 
b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index e554ca3..a7ec37c 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -1140,6 +1140,14 @@ METHOD(task_t, process_i, status_t,
        {
                goto peer_auth_failed;
        }
+       if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+                                                    this->ike_sa, FALSE))
+       {
+               DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness 
policy");
+               charon->bus->alert(charon->bus, ALERT_UNIQUE_KEEP);
+               send_auth_failed_informational(this, message);
+               return FAILED;
+       }
        if (!charon->bus->authorize(charon->bus, TRUE))
        {
                DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
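Review bot: the new block in process_i needs an explanation of how the outcome stays consistent on both peers during simultaneous initiation. Each side now evaluates uniqueness twice for the same pair of IKE_SAs, once as responder in build_r and once here as initiator, and which SA is seen as the duplicate depends on local arrival order; if peer A keeps its initiated SA and peer B keeps its own initiated SA, both SAs end up cancelled via send_auth_failed_informational() and the tunnel is gone. A short comment above the check stating the intended tie-break (and a test with both peers initiating at once) would make the reasoning verifiable. Minor: the new block has no comment at all, unlike the surrounding checks; at least note that the peer has already authenticated at this point, so the AUTHENTICATION_FAILED informational is sent for an SA the remote side already considers established.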
-- 
2.5.5

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
