ikev1: Always enable charon.reuse_ikesa

With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so.  This could
cause CHILD_SA rekeying to fail later.

Fixes #1236.
Tobias Brunner 2015-12-18 15:23:30 +01:00
parent db57f5702b
commit 24ab8530e5
2 changed files with 3 additions and 3 deletions


@ -283,7 +283,7 @@ charon.retry_initiate_interval = 0
resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
Initiate CHILD_SA within existing IKE_SAs.
Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
charon.routing_table
Numerical routing table to install routes to.
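Review bot: the updated description of charon.reuse_ikesa should say what "always enabled for IKEv1" means for an operator who sets the option to `no`: for IKEv1 connections the value is ignored rather than honoured, so one-IKE_SA-per-CHILD_SA behaviour is only available with IKEv2. Suggest something like `Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1, where the setting is ignored).` and a short note on why, i.e. the responder otherwise treating the new IKE_SA as a reauthentication and adopting the CHILD_SAs, which later breaks CHILD_SA rekeying, as the commit message explains.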


@ -1384,8 +1384,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
DBG2(DBG_MGR, "checkout IKE_SA by config");
if (!this->reuse_ikesa)
{ /* IKE_SA reuse disable by config */
if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
{ /* IKE_SA reuse disabled by config (not possible for IKEv1) */
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
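Review bot: `peer_cfg->get_ike_version(peer_cfg)` is now called in the new condition and again two lines later in the `checkout_new()` argument; read it once into a local, e.g. `ike_version_t version = peer_cfg->get_ike_version(peer_cfg);`, and use it in both places so the condition and the SA creation cannot diverge and the `(not possible for IKEv1)` comment sits next to a named value. Worth confirming as well that the comparison against `IKEV1` covers every config that will actually run IKEv1: it only bypasses the reuse skip when the configured version is literally IKEv1, so a config whose version is left open but ends up negotiating IKEv1 would still go through `checkout_new()` when `reuse_ikesa` is off.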