ikev1: Always enable charon.reuse_ikesa
With IKEv1 we have to reuse IKE_SAs as otherwise the responder might detect the new SA as reauthentication and will "adopt" the CHILD_SAs of the original IKE_SA, while the initiator will not do so. This could cause CHILD_SA rekeying to fail later. Fixes #1236.
parent db57f5702b
commit 24ab8530e5
|
@ -283,7 +283,7 @@ charon.retry_initiate_interval = 0
|
|||
resolution failed), 0 to disable retries.
|
||||
|
||||
charon.reuse_ikesa = yes
|
||||
Initiate CHILD_SA within existing IKE_SAs.
|
||||
Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
|
||||
|
||||
charon.routing_table
|
||||
Numerical routing table to install routes to.
|
||||
|
|
|
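Review bot: The new description line "Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1)." does not tell an operator that setting `charon.reuse_ikesa = no` is ignored for IKEv1 connections, nor why. Consider adding a sentence to the option text saying that the setting only takes effect for IKEv2, and that for IKEv1 a second IKE_SA could be treated as a reauthentication by the responder, which would then adopt the CHILD_SAs while the initiator does not. The default shown (`yes`) is unchanged, so only deployments that explicitly set `no` are affected, and those are the ones that need the note.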
@ -1384,8 +1384,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
|
|||
|
||||
DBG2(DBG_MGR, "checkout IKE_SA by config");
|
||||
|
||||
if (!this->reuse_ikesa)
|
||||
{ /* IKE_SA reuse disable by config */
|
||||
if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
|
||||
{ /* IKE_SA reuse disabled by config (not possible for IKEv1) */
|
||||
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
|
||||
charon->bus->set_sa(charon->bus, ike_sa);
|
||||
return ike_sa;
|
||||
|
|
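Review bot: The new condition `!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1` silently overrides the configured value for IKEv1 peers; nothing visible here logs that `reuse_ikesa` was disabled by config but is being ignored. A debug message on that path (or a one-time notice where the setting is read) would make the behaviour diagnosable from logs when someone has set `charon.reuse_ikesa = no` and still sees CHILD_SAs initiated within an existing IKE_SA. Minor style point: `peer_cfg->get_ike_version(peer_cfg)` is now evaluated in the condition and again in the `checkout_new()` call two lines below; storing it in a local would make the check easier to read.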