Merge branch 'ikev1-rekeying'
Migrates Quick Modes to the new Main Mode when an IKEv1 reauthentication replaces the old Main Mode under a uniqueids=replace policy.
commit
b611d8ba48
|
@ -1747,6 +1747,23 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
|
|||
(void*)id_enumerator_cleanup, ids);
|
||||
}
|
||||
|
||||
/**
|
||||
* Move all CHILD_SAs from old to new
|
||||
*/
|
||||
static void adopt_children(ike_sa_t *old, ike_sa_t *new)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
child_sa_t *child_sa;
|
||||
|
||||
enumerator = old->create_child_sa_enumerator(old);
|
||||
while (enumerator->enumerate(enumerator, &child_sa))
|
||||
{
|
||||
old->remove_child_sa(old, enumerator);
|
||||
new->add_child_sa(new, child_sa);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
METHOD(ike_sa_manager_t, check_uniqueness, bool,
|
||||
private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
|
||||
{
|
||||
|
@ -1799,6 +1816,10 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
|
|||
{
|
||||
case UNIQUE_REPLACE:
|
||||
charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
|
||||
if (duplicate->get_version(duplicate) == IKEV1)
|
||||
{
|
||||
adopt_children(duplicate, ike_sa);
|
||||
}
|
||||
DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
|
||||
"'%Y' due to uniqueness policy", other);
|
||||
status = duplicate->delete(duplicate);
|
||||
|
|
|
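Review bot: The version check at `if (duplicate->get_version(duplicate) == IKEV1)` inspects only the SA being replaced, not the replacing one, so a peer that re-authenticates with the same identity over IKEv2 would have its IKEv1 Quick Modes reparented onto an IKEv2 IKE_SA where the IKEv1 logic that created them no longer applies; restrict the migration to `if (duplicate->get_version(duplicate) == IKEV1 && ike_sa->get_version(ike_sa) == IKEV1)`. adopt_children also moves every CHILD_SA unconditionally, including any that may be mid-rekey or mid-delete on the old SA, which presumably leaves the tasks driving them on the old SA without their child — either filter by state or at least state the assumption in its header comment, e.g. `* Move all CHILD_SAs from old to new. Both SAs must be checked out by the caller; children are moved regardless of their current state.` check_uniqueness starts and ends outside the hunk.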
@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t,
|
|||
DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
|
||||
entry->iface->ifname);
|
||||
this->lock->unlock(this->lock);
|
||||
/* during IKEv1 reauthentication, children get moved from
|
||||
* old the new SA before the virtual IP is available. This
|
||||
* kills the route for our virtual IP, reinstall. */
|
||||
queue_route_reinstall(this, entry->iface->ifname);
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
|
|
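Review bot: The call `queue_route_reinstall(this, entry->iface->ifname);` is queued on every successful virtual IP install, for any IKE version, while the preceding comment justifies it only for the IKEv1 reauthentication case; if that wider scope is intentional the comment should say so rather than imply the reinstall is specific to IKEv1 reauth, and if not, the call should be gated by the caller (not visible here). The comment also has a typo: `from old the new SA` should read `from the old to the new SA`. add_ip begins and ends outside the hunk.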