Merge branch 'ikev1-rekeying'

Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.

src/libcharon/sa/ike_sa_manager.c

@@ -1747,6 +1747,23 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
 									 (void*)id_enumerator_cleanup, ids);
 }
 
+/**
+ * Move all CHILD_SAs from old to new
+ */
+static void adopt_children(ike_sa_t *old, ike_sa_t *new)
+{
+	enumerator_t *enumerator;
+	child_sa_t *child_sa;
+
+	enumerator = old->create_child_sa_enumerator(old);
+	while (enumerator->enumerate(enumerator, &child_sa))
+	{
+		old->remove_child_sa(old, enumerator);
+		new->add_child_sa(new, child_sa);
+	}
+	enumerator->destroy(enumerator);
+}
+
 METHOD(ike_sa_manager_t, check_uniqueness, bool,
 	private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
 {
@@ -1799,6 +1816,10 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
 					{
 						case UNIQUE_REPLACE:
 							charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
+							if (duplicate->get_version(duplicate) == IKEV1)
+							{
+								adopt_children(duplicate, ike_sa);
+							}
 							DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
 									"'%Y' due to uniqueness policy", other);
 							status = duplicate->delete(duplicate);

src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c

@@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t,
 				DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
 					 entry->iface->ifname);
 				this->lock->unlock(this->lock);
+				/* during IKEv1 reauthentication, children get moved from
+				 * old the new SA before the virtual IP is available. This
+				 * kills the route for our virtual IP, reinstall. */
+				queue_route_reinstall(this, entry->iface->ifname);
 				return SUCCESS;
 			}
 		}