Merge branch 'ikev1-down-reauth'

This triggers child_updown() if IKEv1 reauthentication fails due to retransmits. The SA is also tried to be reestablished. Fixes #2573.
2018-04-12 15:19:49 +02:00 · 2018-04-12 15:19:49 +02:00 · ce0a770c74
parent a36d8097ed 40ec7f998a
commit ce0a770c74
2 changed files with 25 additions and 4 deletions
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@ -215,10 +215,6 @@ then
 	fi
 fi

-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
 case "$PLUTO_VERB:$1" in
 up-host:)
 	# connection to me coming up
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -2347,6 +2347,31 @@ METHOD(ike_sa_t, retransmit, status_t,
 					return this->task_manager->initiate(this->task_manager);
 				}
 				DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
+
+				if (this->version == IKEV1 && array_count(this->child_sas))
+				{
+					enumerator_t *enumerator;
+					child_sa_t *child_sa;
+
+					/* if reauthenticating an IKEv1 SA failed (assumed for an SA
+					 * in this state with CHILD_SAs), try again from scratch */
+					DBG1(DBG_IKE, "reauthentication failed, trying to "
+						 "reestablish IKE_SA");
+					reestablish(this);
+					/* trigger down events for the CHILD_SAs, as no down event
+					 * is triggered below for IKE SAs in this state */
+					enumerator = array_create_enumerator(this->child_sas);
+					while (enumerator->enumerate(enumerator, &child_sa))
+					{
+						if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
+							child_sa->get_state(child_sa) != CHILD_DELETED)
+						{
+							charon->bus->child_updown(charon->bus, child_sa,
+													  FALSE);
+						}
+					}
+					enumerator->destroy(enumerator);
+				}
 				break;
 			}
 			case IKE_DELETING: