From eb82210620e0e4f297fdb0274f1ab8e1015971fd Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 1 Mar 2018 18:02:08 +0100
Subject: [PATCH] ikev1: Trigger down events for CHILD_SAs if reauthentication failed due to retransmits
---
 src/libcharon/sa/ike_sa.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 7f272a95b..c6cacdf9c 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2350,11 +2350,27 @@ METHOD(ike_sa_t, retransmit, status_t,
 if (this->version == IKEV1 && array_count(this->child_sas))
 {
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+
 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
 * in this state with CHILD_SAs), try again from scratch */
 DBG1(DBG_IKE, "reauthentication failed, trying to "
 "reestablish IKE_SA");
 reestablish(this);
+ /* trigger down events for the CHILD_SAs, as no down event
+ * is triggered below for IKE SAs in this state */
+ enumerator = array_create_enumerator(this->child_sas);
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
+ child_sa->get_state(child_sa) != CHILD_DELETED)
+ {
+ charon->bus->child_updown(charon->bus, child_sa,
+ FALSE);
+ }
+ }
+ enumerator->destroy(enumerator);
 }
 break;
 }
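Review bot: The down events in the added loop are raised only after `reestablish(this);` has run, so every `child_updown` listener is called with the IKE_SA and `this->child_sas` in whatever state reestablish() left them; reestablish() is defined outside the hunk, so whether it touches the CHILD_SA list or their states cannot be checked from here. If the order is deliberate, the new comment should say so, e.g. `/* raised after reestablish() on purpose: <reason> */`; otherwise the loop belongs above the `reestablish(this);` call. The filter also calls `get_state()` twice per CHILD_SA; reading it once, `child_sa_state_t state = child_sa->get_state(child_sa);`, keeps both comparisons on the same value and shortens the condition. The enclosing `retransmit` method and its switch start and end outside the hunk.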