ikev2: Don't recreate IKE_SA if deletion fails after make-before-break reauth
authorTobias Brunner <tobias@strongswan.org>
Wed, 5 Dec 2018 11:24:55 +0000 (12:24 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 7 Dec 2018 09:28:21 +0000 (10:28 +0100)
Fixes: 745714307256 ("During reauthentication reestablish IKE_SA even if deleting the old one fails.")
Fixes #2847.

src/libcharon/sa/ike_sa.c

index a4ad866..27b0c33 100644 (file)
@@ -2404,7 +2404,9 @@ METHOD(ike_sa_t, retransmit, status_t,
                        }
                        case IKE_DELETING:
                                DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
-                               if (has_condition(this, COND_REAUTHENTICATING))
+                               if (has_condition(this, COND_REAUTHENTICATING) &&
+                                       !lib->settings->get_bool(lib->settings,
+                                                                               "%s.make_before_break", FALSE, lib->ns))
                                {
                                        DBG1(DBG_IKE, "delete during reauthentication failed, "
                                                 "trying to reestablish IKE_SA anyway");
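Review bot: The added `get_bool` check in the `IKE_DELETING` case reads `%s.make_before_break` when the delete times out, not when the reauthentication was started, so it reflects the current setting rather than the method actually used for this IKE_SA. If the settings can be reloaded in between (not visible in this hunk), a break-before-make reauth could end with neither the old nor a recreated IKE_SA, which means a tunnel outage until something else triggers a new negotiation. Basing the decision on per-SA state recorded when the reauth began would avoid that mismatch. The new condition also carries no explanation; a comment above the `if` such as `/* with make-before-break the new IKE_SA is already established, don't recreate it */` would make the intent clear. The body of `retransmit` starts before and continues past this hunk, so the rest of the branch could not be checked.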