ikev1: Don't inherit children if INITITAL_CONTACT was seen

author Thomas Egerer <thomas.egerer@secunet.com>

Thu, 9 Oct 2014 09:15:07 +0000 (11:15 +0200)

committer Martin Willi <martin@revosec.ch>

Thu, 30 Oct 2014 10:53:56 +0000 (11:53 +0100)
author Thomas Egerer <thomas.egerer@secunet.com>
Thu, 9 Oct 2014 09:15:07 +0000 (11:15 +0200)
committer Martin Willi <martin@revosec.ch>
Thu, 30 Oct 2014 10:53:56 +0000 (11:53 +0100)
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c

index bdabc59..144cd7d 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1783,7 +1783,10 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
         if (is_ikev1_reauth(duplicate, host))
         {
                 /* looks like a reauthentication attempt */
-               adopt_children(duplicate, new);
+               if (!new->has_condition(new, COND_INIT_CONTACT_SEEN))
+               {
+                       adopt_children(duplicate, new);
+               }
                 /* For IKEv1 we have to delay the delete for the old IKE_SA. Some
                  * peers need to complete the new SA first, otherwise the quick modes
                  * might get lost. */
author	Thomas Egerer <thomas.egerer@secunet.com>
	Thu, 9 Oct 2014 09:15:07 +0000 (11:15 +0200)
committer	Martin Willi <martin@revosec.ch>
	Thu, 30 Oct 2014 10:53:56 +0000 (11:53 +0100)