ikev2: Don't adopt any CHILD_SA during make-before-break reauthentication

While the comment is rather clear that we should not adopt live CHILD_SAs
during reauthentication in IKEv2, the code does nonetheless. Add an additional
version check to fix reauthentication if the reauth responder has a replace
uniqueids policy.

Fixes #871.

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 6d0a598..d0cbd47 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1755,7 +1755,8 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
        if (host->equals(host, duplicate->get_other_host(duplicate)))
        {
                /* looks like a reauthentication attempt */
-               if (!new->has_condition(new, COND_INIT_CONTACT_SEEN))
+               if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) &&
+                       new->get_version(new) == IKEV1)
                {
                        /* IKEv1 implicitly takes over children, IKEv2 recreates them
                         * explicitly. */