ikev1: Always enable charon.reuse_ikesa

With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so.  This could
cause CHILD_SA rekeying to fail later.

Fixes #1236.

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 816f325..a4e03d4 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -283,7 +283,7 @@ charon.retry_initiate_interval = 0
        resolution failed), 0 to disable retries.
 
 charon.reuse_ikesa = yes
        resolution failed), 0 to disable retries.
 
 charon.reuse_ikesa = yes

-       Initiate CHILD_SA within existing IKE_SAs.
+       Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).

 
 charon.routing_table
        Numerical routing table to install routes to.
 
 charon.routing_table
        Numerical routing table to install routes to.

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 3d15009..908ce81 100644 (file)
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1384,8 +1384,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 
        DBG2(DBG_MGR, "checkout IKE_SA by config");
 
 
        DBG2(DBG_MGR, "checkout IKE_SA by config");
 

-       if (!this->reuse_ikesa)
-       {       /* IKE_SA reuse disable by config */
+       if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+       {       /* IKE_SA reuse disabled by config (not possible for IKEv1) */

                ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
                charon->bus->set_sa(charon->bus, ike_sa);
                return ike_sa;
                ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
                charon->bus->set_sa(charon->bus, ike_sa);
                return ike_sa;