With IKEv1 we have to reuse IKE_SAs as otherwise the responder might
detect the new SA as reauthentication and will "adopt" the CHILD_SAs of
the original IKE_SA, while the initiator will not do so. This could
cause CHILD_SA rekeying to fail later.
Fixes #1236.
resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
resolution failed), 0 to disable retries.
charon.reuse_ikesa = yes
- Initiate CHILD_SA within existing IKE_SAs.
+ Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
charon.routing_table
Numerical routing table to install routes to.
charon.routing_table
Numerical routing table to install routes to.
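Review bot: the updated description in the hunk says reuse is "always enabled for IKEv1" but gives no reason, so an operator who sets `charon.reuse_ikesa = no` and still sees CHILD_SAs created inside an existing IKEv1 SA will not know why. Suggest carrying the rationale from the commit message into the option text, e.g. "always enabled for IKEv1, because the responder would otherwise treat a new IKE_SA as reauthentication and adopt the CHILD_SAs of the original one".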
DBG2(DBG_MGR, "checkout IKE_SA by config");
DBG2(DBG_MGR, "checkout IKE_SA by config");
- if (!this->reuse_ikesa)
- { /* IKE_SA reuse disable by config */
+ if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+ { /* IKE_SA reuse disabled by config (not possible for IKEv1) */
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
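Review bot: `peer_cfg->get_ike_version(peer_cfg)` is now evaluated twice in the same path, once in the new condition and again in the `checkout_new(...)` call that follows; store it in a local (`ike_version_t version = peer_cfg->get_ike_version(peer_cfg);`) and use it in both places. Also, since the configured `reuse_ikesa = no` is silently ignored for IKEv1 here, a `DBG1(DBG_MGR, ...)` line at that point would make the overridden setting visible in the log, matching the existing `DBG2(DBG_MGR, "checkout IKE_SA by config")` style above.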