ike: Reset IKE_SA in state CONNECTING instead of reauthenticating
author Tobias Brunner <tobias@strongswan.org>
Tue, 12 Aug 2014 10:05:16 +0000 (12:05 +0200)
committer Tobias Brunner <tobias@strongswan.org>
Tue, 9 Sep 2014 08:56:15 +0000 (10:56 +0200)
Due to how reauthentication works for IKEv1 we could get a second
IKE_SA, which might cause problems, when connectivity problems arise
when the connection is initially established.

Fixes #670.

src/libcharon/sa/ike_sa.c

index fddd83c..e63e0fa 100644 (file)
@@ -1487,6 +1487,14 @@ METHOD(ike_sa_t, reauth, status_t,
        {
                return INVALID_STATE;
        }
+       if (this->state == IKE_CONNECTING)
+       {
+               DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
+                        get_name(this), this->unique_id);
+               reset(this);
+               this->task_manager->queue_ike(this->task_manager);
+               return this->task_manager->initiate(this->task_manager);
+       }
        /* we can't reauthenticate as responder when we use EAP or virtual IPs.
         * If the peer does not support RFC4478, there is no way to keep the
         * IKE_SA up. */
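
Review bot: The new `if (this->state == IKE_CONNECTING)` branch returns before the responder handling that the following comment introduces ("we can't reauthenticate as responder when we use EAP or virtual IPs"), so an IKE_SA in state CONNECTING is reset and re-initiated without any of those role checks applying. If that is intended, a short comment above the `if` stating why a reset is preferred over reauthentication in this state would keep the reasoning in the code rather than only in the commit message (which cites the second IKE_SA that IKEv1 reauthentication can produce). If it is not intended for the responder side, move the branch below the role checks or add an explicit initiator condition to it.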