After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAs
author Martin Willi <martin@revosec.ch>
Wed, 20 Feb 2013 08:16:00 +0000 (09:16 +0100)
committer Martin Willi <martin@revosec.ch>
Wed, 20 Feb 2013 08:16:00 +0000 (09:16 +0100)
During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled.
The CHILD_SAs get migrated, but any associated route gets removed from the
kernel. Reinstall routes after adding the virtual IP again.

src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c

index e478878..b6df987 100644 (file)
@@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t,
                                DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
                                         entry->iface->ifname);
                                this->lock->unlock(this->lock);
+                               /* during IKEv1 reauthentication, children get moved from
+                                * old the new SA before the virtual IP is available. This
+                                * kills the route for our virtual IP, reinstall. */
+                               queue_route_reinstall(this, entry->iface->ifname);
                                return SUCCESS;
                        }
                }
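Review bot: the added queue_route_reinstall(this, entry->iface->ifname) call reads entry->iface->ifname after this->lock->unlock(this->lock) on the line above it, so the interface entry is no longer protected when the name is dereferenced. If another thread can change or free that entry once the lock is dropped, this is a read of stale memory, and the hunk does not show whether queue_route_reinstall keeps the pointer for later use or copies it. Consider making the call before the unlock, or taking a copy of the name while the lock is still held and passing that instead. Minor: the new comment reads "from old the new SA", which presumably should be "from the old to the new SA".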