From 3dc9d427c92ee3bece4bc1c3c575250156deeebc Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Wed, 20 Feb 2013 09:16:00 +0100
Subject: [PATCH] After IKEv1 reauthentication, reinstall VIP routes after migrating CHILD_SAs

During IKEv1 reauthentication, the virtual IP gets removed, then reinstalled. The CHILD_SAs get migrated, but any associated route gets removed from the kernel. Reinstall routes after adding the virtual IP again.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index e478878..b6df987 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t,
 DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip, entry->iface->ifname);
 this->lock->unlock(this->lock);
+ /* during IKEv1 reauthentication, children get moved from
+ * old the new SA before the virtual IP is available. This
+ * kills the route for our virtual IP, reinstall. */
+ queue_route_reinstall(this, entry->iface->ifname);
 return SUCCESS;
 }
 }
-- 
2.7.4
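Review bot: The added `queue_route_reinstall(this, entry->iface->ifname);` reads `entry->iface->ifname` after `this->lock->unlock(this->lock)`, whereas the DBG2 call just above reads the same field while the lock is still held. If that lock is what guards the interface and address entries (it looks that way from these lines, but the rest of add_ip lies outside the hunk), a concurrent interface or address removal could free the entry between the unlock and the call, leaving a read of freed memory. Copying the name while still locked, e.g. `char *ifname = strdup(entry->iface->ifname);` before the unlock and passing `ifname` to the call afterwards, closes that window. Who frees the copy depends on whether queue_route_reinstall() keeps the pointer or duplicates it, which is not visible here. The new comment would also read better as `old to the new SA`.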