child-sa: Remove policies before states to avoid acquire events for untrapped policies

1 files changed, 16 insertions, 16 deletions

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 9c74b9517..068092d60 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1114,22 +1114,6 @@ METHOD(child_sa_t, destroy, void,
 
 	set_state(this, CHILD_DESTROYING);
 
-	/* delete SAs in the kernel, if they are set up */
-	if (this->my_spi)
-	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
-					this->other_addr, this->my_addr, this->my_spi,
-					proto_ike2ip(this->protocol), this->my_cpi,
-					this->mark_in);
-	}
-	if (this->other_spi)
-	{
-		hydra->kernel_interface->del_sa(hydra->kernel_interface,
-					this->my_addr, this->other_addr, this->other_spi,
-					proto_ike2ip(this->protocol), this->other_cpi,
-					this->mark_out);
-	}
-
 	if (this->config->install_policy(this->config))
 	{
 		/* delete all policies in the kernel */
@@ -1146,6 +1130,22 @@ METHOD(child_sa_t, destroy, void,
 		enumerator->destroy(enumerator);
 	}
 
+	/* delete SAs in the kernel, if they are set up */
+	if (this->my_spi)
+	{
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+					this->other_addr, this->my_addr, this->my_spi,
+					proto_ike2ip(this->protocol), this->my_cpi,
+					this->mark_in);
+	}
+	if (this->other_spi)
+	{
+		hydra->kernel_interface->del_sa(hydra->kernel_interface,
+					this->my_addr, this->other_addr, this->other_spi,
+					proto_ike2ip(this->protocol), this->other_cpi,
+					this->mark_out);
+	}
+
 	if (this->reqid_allocated)
 	{
 		if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,