authorMartin Willi <martin@revosec.ch>2013-09-18 14:11:40 +0200
committerMartin Willi <martin@revosec.ch>2013-09-30 13:51:12 +0200
commitd2e4dd75b7967a7f2c024a1b4c2c1c916ea036ba (patch)
treeb3acaa3bd5add5da1b3b130aaa9491d31a3c2f37 /src/libcharon/sa
parent9c19d7ca31f2a801935580f4b737f1ed3720f469 (diff)
ikev1: Accept reauthentication attempts with a keep unique policy from same host
When we have a "keep" unique policy in place, we have to be less strict in rejecting Main/Aggressive Modes to enforce it. If the host/port equals that of an existing ISAKMP SA, we assume it is a reauthentication attempt and accept the new SA (to replace the old).
Diffstat (limited to 'src/libcharon/sa')
-rw-r--r--src/libcharon/sa/ike_sa_manager.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 736642096..7f165957b 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1766,6 +1766,15 @@ static void adopt_children(ike_sa_t *old, ike_sa_t *new)
}
/**
+ * Check if the replaced IKE_SA might get reauthenticated from host
+ */
+static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host)
+{
+ return duplicate->get_version(duplicate) == IKEV1 &&
+ host->equals(host, duplicate->get_other_host(duplicate));
+}
+
+/**
* Delete an existing IKE_SA due to a unique replace policy
*/
static status_t enforce_replace(private_ike_sa_manager_t *this,
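Review bot: The doc comment on the new is_ikev1_reauth() helper says "the replaced IKE_SA", but with the second caller added in check_uniqueness() the duplicate is not necessarily being replaced, and the comment does not say what `host` is or what the match is based on. Since the keep/replace decision for a unique policy now hinges on this test, the comment should state that it compares only the peer address/port of the existing IKEv1 SA with `host` (the commit message says host/port) and that this is a heuristic, not an authenticated property of the new exchange; e.g. `/* Heuristic: an existing IKEv1 ISAKMP SA with the same peer address/port as host is assumed to be getting reauthenticated by that peer. host is the other host of the new SA. */`. Whether the callers have already matched the duplicate by IKE identity is not visible in the hunk; if they have, saying so in the comment would make the trust boundary explicit.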
@@ -1774,8 +1783,7 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
{
charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
- if (duplicate->get_version(duplicate) == IKEV1 &&
- host->equals(host, duplicate->get_other_host(duplicate)))
+ if (is_ikev1_reauth(duplicate, host))
{
/* looks like a reauthentication attempt */
adopt_children(duplicate, new);
@@ -1846,10 +1854,13 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
other, other_host);
break;
case UNIQUE_KEEP:
- cancel = TRUE;
- /* we keep the first IKE_SA and delete all
- * other duplicates that might exist */
- policy = UNIQUE_REPLACE;
+ if (!is_ikev1_reauth(duplicate, other_host))
+ {
+ cancel = TRUE;
+ /* we keep the first IKE_SA and delete all
+ * other duplicates that might exist */
+ policy = UNIQUE_REPLACE;
+ }
break;
default:
break;
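Review bot: In the UNIQUE_KEEP case the reauthentication branch now leaves `policy` at UNIQUE_KEEP and `cancel` FALSE, so this duplicate is neither cancelled nor routed through the enforce_replace() call that the UNIQUE_REPLACE case above makes, which means the old ISAKMP SA is not deleted and its CHILD_SAs are not adopted the way enforce_replace() does for the same is_ikev1_reauth() condition. If the commit message's "accept the new SA (to replace the old)" is the intent, the branch should probably invoke the same enforce_replace() call as the UNIQUE_REPLACE case instead of merely skipping the cancel; if leaving the old SA for the peer to delete is intended, a comment should say so, e.g. `/* IKEv1 reauth from the same host/port: keep the new SA, the old one is left to the peer to delete */`. Note also that the new SA survives only if no other, non-reauth duplicate is enumerated, since any such duplicate still sets `cancel = TRUE`. check_uniqueness() continues outside the hunk, so how `policy` and `cancel` are consumed after the switch is inferred.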