diff options
| author | Martin Willi <martin@revosec.ch> | 2013-03-01 11:32:02 +0100 |
|---|---|---|
| committer | Martin Willi <martin@revosec.ch> | 2013-03-01 11:32:02 +0100 |
| commit | b611d8ba48424747ad1330e6ffbba3de8f5f0555 (patch) | |
| tree | 8d3e07c2471da412a11ba947a10cb84ccc94ea0b /src | |
| parent | ec1b4e6638598b5c77684cd01ab4caeaf3e230a4 (diff) | |
| parent | 3dc9d427c92ee3bece4bc1c3c575250156deeebc (diff) | |
| download | strongswan-b611d8ba48424747ad1330e6ffbba3de8f5f0555.tar.bz2 strongswan-b611d8ba48424747ad1330e6ffbba3de8f5f0555.tar.xz | |
Merge branch 'ikev1-rekeying'
Migrates Quick Modes to the new Main Mode if an IKEv1 reauthentication replaces
the old Main Mode having a uniqueids=replace policy.
Diffstat (limited to 'src')
| -rw-r--r-- | src/libcharon/sa/ike_sa_manager.c | 21 | ||||
| -rw-r--r-- | src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c | 4 |
2 files changed, 25 insertions, 0 deletions
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index c5e6bf4bd..4fbc4da8e 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1747,6 +1747,23 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*, (void*)id_enumerator_cleanup, ids); } +/** + * Move all CHILD_SAs from old to new + */ +static void adopt_children(ike_sa_t *old, ike_sa_t *new) +{ + enumerator_t *enumerator; + child_sa_t *child_sa; + + enumerator = old->create_child_sa_enumerator(old); + while (enumerator->enumerate(enumerator, &child_sa)) + { + old->remove_child_sa(old, enumerator); + new->add_child_sa(new, child_sa); + } + enumerator->destroy(enumerator); +} + METHOD(ike_sa_manager_t, check_uniqueness, bool, private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace) { @@ -1799,6 +1816,10 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool, { case UNIQUE_REPLACE: charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE); + if (duplicate->get_version(duplicate) == IKEV1) + { + adopt_children(duplicate, ike_sa); + } DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer " "'%Y' due to uniqueness policy", other); status = duplicate->delete(duplicate); diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index e47887859..b6df9879c 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -1757,6 +1757,10 @@ METHOD(kernel_net_t, add_ip, status_t, DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip, entry->iface->ifname); this->lock->unlock(this->lock); + /* during IKEv1 reauthentication, children get moved from + * old the new SA before the virtual IP is available. This + * kills the route for our virtual IP, reinstall. */ + queue_route_reinstall(this, entry->iface->ifname); return SUCCESS; } } |