[strongSwan-dev] question for the deletion of ike/child sa

김익호 strongikho at gmail.com
Mon Jul 13 02:25:08 CEST 2015


I found one difference between the deletion of an IKE_SA and the deletion of a
CHILD_SA in strongSwan v5.3.1, shown below.

Compared with the CHILD_SA case, is there a reason why the IKE_SA is not
recreated? (Refer to the yellow blocks.)



src/libcharon/sa/ikev2/tasks/ike_delete.c

/**
 * Build the initiator's request of the IKE_SA delete task.
 *
 * Logs which IKE_SA is being deleted, appends a DELETE payload for PROTO_IKE
 * to the outgoing message, notes whether the SA was in IKE_REKEYING and then
 * switches the SA to IKE_DELETING.
 *
 * Nothing in this function queues a task that would set up a new IKE_SA.
 *
 * @param message   message the DELETE payload is appended to
 * @return          NEED_MORE, unconditionally
 */
METHOD(task_t, build_i, status_t,
    private_ike_delete_t *this, message_t *message)
{
    delete_payload_t *del;

    DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
         this->ike_sa->get_name(this->ike_sa),
         this->ike_sa->get_unique_id(this->ike_sa),
         this->ike_sa->get_my_host(this->ike_sa),
         this->ike_sa->get_my_id(this->ike_sa),
         this->ike_sa->get_other_host(this->ike_sa),
         this->ike_sa->get_other_id(this->ike_sa));

    del = delete_payload_create(PLV2_DELETE, PROTO_IKE);
    message->add_payload(message, (payload_t*)del);

    /* the state has to be sampled before it is overwritten just below */
    switch (this->ike_sa->get_state(this->ike_sa))
    {
        case IKE_REKEYING:
            this->rekeyed = TRUE;
            break;
        default:
            /* leave the flag as it was */
            break;
    }
    this->ike_sa->set_state(this->ike_sa, IKE_DELETING);

    DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
         this->ike_sa->get_name(this->ike_sa),
         this->ike_sa->get_unique_id(this->ike_sa));

    return NEED_MORE;
}



src/libcharon/sa/ikev2/tasks/child_delete.c

/**
 * Build the initiator's request of the CHILD_SA delete task.
 *
 * Resolves the CHILD_SA from this->protocol and this->spi, adds it to
 * this->child_sas, logs it and builds the delete payloads. If the SA was not
 * being rekeyed and this->expired is set, a child_create task using the same
 * child config is queued on the IKE_SA.
 *
 * @param message   message the delete payloads are built into
 * @return          SUCCESS if no CHILD_SA matches the SPI, NEED_MORE otherwise
 */
METHOD(task_t, build_i, status_t,
    private_child_delete_t *this, message_t *message)
{
    child_sa_t *sa;
    child_cfg_t *cfg;
    task_t *recreate;

    /* first attempt: treat the configured SPI as the inbound one */
    sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
                                    this->spi, TRUE);
    if (!sa)
    {
        /* second attempt: the SPI may identify the outbound SA */
        sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
                                        this->spi, FALSE);
        if (!sa)
        {
            /* the CHILD_SA is already gone, so there is nothing to delete */
            return SUCCESS;
        }
        /* from here on only the inbound SPI is used */
        this->spi = sa->get_spi(sa, TRUE);
    }
    this->child_sas->insert_last(this->child_sas, sa);

    switch (sa->get_state(sa))
    {
        case CHILD_REKEYING:
            this->rekeyed = TRUE;
            break;
        default:
            /* leave the flag as it was */
            break;
    }
    log_children(this);
    build_payloads(this, message);

    if (this->rekeyed || !this->expired)
    {
        /* no replacement SA is scheduled on this path */
        return NEED_MORE;
    }

    DBG1(DBG_IKE, "scheduling CHILD_SA recreate after hard expire");
    cfg = sa->get_config(sa);
    /* the create task is handed the result of get_ref() on the old config */
    recreate = (task_t*)child_create_create(this->ike_sa, cfg->get_ref(cfg),
                                            FALSE, NULL, NULL);
    this->ike_sa->queue_task(this->ike_sa, recreate);

    return NEED_MORE;
}