[strongSwan-dev] [PATCH] ikev1: send delete notification when deleting IKE_SA on rekeying

[Timo Teräs]

In IKEv1 it's perfectly acceptable to have multiple IKE_SAs and
they never replace one another implicitly. It makes sense to delete
the obsoleted IKE_SA after rekeying, but delete notification needs
to be sent. Otherwise if the remote monitors the IKE_SA using DPD
it will consider us dead, and might end up flushing CHILD_SAs it
has maybe not yet moved (or potentially also other IKE_SAs like
racoon does).

This seems to fix IKEv1 rekeying against racoon.

Signed-off-by: Timo Teräs <timo.teras at iki.fi>
---
 src/libcharon/processing/jobs/adopt_children_job.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index c8a9c17..380900a 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -64,6 +64,7 @@ METHOD(job_t, execute, job_requeue_t,
 	ike_sa_id_t *id;
 	ike_sa_t *ike_sa;
 	child_sa_t *child_sa;
+	status_t status;
 
 	ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
 	if (ike_sa)
@@ -96,6 +97,7 @@ METHOD(job_t, execute, job_requeue_t,
 			{	/* not from self */
 				continue;
 			}
+			status = SUCCESS;
 			ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
 			if (ike_sa)
 			{
@@ -126,20 +128,24 @@ METHOD(job_t, execute, job_requeue_t,
 					ike_sa->clear_virtual_ips(ike_sa, FALSE);
 					if (children->get_count(children) || vips->get_count(vips))
 					{
-						DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
-							 "adopting %d children and %d virtual IPs",
+						DBG1(DBG_IKE, "adopt_chiren_job detected reauth of existing "
+							 "IKE_SA, adopting %d children and %d virtual IPs",
 							 children->get_count(children), vips->get_count(vips));
 					}
-					ike_sa->set_state(ike_sa, IKE_DELETING);
-					charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
-					charon->ike_sa_manager->checkin_and_destroy(
-											charon->ike_sa_manager, ike_sa);
+					status = ike_sa->delete(ike_sa);
+				}
+
+				if (status == DESTROY_ME)
+				{
+					charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+																ike_sa);
 				}
 				else
 				{
 					charon->ike_sa_manager->checkin(
 											charon->ike_sa_manager, ike_sa);
 				}
+
 				if (children->get_count(children) || vips->get_count(vips))
 				{
 					break;
-- 
2.4.0