Bug #885

updown script isn't executed after make-before-break reauthentication

Added by Luka Logar over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libcharon
Target version:
Start date: 11.03.2015
Due date:
Estimated time:
Affected version: dr|rc|master
Resolution: Fixed

Description

Hi,

I have noticed that when using make-before-break reauthentication, the down script (on the reauth initiator side) doesn't get called after the successful reauthentication, thus not deleting old firewall rules. I think that the problem is that the SA is (falsely?) in IKE_REKEYING mode when calling ike_delete->process_i().

Best regards
Luka

History

#1 Updated by Martin Willi over 10 years ago

  • Tracker changed from Issue to Bug
  • Category set to libcharon
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

Hi Luka,

Thanks for your bug report. In fact, we do miss the invocation of both IKE and CHILD updown hooks for re-authenticated IKE_SAs as initiator because of that IKE_REKEYING state.

Instead of switching to the REKEYING state, I think we should just keep the old IKE_SA as ESTABLISHED. This should ensure that the hooks get invoked after deleting the old SA. Implemented in master with the referenced commit.

Regards
Martin