Bug #885
updown script isn't executed after make-before-break reauthentication
Description
Hi,
I have noticed that when using make-before-break reauthentication, the down script (on the reauth initiator side) doesn't get called after the successful reauthentication, thus not deleting old firewall rules. I think that the problem is that the SA is (falsely?) in the IKE_REKEYING state when calling ike_delete->process_i().
Best regards
Luka
Associated revisions
History
#1 Updated by Martin Willi almost 6 years ago
- Tracker changed from Issue to Bug
- Category set to libcharon
- Status changed from New to Closed
- Assignee set to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
Hi Luka,
Thanks for your bug report. In fact, we do miss the invocation of both IKE and CHILD updown hooks for re-authenticated IKE_SAs as initiator because of that IKE_REKEYING state.
Instead of switching to the REKEYING state, I think we should just keep the old IKE_SA as ESTABLISHED. This should ensure that the hooks get invoked after deleting the old SA. Implemented in master with the referenced commit.
Regards
Martin
ikev2: Don't set old IKE_SA to REKEYING state during make-before-break reauth
We are actually not in rekeying state, but just trigger a separate, new IKE_SA
as a replacement for the current IKE_SA. Switching to the REKEYING state
disables the invocation of both IKE and CHILD_SA updown hooks as initiator,
preventing the removal of any firewall rules.
Fixes #885.
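As an added illustration (not code from strongSwan or from this ticket) of the state check that the report and the fix describe: a hypothetical C model in which the initiator's delete handling runs the updown hooks only for an IKE_SA that is not in REKEYING state. It contrasts a genuine IKE_SA rekey, where the CHILD_SAs migrate to the replacement and skipping the hooks is correct, with make-before-break reauthentication, where the old IKE_SA was wrongly put into REKEYING before the fix and its firewall rules were left behind. All type and function names below are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not strongSwan code: the initiator's IKE_SA state and
 * the delete task's decision whether to run the updown hooks. */
typedef enum { IKE_ESTABLISHED, IKE_REKEYING, IKE_DELETING } ike_state_t;
#define MAX_CHILDREN 4

typedef struct {
    ike_state_t state;
    int child_count;
    bool child_rule[MAX_CHILDREN];  /* firewall rule installed by CHILD "up" */
} ike_sa_t;

typedef struct {
    int rules_left;   /* rules still installed on the IKE_SA being examined */
    int ike_down;     /* IKE updown hook invoked with "down" */
    int child_down;   /* CHILD_SA updown hook invoked with "down" */
} outcome_t;

/* Establish an IKE_SA with n CHILD_SAs; each CHILD "up" hook installs a rule. */
static void ike_sa_establish(ike_sa_t *sa, int n)
{
    memset(sa, 0, sizeof(*sa));
    sa->state = IKE_ESTABLISHED;
    sa->child_count = n;
    for (int i = 0; i < n; i++)
        sa->child_rule[i] = true;
}

static int rules_installed(const ike_sa_t *sa)
{
    int count = 0;
    for (int i = 0; i < sa->child_count; i++)
        count += sa->child_rule[i] ? 1 : 0;
    return count;
}

/* Model of ike_delete->process_i(): the down hooks run only when the IKE_SA is
 * not in REKEYING state, since in a genuine rekey the CHILD_SAs and their
 * rules move to the new IKE_SA and must survive the old one's deletion. */
static void ike_delete_process_i(ike_sa_t *sa, outcome_t *out)
{
    if (sa->state != IKE_REKEYING) {
        for (int i = 0; i < sa->child_count; i++) {
            if (sa->child_rule[i]) {
                sa->child_rule[i] = false;   /* CHILD "down" removes the rule */
                out->child_down++;
            }
        }
        out->ike_down++;
    }
    sa->state = IKE_DELETING;
}

/* Genuine IKE_SA rekey: CHILD_SAs migrate to the replacement and the old
 * IKE_SA is deleted in REKEYING state. rules_left counts the replacement's rules. */
static outcome_t rekey_ike_sa(void)
{
    outcome_t out = {0};
    ike_sa_t old, repl;
    ike_sa_establish(&old, 2);
    repl = old;                     /* children and their rules migrate */
    old.child_count = 0;            /* the old IKE_SA no longer owns them */
    old.state = IKE_REKEYING;
    ike_delete_process_i(&old, &out);
    out.rules_left = rules_installed(&repl);
    return out;
}

/* Make-before-break reauth as initiator: a separate replacement IKE_SA with its
 * own CHILD_SAs comes up first, then the old one is deleted. mark_old_rekeying
 * reproduces the pre-fix behaviour (old IKE_SA put into REKEYING); false keeps
 * it ESTABLISHED as the fix does. rules_left counts stale rules on the old SA. */
static outcome_t reauth_make_before_break(bool mark_old_rekeying)
{
    outcome_t out = {0};
    ike_sa_t old, repl;
    ike_sa_establish(&old, 2);
    ike_sa_establish(&repl, 2);     /* replacement installs its own rules */
    if (mark_old_rekeying)
        old.state = IKE_REKEYING;
    ike_delete_process_i(&old, &out);
    out.rules_left = rules_installed(&old);
    return out;
}

static void show(const char *label, outcome_t o)
{
    printf("%-18s rules_left=%d ike_down=%d child_down=%d\n",
           label, o.rules_left, o.ike_down, o.child_down);
}

int main(void)
{
    show("rekey:", rekey_ike_sa());
    show("reauth, REKEYING:", reauth_make_before_break(true));
    show("reauth, fixed:", reauth_make_before_break(false));
    return 0;
}
```

Running it shows the two cases the ticket distinguishes: in the rekey the hooks are correctly skipped and the replacement keeps both rules, while in the pre-fix reauth path the old IKE_SA is deleted without any down hook and leaves both of its rules installed; keeping it ESTABLISHED makes the delete run one IKE and two CHILD down hooks and leaves nothing behind.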