From 6de79119f8ac35ae5fcabb55486c883ea9341596 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 11 Jun 2020 14:33:22 +0200
Subject: [PATCH] ike-rekey: Don't actively rekey already rekeyed SAs

If the peer successfully rekeyed the SA it gets marked as IKE_REKEYED and it remains until the peer deletes it (or a timeout). There is no point in rekeying such SAs again. IKE_REKEYING will be relevant if we have multi-KE rekeyings and are waiting for followup key exchanges for a passive rekeying.
---
 src/libcharon/sa/ikev2/tasks/ike_rekey.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 81e7603040..65f6ca2fd3 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -168,6 +168,14 @@ METHOD(task_t, build_i, status_t,
 /* create new SA only on first try */
 if (!this->new_sa)
 {
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING ||
+ this->ike_sa->get_state(this->ike_sa) == IKE_REKEYED)
+ {
+ /* ignore SAs that have or are currently being rekeyed passively */
+ message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+ return SUCCESS;
+ }
+
 version = this->ike_sa->get_version(this->ike_sa);
 this->new_sa = charon->ike_sa_manager->create_new(
 charon->ike_sa_manager, version, TRUE);
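Review bot: The new guard calls `this->ike_sa->get_state(this->ike_sa)` twice inside one condition; reading the state once into a local, `ike_sa_state_t state = this->ike_sa->get_state(this->ike_sa);` and then testing `if (state == IKE_REKEYING || state == IKE_REKEYED)`, is shorter and makes it explicit that both comparisons see the same value. The added comment says which SAs are skipped but not why the exchange is cancelled by setting EXCHANGE_TYPE_UNDEFINED and returning SUCCESS rather than reporting a failure; a second line such as `/* no request is sent and the task completes without altering the SA */` would save the next reader a trip to the task manager, which handles the undefined exchange type outside this hunk, so the exact effect is inferred. The commit message notes that the IKE_REKEYING half of the check only becomes relevant with multi-KE rekeying; a brief mention of that in the code comment would keep the two conditions from looking redundant. build_i begins and ends outside the hunk.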