diff --git a/programs/pluto/state.c b/programs/pluto/state.c
index 7b33145..a3bcc3c 100644
--- a/programs/pluto/state.c
+++ b/programs/pluto/state.c
@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
d = next;
}
|
- if (c->newest_isakmp_sa != SOS_NOBODY &&
- c->newest_isakmp_sa != pst->st_serialno) {
- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ /*
+ * This only affects IKEv2, since we don't store any
+ * received INITIAL_CONTACT for IKEv1.
+ * We don't do this on IKEv1, because it seems to
+ * confuse various third parties (Windows, Cisco VPN 300,
+ * and juniper
+ * likely because this would be called before the IPsec SA
+ * of QuickMode is installed, so the remote endpoints view
+ * this IKE SA still as the active one?
+ */
+ if (pst->st_seen_initialc) {
|
- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
- old_p1->st_connection->name));
- old_p1->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p1);
- }
+ if (c->newest_isakmp_sa != SOS_NOBODY &&
+ c->newest_isakmp_sa != pst->st_serialno) {
+ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
|
- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
- {
- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+ old_p1->st_connection->name));
+ old_p1->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p1);
+ }
|
- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ if (c->newest_ipsec_sa != SOS_NOBODY)
{
- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
- c->newest_ipsec_sa, c->name));
- old_p2->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p2);
+ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+
+ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ {
+ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+ c->newest_ipsec_sa, c->name));
+ old_p2->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p2);
+ }
}
}
|
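Review bot: The IKE-SA branch moved under `if (pst->st_seen_initialc)` still dereferences `old_p1` (`old_p1->st_connection->name`, `old_p1->st_suppress_del_notify`) with no NULL check, while the IPsec-SA branch right below it explicitly handles `state_by_serialno()` returning NULL via `d = old_p2 == NULL ? NULL : old_p2->st_connection`; a stale `newest_isakmp_sa` serial whose state is already gone would crash pluto on a peer-triggered code path. Wrap the body in a guard, `if (old_p1 != NULL) { ... }`, or bail with `if (old_p1 == NULL) { DBG(DBG_CONTROL, DBG_log("replaced IKE state #%lu already gone", c->newest_isakmp_sa)); } else { ... }`, matching the `old_p2` handling. Separately, `c == d && same_id(&c->spd.that.id, &d->spd.that.id)` compares an id with itself once `c == d` holds, so the `same_id` term appears to be a no-op as written; presumably the intent was to compare against the new state's peer id, which is worth confirming with the author rather than carrying over silently. The new comment block is also missing the closing parenthesis after "juniper". The enclosing function `ISAKMP_SA_established` begins before this hunk.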