IKEv2: OE connection timing out could accidentally overwrite tunnel p…

…olicy The failure scenario: west OE initiates conn private #1 to east but east is not running pluto. west keeps trying (keyingtries=%forver) east is started, and triggers its own OE initiatialize to west west creates a new IKE state #2 and an IPsec tunnel is installed. west state #1 finds out it is no longer newest IKE SA and deletes itself west will try to install an OE bare shunt on deleting, overwriting the IPsec tunnel out policy. This commit ensures west skips creating bare shunts when it is no longer c->newest_isakmp_sa
libreswan · Jun 28, 2019 · 24bffe6 · 24bffe6
1 parent fc5da93
commit 24bffe6
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/programs/pluto/state.c b/programs/pluto/state.c
@@ -896,7 +896,8 @@ void delete_state(struct state *st)
 		linux_audit_conn(st, LAK_PARENT_DESTROY);
 
 	/* If we are failed OE initiator, make shunt bare */
-	if (IS_IKE_SA(st) && (c->policy & POLICY_OPPORTUNISTIC) &&
+	if (IS_IKE_SA(st) && c->newest_isakmp_sa == st->st_serialno
+	   && (c->policy & POLICY_OPPORTUNISTIC) &&
 	    (st->st_state->kind == STATE_PARENT_I1 ||
 	     st->st_state->kind == STATE_PARENT_I2)) {
 		ipsec_spi_t failure_shunt = shunt_policy_spi(c, FALSE /* failure_shunt */);