From: tobhe
Date: Tue, 23 Mar 2021 21:31:29 +0000 (+0000)
Subject: Don't send DELETE notify if IKE SA is replaced because of
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=402eaff54e7845e7cf82f69ab69bdc5221b0b1c2;p=openbsd
Don't send DELETE notify if IKE SA is replaced because of 'enforcesingleikesa'. Fixes an interop problem with strongswan if make-before-break is enabled. ok patrick@
---
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 819e9d5be24..fd917367799 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.318 2021/03/15 22:29:17 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.319 2021/03/23 21:31:29 tobhe Exp $ */
 /* * Copyright (c) 2019 Tobias Heider
@@ -3409,7 +3409,7 @@ ikev2_record_dstid(struct iked *env, struct iked_sa *sa)
 if (osa->sa_state == IKEV2_STATE_ESTABLISHED) ikev2_disable_timer(env, osa);
 ikev2_ike_sa_setreason(osa, "sa replaced");
- ikev2_ikesa_delete(env, osa, 1);
+ ikev2_ikesa_delete(env, osa, 0);
 timer_add(env, &osa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT);
 }
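Review bot: The bare `0` now passed in `ikev2_ikesa_delete(env, osa, 0)` carries the whole intent of this change, yet nothing at the call site says the DELETE notify is withheld on purpose. A comment above the call would stop a later reader from reverting it, for example `/* enforcesingleikesa: close the old SA locally, send no DELETE (interop with peers doing make-before-break) */`. Because the peer is no longer told, it presumably keeps its copy of the old IKE SA until its own liveness check or lifetime removes it, which is worth stating in that comment if it is the accepted trade-off. It would also be good to confirm that the `timer_add(env, &osa->sa_timer, 3 * IKED_RETRANSMIT_TIMEOUT)` that follows still frees `osa` when no delete exchange is outstanding; the timer's callback is set outside this hunk, and the enclosing block begins before it.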