[Swan-dev] Always delete outbound SA with inbound SA

Herbert Xu herbert at gondor.apana.org.au
Fri Apr 10 11:44:26 EEST 2015

Ever since install_inbound_ipsec_sa was changed to always install
the outbound SA before the inbound SA, I have been getting outbound
SAs left behind when a phase 2 negotiation fails.  This is because
pluto will try to delete only the inbound SA if the negotiation
isn't complete.

Obviously this makes no sense so this patch changes delete_ipsec_sa
to always delete both SAs.

diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 0f40248..d58c36b 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2952,6 +2952,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
 void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
 		     bool inbound_only USED_BY_KLIPS)
+	/* Because install_inbound_ipsec_sa always sets up the outbound
+	 * SA first we always have to delete them both.
+	 */
+	inbound_only = FALSE;
 	switch (kern_interface) {
 	case USE_KLIPS:
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

More information about the Swan-dev mailing list