From c052b5d6296529f1373dd0de996a64002a5a10d0 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Mon, 2 Jul 2018 12:12:34 -0400
Subject: [PATCH] - Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors

---
 libreswan-3.25-relax-delete.patch | 62 +++++++++++++++++++++++++++++++
 libreswan.spec | 9 ++++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 libreswan-3.25-relax-delete.patch

diff --git a/libreswan-3.25-relax-delete.patch b/libreswan-3.25-relax-delete.patch
new file mode 100644
index 0000000..e5a0280
--- /dev/null
+++ b/libreswan-3.25-relax-delete.patch
@@ -0,0 +1,62 @@
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7b33145..a3bcc3c 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
+ d = next;
+ }
+ 
+- if (c->newest_isakmp_sa != SOS_NOBODY &&
+- c->newest_isakmp_sa != pst->st_serialno) {
+- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
++ /*
++ * This only affects IKEv2, since we don't store any
++ * received INITIAL_CONTACT for IKEv1.
++ * We don't do this on IKEv1, because it seems to
++ * confuse various third parties (Windows, Cisco VPN 300,
++ * and juniper
++ * likely because this would be called before the IPsec SA
++ * of QuickMode is installed, so the remote endpoints view
++ * this IKE SA still as the active one?
++ */
++ if (pst->st_seen_initialc) {
+ 
+- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+- old_p1->st_connection->name));
+- old_p1->st_suppress_del_notify = TRUE;
+- event_force(EVENT_SA_EXPIRE, old_p1);
+- }
++ if (c->newest_isakmp_sa != SOS_NOBODY &&
++ c->newest_isakmp_sa != pst->st_serialno) {
++ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ 
+- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
+- {
+- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
++ old_p1->st_connection->name));
++ old_p1->st_suppress_del_notify = TRUE;
++ event_force(EVENT_SA_EXPIRE, old_p1);
++ }
+ 
+- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++ if (c->newest_ipsec_sa != SOS_NOBODY)
+ {
+- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+- c->newest_ipsec_sa, c->name));
+- old_p2->st_suppress_del_notify = TRUE;
+- event_force(EVENT_SA_EXPIRE, old_p2);
++ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
++ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++
++ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++ {
++ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
++ c->newest_ipsec_sa, c->name));
++ old_p2->st_suppress_del_notify = TRUE;
++ event_force(EVENT_SA_EXPIRE, old_p2);
++ }
+ }
+ }
+ 
diff --git a/libreswan.spec b/libreswan.spec
index 8acc140..a3dc5cd 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -30,7 +30,7 @@ Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
 Version: 3.25
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -39,6 +39,9 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
+
+Patch1: libreswan-3.25-relax-delete.patch
+
 Requires(post): bash coreutils systemd
 Requires(preun): systemd
 Requires(postun): systemd
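Review bot: In the relocated `old_p1` block, the result of `state_by_serialno(c->newest_isakmp_sa)` is dereferenced unconditionally (`old_p1->st_connection->name`, then `st_suppress_del_notify`), while the sibling `old_p2` lookup a few lines below explicitly guards against a NULL return, so the two lookups are handled inconsistently and the first can crash pluto if `newest_isakmp_sa` points at a state that has already gone. The cheap fix is to mirror the `old_p2` handling: `if (old_p1 != NULL) {` around the log/expire block, closing it before the outer `}`. Separately, gating the whole block on `pst->st_seen_initialc` means a peer that never sends INITIAL_CONTACT now leaves its replaced IKE SA (and its keys) alive until that SA's own lifetime expires, so the new comment should state that trade-off plainly rather than trail off with a question mark, e.g. `/* Without INITIAL_CONTACT the replaced IKE SA is left to expire on its own timer. */`. The `(Windows, Cisco VPN 300, and juniper` remark in the same comment also never closes its parenthesis. ISAKMP_SA_established begins before this hunk, so the surrounding `c` and `d` declarations are not visible here.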
@@ -102,6 +105,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in +%patch1 -p1 %build %if 0%{with_efence} @@ -208,6 +212,9 @@ export NSS_DISABLE_HW_GCM=1 %{_libdir}/fipscheck/pluto.hmac %changelog +* Mon Jul 02 2018 Paul Wouters - 3.25-2 +- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors + * Wed Jun 27 2018 Paul Wouters - 3.25-1 - Updated to 3.25