Handle NO_PROPOSAL_CHOSEN for CREATE_CHILD_SA.

ok markus@

1 files changed, 10 insertions, 2 deletions

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 2f7b781a195..3b552f7468a 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.296 2021/01/21 16:46:47 tobhe Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.297 2021/01/21 16:50:46 tobhe Exp $	*/
 
 /*
  * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -1163,7 +1163,7 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
 		if (msg->msg_flags & IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN) {
 			log_info("%s: failed to negotiate IKE SA",
 			    SPI_SA(sa, __func__));
-			ikev2_ike_sa_setreason(sa, "no proposal chosen");
+			ikev2_ike_sa_setreason(sa, "no proposal chosen (IKE SA)");
 			sa_state(env, sa, IKEV2_STATE_CLOSED);
 			msg->msg_sa = NULL;
 			return;
@@ -1172,6 +1172,14 @@ ikev2_init_recv(struct iked *env, struct iked_message *msg,
 		(void)ikev2_ike_auth_recv(env, sa, msg);
 		break;
 	case IKEV2_EXCHANGE_CREATE_CHILD_SA:
+		if (msg->msg_flags & IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN) {
+			log_info("%s: CREATE_CHILD_SA failed",
+			    SPI_SA(sa, __func__));
+			ikev2_ike_sa_setreason(sa, "no proposal chosen (CHILD SA)");
+			sa_state(env, sa, IKEV2_STATE_CLOSED);
+			msg->msg_sa = NULL;
+			return;
+		}
 		(void)ikev2_init_create_child_sa(env, msg);
 		break;
 	case IKEV2_EXCHANGE_INFORMATIONAL: