1 files changed, 10 insertions, 8 deletions

diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index c806e19ca..c7a8a1342 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -170,13 +170,8 @@ METHOD(task_t, build_i, status_t,
 	}
 	config = this->child_sa->get_config(this->child_sa);
 
-	/* we just need the rekey notify ... */
-	notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
-													this->protocol, REKEY_SA);
-	notify->set_spi(notify, this->spi);
-	message->add_payload(message, (payload_t*)notify);
 
-	/* ... our CHILD_CREATE task does the hard work for us. */
+	/* our CHILD_CREATE task does the hard work for us */
 	if (!this->child_create)
 	{
 		this->child_create = child_create_create(this->ike_sa,
@@ -194,6 +189,14 @@ METHOD(task_t, build_i, status_t,
 		schedule_delayed_rekey(this);
 		return FAILED;
 	}
+	if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+	{
+		/* don't add the notify if the CHILD_CREATE task changed the exchange */
+		notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
+													this->protocol, REKEY_SA);
+		notify->set_spi(notify, this->spi);
+		message->add_payload(message, (payload_t*)notify);
+	}
 	this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
 
 	return NEED_MORE;
@@ -334,8 +337,7 @@ METHOD(task_t, process_i, status_t,
 	if (this->child_create->task.process(&this->child_create->task,
 										 message) == NEED_MORE)
 	{
-		/* bad DH group while rekeying, try again */
-		this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
+		/* bad DH group while rekeying, retry, or failure requiring deletion */
 		return NEED_MORE;
 	}
 	if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)