ike: Don't send NAT keepalives if we have no path to the other peer

If there is no path to the other peer there is no point in trying to send a NAT keepalive. If the condition changes back and forth within the keepalive interval there is a chance that multiple jobs get queued.
2015-11-16 17:01:46 +01:00 · 2015-11-16 17:01:46 +01:00 · 34f7d3b7ae
parent 35d0b8b152
commit 34f7d3b7ae
1 changed files with 9 additions and 3 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -487,9 +487,12 @@ METHOD(ike_sa_t, send_keepalive, void,
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;

-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
-		this->state == IKE_PASSIVE)
-	{	/* disable keep alives if we are not NATed anymore, or we are passive */
+	if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+	{	/* keepalives disabled either by configuration or for passive IKE_SAs */
+		return;
+	}
+	if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+	{	/* disable keepalives if we are not NATed anymore, or the SA is stale */
 		return;
 	}

@ -590,6 +593,9 @@ METHOD(ike_sa_t, set_condition, void,
 								  has_condition(this, COND_NAT_THERE) ||
 								  has_condition(this, COND_NAT_FAKE));
 					break;
+				case COND_STALE:
+					send_keepalive(this);
+					break;
 				default:
 					break;
 			}