ike: Optionally use DPD to check if the current path still works

We could maybe check the duration of the last stale condition or when
the last packet was sent as filter to avoid unnecessary updates.

conf/options/charon.opt

@@ -40,6 +40,17 @@ charon.cache_crls = no
 	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
 	**/etc/swanctl/x509crl** (vici), respectively.
 
+charon.check_current_path = no
+	Whether to use DPD to check if the current path still works after any
+	changes to interfaces/addresses.
+
+	By default, after detecting any changes to interfaces and/or addresses no
+	action is taken if the current path to the remote peer still looks usable.
+	Enabling this option will use DPD to check if the path actually still works,
+	or, for instance, the peer removed the state after a longer phase without
+	connectivity.  It will also trigger a MOBIKE update if NAT mappings were
+	removed during the downtime.
+
 charon.cisco_unity = no
 	Send Cisco Unity vendor ID payload (IKEv1 only).
 

src/libcharon/sa/ike_sa.c

@@ -2708,6 +2708,14 @@ METHOD(ike_sa_t, roam, status_t,
 			this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
 			return this->task_manager->initiate(this->task_manager);
 		}
+		if (lib->settings->get_bool(lib->settings,
+								"%s.check_current_path", FALSE, lib->ns) &&
+			!this->task_manager->busy(this->task_manager))
+		{
+			DBG1(DBG_IKE, "checking if current path still works using DPD");
+			this->task_manager->queue_dpd(this->task_manager);
+			return this->task_manager->initiate(this->task_manager);
+		}
 		return SUCCESS;
 	}