Added a ipsec.conf "inactivity" option to configure inactivity timeout for CHILD_SAs

2010-01-27 16:05:11 +01:00 · 2010-01-27 16:05:11 +01:00 · 8015c91cb9
parent 71da001753
commit 8015c91cb9
9 changed files with 39 additions and 27 deletions
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@ -786,7 +786,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
 	child_cfg = child_cfg_create(
 				msg->add_conn.name, &lifetime,
 				msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
-				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, 0);
+				msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
+				msg->add_conn.inactivity);
 	child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
 											msg->add_conn.install_policy);
 	add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
--- a/src/starter/args.c
+++ b/src/starter/args.c
@ -227,6 +227,7 @@ static const token_info_t token_info[] =
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_delay), NULL                          },
 	{ ARG_TIME, offsetof(starter_conn_t, dpd_timeout), NULL                        },
 	{ ARG_ENUM, offsetof(starter_conn_t, dpd_action), LST_dpd_action               },
+	{ ARG_TIME, offsetof(starter_conn_t, inactivity), NULL                         },
 	{ ARG_MISC, 0, NULL  /* KW_MODECONFIG */                                       },
 	{ ARG_MISC, 0, NULL  /* KW_XAUTH */                                            },
 	{ ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool                   },
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@ -135,6 +135,8 @@ struct starter_conn {
 		dpd_action_t    dpd_action;
 		int             dpd_count;

+		time_t          inactivity;
+
 		bool            me_mediation;
 		char            *me_mediated_by;
 		char            *me_peerid;
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@ -348,6 +348,10 @@ defines the timeout interval, after which all connections to a peer are deleted
 in case of inactivity. This only applies to IKEv1, in IKEv2 the default
 retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
 .B eap
 defines the EAP type to propose as server if the client requests EAP
 authentication. This parameter is deprecated in the favour of
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@ -90,6 +90,7 @@ typedef enum {
 	KW_DPDDELAY,
 	KW_DPDTIMEOUT,
 	KW_DPDACTION,
+	KW_INACTIVITY,
 	KW_MODECONFIG,
 	KW_XAUTH,
 	KW_MEDIATION,
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@ -81,6 +81,7 @@ pfsgroup,          KW_PFSGROUP
 dpddelay,          KW_DPDDELAY
 dpdtimeout,        KW_DPDTIMEOUT
 dpdaction,         KW_DPDACTION
+inactivity,        KW_INACTIVITY
 modeconfig,        KW_MODECONFIG
 xauth,             KW_XAUTH
 mediation,         KW_MEDIATION
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@ -264,6 +264,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
 	msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
 	msg.add_conn.dpd.delay = conn->dpd_delay;
 	msg.add_conn.dpd.action = conn->dpd_action;
+	msg.add_conn.inactivity = conn->inactivity;
 	msg.add_conn.ikeme.mediation = conn->me_mediation;
 	msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
 	msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@ -223,6 +223,7 @@ struct stroke_msg_t {
 			int mobike;
 			int force_encap;
 			int ipcomp;
+			time_t inactivity;
 			int proxy_mode;
 			int install_policy;