Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame
This commit is contained in:
parent
7a87381840
commit
8a0a1ae857
|
@ -76,11 +76,21 @@ METHOD(job_t, execute, job_requeue_t,
|
|||
}
|
||||
else
|
||||
{
|
||||
/* destroy IKE_SA did not complete connecting phase */
|
||||
/* destroy IKE_SA only if it did not complete connecting phase */
|
||||
if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
|
||||
{
|
||||
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
else if (ike_sa->get_version(ike_sa) == IKEV1 &&
|
||||
ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
|
||||
{ /* as initiator we waited for the peer to initiate e.g. an
|
||||
* XAuth exchange, reauth the SA to eventually trigger DPD */
|
||||
DBG1(DBG_JOB, "peer did not initiate expected exchange, "
|
||||
"reestablishing IKE_SA");
|
||||
ike_sa->reauth(ike_sa);
|
||||
charon->ike_sa_manager->checkin_and_destroy(
|
||||
charon->ike_sa_manager, ike_sa);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
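Review bot: The new branch at `else if (ike_sa->get_version(ike_sa) == IKEV1 &&` decides on version and COND_ORIGINAL_INITIATOR alone, so every IKEv1 initiator SA still in IKE_CONNECTING when a delete job fires is reestablished rather than deleted, not only the ones that scheduled the job while waiting for an XAuth request — the job carries no record of why it was queued, and the comment's "e.g." suggests that ambiguity is known. If reauth() brings the SA back into the same waiting state, the next HALF_OPEN_IKE_SA_TIMEOUT repeats the cycle with no attempt bound visible in this hunk; either document that an unbounded reestablish loop is intended or count the attempts before falling through to the delete path. The status_t from `ike_sa->reauth(ike_sa);` is dropped, so a failed reestablish is silently followed by checkin_and_destroy; at minimum log it, e.g. `if (ike_sa->reauth(ike_sa) != SUCCESS) { DBG1(DBG_JOB, "reestablishing IKE_SA failed"); }`. The enclosing execute() starts before and continues after this hunk.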
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
#include <sa/ikev1/tasks/informational.h>
|
||||
#include <sa/ikev1/tasks/isakmp_delete.h>
|
||||
#include <processing/jobs/adopt_children_job.h>
|
||||
#include <processing/jobs/delete_ike_sa_job.h>
|
||||
|
||||
typedef struct private_aggressive_mode_t private_aggressive_mode_t;
|
||||
|
||||
|
@ -299,8 +300,14 @@ METHOD(task_t, build_i, status_t,
|
|||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
/* wait for XAUTH request */
|
||||
{ /* wait for XAUTH request, since this may never come,
|
||||
* we queue a timeout */
|
||||
job_t *job = (job_t*)delete_ike_sa_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa), FALSE);
|
||||
lib->scheduler->schedule_job(lib->scheduler, job,
|
||||
HALF_OPEN_IKE_SA_TIMEOUT);
|
||||
break;
|
||||
}
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
case AUTH_HYBRID_RESP_RSA:
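Review bot: The delete job scheduled after `job_t *job = (job_t*)delete_ike_sa_job_create(` is never cancelled once the XAuth request does arrive, so every successful XAuth initiator connection keeps a pending job for HALF_OPEN_IKE_SA_TIMEOUT that later checks out the established SA only to check it back in; that is harmless but worth a comment on the `schedule_job` line, e.g. `/* job is not cancelled; if XAuth completes it finds the SA established and checks it in */`. Reusing HALF_OPEN_IKE_SA_TIMEOUT, a responder-side half-open limit, as the bound for how long a peer may take to start XAuth is a policy choice that deserves a comment where the constant is used, since a slow peer now triggers the timeout path with no separate knob. The block presumably relies on delete_ike_sa_job_create() cloning the ike_sa_id_t returned by get_id() rather than keeping the pointer — confirm, since the SA outlives neither the job nor this task reliably. The identical block is added in main_mode.c process_i in the later hunk; a small shared helper in the ikev1 task code would avoid keeping the two copies in sync.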
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
#include <sa/ikev1/tasks/informational.h>
|
||||
#include <sa/ikev1/tasks/isakmp_delete.h>
|
||||
#include <processing/jobs/adopt_children_job.h>
|
||||
#include <processing/jobs/delete_ike_sa_job.h>
|
||||
|
||||
typedef struct private_main_mode_t private_main_mode_t;
|
||||
|
||||
|
@ -638,8 +639,14 @@ METHOD(task_t, process_i, status_t,
|
|||
case AUTH_XAUTH_INIT_PSK:
|
||||
case AUTH_XAUTH_INIT_RSA:
|
||||
case AUTH_HYBRID_INIT_RSA:
|
||||
/* wait for XAUTH request */
|
||||
{ /* wait for XAUTH request, since this may never come,
|
||||
* we queue a timeout */
|
||||
job_t *job = (job_t*)delete_ike_sa_job_create(
|
||||
this->ike_sa->get_id(this->ike_sa), FALSE);
|
||||
lib->scheduler->schedule_job(lib->scheduler, job,
|
||||
HALF_OPEN_IKE_SA_TIMEOUT);
|
||||
break;
|
||||
}
|
||||
case AUTH_XAUTH_RESP_PSK:
|
||||
case AUTH_XAUTH_RESP_RSA:
|
||||
case AUTH_HYBRID_RESP_RSA:
|
||||
|
|