Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time frame

src/libcharon/processing/jobs/delete_ike_sa_job.c

@@ -76,11 +76,21 @@ METHOD(job_t, execute, job_requeue_t,
 		}
 		else
 		{
-			/* destroy IKE_SA did not complete connecting phase */
+			/* destroy IKE_SA only if it did not complete connecting phase */
 			if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
 			{
 				charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 			}
+			else if (ike_sa->get_version(ike_sa) == IKEV1 &&
+					 ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+			{	/* as initiator we waited for the peer to initiate e.g. an
+				 * XAuth exchange, reauth the SA to eventually trigger DPD */
+				DBG1(DBG_JOB, "peer did not initiate expected exchange, "
+					 "reestablishing IKE_SA");
+				ike_sa->reauth(ike_sa);
+				charon->ike_sa_manager->checkin_and_destroy(
+												charon->ike_sa_manager, ike_sa);
+			}
 			else
 			{
 				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");

src/libcharon/sa/ikev1/tasks/aggressive_mode.c

@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_aggressive_mode_t private_aggressive_mode_t;
 
@@ -299,8 +300,14 @@ METHOD(task_t, build_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA:

src/libcharon/sa/ikev1/tasks/main_mode.c

@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -638,8 +639,14 @@ METHOD(task_t, process_i, status_t,
 				case AUTH_XAUTH_INIT_PSK:
 				case AUTH_XAUTH_INIT_RSA:
 				case AUTH_HYBRID_INIT_RSA:
-					/* wait for XAUTH request */
+				{	/* wait for XAUTH request, since this may never come,
+					 * we queue a timeout */
+					job_t *job = (job_t*)delete_ike_sa_job_create(
+									this->ike_sa->get_id(this->ike_sa), FALSE);
+					lib->scheduler->schedule_job(lib->scheduler, job,
+												 HALF_OPEN_IKE_SA_TIMEOUT);
 					break;
+				}
 				case AUTH_XAUTH_RESP_PSK:
 				case AUTH_XAUTH_RESP_RSA:
 				case AUTH_HYBRID_RESP_RSA: