ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

ike: Don't immediately DPD after deferred DELETEs following IKE_SA rekeying 

Some peers seem to defer DELETEs a few seconds after rekeying the IKE_SA, which
is perfectly valid. For short(er) DPD delays, this leads to the situation where
we send a DPD request during set_state(), but the IKE_SA has no hosts set yet.
Avoid that DPD by resetting the INBOUND timestamp during set_state().
This commit is contained in:
Martin Willi 2013-11-01 11:28:53 +01:00
parent 7b8fbd7402
commit b76e96e2ef
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libcharon/sa/ike_sa.c
View File

@ -687,6 +687,14 @@ METHOD(ike_sa_t, set_state, void,
DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
}
trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
if (trigger_dpd)
{
/* Some peers delay the DELETE after rekeying an IKE_SA.
* If this delay is longer than our DPD delay, we would
* send a DPD request here. The IKE_SA is not ready to do
* so yet, so prevent that. */
this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
}
}
break;
}