ike: Disable NAT keepalives in state PASSIVE

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2015-04-24 13:43:11 +02:00 · 2015-04-24 13:43:11 +02:00 · edaba56ec7
parent 008a9ad12c
commit edaba56ec7
1 changed files with 12 additions and 3 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -487,8 +487,9 @@ METHOD(ike_sa_t, send_keepalive, void,
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;

-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
-	{	/* disable keep alives if we are not NATed anymore */
+	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
+		this->state == IKE_PASSIVE)
+	{	/* disable keep alives if we are not NATed anymore, or we are passive */
 		return;
 	}

@ -651,7 +652,7 @@ METHOD(ike_sa_t, get_state, ike_sa_state_t,
 METHOD(ike_sa_t, set_state, void,
 	private_ike_sa_t *this, ike_sa_state_t state)
 {
-	bool trigger_dpd = FALSE;
+	bool trigger_dpd = FALSE, keepalives = FALSE;

 	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
 		 get_name(this), this->unique_id,
@ -722,6 +723,10 @@ METHOD(ike_sa_t, set_state, void,
 					 * so yet, so prevent that. */
 					this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
 				}
+				if (this->state == IKE_PASSIVE)
+				{
+					keepalives = TRUE;
+				}
 			}
 			break;
 		}
@ -742,6 +747,10 @@ METHOD(ike_sa_t, set_state, void,
 			DBG1(DBG_IKE, "DPD not supported by peer, disabled");
 		}
 	}
+	if (keepalives)
+	{
+		send_keepalive(this);
+	}
 }

 METHOD(ike_sa_t, reset, void,