ikev1: Respond to DPDs for rekeyed IKE_SAs
Some devices always use the oldest IKE_SA to send DPDs and will delete all IKE_SAs when there is no response. If uniqueness is not enforced, rekeyed IKE_SAs might not get deleted until they expire, so we should respond to DPDs. References #2090.
parent
597e8c9e00
commit
f15c85a487
|
@ -762,6 +762,10 @@ METHOD(ike_sa_t, send_dpd, status_t,
|
|||
{
|
||||
return INVALID_STATE;
|
||||
}
|
||||
if (this->version == IKEV1 && this->state == IKE_REKEYING)
|
||||
{ /* don't send DPDs for rekeyed IKEv1 SAs */
|
||||
return SUCCESS;
|
||||
}
|
||||
delay = this->peer_cfg->get_dpd(this->peer_cfg);
|
||||
if (this->task_manager->busy(this->task_manager))
|
||||
{
|
||||
|
|
|
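Review bot: The early `return SUCCESS;` in the new `IKE_REKEYING` branch of `send_dpd` reports the same status as a completed liveness check, so a caller cannot tell a skipped probe from a live peer. The one-line comment also does not say why skipping is safe. I would expand it to something like `/* don't send DPDs for rekeyed IKEv1 SAs; the SA is only kept to answer the peer's DPDs until it is deleted or expires */`. The rest of `send_dpd` is outside the hunk, so I cannot see whether the periodic DPD job is rescheduled after this point. If it is, the superseded SA gets no further liveness checks of its own, and it is worth confirming that its delete or expiry always fires so stale keys do not linger.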
@ -552,6 +552,12 @@ METHOD(task_manager_t, initiate, status_t,
|
|||
new_mid = TRUE;
|
||||
break;
|
||||
}
|
||||
if (activate_task(this, TASK_ISAKMP_DPD))
|
||||
{
|
||||
exchange = INFORMATIONAL_V1;
|
||||
new_mid = TRUE;
|
||||
break;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
|
|
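Review bot: The new `activate_task(this, TASK_ISAKMP_DPD)` branch in `initiate` has no comment explaining why a DPD task may run in this state, and the `case` label it sits under is outside the hunk. Judging by the commit message it is presumably the rekeying state. Since `send_dpd` now returns early for rekeyed IKEv1 SAs, the only DPD task that should reach this point is the acknowledgement of a peer's request. A comment such as `/* answer the peer's DPD on a rekeyed SA; we never initiate DPDs in this state */` would record that. It would also help to confirm that nothing else can queue an outgoing DPD request on an SA in this state, so that the superseded SA only ever answers and never probes.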