Disable DPD checking for peers not supporting it
authorMartin Willi <martin@revosec.ch>
Tue, 10 Jan 2012 16:40:07 +0000 (17:40 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:35 +0000 (17:31 +0100)
src/libcharon/sa/ike_sa.c
src/libcharon/sa/ike_sa.h
src/libcharon/sa/ikev1/tasks/isakmp_vendor.c

index fbe1259..98d636f 100644 (file)
@@ -670,7 +670,14 @@ METHOD(ike_sa_t, set_state, void,
                                /* start DPD checks */
                                if (this->peer_cfg->get_dpd(this->peer_cfg))
                                {
-                                       send_dpd(this);
+                                       if (supports_extension(this, EXT_DPD))
+                                       {
+                                               send_dpd(this);
+                                       }
+                                       else
+                                       {
+                                               DBG1(DBG_IKE, "DPD not supported by peer, disabled");
+                                       }
                                }
                        }
                        break;
@@ -2037,6 +2044,11 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
                                                                        "charon.flush_auth_cfg", FALSE),
        );
 
+       if (version == IKEV2)
+       {       /* always supported with IKEv2 */
+               enable_extension(this, EXT_DPD);
+       }
+
        this->task_manager = task_manager_create(&this->public);
        this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
 
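Review bot: The new else branch in set_state (the `DBG1(DBG_IKE, "DPD not supported by peer, disabled")` line) leaves an IKEv1 peer that never announced the DPD vendor ID without any liveness checking, even though the peer config still reports DPD as enabled; that one log line is the only trace an operator gets. A comment beside the `supports_extension(this, EXT_DPD)` test should state the reason, e.g. `/* RFC 3706 DPD is negotiated via vendor ID only; an IKEv1 peer that did not announce it must not receive DPD exchanges, so dead-peer detection is effectively off for this SA */`, and the log message would be more useful if it named the peer or the connection. In the second hunk, `version` is not visible in the hunk, so I assume it is the constructor's version argument; note that set_state and ike_sa_create both start and end outside their hunks.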
index b7c96fd..3fc0a7b 100644 (file)
@@ -108,6 +108,11 @@ enum ike_extension_t {
         * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
         */
        EXT_XAUTH = (1<<7),
+
+       /**
+        * peer supports DPD detection, RFC 3706 (or IKEv2)
+        */
+       EXT_DPD = (1<<8),
 };
 
 /**
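Review bot: The doc comment on the new `EXT_DPD` value reads "peer supports DPD detection", which expands to "dead peer detection detection", and it does not say that the IKEv2 case is assumed rather than negotiated. Suggest `/** peer supports dead peer detection (DPD), RFC 3706; assumed for every IKEv2 peer, set from the vendor ID for IKEv1 */`. The enum ike_extension_t starts outside the hunk.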
index 8b5776d..ea0dff5 100755 (executable)
@@ -69,8 +69,8 @@ static struct {
        { "NAT-T (RFC 3947)", EXT_NATT, TRUE, 16,
          "\x4a\x13\x1c\x81\x07\x03\x58\x45\x5c\x57\x28\xf2\x0e\x95\x45\x2f"},
 
-       /* draft-ietf-ipsec-dpd-00 */
-       { "DPD", 0, TRUE, 16,
+       /* Dead peer detection, RFC 3706 */
+       { "DPD", EXT_DPD, TRUE, 16,
          "\xaf\xca\xd7\x13\x68\xa1\xf1\xc9\x6b\x86\x96\xfc\x77\x57\x01\x00"},
 
        { "draft-stenberg-ipsec-nat-traversal-01", 0, FALSE, 16,
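Review bot: The replaced comment drops the draft name (draft-ietf-ipsec-dpd-00) that the surrounding table uses for the other entries and that the 16-byte vendor ID presumably derives from, which makes the hash harder to re-verify. Suggest keeping both, `/* Dead peer detection, RFC 3706 (VID derived from draft-ietf-ipsec-dpd-00) */`. The table this entry belongs to starts outside the hunk, so the meaning of the `TRUE` field is not visible here; I assume it marks vendor IDs that are sent as well as recognised.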