ikev1: Ensure DPD_ACK is sent in time
authorAfschin Hormozdiary <afschin.hormozdiary@sophos.com>
Wed, 10 Oct 2018 08:01:05 +0000 (10:01 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 20 Nov 2018 09:24:48 +0000 (10:24 +0100)
If a lot of QUICK_MODE tasks are queued and the other side
sends a DPD request, there is a good chance for timeouts.

Observed this in cases where other side is quite slow in responding
QUICK_MODE requests (e.g. Cisco ASA v8.x) and about 100 CHILD_SAs
are to be spawned.

Closes strongswan/strongswan#115.

src/libcharon/sa/ikev1/task_manager_v1.c

index 7a1e16b..b1a8702 100644 (file)
@@ -544,20 +544,20 @@ METHOD(task_manager_t, initiate, status_t,
                                        new_mid = TRUE;
                                        break;
                                }
-                               if (!mode_config_expected(this) &&
-                                       activate_task(this, TASK_QUICK_MODE))
+                               if (activate_task(this, TASK_ISAKMP_DPD))
                                {
-                                       exchange = QUICK_MODE;
+                                       exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;
                                        break;
                                }
-                               if (activate_task(this, TASK_INFORMATIONAL))
+                               if (!mode_config_expected(this) &&
+                                       activate_task(this, TASK_QUICK_MODE))
                                {
-                                       exchange = INFORMATIONAL_V1;
+                                       exchange = QUICK_MODE;
                                        new_mid = TRUE;
                                        break;
                                }
-                               if (activate_task(this, TASK_ISAKMP_DPD))
+                               if (activate_task(this, TASK_INFORMATIONAL))
                                {
                                        exchange = INFORMATIONAL_V1;
                                        new_mid = TRUE;