mode_t mode;
/**
- * action to take on DPD/passive close
+ * action to take on DPD
*/
- action_t action;
+ action_t dpd_action;
+
+ /**
+ * action to take on CHILD_SA close
+ */
+ action_t close_action;
/**
* Time before an SA gets invalid
}
/**
- * Implementation of child_cfg_t.get_action
+ * Implementation of child_cfg_t.get_dpd_action
+ */
+static action_t get_dpd_action(private_child_cfg_t *this)
+{
+ return this->dpd_action;
+}
+
+/**
+ * Implementation of child_cfg_t.get_close_action
*/
-static action_t get_action(private_child_cfg_t *this)
+static action_t get_close_action(private_child_cfg_t *this)
{
- return this->action;
+ return this->close_action;
}
/**
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
char *updown, bool hostaccess, mode_t mode,
- action_t action)
+ action_t dpd_action, action_t close_action)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
this->public.get_updown = (char* (*) (child_cfg_t*))get_updown;
this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess;
this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode;
- this->public.get_action = (action_t (*) (child_cfg_t *))get_action;
+ this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
+ this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
this->public.get_ref = (void (*) (child_cfg_t*))get_ref;
this->updown = updown ? strdup(updown) : NULL;
this->hostaccess = hostaccess;
this->mode = mode;
- this->action = action;
+ this->dpd_action = dpd_action;
+ this->close_action = close_action;
this->refcount = 1;
this->proposals = linked_list_create();
this->my_ts = linked_list_create();
mode_t (*get_mode) (child_cfg_t *this);
/**
- * Action to take on DPD/passive close
+ * Action to take on DPD.
*
- * @return DPD/passive close action
+ * @return DPD action
*/
- action_t (*get_action) (child_cfg_t *this);
+ action_t (*get_dpd_action) (child_cfg_t *this);
+
+ /**
+ * Action to take if CHILD_SA gets closed.
+ *
+ * @return close action
+ */
+ action_t (*get_close_action) (child_cfg_t *this);
/**
* Get the DH group to use for CHILD_SA setup.
* @param updown updown script to execute on up/down event
* @param hostaccess TRUE to allow access to the local host
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
- * @param action DPD/passive close action
+ * @param dpd_action DPD action
+ * @param close_action lose action
* @return child_cfg_t object
*/
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
u_int32_t rekeytime, u_int32_t jitter,
char *updown, bool hostaccess, mode_t mode,
- action_t action);
+ action_t dpd_action, action_t close_action);
#endif /* CHILD_CFG_H_ @} */
&updown, &hostaccess, &mode))
{
child_cfg = child_cfg_create(name, lifetime, rekeytime, jitter,
- updown, hostaccess, mode, ACTION_NONE);
+ updown, hostaccess, mode,
+ ACTION_NONE, ACTION_NONE);
/* TODO: read proposal from db */
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
add_traffic_selectors(this, child_cfg, id);
{
child_cfg_t *child_cfg;
traffic_selector_t *ts;
- action_t action;
+ action_t dpd;
switch (msg->add_conn.dpd.action)
{ /* map startes magic values to our action type */
case 2: /* =hold */
- action = ACTION_ROUTE;
+ dpd = ACTION_ROUTE;
break;
case 3: /* =restart */
- action = ACTION_RESTART;
+ dpd = ACTION_RESTART;
break;
default:
- action = ACTION_NONE;
+ dpd = ACTION_NONE;
break;
}
child_cfg = child_cfg_create(
msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
- msg->add_conn.mode, action);
+ msg->add_conn.mode, dpd, ACTION_NONE);
ts = build_ts(this, &msg->add_conn.me);
if (!ts)
{
ike_sa_t *new;
host_t *host;
+ action_t action;
iterator_t *iterator;
child_sa_t *child_sa;
child_cfg_t *child_cfg;
while (iterator->iterate(iterator, (void**)&child_sa))
{
child_cfg = child_sa->get_config(child_sa);
- switch (child_cfg->get_action(child_cfg))
+ if (this->state == IKE_DELETING)
+ {
+ action = child_cfg->get_close_action(child_cfg);
+ }
+ else
+ {
+ action = child_cfg->get_dpd_action(child_cfg);
+ }
+ switch (action)
{
case ACTION_RESTART:
case ACTION_ROUTE:
while (iterator->iterate(iterator, (void**)&child_sa))
{
child_cfg = child_sa->get_config(child_sa);
- switch (child_cfg->get_action(child_cfg))
+ if (this->state == IKE_DELETING)
+ {
+ action = child_cfg->get_close_action(child_cfg);
+ }
+ else
+ {
+ action = child_cfg->get_dpd_action(child_cfg);
+ }
+ switch (action)
{
case ACTION_RESTART:
DBG1(DBG_IKE, "restarting CHILD_SA %s",
SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
break;
}
- case IKE_REKEYING:
- SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
- break;
case IKE_DELETING:
SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
break;
+ case IKE_REKEYING:
+ SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
+ /* FALL */
default:
+ reestablish(this);
break;
}
- reestablish(this);
return DESTROY_ME;
}
return SUCCESS;
this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
if (!this->initiator)
{ /* enforce child_cfg policy if deleted passively */
- switch (child_cfg->get_action(child_cfg))
+ switch (child_cfg->get_close_action(child_cfg))
{
case ACTION_RESTART:
child_cfg->get_ref(child_cfg);
* come so far without being correct */
switch (this->ike_sa->get_state(this->ike_sa))
{
- case IKE_DELETING:
- this->simultaneous = TRUE;
- break;
case IKE_ESTABLISHED:
DBG1(DBG_IKE, "deleting IKE_SA on request");
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
this->ike_sa->reestablish(this->ike_sa);
break;
- case IKE_REKEYING:
- break;
+ case IKE_DELETING:
+ this->simultaneous = TRUE;
+ /* FALL */
default:
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
break;
}
- this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
return NEED_MORE;
}