ike: Don't send NAT keepalives if we have no path to the other peer
authorTobias Brunner <tobias@strongswan.org>
Mon, 16 Nov 2015 16:01:46 +0000 (17:01 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 3 Mar 2016 16:15:37 +0000 (17:15 +0100)
If there is no path to the other peer there is no point in trying to
send a NAT keepalive.

If the condition changes back and forth within the keepalive interval there
is a chance that multiple jobs get queued.

src/libcharon/sa/ike_sa.c

index dcf9d5f..3632d62 100644 (file)
@@ -487,9 +487,12 @@ METHOD(ike_sa_t, send_keepalive, void,
        send_keepalive_job_t *job;
        time_t last_out, now, diff;
 
-       if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
-               this->state == IKE_PASSIVE)
-       {       /* disable keep alives if we are not NATed anymore, or we are passive */
+       if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+       {       /* keepalives disabled either by configuration or for passive IKE_SAs */
+               return;
+       }
+       if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+       {       /* disable keepalives if we are not NATed anymore, or the SA is stale */
                return;
        }
 
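Review bot: The second new guard tests the condition bits directly (`!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE)`) while the same file's set_condition code in the second hunk reads them through the `has_condition()` helper; `if (!has_condition(this, COND_NAT_HERE) || has_condition(this, COND_STALE))` would keep the two sites consistent and reads as a boolean rather than a masked integer. The commit message says a job can be queued more than once when COND_STALE flips within the keepalive interval, and because the part of send_keepalive that actually schedules the send_keepalive_job_t lies outside this hunk, nothing near the new returns records whether duplicate jobs are tolerated; a comment at the second return such as `/* also re-entered from set_condition() when COND_STALE is cleared; duplicate jobs may be queued — confirm the job copes with that */` would capture the known caveat for the next reader. The body of send_keepalive continues past the hunk.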
@@ -590,6 +593,9 @@ METHOD(ike_sa_t, set_condition, void,
                                                                  has_condition(this, COND_NAT_THERE) ||
                                                                  has_condition(this, COND_NAT_FAKE));
                                        break;
+                               case COND_STALE:
+                                       send_keepalive(this);
+                                       break;
                                default:
                                        break;
                        }
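Review bot: The added `case COND_STALE:` gives no hint why changing the stale flag should call send_keepalive(), and whether this switch sits in the set or the clear branch of set_condition is not visible here (the `has_condition(this, COND_NAT_THERE) || ...` context suggests the COND_NAT_ANY recomputation, but the enclosing `if` is outside the hunk). Since send_keepalive() now returns immediately while COND_STALE is set, the call can only schedule something when the condition is cleared, which is also the point at which a job may be queued repeatedly if the condition toggles, as the commit message notes. A comment above the call, e.g. `/* resume NAT keepalives once a path to the peer is available again */`, would make that intent explicit. set_condition starts and ends outside the hunk.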