CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
NULL, FALSE, NULL, NULL); /* pool, mediation */
auth = auth_cfg_create();
ike_cfg = load_ike_config(this, settings, config);
peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
- UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0,
+ UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
NULL, NULL, FALSE, NULL, NULL);
auth = auth_cfg_create();
u_int32_t dpd;
/**
+ * DPD timeout intervall (used for IKEv1 only)
+ */
+ u_int32_t dpd_timeout;
+
+ /**
* virtual IP to use locally
*/
host_t *virtual_ip;
return this->dpd;
}
+METHOD(peer_cfg_t, get_dpd_timeout, u_int32_t,
+ private_peer_cfg_t *this)
+{
+ return this->dpd_timeout;
+}
+
METHOD(peer_cfg_t, get_virtual_ip, host_t*,
private_peer_cfg_t *this)
{
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- host_t *virtual_ip, char *pool, bool mediation,
- peer_cfg_t *mediated_by, identification_t *peer_id)
+ u_int32_t dpd_timeout, host_t *virtual_ip,
+ char *pool, bool mediation, peer_cfg_t *mediated_by,
+ identification_t *peer_id)
{
private_peer_cfg_t *this;
.use_mobike = _use_mobike,
.use_aggressive = _use_aggressive,
.get_dpd = _get_dpd,
+ .get_dpd_timeout = _get_dpd_timeout,
.get_virtual_ip = _get_virtual_ip,
.get_pool = _get_pool,
.add_auth_cfg = _add_auth_cfg,
.use_mobike = mobike,
.aggressive = aggressive,
.dpd = dpd,
+ .dpd_timeout = dpd_timeout,
.virtual_ip = virtual_ip,
.pool = strdupnull(pool),
.local_auth = linked_list_create(),
u_int32_t (*get_dpd) (peer_cfg_t *this);
/**
+ * Get the DPD timeout interval (IKEv1 only)
+ *
+ * @return dpd_timeout in seconds
+ */
+ u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
+
+ /**
* Get a virtual IP for the local peer.
*
* If no virtual IP should be used, NULL is returned. %any means to request
* @param mobike use MOBIKE (RFC4555) if peer supports it
* @param aggressive use/accept aggressive mode with IKEv1
* @param dpd DPD check interval, 0 to disable
+ * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
* @param virtual_ip virtual IP for local host, or NULL
* @param pool pool name to get configuration attributes from, or NULL
* @param mediation TRUE if this is a mediation connection
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- host_t *virtual_ip, char *pool, bool mediation,
- peer_cfg_t *mediated_by, identification_t *peer_id);
+ u_int32_t dpd_timeout, host_t *virtual_ip,
+ char *pool, bool mediation, peer_cfg_t *mediated_by,
+ identification_t *peer_id);
#endif /** PEER_CFG_H_ @}*/
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
host_create_from_string("0.0.0.0", 0) /* virt */,
NULL, FALSE, NULL, NULL); /* pool, mediation */
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
- NULL, NULL, FALSE, NULL, NULL);
+ 0, NULL, NULL, FALSE, NULL, NULL);
auth_cfg = auth_cfg_create();
auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
u_int dpd_delay;
/**
+ * DPD timeout (IKEv1 only)
+ */
+ u_int dpd_timeout;
+
+ /**
* incremental numbering of generated configs
*/
u_int num;
this->ike_rekey, 0, /* rekey, reauth */
0, this->ike_rekey, /* jitter, overtime */
FALSE, FALSE, /* mobike, aggressive mode */
- this->dpd_delay, /* dpddelay */
+ this->dpd_delay, /* dpd_delay */
+ this->dpd_timeout, /* dpd_timeout */
this->vip ? this->vip->clone(this->vip) : NULL,
this->pool, FALSE, NULL, NULL);
if (num)
"%s.plugins.load-tester.child_rekey", 600, charon->name);
this->dpd_delay = lib->settings->get_int(lib->settings,
"%s.plugins.load-tester.dpd_delay", 0, charon->name);
+ this->dpd_timeout = lib->settings->get_int(lib->settings,
+ "%s.plugins.load-tester.dpd_timeout", 0, charon->name);
this->initiator_auth = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.initiator_auth", "pubkey", charon->name);
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
host_create_from_string("0.0.0.0", 0) /* virt */,
NULL, FALSE, NULL, NULL); /* pool, mediation */
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggressive, dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggressive, dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, med_cfg, /* mediation, med by */
identification_create_from_encoding(ID_KEY_ID, other));
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressiv */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
peer_cfg = peer_cfg_create(
name, IKEV2, ike, cert_policy, uniqueid,
keyingtries, rekeytime, reauthtime, jitter, overtime,
- mobike, FALSE, dpd_delay, vip, pool,
+ mobike, FALSE, dpd_delay, 0, vip, pool,
mediation, mediated_cfg, peer_id);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
msg->add_conn.version, ike_cfg,
msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
- msg->add_conn.mobike, msg->add_conn.aggressive, msg->add_conn.dpd.delay,
+ msg->add_conn.mobike, msg->add_conn.aggressive,
+ msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
vip, msg->add_conn.other.sourceip_mask ?
msg->add_conn.name : msg->add_conn.other.sourceip,
msg->add_conn.ikeme.mediation, mediated_by, peer_id);
DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
DBG2(DBG_CFG, " dpddelay=%d", msg->add_conn.dpd.delay);
+ DBG2(DBG_CFG, " dpdtimeout=%d", msg->add_conn.dpd.timeout);
DBG2(DBG_CFG, " dpdaction=%d", msg->add_conn.dpd.action);
DBG2(DBG_CFG, " closeaction=%d", msg->add_conn.close_action);
DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
1800, 900, /* jitter, overtime */
- TRUE, FALSE, 60, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ 60, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
auth = auth_cfg_create();
}
enumerator->destroy(enumerator);
- /* check if no incoming packet during timeout, reestalish SA */
+ /* check if no incoming packet during timeout, reestablish SA */
if (use_time < this->check)
{
DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
METHOD(task_manager_t, queue_dpd, void,
private_task_manager_t *this)
{
- u_int32_t t = 0, retransmit;
+ peer_cfg_t *peer_cfg;
+ u_int32_t t, retransmit;
queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
this->dpd_send++));
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- /* schedule DPD timeout job using the same timeout as a retransmitting
- * IKE message would have. */
- for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
+ /* compute timeout in milliseconds */
+ t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
+ if (t == 0)
{
- t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
- pow(this->retransmit_base, retransmit));
+ /* use the same timeout as a retransmitting IKE message would have */
+ for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
+ {
+ t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
+ pow(this->retransmit_base, retransmit));
+ }
}
+
+ /* schedule DPD timeout job */
lib->scheduler->schedule_job_ms(lib->scheduler,
(job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
}
cfg->conn_default.addr_family = AF_INET;
cfg->conn_default.tunnel_addr_family = AF_INET;
cfg->conn_default.install_policy = TRUE;
- cfg->conn_default.dpd_delay = 30; /* seconds */
+ cfg->conn_default.dpd_delay = 30; /* seconds */
cfg->conn_default.dpd_timeout = 150; /* seconds */
cfg->conn_default.left.seen = LEMPTY;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
+ msg.add_conn.dpd.timeout = conn->dpd_timeout;
msg.add_conn.dpd.action = conn->dpd_action;
msg.add_conn.close_action = conn->close_action;
msg.add_conn.inactivity = conn->inactivity;
} rekey;
struct {
time_t delay;
+ time_t timeout;
int action;
} dpd;
struct {