Delete IKE_SAs if responder does not initiate XAuth exchange within a certain time...
authorTobias Brunner <tobias@strongswan.org>
Fri, 21 Sep 2012 10:14:29 +0000 (12:14 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Mar 2013 11:00:00 +0000 (12:00 +0100)
src/libcharon/processing/jobs/delete_ike_sa_job.c
src/libcharon/sa/ikev1/tasks/aggressive_mode.c
src/libcharon/sa/ikev1/tasks/main_mode.c

index 3a8c2e1..a394e9d 100644 (file)
@@ -76,11 +76,21 @@ METHOD(job_t, execute, job_requeue_t,
                }
                else
                {
-                       /* destroy IKE_SA did not complete connecting phase */
+                       /* destroy IKE_SA only if it did not complete connecting phase */
                        if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
                        {
                                charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
                        }
+                       else if (ike_sa->get_version(ike_sa) == IKEV1 &&
+                                        ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+                       {       /* as initiator we waited for the peer to initiate e.g. an
+                                * XAuth exchange, reauth the SA to eventually trigger DPD */
+                               DBG1(DBG_JOB, "peer did not initiate expected exchange, "
+                                        "reestablishing IKE_SA");
+                               ike_sa->reauth(ike_sa);
+                               charon->ike_sa_manager->checkin_and_destroy(
+                                                                                               charon->ike_sa_manager, ike_sa);
+                       }
                        else
                        {
                                DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
index 7336d5d..6b00706 100644 (file)
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_aggressive_mode_t private_aggressive_mode_t;
 
@@ -299,8 +300,14 @@ METHOD(task_t, build_i, status_t,
                                case AUTH_XAUTH_INIT_PSK:
                                case AUTH_XAUTH_INIT_RSA:
                                case AUTH_HYBRID_INIT_RSA:
-                                       /* wait for XAUTH request */
+                               {       /* wait for XAUTH request, since this may never come,
+                                        * we queue a timeout */
+                                       job_t *job = (job_t*)delete_ike_sa_job_create(
+                                                                       this->ike_sa->get_id(this->ike_sa), FALSE);
+                                       lib->scheduler->schedule_job(lib->scheduler, job,
+                                                                                                HALF_OPEN_IKE_SA_TIMEOUT);
                                        break;
+                               }
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA:
index bc9d4bb..441bd7a 100644 (file)
@@ -30,6 +30,7 @@
 #include <sa/ikev1/tasks/informational.h>
 #include <sa/ikev1/tasks/isakmp_delete.h>
 #include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
 
 typedef struct private_main_mode_t private_main_mode_t;
 
@@ -638,8 +639,14 @@ METHOD(task_t, process_i, status_t,
                                case AUTH_XAUTH_INIT_PSK:
                                case AUTH_XAUTH_INIT_RSA:
                                case AUTH_HYBRID_INIT_RSA:
-                                       /* wait for XAUTH request */
+                               {       /* wait for XAUTH request, since this may never come,
+                                        * we queue a timeout */
+                                       job_t *job = (job_t*)delete_ike_sa_job_create(
+                                                                       this->ike_sa->get_id(this->ike_sa), FALSE);
+                                       lib->scheduler->schedule_job(lib->scheduler, job,
+                                                                                                HALF_OPEN_IKE_SA_TIMEOUT);
                                        break;
+                               }
                                case AUTH_XAUTH_RESP_PSK:
                                case AUTH_XAUTH_RESP_RSA:
                                case AUTH_HYBRID_RESP_RSA: