ikev1: Respond to DPDs for rekeyed IKE_SAs

Some devices always use the oldest IKE_SA to send DPDs and will delete
all IKE_SAs when there is no response. If uniqueness is not enforced
rekeyed IKE_SAs might not get deleted until they expire so we should
respond to DPDs.

References #2090.

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 76294ce..76e1069 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -762,6 +762,10 @@ METHOD(ike_sa_t, send_dpd, status_t,
        {
                return INVALID_STATE;
        }
+       if (this->version == IKEV1 && this->state == IKE_REKEYING)
+       {       /* don't send DPDs for rekeyed IKEv1 SAs */
+               return SUCCESS;
+       }
        delay = this->peer_cfg->get_dpd(this->peer_cfg);
        if (this->task_manager->busy(this->task_manager))
        {

diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 7c8eeba..1da17ee 100644 (file)
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -552,6 +552,12 @@ METHOD(task_manager_t, initiate, status_t,
                                        new_mid = TRUE;
                                        break;
                                }
+                               if (activate_task(this, TASK_ISAKMP_DPD))
+                               {
+                                       exchange = INFORMATIONAL_V1;
+                                       new_mid = TRUE;
+                                       break;
+                               }
                                break;
                        default:
                                break;