authorMartin Willi <martin@strongswan.org>2006-09-05 14:07:25 +0000
committerMartin Willi <martin@strongswan.org>2006-09-05 14:07:25 +0000
commita655f5c09c2ba180b7d393dbdfc8b8057293d9ab (patch)
treee645a61c178ebcb932a56f09e4bdcca80b230431 /src/charon/config/configuration.c
parentda8ab11e918353293953636abea73f12bf8f956e (diff)
reuse reqid when a ROUTED child_sa gets INSTALLED
fixed a bug in retransmission code; added support for the "keyingtries" ipsec.conf parameter; added support for the "dpddelay" ipsec.conf parameter; done some work for "dpdaction" behavior; some other cleanups and fixes
Diffstat (limited to 'src/charon/config/configuration.c')
-rwxr-xr-xsrc/charon/config/configuration.c89
1 files changed, 62 insertions, 27 deletions
diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c
index 2dcf0bb72..e983e5968 100755
--- a/src/charon/config/configuration.c
+++ b/src/charon/config/configuration.c
@@ -29,38 +29,77 @@
/**
* Timeout in milliseconds after that a half open IKE_SA gets deleted.
- * Set to zero to disable
*/
#define HALF_OPEN_IKE_SA_TIMEOUT 30000
/**
+ * The retransmission algorithm uses a multiple sequences.
+ * Each sequence contains multiple retransmits. Those retransmits
+ * are sent using a exponential backoff algorithm. The sequences
+ * are retried with linear timings:
+ *
+ * <------sequence---------><------sequence---------><------sequence--------->
+ *
+ * T-R---R-----R---------R--R-R---R-----R---------R--R-R---R-----R---------R--X
+ *
+ * T = first transmit
+ * R = retransmit
+ * X = giving up, peer is dead
+ *
+ * if (retransmit >= TRIES * sequences)
+ * => abort
+ * TIMEOUT * (BASE ** (try % TRIES))
+ *
+ * Using an initial TIMEOUT of 4s, a BASE of 1.8, 5 TRIES
+ * per sequnce and 3 sequences, this gives us:
+ *
+ * | relative | absolute
+ * ---------------------------------------------------------
+ * 4s * (1.8 ** (0 % 5)) = 4s 4s
+ * 4s * (1.8 ** (1 % 5)) = 7s 11s
+ * 4s * (1.8 ** (2 % 5)) = 13s 24s
+ * 4s * (1.8 ** (3 % 5)) = 23s 47s
+ * 4s * (1.8 ** (4 % 5)) = 42s 89s
+ * 4s * (1.8 ** (5 % 5)) = 76s 165s
+ * 4s * (1.8 ** (6 % 5)) = 4s 169s
+ * 4s * (1.8 ** (7 % 5)) = 7s 176s
+ * 4s * (1.8 ** (8 % 5)) = 13s 189s
+ * 4s * (1.8 ** (9 % 5)) = 23s 212s
+ * 4s * (1.8 ** (10 % 5)) = 42s 254s
+ * 4s * (1.8 ** (11 % 5)) = 76s 330s
+ * 4s * (1.8 ** (12 % 5)) = 4s 334
+ * 4s * (1.8 ** (13 % 5)) = 7s 341s
+ * 4s * (1.8 ** (14 % 5)) = 13s 354s
+ * 4s * (1.8 ** (15 % 5)) = 23s 377s
+ * 4s * (1.8 ** (16 % 5)) = 42s 419s
+ * 4s * (1.8 ** (17 % 5)) = 76s 495s
+ *
+ * If the configuration uses 1 sequence, the peer is considered dead
+ * after 2min 45s when no reply comes in. If it uses 3 sequences, after
+ * 8min 15s the DPD action is executed...
+ */
+
+/**
* First retransmit timeout in milliseconds.
* Timeout value is increasing in each retransmit round.
*/
-#define RETRANSMIT_TIMEOUT 6000
+#define RETRANSMIT_TIMEOUT 4000
/**
* Base which is raised to the power of the retransmission count.
*/
-#define RETRANSMIT_BASE 1.5
+#define RETRANSMIT_BASE 1.8
/**
- * Max retransmit count.
- * 0 for infinite. The max time a half open IKE_SA is alive is set by
- * RETRANSMIT_TIMEOUT.
+ * Number of retransmits done in a retransmit sequence
*/
-#define MAX_RETRANSMIT_COUNT 6
+#define RETRANSMIT_TRIES 5
/**
* Keepalive interval in seconds.
*/
#define KEEPALIVE_INTERVAL 20
-/**
- * DPD interval in seconds.
- */
-#define DPD_INTERVAL 60
-
typedef struct private_configuration_t private_configuration_t;
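Review bot: The timing table in the new comment does not match the formula it documents or the constants defined below it. With `RETRANSMIT_TRIES 5`, `try % TRIES` only takes the values 0..4, so the `5 % 5`, `11 % 5` and `17 % 5` rows yield 4s rather than 76s, and the rows after them are shifted by one. A sequence therefore lasts about 4+7+13+23+42 = 89s, so by the visible formula the peer is given up on after roughly 1.5 minutes for one sequence and 4.5 minutes for three, not the stated "2min 45s" and "8min 15s". Anyone sizing DPD or keyingtries from this comment would overestimate how long a dead peer is tolerated. Either redo the table with five rows per sequence or, if six retransmits per sequence were intended, use `#define RETRANSMIT_TRIES 6` and write `% 6` in the table. While there, fix "sequnce" and the missing unit in `334`.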
@@ -79,13 +118,18 @@ struct private_configuration_t {
/**
* Implementation of configuration_t.get_retransmit_timeout.
*/
-static u_int32_t get_retransmit_timeout (private_configuration_t *this, u_int32_t retransmit_count)
+static u_int32_t get_retransmit_timeout (private_configuration_t *this,
+ u_int32_t retransmit_count,
+ u_int32_t max_sequences)
{
- if (retransmit_count > MAX_RETRANSMIT_COUNT && MAX_RETRANSMIT_COUNT != 0)
+ if (max_sequences != 0 &&
+ retransmit_count >= RETRANSMIT_TRIES * max_sequences)
{
+ /* give up */
return 0;
}
- return (u_int32_t)(RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count));
+ return (u_int32_t)(RETRANSMIT_TIMEOUT *
+ pow(RETRANSMIT_BASE, retransmit_count % RETRANSMIT_TRIES));
}
/**
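Review bot: The product in `retransmit_count >= RETRANSMIT_TRIES * max_sequences` is evaluated in 32-bit unsigned arithmetic and wraps for very large `max_sequences`. If that value is taken from configuration (presumably keyingtries; the caller is not visible here), an oversized setting could make the function return 0 and give up after only a few retransmits. Comparing by division gives the same result without the wrap: `retransmit_count / RETRANSMIT_TRIES >= max_sequences`. The doc comment above the function should also state the contract that callers now depend on, for example `@return timeout in ms, or 0 to give up; max_sequences == 0 means retry without limit`.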
@@ -105,14 +149,6 @@ static u_int32_t get_keepalive_interval (private_configuration_t *this)
}
/**
- * Implementation of configuration_t.get_dpd_interval.
- */
-static u_int32_t get_dpd_interval (private_configuration_t *this)
-{
- return DPD_INTERVAL;
-}
-
-/**
* Implementation of configuration_t.destroy.
*/
static void destroy(private_configuration_t *this)
@@ -129,10 +165,9 @@ configuration_t *configuration_create()
/* public functions */
this->public.destroy = (void(*)(configuration_t*))destroy;
- this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t *, u_int32_t retransmit_count))get_retransmit_timeout;
- this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t *)) get_half_open_ike_sa_timeout;
- this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t *)) get_keepalive_interval;
- this->public.get_dpd_interval = (u_int32_t (*) (configuration_t *)) get_dpd_interval;
+ this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t,u_int32_t))get_retransmit_timeout;
+ this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout;
+ this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval;
return (&this->public);
}