ike: Disable NAT keepalives in state PASSIVE

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

1 files changed, 12 insertions, 3 deletions

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 6ffbd55bd..3bfd149f2 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -487,8 +487,9 @@ METHOD(ike_sa_t, send_keepalive, void,
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
 
-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
-	{	/* disable keep alives if we are not NATed anymore */
+	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
+		this->state == IKE_PASSIVE)
+	{	/* disable keep alives if we are not NATed anymore, or we are passive */
 		return;
 	}
 
@@ -651,7 +652,7 @@ METHOD(ike_sa_t, get_state, ike_sa_state_t,
 METHOD(ike_sa_t, set_state, void,
 	private_ike_sa_t *this, ike_sa_state_t state)
 {
-	bool trigger_dpd = FALSE;
+	bool trigger_dpd = FALSE, keepalives = FALSE;
 
 	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
 		 get_name(this), this->unique_id,
@@ -722,6 +723,10 @@ METHOD(ike_sa_t, set_state, void,
 					 * so yet, so prevent that. */
 					this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
 				}
+				if (this->state == IKE_PASSIVE)
+				{
+					keepalives = TRUE;
+				}
 			}
 			break;
 		}
@@ -742,6 +747,10 @@ METHOD(ike_sa_t, set_state, void,
 			DBG1(DBG_IKE, "DPD not supported by peer, disabled");
 		}
 	}
+	if (keepalives)
+	{
+		send_keepalive(this);
+	}
 }
 
 METHOD(ike_sa_t, reset, void,