ike: Don't send NAT keepalives if we have no path to the other peer

If there is no path to the other peer there is no point in trying to
send a NAT keepalive.

If the condition changes back and forth within the keepalive interval there
is a chance that multiple jobs get queued.

1 files changed, 9 insertions, 3 deletions

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index dcf9d5f2c..3632d62a8 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -487,9 +487,12 @@ METHOD(ike_sa_t, send_keepalive, void,
 	send_keepalive_job_t *job;
 	time_t last_out, now, diff;
 
-	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
-		this->state == IKE_PASSIVE)
-	{	/* disable keep alives if we are not NATed anymore, or we are passive */
+	if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+	{	/* keepalives disabled either by configuration or for passive IKE_SAs */
+		return;
+	}
+	if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+	{	/* disable keepalives if we are not NATed anymore, or the SA is stale */
 		return;
 	}
 
@@ -590,6 +593,9 @@ METHOD(ike_sa_t, set_condition, void,
 								  has_condition(this, COND_NAT_THERE) ||
 								  has_condition(this, COND_NAT_FAKE));
 					break;
+				case COND_STALE:
+					send_keepalive(this);
+					break;
 				default:
 					break;
 			}