authorAndreas Steffen <andreas.steffen@strongswan.org>2012-05-17 19:49:22 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2012-05-17 19:49:22 +0200
commit80c5b17d1af10bf2eeba55e1caba770cb3dcf734 (patch)
tree0233436f53bac2b77fc1909cb736c9919fdba8c7 /src
parent24742c0f8385b194d5e2587bb8575de4a9eb6fec (diff)
downloadstrongswan-80c5b17d1af10bf2eeba55e1caba770cb3dcf734.tar.bz2
strongswan-80c5b17d1af10bf2eeba55e1caba770cb3dcf734.tar.xz
make IKEv1 DPD timeout configurable in charon
Diffstat (limited to 'src')
-rw-r--r--src/charon-nm/nm/nm_service.c3
-rw-r--r--src/conftest/config.c2
-rw-r--r--src/libcharon/config/peer_cfg.c18
-rw-r--r--src/libcharon/config/peer_cfg.h13
-rw-r--r--src/libcharon/plugins/android/android_service.c3
-rw-r--r--src/libcharon/plugins/ha/ha_tunnel.c2
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.c10
-rw-r--r--src/libcharon/plugins/maemo/maemo_service.c3
-rw-r--r--src/libcharon/plugins/medcli/medcli_config.c9
-rw-r--r--src/libcharon/plugins/medsrv/medsrv_config.c3
-rw-r--r--src/libcharon/plugins/sql/sql_config.c2
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c3
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c1
-rw-r--r--src/libcharon/plugins/uci/uci_config.c3
-rw-r--r--src/libcharon/processing/jobs/dpd_timeout_job.c2
-rwxr-xr-xsrc/libcharon/sa/ikev1/task_manager_v1.c20
-rw-r--r--src/starter/confread.c2
-rw-r--r--src/starter/starterstroke.c1
-rw-r--r--src/stroke/stroke_msg.h1
19 files changed, 76 insertions, 25 deletions
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 64da53f79..61b6a6c91 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -503,7 +503,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
NULL, FALSE, NULL, NULL); /* pool, mediation */
auth = auth_cfg_create();
diff --git a/src/conftest/config.c b/src/conftest/config.c
index a62363cd8..d45d512a2 100644
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@@ -252,7 +252,7 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
ike_cfg = load_ike_config(this, settings, config);
peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
- UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0,
+ UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0,
NULL, NULL, FALSE, NULL, NULL);
auth = auth_cfg_create();
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index b278dc337..d16aedc79 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -136,6 +136,11 @@ struct private_peer_cfg_t {
u_int32_t dpd;
/**
+ * DPD timeout intervall (used for IKEv1 only)
+ */
+ u_int32_t dpd_timeout;
+
+ /**
* virtual IP to use locally
*/
host_t *virtual_ip;
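Review bot: The new field comment on the added `dpd_timeout` member misspells "interval" and, unlike the header's `@return dpd_timeout in seconds`, does not say what unit the value is stored in, which matters because task_manager_v1.c multiplies it by 1000 to get milliseconds. Suggest `/** DPD timeout interval in seconds (used for IKEv1 only) */` so the unit is visible at the definition and not only at the getter's prototype. The enclosing struct `private_peer_cfg_t` starts and ends outside the hunk.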
@@ -398,6 +403,12 @@ METHOD(peer_cfg_t, get_dpd, u_int32_t,
return this->dpd;
}
+METHOD(peer_cfg_t, get_dpd_timeout, u_int32_t,
+ private_peer_cfg_t *this)
+{
+ return this->dpd_timeout;
+}
+
METHOD(peer_cfg_t, get_virtual_ip, host_t*,
private_peer_cfg_t *this)
{
@@ -586,8 +597,9 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- host_t *virtual_ip, char *pool, bool mediation,
- peer_cfg_t *mediated_by, identification_t *peer_id)
+ u_int32_t dpd_timeout, host_t *virtual_ip,
+ char *pool, bool mediation, peer_cfg_t *mediated_by,
+ identification_t *peer_id)
{
private_peer_cfg_t *this;
@@ -618,6 +630,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
.use_mobike = _use_mobike,
.use_aggressive = _use_aggressive,
.get_dpd = _get_dpd,
+ .get_dpd_timeout = _get_dpd_timeout,
.get_virtual_ip = _get_virtual_ip,
.get_pool = _get_pool,
.add_auth_cfg = _add_auth_cfg,
@@ -646,6 +659,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
.use_mobike = mobike,
.aggressive = aggressive,
.dpd = dpd,
+ .dpd_timeout = dpd_timeout,
.virtual_ip = virtual_ip,
.pool = strdupnull(pool),
.local_auth = linked_list_create(),
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 969ccabf2..572153505 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -271,6 +271,13 @@ struct peer_cfg_t {
u_int32_t (*get_dpd) (peer_cfg_t *this);
/**
+ * Get the DPD timeout interval (IKEv1 only)
+ *
+ * @return dpd_timeout in seconds
+ */
+ u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
+
+ /**
* Get a virtual IP for the local peer.
*
* If no virtual IP should be used, NULL is returned. %any means to request
@@ -366,6 +373,7 @@ struct peer_cfg_t {
* @param mobike use MOBIKE (RFC4555) if peer supports it
* @param aggressive use/accept aggressive mode with IKEv1
* @param dpd DPD check interval, 0 to disable
+ * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
* @param virtual_ip virtual IP for local host, or NULL
* @param pool pool name to get configuration attributes from, or NULL
* @param mediation TRUE if this is a mediation connection
@@ -379,7 +387,8 @@ peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
u_int32_t rekey_time, u_int32_t reauth_time,
u_int32_t jitter_time, u_int32_t over_time,
bool mobike, bool aggressive, u_int32_t dpd,
- host_t *virtual_ip, char *pool, bool mediation,
- peer_cfg_t *mediated_by, identification_t *peer_id);
+ u_int32_t dpd_timeout, host_t *virtual_ip,
+ char *pool, bool mediation, peer_cfg_t *mediated_by,
+ identification_t *peer_id);
#endif /** PEER_CFG_H_ @}*/
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c
index 62fd52b12..a25ca3612 100644
--- a/src/libcharon/plugins/android/android_service.c
+++ b/src/libcharon/plugins/android/android_service.c
@@ -277,7 +277,8 @@ static job_requeue_t initiate(private_android_service_t *this)
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
host_create_from_string("0.0.0.0", 0) /* virt */,
NULL, FALSE, NULL, NULL); /* pool, mediation */
diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c
index 6f20620f2..6558ea3b7 100644
--- a/src/libcharon/plugins/ha/ha_tunnel.c
+++ b/src/libcharon/plugins/ha/ha_tunnel.c
@@ -208,7 +208,7 @@ static void setup_tunnel(private_ha_tunnel_t *this,
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create("ha", IKEV2, ike_cfg, CERT_NEVER_SEND,
UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, FALSE, 30,
- NULL, NULL, FALSE, NULL, NULL);
+ 0, NULL, NULL, FALSE, NULL, NULL);
auth_cfg = auth_cfg_create();
auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 47ce6fa71..75ac1ff49 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -95,6 +95,11 @@ struct private_load_tester_config_t {
u_int dpd_delay;
/**
+ * DPD timeout (IKEv1 only)
+ */
+ u_int dpd_timeout;
+
+ /**
* incremental numbering of generated configs
*/
u_int num;
@@ -259,7 +264,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
this->ike_rekey, 0, /* rekey, reauth */
0, this->ike_rekey, /* jitter, overtime */
FALSE, FALSE, /* mobike, aggressive mode */
- this->dpd_delay, /* dpddelay */
+ this->dpd_delay, /* dpd_delay */
+ this->dpd_timeout, /* dpd_timeout */
this->vip ? this->vip->clone(this->vip) : NULL,
this->pool, FALSE, NULL, NULL);
if (num)
@@ -367,6 +373,8 @@ load_tester_config_t *load_tester_config_create()
"%s.plugins.load-tester.child_rekey", 600, charon->name);
this->dpd_delay = lib->settings->get_int(lib->settings,
"%s.plugins.load-tester.dpd_delay", 0, charon->name);
+ this->dpd_timeout = lib->settings->get_int(lib->settings,
+ "%s.plugins.load-tester.dpd_timeout", 0, charon->name);
this->initiator_auth = lib->settings->get_str(lib->settings,
"%s.plugins.load-tester.initiator_auth", "pubkey", charon->name);
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c
index 67d2b2984..1d1bb63d8 100644
--- a/src/libcharon/plugins/maemo/maemo_service.c
+++ b/src/libcharon/plugins/maemo/maemo_service.c
@@ -332,7 +332,8 @@ static gboolean initiate_connection(private_maemo_service_t *this,
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
- TRUE, FALSE, 0, /* mobike, aggressive, DPD */
+ TRUE, FALSE, /* mobike, aggressive */
+ 0, 0, /* DPD delay, timeout */
host_create_from_string("0.0.0.0", 0) /* virt */,
NULL, FALSE, NULL, NULL); /* pool, mediation */
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 7fa0152bd..3b99144f0 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -126,7 +126,8 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggressive, dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
@@ -163,7 +164,8 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggressive, dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, med_cfg, /* mediation, med by */
identification_create_from_encoding(ID_KEY_ID, other));
@@ -238,7 +240,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
diff --git a/src/libcharon/plugins/medsrv/medsrv_config.c b/src/libcharon/plugins/medsrv/medsrv_config.c
index 366558ac2..42564734f 100644
--- a/src/libcharon/plugins/medsrv/medsrv_config.c
+++ b/src/libcharon/plugins/medsrv/medsrv_config.c
@@ -92,7 +92,8 @@ METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
- TRUE, FALSE, this->dpd, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressiv */
+ this->dpd, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
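Review bot: The added argument comment reads `/* mobike, aggressiv */` while every other call site updated in this commit (medcli, uci, nm, android, maemo) uses `/* mobike, aggressive */`; suggest changing it to `TRUE, FALSE, /* mobike, aggressive */` so the positional comments stay consistent across backends. The enclosing method `create_peer_cfg_enumerator` starts and ends outside the hunk.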
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index b06bd3706..c2d4b6885 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -370,7 +370,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
peer_cfg = peer_cfg_create(
name, IKEV2, ike, cert_policy, uniqueid,
keyingtries, rekeytime, reauthtime, jitter, overtime,
- mobike, FALSE, dpd_delay, vip, pool,
+ mobike, FALSE, dpd_delay, 0, vip, pool,
mediation, mediated_cfg, peer_id);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 89e1e0a91..6b8dc234b 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -661,7 +661,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
msg->add_conn.version, ike_cfg,
msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
- msg->add_conn.mobike, msg->add_conn.aggressive, msg->add_conn.dpd.delay,
+ msg->add_conn.mobike, msg->add_conn.aggressive,
+ msg->add_conn.dpd.delay, msg->add_conn.dpd.timeout,
vip, msg->add_conn.other.sourceip_mask ?
msg->add_conn.name : msg->add_conn.other.sourceip,
msg->add_conn.ikeme.mediation, mediated_by, peer_id);
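Review bot: `msg->add_conn.dpd.timeout` is passed straight into the new `u_int32_t dpd_timeout` parameter, but stroke_msg.h in this same commit declares the field as `time_t`, which is signed; a negative value coming from the stroke message would silently wrap to a very large timeout rather than being rejected or treated as "use default". Unless `build_peer_cfg` validates the value earlier (its beginning is outside the hunk, so I cannot tell), consider normalising it before the call, e.g. `u_int32_t dpd_timeout = msg->add_conn.dpd.timeout > 0 ? msg->add_conn.dpd.timeout : 0;` and passing `dpd_timeout` instead. The same narrowing applies to the pre-existing `dpd.delay` argument on the line above it.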
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 8a52e0eb0..daf244e74 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -234,6 +234,7 @@ static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
DBG2(DBG_CFG, " dpddelay=%d", msg->add_conn.dpd.delay);
+ DBG2(DBG_CFG, " dpdtimeout=%d", msg->add_conn.dpd.timeout);
DBG2(DBG_CFG, " dpdaction=%d", msg->add_conn.dpd.action);
DBG2(DBG_CFG, " closeaction=%d", msg->add_conn.close_action);
DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
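Review bot: The added `DBG2(DBG_CFG, "  dpdtimeout=%d", msg->add_conn.dpd.timeout);` formats a `time_t` (declared so by the stroke_msg.h hunk of this commit) with `%d`, which is a conversion-specifier mismatch and undefined behaviour where `time_t` is wider than `int`; the neighbouring `dpddelay=%d` line has the same pre-existing problem. Casting explicitly keeps the existing format, `DBG2(DBG_CFG, "  dpdtimeout=%d", (int)msg->add_conn.dpd.timeout);`, and silences `-Wformat` on the stroke debug output. The enclosing `stroke_add_conn` starts and ends outside the hunk.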
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c
index b4e99c3f2..eb2c4b330 100644
--- a/src/libcharon/plugins/uci/uci_config.c
+++ b/src/libcharon/plugins/uci/uci_config.c
@@ -175,7 +175,8 @@ METHOD(enumerator_t, peer_enumerator_enumerate, bool,
name, IKEV2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
1800, 900, /* jitter, overtime */
- TRUE, FALSE, 60, /* mobike, aggr., dpddelay */
+ TRUE, FALSE, /* mobike, aggressive */
+ 60, 0, /* DPD delay, timeout */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
auth = auth_cfg_create();
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 0615be053..c3337996b 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -73,7 +73,7 @@ METHOD(job_t, execute, void,
}
enumerator->destroy(enumerator);
- /* check if no incoming packet during timeout, reestalish SA */
+ /* check if no incoming packet during timeout, reestablish SA */
if (use_time < this->check)
{
DBG1(DBG_JOB, "DPD check timed out, enforcing DPD action");
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 7e56fb71c..2f47e721e 100755
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1388,18 +1388,26 @@ METHOD(task_manager_t, queue_child_delete, void,
METHOD(task_manager_t, queue_dpd, void,
private_task_manager_t *this)
{
- u_int32_t t = 0, retransmit;
+ peer_cfg_t *peer_cfg;
+ u_int32_t t, retransmit;
queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
this->dpd_send++));
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- /* schedule DPD timeout job using the same timeout as a retransmitting
- * IKE message would have. */
- for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
+ /* compute timeout in milliseconds */
+ t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
+ if (t == 0)
{
- t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
- pow(this->retransmit_base, retransmit));
+ /* use the same timeout as a retransmitting IKE message would have */
+ for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
+ {
+ t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
+ pow(this->retransmit_base, retransmit));
+ }
}
+
+ /* schedule DPD timeout job */
lib->scheduler->schedule_job_ms(lib->scheduler,
(job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
}
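Review bot: `t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);` multiplies in `u_int32_t`, so a configured timeout above 4294967 seconds wraps silently and the DPD timeout job is scheduled far too early, enforcing the DPD action on a healthy SA; the old retransmit-based path could not be misconfigured this way. Clamp before converting, `u_int32_t timeout = peer_cfg->get_dpd_timeout(peer_cfg);` followed by `t = timeout > UINT32_MAX / 1000 ? UINT32_MAX : timeout * 1000;`, which preserves the `t == 0` fallback. The result of `this->ike_sa->get_peer_cfg()` is dereferenced without a NULL check; if an IKEv1 SA can reach `queue_dpd` before a peer config is attached (not visible here), that would fault, so a guard falling back to the retransmit computation would be safer.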
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 2fb329c85..804ec6e99 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -97,7 +97,7 @@ static void default_values(starter_config_t *cfg)
cfg->conn_default.addr_family = AF_INET;
cfg->conn_default.tunnel_addr_family = AF_INET;
cfg->conn_default.install_policy = TRUE;
- cfg->conn_default.dpd_delay = 30; /* seconds */
+ cfg->conn_default.dpd_delay = 30; /* seconds */
cfg->conn_default.dpd_timeout = 150; /* seconds */
cfg->conn_default.left.seen = LEMPTY;
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index c28db5c36..72b3f1a89 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -252,6 +252,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
+ msg.add_conn.dpd.timeout = conn->dpd_timeout;
msg.add_conn.dpd.action = conn->dpd_action;
msg.add_conn.close_action = conn->close_action;
msg.add_conn.inactivity = conn->inactivity;
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 22d4f11a3..e1ac684e2 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -278,6 +278,7 @@ struct stroke_msg_t {
} rekey;
struct {
time_t delay;
+ time_t timeout;
int action;
} dpd;
struct {