-rw-r--r-- | man/ipsec.conf.5.in | 4 | ||||
-rw-r--r-- | src/libcharon/processing/jobs/inactivity_job.c | 5 |
2 files changed, 6 insertions, 3 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 92be67000..a0be75536 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -386,7 +386,9 @@ retransmission timeout applies, as every exchange is used to detect dead peers.
 .TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
-not send or receive any traffic.
+not send or receive any traffic. The inactivity counter is reset during CHILD_SA
+rekeying. This means that the inactivity timeout must be smaller than the
+rekeying interval to have any effect.
 .TP
 .BR eap_identity " = <id>"
 defines the identity the client uses to reply to an EAP Identity request.
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 9ab69b417..197733979 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -73,12 +73,13 @@ METHOD(job_t, execute, job_requeue_t,
 {
 if (child_sa->get_reqid(child_sa) == this->reqid)
 {
- time_t in, out, diff;
+ time_t in, out, install, diff;
 child_sa->get_usestats(child_sa, TRUE, &in, NULL, NULL);
 child_sa->get_usestats(child_sa, FALSE, &out, NULL, NULL);
+ install = child_sa->get_installtime(child_sa);
- diff = time_monotonic(NULL) - max(in, out);
+ diff = time_monotonic(NULL) - max(max(in, out), install);
 if (diff >= this->timeout)
 { |
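Review bot: The new `max(max(in, out), install)` expression in inactivity_job.c carries no comment saying why the install time bounds the idle period, so the only record of the behaviour is the man page hunk. I would add above the `install = ...` line something like `/* a just installed or rekeyed CHILD_SA has no use time yet, so count idle time from its installation */` (the reason is inferred from the man page text, please confirm). The subtraction is only meaningful if get_installtime() reports on the same clock as time_monotonic() and the use stats, which is not visible in this hunk and is worth checking. Because a rekey resets the counter, an idle CHILD_SA whose timeout is not smaller than the rekey interval is never closed by this job, so a deployment relying on inactivity to tear down idle tunnels gets no signal beyond the documentation; a warning when such a configuration is loaded may be worth considering. The body of execute starts and ends outside the hunk.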