diff options
| -rw-r--r-- | conf/options/charon.opt | 10 | ||||
| -rw-r--r-- | src/libcharon/sa/ike_sa.c | 24 |
2 files changed, 33 insertions, 1 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 6e0b37c57..7c56fc1e5 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -260,6 +260,16 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_best_path = no + Wether to prefer updating SAs to the path with the best route. + + By default, charon keeps SAs on the routing path with addresses it + previously used if that path is still usable. By setting this option to + yes, it tries more aggressively to update SAs with MOBIKE on routing + priority changes using the cheapest path. This adds more noise, but allows + to dynamically adapt SAs to routing priority changes. This option has no + effect if MOBIKE is not supported or disabled. + charon.prefer_configured_proposals = yes Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 589784c85..76294ce39 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -2442,6 +2442,25 @@ static bool is_current_path_valid(private_ike_sa_t *this) { bool valid = FALSE; host_t *src; + + if (supports_extension(this, EXT_MOBIKE) && + lib->settings->get_bool(lib->settings, + "%s.prefer_best_path", FALSE, lib->ns)) + { + /* check if the current path is the best path; migrate otherwise */ + src = charon->kernel->get_source_addr(charon->kernel, this->other_host, + NULL); + if (src) + { + valid = src->ip_equals(src, this->my_host); + src->destroy(src); + } + if (!valid) + { + DBG1(DBG_IKE, "old path is not preferred anymore"); + } + return valid; + } src = charon->kernel->get_source_addr(charon->kernel, this->other_host, this->my_host); if (src) @@ -2452,6 +2471,10 @@ static bool is_current_path_valid(private_ike_sa_t *this) } src->destroy(src); } + if (!valid) + { + DBG1(DBG_IKE, "old path is not available anymore, try to find another"); + } return valid; } @@ -2478,7 +2501,6 @@ static bool is_any_path_valid(private_ike_sa_t *this) break; } - DBG1(DBG_IKE, "old path is not available anymore, try to find another"); enumerator = create_peer_address_enumerator(this); while (enumerator->enumerate(enumerator, &addr)) { |