return this->task_manager->initiate(this->task_manager);
}
+/*
+ * Described in header
+ */
+bool ike_sa_can_reauthenticate(ike_sa_t *public)
+{
+ private_ike_sa_t *this = (private_ike_sa_t*)public;
+
+ return array_count(this->other_vips) == 0 &&
+ !has_condition(this, COND_XAUTH_AUTHENTICATED) &&
+ !has_condition(this, COND_EAP_AUTHENTICATED)
+#ifdef ME
+ /* as mediation server we too cannot reauth the IKE_SA */
+ && !this->is_mediation_server
+#endif /* ME */
+ ;
+}
+
METHOD(ike_sa_t, reauth, status_t,
private_ike_sa_t *this)
{
/* we can't reauthenticate as responder when we use EAP or virtual IPs.
* If the peer does not support RFC4478, there is no way to keep the
* IKE_SA up. */
- if (!has_condition(this, COND_ORIGINAL_INITIATOR))
+ if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
+ !ike_sa_can_reauthenticate(&this->public))
{
- DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
- if (array_count(this->other_vips) != 0 ||
- has_condition(this, COND_XAUTH_AUTHENTICATED) ||
- has_condition(this, COND_EAP_AUTHENTICATED)
-#ifdef ME
- /* as mediation server we too cannot reauth the IKE_SA */
- || this->is_mediation_server
-#endif /* ME */
- )
- {
- time_t del, now;
+ time_t del, now;
- del = this->stats[STAT_DELETE];
- now = time_monotonic(NULL);
- DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
- get_name(this), this->unique_id, &now, &del);
- return FAILED;
- }
- else
- {
- DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
- get_name(this), this->unique_id);
- }
- }
- else
- {
- DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
- get_name(this), this->unique_id);
+ del = this->stats[STAT_DELETE];
+ now = time_monotonic(NULL);
+ DBG1(DBG_IKE, "initiator did not reauthenticate as requested, IKE_SA "
+ "%s[%d] will timeout in %V", get_name(this), this->unique_id,
+ &now, &del);
+ return FAILED;
}
+ DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
+ get_name(this), this->unique_id);
set_condition(this, COND_REAUTHENTICATING, TRUE);
this->task_manager->queue_ike_reauth(this->task_manager);
return this->task_manager->initiate(this->task_manager);
This scenario tests <b>repeated authentication</b> according to RFC 4478.
The initiator <b>carol</b> sets a large <b>reauth_time=60m</b> but the responder
<b>moon</b> defining a much shorter <b>reauth_time=30s</b> proposes this
-value via an AUTH_LIFETIME notification to the initiator. Thus the
+value via an AUTH_LIFETIME notification to the initiator as it can't initiate
+the reauthentication itself due to the EAP authentication. Thus the
IKE reauthentication takes places after less than 30s. A ping from
<b>carol</b> to client <b>alice</b> hiding in the subnet behind <b>moon</b>
tests if the CHILD_SA has been recreated under the new IKE_SA.
This scenario tests <b>repeated authentication</b> according to RFC 4478.
The initiator <b>carol</b> sets a short <b>reauth_time=20s</b> but the responder
<b>moon</b> defining a much larger <b>reauth_time=60m</b> proposes this
-value via an AUTH_LIFETIME notification to the initiator. The initiator
+value via an AUTH_LIFETIME notification to the initiator as it can't initiate
+the reauthentication itself due to the virtual IP address. The initiator
ignores this notification and schedules the IKE reauthentication at its
configured time. A ping from <b>carol</b> to client <b>alice</b>
hiding in the subnet behind <b>moon</b> tests if the CHILD_SA has been
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES
+carol::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
carol::cat /var/log/daemon.log::scheduling reauthentication in 20s::YES
carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 20s::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
projects / thirdparty / strongswan.git / commitdiff
