ike: Optionally use DPD to check if the current path still works

We could maybe check the duration of the last stale condition or when
the last packet was sent as filter to avoid unnecessary updates.

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index b6e55e11253bf9503fde78f2e863e809a697d756..52983ee63d2f56b56e7c7ab49ac2314e87bf9211 100644 (file)
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -40,6 +40,17 @@ charon.cache_crls = no
        Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
        **/etc/swanctl/x509crl** (vici), respectively.
 
+charon.check_current_path = no
+       Whether to use DPD to check if the current path still works after any
+       changes to interfaces/addresses.
+
+       By default, after detecting any changes to interfaces and/or addresses no
+       action is taken if the current path to the remote peer still looks usable.
+       Enabling this option will use DPD to check if the path actually still works,
+       or, for instance, the peer removed the state after a longer phase without
+       connectivity.  It will also trigger a MOBIKE update if NAT mappings were
+       removed during the downtime.
+
 charon.cisco_unity = no
        Send Cisco Unity vendor ID payload (IKEv1 only).
 

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 5e54208ec046e0b566255f9b3c4fdb5c8b9cb6b0..e482d55eedd836ad6af5df106a2c0244b802e924 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -2708,6 +2708,14 @@ METHOD(ike_sa_t, roam, status_t,
                        this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
                        return this->task_manager->initiate(this->task_manager);
                }
+               if (lib->settings->get_bool(lib->settings,
+                                                               "%s.check_current_path", FALSE, lib->ns) &&
+                       !this->task_manager->busy(this->task_manager))
+               {
+                       DBG1(DBG_IKE, "checking if current path still works using DPD");
+                       this->task_manager->queue_dpd(this->task_manager);
+                       return this->task_manager->initiate(this->task_manager);
+               }
                return SUCCESS;
        }